app s | exhibit | type | size | submitted / available
---|---|---|---|---
1 | Manual Part 1 | Users Manual | 3.15 MiB | August 07 2009
1 | Manual Part 2 | Users Manual | 3.18 MiB | August 07 2009
1 | | Attestation Statements | | August 07 2009
1 | | Attestation Statements | | August 07 2009
1 | | Attestation Statements | | August 07 2009
1 | | Attestation Statements | | August 07 2009
1 | | Cover Letter(s) | | August 07 2009
1 | | Cover Letter(s) | | August 07 2009
1 | | External Photos | | August 07 2009
1 | | Internal Photos | | August 07 2009
1 | | ID Label/Location Info | | August 07 2009
1 | | ID Label/Location Info | | August 07 2009
1 | | Operational Description | | August 07 2009
1 | | RF Exposure Info | | August 07 2009
1 | | Test Report | | August 07 2009
1 | | Test Setup Photos | | August 07 2009
1 | Manual Part 1 | Users Manual | 3.15 MiB | August 07 2009 |
MAX-306HW2 Series
Models: MAX-306 ODU (2.5 GHz), MAX-316 ODU (3.5 GHz), MAX-306HW2 IDU
WiMAX MIMO Indoor/Outdoor CPE (2.5GHz & 3.5GHz)
Company Confidential

Default Login Details
IP Address: http://192.168.100.1
User Name: admin
Password: 1234

Firmware Version 3.6
Edition 2, 05/2009
www.zyxel.com
Copyright 2009 ZyXEL Communications Corporation

About This User's Guide

Intended Audience
This manual is intended for people who want to configure this product using the web configurator. You should have at least a basic knowledge of TCP/IP networking concepts and topology.

Related Documentation
- Quick Start Guide: The Quick Start Guide is designed to help you get up and running right away. It contains information on setting up your network and configuring for Internet access.
- Web Configurator Online Help: Embedded web help for descriptions of individual screens and supplementary information.
- Command Reference Guide: The Command Reference Guide explains how to use the Command-Line Interface (CLI) and CLI commands to configure the WiMAX Device.
- Support Disc: Refer to the included CD for support documents.
- ZyXEL Web Site: Please refer to www.zyxel.com for additional support documentation and product certifications.

User's Guide Feedback
Help us help you. Send all User's Guide-related comments, questions or suggestions for improvement to the following address, or use e-mail instead. Thank you!
The Technical Writing Team, ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu, 300, Taiwan.
E-mail: techwriters@zyxel.com.tw

Document Conventions

Warnings and Notes
These are how warnings and notes are shown in this User's Guide.
Warnings tell you about things that could harm you or your WiMAX Device.
Note: Notes tell you other important information (for example, other things you may need to configure or helpful tips) or recommendations.

Syntax Conventions
- This product may be referred to as the "WiMAX Device", the "ZyXEL Device", the "device", the "system" or the "product" in this User's Guide.
- Product labels, screen names, field labels and field choices are all in bold font.
- A key stroke is denoted by square brackets and uppercase text, for example, [ENTER] means the "enter" or "return" key on your keyboard.
- "Enter" means for you to type one or more characters and then press the [ENTER] key. "Select" or "choose" means for you to use one of the predefined choices.
- A right angle bracket ( > ) within a screen name denotes a mouse click. For example, TOOLS > Logs > Log Settings means you first click Tools in the navigation panel, then the Logs sub menu and finally the Log Settings tab to get to that screen.
- Units of measurement may denote the "metric" value or the "scientific" value. For example, "k" for kilo may denote "1000" or "1024", "M" for mega may denote "1000000" or "1048576" and so on.
- "e.g.," is a shorthand for "for instance", and "i.e.," means "that is" or "in other words".

Icons Used in Figures
Figures in this User's Guide may use the following generic icons. The WiMAX Device icon is not an exact representation of your WiMAX Device.
Table 1 Common Icons: Notebook, Server, WiMAX Base Station, Wireless Signal, Internet Cloud, Computer, Telephone, Switch, Router, Network Cloud

Safety Warnings
For your safety, be sure to read and follow all warning notices and instructions.
- Do NOT use this product near water, for example, in a wet basement or near a swimming pool.
- Do NOT expose your device to dampness, dust or corrosive liquids.
- Do NOT store things on the device.
- Do NOT install, use, or service this device during a thunderstorm. There is a remote risk of electric shock from lightning.
- Connect ONLY suitable accessories to the device.
- Do NOT open the device or unit. Opening or removing covers can expose you to dangerous high voltage points or other risks. ONLY qualified service personnel should service or disassemble this device. Please contact your vendor for further information.
- Make sure to connect the cables to the correct ports.
- Place connecting cables carefully so that no one will step on them or stumble over them.
- Always disconnect all cables from this device before servicing or disassembling.
- Use ONLY an appropriate power adaptor or cord for your device. Connect it to the right supply voltage (for example, 110V AC in North America or 230V AC in Europe).
- Do NOT remove the plug and connect it to a power outlet by itself; always attach the plug to the power adaptor first before connecting it to a power outlet.
- Do NOT allow anything to rest on the power adaptor or cord and do NOT place the product where anyone can walk on the power adaptor or cord.
- Do NOT use the device if the power adaptor or cord is damaged as it might cause electrocution.
- If the power adaptor or cord is damaged, remove it from the device and the power source.
- Do NOT attempt to repair the power adaptor or cord. Contact your local vendor to order a new one.
- Do not use the device outside, and make sure all the connections are indoors. There is a remote risk of electric shock from lightning.
- Do NOT obstruct the device ventilation slots, as insufficient airflow may harm your device.
- Use only No. 26 AWG (American Wire Gauge) or larger telecommunication line cord.
- Antenna Warning! This device meets ETSI and FCC certification requirements when using the included antenna(s). Only use the included antenna(s).
- If you wall mount your device, make sure that no electrical lines, gas or water pipes will be damaged.
- You must maintain a minimum distance of 23 centimeters (9 inches) from the outdoor unit.
- The Power over Ethernet (PoE) device that supplies power must be indoors.
- Do not use any PoE device other than the Indoor Unit model specified in this User's Guide to supply power to the Outdoor Unit.
- Do not use the Indoor Unit's PoE feature to supply power to any other device other than the Outdoor Unit models specified in this User's Guide.

Your product is marked with this symbol, which is known as the WEEE mark. WEEE stands for Waste Electronics and Electrical Equipment. It means that used electrical and electronic products should not be mixed with general waste. Used electrical and electronic equipment should be treated separately.
Contents Overview

Introduction and Wizards
  Getting Started
  Introducing the Web Configurator
  Internet Connection Wizard
  VoIP Connection Wizard
Basic Screens
  The Setup Screens
Advanced Screens
  The LAN Configuration Screens
  The WAN Configuration Screens
  The Wi-Fi Configuration Screens
  The VPN Transport Screens
  The NAT Configuration Screens
  The System Configuration Screens
Voice Screens
  The Service Configuration Screens
  The Phone Screens
  The Phone Book Screens
Tools & Status Screens
  The Certificates Screens
  The Firewall Screens
  Content Filter
  The Remote Management Screens
  The Logs Screens
  The UPnP Screen
  The Status Screen
Troubleshooting and Specifications
  Troubleshooting
  Product Specifications
Appendices and Index

Table of Contents

About This User's Guide
Document Conventions
Safety Warnings
Contents Overview
Table of Contents
List of Figures
List of Tables

Part I: Introduction and Wizards

Chapter 1 Getting Started
  1.1 Overview
    1.1.1 Wi-Fi Access Point
    1.1.2 WiMAX Internet Access
    1.1.3 Make Calls via Internet Telephony Service Provider
  1.2 WiMAX Device Hardware
    1.2.1 LEDs
  1.3 Good Habits for Managing the WiMAX Device

Chapter 2 Introducing the Web Configurator
  2.1 Overview
    2.1.1 Accessing the Web Configurator
    2.1.2 The Reset Button
  2.2 The Main Screen

Chapter 3 Internet Connection Wizard
  3.1 Overview
    3.1.1 Welcome to the ZyXEL Setup Wizard
    3.1.2 System Information
    3.1.3 Wireless LAN
    3.1.4 Authentication Settings
    3.1.5 IP Address
    3.1.6 Setup Complete

Chapter 4 VoIP Connection Wizard
  4.1 Overview
  4.2 Welcome to the ZyXEL Setup Wizard
    4.2.1 First Voice Account Settings
    4.2.2 Setup Complete

Part II: Basic Screens

Chapter 5 The Setup Screens
  5.1 Overview
    5.1.1 What You Can Do in This Chapter
    5.1.2 What You Need to Know
    5.1.3 Before You Begin
  5.2 Set IP Address
  5.3 DHCP Client
  5.4 Time Setting
    5.4.1 Pre-Defined NTP Time Servers List
    5.4.2 Resetting the Time

Part III: Advanced Screens

Chapter 6 The LAN Configuration Screens
  6.1 Overview
    6.1.1 What You Can Do in This Chapter
    6.1.2 What You Need to Know
  6.2 DHCP Setup
  6.3 Static DHCP
  6.4 IP Alias
  6.5 IP Static Route
    6.5.1 IP Static Route Setup
  6.6 Other Settings
  6.7 Technical Reference
    6.7.1 IP Address and Subnet Mask
    6.7.2 DHCP Setup
    6.7.3 LAN TCP/IP
    6.7.4 DNS Server Address
    6.7.5 RIP Setup
    6.7.6 Multicast

Chapter 7 The WAN Configuration Screens
  7.1 Overview
    7.1.1 What You Can Do in This Chapter
    7.1.2 What You Need to Know
  7.2 Internet Connection
  7.3 WiMAX Configuration
    7.3.1 Frequency Ranges
    7.3.2 Configuring Frequency Settings
    7.3.3 Using the WiMAX Frequency Screen
  7.4 Traffic Redirect
  7.5 Advanced

Chapter 8 The Wi-Fi Configuration Screens
  8.1 Overview
    8.1.1 What You Can Do in This Chapter
    8.1.2 What You Need to Know
  8.2 General
  8.3 MAC Filter
  8.4 Advanced

Chapter 9 The VPN Transport Screens
  9.1 Overview
    9.1.1 What You Can Do in This Chapter
    9.1.2 What You Need to Know
    9.1.3 Before You Begin
  9.2 General
  9.3 Customer Interface
    9.3.1 Multi-Protocol Label Switching
    9.3.2 Generic Routing Encapsulation
    9.3.3 Customer Interface Options
    9.3.4 Customer Interface Setup
  9.4 Ethernet Pseudowire
    9.4.1 Ethernet Pseudowire Setup
  9.5 Statistics

Chapter 10 The NAT Configuration Screens
  10.1 Overview
    10.1.1 What You Can Do in This Chapter
  10.2 General
  10.3 Port Forwarding
    10.3.1 Port Forwarding Options
    10.3.2 Port Forwarding Rule Setup
  10.4 Trigger Port
    10.4.1 Trigger Port Forwarding Example
  10.5 ALG

Chapter 11 The System Configuration Screens
  11.1 Overview
    11.1.1 What You Can Do in This Chapter
    11.1.2 What You Need to Know
  11.2 General
  11.3 Dynamic DNS
  11.4 Firmware
    11.4.1 The Firmware Upload Process
  11.5 Configuration
    11.5.1 The Restore Configuration Process
  11.6 Restart
    11.6.1 The Restart Process

Part IV: Voice Screens

Chapter 12 The Service Configuration Screens
  12.1 Overview
    12.1.1 What You Can Do in This Chapter
    12.1.2 What You Need to Know
    12.1.3 Before you Begin
  12.2 SIP Settings
    12.2.1 Advanced SIP Settings
  12.3 QoS
  12.4 Technical Reference
    12.4.1 SIP Call Progression
    12.4.2 SIP Client Server
    12.4.3 SIP User Agent
    12.4.4 SIP Proxy Server
    12.4.5 SIP Redirect Server
    12.4.6 NAT and SIP
    12.4.7 DiffServ
    12.4.8 DSCP and Per-Hop Behavior

Chapter 13 The Phone Screens
  13.1 Overview
    13.1.1 What You Can Do in This Chapter
    13.1.2 What You Need to Know
  13.2 Analog Phone
    13.2.1 Advanced Analog Phone Setup
  13.3 Common
  13.4 Region
  13.5 Technical Reference
    13.5.1 The Flash Key
    13.5.2 Europe Type Supplementary Phone Services
    13.5.3 USA Type Supplementary Services

Chapter 14 The Phone Book Screens
  14.1 Overview
    14.1.1 What You Can Do in This Chapter
    14.1.2 What You Need to Know
  14.2 Incoming Call Policy
  14.3 Speed Dial

Part V: Tools & Status Screens

Chapter 15 The Certificates Screens
  15.1 Overview
    15.1.1 What You Can Do in This Chapter
    15.1.2 What You Need to Know
  15.2 My Certificates
    15.2.1 My Certificates Create
    15.2.2 My Certificate Edit
    15.2.3 My Certificate Import
  15.3 Trusted CAs
    15.3.1 Trusted CA Edit
    15.3.2 Trusted CA Import
  15.4 Technical Reference
    15.4.1 Certificate Authorities
    15.4.2 Verifying a Certificate

Chapter 16 The Firewall Screens
  16.1 Overview
    16.1.1 What You Can Do in This Chapter
    16.1.2 What You Need to Know
  16.2 Firewall Setting
    16.2.1 Firewall Rule Directions
    16.2.2 Triangle Route
    16.2.3 Firewall Setting Options
  16.3 Service Setting
  16.4 Technical Reference
    16.4.1 Stateful Inspection Firewall

Chapter 17 Content Filter
..................................................................................208 16.4.2 Guidelines For Enhancing Security With Your Firewall ..........................................209 16.4.3 The Triangle Route Problem ................................................................................209 Company Confidential 18.1 Overview ..........................................................................................................................217 18.1.1 What You Can Do in This Chapter .........................................................................217 18.1.2 What You Need to Know ........................................................................................218 18.2 WWW ..............................................................................................................................219 18.3 Telnet ...............................................................................................................................220 18.4 FTP ..................................................................................................................................220 18.5 SNMP ..............................................................................................................................221 18.5.1 SNMP Traps ...........................................................................................................222 18.5.2 SNMP Options .......................................................................................................223 18.6 DNS .................................................................................................................................224 18.7 Security ............................................................................................................................225 17.1 Overview ..........................................................................................................................213 17.1.1 What You Can Do in This Chapter 
.........................................................................213 17.2 Filter .................................................................................................................................214 17.3 Schedule ..........................................................................................................................216 Chapter 18 The Remote Management Screens.....................................................................................217 Chapter 19 The Logs Screens.................................................................................................................227 16 Users Guide Table of Contents Chapter 21 The Status Screen.................................................................................................................253 Chapter 20 The UPnP Screen..................................................................................................................243 19.1 Overview ..........................................................................................................................227 19.1.1 What You Can Do in This Chapter .........................................................................227 19.1.2 What You Need to Know ........................................................................................227 19.2 View Logs ........................................................................................................................229 19.3 Log Settings .....................................................................................................................231 19.4 Log Message Descriptions ..............................................................................................233 20.1 Overview ..........................................................................................................................243 20.1.1 What You Can Do in This Chapter .........................................................................243 
20.1.2 What You Need to Know ........................................................................................243 20.2 UPnP ...............................................................................................................................244 20.3 Technical Reference ........................................................................................................245 20.3.1 Installing UPnP in Windows XP .............................................................................245 20.3.2 Web Configurator Easy Access .............................................................................249 Company Confidential 21.1 Overview ..........................................................................................................................253 21.2 Status Screen ..................................................................................................................253 21.2.1 Packet Statistics .....................................................................................................258 21.2.2 WiMAX Site Information .........................................................................................259 21.2.3 DHCP Table ...........................................................................................................260 21.2.4 VoIP Statistics ........................................................................................................261 21.2.5 WiMAX Profile ........................................................................................................263 22.1 Power, Hardware Connections, and LEDs ......................................................................267 22.2 WiMAX Device Access and Login ...................................................................................268 22.3 Internet Access ................................................................................................................270 22.4 Phone Calls and VoIP 
......................................................................................................272 22.5 Reset the WiMAX Device to Its Factory Defaults ............................................................273 22.5.1 Pop-up Windows, JavaScripts and Java Permissions ...........................................273 Chapter 22 Troubleshooting....................................................................................................................267 Chapter 23 Product Specifications.........................................................................................................275 Part VI: Troubleshooting and Specifications....................................265 Users Guide 17 Table of Contents Part VII: Appendices and Index..........................................................277 Appendix E IP Addresses and Subnetting...........................................................................337 Appendix D Pop-up Windows, JavaScripts and Java Permissions......................................327 Appendix H Common Services............................................................................................383 Appendix J Customer Support.............................................................................................391 Appendix C Wireless LANs..................................................................................................311 Appendix F Importing Certificates........................................................................................349 Appendix A WiMAX Security................................................................................................279 Appendix B Setting Up Your Computers IP Address...........................................................283 Appendix I Legal Information................................................................................................387 Appendix G SIP 
Passthrough...............................................................................................381 Index.......................................................................................................................................399 Company Confidential 18 Users Guide List of Figures List of Figures Company Confidential Figure 1 The IDU/ODU Setup .................................................................................................................31 Figure 2 WiFi Access Point ....................................................................................................................32 Figure 3 WiMAX Device and Base Station .............................................................................................32 Figure 4 WiMAX Devices VoIP Features - Peer-to-Peer Calls ..............................................................33 Figure 5 WiMAX Devices VoIP Features - Calls via VoIP Service Provider ..........................................33 Figure 6 The WiMAX Devices LEDs ......................................................................................................34 Figure 7 Main Screen .............................................................................................................................43 Figure 8 Select a Mode ..........................................................................................................................47 Figure 9 Internet Connection Wizard > System Information ...................................................................48 Figure 10 Internet Connection Wizard > Wireless LAN Screen ..............................................................49 Figure 11 Internet Connection Wizard > Basic (WEP) Screen ...............................................................51 Figure 12 Internet Connection Wizard > Extended (WPA-PSK) Screen ................................................53 Figure 13 Internet Connection Wizard > Authentication Settings 
Screen ...............................................54 Figure 14 Internet Connection Wizard > IP Address ..............................................................................56 Figure 15 Internet Connection Wizard > IP Address Assignment ..........................................................57 Figure 16 Select a Mode ........................................................................................................................59 Figure 17 VoIP Connection > First Voice Account Settings ....................................................................60 Figure 18 VoIP Connection > SIP Registration Test ...............................................................................61 Figure 19 VoIP Connection > SIP Registration Fail ................................................................................62 Figure 20 VoIP Connection > Finish ......................................................................................................63 Figure 21 SETUP > Set IP Address .......................................................................................................68 Figure 22 SETUP > DHCP Client ...........................................................................................................69 Figure 23 SETUP > Time Setting ...........................................................................................................70 Figure 24 ADVANCED > LAN Configuration > DHCP Setup .................................................................76 Figure 25 ADVANCED > LAN Configuration > Static DHCP ..................................................................78 Figure 26 ADVANCED > LAN Configuration> IP Alias ...........................................................................79 Figure 27 Advanced> LAN Configuration > IP Static Route ...................................................................81 Figure 28 Advanced> LAN Configuration > IP Static Route Setup 
.........................................................82 Figure 29 ADVANCED > LAN Configuration > Advanced ......................................................................83 Figure 30 WiMax: Mobile Station ............................................................................................................90 Figure 31 WiMAX: Multiple Mobile Stations ............................................................................................90 Figure 32 Using an AAA Server .............................................................................................................91 Figure 33 Traffic Redirect WAN Setup ....................................................................................................91 Figure 34 Traffic Redirect LAN Setup .....................................................................................................92 Figure 35 ADVANCED > WAN Configuration > Internet Connection .....................................................93 Figure 36 ADVANCED > WAN Configuration >WiMAX Configuration ................................................96 Figure 37 Frequency Ranges .................................................................................................................97 Figure 38 Completing the WiMAX Frequency Screen ............................................................................99 Users Guide 19 List of Figures Company Confidential Figure 39 ADVANCED > WAN Configuration > Traffic Redirect .............................................................99 Figure 40 ADVANCED > WAN Configuration > Advanced ..............................................................101 Figure 41 ADVANCED > Wi-Fi Configuration > General ......................................................................104 Figure 42 ADVANCED > Wi-Fi Configuration > WPA/WPA2 Optionsl ..................................................106 Figure 43 ADVANCED > Wi-Fi Configuration > WPA-PSK/WPA2-PSK Optionsl 
.................................107 Figure 44 ADVANCED > WAN Configuration >WiMAX Configuration ..............................................109 Figure 45 ADVANCED > WAN Configuration > Traffic Redirect ............................................................110 Figure 46 VPN Transport Example ........................................................................................................113 Figure 47 Identifying Users ....................................................................................................................115 Figure 48 ADVANCED > VPN Transport > General ..............................................................................116 Figure 49 Pseudowire Mapping .............................................................................................................117 Figure 50 VPLS Tunneling .....................................................................................................................118 Figure 51 ADVANCED > VPN Transport > Customer Interface ............................................................118 Figure 52 ADVANCED > VPN Transport > Customer Interface Setup ............................................120 Figure 53 Ethernet Pseudowire Settings Example ..............................................................................121 Figure 54 Advance > VPN Transport > Ethernet Pseudowire ..............................................................121 Figure 55 ADVANCED > VPN Transport > Ethernet Pseudowire Setup ............................................123 Figure 56 ADVANCED > VPN Transport > Statistics ............................................................................124 Figure 57 ADVANCED > NAT Configuration > General .......................................................................125 Figure 58 Multiple Servers Behind NAT Example ................................................................................127 Figure 59 ADVANCED > NAT Configuration > Port 
Forwarding ...........................................................127 Figure 60 ADVANCED > NAT Configuration > Port Forwarding > Rule Setup .....................................129 Figure 61 ADVANCED > NAT Configuration > Trigger Port .................................................................130 Figure 62 Trigger Port Forwarding Example .........................................................................................131 Figure 63 ADVANCED > NAT Configuration > ALG .............................................................................133 Figure 64 ADVANCED > System Configuration > General ..................................................................137 Figure 65 ADVANCED > System Configuration > Dynamic DNS .........................................................139 Figure 66 ADVANCED > System Configuration > Firmware ................................................................140 Figure 67 ADVANCED > System Configuration > Configuration ..........................................................142 Figure 68 ADVANCED > System Configuration > Restart ....................................................................143 Figure 69 VOICE > Service Configuration > SIP Setting ......................................................................149 Figure 70 STUN ....................................................................................................................................151 Figure 71 VOICE > Service Configuration > SIP Settings > Advanced ................................................153 Figure 72 VOICE > Service Configuration > QoS ................................................................................158 Figure 73 SIP User Agent .....................................................................................................................160 Figure 74 SIP Proxy Server ..................................................................................................................161 Figure 
75 SIP Redirect Server ..............................................................................................................162 Figure 76 DiffServ: Differentiated Service Field ....................................................................................163 Figure 77 VOICE > Phone > Analog Phone .........................................................................................166 Figure 78 VOICE > Phone > Analog Phone > Advanced .....................................................................168 Figure 79 VOICE > Phone > Common .................................................................................................169 Figure 80 VOICE > Phone > Region ....................................................................................................170 Figure 81 VOICE > Phone Book > Incoming Call Policy ......................................................................176 20 Users Guide List of Figures Company Confidential Figure 82 VOICE > Phone Book > Speed Dial .....................................................................................178 Figure 83 TOOLS > Certificates > My Certificates ............................................................................184 Figure 84 TOOLS > Certificates > My Certificates > Create ................................................................186 Figure 85 TOOLS > Certificates > My Certificates > Edit ....................................................................189 Figure 86 TOOLS > Certificates > My Certificates > Import .................................................................192 Figure 87 TOOLS > Certificates > Trusted CAs ...................................................................................193 Figure 88 TOOLS > Certificates > Trusted CAs > Edit ......................................................................195 Figure 89 TOOLS > Certificates > Trusted CAs > Import 
.....................................................................198 Figure 90 Remote Host Certificates .....................................................................................................201 Figure 91 Certificate Details ................................................................................................................201 Figure 92 Firewall Rule Directions ........................................................................................................204 Figure 93 Ideal Firewall Setup ..............................................................................................................205 Figure 94 TOOLS > Firewall > Firewall Setting ....................................................................................206 Figure 95 TOOLS > Firewall > Service Setting ....................................................................................207 Figure 96 Triangle Route Problem .....................................................................................................210 Figure 97 IP Alias ..................................................................................................................................211 Figure 98 TOOLS > Content Filter > Filter ...........................................................................................214 Figure 99 TOOLS > Content Filter > Schedule ....................................................................................216 Figure 100 TOOLS > Remote Management > WWW ..........................................................................219 Figure 101 TOOLS > Remote Management > Telnet ...........................................................................220 Figure 102 TOOLS > Remote Management > FTP ..............................................................................220 Figure 103 SNMP Management Model ................................................................................................221 Figure 104 TOOLS > 
Remote Management > SNMP ..........................................................................223 Figure 105 TOOLS > Remote Management > DNS .............................................................................224 Figure 106 TOOLS > Remote Management > Security .......................................................................225 Figure 107 TOOLS > Logs > View Logs ...............................................................................................229 Figure 108 TOOLS > Logs > Log Settings ...........................................................................................231 Figure 109 TOOLS > UPnP ..................................................................................................................244 Figure 110 Network Connections .........................................................................................................245 Figure 111 Windows Optional Networking Components Wizard ..........................................................246 Figure 112 Networking Services ...........................................................................................................246 Figure 113 Network Connections .........................................................................................................247 Figure 114 Internet Connection Properties ..........................................................................................247 Figure 115 Internet Connection Properties: Advanced Settings ...........................................................248 Figure 116 Internet Connection Properties: Advanced Settings: Add ..................................................248 Figure 117 System Tray Icon ................................................................................................................248 Figure 118 Internet Connection Status .................................................................................................249 Figure 119 Network Connections 
.........................................................................................................250 Figure 120 Network Connections: My Network Places ........................................................................250 Figure 121 Network Connections: My Network Places: Properties: Example ......................................251 Figure 122 Status .................................................................................................................................253 Figure 123 Packet Statistics .................................................................................................................258 Figure 124 WiMAX Site Information ....................................................................................................259 Users Guide 21 List of Figures Company Confidential Figure 125 DHCP Table ........................................................................................................................260 Figure 126 VoIP Statistics .....................................................................................................................261 Figure 127 WiMAX Profile ...................................................................................................................263 Figure 128 Windows XP: Start Menu ....................................................................................................284 Figure 129 Windows XP: Control Panel ...............................................................................................284 Figure 130 Windows XP: Control Panel > Network Connections > Properties ....................................285 Figure 131 Windows XP: Local Area Connection Properties ...............................................................285 Figure 132 Windows XP: Internet Protocol (TCP/IP) Properties ..........................................................286 Figure 133 Windows Vista: Start Menu 
.................................................................................................287 Figure 134 Windows Vista: Control Panel ............................................................................................287 Figure 135 Windows Vista: Network And Internet ................................................................................287 Figure 136 Windows Vista: Network and Sharing Center .....................................................................288 Figure 137 Windows Vista: Network and Sharing Center .....................................................................288 Figure 138 Windows Vista: Local Area Connection Properties ............................................................289 Figure 139 Windows Vista: Internet Protocol Version 4 (TCP/IPv4) Properties ...................................290 Figure 140 Mac OS X 10.4: Apple Menu ..............................................................................................291 Figure 141 Mac OS X 10.4: System Preferences .................................................................................291 Figure 142 Mac OS X 10.4: Network Preferences ...............................................................................292 Figure 143 Mac OS X 10.4: Network Preferences > TCP/IP Tab. 
.......................................................292 Figure 144 Mac OS X 10.4: Network Preferences > Ethernet ..............................................................293 Figure 145 Mac OS X 10.4: Network Utility ..........................................................................................294 Figure 146 Mac OS X 10.5: Apple Menu ..............................................................................................295 Figure 147 Mac OS X 10.5: Systems Preferences ...............................................................................295 Figure 148 Mac OS X 10.5: Network Preferences > Ethernet ..............................................................296 Figure 149 Mac OS X 10.5: Network Preferences > Ethernet ..............................................................297 Figure 150 Mac OS X 10.5: Network Utility ..........................................................................................298 Figure 151 Ubuntu 8: System > Administration Menu ..........................................................................299 Figure 152 Ubuntu 8: Network Settings > Connections ........................................................................299 Figure 153 Ubuntu 8: Administrator Account Authentication ................................................................300 Figure 154 Ubuntu 8: Network Settings > Connections ........................................................................300 Figure 155 Ubuntu 8: Network Settings > Properties ...........................................................................301 Figure 156 Ubuntu 8: Network Settings > DNS ...................................................................................302 Figure 157 Ubuntu 8: Network Tools ....................................................................................................303 Figure 158 openSUSE 10.3: K Menu > Computer Menu .....................................................................304 
Figure 159 openSUSE 10.3: K Menu > Computer Menu
Figure 160 openSUSE 10.3: YaST Control Center
Figure 161 openSUSE 10.3: Network Settings
Figure 162 openSUSE 10.3: Network Card Setup
Figure 163 openSUSE 10.3: Network Settings
Figure 164 openSUSE 10.3: KNetwork Manager
Figure 165 openSUSE: Connection Status - KNetwork Manager
Figure 166 Peer-to-Peer Communication in an Ad-hoc Network
Figure 167 Basic Service Set
Figure 168 Infrastructure WLAN
Figure 169 RTS/CTS
Figure 170 WPA(2) with RADIUS Application Example
Figure 171 WPA(2)-PSK Authentication
Figure 172 Pop-up Blocker
Figure 173 Internet Options: Privacy
Figure 174 Internet Options: Privacy
Figure 175 Pop-up Blocker Settings
Figure 176 Internet Options: Security
Figure 177 Security Settings - Java Scripting
Figure 178 Security Settings - Java
Figure 179 Java (Sun)
Figure 180 Mozilla Firefox: TOOLS > Options
Figure 181 Mozilla Firefox Content Security
Figure 182 Network Number and Host ID
Figure 183 Subnetting Example: Before Subnetting
Figure 184 Subnetting Example: After Subnetting
Figure 185 Conflicting Computer IP Addresses Example
Figure 186 Conflicting Computer IP Addresses Example
Figure 187 Conflicting Computer and Router IP Addresses Example
Figure 188 Internet Explorer 7: Certification Error
Figure 189 Internet Explorer 7: Certification Error
Figure 190 Internet Explorer 7: Certificate Error
Figure 191 Internet Explorer 7: Certificate
Figure 192 Internet Explorer 7: Certificate Import Wizard
Figure 193 Internet Explorer 7: Certificate Import Wizard
Figure 194 Internet Explorer 7: Certificate Import Wizard
Figure 195 Internet Explorer 7: Select Certificate Store
Figure 196 Internet Explorer 7: Certificate Import Wizard
Figure 197 Internet Explorer 7: Security Warning
Figure 198 Internet Explorer 7: Certificate Import Wizard
Figure 199 Internet Explorer 7: Website Identification
Figure 200 Internet Explorer 7: Public Key Certificate File
Figure 201 Internet Explorer 7: Open File - Security Warning
Figure 202 Internet Explorer 7: Tools Menu
Figure 203 Internet Explorer 7: Internet Options
Figure 204 Internet Explorer 7: Certificates
Figure 205 Internet Explorer 7: Certificates
Figure 206 Internet Explorer 7: Root Certificate Store
Figure 207 Firefox 2: Website Certified by an Unknown Authority
Figure 208 Firefox 2: Page Info
Figure 209 Firefox 2: Tools Menu
Figure 210 Firefox 2: Options
Figure 211 Firefox 2: Certificate Manager
Figure 212 Firefox 2: Select File
Figure 213 Firefox 2: Tools Menu
Figure 214 Firefox 2: Options
Figure 215 Firefox 2: Certificate Manager
Figure 216 Firefox 2: Delete Web Site Certificates
Figure 217 Opera 9: Certificate signer not found
Figure 218 Opera 9: Security information
Figure 219 Opera 9: Tools Menu
Figure 220 Opera 9: Preferences
Figure 221 Opera 9: Certificate manager
Figure 222 Opera 9: Import certificate
Figure 223 Opera 9: Install authority certificate
Figure 224 Opera 9: Install authority certificate
Figure 225 Opera 9: Tools Menu
Figure 226 Opera 9: Preferences
Figure 227 Opera 9: Certificate manager
Figure 228 Konqueror 3.5: Server Authentication
Figure 229 Konqueror 3.5: Server Authentication
Figure 230 Konqueror 3.5: KDE SSL Information
Figure 231 Konqueror 3.5: Public Key Certificate File
Figure 232 Konqueror 3.5: Certificate Import Result
Figure 233 Konqueror 3.5: Kleopatra
Figure 234 Konqueror 3.5: Settings Menu
Figure 235 Konqueror 3.5: Configure

List of Tables

Table 1 Common Icons
Table 2 The WiMAX Device
Table 3 Main > Icons
Table 4 Main
Table 5 Main > Icons
Table 6 Main
Table 7 Internet Connection Wizard > System Information
Table 8 Internet Connection Wizard > Wireless LAN Screen
Table 9 Internet Connection Wizard > Basic (WEP) Screen
Table 10 Internet Connection Wizard > Extended (WPA-PSK) Screen
Table 11 Internet Connection Wizard > Authentication Settings Screen
Table 12 Internet Connection Wizard > IP Address
Table 13 Internet Connection Wizard > IP Address
Table 14 VoIP Connection > First Voice Account Settings
Table 15 SETUP > Set IP Address
Table 16 SETUP > Set IP Address
Table 17 SETUP > DHCP Client
Table 18 Pre-defined NTP Time Servers
Table 19 ADVANCED > LAN Configuration > DHCP Setup
Table 20 ADVANCED > LAN Configuration > Static DHCP
Table 21 ADVANCED > LAN Configuration > IP Alias
Table 22 Advanced > LAN Configuration > IP Static Route
Table 23 Advanced > LAN Configuration > IP Static Route
Table 24 Management > Static Route > IP Static Route > Edit
Table 25 ADVANCED > LAN Configuration > Other Settings
Table 26 ADVANCED > WAN Configuration > Internet Connection > ISP Parameters for Internet Access
Table 27 Radio Frequency Conversion
Table 28 ADVANCED > WAN Configuration > WiMAX Configuration
Table 29 DL Frequency Example Settings
Table 30 ADVANCED > WAN Configuration > Traffic Redirect
Table 31 ADVANCED > WAN Configuration > Advanced
Table 32 ADVANCED > Wi-Fi Configuration > General
Table 33 ADVANCED > Wi-Fi Configuration > General
Table 34 ADVANCED > Wi-Fi Configuration > General
Table 35 ADVANCED > WAN Configuration > WiMAX Configuration
Table 36 ADVANCED > Wi-Fi Configuration > Advanced
Table 37 ADVANCED > VPN Transport > General
Table 38 Advanced > VPN Transport > Customer Interface
Table 39 ADVANCED > VPN Transport > Customer Interface
Table 40 ADVANCED > VPN Transport > Customer Interface Setup
Table 41 Advanced > VPN Transport > Customer Interface
Table 42 ADVANCED > VPN Transport > Ethernet Pseudowire
Table 43 ADVANCED > VPN Transport > Ethernet Pseudowire Setup
Table 44 ADVANCED > VPN Transport > Statistics
Table 45 ADVANCED > NAT Configuration > General
Table 46 Advanced > VPN Transport > Customer Interface
Table 47 ADVANCED > NAT Configuration > Port Forwarding
Table 48 ADVANCED > NAT Configuration > Port Forwarding > Rule Setup
Table 49 ADVANCED > NAT Configuration > Trigger Port
Table 50 ADVANCED > NAT Configuration > ALG
Table 51 ADVANCED > System Configuration > General
Table 52 ADVANCED > System Configuration > Dynamic DNS
Table 53 ADVANCED > System Configuration > Firmware
Table 54 ADVANCED > System Configuration > Configuration
Table 55 ADVANCED > System Configuration > Firmware
Table 56 VOICE > Service Configuration > SIP Setting
Table 57 VOICE > Service Configuration > SIP Settings > Advanced
Table 58 Custom Tones Details
Table 59 VOICE > Service Configuration > QoS
Table 60 SIP Call Progression
Table 61 VOICE > Phone > Analog Phone
Table 62 VOICE > Phone > Analog Phone > Advanced
Table 63 VOICE > Phone > Common
Table 64 VOICE > Phone > Region
Table 65 European Type Flash Key Commands
Table 66 USA Type Flash Key Commands
Table 67 VOICE > Phone Book > Incoming Call Policy
Table 68 Advanced > LAN Configuration > IP Static Route
Table 69 VOICE > Phone Book > Speed Dial
Table 70 TOOLS > Certificates > My Certificates
Table 71 TOOLS > Certificates > My Certificates
Table 72 TOOLS > Certificates > My Certificates > Create
Table 73 TOOLS > Certificates > My Certificates > Edit
Table 74 TOOLS > Certificates > My Certificates > Import
Table 75 TOOLS > Certificates > Trusted CAs
Table 76 TOOLS > Certificates > Trusted CAs
Table 77 TOOLS > Certificates > Trusted CAs > Edit
Table 78 TOOLS > Certificates > Trusted CAs Import
Table 79 TOOLS > Firewall > Firewall Setting
Table 80 TOOLS > Firewall > Service Setting
Table 81 TOOLS > Content Filter > Filter
Table 82 TOOLS > Content Filter > Schedule
Table 83 Remote Management
Table 84 TOOLS > Remote Management > WWW
Table 85 TOOLS > Remote Management > Telnet
Table 86 TOOLS > Remote Management > FTP
Table 87 SNMP Traps
Table 88 TOOLS > Remote Management > SNMP
Table 89 TOOLS > Remote Management > DNS
Table 90 TOOLS > Remote Management > Security
Table 91 Syslog Logs
Table 92 RFC-2408 ISAKMP Payload Types
Table 93 TOOLS > Logs > View Logs
Table 94 TOOLS > Logs > Log Settings
Table 95 System Error Logs
Table 96 System Maintenance Logs
Table 97 Access Control Logs
Table 98 TCP Reset Logs
Table 99 Packet Filter Logs
Table 100 ICMP Logs
Table 101 PPP Logs
Table 102 UPnP Logs
Table 103 Content Filtering Logs
Table 104 Attack Logs
Table 105 Remote Management Logs
Table 106 ICMP Notes
Table 107 SIP Logs
Table 108 RTP Logs
Table 109 FSM Logs: Caller Side
Table 110 FSM Logs: Callee Side
Table 111 Lifeline Logs
Table 112 TOOLS > UPnP
Table 113 Status
Table 114 Packet Statistics
Table 115 WiMAX Site Information
Table 116 DHCP Table
Table 117 VoIP Statistics
Table 118 The WiMAX Profile Screen
Table 119 IDU Hardware Specifications
Table 120 Indoor Wireless LAN Specification
Table 121 ODU Hardware Specifications
Table 122 Outdoor Wireless LAN Specification
Table 123 IEEE 802.11g
Table 124 Wireless Security Levels
Table 125 Comparison of EAP Authentication Types
Table 126 Wireless Security Relational Matrix
Table 127 IP Address Network Number and Host ID Example
Table 128 Subnet Masks
Table 129 Maximum Host Numbers
Table 130 Alternative Subnet Mask Notation
Table 131 Subnet 1
Table 132 Subnet 2
Table 133 Subnet 3
Table 134 Subnet 4
Table 135 Eight Subnets
Table 136 24-bit Network Number Subnet Planning
Table 137 16-bit Network Number Subnet Planning
Table 138 Commonly Used Services

PART I
Introduction and Wizards

Getting Started
Introducing the Web Configurator
Internet Connection Wizard
VoIP Connection Wizard

CHAPTER 1
Getting Started

1.1 Overview

Note: This User's Guide is concerned strictly with the IDU, hereafter referred to as the WiMAX Device.
In the following figures both the IDU and ODU may be shown, but all configuration options are for the IDU alone.

This product is a WiMAX subscriber station system comprised of an outdoor unit (ODU) and an indoor unit (IDU). The ODU connects to the WiMAX network while the IDU is the management point between the WiMAX network (via the ODU) and your computer/local area network. The IDU can also function as a Wi-Fi access point to the WiMAX network.

Figure 1 The IDU/ODU Setup

With this product, you can:

- Connect wirelessly to the Internet via WiMAX.
- Use a traditional analog telephone to make Internet calls using the WiMAX Device's Voice over IP (VoIP) communication capabilities.
- Set up an IEEE 802.11g wireless network (WLAN) using the WiMAX Device as an access point for the computers on your network.
- Configure firewall, content filtering and other features using the built-in browser-based Web Configurator.

See Chapter 23 on page 275 for a complete list of features for your model.
1.1.1 Wi-Fi Access Point

Activate the WiMAX Device's built-in IEEE 802.11g (also known as Wi-Fi or WLAN) feature to allow it to function as a wireless Access Point (AP). The illustration below shows a group of notebook computers connecting wirelessly to the WiMAX Device and then to the Internet through a WiMAX base station (BS).

Figure 2 WiFi Access Point

1.1.2 WiMAX Internet Access

Connect your computer or network directly to the WiMAX Device for WiMAX Internet access. In a wireless metropolitan area network (MAN), the WiMAX Device connects to a nearby WiMAX base station (BS) for Internet access. The following diagram shows a notebook computer equipped with the WiMAX Device connecting to the Internet through a WiMAX base station (BS).

Figure 3 WiMAX Device and Base Station

When the firewall is on, all incoming traffic from the Internet to your network is blocked unless it is initiated from your network.

1.2 WiMAX Device Hardware

Follow the instructions in the Quick Start Guide to make hardware connections.

1.2.1 LEDs

The following figure shows the LEDs (lights) on the WiMAX Device.

Figure 6 The WiMAX Device's LEDs

The following table describes your WiMAX Device's LEDs (from right to left).

Table 2 The WiMAX Device

| LED | STATE | DESCRIPTION |
|---|---|---|
| PWR | Off | The WiMAX Device is not receiving power. |
| | Red | The WiMAX Device is receiving power but has been unable to start up correctly or is not receiving enough power. See the Troubleshooting section for more information. |
| | Blinking Green | The WiMAX Device is performing a self-test. |
| | Solid Green | The WiMAX Device is receiving power and functioning correctly. |
| LAN 1~4 | Off | The LAN is not connected. |
| | Green | The WiMAX Device has a successful Local Area Network (Ethernet) connection. |
| | Blinking Green | The WiMAX Device is in the process of transmitting and receiving data. |
| VoIP 1~2 | Off | No SIP account is registered, or the WiMAX Device is not receiving power. |
| | Green | A SIP account is registered. |
| | Blinking Green | A SIP account is registered, and the phone attached to the LINE port is in use (off the hook). |
| | Orange | A SIP account is registered and has a voice message on the SIP server. |
| | Blinking Orange | A SIP account is registered and has a voice message on the SIP server, and the phone attached to the LINE port is in use (off the hook). |
| PoE | Off | The Power over Ethernet (PoE) link is not functioning. |
| | Green | The PoE link is functioning correctly. |
| | Blinking Green | The WiMAX Device is transmitting and receiving data over the PoE link. |
| WLAN | Off | The Wi-Fi network is not operational. |
| | Green | The Wi-Fi network is operational. |
| | Blinking Green | The WiMAX Device is sending and receiving data across the Wi-Fi network. |
| LINK | Green | The WiMAX service set ID is registered and operational. |
| | Slow Blinking Green | The WiMAX Device is currently searching for a channel (approximate blink speed is 1 second per). |
| | Fast Blinking Green | The WiMAX Device is currently in the process of joining a WiMAX network (approximate blink speed is 0.5 second per). |
| SIGNAL 1~3 | | The Signal LEDs display the Received Signal Strength Indication (RSSI) of the wireless (WiMAX) connection. |
| | No Signal LEDs | There is no WiMAX connection. |
| | Signal 1 On | The signal strength is less than or equal to -90 dBm |
| | Signal 2 On | The signal strength is less than or equal to -80 dBm |
| | Signal 3 On | The signal strength is less than or equal to -70 dBm |

1.3 Good Habits for Managing the WiMAX Device

Do the following things regularly to make the WiMAX Device more secure and to manage the WiMAX Device more effectively.

- Change your passwords regularly. Use passwords that are not easy to guess and that consist of different types of characters, such as numbers and letters.
- Write down your passwords but be sure to put them in a safe, secure place. Never store them in proximity to your computer or WiMAX Device.
- Back up the configuration (and make sure you know how to restore it). Restoring an earlier working configuration may be useful if the WiMAX Device becomes unstable or even crashes. If you forget your password, you will have to reset the WiMAX Device to its factory default settings. If you backed up an earlier configuration file, you would not have to totally re-configure the WiMAX Device. You could simply restore your last configuration.

CHAPTER 2
Introducing the Web Configurator

2.1 Overview

The web configurator is an HTML-based management interface that allows easy device set up and management via any web browser that supports: HTML 4.0, CSS 2.0, and JavaScript 1.5, and higher. The recommended screen resolution for using the web configurator is 1024 by 768 pixels and 16-bit color, or higher.

In order to use the web configurator you need to allow:

- Web browser pop-up windows from your device. Web pop-up blocking is enabled by default in many operating systems and web browsers.
- JavaScript (enabled by default in most web browsers).
- Java permissions (enabled by default in most web browsers).

See the Appendix D on page 327 for more information on configuring your web browser.

2.1.1 Accessing the Web Configurator

1 Make sure your WiMAX Device hardware is properly connected (refer to the Quick Start Guide for more information).
2 Launch your web browser.
3 Enter "192.168.1.1" as the URL.
4 A password screen displays. The default password (1234) displays in non-readable characters. If you haven't changed the password yet, you can just click Login. Click Cancel to revert to the default password in the password field. If you have changed the password, enter your password and click Login.
5 The following screen displays if you have not yet changed your password. It is highly recommended you change the default password. Enter a new password, retype it to confirm and click Apply; alternatively click Ignore to proceed to the main menu if you do not want to change the password now.
6 Click Apply in the next screen to create a certificate using your WiMAX Device's MAC address which is specific to this device. This certificate is used for authentication when using a secure HTTPS connection over the Internet.
7 A screen displays to let you choose whether to go to the wizard or the advanced screens.
  - Click Go to Wizard setup if you are logging in for the first time or if you want to make basic changes. The wizard selection screen appears after you click Apply. See Chapter 3 on page 47 for more information.
  - Click Go to Advanced setup if you want to configure features that are not available in the wizards. The main screen appears after you click Apply. See Section 3 on page 40 for more information.
  - Click Exit if you want to log out.

Note: For security reasons, the WiMAX Device automatically logs you out if you do not use the web configurator for five minutes. If this happens, simply log in again.

2.1.2 The Reset Button

If you forget your password or cannot access the web configurator, you will need to use the Reset button to reload the factory-default configuration file. This means that you will lose all configurations that you had previously and the password will be reset to 1234.

2.1.2.1 Using The Reset Button

1 Make sure the Power light is on (not blinking).
2 To set the device back to the factory default settings, press the Reset button for ten seconds or until the Power light begins to blink and then release it. When the Power light begins to blink, the defaults have been restored and the device restarts.
3 Reconfigure the WiMAX Device following the steps in your Quick Start Guide.

2.2 The Main Screen

When you first log into the web configurator, the Main screen appears. Here you can view a concise summary of your WiMAX Device connection status. This is also the default home page for the ZyXEL web configurator and it contains conveniently-placed shortcuts to all of the other screens.

Note: Some features in the web configurator may not be available depending on your firmware version and/or configuration.

Table 3 Main > Icons

| ICON | DESCRIPTION |
|---|---|
| MAIN | Click to return to the Main screen. |
| SETUP | Click to go to the Setup screen, where you can configure LAN, DHCP and WAN settings. |
| ADVANCED | Click to go to the Advanced screen, where you can configure features like Port Forwarding and Triggering, SNTP and so on. |
| VOICE | Click to go to the Voice screen, where you can configure your voice service and phone settings. |
| TOOLS | Click to go to the Tools screen, where you can configure your firewall, QoS, and content filter, among other things. |
| STATUS | Click to go to the Status screen, where you can view status and statistical information for all connections and interfaces. |
| Strength Indicator | Displays a visual representation of the quality of your WiMAX connection. Disconnected - Zero bars. Poor reception - One bar. Good reception - Two bars. Excellent reception - Three bars. |
The following table describes the labels in this screen.

Table 4 Main

| LABEL | DESCRIPTION |
|---|---|
| Help | Click to open the web configurator's online help. |
| Wizard | Click to run the Internet Connection and VoIP Connection Setup Wizard. All of the settings that you can configure in this wizard are also available in these web configurator screens. |
| Logout | Click to log out of the web configurator. Note: This does not log you off the WiMAX network, it simply logs you out of the WiMAX Device's browser-based configuration interface. |
| WiMAX Connection Status | This field indicates the current status of your WiMAX connection. Status messages are as follows: Connected - Indicates that the WiMAX Device is connected to the WiMAX network. Use the Strength Indicator icon to determine the quality of your network connection. Disconnected - Indicates that the WiMAX Device is not connected to the WiMAX network. DL_SYN - Indicates a download synchronization is in progress. This means the firmware is checking with the server for any updates or settings alterations. |
| Software Version | This field indicates the version number of the WiMAX Device firmware. The version number takes the form of: Version(Build), release status (candidate) \| Version Release Date. For example: V3.60(BCC.0)c4 \| 07/08/2008 indicates that the firmware is 3.60, build BCC.0, candidate 4, released on July 08, 2008. |
| Version Date | This field indicates the exact date and time the current firmware was compiled. |
| System Uptime | This field indicates how long the WiMAX Device has been on. This resets every time you shut the device down or restart it. |
| WiMAX Uptime | This field indicates how long the WiMAX Device has been connected to the WiMAX network. This resets every time you disconnect from the WiMAX network, shut the device down, or restart it. |
| Voice 1 | This field indicates the number and receiver status of the first voice account. |

Figure 7 Main Screen

The following table describes the icons in this screen.

Table 5 Main > Icons

| ICON | DESCRIPTION |
|---|---|
| MAIN | Click to return to the Main screen. |
| SETUP | Click to go to the Setup screen, where you can configure LAN and DHCP settings. |
| ADVANCED | Click to go to the Advanced screen, where you can configure features like Port Forwarding and Triggering, SNTP and so on. |
| VOICE | Click to go to the Voice screen, where you can configure your voice service and phone settings. |
| TOOLS | Click to go to the Tools screen, where you can configure your firewall, QoS, and content filter, among other things. |
| STATUS | Click to go to the Status screen, where you can view status and statistical information for all connections and interfaces. |
| Strength Indicator | Displays a visual representation of the quality of your WiMAX connection. Disconnected - Zero bars. Poor reception - One bar. Good reception - Two bars. Excellent reception - Three bars. |

The following table describes the labels in this screen.

Table 6 Main

| LABEL | DESCRIPTION |
|---|---|
| Help | Click to open the web configurator's online help. |
| Wizard | Click to run the Internet Connection and VoIP Connection Setup Wizard. All of the settings that you can configure in this wizard are also available in these web configurator screens. |
| Logout | Click to log out of the web configurator. Note: This does not log you off the WiMAX network, it simply logs you out of the WiMAX Device's browser-based configuration interface. |
| WiMAX Connection Status | This field indicates the current status of your WiMAX connection. Status messages are as follows: Connected - Indicates that the WiMAX Device is connected to the WiMAX network. Use the Strength Indicator icon to determine the quality of your network connection. Disconnected - Indicates that the WiMAX Device is not connected to the WiMAX network. DL_SYN - Indicates a download synchronization is in progress. This means the firmware is checking with the server for any updates or settings alterations. |
| Software Version | This field indicates the version number of the WiMAX Device firmware. The version number takes the form of: Version(Build), release status (candidate) \| Version Release Date. For example: V3.60(BCC.0)c4 \| 07/08/2009 indicates that the firmware is 3.60, build BCC.0, candidate 4, released on July 08, 2009. |
| Version Date | This field indicates the exact date and time the current firmware was compiled. |
| System Uptime | This field indicates how long the WiMAX Device has been on. This resets every time you shut the device down or restart it. |
| WiMAX Uptime | This field indicates how long the WiMAX Device has been connected to the WiMAX network. This resets every time you disconnect from the WiMAX network, shut the device down, or restart it. |
| Voice 1 | This field indicates the number and receiver status of the first voice account. |
| Voice 2 | This field indicates the number and receiver status of the second voice account. |

CHAPTER 3
Internet Connection Wizard

3.1 Overview

This chapter provides information on the Internet Connection Wizard screens. The wizard guides you through several steps in which you can configure your most basic (and essential) Internet settings.

Note: Screens are presented here in order of appearance as you work through the Internet Connection Wizard. To get to any particular screen, you must first navigate through the ones that came before it.

3.1.1 Welcome to the ZyXEL Setup Wizard

This is the welcome screen for the ZyXEL Setup Wizard. You can choose to either configure your Internet connection or your VoIP connection. Select Internet Connection Wizard to begin.

Figure 8 Select a Mode

3.1.2 System Information

This Internet Connection Wizard screen allows you to configure your WiMAX Device's system information. The settings here correspond to the ADVANCED > System Configuration > General screen (Section 11.2 on page 137).

Figure 9 Internet Connection Wizard > System Information

The following table describes the labels in this screen.

Table 7 Internet Connection Wizard > System Information

| LABEL | DESCRIPTION |
|---|---|
| System Name | System Name is a unique name to identify the WiMAX Device in an Ethernet network. Enter a descriptive name. This name can be up to 30 alphanumeric characters long. Spaces are not allowed, but dashes "-" and underscores "_" are accepted. |
| Domain Name | Type the domain name (if you know it) here. If you leave this field blank, the ISP may assign a domain name via DHCP. The domain name entered by you is given priority over the ISP assigned domain name. |
| Back | Click to display the previous screen. |
| Next | Click to proceed to the next screen. |
| Exit | Click to close the wizard without saving. |

3.1.3 Wireless LAN

This Internet Connection Wizard screen follows the System Information screen and allows you to configure your wireless network's security settings. The settings here correspond to the Advanced > WiFi Configuration > General screen, Security sub-section (Section 8.2 on page 104).

Note: The Security option you select here determines which screen comes next.

Figure 10 Internet Connection Wizard > Wireless LAN Screen

The following table describes the labels in this screen.

Table 8 Internet Connection Wizard > Wireless LAN Screen

| LABEL | DESCRIPTION |
|---|---|
| Name (SSID) | This is the name you assign to your network and the name that appears in a wireless client's network selection options. Note: SSID means Service Set IDentifier and is the technical term for a wireless network name. |
| Channel Selection | This is the radio channel on which the device broadcasts. If there are other networks in range, select a channel number that is not already in use in order to minimize possible cross-channel interference. |
| Security | Select an encryption method for your network. This is to discourage people from accessing your network without authorization. Choose an encryption method compatible with all of your anticipated network clients. Options are: None - It is not recommended that you use this setting. With no security, anyone who has a wireless device can connect to your network. Basic (WEP) - This is a basic form of encryption. It is not recommended that you use it as it can be bypassed quite easily. However, because it is one of the original wireless encryption methods, it is the most compatible with older wireless devices. Select this option if you require the widest range of compatibility. Extend (WPA-PSK with customized key) - This provides both improved data encryption and user authentication. Using PSK, both the WiMAX Device and the connecting client share a common password in order to validate the connection. This type of encryption, while robust, is not as strong as WPA2-PSK. Use this type of security if you do not use a RADIUS server to authenticate user credentials. Extend (WPA2-PSK with customize key) - This is a newer, more robust version of the WPA encryption standard. It offers slightly better security. Use this option if you do not have a RADIUS server on your network to verify user credentials. The option you select here changes the configuration options on this screen accordingly. For details on the specific security options, see subsequent tables. |
| Back | Click to display the previous screen. |
| Next | Click to proceed to the next screen. |
| Exit | Click to close the wizard without saving. |

3.1.3.1 Wireless LAN - Basic (WEP)

Figure 11 Internet Connection Wizard > Basic (WEP) Screen

This screen appears as a result of selecting Basic WEP as your Security option in the previous screen.
It allows you to configure WEP encryption for your wireless network. The settings here correspond to the Advanced > WiFi Configuration > General screen, Security sub-section with the Basic (WEP) option selected (Section 8.2 on page 104).

The following table describes the labels in this screen.

Table 9 Internet Connection Wizard > Basic (WEP) Screen

| LABEL | DESCRIPTION |
|---|---|
| Passphrase | Enter a password in this field if you want to have the WiMAX Device create a unique Hex-based key for you. After entering your password, click the Generate button. The Hex-based key appears in the field below. Note: If you Generate a passphrase, the length of the key created is determined by the option you select in the WEP encryption field. |
| WEP Encryption | Select the encryption strength for your WEP-enabled network. 64-Bit WEP - This is the older of the two available encryption algorithms. The key is smaller and requires less computational resources to cipher/decipher. For all intents and purposes, this is irrelevant for modern computers and wireless devices. Unfortunately, this level of security is rudimentary, at best, and easily broken. You should only use it in circumstances where backwards compatibility with older devices is a significant issue. 128-Bit WEP - This represents a higher standard of security for WEP encryption. Keys are larger, require slightly more computational resources, and are more difficult to crack. If backwards compatibility for older wireless devices is a non-issue, use this level of encryption for more robust security. Note: Of all the encryption types available for wireless networks, WEP is the weakest and easiest to bypass. It is recommended that you use WPA or WPA2 whenever possible. |
| ASCII / Hex | If you choose not to have the WiMAX Device automatically create an encryption key, you can manually enter one here either in ASCII or in Hex. Remember to record the password and distribute it to your wireless clients accordingly (and securely). If you choose to allow the WiMAX Device to automatically create an encryption key for you using the Passphrase field and its corresponding Generate key, then the new key appears in this field. Note: For 64-bit encryption: Enter 5 ASCII characters or 10 hexadecimal characters (0-9, A-F). Note: For 128-bit encryption: Enter 13 ASCII characters or 26 hexadecimal characters (0-9, A-F). |
| Back | Click to display the previous screen. |
| Next | Click to proceed to the next screen. |
| Exit | Click to close the wizard without saving. |

3.1.3.2 Wireless LAN - Extended (WPA-PSK / WPA2-PSK)

This screen appears as a result of selecting either WPA-PSK or WPA2-PSK as your Security option in the previous screen. It allows you to configure WPA-PSK / WPA2-PSK encryption for your wireless network. The settings here correspond to the Advanced > WiFi Configuration > General screen, Security sub-section with the Extend option selected (Section 8.2 on page 104).

Note: Both WPA-PSK and WPA2-PSK configuration options use this screen, with only minimal variation.

Figure 12 Internet Connection Wizard > Extended (WPA-PSK) Screen

The following table describes the labels in this screen.

Table 10 Internet Connection Wizard > Extended (WPA-PSK) Screen

| LABEL | DESCRIPTION |
|---|---|
| Pre-shared Key | This is a secret password that both the WiMAX Device and the wireless client must have in common in order for the wireless client to use the network. As the device administrator, you can generate this key how you see fit so long as it consists of a minimum of 8 alphanumeric letters and numbers. However, keep in mind that the more complex the key, the more difficult it is to break. The best keys consist of both letters and numbers. Note: This key is used by all wireless clients on your network to authenticate their connections, so be sure to distribute it accordingly (and securely). |
| Back | Click to display the previous screen. |
| Next | Click to proceed to the next screen. |
| Exit | Click to close the wizard without saving. |

3.1.4 Authentication Settings

This Internet Connection Wizard screen follows the Wireless LAN security setup screens and allows you to configure your Internet access settings. The settings here correspond to the ADVANCED > WAN Configuration > Internet Connection screen (Section 7.2 on page 93).

Figure 13 Internet Connection Wizard > Authentication Settings Screen

Anonymous identity (also known as outer identity) is used with EAP-TTLS encryption. The anonymous identity is used to route your authentication request to the correct authentication server, and does not reveal your real user name. Your real user name and password are encrypted in the TLS tunnel, and only the anonymous identity can be seen.
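The key formats given for the Wireless LAN screens in Sections 3.1.3.1 and 3.1.3.2 can be checked before a key is distributed to clients. The Python sketch below is an added example, not ZyXEL code: it classifies a WEP key as ASCII or hex, reports how many secret bits each form can hold, and applies the 8-character minimum to a pre-shared key. The mode strings and function names are assumptions made for the example.

```python
import math
import string

# Added example (not ZyXEL code). Lengths come from the guide's WEP and
# WPA-PSK tables; mode strings and function names are assumptions.
WEP_FORMATS = {64: {"ascii": 5, "hex": 10}, 128: {"ascii": 13, "hex": 26}}
WPA_PSK_MIN_LEN = 8
HEX_DIGITS = set(string.hexdigits)
# The 95 printable ASCII characters (space through tilde).
PRINTABLE = (set(string.printable) - set(string.whitespace)) | {" "}


def classify_wep_key(key, bits):
    """Return 'ascii' or 'hex' if the key fits the format for this strength, else None."""
    fmt = WEP_FORMATS[bits]
    if len(key) == fmt["hex"] and set(key) <= HEX_DIGITS:
        return "hex"
    if len(key) == fmt["ascii"] and set(key) <= PRINTABLE:
        return "ascii"
    return None


def wep_keyspace_bits(bits, form):
    """Upper bound, in bits, on the secret a key of this form can carry.

    The nominal 64/128 figure includes WEP's 24-bit initialization vector,
    which is sent in the clear, so the secret part is 40 or 104 bits at most.
    A key typed as ASCII draws each byte from only 95 values, so it is smaller.
    """
    fmt = WEP_FORMATS[bits]
    if form == "hex":
        return fmt["hex"] * 4.0
    return fmt["ascii"] * math.log2(len(PRINTABLE))


def audit_wireless(mode, key="", wep_bits=64):
    """Return (accepted, warnings) for one Security option and key."""
    if mode == "None":
        return True, ["no security: anyone with a wireless device can connect"]
    if mode == "WEP":
        form = classify_wep_key(key, wep_bits)
        fmt = WEP_FORMATS[wep_bits]
        if form is None:
            return False, [
                f"{wep_bits}-bit WEP needs {fmt['ascii']} ASCII "
                f"or {fmt['hex']} hexadecimal characters"
            ]
        secret = wep_keyspace_bits(wep_bits, form)
        return True, [
            "WEP is the weakest option; the guide recommends WPA or WPA2",
            f"{form} key holds at most {secret:.0f} secret bits of the nominal {wep_bits}",
        ]
    if mode in ("WPA-PSK", "WPA2-PSK"):
        if len(key) < WPA_PSK_MIN_LEN:
            return False, [f"pre-shared key needs at least {WPA_PSK_MIN_LEN} characters"]
        warnings = []
        if key.isalpha() or key.isdigit():
            warnings.append("key uses one character class; mix letters and numbers")
        if mode == "WPA-PSK":
            warnings.append("WPA2-PSK is the more robust option where clients support it")
        return True, warnings
    raise ValueError(f"unknown security mode: {mode!r}")


# Constructed sample settings (not taken from any real device).
SAMPLES = [
    ("None", "", 64),
    ("WEP", "abcde", 64),
    ("WEP", "0123456789ABCDEF0123456789", 128),
    ("WEP", "abcdef", 64),            # wrong length for either form
    ("WPA-PSK", "12345678", 64),      # accepted, but digits only
    ("WPA2-PSK", "blue42harbor17", 64),
]

if __name__ == "__main__":
    for mode, key, bits in SAMPLES:
        accepted, warnings = audit_wireless(mode, key, bits)
        print(f"{mode:9} {key!r:30} accepted={accepted}")
        for warning in warnings:
            print(f"    - {warning}")
```
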
The following table describes the labels in this screen.

Table 11 Internet Connection Wizard > Authentication Settings Screen

| LABEL | DESCRIPTION |
|---|---|
| Authentication | |
| User | Enter the username associated with your Internet access account. You can enter up to 61 printable ASCII characters. |
| Password | Enter the password associated with your Internet access account. You can enter up to 47 printable ASCII characters. |
| Anonymous Identity | Enter the anonymous identity provided by your Internet Service Provider. Leave this field blank if your ISP did not give you an anonymous identity to use. |
| PKM | This field displays the Privacy Key Management version number. PKM provides security between the WiMAX Device and the base station. At the time of writing, the WiMAX Device supports PKMv2 only. See the WiMAX security appendix for more information. |
| Authentication | This field displays the user authentication method. Authentication is the process of confirming the identity of a mobile station (by means of a username and password, for example). Check with your service provider if you are unsure of the correct setting for your account. Choose from the following user authentication methods: TTLS (Tunnelled Transport Layer Security), TLS (Transport Layer Security). Note: Not all WiMAX Devices support TLS authentication. Check with your service provider for details. |
| TTLS Inner EAP | This field displays the type of secondary authentication method. Once a secure EAP-TTLS connection is established, the inner EAP is the protocol used to exchange security information between the mobile station, the base station and the AAA server to authenticate the mobile station. See the WiMAX security appendix for more details. The WiMAX Device supports the following inner authentication types: CHAP (Challenge Handshake Authentication Protocol), MSCHAP (Microsoft CHAP), MSCHAPV2 (Microsoft CHAP version 2), PAP (Password Authentication Protocol). |
| Certificate | This is the security certificate the WiMAX Device uses to authenticate the AAA server. Use the TOOLS > Certificates > Trusted CA screen to import certificates to the WiMAX Device. |
| Back | Click to display the previous screen. |
| Next | Click to proceed to the next screen. |
| Exit | Click to close the wizard without saving. |

3.1.5 IP Address

This Internet Connection Wizard screen follows the Authentication Settings screen and allows you to configure the method with which your WiMAX Device acquires its IP address. The settings here correspond to the SETUP > Set IP Address screen (Section 5.2 on page 68).

A fixed (static) IP address is one that your ISP gives you. Your WiMAX Device uses that IP address every time you connect to the Internet. On the other hand, an automatic (dynamic) IP address is variable in that the ISP assigns you a different one each time you connect to the Internet.

Figure 14 Internet Connection Wizard > IP Address

The following table describes the labels in this screen.

Table 12 Internet Connection Wizard > IP Address

| LABEL | DESCRIPTION |
|---|---|
| IP Address | |
| My computer or device gets its IP address automatically from the network (Default) | Select this if you have a dynamic IP address. A dynamic IP address is not fixed; the ISP assigns you a different one each time you connect to the Internet. Note: Selecting this option takes you to the Setup Complete screen. |
| Use Fixed IP Address | Select this option to enter a static IP address or a fixed IP that your ISP gives you. Note: Selecting this option takes you to the IP Address Assignment screen. |
| Back | Click to display the previous screen. |
| Next | Click to proceed to the next screen. |
| Exit | Click to close the wizard screen without saving. |

3.1.5.1 IP Address Assignment

This screen appears as a result of selecting the Use Fixed IP Address option in the previous screen. It allows you to configure your static WAN and DNS IP Addresses. Use the information given to you by your Internet Service Provider.

The settings for WAN IP Address Assignment correspond to the Advanced > WAN Configuration > Internet Connection screen (Section 7.2 on page 93). The settings for DNS Server Address Assignment correspond to the Advanced > LAN Configuration > DHCP Setup screen, DNS Server sub-section.

Figure 15 Internet Connection Wizard > IP Address Assignment

The following table describes the labels in this screen.

Table 13 Internet Connection Wizard > IP Address

| LABEL | DESCRIPTION |
|---|---|
| WAN IP Address Assignment | |
| My WAN IP Address | Enter your ISP-assigned IP Address here. |
| My WAN IP Subnet Mask | Enter a subnet mask in dotted decimal notation. Refer to the appendices to calculate a subnet mask if you are implementing subnetting. |
| Gateway IP Address | Specify a gateway IP address (supplied by your ISP). |
| DNS Server Address Assignment | |
| First, Second and Third DNS Server | Specify the IP addresses of a maximum of three DNS servers that the network can use. The WiMAX Device provides these IP addresses to DHCP clients. If you enter nothing in these fields, no DNS service will be provided by the WiMAX Device. |
| Back | Click to display the previous screen. |
| Next | Click to proceed to the next screen. |
| Exit | Click to close the wizard screen without saving. |

3.1.6 Setup Complete

Launch your web browser and navigate to www.zyxel.com. If everything was configured properly, the web page should display. You can now surf the Internet!

Refer to the rest of this guide for more detailed information on the complete range of WiMAX Device features available in the more advanced web configurator.
Click Close to complete and save the Internet Connection Wizard settings.

Note: If you cannot access the Internet, open the web configurator again to confirm that the Internet settings you configured in the wizard setup are correct.

CHAPTER 4
VoIP Connection Wizard

4.1 Overview

This chapter provides information on the VoIP Connection Wizard screens. The wizard guides you through several steps in which you can configure the minimum required settings for placing phone calls over the Internet. You can configure the WiMAX Device to use up to two SIP-based VoIP accounts.

Note: Screens are presented here in order of appearance as you work through the VoIP Connection Wizard. To get to any particular screen, you must first navigate through the ones that came before it.

4.2 Welcome to the ZyXEL Setup Wizard

This is the welcome screen for the ZyXEL Setup Wizard. You can choose to either configure your Internet connection or your VoIP connection. Select VoIP Connection Wizard to begin.

Figure 16 Select a Mode

4.2.1 First Voice Account Settings

This VoIP Connection Wizard screen allows you to configure your voice account. The settings here correspond to the VOICE > Service Configuration > SIP Setting screen (see Section 12.2 on page 149 for more information).

Figure 17 VoIP Connection > First Voice Account Settings

The following table describes the labels in this screen.

Table 14 VoIP Connection > First Voice Account Settings

| LABEL | DESCRIPTION |
|---|---|
| SIP Number | Enter your SIP number in this field (use the number or text that comes before the @ symbol in a SIP account like 1234@VoIP-provider.com). You can use up to 127 ASCII characters. |
| SIP Server Address | Type the IP address or domain name of the SIP server in this field. It doesn't matter whether the SIP server is a proxy, redirect or register server. You can use up to 95 ASCII characters. |
| SIP Service Domain | Enter the SIP service domain name in this field (the domain name that comes after the @ symbol in a SIP account like 1234@VoIP-provider.com). You can use up to 127 ASCII Extended set characters. |
| User Name | This is the user name for registering this SIP account with the SIP register server. Type the user name exactly as it was given to you. You can use up to 95 ASCII characters. |
| Password | Type the password associated with the user name above. You can use up to 95 ASCII Extended set characters. |
| Configure the second voice account | Select this check box if you have a second SIP account that you want to use. You will need to configure the same fields as displayed on this screen for the second SIP account. |
| Back | Click to return to the previous screen. |
| Apply | Click to complete the wizard setup and save your configuration. |
| Exit | Click to close the wizard without saving your settings. |

After you enter your voice account settings and click Next, the WiMAX Device attempts to register your SIP account with the SIP server.

Figure 18 VoIP Connection > SIP Registration Test

This screen displays if SIP account registration fails. Check your WiMAX connection using the WiMAX Link and Strength Indicator LEDs on the front of the WiMAX Device, then wait a few seconds and click Register Again. If your Internet connection was already working, you can click Back and try re-entering your SIP account settings.

Figure 19 VoIP Connection > SIP Registration Fail

4.2.2 Setup Complete

Figure 20 VoIP Connection > Finish

Click Close to complete and save the VoIP Connection settings.
This screen displays if your SIP account registration was successful.

PART II
Basic Screens

The Main Screen
The Setup Screens

CHAPTER 5
The Setup Screens

5.1 Overview

Use these screens to configure or view LAN, DHCP Client and WAN settings.

5.1.1 What You Can Do in This Chapter

- The Set IP Address screen (Section 5.2 on page 68) lets you configure the WiMAX Device's IP address and subnet mask.
- The DHCP Client screen (Section 5.3 on page 69) lets you view a list of all connected DHCP clients.
- The Time Setting screen (Section 5.4 on page 70) lets you configure your WiMAX Device's time and date keeping settings.

5.1.2 What You Need to Know

The following terms and concepts may help as you read through this chapter.

LAN
A Local Area Network (LAN) is a shared communication system to which many computers are attached. A LAN, as its name implies, is limited to a local area such as a home or office environment. LANs have different topologies, the most common being the linear bus and the star configuration.

IP Address
IP addresses identify individual devices on a network. Every networking device (including computers, servers, routers, printers, etc.) needs an IP address to communicate across the network. These networking devices are also known as hosts.

Subnet Mask
The subnet mask specifies the network number portion of an IP address. Your device will compute the subnet mask automatically based on the IP address that you entered. You do not need to change the computed subnet mask unless you are instructed to do so.

Daytime
A network protocol used by devices for debugging and time measurement. A computer can use this protocol to set its internal clock but only if it knows in which order the year, month, and day are returned by the server. Not all servers use the same format.

Time
A network protocol for retrieving the current time from a server. The computer issuing the command compares the time on its clock to the information returned by the server, adjusts itself automatically for time zone differences, then calculates the difference and corrects itself if there has been any temporal drift.

NTP
NTP stands for Network Time Protocol. It is employed by devices connected to the Internet in order to obtain a precise time setting from an official time server. These time servers are accurate to within 200 microseconds.

5.1.3 Before You Begin

- Make sure that you have made all the appropriate hardware connections to the WiMAX Device, as described in the Quick Start Guide.
- Make sure that you have logged in to the web configurator at least one time and changed your password from the default, as described in the Quick Start Guide.

5.2 Set IP Address

Click the SETUP icon in the navigation bar to set up the WiMAX Device's IP address and subnet mask. This screen displays by default. If you are in any other sub-screen you can simply choose Set IP Address from the navigation menu on the left to open it again.

Figure 21 SETUP > Set IP Address

The following table describes the labels in this screen.

Table 15 SETUP > Set IP Address

LABEL | DESCRIPTION
---|---
IP Address | Enter the IP address of the WiMAX Device on the LAN. Note: This field is the IP address you use to access the WiMAX Device on the LAN. If the web configurator is running on a computer on the LAN, you lose access to it as soon as you change this field and click Apply. You can access the web configurator again by typing the new IP address in the browser.
IP Subnet Mask | Enter the subnet mask of the LAN.
Apply | Click to save your changes.
Reset | Click to restore your previously saved settings.

5.3 DHCP Client

Click SETUP > DHCP Client to view a list of all connected DHCP clients.

DHCP clients are those devices connected to the WiMAX Device, either directly with Ethernet cables or over a Wi-Fi network, and which have an IP address assigned to them by an associated DHCP server.

Figure 22 SETUP > DHCP Client

The following table describes the labels in this screen.

Table 16 SETUP > Set IP Address

LABEL | DESCRIPTION
---|---
# | This is the number of the item in this list.
IP Address | This indicates the IP address of the connected DHCP client device.
Host Name | This indicates the name of the connected DHCP client device.
MAC Address | Indicates the MAC address of the connected DHCP client.
Reserve | Indicates whether the IP address of the connected client is reserved for that client or not.
Apply | Click to save your changes.
Reset | Click to restore your previously saved settings.

5.4 Time Setting

Click SETUP > Time Setting to set the date, time, and time zone for the WiMAX Device.

Figure 23 SETUP > Time Setting

The following table describes the labels in this screen.

Table 17 SETUP > DHCP Client

LABEL | DESCRIPTION
---|---
Current Time and Date |
Current Time | Displays the current time according to the WiMAX Device.
Current Date | Displays the current date according to the WiMAX Device.
Time and Date Setup |
Manual | Select this if you want to specify the current date and time in the fields below.
New Time | Enter the new time in this field, and click Apply.
New Date | Enter the new date in this field, and click Apply.
Get from Time Server | Select this if you want to use a time server to update the current date and time in the WiMAX Device.
Time Protocol | Select the time service protocol that your time server uses. Check with your ISP or network administrator, or use trial-and-error to find a protocol that works. Daytime (RFC 867) - This format is day/month/year/time zone. Time (RFC 868) - This format displays a 4-byte integer giving the total number of seconds since 1970/1/1 at 0:0:0. NTP (RFC 1305) - This format is similar to Time (RFC 868).
Time Server Address | Enter the IP address or URL of your time server. Check with your ISP or network administrator if you are unsure of this information.
Time Zone Setup |
Time Zone | Select the time zone at your location.
Daylight Savings | Select this if your location uses daylight savings time. Daylight savings is a period from late spring to early fall when many places set their clocks ahead of normal local time by one hour to give more daytime light in the evening.
Start Date | Enter which hour on which day of which week of which month daylight-savings time starts.
End Date | Enter which hour on which day of which week of which month daylight-savings time ends.
Apply | Click to save your changes.
Reset | Click to restore your previously saved settings.

5.4.1 Pre-Defined NTP Time Servers List

The WiMAX Device uses a pre-defined list of NTP time servers if you do not specify a time server or it cannot synchronize with the time server you specified. It can use this list regardless of the time protocol you select.

When the WiMAX Device uses the list, it randomly selects one server and tries to synchronize with it. If the synchronization fails, then it goes through the rest of the list in order until either it is successful or all the pre-defined NTP time servers have been tried.

Table 18 Pre-defined NTP Time Servers
ntp1.cs.wisc.edu
ntp1.gbg.netnod.se
ntp2.cs.wisc.edu
tock.usno.navy.mil
ntp3.cs.wisc.edu
ntp.cs.strath.ac.uk
ntp1.sp.se

5.4.2 Resetting the Time

The WiMAX Device automatically resets the time in the following circumstances:

- When the device starts up, such as when you press the Power button.
- When you click Apply in the SETUP > Time Setting screen.
- Once every 24 hours after starting up.

Table 18 Pre-defined NTP Time Servers (continued)
time1.stupi.se
tick.stdtime.gov.tw
tock.stdtime.gov.tw
time.stdtime.gov.tw

PART III
Advanced Screens

The LAN Configuration Screens
The WAN Configuration Screens
The VPN Transport Screens
The NAT Configuration Screens
The System Configuration Screens

CHAPTER 6
The LAN Configuration Screens

6.1 Overview

A Local Area Network (LAN) is a shared communication system to which many computers are attached. A LAN is usually a computer network limited to the immediate area, such as the same building or floor of a building.

Use the ADVANCED > LAN Configuration screens to set up the WiMAX Device on the LAN. You can configure its IP address and subnet mask, DHCP services, and other subnets. You can also control how the WiMAX Device sends routing information using RIP.

6.1.1 What You Can Do in This Chapter

- The DHCP Setup screen (Section 6.2 on page 76) lets you enable, disable, and configure the DHCP server in the WiMAX Device.
- The Static DHCP screen (Section 6.3 on page 78) lets you assign specific IP addresses to specific computers on the LAN.
- The IP Alias screen (Section 6.4 on page 79) lets you add subnets on the LAN port. You can also control what routing information is sent and received by each subnet.
- The IP Static Route screen (Section 6.5 on page 81) lets you examine the static routes configured in the WiMAX Device.
- The Other Settings screen (Section 6.6 on page 83) lets you control the routing information that is sent and received by each subnet.

6.1.2 What You Need to Know

The following terms and concepts may help as you read through this chapter.

IP Address
IP addresses identify individual devices on a network. Every networking device (including computers, servers, routers, printers, etc.) needs an IP address to communicate across the network. These networking devices are also known as hosts.

Subnet Masks
Subnet masks determine the maximum number of possible hosts on a network. You can also use subnet masks to divide one network into multiple sub-networks.

DHCP
A DHCP (Dynamic Host Configuration Protocol) server can assign a device an IP address, subnet mask, DNS and other routing information when it's turned on.

DNS
DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a networking device before you can access it.

6.2 DHCP Setup

Click ADVANCED > LAN Configuration > DHCP Setup to enable, disable, and configure the DHCP server in the WiMAX Device.

Figure 24 ADVANCED > LAN Configuration > DHCP Setup

The following table describes the labels in this screen.

Table 19 ADVANCED > LAN Configuration > DHCP Setup

LABEL | DESCRIPTION
---|---
DHCP Setup |
Enable DHCP Server | Select this if you want the WiMAX Device to be the DHCP server on the LAN. As a DHCP server, the WiMAX Device assigns IP addresses to DHCP clients on the LAN and provides the subnet mask and DNS server information.
IP Pool Starting Address | Enter the IP address from which the WiMAX Device begins allocating IP addresses, if you have not specified an IP address for the computers on your network in ADVANCED > LAN Configuration > Static DHCP.
Pool Size | Enter the number of IP addresses to allocate. This number must be at least one and is limited by a subnet mask of 255.255.255.0 (regardless of the subnet the WiMAX Device is in). For example, if the IP Pool Start Address is 10.10.10.10, the WiMAX Device can allocate up to 10.10.10.254, or 245 IP addresses.
DNS Server |
First, Second and Third DNS Server | Specify the IP addresses of a maximum of three DNS servers that the network can use. The WiMAX Device provides these IP addresses to DHCP clients. You can specify these IP addresses two ways. From ISP - provide the DNS servers provided by the ISP on the WAN port. User Defined - enter a static IP address. DNS Relay - this setting will relay DNS information from the DNS server obtained by the WiMAX Device. None - no DNS service will be provided by the WiMAX Device.
Apply | Click to save your changes.
Reset | Click to restore your previously saved settings.

6.3 Static DHCP

Click ADVANCED > LAN Configuration > Static DHCP to assign specific IP addresses to specific computers on the LAN.

Note: This screen has no effect if the DHCP server is not enabled. You can enable it in ADVANCED > LAN Configuration > DHCP Setup.

Figure 25 ADVANCED > LAN Configuration > Static DHCP

The following table describes the labels in this screen.

Table 20 ADVANCED > LAN Configuration > Static DHCP

LABEL | DESCRIPTION
---|---
# | The number of the item in this list.
MAC Address | Enter the MAC address of the computer to which you want the WiMAX Device to assign the same IP address.
IP Address | Enter the IP address you want the WiMAX Device to assign to the computer.
Apply | Click to save your changes.
Reset | Click to restore your previously saved settings.

6.4 IP Alias

Click ADVANCED > LAN Configuration > IP Alias to add subnets on the LAN port. You can also control what routing information is sent and received by each subnet.

Figure 26 ADVANCED > LAN Configuration> IP Alias

The following table describes the labels in this screen.

Table 21 ADVANCED > LAN Configuration> IP Alias

LABEL | DESCRIPTION
---|---
IP Alias 1 | Select this to add the specified subnet to the LAN port.
IP Address | Enter the IP address of the WiMAX Device on the subnet.
IP Subnet Mask | Enter the subnet mask of the subnet.
RIP Direction | Use this field to control how much routing information the WiMAX Device sends and receives on the subnet. None - The WiMAX Device does not send or receive routing information on the subnet. Both - The WiMAX Device sends and receives routing information on the subnet. In Only - The WiMAX Device only receives routing information on the subnet. Out Only - The WiMAX Device only sends routing information on the subnet.
RIP Version | Select which version of RIP the WiMAX Device uses when it sends or receives information on the subnet. RIP-1 - The WiMAX Device uses RIPv1 to exchange routing information. RIP-2B - The WiMAX Device broadcasts RIPv2 to exchange routing information. RIP-2M - The WiMAX Device multicasts RIPv2 to exchange routing information.
IP Alias 2 | Select this to add the specified subnet to the LAN port.
IP Address | Enter the IP address of the WiMAX Device on the subnet.
IP Subnet Mask | Enter the subnet mask of the subnet.
RIP Direction | Use this field to control how much routing information the WiMAX Device sends and receives on the subnet. None - The WiMAX Device does not send or receive routing information on the subnet. Both - The WiMAX Device sends and receives routing information on the subnet. In Only - The WiMAX Device only receives routing information on the subnet. Out Only - The WiMAX Device only sends routing information on the subnet.
RIP Version | Select which version of RIP the WiMAX Device uses when it sends or receives information on the subnet. RIP-1 - The WiMAX Device uses RIPv1 to exchange routing information. RIP-2B - The WiMAX Device broadcasts RIPv2 to exchange routing information. RIP-2M - The WiMAX Device multicasts RIPv2 to exchange routing information.
Apply | Click to save your changes.
Reset | Click to restore your previously saved settings.

6.5 IP Static Route

Click ADVANCED > LAN Configuration > IP Static Route to look at the static routes configured in the WiMAX Device.

Note: The first static route is the default route and cannot be modified or deleted.

Figure 27 Advanced> LAN Configuration > IP Static Route

The following table describes the icons in this screen.

Table 22 Advanced> LAN Configuration > IP Static Route

ICON | DESCRIPTION
---|---
Edit | Click to edit this item.
Delete | Click to delete this item.

The following table describes the labels in this screen.

Table 23 Advanced> LAN Configuration > IP Static Route

LABEL | DESCRIPTION
---|---
# | The number of the item in this list.
Name | This field displays the name that describes the static route.
Active | This field shows whether this static route is active (Yes) or not (No).
Destination | This field displays the destination IP address(es) that this static route affects.
Gateway | This field displays the IP address of the gateway to which the WiMAX Device should send packets for the specified Destination. The gateway is a router or a switch on the same network segment as the device's LAN or WAN port. The gateway helps forward packets to their destinations.
Apply | Click to save your changes.
Reset | Click to restore your previously saved settings.

6.5.1 IP Static Route Setup

Click an Edit icon in ADVANCED > LAN Configuration > IP Static Route to edit a static route in the WiMAX Device.

Figure 28 Advanced> LAN Configuration > IP Static Route Setup

The following table describes the labels in this screen.

Table 24 Management > Static Route > IP Static Route > Edit

LABEL | DESCRIPTION
---|---
Route Name | Enter the name of the static route.
Active | Select this if you want the static route to be used. Clear this if you do not want the static route to be used.
Private | Select this if you do not want the WiMAX Device to tell other routers about this static route. For example, you might select this if the static route is in your LAN. Clear this if you want the WiMAX Device to tell other routers about this static route.
Destination IP Address | Enter one of the destination IP addresses that this static route affects.
IP Subnet Mask | Enter the subnet mask that defines the range of destination IP addresses that this static route affects. If this static route affects only one IP address, enter 255.255.255.255.
Gateway IP Address | Enter the IP address of the gateway to which the WiMAX Device should send packets for the specified Destination. The gateway is a router or a switch on the same network segment as the device's LAN or WAN port. The gateway helps forward packets to their destinations.
Metric | Usually, you should keep the default value. This field is related to RIP. The metric represents the "cost of transmission". A router determines the best route for transmission by choosing a path with the lowest "cost". The smaller the metric, the lower the "cost". RIP uses hop count as the measurement of cost, where 1 is for a directly-connected network. The metric must be 1-15; if you use a value higher than 15, the routers assume the link is down.
Apply | Click to save your changes.
Cancel | Click to return to the previous screen without saving your changes.

6.6 Other Settings

Click ADVANCED > LAN Configuration > Other Settings to set the RIP and Multicast options.

Figure 29 ADVANCED > LAN Configuration > Advanced

The following table describes the labels in this screen.

Table 25 ADVANCED > LAN Configuration > Other Settings

LABEL | DESCRIPTION
---|---
RIP & Multicast Setup |
RIP Direction | Use this field to control how much routing information the WiMAX Device sends and receives on the subnet. None - The WiMAX Device does not send or receive routing information on the subnet. Both - The WiMAX Device sends and receives routing information on the subnet. In Only - The WiMAX Device only receives routing information on the subnet. Out Only - The WiMAX Device only sends routing information on the subnet.
RIP Version | Select which version of RIP the WiMAX Device uses when it sends or receives information on the subnet. RIP-1 - The WiMAX Device uses RIPv1 to exchange routing information. RIP-2B - The WiMAX Device broadcasts RIPv2 to exchange routing information. RIP-2M - The WiMAX Device multicasts RIPv2 to exchange routing information.
Multicast | You do not have to enable multicasting to use RIP-2M. (See RIP Version.) Select which version of IGMP the WiMAX Device uses to support multicasting on the LAN. Multicasting sends packets to some computers on the LAN and is an alternative to unicasting (sending packets to one computer) and broadcasting (sending packets to every computer). None - The WiMAX Device does not support multicasting. IGMP-v1 - The WiMAX Device supports IGMP version 1. IGMP-v2 - The WiMAX Device supports IGMP version 2. Multicasting can improve overall network performance. However, it requires extra processing and generates more network traffic. In addition, other computers on the LAN have to support the same version of IGMP.
Apply | Click to save your changes.
Reset | Click to restore your previously saved settings.

6.7 Technical Reference

The following section contains additional technical information about the WiMAX Device features described in this chapter.

6.7.1 IP Address and Subnet Mask

Similar to the way houses on a street share a common street name, computers on a LAN share one common network number.

Where you obtain your network number depends on your particular situation. If the ISP or your network administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet mask.

If the ISP did not explicitly give you an IP network number, then most likely you have a single user account and the ISP will assign you a dynamic IP address when the connection is established. If this is the case, it is recommended that you select a network number from 192.168.0.0 to 192.168.255.0 and you must enable the Network Address Translation (NAT) feature of the WiMAX Device. The Internet Assigned Number Authority (IANA) reserved this block of addresses specifically for private use; please do not use any other number unless you are told otherwise. Let's say you select 192.168.1.0 as the network number, which covers 254 individual addresses, from 192.168.100.1 to 192.168.1.254 (zero and 255 are reserved). In other words, the first three numbers specify the network number while the last number identifies an individual computer on that network.

Once you have decided on the network number, pick an IP address that is easy to remember, for instance, 192.168.100.1, for your WiMAX Device, but make sure that no other device on your network is using that IP address.

The subnet mask specifies the network number portion of an IP address. Your WiMAX Device will compute the subnet mask automatically based on the IP address that you entered. You don't need to change the subnet mask computed by the WiMAX Device unless you are instructed to do otherwise.

6.7.2 DHCP Setup

DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to obtain TCP/IP configuration at start-up from a server. You can configure the WiMAX Device as a DHCP server or disable it. When configured as a server, the WiMAX Device provides the TCP/IP configuration for the clients. If DHCP service is disabled, you must have another DHCP server on your LAN, or else each computer must be manually configured.

The WiMAX Device is pre-configured with a pool of IP addresses for the DHCP clients (DHCP Pool). See the product specifications in the appendices. Do not assign static IP addresses from the DHCP pool to your LAN computers.

6.7.3 LAN TCP/IP

The WiMAX Device has built-in DHCP server capability that assigns IP addresses and DNS servers to systems that support DHCP client capability.

The LAN parameters of the WiMAX Device are preset in the factory with the following values:

- IP address of 192.168.100.1 with subnet mask of 255.255.255.0 (24 bits)
- DHCP server enabled with 32 client IP addresses starting from 192.168.1.33.

These parameters should work for the majority of installations. If your ISP gives you explicit DNS server address(es), see Section 6.3 on page 78.

6.7.4 DNS Server Address

DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it. The DNS server addresses that you enter in the DHCP setup are passed to the client machines along with the assigned IP address and subnet mask.

There are two ways that an ISP disseminates the DNS server addresses. The first is for an ISP to tell a customer the DNS server addresses, usually in the form of an information sheet, when s/he signs up. If your ISP gives you the DNS server addresses, enter them in the DNS Server fields in DHCP Setup, otherwise, leave them blank.

Some ISPs choose to pass the DNS servers using the DNS server extensions of PPP IPCP (IP Control Protocol) after the connection is up. If your ISP did not give you explicit DNS servers, chances are the DNS servers are conveyed through IPCP negotiation. The WiMAX Device supports the IPCP DNS server extensions through the DNS proxy feature.

If the Primary and Secondary DNS Server fields in the LAN Setup screen are not specified, for instance, left as 0.0.0.0, the WiMAX Device tells the DHCP clients that it itself is the DNS server. When a computer sends a DNS query to the WiMAX Device, the WiMAX Device forwards the query to the real DNS server learned through IPCP and relays the response back to the computer.

Please note that DNS proxy works only when the ISP uses the IPCP DNS server extensions. It does not mean you can leave the DNS servers out of the DHCP setup under all circumstances. If your ISP gives you explicit DNS servers, make sure that you enter their IP addresses in the LAN Setup screen. This way, the WiMAX Device can pass the DNS servers to the computers and the computers can query the DNS server directly without the WiMAX Device's intervention.
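The Pool Size limit from the DHCP Setup table and the advice in section 6.7.2 not to hand out static addresses from the DHCP pool can be checked before a plan is entered into the device. The following Python sketch is an added example, not ZyXEL code: the function names `pool_range` and `audit_lan_plan` are hypothetical, and the sample plan (addresses and MAC addresses) is constructed for illustration.

```python
"""Audit a LAN addressing plan against the DHCP constraints described in this guide.

Added example: the function names and the sample plan are constructed here.
"""
import ipaddress
import re

# The guide states the pool is limited by this mask, whatever subnet the device is in.
POOL_MASK = "255.255.255.0"
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def pool_range(start, size):
    """Return (first, last) address of a pool, enforcing the Pool Size limit."""
    first = ipaddress.IPv4Address(start)
    net = ipaddress.IPv4Network(f"{first}/{POOL_MASK}", strict=False)
    if first in (net.network_address, net.broadcast_address):
        raise ValueError(f"{first}: host parts 0 and 255 are reserved")
    largest = int(net.broadcast_address) - int(first)  # start .10 -> 245 addresses
    if not 1 <= size <= largest:
        raise ValueError(f"pool size must be 1..{largest} when starting at {first}")
    return first, first + (size - 1)


def audit_lan_plan(device_ip, pool_start, pool_size, static_dhcp, manual_hosts):
    """Return a list of findings (an empty list means no conflict was found).

    static_dhcp  : list of (mac, ip) rows as entered in the Static DHCP screen
    manual_hosts : dict of host name -> IP address configured by hand on the host
    """
    findings = []
    first, last = pool_range(pool_start, pool_size)
    device = ipaddress.IPv4Address(device_ip)

    if first <= device <= last:
        findings.append(f"device address {device} is inside the DHCP pool {first}-{last}")

    reserved = {}  # IPv4Address -> MAC that owns the reservation
    for mac, ip in static_dhcp:
        addr = ipaddress.IPv4Address(ip)
        if not MAC_RE.match(mac):
            findings.append(f"Static DHCP row for {addr} has a malformed MAC {mac!r}")
        if addr == device:
            findings.append(f"Static DHCP reserves the device's own address {addr} for {mac}")
        if addr in reserved:
            findings.append(f"{addr} is reserved for both {reserved[addr]} and {mac}")
        else:
            reserved[addr] = mac

    for name, ip in sorted(manual_hosts.items()):
        addr = ipaddress.IPv4Address(ip)
        if first <= addr <= last:
            findings.append(f"{name}: hand-configured {addr} is inside the DHCP pool {first}-{last}")
        if addr == device:
            findings.append(f"{name}: {addr} is the device's own LAN address")
        if addr in reserved:
            findings.append(f"{name}: {addr} is also reserved for {reserved[addr]} in Static DHCP")
    return findings


# Constructed sample plan (not taken from a real device).
SAMPLE = dict(
    device_ip="192.168.100.1",
    pool_start="192.168.100.33",
    pool_size=32,  # pool runs .33 to .64
    static_dhcp=[
        ("02:00:00:00:00:01", "192.168.100.10"),
        ("02:00:00:00:00:02", "192.168.100.10"),  # same IP reserved twice
    ],
    manual_hosts={"printer": "192.168.100.40", "nas": "192.168.100.200"},
)

if __name__ == "__main__":
    for line in audit_lan_plan(**SAMPLE):
        print("FINDING:", line)
```

On the sample plan the audit reports the address reserved for two MAC addresses and the printer whose hand-configured address falls inside the pool.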
6.7.5 RIP Setup

RIP (Routing Information Protocol) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. When set to:

- Both - the WiMAX Device will broadcast its routing table periodically and incorporate the RIP information that it receives.
- In Only - the WiMAX Device will not send any RIP packets but will accept all RIP packets received.
- Out Only - the WiMAX Device will send out RIP packets but will not accept any RIP packets received.
- None - the WiMAX Device will not send any RIP packets and will ignore any RIP packets received.

The Version field controls the format and the broadcasting method of the RIP packets that the WiMAX Device sends (it recognizes both formats when receiving). RIP-1 is universally supported; but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology.

Both RIP-2B and RIP-2M send the routing data in RIP-2 format; the difference being that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting.

6.7.6 Multicast

Traditionally, IP packets are transmitted in one of either two ways - Unicast (1 sender - 1 recipient) or Broadcast (1 sender - everybody on the network). Multicast delivers IP packets to a group of hosts on the network - not everybody and not just 1.

IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a Multicast group - it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use. If you would like to read more detailed information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5 of RFC 2236. The class D IP address is used to identify host groups and can be in the range 224.0.0.0 to 239.255.255.255. The address 224.0.0.0 is not assigned to any group and is used by IP multicast computers. The address 224.0.0.1 is used for query messages and is assigned to the permanent group of all IP hosts (including gateways). All hosts must join the 224.0.0.1 group in order to participate in IGMP. The address 224.0.0.2 is assigned to the multicast routers group.

The WiMAX Device supports both IGMP version 1 (IGMP-v1) and IGMP version 2 (IGMP-v2). At start up, the WiMAX Device queries all directly connected networks to gather group membership. After that, the WiMAX Device periodically updates this information. IP multicasting can be enabled/disabled on the WiMAX Device LAN and/or WAN interfaces in the web configurator (LAN; WAN). Select None to disable IP multicasting on these interfaces.

CHAPTER 7
The WAN Configuration Screens

7.1 Overview

A Wide Area Network (or WAN) links geographically dispersed locations to other networks or the Internet. A WAN configuration can include switched and permanent telephone circuits, terrestrial radio systems and satellite systems.

Use the ADVANCED > WAN Configuration screens to set up your WiMAX Device's Wide Area Network (WAN) or Internet features.

7.1.1 What You Can Do in This Chapter

- The Internet Connection screen (Section 7.2 on page 93) lets you set up your WiMAX Device's Internet settings.
- The WiMAX Configuration screen (Section 7.3 on page 95) lets you set up the frequencies used by your WiMAX Device.
- The Traffic Redirect screen (Section 7.4 on page 99) lets you change your WiMAX Device's traffic redirect settings.
- The Advanced screen (Section 7.5 on page 101) lets you configure your DNS server, RIP, Multicast and Windows Networking settings.

7.1.2 What You Need to Know

The following terms and concepts may help as you read through this chapter.

WiMAX
WiMAX (Worldwide Interoperability for Microwave Access) is the IEEE 802.16 wireless networking standard, which provides high-bandwidth, wide-range wireless service across wireless Metropolitan Area Networks (MANs). ZyXEL is a member of the WiMAX Forum, the industry group dedicated to promoting and certifying interoperability of wireless broadband products.

In a wireless MAN, a wireless-equipped computer is known either as a mobile station (MS) or a subscriber station (SS). Mobile stations use the IEEE 802.16e standard and are able to maintain connectivity while switching their connection from one base station to another base station (handover) while subscriber stations use other standards that do not have this capability (IEEE 802.16-2004, for example). The following figure shows an MS-equipped notebook computer MS1 moving from base station BS1's coverage area and connecting to BS2.

Figure 30 WiMax: Mobile Station

WiMAX technology uses radio signals (around 2 to 10 GHz) to connect subscriber stations and mobile stations to local base stations. Numerous subscriber stations and mobile stations connect to the network through a single base station (BS), as in the following figure.

Figure 31 WiMAX: Multiple Mobile Stations

A base station's coverage area can extend over many hundreds of meters, even under poor conditions. A base station provides network access to subscriber stations and mobile stations, and communicates with other base stations.

The radio frequency and bandwidth of the link between the WiMAX Device and the base station are controlled by the base station. The WiMAX Device follows the base station's configuration.

Authentication
When authenticating a user, the base station uses a third-party RADIUS or Diameter server known as an AAA (Authentication, Authorization and Accounting) server to authenticate the mobile or subscriber stations.

The following figure shows a base station using an AAA server to authenticate mobile station MS, allowing it to access the Internet.

Figure 32 Using an AAA Server

In this figure, the dashed arrow shows the PKM (Privacy Key Management) secured connection between the mobile station and the base station, and the solid arrow shows the EAP secured connection between the mobile station, the base station and the AAA server. See the WiMAX security appendix for more details.

Traffic Redirect
Traffic redirect forwards WAN traffic to a backup gateway when the WiMAX Device cannot connect to the Internet through its normal gateway. Connect the backup gateway on the WAN so that the WiMAX Device still provides firewall protection for the LAN.

Figure 33 Traffic Redirect WAN Setup

IP alias allows you to avoid triangle route security issues when the backup gateway is connected to the LAN or DMZ. Use IP alias to configure the LAN into two or three logical networks with the WiMAX Device itself as the gateway for each LAN network. Put the protected LAN in one subnet (Subnet 1 in the following figure) and the backup gateway in another subnet (Subnet 2). Configure a LAN to LAN/WiMAX Device firewall rule that forwards packets from the protected LAN (Subnet 1) to the backup gateway (Subnet 2).

Figure 34 Traffic Redirect LAN Setup

7.2 Internet Connection

Click ADVANCED > WAN Configuration to set up your WiMAX Device's Internet settings.

Note: Not all WiMAX Device models have all the fields shown here.

Figure 35 ADVANCED > WAN Configuration > Internet Connection

The following table describes the labels in this screen.

Table 26 ADVANCED > WAN Configuration > Internet Connection > ISP Parameters for Internet Access

LABEL | DESCRIPTION
---|---
ISP Parameters for Internet Access |
User | Use this field to enter the username associated with your Internet access account. You can enter up to 61 printable ASCII characters.
Password | Use this field to enter the password associated with your Internet access account. You can enter up to 47 printable ASCII characters.
Auth Mode | Select the authentication mode from the drop-down list box. This field is not available in all WiMAX Devices. Check with your service provider for details. The WiMAX Device supports the following authentication modes: User Only; Device Only with Cert; Certs and User Authentication.
Certificate | This is the security certificate the WiMAX Device uses to authenticate the AAA server. Use the TOOLS > > Trusted CAs screen to import certificates to the WiMAX Device.
WAN IP Address Assignment |
Get automatically from ISP | Select this if you have a dynamic IP address. A dynamic IP address is not fixed; the ISP assigns you a different one each time you connect to the Internet.

A static IP address is a fixed IP that your ISP gives you.
(Default) Use Fixed IP Address IP AddressEnter your ISP-assigned IP Address here. IP Subnet MaskEnter a subnet mask in dotted decimal notation. Company Confidential In a WiMAX network, a mobile or subscriber station must use a radio frequency supported by the base station to communicate. When the WiMAX Device looks for a connection to a base station, it can search a range of frequencies. Gateway IP Address ApplyClick to save your changes. ResetClick to restore your previously saved settings. Click ADVANCED > WAN Configuration > WiMAX Configuration to set up the frequencies used by your WiMAX Device. Refer to the appendicesto calculate a subnet mask if you are implementing subnetting. Specify a gateway IP address (supplied by your ISP). 7.3 WiMAX Configuration Users Guide 95 Chapter 7The WAN Configuration Screens Figure 36 ADVANCED > WAN Configuration >WiMAX Configuration Radio frequency is measured in Hertz (Hz). Table 27 Radio Frequency Conversion 1 kHz = 1000 Hz 1 MHz = 1000 kHz (1000000 Hz) 1 GHz = 1000 MHz (1000000 kHz) Company Confidential The following table describes the labels in this screen. Table 28 ADVANCED > WAN Configuration >WiMAX Configuration LABEL DL Frequency /
Bandwidth [1~19]
DESCRIPTION These fields show the downlink frequency settings in kilohertz (kHz). Enter values in these fields to have the WiMAX Device scan these frequencies for available channels in ascending numerical order. WiMAX Device finds a WiMAX connection, its frequency is displayed in this field. ApplyClick to save your changes. ResetClick to restore your previously saved settings. Note: The Bandwidth field is not user-configurable; when the Contact your service provider for details of supported frequencies. 96 Users Guide Chapter 7The WAN Configuration Screens 7.3.1 Frequency Ranges Figure 37 Frequency Ranges The following figure shows the WiMAX Device searching a range of frequencies to find a connection to a base station. In the figure, B shows the operator frequency range. This is the range of frequencies within the WiMAX frequency range supported by your operator
(service provider). In this figure, A is the WiMAX frequency range. WiMAX frequency range refers to the entire range of frequencies the WiMAX Device is capable of using to transmit and receive (see the Product Specifications appendix for details). Company Confidential The downlink frequencies are points of the frequency range your WiMAX Device searches for an available connection. Use the Site Survey screen to set these bands. You can set the downlink frequencies anywhere within the WiMAX frequency range. In this example, the downlink frequencies have been set to search all of the operator range for a connection. Have the WiMAX Device search only certain frequencies by configuring the downlink frequencies. Your operator can give you information on the supported frequencies. Use the WiMAX Frequency screen to define the radio frequencies to be searched for available wireless connections. See Section 7.3.3 on page 98 for an example of using the WiMAX Frequency screen. The operator range is subdivided into bandwidth steps. In the figure, each C is a bandwidth step. You need to set the WiMAX Device to scan one or more specific radio frequencies to find an available connection to a WiMAX base station. 7.3.2 Configuring Frequency Settings The arrow D shows the WiMAX Device searching for a connection. Users Guide 97 Chapter 7The WAN Configuration Screens Note: It may take several minutes for the WiMAX Device to find a connection. EXAMPLE 2 order, from [1] to [19]. on to the next DL Frequency field. Table 29 DL Frequency Example Settings EXAMPLE 1 25000002500000 25500002550000 WiMAX connection, its frequency is displayed in this field. The following table describes some examples of DL Frequency settings. 
When the WiMAX Device connects to a base station, the values in this screen The WiMAX Device searches the DL Frequency settings in ascending numerical If you enter a 0 in a DL Frequency field, the WiMAX Device immediately moves Note: The Bandwidth field is not user-configurable; when the WiMAX Device finds a are automatically set to the base stations frequency. The next time the WiMAX Device searches for a connection, it searches only this frequency. If you want the WiMAX Device to search other frequencies, enter them in the DL Frequency fields. Company Confidential Bandwidth:
DL Frequency
[1]:
DL Frequency [2] 02600000 DL Frequency
[3]:
DL Frequency
[4]:
The WiMAX Device searches at 2500000 kHz and then at 2550000 kHz if it has not found an available connection. If it still does not find an available connection, it searches at 2600000 kHz. In the DL Frequency [1] field, enter 2510000 (2510000 kilohertz (kHz) is equal to 2.51 gigahertz). In this example, your Internet service provider has given you a list of supported frequencies: 2.51, 2.525, 2.6, and 2.625. 7.3.3 Using the WiMAX Frequency Screen The WiMAX Device searches at 2500000 kHz, and then searches at 2550000 kHz if it has not found a connection. In the DL Frequency [2] field, enter 2525000. 1 2 0 0 0 0 3 In the DL Frequency [3] field, enter 2600000. 98 Users Guide Chapter 7The WAN Configuration Screens 4 In the DL Frequency [4] field, enter 2625000. 5 Click Apply. The WiMAX Device stores your settings. Leave the rest of the DL Frequency fields at zero. The screen appears as follows. Figure 38 Completing the WiMAX Frequency Screen Company Confidential When the WiMAX Device searches for available frequencies, it scans all frequencies from DL Frequency [1] to DL Frequency [4]. When it finds an available connection, the fields in this screen will be automatically set to use that frequency. Click ADVANCED > WAN Configuration > Traffic Redirect to change your WiMAX Devices traffic redirect settings. 7.4 Traffic Redirect Figure 39 ADVANCED > WAN Configuration > Traffic Redirect Users Guide 99 Chapter 7The WAN Configuration Screens DESCRIPTION WAN IP Address field. the normal WAN connection goes down. configure an IP address here. 
Backup Gateway IP Address Check WAN IP Address Fail ToleranceType the number of times (2 recommended) that your WiMAX Device Note: If you activate either traffic redirect or dial backup, you must Note: If you activate traffic redirect, you must configure the Check When using a WAN backup connection, the WiMAX Device periodically pings the addresses configured here and uses the other WAN backup connection (if configured) if there is no response. The following table describes the labels in this screen. Table 30 ADVANCED > WAN Configuration > Traffic Redirect LABEL ActiveSelect this check box to have the WiMAX Device use traffic redirect if Type the IP address of your backup gateway in dotted decimal notation. The WiMAX Device automatically forwards traffic to this IP address if the WiMAX Device's Internet connection terminates. Configure this field to test your WiMAX Device's WAN accessibility. Type the IP address of a reliable nearby computer (for example, your ISP's DNS server address). Company Confidential a response to the ping before considering the check to have failed. This setting must be less than the Period. Use a higher value in this field if your network is busy or congested. Type a number of seconds (5 to 300) to set the time interval between checks. Allow more time if your destination IP address handles lots of traffic. may ping the IP addresses configured in the Check WAN IP Address field without getting a response before switching to a WAN backup connection (or a different WAN backup connection). ping to either the default gateway or the address in the Check WAN IP Address field. ApplyClick to save your changes. ResetClick to restore your previously saved settings. 
Timeout (sec)Type the number of seconds (1 to 10) for your WiMAX Device to wait for Period (sec)The WiMAX Device tests a WAN connection by periodically sending a 100 Users Guide Chapter 7The WAN Configuration Screens 7.5 Advanced Figure 40 ADVANCED > WAN Configuration > Advanced Click ADVANCED > WAN Configuration > Advanced to configure your DNS server, RIP, Multicast and Windows Networking settings. Company Confidential The following table describes the labels in this screen. Table 31 ADVANCED > WAN Configuration > Advanced LABEL DNS Servers First, Second and Third DNS Server Select UserDefined if you have the IP address of a DNS server. Enter the DNS server's IP address in the field to the right. If you chose UserDefined, but leave the IP address set to 0.0.0.0, UserDefined changes to None after you click Apply. If you set a second choice to UserDefined, and enter the same IP address, the second UserDefined changes to None after you click Apply. Select Obtainedfrom ISP if your ISP dynamically assigns DNS server information (and the WiMAX Device's WAN IP address). Use the drop-down list box to select a DNS server IP address that the ISP assigns in the field to the right. Select None if you do not want to configure DNS servers. You must have another DHCP server on your LAN, or else the computers must have their DNS server addresses manually configured. If you do not configure a DNS server, you must know the IP address of a computer in order to access it. DESCRIPTION Users Guide 101 Chapter 7The WAN Configuration Screens DESCRIPTION RIP-1, RIP-2B and RIP-2M. None, Both, In Only and Out Only. Clear this check box to block all NetBIOS packets going from the LAN to the WAN and from the WAN to the LAN. Windows Networking (NetBIOS over TCP/IP) Allow between LAN and WAN protocol used to establish membership in a multicast group. The WiMAX Device supports both IGMP version 1 ( IGMP-v1) and IGMP-v2. Select None to disable it. 
Allow Trigger DialSelect this option to allow NetBIOS packets to initiate calls. ApplyClick to save your changes. ResetClick to restore your previously saved settings. Select this check box to forward NetBIOS packets from the LAN to the WAN and from the WAN to the LAN. If your firewall is enabled with the default policy set to block WAN to LAN traffic, you also need to enable the default WAN to LAN firewall rule that forwards NetBIOS traffic. Table 31 ADVANCED > WAN Configuration > Advanced (continued) LABEL RIP & Multicast Setup RIP DirectionSelect the RIP direction from RIP VersionSelect the RIP version from MulticastIGMP (Internet Group Multicast Protocol) is a network-layer Company Confidential 102 Users Guide Devices basic Wi-Fi settings and security. 8.1 Overview The General screen (Section 8.2 on page 104) allows you to set up your WiMAX 8.1.1 What You Can Do in This Chapter Use the ADVANCED > Wi-Fi Configuration screens to set up your WiMAX Devices Wi-Fi network features. CHAPTER 8 The Wi-Fi Configuration Screens Company Confidential On a local area network (LAN) or other network, the MAC address is a computer's unique hardware number. (On an Ethernet LAN, it's the same as your Ethernet address). The MAC layer frames data for transmission over the network, then passes the frame to the physical layer interface where it is transmitted as a stream of bits. Media Access Control filtering filters incoming frames based on MAC (Media Access Control) address(es) that you specify. Request to Send / Clear to Send is a mechanism for reducing interference (or collisions) on a network by delaying other data in the pipeline. The network device 8.1.2 What You Need to Know The MAC Filter screen (Section 8.3 on page 109) allows you to create a list of The Advanced screen (Section 8.4 on page 110) allows you to adjust your The following terms and concepts may help as you read through this chapter. computer MAC addresses that you can allow or deny on your network. 
advanced Wi-Fi network settings. MAC Address MAC Filtering RTS/CTS Users Guide 103 Chapter 8The Wi-Fi Configuration Screens Fragmentation option that you select. 8.2 General Figure 41 ADVANCED > Wi-Fi Configuration > General Note: The security options in this screen change according to the Security Mode using RTS/CTS initiates the delay as soon as a data frame over a specified size enters the network. The length of the delay is specified in the RTS/CTS configuration parameters. Click ADVANCED > Wi-Fi Configuration. This screen allows you to set up your WiMAX Devices basic wireless settings and security. On a wireless network, fragmentation refers to the mechanism used to ensue data integrity during transmission. If a network experiences an inordinate amount of interference (or collisions), then artificially fragmenting the data moving across it can reduce this risk. Company Confidential The following table describes the labels in this screen. Table 32 ADVANCED > Wi-Fi Configuration > General LABEL Wireless Setup Enable Wireless LAN Select this turn to have the WiMAX Device broadcast an IEEE 802.11b/g Wi-Fi signal. DESCRIPTION 104 Users Guide Chapter 8The Wi-Fi Configuration Screens Channel Selection DESCRIPTION Security Options are:
as on compatible Wi-Fi clients. from unwanted visitors. The options are:
Static WEP - This is a basic form of encryption. It is not Hide SSIDSelect this option to mask your Wi-Fi network signal. While this may hide it from casual scanning programs and devices, it cannot truly hide it from dedicated signal sniffers. No Security - It is not recommended that you use this setting. With no security, anyone who has a Wi-Fi device can connect to your network. Security Security ModeSelect a security encryption protocol to protect your Wi-Fi network Table 32 ADVANCED > Wi-Fi Configuration > General (continued) LABEL Name (SSID)Enter the SSID name that the wireless network signal will be listed If you know the SSID, however, you can still connect to it when prompted to enter an SSID either by your operating system s connection mechanism or the Wi-Fi software you use. Select a channel on which to broadcast your Wi-Fi network signal. Ideally, you should choose a channel that is currently not in use by other devices within range of this one. Company Confidential user authentication. Using PSK, both the WiMAX Device and the connecting client share a common password in order to validate the connection. This type of encryption, while robust, is not as strong as WPA, WPA2 or even WPA2-PSK. Use this type of security of you do not use a RADIUS server to authenticate user credentials. WPA2-PSK - This is a newer, more robust version of the WPA encryption standard. It offers slightly better security, although the use of PSK makes it less robust than it could be. Use this option if you do not have RADIUS server on your network to verify user credentials. wireless networks. It requires a RADIUS server to authenticate user credentials and is a full implementation the security protocol. Use this security option for maximum protection of your network. However, it is the least backwards compatible with older devices. recommended that you use it as it can be by-passed quite easily. 
However, because it is one of the original Wi-Fi encryption methods, it is the most compatible with older devices. Select this option if you require maximum compatibility. The option you select here changes the configuration options on this screen accordingly. For details on the specific security options, see subsequent tables. presence of a RADIUS server on your network in order to validate user credentials. This encryption standard is slightly older than WPA2 and therefore is more compatible with older devices. ApplyClick to save your changes. ResetClick to restore your previously saved settings. WPA2 - This is currently the most robust form of encryption for WPA-PSK - This provides both improved data encryption and WPA - This is a security subset of WPA2. It requires the Users Guide 105 Chapter 8The Wi-Fi Configuration Screens The subsequent screens describe the individual Security Mode options. Figure 42 ADVANCED > Wi-Fi Configuration > WPA/WPA2 Optionsl Company Confidential 106 Users Guide Chapter 8The Wi-Fi Configuration Screens options. DESCRIPTION appears in WPA2 mode. WPA or WPA2 to display the following Wi-Fi network security Group Key Update Timer Authentication Server WPA CompatibleSelect this option to ensure backwards compatibility with the WPA Note: This option does not appear in WPA mode. It only Set the time (in seconds) that the WiMAX Device waits before requiring a connected client to reauthenticate their session. encryption protocol while in WPA2 mode, thus allowing both WPA and WPA2 clients to connect simultaneously. ReAuthentication Time Idle TimeoutSet the time (in seconds) the WiMAX Device waits before The following table describes the Security Mode options for both WPA and WPA2. Table 33 ADVANCED > Wi-Fi Configuration > General LABEL Security ModeSelect disconnecting an idle client. If a client becomes active before the idle count is up, the count resets. 
Set the time (in seconds) that WiMAX Device updates the encryption key used for all connected clients on the Wi-Fi network. This is a server used to securely check one s login credentials, such as a RADIUS server. Company Confidential IP AddressEnter the IP address of the authentication server. Port NumberEnter the port number of the authentication server. Shared Enter the password for the authentication server. Secret IP AddressEnter the IP address of the accounting server. Port NumberEnter the port number of the accounting server. Shared Enter the password for the accounting server. Secret This is a server that measures the duration of all active connections, usually for accounting purposes, such as an ISP that charges users per minute online rather than a flat fee per month. Figure 43 ADVANCED > Wi-Fi Configuration > WPA-PSK/WPA2-PSK Optionsl ActiveSelect this option to have the WiMAX Device use an accounting server in tandem with the authentication server. Accounting Server Users Guide 107 Chapter 8The Wi-Fi Configuration Screens DESCRIPTION network security options. Group Key Update Timer appears in WPA2-PSK mode. WPA-PSK or WPA2-PSK to display the following Wi-Fi WPA CompatibleSelect this option to ensure backwards compatibility with the WPA-
Pre-Shared KeyEnter the password that wireless clients will have to match in order Note: This option does not appear in WPA-PSK mode. It only PSK encryption protocol while in WPA2-PSK mode, thus allowing both WPA and WPA2 clients to connect simultaneously. to make a secure Wi-Fi network connection with this device. Set the time (in seconds) that the WiMAX Device waits before requiring a connected client to reauthenticate their session. ReAuthentication Time Idle TimeoutSet the time (in seconds) the WiMAX Device waits before disconnecting an idle client. If a client becomes active before the idle count is up, the count resets. Set the time (in seconds) that WiMAX Device updates the encryption key used for all connected clients on the wireless network. The following table describes the Security Mode options for both WPA-PSK and WPA2-PSK. Table 34 ADVANCED > Wi-Fi Configuration > General LABEL Security ModeSelect Company Confidential 108 Users Guide Chapter 8The Wi-Fi Configuration Screens 8.3 MAC Filter address fields. (This is the default setting.) Figure 44 ADVANCED > WAN Configuration >WiMAX Configuration Note: If you do not want to enable this feature, enter 00:00:00:00:00:00 in the MAC Click ADVANCED > Wi-Fi Configuration > MAC Filter. This screen allows you to create a list of MAC addresses that you will allow or deny on your network. Company Confidential The following table describes the labels in this screen. Table 35 ADVANCED > WAN Configuration >WiMAX Configuration LABEL ActiveSelect this option to enable MAC address filtering on your WiMAX SetThe number of the item in the list. MAC AddressEnter the MAC address to filter. MAC addresses are always written as Device. When active, only clients whose MAC addresses match those you enter on this list are filtered. ApplyClick to save your changes. ResetClick to restore your previously saved settings. 
Deny - Select this option to disallow connection only to the MAC Allow - Select this option to allow connections only to the MAC Filter ActionSelect the the type of filter you want to employ:
8 hexidecimal pairs separated by colons. addresses on this list. addresses on the list. DESCRIPTION Users Guide 109 Chapter 8The Wi-Fi Configuration Screens 8.4 Advanced Appendix C on page 313. Figure 45 ADVANCED > WAN Configuration > Traffic Redirect Note: For more information on RTS/CTS and Fragmentation Thresholds, see Click ADVANCED > Wi-Fi Configuration > Advanced. This screen allows to adjust your advanced Wi-Fi network settings. Company Confidential Note: Setting the value to 2346 effectively turns this off. Enter a value between 256 and 2346 if you want to use the Fragmentation Threshold mechanism. This reduces packet loss resulting from signal interference (such as from other nearby wireless transmitters) by pre-emptively and logically fragmenting data packets and reassemblnig them at their destination. The following table describes the labels in this screen. Table 36 ADVANCED > Wi-Fi Configuration > Advanced LABEL RTS/CTS Threshold DESCRIPTION Enter a value between 256 and 2346 if you want to use the RTS
(Request to Send) / CTS (Clear to Send) mechanism to reduce potential packet collisions. As with the RTS/CTS Threshold mechanism, using this feature can improve network performance if you are detecting an abnormal number of packet collisions. If you notice that your Wi-Fi clients are suffering from data loss or slow data packet transmission/reception, use this feature. Note: Setting the value to 2346 effectively turns this off. Fragmentation Threshold 110 Users Guide Chapter 8The Wi-Fi Configuration Screens DESCRIPTION 802.11g - This protocol is newer and marginally more robust than 802.11b - This protocol is one of the older ones and is not nearly as ApplyClick to save your changes. ResetClick to restore your previously saved settings. Table 36 ADVANCED > Wi-Fi Configuration > Advanced (continued) LABEL 802.11 ModeSelect the Wi-Fi protocol to use while broadcasting. 802.11b/g - This is a hybrid protocol that incorporates all the advantages of the individual protocols with few, if any, of their drawbacks. More importantly, it does not suffer from interference from other devices in its frequencey range. Select this method if you have clients who are using either b, g, or both. robust as later versions (b, g, n). In many countries, it shares the same frequency range (2.4 GHz) as other devices, like cordless phones, Bluetooth devices, and microwave ovens, and so may be prone to interference from them. This protocol has an approximate maximum data throughput of: 11 Mbit/s (average is about 4.5 Mbit/
s in a typical networking environment). Select this mode if all your clients are using b and if you have moderate to low bandwidth requirements. its predecessor. Like the b protocol, it, too, tends to overlap frequencies with other kinds of devices (2.4 GHz) and is similarly prone to interference from them. However, differences in how it operates give it much higher bandwidth capabilities and ouptut power. This protocol has an approximate maximum data throughput of: 54 Mbit/s (average is about 19 Mbit/s in a typical networking environment.) Select this mode if your clients are using g or a mix of g and b and if you have moderate to high bandwidth requirements. Company Confidential Users Guide 111 Chapter 8The Wi-Fi Configuration Screens Company Confidential 112 Users Guide CHAPTER 9 9.1 Overview VPN stands for Virtual Private Network. There are many types of VPN; the type used by the WiMAX Device is known as Virtual Private LAN Service, or VPLS. The VPN Transport Screens This chapter describes the ADVANCED > VPN Transport screens, where you can configure the WiMAX Device to allow traffic from multiple users to pass through the WiMAX network to the service providers router. Each user has his own personal connection to the service provider, even though there is only a single WiMAX connection. This allows the service provider to identify which user traffic comes from. Company Confidential The following figure shows two users (A and B), connecting to the WiMAX Device
(Z) through a switch (S). Each user has his own connection over the WiMAX network to the service providers router (R). Note: Unlike some other types of VPN (such as IPSec VPNs) VPLS VPNs do not use Note: The services available may vary, depending upon the service provider. authentication or encryption to secure the data they carry. Figure 46 VPN Transport Example RWiMAX SZ A B Users Guide 113 Chapter 9The VPN Transport Screens 9.1.1 What You Can Do in This Chapter Identifying Users which users can use which WiMAX network links. information about the VPN transport connections. The following terms and concepts may help as you read through this chapter. The Statistics screen (Section 9.5 on page 124) lets you view performance The Customer Interface screen (Section 9.3 on page 116) lets you specify The Ethernet Pseudowire screen (Section 9.4 on page 121) lets you configure 9.1.2 What You Need to Know the links over the WiMAX network between the WiMAX Device and the service providers router. The General screen (Section 9.2 on page 116) lets you turn VPN transport on or off, and to set the VPN transport endpoint (your service providers router). For the WiMAX Devices VPN Transport feature to work, it must be able to identify users on the LAN. It does this by examining VLAN (Virtual Local Area Network) tags. Company Confidential These tags must be added to the data packets by a switch on the LAN. In the following example, two users (A and B) are connected to a switch (C). A and B are connected to different ports on the switch (port 1 and port 2). A and B send untagged packets to the switch. The switch adds tags to packets depending on the physical port on which they arrive. Packets arriving on port 1 are given a VLAN ID
(VLAN IDentifier) of 1, and packets arriving on port 2 are given a VLAN ID of 2. 114 Users Guide Chapter 9The VPN Transport Screens 9.2 General DESCRIPTION Figure 48 ADVANCED > VPN Transport > General Click ADVANCED >VPN Transport to turn VPN transport on or off and to set the VPN transport endpoint (your service providers router). The following table describes the labels in this screen. Table 37 ADVANCED > VPN Transport > General LABEL L2/L3 VPN Transport General Setup Transport L2/L3 VPN... Remote GRE Tunnel End ApplyClick to save your changes. ResetClick to restore your previously saved settings. Company Confidential Customer interfaces connect data coming from your computers to Ethernet pseudowires, according to the datas VLAN (Virtual Local Area Network) information. One customer interface is for traffic that has no tag; this is the default interface (rule 0) which cannot be deleted in the GUI. All other customer interfaces are identified by their VLAN ID. Select this to turn the VPN transport feature on. Deselect it to turn the VPN transport feature off. Enter the domain name or IP address of your service providers router. Once the WiMAX Device has examined a frames VLAN tag, it is able to assign the frame to a specified path. This is done using a customer interface. The customer 9.3 Customer Interface 116 Users Guide Chapter 9The VPN Transport Screens 1 2 20 10 PW2 PW1 WiMAX PW1 PW2 VLAN 10 VLAN 20 Figure 49 Pseudowire Mapping interface is simply a set of information that takes frames from a VLAN and put them on an Ethernet pseudowire, and vice versa. The WiMAX Device has a default customer interface configured for frames that arrive at the WiMAX Device without VLAN tags. In this example, the WiMAX Device takes frames tagged with two different VLAN IDs (10 and 20) and using the customer interfaces, assigns them to specific pseudowires (PW1 and PW2). Company Confidential The WiMAX Device uses MPLS VPNs to create virtual private LANs. 
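The VLAN-to-pseudowire mapping of Figure 49, as an added Python example (not ZyXEL's code): it reads the IEEE 802.1Q tag, selects the customer interface, and wraps bridged frames in an MPLS label and GRE header in the way sections 9.3.1 and 9.3.2 describe. The label numbers, the drop action for VLANs with no interface, and the exact header layout (MPLS-in-GRE, protocol type 0x8847) are assumptions; the last check shows that the inner frame is carried unencrypted, which is what the note in section 9.1 warns about.

```python
import struct

TPID_8021Q = 0x8100       # IEEE 802.1Q tag protocol identifier
GRE_PROTO_MPLS = 0x8847   # GRE protocol type for MPLS unicast (assumed layout)
UNTAGGED = -1             # VLAN ID the Customer Interface table shows for the untagged entry

# Constructed table mirroring Figure 49 (VLAN 10 -> PW1, VLAN 20 -> PW2).
# Label numbers are made up; interface 0 is the untagged routing interface.
CUSTOMER_INTERFACES = {
    UNTAGGED: {"index": 0, "mode": "R", "pseudowire": None, "ingress_label": None},
    10: {"index": 1, "mode": "B", "pseudowire": 1, "ingress_label": 1001},
    20: {"index": 2, "mode": "B", "pseudowire": 2, "ingress_label": 1002},
}


def make_frame(vlan_id=None, payload=b"constructed payload"):
    """Build a constructed Ethernet frame, 802.1Q-tagged when vlan_id is given."""
    header = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    if vlan_id is not None:
        header += struct.pack("!HH", TPID_8021Q, vlan_id & 0x0FFF)
    return header + struct.pack("!H", 0x0800) + payload


def vlan_id_of(frame):
    """Return the 12-bit VLAN ID of a frame, or UNTAGGED if it carries no tag."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return UNTAGGED
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF   # low 12 bits of the tag control information


def encapsulate(frame, label, ttl=64):
    """Prefix the frame with a GRE header and one MPLS label stack entry."""
    if not 0 <= label < 2 ** 20:
        raise ValueError("MPLS label must fit in 20 bits")
    gre = struct.pack("!HH", 0x0000, GRE_PROTO_MPLS)          # no checksum, key or sequence
    mpls = struct.pack("!I", (label << 12) | (1 << 8) | ttl)  # bottom-of-stack bit set
    return gre + mpls + frame


def process(frame):
    """Classify a LAN frame and return (action, pseudowire, tunnel_payload)."""
    vid = vlan_id_of(frame)
    iface = CUSTOMER_INTERFACES.get(vid)
    if iface is None:
        return ("drop", None, None)    # assumption: no interface means no path
    if iface["mode"] == "R":
        return ("route", None, None)   # untagged traffic uses routing / NAT
    return ("bridge", iface["pseudowire"], encapsulate(frame, iface["ingress_label"]))


def label_of(tunnel_payload):
    """Read the MPLS label back out of an encapsulated payload."""
    (entry,) = struct.unpack_from("!I", tunnel_payload, 4)
    return entry >> 12


if __name__ == "__main__":
    for vid in (10, 20, 30, None):
        frame = make_frame(vid)
        action, pw, out = process(frame)
        print(vid, action, pw, out.hex() if out else None)
        if out:
            # The original frame appears byte-for-byte inside the tunnel payload.
            print("  inner frame visible on the wire:", frame in out)
```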
9.3.1 Multi-Protocol Label Switching

MPLS stands for Multi-Protocol Label Switching, and is a packet-switching technology that allows packets with different VLAN tags to be transported on different paths (known as LSPs, or Label Switched Paths). Each packet is identified by its VLAN tag and sent to a specific LSP for transport over the WiMAX network.

Each LSP has a defined start-point and end-point. Since MPLS creates mono-directional paths (traffic flows in only one direction), each Ethernet pseudowire uses two LSPs so that traffic can flow both ways. One LSP carries upstream traffic, and the other carries downstream traffic.

9.3.2 Generic Routing Encapsulation

In order to transport the VPLS traffic over the WiMAX network, the WiMAX Device uses the Generic Routing Encapsulation (GRE) protocol. Like MPLS, GRE is a tunneling protocol that has specified endpoints. The GRE tunnel is bi-directional, and transports both LSPs. The GRE tunnel runs across the WiMAX network between the WiMAX Device and your service provider's router.

It is necessary to encapsulate the Ethernet pseudowire since the WiMAX connection is IP-only. MPLS information is carried in a packet's Ethernet header and, without encapsulation, would be stripped from the packet prior to the packet's transmission over the WiMAX link.

The following figure shows the VPLS connection between your WiMAX Device (A) and your service provider's router (B), consisting of GRE-encapsulated Ethernet pseudowire traffic.

Figure 50 VPLS Tunneling

9.3.3 Customer Interface Options

Click ADVANCED > VPN Transport > Customer Interface to configure the VPNs used by the WiMAX Device.

Note: You cannot delete the Untagged entry. It is required for the WiMAX Device to function properly.

Figure 51 ADVANCED > VPN Transport > Customer Interface

The following table describes the icons in this screen.

Table 38 Advanced > VPN Transport > Customer Interface

ICON | DESCRIPTION
---|---
Edit | Click to edit this item.
Delete | Click to delete this item.

The following table describes the labels in this screen.

Table 39 ADVANCED > VPN Transport > Customer Interface

LABEL | DESCRIPTION
---|---
# | The number of the item in this list.
Active | This icon is green if the associated interface is enabled. The icon is grey if the associated interface is disabled. Enable or disable an interface by clicking its Edit icon and selecting or deselecting Active and clicking Apply in the screen that displays.
Interface Type | This displays either Tagged or Untagged. A tagged interface controls traffic with a specific IEEE 802.1Q VLAN tag, whereas an untagged interface controls traffic that does not have a VLAN tag. There can be only one untagged interface.
VLAN ID | For a tagged interface, this displays the IEEE 802.1Q VLAN ID number. For the untagged interface, -1 displays.
Mode | This displays either B (bridging) or R (routing). Only the default interface, interface 0, can be a routing interface.
DSCP | This displays the DiffServ Control Point value you previously entered in binary. This determines the pseudowire's priority on the network. The DSCP value is displayed in binary notation and has six bits.
Associated Ethernet Pseudowire (Ingress, Egress) | This displays the number of the Ethernet pseudowire that this interface uses, as well as the ingress and egress MPLS (Multi-Protocol Label Switching) VC (Virtual Circuit) label numbers.
Interface Description | This displays the information you previously entered describing the interface. For the default interface, interface 0, the description reads for routing / NAT.
Action | Click the Edit icon to set up a new interface or alter the configuration of an existing interface. Click the Delete icon to remove an existing interface.

9.3.4 Customer Interface Setup

Click the Edit icon in the ADVANCED > VPN Transport > Customer Interface screen to open the Customer Interface Setup.

Customer interfaces map traffic onto specific Ethernet pseudowires for transport over the WiMAX network. There is also a default customer interface for routing traffic that does not possess a VLAN tag.

Figure 52 ADVANCED > VPN Transport > Customer Interface Setup

The following table describes the labels in this screen.

Table 40 ADVANCED > VPN Transport > Customer Interface Setup

LABEL | DESCRIPTION
---|---
Active | Select to make this customer interface active. Deselect it to make in bridging mode only.
Select the Ethernet pseudowire this interface should use for communications over the WiMAX network. You should configure the pseudowire (in the ADVANCED >VPN Transport > Ethernet Pseudowire screen) before you select it. specific VLAN ID) or untagged (controlling traffic without a specific VLAN ID). There can be only one untagged interface. for this interface. This VLAN ID must not be used by any other customer interface. VLAN IDEnter the Virtual Local Area Network Identifier number (1 ~ 4094) TypeA customer interface can be tagged (controlling traffic that has a Bridging or Routing. A tagged interface can operate For the untagged interface, -1 displays. Associated Ethernet Pseudowire the customer interface inactive. DESCRIPTION Customer Interface ModeThis displays 120 Users Guide Chapter 9The VPN Transport Screens DESCRIPTION 9.4 Ethernet Pseudowire Table 40 ADVANCED > VPN Transport > Customer Interface Setup (continued) LABEL DSCPIf you wish to prioritize an interface, enter a DiffServ Code Point value of six bits in binary notation. The higher the value, the higher the interfaces priority on the WiMAX Devices WiMAX link. Enter a brief (up to 31 characters) name or description for this interface. Because VPLS mimics a simple wired Ethernet connection to your service providers router, the connection between the WiMAX Device and the peer device is known as an Ethernet pseudowire or PW. Interface Description ApplyClick to save your changes. CancelClick to return to the previous screen without saving your changes. The Ethernet pseudowires use MPLS (MultiProtocol Label Switching) virtual circuit labels to define the connection. In any such pseudowire, the ingress label on one device must be the same as the egress label on the peer device, as shown in the following figure. A is your WiMAX Device and B is your service providers router. Company Confidential Click ADVANCED >VPN Transport > Ethernet Pseudowire to configure the WiMAX Devices Ethernet pseudowires. 
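One way to check a planned VPN Transport configuration against the constraints this section states (a single untagged interface, VLAN IDs from 1 to 4094 used only once, tagged interfaces in bridging mode, six-bit binary DSCP values, descriptions of up to 31 characters, and ingress/egress labels that mirror the peer's). This is an added example in Python, not ZyXEL code; the data classes, field names and sample label values are assumptions.

```python
"""Lint a VPN Transport plan against the constraints stated in this chapter.

Added example: the data classes, field names and sample values are assumptions,
not the WiMAX Device's own configuration format.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Pseudowire:
    number: int
    ingress: int   # MPLS VC label for traffic coming from the peer device
    egress: int    # MPLS VC label for traffic going to the peer device


@dataclass
class CustomerInterface:
    tagged: bool
    vlan_id: Optional[int]            # None for the untagged interface (screen shows -1)
    mode: str                         # "B" (bridging) or "R" (routing)
    pseudowire: Optional[int] = None  # number of the associated Ethernet pseudowire
    dscp: str = "000000"              # six bits, binary notation
    description: str = ""


def lint(interfaces: List[CustomerInterface],
         local_pws: List[Pseudowire],
         peer_pws: List[Pseudowire]) -> List[str]:
    """Return readable findings; an empty list means no stated rule is broken."""
    findings = []
    known = {pw.number for pw in local_pws}

    # There can be only one untagged interface, and it cannot be deleted.
    untagged = [ci for ci in interfaces if not ci.tagged]
    if len(untagged) != 1:
        findings.append(f"expected exactly one untagged interface, found {len(untagged)}")

    seen_vlans = set()
    for n, ci in enumerate(interfaces):
        if ci.tagged:
            if ci.vlan_id is None or not 1 <= ci.vlan_id <= 4094:
                findings.append(f"interface {n}: VLAN ID {ci.vlan_id} outside 1-4094")
            elif ci.vlan_id in seen_vlans:
                findings.append(f"interface {n}: VLAN ID {ci.vlan_id} already in use")
            else:
                seen_vlans.add(ci.vlan_id)
            if ci.mode != "B":
                findings.append(f"interface {n}: tagged interface must be in bridging mode")
        if not re.fullmatch(r"[01]{6}", ci.dscp):
            findings.append(f"interface {n}: DSCP {ci.dscp!r} is not six binary digits")
        if len(ci.description) > 31:
            findings.append(f"interface {n}: description longer than 31 characters")
        if ci.pseudowire is not None and ci.pseudowire not in known:
            findings.append(f"interface {n}: pseudowire {ci.pseudowire} is not configured")

    # The ingress label on one device must be the egress label on the peer device.
    peer_pairs = {(pw.ingress, pw.egress) for pw in peer_pws}
    for pw in local_pws:
        if (pw.egress, pw.ingress) not in peer_pairs:
            findings.append(
                f"pseudowire {pw.number}: no peer pseudowire with ingress "
                f"{pw.egress} and egress {pw.ingress}")
    return findings


# Constructed sample: device A and its peer B. Pseudowire 2 is mislabelled on A.
SAMPLE_LOCAL = [Pseudowire(1, ingress=100, egress=200),
                Pseudowire(2, ingress=101, egress=201)]
SAMPLE_PEER = [Pseudowire(1, ingress=200, egress=100),
               Pseudowire(2, ingress=202, egress=101)]
SAMPLE_INTERFACES = [
    CustomerInterface(False, None, "R", description="for routing / NAT"),
    CustomerInterface(True, 10, "B", pseudowire=1, dscp="101110"),
    CustomerInterface(True, 10, "B", pseudowire=2, dscp="46"),   # duplicate VLAN, decimal DSCP
    CustomerInterface(True, 4095, "R", pseudowire=3),            # three separate problems
]

if __name__ == "__main__":
    for finding in lint(SAMPLE_INTERFACES, SAMPLE_LOCAL, SAMPLE_PEER):
        print(finding)
```

A mislabelled pseudowire is the finding to look at first, because labels that do not mirror the peer's leave that pseudowire without a matching circuit in one direction.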
Figure 53 Ethernet Pseudowire Settings Example (devices A and B joined by a pseudowire; the ingress label on each device is the egress label on the other, shown as X and Y)

Figure 54 ADVANCED > VPN Transport > Ethernet Pseudowire

The following table describes the icons in this screen.

Table 41 Advanced > VPN Transport > Customer Interface
ICON | DESCRIPTION
---|---
Edit | Click to edit this item.
Delete | Click to delete this item.

The following table describes the labels in this screen.

Table 42 ADVANCED > VPN Transport > Ethernet Pseudowire
LABEL | DESCRIPTION
---|---
# | The number of the item in this list.
Active | This icon is green if the associated pseudowire is enabled. The icon is grey if the associated pseudowire is disabled. Enable or disable a pseudowire by clicking its Edit icon.
MPLS VC Label |
Ingress | This is the MPLS virtual circuit label number for traffic coming from the peer device.
Egress | This is the MPLS virtual circuit label number for traffic going to the peer device.
Pseudowire Description | This displays the information you previously entered describing the pseudowire.
Action | Click the Edit icon to set up an Ethernet pseudowire or alter the configuration of an existing Ethernet pseudowire. Click the Delete icon to remove an existing Ethernet pseudowire.

9.4.1 Ethernet Pseudowire Setup

Click a pseudowire entry's Edit icon in the ADVANCED > VPN Transport > Ethernet Pseudowire screen to set up or modify an Ethernet pseudowire's configuration.

Figure 55 ADVANCED > VPN Transport > Ethernet Pseudowire Setup

The following table describes the labels in this screen.

Table 43 ADVANCED > VPN Transport > Ethernet Pseudowire Setup
LABEL | DESCRIPTION
---|---
Active | Select this to enable the pseudowire. Deselect it to disable the pseudowire.
MPLS VC Label |
Ingress | Enter the VC ingress label number for this pseudowire. This must be the egress label number of the peer device. This should not be the ingress label number of any other Ethernet pseudowire configured on the WiMAX Device.
Egress | Enter the egress label number for this pseudowire. This must be the ingress label of the peer device. This should not be the egress label number of any other Ethernet pseudowire configured on the WiMAX Device.
Pseudowire Description | Enter a brief (up to 31 characters) description for this pseudowire.
Apply | Click to save your changes.
Cancel | Click to return to the previous screen without saving your changes.

9.5 Statistics

Click ADVANCED > VPN Transport > Statistics to view details and performance information of each active customer interface and its associated Ethernet pseudowire.

Figure 56 ADVANCED > VPN Transport > Statistics

The following table describes the labels in this screen.

Table 44 ADVANCED > VPN Transport > Statistics
LABEL | DESCRIPTION
---|---
# | The number of the item in this list.
Active | This icon is green if the associated interface is enabled. The icon is grey if the associated interface is disabled. Enable or disable an interface by clicking its Edit icon.
Interface Description | This is the brief name or description of the customer interface configured in the ADVANCED > VPN Transport > Customer Interface Setup screen.
Total Packets | This displays the number of packets received (Receive) and sent (Transmit) on the customer interface since the interface was activated, or the Clear button pressed.
Total Bytes | This displays the number of bytes received (Receive) and sent (Transmit) on the customer interface since the interface was activated, or the Clear button pressed.

CHAPTER 10 The NAT Configuration Screens

10.1 Overview

Use these screens to configure port forwarding and trigger ports for the WiMAX Device. You can also enable and disable SIP, FTP, and H.323 ALG.

Network Address Translation (NAT) maps a host's IP address within one network to a different IP address in another network. For example, you can use a NAT router to map one IP address from your ISP to multiple private IP addresses for the devices in your home network.

10.1.1 What You Can Do in This Chapter

The General screen (Section 10.2) lets you enable or disable NAT and allocate memory for NAT and firewall rules.
The Port Forwarding screen (Section 10.3) lets you look at the current port-forwarding rules in the WiMAX Device, and enable, disable, activate, and deactivate each one.
The Trigger Port screen (Section 10.4) lets you maintain trigger port forwarding rules for the WiMAX Device.
The ALG screen (Section 10.5) lets you enable and disable SIP (VoIP), FTP (file transfer), and H.323 (audio-visual) ALG in the WiMAX Device.

10.2 General

Click ADVANCED > NAT Configuration > General to enable or disable NAT and to allocate memory for NAT and firewall rules.

Figure 57 ADVANCED > NAT Configuration > General

The following table describes the labels in this screen.

Table 45 ADVANCED > NAT Configuration > General
LABEL | DESCRIPTION
---|---
Enable Network Address Translation | Select this if you want to use port forwarding, trigger ports, or any of the ALG.
Max NAT/Firewall Session Per User | When computers use peer to peer applications, such as file sharing applications, they may use a large number of NAT sessions. If you do not limit the number of NAT sessions a single client can establish, this can result in all of the available NAT sessions being used. In this case, no additional NAT sessions can be established, and users may not be able to access the Internet. Each NAT session establishes a corresponding firewall session. Use this field to limit the number of NAT/firewall sessions each client computer can establish through the WiMAX Device. If your network has a small number of clients using peer to peer applications, you can raise this number to ensure that their performance is not degraded by the number of NAT sessions they can establish. If your network has a large number of users using peer to peer applications, you can lower this number to ensure no single client is using all of the available NAT sessions.
Apply | Click to save your changes.
Cancel | Click to return to the previous screen without saving your changes.

10.3 Port Forwarding

A NAT server set is a list of inside (behind NAT on the LAN) servers, for example, web or FTP, that you can make accessible to the outside world even though NAT makes your whole inside network appear as a single machine to the outside world.

Use the ADVANCED > NAT Configuration > Port Forwarding screen to forward incoming service requests to the server(s) on your local network. You may enter a single port number or a range of port numbers to be forwarded, and the local IP address of the desired server. The port number identifies a service; for example, web service is on port 80 and FTP on port 21.

In some cases, such as for unknown services or where one server can support more than one service (for example both FTP and web service), it might be better to specify a range of port numbers.

In addition to the servers for specified services, NAT supports a default server. A service request that does not have a server explicitly designated for it is forwarded to the default server. If the default is not defined, the service request is simply discarded.

For example, let's say you want to assign ports 21-25 to one FTP, Telnet and SMTP server (A in the example), port 80 to another (B in the example) and assign a default server IP address of 192.168.1.35 to a third (C in the example). You assign the LAN IP addresses and the ISP assigns the WAN IP address. The NAT network appears as a single host on the Internet.

Figure 58 Multiple Servers Behind NAT Example

10.3.1 Port Forwarding Options

Click ADVANCED > NAT Configuration > Port Forwarding to look at the current port-forwarding rules in the WiMAX Device, and to enable, disable, activate, and deactivate each one. You can also set up a default server to handle ports not covered by rules.

Figure 59 ADVANCED > NAT Configuration > Port Forwarding

The following table describes the icons in this screen.

Table 46 Advanced > VPN Transport > Customer Interface
ICON | DESCRIPTION
---|---
Edit | Click to edit this item.
Delete | Click to delete this item.

The following table describes the labels in this screen.

Table 47 ADVANCED > NAT Configuration > Port Forwarding
LABEL | DESCRIPTION
---|---
Default Server Setup |
Default Server | Enter the IP address of the server to which the WiMAX Device should forward packets for ports that are not specified in the Port Forwarding section below or in the TOOLS > Remote MGMT screens. Enter 0.0.0.0 if you want the WiMAX Device to discard these packets instead.
Port Forwarding |
# | The number of the item in this list.
Active | Select this to enable this rule. Clear this to disable this rule.
Name | This field displays the name of the rule. It does not have to be unique.
Start Port | This field displays the beginning of the range of port numbers forwarded by this rule.
End Port | This field displays the end of the range of port numbers forwarded by this rule. If it is the same as the Start Port, only one port number is forwarded.
Server IP Address | This field displays the IP address of the server to which packets for the selected port(s) are forwarded.
Action | Click the Edit icon to set up a port forwarding rule or alter the configuration of an existing port forwarding rule. Click the Delete icon to remove an existing port forwarding rule.
Apply | Click to save your changes.
Reset | Click to restore your previously saved settings.

10.3.2 Port Forwarding Rule Setup

Click a port forwarding rule's Edit icon in the ADVANCED > NAT Configuration > Port Forwarding screen to activate, deactivate, or edit it.

Figure 60 ADVANCED > NAT Configuration > Port Forwarding > Rule Setup

The following table describes the labels in this screen.

Table 48 ADVANCED > NAT Configuration > Port Forwarding > Rule Setup
LABEL | DESCRIPTION
---|---
Active | Select this to enable this rule. Clear this to disable this rule.
Service Name | Enter a name to identify this rule. You can use 1 - 31 printable ASCII characters, or you can leave this field blank. It does not have to be a unique name.
Start Port, End Port | Enter the port number or range of port numbers you want to forward to the specified server. To forward one port number, enter the port number in the Start Port and End Port fields. To forward a range of ports, enter the port number at the beginning of the range in the Start Port field and enter the port number at the end of the range in the End Port field.
Server IP Address | Enter the IP address of the server to which to forward packets for the selected port number(s). This server is usually on the LAN.
Apply | Click to save your changes.
Cancel | Click to return to the previous screen without saving your changes.

10.4 Trigger Port

Some services use a dedicated range of ports on the client side and a dedicated range of ports on the server side. With regular port forwarding you set a forwarding port in NAT to forward a service (coming in from the server on the WAN) to the IP address of a computer on the client side (LAN). The problem is that port forwarding only forwards a service to a single LAN IP address. In order to use the same service on a different LAN computer, you have to manually replace the LAN computer's IP address in the forwarding port with another LAN computer's IP address.

Trigger port forwarding solves this problem by allowing computers on the LAN to dynamically take turns using the service.
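How LAN computers take turns on a trigger port rule, modelled as a small state table. This is an added example in Python, not ZyXEL firmware code: the port numbers and idle timeouts are the ones from the Real Audio example in Section 10.4.1, while the class and method names, the LAN addresses and the choice to time a binding by the protocol of its triggering packet are assumptions.

```python
"""Model of trigger port forwarding as this chapter describes it.

Added example, not ZyXEL firmware code: names and LAN addresses are assumptions.
Idle timeouts are the manual's: three minutes with UDP, two hours with TCP.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

IDLE_TIMEOUT = {"udp": 3 * 60, "tcp": 2 * 60 * 60}  # seconds


@dataclass
class TriggerRule:
    name: str
    trigger: Tuple[int, int]    # outgoing (LAN to WAN) start and end port
    incoming: Tuple[int, int]   # WAN to LAN start and end port opened by the trigger


@dataclass
class Binding:
    lan_ip: str
    proto: str         # protocol of the triggering packet (assumption: it sets the timeout)
    last_seen: float


class TriggerPortTable:
    def __init__(self, rules):
        self.rules = list(rules)
        self.bindings: Dict[str, Binding] = {}   # rule name -> computer holding it

    def _live(self, rule: TriggerRule, now: float) -> Optional[Binding]:
        """Return the rule's binding, dropping it first if it has idled out."""
        b = self.bindings.get(rule.name)
        if b is not None and now - b.last_seen >= IDLE_TIMEOUT[b.proto]:
            del self.bindings[rule.name]
            return None
        return b

    def outbound(self, lan_ip: str, proto: str, dst_port: int, now: float) -> bool:
        """LAN to WAN packet. True if lan_ip holds the matching rule afterwards."""
        for rule in self.rules:
            if rule.trigger[0] <= dst_port <= rule.trigger[1]:
                b = self._live(rule, now)
                if b is None:
                    self.bindings[rule.name] = Binding(lan_ip, proto, now)
                    return True
                if b.lan_ip == lan_ip:
                    b.last_seen = now
                    return True
                return False   # range is tied up by another LAN computer
        return False

    def inbound(self, dst_port: int, now: float) -> Optional[str]:
        """WAN to LAN packet. Returns the LAN IP to forward to, or None to drop."""
        for rule in self.rules:
            if rule.incoming[0] <= dst_port <= rule.incoming[1]:
                b = self._live(rule, now)
                if b is not None:
                    b.last_seen = now
                    return b.lan_ip
        return None   # traffic from the WAN alone never opens the incoming range

    def close(self, lan_ip: str) -> None:
        """The holder's connection closed: free its rules for other computers."""
        self.bindings = {k: b for k, b in self.bindings.items() if b.lan_ip != lan_ip}


def demo():
    """Replay the Real Audio example with two constructed LAN addresses."""
    table = TriggerPortTable([TriggerRule("Real Audio", (7070, 7070), (6970, 7170))])
    jane, other = "192.168.1.33", "192.168.1.34"   # constructed addresses
    return [
        table.inbound(7000, now=0),                    # nothing triggered yet: dropped
        table.outbound(jane, "udp", 7070, now=10),     # Jane triggers the rule
        table.inbound(7000, now=11),                   # forwarded to Jane
        table.outbound(other, "udp", 7070, now=20),    # refused while Jane holds it
        table.inbound(7171, now=21),                   # outside 6970-7170: dropped
        table.outbound(other, "udp", 7070, now=200),   # Jane idle for over 3 minutes
        table.inbound(6970, now=201),                  # forwarded to the new holder
    ]


if __name__ == "__main__":
    print(demo())
```

The first and fifth results are the ones a firewall review cares about: the incoming range is closed until a LAN computer sends to the trigger port, and only ports inside the configured range are forwarded.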
The WiMAX Device records the IP address of a LAN computer that sends traffic to the WAN to request a service with a specific port number and protocol (a "trigger" port). When the WiMAX Device's WAN port receives a response with a specific port number and protocol
("incoming" port), the WiMAX Device forwards the traffic to the LAN IP address of the computer that sent the request. After that computers connection for that service closes, another computer on the LAN can use the service in the same manner. This way you do not need to configure a new IP address each time you want a different LAN computer to use the application. Company Confidential The following table describes the labels in this screen. Table 49 ADVANCED > NAT Configuration > Trigger Port LABEL
Name DESCRIPTION The number of the item in this list. Enter a name to identify this rule. You can use 1 - 15 printable ASCII characters, or you can leave this field blank. It does not have to be a unique name. Click ADVANCED > NAT Configuration > Trigger Port to maintain trigger port forwarding rules for the WiMAX Device. Figure 61 ADVANCED > NAT Configuration > Trigger Port Incoming 130 Users Guide Chapter 10The NAT Configuration Screens Trigger Port field Start Port End Port Start Port End Port To select a range of ports, To forward a range of ports, enter the port number at the beginning of the range in the Start enter the port number at the end of the range in the End Port field. Table 49 ADVANCED > NAT Configuration > Trigger Port (continued) LABEL If you want to delete this rule, enter zero in the Start Port and End Port fields. To forward one port number, enter the port number in the Start Port and End Port fields. To select one port number, enter the port number in the Start Port and End Port fields. Enter the outgoing port number or range of port numbers that makes the WiMAX Device record the source IP address and assign it to the selected incoming port number(s). DESCRIPTION Enter the incoming port number or range of port numbers you want to forward to the IP address the WiMAX Device records. Company Confidential If you want to delete this rule, enter zero in the Start Port and End Port fields. Click to save your changes. The following is an example of trigger port forwarding. In this example, J is Janes computer and S is the Real Audio server. Apply CancelClick to return to the previous screen without saving your changes. 10.4.1 Trigger Port Forwarding Example enter the port number at the end of the range in the End Port field. 
Figure 62 Trigger Port Forwarding Example enter the port number at the beginning of the range in the Start Port field Users Guide 131 Chapter 10The NAT Configuration Screens 1 Jane requests a file from the Real Audio server (port 7070). 4 3 2 2 1 Two points to remember about trigger ports:
The WiMAX Device forwards the traffic to Janes computer IP address. The Real Audio server responds using a port number ranging between 6970-7170. 5 Only Jane can connect to the Real Audio server until the connection is closed or Trigger events only happen on data that is coming from inside the WiMAX Device and going to the outside. If an application needs a continuous data stream, that port (range) will be tied up so that another computer on the LAN cant trigger it. Port 7070 is a trigger port and causes the WiMAX Device to record Janes computer IP address. The WiMAX Device associates Jane's computer IP address with the "incoming" port range of 6970-7170. times out. The WiMAX Device times out in three minutes with UDP (User Datagram Protocol), or two hours with TCP/IP (Transfer Control Protocol/Internet Protocol). Company Confidential Some NAT routers may include a SIP Application Layer Gateway (ALG). An Application Layer Gateway (ALG) manages a specific protocol (such as SIP, H.323 or FTP) at the application layer. Some applications, such as SIP, cannot operate through NAT (are NAT un-
friendly) because they embed IP addresses and port numbers in their packets data payload. A SIP ALG allows SIP calls to pass through NAT by examining and translating IP addresses embedded in the data stream. 10.5 ALG 132 Users Guide Chapter 10The NAT Configuration Screens DESCRIPTION Enable H.323 ALG forwarding and port-triggering rules. The following table describes the labels in this screen. Figure 63 ADVANCED > NAT Configuration > ALG Enable FTP ALG Select this to make sure FTP (file transfer) works correctly with port-
Click ADVANCED > NAT Configuration > ALG to enable and disable SIP (VoIP), FTP (file transfer), and H.323 (audio-visual) ALG in the WiMAX Device. Table 50 ADVANCED > NAT Configuration > ALG LABEL Enable SIP ALG Select this to make sure SIP (VoIP) works correctly with port-
forwarding and port-triggering rules. Select this to make sure H.323 (audio-visual programs, such as NetMeeting) works correctly with port-forwarding and port-triggering rules. Click to save your changes. Company Confidential Apply CancelClick to return to the previous screen without saving your changes. Users Guide 133 Chapter 10The NAT Configuration Screens Company Confidential 134 Users Guide 11.1 Overview 11.1.1 What You Can Do in This Chapter Click ADVANCED > System Configuration to set up general system settings, change the system mode, change the password, configure the DDNS server settings, and set the current date and time. CHAPTER 11 The System Configuration Screens Company Confidential In Windows 2000: Click Start > Settings > Control Panel and then double-
click the System icon. Select the Network Identification tab and then click the Properties button. Note the entry for the Computer Name field and enter it as the System Name. The System Name is often used for identification purposes. Because some ISPs check this name you should enter your computer's "Computer Name". Devices mode, set up its system name, domain name, idle timeout, and administrator password. 11.1.2 What You Need to Know The Firmware screen (Section 11.4 on page 140) lets you upload new firmware The Restart screen (Section 11.6 on page 143) lets you restart your WiMAX The General screen (Section 11.2 on page 137) lets you change the WiMAX The Configuration screen (Section 11.5 on page 142) lets you back up or The following terms and concepts may help as you read through this chapter. The Dynamic DNS screen (Section 11.3 on page 138) lets you set up the restore the configuration of the WiMAX Device. Device from within the web configurator. WiMAX Device as a dynamic DNS client. System Name to the WiMAX Device. Users Guide 135 Chapter 11The System Configuration Screens In Windows XP: Click Start > My Computer > View system information and 1 Domain Name DNS Server Address Assignment The WiMAX Device can get the DNS server addresses in the following ways:
then click the Computer Name tab. Note the entry in the Full computer name field and enter it as the WiMAX Device System Name. The ISP tells you the DNS server addresses, usually in the form of an information sheet, when you sign up. If your ISP gives you DNS server addresses, enter them in the DNS Server fields in the SYSTEM General screen. Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa, for instance, the IP address of www.zyxel.com is 204.217.0.2. The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it. The Domain Name entry is what is propagated to the DHCP clients on the LAN. If you leave this blank, the domain name obtained by DHCP from the ISP is used. While you must enter the host name (System Name) on each individual computer, the domain name can be assigned from the WiMAX Device via DHCP. Company Confidential If the ISP did not give you DNS server information, leave the DNS Server fields in the SYSTEM General screen set to 0.0.0.0 for the ISP to dynamically assign the DNS server IP addresses. 2 136 Users Guide Chapter 11The System Configuration Screens 11.2 General Figure 64 ADVANCED > System Configuration > General Click ADVANCED > System Configuration > General to change the WiMAX Devices mode, set up its system name, domain name, idle timeout, and administrator password. Company Confidential The following table describes the labels in this screen. Table 51 ADVANCED > System Configuration > General LABEL System Setup System NameEnter your computer's "Computer Name". This is for identification LAN. If you leave this blank, the domain name obtained from the ISP is used. Use up to 38 alphanumeric characters. Spaces are not allowed, but dashes - and periods "." are accepted. Enter the number of minutes a management session can be left idle before the session times out. After it times out, you have to log in again. 
A value of "0" means a management session never times out, no matter how long it has been left idle. This is not recommended. Long idle timeouts may have security risks. The default is five minutes. Password Setup Old PasswordEnter the current password you use to access the WiMAX Device. New PasswordEnter the new password for the WiMAX Device. You can use up to 30 purposes, but some ISPs also check this field. This name can be up to 30 alphanumeric characters long. Spaces are not allowed, but dashes -
and underscores "_" are accepted. characters. As you type the password, the screen displays an asterisk
(*) for each character you type. Domain NameEnter the domain name entry that is propagated to DHCP clients on the Administrator Inactivity Timer DESCRIPTION Users Guide 137 Chapter 11The System Configuration Screens DESCRIPTION Enter the new password again. 11.3 Dynamic DNS Table 51 ADVANCED > System Configuration > General (continued) LABEL Retype to Confirm ApplyClick to save your changes. ResetClick to restore your previously saved settings. Dynamic DNS allows you to update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you (in NetMeeting, CU-
SeeMe, etc.). You can also access your FTP server or Web site on your own computer using a domain name (for instance myhost.dhs.org, where myhost is a name of your choice) that will never change instead of using an IP address that changes each time you reconnect. Your friends or relatives will always be able to call you even if they don't know your IP address. Company Confidential Enabling the wildcard feature for your host causes *.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org. This feature is useful if you want to be able to use, for example, www.yourhost.dyndns.org and still reach your hostname. First of all, you need to have registered a dynamic DNS account with www.dyndns.org. This is for people with a dynamic IP from their ISP or DHCP server that would still like to have a domain name. The Dynamic DNS service provider will give you a password or key. Note: If you have a private WAN IP address, then you cannot use Dynamic DNS. 138 Users Guide Chapter 11The System Configuration Screens Click ADVANCED > System Configuration > Dynamic DNS to set up the WiMAX Device as a dynamic DNS client. Figure 65 ADVANCED > System Configuration > Dynamic DNS Company Confidential Table 52 ADVANCED > System Configuration > Dynamic DNS LABEL Dynamic DNS Setup Enable Dynamic DNS Service Provider Dynamic DNS Type Host Name Select the type of service that you are registered for from your Dynamic DNS service provider. Enter the host name. You can specify up to two host names, separated by a comma (","). Enter your user name. Enter the password assigned to you. Select this to enable the DynDNS Wildcard feature. User Name Password Enable Wildcard Option The following table describes the labels in this screen. Select the name of your Dynamic DNS service provider. Select this to use dynamic DNS. 
DESCRIPTION Users Guide 139 Chapter 11The System Configuration Screens Use specified IP address Note: The DDNS server may not be able to detect the proper IP ApplyClick to save your changes. ResetClick to restore your previously saved settings. address if there is an HTTP proxy server between the WiMAX Device and the DDNS server. IP Address Update Policy Use WAN IP Address Dynamic DNS server auto detect IP address Select this if you want to use the specified IP address with the host name(s). Then, specify the IP address. Use this option if you have a static IP address. Table 52 ADVANCED > System Configuration > Dynamic DNS (continued) LABEL Enable offline option Select this if you want the WiMAX Device to update the domain name with the WAN port's IP address. Select this if you want the DDNS server to update the IP address of the host name(s) automatically. Select this optionwhen there are one or more NAT routers between the WiMAX Device and the DDNS server. DESCRIPTION This field is available when CustomDNS is selected in the DDNS Type field. Select this if your Dynamic DNS service provider redirects traffic to a URL that you can specify while you are off line. Check with your Dynamic DNS service provider. Company Confidential Click ADVANCED > System Configuration > Firmware to upload new firmware to the WiMAX Device. Firmware files usually use the system model name with a "*.bin" extension, such as "WiMAX Device.bin". The upload process uses HTTP (Hypertext Transfer Protocol) and may take up to two minutes. After a successful upload, the system will reboot. Contact your service provider for information on available firmware upgrades. Note: Only use firmware for your WiMAX Devices specific model. Figure 66 ADVANCED > System Configuration > Firmware 11.4 Firmware 140 Users Guide Chapter 11The System Configuration Screens minutes. progress!
DESCRIPTION Note: Do not turn off the device while firmware upload is in Note: Do not turn off the device while firmware upload is in progress!
The following table describes the labels in this screen.

Table 53 ADVANCED > System Configuration > Firmware

LABEL | DESCRIPTION
---|---
File Path | Enter the location of the *.bin file you want to upload, or click Browse... to find it. You must decompress compressed (.zip) files before you can upload them.
Browse... | Click this to find the *.bin file you want to upload.
Upload | Click this to begin uploading the selected file. This may take up to two

11.4.1 The Firmware Upload Process

When the WiMAX Device uploads new firmware, the process usually takes about two minutes. The device also automatically restarts in this time. This causes a temporary network disconnect.

After two minutes, log in again, and check your new firmware version in the Status screen. You might have to open a new browser window to log in.

If the upload is not successful, you will be notified by an error message. Click Return to go back to the Firmware screen.

11.5 Configuration

Click ADVANCED > System Configuration > Configuration to back up or restore the configuration of the WiMAX Device. You can also use this screen to reset the WiMAX Device to the factory default settings.

Figure 67 ADVANCED > System Configuration > Configuration

The following table describes the labels in this screen.

Table 54 ADVANCED > System Configuration > Configuration

LABEL | DESCRIPTION
---|---
Backup Configuration |
Backup | Click this to save the WiMAX Device's current configuration to a file on your computer. Once your device is configured and functioning properly, it is highly recommended that you back up your configuration file before making configuration changes. The backup configuration file is useful if you need to return to your previous settings.
Restore Configuration |
File Path | Enter the location of the file you want to upload, or click Browse... to find it.
Browse | Click this to find the file you want to upload.
Upload | Click this to restore the selected configuration file. Note: Do not turn off the device while configuration file upload is in progress.
Back to Factory Defaults |
Reset | Click this to clear all user-entered configuration information and return the WiMAX Device to its factory defaults. There is no warning screen.

11.5.1 The Restore Configuration Process

When the WiMAX Device restores a configuration file, the device automatically restarts. This causes a temporary network disconnect.

Note: Do not turn off the device while configuration file upload is in progress.

If the WiMAX Device's IP address is different in the configuration file you selected, you may need to change the IP address of your computer to be in the same subnet as that of the default management IP address (192.168.5.1). See the Quick Start Guide or the appendices for details on how to set up your computer's IP address.

You might have to open a new browser to log in again.

If the upload was not successful, you are notified by Configuration Upload Error message:

Click Return to go back to the Configuration screen.

11.6 Restart

Click ADVANCED > System Configuration > Restart to reboot the WiMAX Device without turning the power off.

Note: Restarting the WiMAX Device does not affect its configuration.

Figure 68 ADVANCED > System Configuration > Restart

The following table describes the labels in this screen.

Table 55 ADVANCED > System Configuration > Firmware

LABEL | DESCRIPTION
---|---
Restart | Click this button to have the device perform a software restart. The Power LED blinks as it restarts and then shines steadily if the restart is successful. Note: Wait one minute before logging back into the WiMAX Device after a restart.

11.6.1 The Restart Process

When you click Restart, the process usually takes about two minutes. Once the restart is complete you can log in again.

PART IV Voice Screens

The Service Configuration Screens
The Phone Screens
The Phone Book Screens

CHAPTER 12 The Service Configuration Screens

12.1 Overview

The VOICE > Service Configuration screens allow you to set up your voice accounts and configure your QoS settings.

VoIP (Voice over IP) is the sending of voice signals over the Internet Protocol. This allows you to make phone calls and send faxes over the Internet at a fraction of the cost of using the traditional circuit-switched telephone network. You can also use servers to run telephone service applications like PBX services and voice mail.
Internet Telephony Service Provider (ITSP) companies provide VoIP service. A company could alternatively set up an IP-PBX and provide its own VoIP service.

Circuit-switched telephone networks require 64 kilobits per second (kbps) in each direction to handle a telephone call. VoIP can use advanced voice coding techniques with compression to reduce the required bandwidth.

12.1.1 What You Can Do in This Chapter

- The SIP Settings screen (Section 12.2) lets you set up and maintain your SIP account(s) in the WiMAX Device.
- The Advanced SIP Settings screen (Section 12.2.1) lets you set up and maintain advanced settings for each SIP account.
- The QoS screen (Section 12.3) lets you set up and maintain ToS and VLAN settings for the WiMAX Device.

12.1.2 What You Need to Know

The following terms and concepts may help as you read through this chapter.

SIP

The Session Initiation Protocol (SIP) is an application-layer control (signaling) protocol that handles the setting up, altering and tearing down of voice and multimedia sessions over the Internet. SIP signaling is separate from the media for which it handles sessions. The media that is exchanged during the session can use a different path from that of the signaling. SIP handles telephone calls and can interface with traditional circuit-switched telephone networks.

SIP Identities

A SIP account uses an identity (sometimes referred to as a SIP address). A complete SIP identity is called a SIP URI (Uniform Resource Identifier). A SIP account's URI identifies the SIP account in a way similar to the way an e-mail address identifies an e-mail account. The format of a SIP identity is SIP-Number@SIP-Service-Domain.

SIP Number

The SIP number is the part of the SIP URI that comes before the @ symbol. A SIP number can use letters like in an e-mail address (johndoe@your-ITSP.com for example) or numbers like a telephone number (1122334455@VoIP-provider.com for example).

SIP Service Domain

The SIP service domain of the VoIP service provider (the company that lets you make phone calls over the Internet) is the domain name in a SIP URI. For example, if the SIP address is 1122334455@VoIP-provider.com, then VoIP-provider.com is the SIP service domain.

SIP Register Server

A SIP register server maintains a database of SIP identity-to-IP address (or domain name) mapping. The register server checks your user name and password when you register.

RTP

When you make a VoIP call using SIP, the RTP (Real time Transport Protocol) is used to handle voice data transfer. See RFC 1889 for details on RTP.

Use NAT

If you know the NAT router's public IP address and SIP port number, you can use the Use NAT feature to manually configure the WiMAX Device to use them in the SIP messages. This eliminates the need for STUN or a SIP ALG. You must also configure the NAT router to forward traffic with this port number to the WiMAX Device.

12.1.3 Before you Begin

- Ensure that you have all of your voice account information on hand. If not, contact your voice account service provider to find out which settings in this chapter you should configure in order to use your telephone with the WiMAX Device.
- Connect your WiMAX Device to the Internet, as described in the Quick Start Guide. If you have not already done so, then you will not be able to test your VoIP settings.

12.2 SIP Settings

Click VOICE > Service Configuration > SIP Setting to set up and maintain your SIP account(s) in the WiMAX Device. Your VoIP or Internet service provider should provide you with your account information. You can also enable and disable each SIP account.

Figure 69 VOICE > Service Configuration > SIP Setting

The following table describes the labels in this screen.

Table 56 VOICE > Service Configuration > SIP Setting

LABEL | DESCRIPTION
---|---
SIP Account | Select the SIP account you want to see in this screen. If you change this field, the screen automatically refreshes.
SIP Settings |
Active SIP Account | Select this if you want the WiMAX Device to use this account. Clear it if you do not want the WiMAX Device to use this account.
Number | Enter your SIP number. In the full SIP URI, this is the part before the @ symbol. You can use up to 127 printable ASCII characters.
SIP Local Port | Enter the WiMAX Device's listening port number, if your VoIP service provider gave you one. Otherwise, keep the default value.
SIP Server Address | Enter the IP address or domain name of the SIP server provided by your VoIP service provider. You can use up to 95 printable ASCII characters. It does not matter whether the SIP server is a proxy, redirect or register server.
SIP Server Port | Enter the SIP server's listening port number, if your VoIP service provider gave you one. Otherwise, keep the default value.
REGISTER Server Address | Enter the IP address or domain name of the SIP register server, if your VoIP service provider gave you one. Otherwise, enter the same address you entered in the SIP Server Address field. You can use up to 95 printable ASCII characters.
REGISTER Server Port | Enter the SIP register server's listening port number, if your VoIP service provider gave you one. Otherwise, enter the same port number you entered in the SIP Server Port field.
SIP Service Domain | Enter the SIP service domain name. In the full SIP URI, this is the part after the @ symbol. You can use up to 127 printable ASCII Extended set characters.
Authentication |
User Name | Enter the user name for registering this SIP account, exactly as it was given to you. You can use up to 95 printable ASCII characters.
Password | Enter the password for registering this SIP account, exactly as it was given to you. You can use up to 95 printable ASCII Extended set characters.
Send Caller ID | Select this if you want to send identification when you make VoIP phone calls. Clear this if you do not want to send identification.
Apply | Click to save your changes.
Reset | Click to restore your previously saved settings.
Advanced | Click this to edit the advanced settings for this SIP account. The Advanced SIP Settings screen appears.

12.2.1 Advanced SIP Settings

This section describes the features of the Advanced SIP settings screen.

12.2.1.1 STUN

STUN (Simple Traversal of User Datagram Protocol (UDP) through Network Address Translators) allows the WiMAX Device to find the presence and types of NAT routers and/or firewalls between it and the public Internet. STUN also allows the WiMAX Device to find the public IP address that NAT assigned, so the WiMAX Device can embed it in the SIP data stream. STUN does not work with symmetric NAT routers or firewalls. See RFC 3489 for details on STUN.

The following figure shows how STUN works.

1 The WiMAX Device (A) sends SIP packets to the STUN server (B).
2 The STUN server (B) finds the public IP address and port number that the NAT router used on the WiMAX Device's SIP packets and sends them to the WiMAX Device.
3 The WiMAX Device uses the public IP address and port number in the SIP packets that it sends to the SIP server (C).

Figure 70 STUN

12.2.1.2 Outbound Proxy

Your VoIP service provider may host a SIP outbound proxy server to handle all of the WiMAX Device's VoIP traffic. This allows the WiMAX Device to work with any type of NAT router and eliminates the need for STUN or a SIP ALG. Turn off a SIP ALG on a NAT router in front of the WiMAX Device to keep it from re-translating the IP address (since this is already handled by the outbound proxy server).

12.2.1.3 Voice Coding

A codec (coder/decoder) codes analog voice signals into digital signals and decodes the digital signals back into voice signals. The WiMAX Device supports the following codecs.

- G.711 is a Pulse Code Modulation (PCM) waveform codec. PCM measures analog signal amplitudes at regular time intervals (sampling) and converts them into digital bits (quantization). Quantization reads the analog signal and then writes it to the nearest digital value. For this reason, a digital sample is usually slightly different from its analog original (this difference is known as quantization noise). G.711 provides excellent sound quality but requires 64 kbps of bandwidth.

- G.723 is an Adaptive Differential Pulse Code Modulation (ADPCM) waveform codec. Differential (or Delta) PCM is similar to PCM, but encodes the audio signal based on the difference between one sample and a prediction based on previous samples, rather than encoding the sample's actual quantized value. Many thousands of samples are taken each second, and the differences between consecutive samples are usually quite small, so this saves space and reduces the bandwidth necessary.

  However, DPCM produces a high quality signal (high signal-to-noise ratio or SNR) for high difference signals (where the actual signal is very different from what was predicted) but a poor quality signal (low SNR) for low difference signals (where the actual signal is very similar to what was predicted). This is because the level of quantization noise is the same at all signal levels. Adaptive DPCM solves this problem by adapting the difference signal's level of quantization according to the audio signal's strength. A low difference signal is given a higher quantization level, increasing its signal-to-noise ratio. This provides a similar sound quality at all signal levels. G.723 provides high quality sound and requires 20 or 40 kbps.

- G.729 is an Analysis-by-Synthesis (AbS) hybrid waveform codec. It uses a filter based on information about how the human vocal tract produces sounds. The codec analyzes the incoming voice signal and attempts to synthesize it using its list of voice elements. It tests the synthesized signal against the original and, if it is acceptable, transmits details of the voice elements it used to make the synthesis. Because the codec at the receiving end has the same list, it can exactly recreate the synthesized audio signal. G.729 provides good sound quality and reduces the required bandwidth to 8 kbps.

12.2.1.4 MWI (Message Waiting Indication)

Enable Message Waiting Indication (MWI) enables your phone to give you a message-waiting (beeping) dial tone when you have one or more voice messages. Your VoIP service provider must have a messaging system that sends message-waiting-status SIP packets as defined in RFC 3842.

12.2.1.5 Advanced SIP Settings Options

Click Advanced in VOICE > Service Configuration > SIP Settings to set up and maintain advanced settings for each SIP account.

Figure 71 VOICE > Service Configuration > SIP Settings > Advanced

The following table describes the labels in this screen.

Table 57 VOICE > Service Configuration > SIP Settings > Advanced

LABEL | DESCRIPTION
---|---
SIP Server Settings |
URL Type | Select whether or not to include the SIP service domain name when the WiMAX Device sends the SIP number. SIP - include the SIP service domain name. TEL - do not include the SIP service domain name.
Expiration Duration | Enter the number of seconds your SIP account is registered with the SIP register server before it is deleted. The WiMAX Device automatically tries to re-register your SIP account when one-half of this time has passed. (The SIP register server might have a different expiration.)
Register Re-send timer | Enter the number of seconds the WiMAX Device waits before it tries again to register the SIP account, if the first try failed or if there is no response.
Session Expires | Enter the number of seconds the conversation can last before the call is automatically disconnected. Usually, when one-half of this time has passed, the WiMAX Device or the other party updates this timer to prevent this from happening.
Min-SE | Enter the minimum number of seconds the WiMAX Device accepts for a session expiration time when it receives a request to start a SIP session. If the request has a shorter time, the WiMAX Device rejects it.
RTP Port Range |
Start Port / End Port | Enter the listening port number(s) for RTP traffic, if your VoIP service provider gave you this information. Otherwise, keep the default values. To enter one port number, enter the port number in the Start Port and End Port fields. To enter a range of ports: type the port number at the beginning of the range in the Start Port field, and type the port number at the end of the range in the End Port field.
Voice Compression |
Primary, Secondary, and Third Compression | Select the type of voice coder/decoder (codec) that you want the WiMAX Device to use. G.711 provides high voice quality but requires more bandwidth (64 kbps). G.711A is typically used in Europe. G.711u is typically used in North America and Japan. G.723 provides good voice quality, and requires 20 or 40 kbps. G.729 requires only 8 kbps. The WiMAX Device must use the same codec as the peer. When two SIP devices start a SIP session, they must agree on a codec. For more on voice compression, see Voice Coding.
DTMF Mode | Control how the WiMAX Device handles the tones that your telephone makes when you push its buttons. You should use the same mode your VoIP service provider uses. RFC 2833 - send the DTMF tones in RTP packets. PCM - send the DTMF tones in the voice data stream. This method works best when you are using a codec that does not use compression (like G.711). Codecs that use compression (like G.729) can distort the tones. SIP INFO - send the DTMF tones in SIP messages.
STUN |
Active | Select this if all of the following conditions are satisfied. There is a NAT router between the WiMAX Device and the SIP server. The NAT router is not a SIP ALG. Your VoIP service provider gave you an IP address or domain name for a STUN server. Otherwise, clear this field.
Server Address | Enter the IP address or domain name of the STUN server provided by your VoIP service provider.
Server Port | Enter the STUN server's listening port, if your VoIP service provider gave you one. Otherwise, keep the default value.
Use NAT |
Active | Select this if you want the WiMAX Device to send SIP traffic to a specific NAT router. You must also configure the NAT router to forward traffic with the specified port to the WiMAX Device. This eliminates the need for STUN or a SIP ALG.
Server Address | Enter the public IP address or domain name of the NAT router.
Server Port | Enter the port number that your SIP sessions use with the public IP address of the NAT router.
Outbound Proxy |
Active | Select this if your VoIP service provider has a SIP outbound server to handle voice calls. This allows the WiMAX Device to work with any type of NAT router and eliminates the need for STUN or a SIP ALG. Turn off any SIP ALG on a NAT router in front of the WiMAX Device to keep it from re-translating the IP address (since this is already handled by the outbound proxy server).
Server Address | Enter the IP address or domain name of the SIP outbound proxy server.
Server Port | Enter the SIP outbound proxy server's listening port, if your VoIP service provider gave you one. Otherwise, keep the default value.
NAT Keep Alive |
Active | Select this to stop NAT routers between the WiMAX Device and SIP server (a SIP proxy server or outbound proxy server) from dropping the SIP session. The WiMAX Device does this by sending SIP notify messages to the SIP server based on the specified interval.
Keep Alive with SIP Proxy | Select this if the SIP server is a SIP proxy server.
Keep Alive with Outbound Proxy | Select this if the SIP server is an outbound proxy server. You must enable Outbound Proxy to use this.
Keep Alive Interval | Enter how often (in seconds) the WiMAX Device should send SIP notify messages to the SIP server.
MWI (Message Waiting Indication) |
Enable | Select this if you want to hear a waiting (beeping) dial tone on your phone when you have at least one voice message. Your VoIP service provider must support this feature.
Expiration Time | Keep the default value, unless your VoIP service provider tells you to change it. Enter the number of seconds the SIP server should provide the message waiting service each time the WiMAX Device subscribes to the service. Before this time passes, the WiMAX Device automatically subscribes again.
Fax Option |
G.711 Fax Passthrough | Select this if the WiMAX Device should use G.711 to send fax messages. The peer devices must also use G.711.
T.38 Fax Relay | Select this if the WiMAX Device should send fax messages as UDP or TCP/IP packets through IP networks. This provides better quality, but it may have inter-operability problems. The peer devices must also use T.38.
Call Forward |
Call Forward Table | Select which call forwarding table you want the WiMAX Device to use for incoming calls. You set up these tables in VOICE > Phone Book > Incoming Call Policy.
Caller Ringing |
Enable | Check this box if you want people to hear a customized recording when they call you.
Caller Ringing Tone | Select the tone you want people to hear when they call you. See Custom Tones (IVR) for information on how to record these tones.
On Hold |
Enable | Check this box if you want people to hear a customized recording when you put them on hold.
On Hold Tone | Select the tone you want people to hear when you put them on hold. See Custom Tones (IVR) for information on how to record these tones.
Back | Click this to return to the SIP Settings screen without saving your changes.
Apply | Click to save your changes.
Reset | Click to restore your previously saved settings.

12.2.1.6 Custom Tones (IVR)

IVR (Interactive Voice Response) is a feature that allows you to use your telephone to interact with the WiMAX Device. The WiMAX Device allows you to record custom tones for the Caller Ringing Tone and On Hold Tone functions. The same recordings apply to both the caller ringing and on hold tones.

Table 58 Custom Tones Details

LABEL | DESCRIPTION
---|---
Total Time for All Tones | 128 seconds for all custom tones combined
Maximum Time per Individual Tone | 20 seconds
Total Number of Tones Recordable | 8. You can record up to eight different custom tones but the total time must be 128 seconds or less.

Use the following steps if you would like to create new tones or change your tones:

1 Pick up the phone and press **** on your phone's keypad and wait for the message that says you are in the configuration menu.
2 Press a number from 1101~1108 on your phone followed by the # key.
3 Play your desired music or voice recording into the receiver's mouthpiece. Press the # key.
4 You can continue to add, listen to, or delete tones, or you can hang up the receiver when you are done.

Do the following to listen to a custom tone:

1 Pick up the phone and press **** on your phone's keypad and wait for the message that says you are in the configuration menu.
2 Press a number from 1201~1208 followed by the # key to listen to the tone.
3 You can continue to add, listen to, or delete tones, or you can hang up the receiver when you are done.

Do the following to delete a custom tone:

1 Pick up the phone and press **** on your phone's keypad and wait for the message that says you are in the configuration menu.
2 Press a number from 1301~1308 followed by the # key to delete the tone of your choice. Press 14 followed by the # key if you wish to clear all your custom tones.
3 You can continue to add, listen to, or delete tones, or you can hang up the receiver when you are done.

12.3 QoS

Click VOICE > Service Configuration > QoS to set up and maintain ToS and VLAN settings for the WiMAX Device.

QoS (Quality of Service) refers to both a network's ability to deliver data with minimum delay and the networking methods used to provide bandwidth for real-time multimedia applications.

Network traffic can be classified by setting the ToS (Type Of Service) values at the data source (for example, at the WiMAX Device) so a server can decide the best method of delivery, that is the least cost, fastest route and so on.

Virtual Local Area Network (VLAN) allows a physical network to be partitioned into multiple logical networks. Only stations within the same group can communicate with each other.

Your WiMAX Device can add IEEE 802.1Q VLAN ID tags to voice frames that it sends to the network. This allows the WiMAX Device to communicate with a SIP server that is a member of the same VLAN group. Some ISPs use the VLAN tag to identify voice traffic and give it priority over other traffic.

Figure 72 VOICE > Service Configuration > QoS

The following table describes the labels in this screen.

Table 59 VOICE > Service Configuration > QoS

LABEL | DESCRIPTION
---|---
TDS |
SIP TOS Priority Setting | Enter the priority for SIP voice transmissions. The WiMAX Device creates Type of Service priority tags with this priority to voice traffic that it transmits.
RTP TOS Priority Setting | Enter the priority for RTP voice transmissions. The WiMAX Device creates Type of Service priority tags with this priority to RTP traffic that it transmits.
VLAN Tagging |
Voice VLAN ID | Select this if the WiMAX Device has to be a member of a VLAN to communicate with the SIP server. Ask your network administrator, if you are not sure. Enter the VLAN ID provided by your network administrator in the field on the right. Your LAN and gateway must be configured to use VLAN tags. Otherwise, clear this field.
Apply | Click to save your changes.
Reset | Click to restore your previously saved settings.

12.4 Technical Reference

The following section contains additional technical information about the WiMAX Device features described in this chapter.

12.4.1 SIP Call Progression

The following figure displays the basic steps in the setup and tear down of a SIP call. A calls B.

Table 60 SIP Call Progression

A | B
---|---
1. INVITE |
 | 2. Ringing
 | 3. OK
4. ACK |
5. Dialogue (voice traffic) | 5. Dialogue (voice traffic)
6. BYE |
 | 7. OK

1 A sends a SIP INVITE request to B. This message is an invitation for B to participate in a SIP telephone call.
2 B sends a response indicating that the telephone is ringing.
3 B sends an OK response after the call is answered.
4 A then sends an ACK message to acknowledge that B has answered the call.
5 Now A and B exchange voice media (talk).
6 After talking, A hangs up and sends a BYE request.
7 B replies with an OK response confirming receipt of the BYE request and the call is terminated.

12.4.2 SIP Client Server

SIP is a client-server protocol. A SIP client is an application program or device that sends SIP requests. A SIP server responds to the SIP requests.

When you use SIP to make a VoIP call, it originates at a client and terminates at a server. A SIP client could be a computer or a SIP phone. One device can act as both a SIP client and a SIP server.

12.4.3 SIP User Agent

A SIP user agent can make and receive VoIP telephone calls. This means that SIP can be used for peer-to-peer communications even though it is a client-server protocol. In the following figure, either A or B can act as a SIP user agent client to initiate a call. A and B can also both act as a SIP user agent to receive the call.
Figure 73 SIP User Agent

12.4.4 SIP Proxy Server

A SIP proxy server receives requests from clients and forwards them to another server.

In the following example, you want to use client device A to call someone who is using client device C.

1 The client device (A in the figure) sends a call invitation to the SIP proxy server (B).
2 The SIP proxy server forwards the call invitation to C.

Figure 74 SIP Proxy Server

12.4.5 SIP Redirect Server

A SIP redirect server accepts SIP requests, translates the destination address to an IP address and sends the translated IP address back to the device that sent the request. Then the client device that originally sent the request can send requests to the IP address that it received back from the redirect server. Redirect servers do not initiate SIP requests.

In the following example, you want to use client device A to call someone who is using client device C.

1 Client device A sends a call invitation for C to the SIP redirect server (B).
2 The SIP redirect server sends the invitation back to A with C's IP address (or domain name).
3 Client device A then sends the call invitation to client device C.

Figure 75 SIP Redirect Server

12.4.6 NAT and SIP

The WiMAX Device must register its public IP address with a SIP register server. If there is a NAT router between the WiMAX Device and the SIP register server, the WiMAX Device probably has a private IP address. The WiMAX Device lists its IP address in the SIP message that it sends to the SIP register server. NAT does not translate this IP address in the SIP message. The SIP register server gets the WiMAX Device's IP address from inside the SIP message and maps it to your SIP identity. If the WiMAX Device has a private IP address listed in the SIP message, the SIP server cannot map it to your SIP identity. See Chapter 10 The NAT Configuration Screens for more information.
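The registration problem described in 12.4.6, shown as an added example that is not part of the ZyXEL manual: the Python below parses a constructed SIP REGISTER, reports the SIP identity (SIP-Number@SIP-Service-Domain), and flags private addresses in the Contact and Via headers that NAT leaves untranslated. The sample message, the public address 203.0.113.10, the helper names, and the choice of headers that `apply_use_nat` rewrites are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample (not captured traffic): a REGISTER sent from behind NAT.
SAMPLE_REGISTER = (
    "REGISTER sip:VoIP-provider.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.5.1:5060;branch=z9hG4bK-constructed\r\n"
    "From: <sip:1122334455@VoIP-provider.com>;tag=constructed\r\n"
    "To: <sip:1122334455@VoIP-provider.com>\r\n"
    "Call-ID: constructed-call-id\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:1122334455@192.168.5.1:5060>\r\n"
    "Expires: 3600\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Ranges a register server on the Internet cannot route back to:
# RFC 1918 private space, carrier-grade NAT, link-local and loopback.
NON_PUBLIC_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "169.254.0.0/16", "127.0.0.0/8")]

COMPACT = {"v": "via", "m": "contact", "f": "from", "t": "to"}  # SIP short header names
URI_RE = re.compile(r"(sips?:[^>;\s]+)", re.IGNORECASE)
VIA_RE = re.compile(r"SIP/2\.0/\w+\s+([^;,\s]+)", re.IGNORECASE)


def split_hostport(hostport):
    """Split 'host', 'host:port' or '[v6]:port' into (host, port or None)."""
    if hostport.startswith("["):               # bracketed IPv6 literal
        host, _, tail = hostport[1:].partition("]")
        port = tail.lstrip(":")
    else:
        host, _, port = hostport.partition(":")
    return host, int(port) if port else None


def split_sip_uri(uri):
    """Return (sip_number or None, host, port) for a sip: or sips: URI."""
    scheme, _, rest = uri.partition(":")
    if scheme.lower() not in ("sip", "sips"):
        raise ValueError("not a SIP URI: %r" % uri)
    rest = rest.split(";", 1)[0].split("?", 1)[0]   # drop parameters and headers
    number, at, hostport = rest.rpartition("@")
    host, port = split_hostport(hostport)
    return (number if at else None), host, port


def is_private_host(host):
    """True only for literal IP addresses in a non-public range."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False          # a domain name: cannot be judged without DNS
    return any(addr in net for net in NON_PUBLIC_NETS)


def parse_headers(message):
    """Return (start_line, {header: [values]}); folded header lines are not handled."""
    lines = message.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        headers.setdefault(COMPACT.get(name, name), []).append(value.strip())
    return lines[0], headers


def audit_register(message):
    """Report the SIP identity and any private address the server would store."""
    start, headers = parse_headers(message)
    if start.split(" ", 1)[0] != "REGISTER":
        raise ValueError("not a REGISTER request")
    number, domain, _ = split_sip_uri(URI_RE.search(headers["to"][0]).group(1))
    findings = []
    for value in headers.get("contact", []):
        match = URI_RE.search(value)
        if match and is_private_host(split_sip_uri(match.group(1))[1]):
            findings.append(("contact", split_sip_uri(match.group(1))[1]))
    for value in headers.get("via", []):
        match = VIA_RE.match(value)
        if match and is_private_host(split_hostport(match.group(1))[0]):
            findings.append(("via", split_hostport(match.group(1))[0]))
    return {"identity": "%s@%s" % (number, domain), "findings": findings}


def apply_use_nat(message, public_ip, public_port):
    """Assumed model of Use NAT: put the NAT router's public address in Contact and Via."""
    private_hosts = {host for _, host in audit_register(message)["findings"]}
    head, sep, body = message.partition("\r\n\r\n")
    out = []
    for line in head.split("\r\n"):
        name = line.partition(":")[0].strip().lower()
        if COMPACT.get(name, name) in ("via", "contact"):
            for host in private_hosts:
                line = re.sub(re.escape(host) + r"(:\d+)?",
                              "%s:%d" % (public_ip, public_port), line)
        out.append(line)
    return "\r\n".join(out) + sep + body


if __name__ == "__main__":
    print(audit_register(SAMPLE_REGISTER))
    print(audit_register(apply_use_nat(SAMPLE_REGISTER, "203.0.113.10", 5060)))
```

A domain name in the Contact header is reported as not private because the check does no DNS lookup; resolve it separately if the device registers by name.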
Use a SIP ALG (Application Layer Gateway), Use NAT, STUN, or outbound proxy to allow the WiMAX Device to list its public IP address in the SIP messages.

12.4.7 DiffServ

DiffServ is a class of service (CoS) model that marks packets so that they receive specific per-hop treatment at DiffServ-compliant network devices along the route based on the application types and traffic flow. Packets are marked with DiffServ Code Points (DSCPs) indicating the level of service desired. This allows the intermediary DiffServ-compliant network devices to handle the packets differently depending on the code points without the need to negotiate paths or remember state information for every flow. In addition, applications do not have to request a particular service or give advanced notice of where the traffic is going.

12.4.8 DSCP and Per-Hop Behavior

DiffServ defines a new DS (Differentiated Services) field to replace the Type of Service (TOS) field in the IP header. The DS field contains a 2-bit unused field and a 6-bit DSCP field which can define up to 64 service levels. The following figure illustrates the DS field.

DSCP is backward compatible with the three precedence bits in the ToS octet so that non-DiffServ compliant, ToS-enabled network devices will not conflict with the DSCP mapping.

Figure 76 DiffServ: Differentiated Service Field

DSCP (6-bit) | Unused (2-bit)
---|---

The DSCP value determines the forwarding behavior, the PHB (Per-Hop Behavior), that each packet gets across the DiffServ network. Based on the marking rule, different kinds of traffic can be marked for different priorities of forwarding. Resources can then be allocated according to the DSCP values and the configured policies.

CHAPTER 13 The Phone Screens

13.1 Overview

Use the VOICE > Phone screens to configure the volume, echo cancellation, VAD settings and custom tones for the phone port on the WiMAX Device. You can also select which SIP account to use for making outgoing calls.

13.1.1 What You Can Do in This Chapter

- The Analog Phone screen (Section 13.2) lets you control which SIP accounts each phone uses.
- The Common screen (Section 13.3) lets you activate and deactivate immediate dialing.
- The Region screen (Section 13.4) lets you maintain settings that often depend on the region of the world in which the WiMAX Device is located.

13.1.2 What You Need to Know

The following terms and concepts may help as you read through this chapter.

Voice Activity Detection/Silence Suppression/Comfort Noise

Voice Activity Detection (VAD) detects whether or not speech is present. This lets the WiMAX Device reduce the bandwidth that a call uses by not transmitting silent packets when you are not speaking.

When using VAD, the WiMAX Device generates comfort noise when the other party is not speaking. The comfort noise lets you know that the line is still connected as total silence could easily be mistaken for a lost connection.

Echo Cancellation

G.168 is an ITU-T standard for eliminating the echo caused by the sound of your voice reverberating in the telephone receiver while you talk.

Supplementary Phone Services Overview

Supplementary services such as call hold, call waiting, call transfer, etc. are generally available from your VoIP service provider. The WiMAX Device supports the following services:

- Caller ID
- Call Hold
- Call Transfer
- Call Forwarding
- Call Waiting
- Making a Second Call
- Three-Way Conference
- Internal Calls
- CLIP (Calling Line Identification Presentation)
- CLIR (Calling Line Identification Restriction)
Note: To take full advantage of the supplementary phone services available through the WiMAX Device's phone port, you may need to subscribe to the services from your VoIP service provider.

13.2 Analog Phone

Click VOICE > Phone > Analog Phone to control which SIP accounts each phone uses.

Figure 77 VOICE > Phone > Analog Phone

The following table describes the labels in this screen.

Table 61 VOICE > Phone > Analog Phone

| LABEL | DESCRIPTION |
|---|---|
| Phone Port Settings | Select the phone port you want to see in this screen. If you change this field, the screen automatically refreshes. |
| Outgoing Call Use | |
| SIP1 | Select this if you want this phone port to use the SIP1 account when it makes calls. If you select both SIP accounts, the WiMAX Device tries to use SIP2 first. |
| SIP2 | Select this if you want this phone port to use the SIP2 account when it makes calls. If you select both SIP accounts, the WiMAX Device tries to use SIP2 first. |
| Incoming Call apply to | |
| SIP1 | Select this if you want to receive phone calls for the SIP1 account on this phone port. If you select more than one source for incoming calls, there is no way to distinguish between them when you receive phone calls. |
| SIP2 | Select this if you want to receive phone calls for the SIP2 account on this phone port. If you select more than one source for incoming calls, there is no way to distinguish between them when you receive phone calls. |
| Apply | Click to save your changes. |
| Reset | Click to restore your previously saved settings. |
| Advanced Setup | Click this to edit the advanced settings for this phone port. The Advanced Analog Phone Setup screen appears. |

13.2.1 Advanced Analog Phone Setup

Click the Advanced button in VOICE > Phone > Analog Phone to edit advanced settings for each phone port.

Figure 78 VOICE > Phone > Analog Phone > Advanced

The following table describes the labels in this screen.
Table 62 VOICE > Phone > Analog Phone > Advanced

| LABEL | DESCRIPTION |
|---|---|
| Voice Volume Control | |
| Speaking Volume | Enter the loudness that the WiMAX Device uses for speech that it sends to the peer device. -1 is the quietest, and 1 is the loudest. |
| Listening Volume | Enter the loudness that the WiMAX Device uses for speech that it receives from the peer device. -1 is the quietest, and 1 is the loudest. |
| Echo Cancellation | |
| G.168 Active | Select this if you want to eliminate the echo caused by the sound of your voice reverberating in the telephone receiver while you talk. |
| | Note: The G.711 codec does not support this feature. |
| Dialing Interval Select | |
| Dialing Interval Select | Enter the number of seconds the WiMAX Device should wait after you stop dialing numbers before it makes the phone call. The value depends on how quickly you dial phone numbers. If you select Active Immediate Dial in VOICE > Phone > Common, you can press the pound key (#) to tell the WiMAX Device to make the phone call immediately, regardless of this setting. |
| VAD Support | Select this if the WiMAX Device should stop transmitting when you are not speaking. This reduces the bandwidth the WiMAX Device uses. |
| Back | Click this to return to the Analog Phone screen without saving your changes. |
| Apply | Click to save your changes. |
| Reset | Click to restore your previously saved settings. |

13.3 Common

Click VOICE > Phone > Common to activate and deactivate immediate dialing.

Figure 79 VOICE > Phone > Common

The following table describes the labels in this screen.

Table 63 VOICE > Phone > Common

| LABEL | DESCRIPTION |
|---|---|
| Active Immediate Dial | Select this if you want to use the pound key (#) to tell the WiMAX Device to make the phone call immediately, instead of waiting the number of seconds you selected in the Dialing Interval Select in VOICE > Phone > Analog Phone. If you select this, dial the phone number, and then press the pound key if you do not want to wait. The WiMAX Device makes the call immediately. |
| Apply | Click to save your changes. |
| Reset | Click to restore your previously saved settings. |

13.4 Region

Click VOICE > Phone > Region to maintain settings that often depend on the region of the world in which the WiMAX Device is located.

Figure 80 VOICE > Phone > Region

The following table describes the labels in this screen.

Table 64 VOICE > Phone > Region

| LABEL | DESCRIPTION |
|---|---|
| Region Settings | Select the place in which the WiMAX Device is located. Do not select Default. |
| Call Service Mode | Select the mode for supplementary phone services (call hold, call waiting, call transfer and three-way conference calls) that your VoIP service provider supports. Europe Type - use supplementary phone services in European mode. USA Type - use supplementary phone services in American mode. You might have to subscribe to these services to use them. Contact your VoIP service provider. |
| Apply | Click to save your changes. |
| Reset | Click to restore your previously saved settings. |

13.5 Technical Reference

The following section contains additional technical information about the WiMAX Device features described in this chapter.

13.5.1 The Flash Key

Flashing means to press the hook for a short period of time (a few hundred milliseconds) before releasing it. On newer telephones, there should be a "flash" key (button) that generates the signal electronically. If the flash key is not available, you can tap (press and immediately release) the hook by hand to achieve the same effect. However, using the flash key is preferred since the timing is much more precise. The WiMAX Device may interpret manual tapping as hanging up if the duration is too long.

You can invoke all the supplementary services by using the flash key.

13.5.2 Europe Type Supplementary Phone Services

This section describes how to use supplementary phone services with the Europe Type Call Service Mode. Commands for supplementary services are listed in the table below.

After pressing the flash key, if you do not issue the sub-command before the default sub-command timeout (2 seconds) expires or issue an invalid sub-command, the current operation will be aborted.

Table 65 European Type Flash Key Commands

| COMMAND | SUB-COMMAND | DESCRIPTION |
|---|---|---|
| Flash | | Put a current call on hold to place a second call. Switch back to the call (if there is no second call). |
| Flash | 0 | Drop the call presently on hold or reject an incoming call which is waiting for answer. |
| Flash | 1 | Disconnect the current phone connection and answer the incoming call or resume with caller presently on hold. |
| Flash | 2 | 1. Switch back and forth between two calls. 2. Put a current call on hold to answer an incoming call. 3. Separate the current three-way conference call into two individual calls (one is on-line, the other is on hold). |
| Flash | 3 | Create three-way conference connection. |
| Flash | *98# | Transfer the call to another phone. |

European Call Hold allows you to put a call (A) on hold by pressing the flash key.

If you have another call, press the flash key and then 2 to switch back and forth between caller A and B by putting either one on hold.

Press the flash key and then 0 to disconnect the call presently on hold and keep the current call on line.

Press the flash key and then 1 to disconnect the current call and resume the call on hold.

If you hang up the phone but a caller is still on hold, there will be a remind ring.

European Call Waiting allows you to place a call on hold while you answer another incoming call on the same telephone (directory) number.

If there is a second call to a telephone number, you will hear a call waiting tone. Take one of the following actions.

Reject the second call. Press the flash key and then press 0.
Disconnect the first call and answer the second call. Either press the flash key and press 1, or just hang up the phone and then answer the phone after it rings.
Put the first call on hold and answer the second call. Press the flash key and then 2.

European Call Transfer allows you to transfer an incoming call (that you have answered) to another phone. To do so:

1 Press the flash key to put the caller on hold.
2 When you hear the dial tone, dial *98# followed by the number to which you want to transfer the call. to operate the Intercom.
3 After you hear the ring signal or the second party answers it, hang up the phone.
European Three-Way Conference allows you to make three-way conference calls. To do so:

1 When you are on the phone talking to someone, press the flash key to put the caller on hold and get a dial tone.
2 Dial a phone number directly to make another call.
3 When the second call is answered, press the flash key and press 3 to create a three-way conversation.
4 Hang up the phone to drop the connection.
5 If you want to separate the activated three-way conference into two individual connections (one is on-line, the other is on hold), press the flash key and press 2.

13.5.3 USA Type Supplementary Services

This section describes how to use supplementary phone services with the USA Type Call Service Mode. Commands for supplementary services are listed in the table below.

After pressing the flash key, if you do not issue the sub-command before the default sub-command timeout (2 seconds) expires or issue an invalid sub-command, the current operation will be aborted.

Table 66 USA Type Flash Key Commands

| COMMAND | SUB-COMMAND | DESCRIPTION |
|---|---|---|
| Flash | | Put a current call on hold to place a second call. After the second call is successful, press the flash key again to have a three-way conference call. Put a current call on hold to answer an incoming call. |
| Flash | *98# | Transfer the call to another phone. |

USA Call Hold allows you to put a call (A) on hold by pressing the flash key.

If you have another call, press the flash key to switch back and forth between caller A and B by putting either one on hold.

If you hang up the phone but a caller is still on hold, there will be a remind ring.

USA Call Waiting allows you to place a call on hold while you answer another incoming call on the same telephone (directory) number.

If there is a second call to your telephone number, you will hear a call waiting tone.

Press the flash key to put the first call on hold and answer the second call.

USA Call Transfer allows you to transfer an incoming call (that you have answered) to another phone. To do so:

1 Press the flash key to put the caller on hold.
2 When you hear the dial tone, dial *98# followed by the number to which you want to transfer the call. to operate the Intercom.
3 After you hear the ring signal or the second party answers it, hang up the phone.

USA Three-Way Conference allows you to make three-way conference calls. To do so:

1 When you are making a call, press the flash key to put the call on hold and get a dial tone.
2 Dial a phone number to make a second call.
3 When the second call is answered, press the flash key to create a three-way conversation.
4 If you want to separate the three-way conference into two individual calls (one call is online, the other is on hold), press the flash key. The first call is online and the second call is on hold. Pressing the flash key again will recreate the three-way conversation. The next time you press the flash key, the second call is online and the first call is on hold.
5 Hang up the phone to drop the connection.

CHAPTER 14
The Phone Book Screens

14.1 Overview

The VOICE > Phone Book screens allow you to configure the WiMAX Device's phone book for making VoIP calls.

14.1.1 What You Can Do in This Chapter

The Incoming Call Policy screen (Section 14.2 on page 176) lets you maintain rules for handling incoming calls. You can block, redirect, or accept them.
The Speed Dial screen (Section 14.3 on page 178) lets you add, edit, or remove speed-dial entries.

14.1.2 What You Need to Know

The following terms and concepts may help as you read through this chapter.

Speed Dial and Peer-to-Peer Calling

Speed dial provides shortcuts for dialing frequently used (VoIP) phone numbers. It is also required if you want to make peer-to-peer calls.

In peer-to-peer calls, you call another VoIP device directly without going through a SIP server. In the WiMAX Device, you must set up a speed dial entry in the phone book in order to do this. Select Non-Proxy (Use IP or URL) in the Type column and enter the callee's IP address or domain name. The WiMAX Device sends SIP INVITE requests to the peer VoIP device when you use the speed dial entry. You do not need to configure a SIP account in order to make a peer-to-peer VoIP call.
14.2 Incoming Call Policy

Click VOICE > Phone Book > Incoming Call Policy to maintain rules for handling incoming calls. You can block, redirect, or accept them.

Figure 81 VOICE > Phone Book > Incoming Call Policy

The following table describes the labels in this screen.

Table 67 VOICE > Phone Book > Incoming Call Policy

| LABEL | DESCRIPTION |
|---|---|
| Table Number | Select the call-forwarding table you want to see in this screen. If you change this field, the screen automatically refreshes. |
| Forward to Number Setup | |
| Unconditional Forward to Number | Select this if you want the WiMAX Device to forward all incoming calls to the specified phone number, regardless of other rules in the Forward to Number section. Specify the phone number in the field on the right. |
| Busy Forward to Number | Select this if you want the WiMAX Device to forward incoming calls to the specified phone number if the phone port is busy. Specify the phone number in the field on the right. If you have call waiting, the incoming call is forwarded to the specified phone number if you reject or ignore the second incoming call. |
| No Answer Forward to Number | Select this if you want the WiMAX Device to forward incoming calls to the specified phone number if the call is unanswered. (See No Answer Waiting Time.) Specify the phone number in the field on the right. |
| No Answer Waiting Time | This field is used by the No Answer Forward to Number feature and No Answer conditions below. Enter the number of seconds the WiMAX Device should wait for you to answer an incoming call before it considers the call unanswered. |
| Advanced Setup | |
| # | The number of the item in this list. |
| Activate | Select this to enable this rule. Clear this to disable this rule. |
| Incoming Call Number | Enter the phone number to which this rule applies. |
| Forward to Number | Enter the phone number to which you want to forward incoming calls from the Incoming Call Number. You may leave this field blank, depending on the Condition. |
| Condition | Select the situations in which you want to forward incoming calls from the Incoming Call Number, or select an alternative action. Unconditional - The WiMAX Device immediately forwards any calls from the Incoming Call Number to the Forward to Number. Busy - The WiMAX Device forwards any calls from the Incoming Call Number to the Forward to Number when your SIP account already has a call connected. No Answer - The WiMAX Device forwards any calls from the Incoming Call Number to the Forward to Number when the call is unanswered. (See No Answer Waiting Time.) Block - The WiMAX Device rejects calls from the Incoming Call Number. Accept - The WiMAX Device allows calls from the Incoming Call Number. You might create a rule with this condition if you do not want incoming calls from someone to be forwarded by rules in the Forward to Number section. |
| Apply | Click to save your changes. |
| Reset | Click to restore your previously saved settings. |

Note: The WiMAX Device checks the Advanced rules first before checking the Forward to Number rules. All rules are checked in order from top to bottom.

14.3 Speed Dial

Click VOICE > Phone Book > Speed Dial to add, edit, or remove speed-dial entries.

You must create speed-dial entries if you want to make peer-to-peer calls or call SIP numbers that use letters. You can also create speed-dial entries for frequently-used SIP phone numbers.

Figure 82 VOICE > Phone Book > Speed Dial

The following table describes the icons in this screen.

Table 68 Advanced > LAN Configuration > IP Static Route

| ICON | DESCRIPTION |
|---|---|
| Delete | Click to delete this item. |

The following table describes the labels in this screen.

Table 69 VOICE > Phone Book > Speed Dial

| LABEL | DESCRIPTION |
|---|---|
| Speed Dial | Select the speed-dial number you want to use for this phone number. |
| Number | Enter the SIP number you want the WiMAX Device to call when you dial the speed-dial number. |
| Name | Enter a name to identify the party you call when you dial the speed-dial number. You can use up to 127 printable ASCII characters. |
| Type | Select Use Proxy if you want to use one of your SIP accounts to call this phone number. Select Non-Proxy (Use IP or URL) if you want to use a different SIP server or if you want to make a peer-to-peer call. In this case, enter the IP address or domain name of the SIP server or the other party in the field below. |
| Add | Click to add the new number to the list below. |
| # | This is a list of speed dial numbers. |
| Number | This is the SIP number the WiMAX Device calls when you use this speed dial number. |
| Name | This is the name of the party associated with this speed-dial number. |
| Type | This indicates whether this speed dial number uses a proxy or not when placing a call to the phone number associated with it. |
| Destination | This indicates if the speed-dial entry uses one of your SIP accounts or uses the IP address or domain name of the SIP server. |
| Action | Click the Delete icon to erase this speed-dial entry. |
| Apply | Click to save your changes. |
| Clear | Click to clear all fields on the screen and begin anew. |

PART V
Tools & Status Screens

The Certificates Screens
The Firewall Screens
Content Filter
The Remote Management Screens
The Logs Screens
The UPnP Screen
The Status Screen

CHAPTER 15
The Certificates Screens

15.1 Overview

Use the TOOLS > Certificates screens to manage public key certificates on the WiMAX Device.

The WiMAX Device can use public key certificates (also sometimes called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner's identity and public key. Certificates provide a way to exchange public keys for use in authentication.

Public key certificates are used by web browsers to ensure that a secure web site is legitimate. When a certificate authority such as VeriSign, Comodo, or Network Solutions (to name a few) receives a certificate request from a website operator, they confirm that the web domain and contact information in the request match those on public record with a domain name registrar.
If they match, then the certificate is issued to the website operator, who then places it on his site to be issued to all visiting web browsers to let them know that the site is legitimate.

15.1.1 What You Can Do in This Chapter

The My Certificates screen (Section 15.2 on page 184) lets you generate and export self-signed certificates or certification requests and import the WiMAX Device's CA-signed certificates.
The Trusted CAs screen (Section 15.3 on page 193) lets you display a summary list of certificates of the certification authorities that you have set the WiMAX Device to accept as trusted.

15.1.2 What You Need to Know

The following terms and concepts may help as you read through this chapter.

Certificate Authorities

A Certification Authority (CA) issues certificates and guarantees the identity of each certificate owner. There are commercial certification authorities like CyberTrust or VeriSign and government certification authorities. You can use the WiMAX Device to generate certification requests that contain identifying information and public keys and then send the certification requests to a certification authority.

15.2 My Certificates

Click TOOLS > Certificates > My Certificates to generate and export self-signed certificates or certification requests and import the WiMAX Device's CA-signed certificates.

Figure 83 TOOLS > Certificates > My Certificates

The following table describes the icons in this screen.

Table 70 TOOLS > Certificates > My Certificates

| ICON | DESCRIPTION |
|---|---|
| Edit | Click to edit this item. |
| Import | Click to import an item. |
| Delete | Click to delete this item. |

The following table describes the labels in this screen.

Table 71 TOOLS > Certificates > My Certificates

| LABEL | DESCRIPTION |
|---|---|
| PKI Storage Space in Use | This bar displays the percentage of the WiMAX Device's PKI storage space that is currently in use. When the storage space is almost full, you should consider deleting expired or unnecessary certificates before adding more certificates. |
| # | The number of the item in this list. |
| Name | This field displays the name used to identify this certificate. It is recommended that you give each certificate a unique name. |
| Type | This field displays what kind of certificate this is. REQ represents a certification request and is not yet a valid certificate. Send a certification request to a certification authority, which then issues a certificate. Use the My Certificate Import screen to import the certificate and replace the request. SELF represents a self-signed certificate. *SELF represents the default self-signed certificate which signs the imported remote host certificates. CERT represents a certificate issued by a certification authority. |
| Subject | This field displays identifying information about the certificate's owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information. |
| Issuer | This field displays identifying information about the certificate's issuing certification authority, such as a common name, organizational unit or department, organization or company and country. With self-signed certificates, this is the same information as in the Subject field. |
| Valid From | This field displays the date that the certificate becomes applicable. |
| Valid To | This field displays the date that the certificate expires. The text displays in red and includes an Expired! message if the certificate has expired. |
| Action | Click the Edit icon to open a screen with an in-depth list of information about the certificate. Click the Export icon to save a copy of the certificate without its private key. Browse to the location you want to use and click Save. Click the Delete icon to remove a certificate. A window displays asking you to confirm that you want to delete the certificate. Subsequent certificates move up by one when you take this action. The WiMAX Device keeps all of your certificates unless you specifically delete them. Uploading new firmware or default configuration file does not delete your certificates. You cannot delete certificates that any of the WiMAX Device's features are configured to use. |
| Import | Click to import a certificate into the WiMAX Device. |
| Create | Click to go to the screen where you can have the WiMAX Device generate a certificate or a certification request. |
| Refresh | Click to display the current validity status of the certificates. |

15.2.1 My Certificates Create

Click TOOLS > Certificates > My Certificates and then the Create icon to open the My Certificates Create screen. Use this screen to have the WiMAX Device create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request.

Figure 84 TOOLS > Certificates > My Certificates > Create

The following table describes the labels in this screen.

Table 72 TOOLS > Certificates > My Certificates > Create

| LABEL | DESCRIPTION |
|---|---|
| Certificate Name | Type a name to identify this certificate. You can use up to 31 alphanumeric and ;~!@#$%^&()_+[]{},.=- characters. |
| Subject Information | Use these fields to record information that identifies the owner of the certificate. You do not have to fill in every field, although the Common Name is mandatory. The certification authority may add fields (such as a serial number) to the subject information when it issues a certificate. It is recommended that each certificate have unique subject information. |
| Common Name | Select a radio button to identify the certificate's owner by IP address, domain name or e-mail address. Type the IP address (in dotted decimal notation), domain name or e-mail address in the field provided. The domain name or e-mail address is for identification purposes only and can be any string. A domain name can be up to 255 characters. You can use alphanumeric characters, the hyphen and periods. An e-mail address can be up to 63 characters. You can use alphanumeric characters, the hyphen, the @ symbol, periods and the underscore. |
| Organizational Unit | Identify the organizational unit or department to which the certificate owner belongs. You can use up to 63 characters. You can use alphanumeric characters, the hyphen and the underscore. |
| Organization | Identify the company or group to which the certificate owner belongs. You can use up to 63 characters. You can use alphanumeric characters, the hyphen and the underscore. |
| Country | Identify the state in which the certificate owner is located. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore. |
| Key Length | Select a number from the drop-down list box to determine how many bits the key should use (512 to 2048). The longer the key, the more secure it is. A longer key also uses more PKI storage space. |
| Enrollment Options | These radio buttons deal with how and when the certificate is to be generated. |
| Create a self-signed certificate | Select Create a self-signed certificate to have the WiMAX Device generate the certificate and act as the Certification Authority (CA) itself. This way you do not need to apply to a certification authority for certificates. |
| Create a certification request and save it locally for later manual enrollment | Select Create a certification request and save it locally for later manual enrollment to have the WiMAX Device generate and store a request for a certificate. Use the My Certificate Details screen to view the certification request and copy it to send to the certification authority. Copy the certification request from the My Certificate Details screen and then send it to the certification authority. |
| Create a certification request and enroll for a certificate immediately online | Select Create a certification request and enroll for a certificate immediately online to have the WiMAX Device generate a request for a certificate and apply to a certification authority for a certificate. You must have the certification authority's certificate already imported in the Trusted CAs screen. When you select this option, you must select the certification authority's enrollment protocol and the certification authority's certificate from the drop-down list boxes and enter the certification authority's server address. You also need to fill in the Reference Number and Key if the certification authority requires them. |
| Enrollment Protocol | This field applies when you select Create a certification request and enroll for a certificate immediately online. Select the certification authority's enrollment protocol from the drop-down list box. Simple Certificate Enrollment Protocol (SCEP) is a TCP-based enrollment protocol that was developed by VeriSign and Cisco. Certificate Management Protocol (CMP) is a TCP-based enrollment protocol that was developed by the Public Key Infrastructure X.509 working group of the Internet Engineering Task Force (IETF) and is specified in RFC 2510. |
| CA Server Address | This field applies when you select Create a certification request and enroll for a certificate immediately online. Enter the IP address (or URL) of the certification authority server. For a URL, you can use up to 511 of the following characters. a-zA-Z0-9'()+,/:.=?;!*#@$_%- |
| CA Certificate | This field applies when you select Create a certification request and enroll for a certificate immediately online. Select the certification authority's certificate from the CA Certificate drop-down list box. You must have the certification authority's certificate already imported in the Trusted CAs screen. Click Trusted CAs to go to the Trusted CAs screen where you can view (and manage) the WiMAX Device's list of certificates of trusted certification authorities. |
| Request Authentication | When you select Create a certification request and enroll for a certificate immediately online, the certification authority may want you to include a reference number and key to identify you when you send a certification request. Fill in both the Reference Number and the Key fields if your certification authority uses CMP enrollment protocol. Just the Key field displays if your certification authority uses the SCEP enrollment protocol. For the reference number, use 0 to 99999999. For the key, use up to 31 of the following characters. a-zA-Z0-9;\|`~!@#$%^&*()_+\{}':,./<>=- |
| Apply | Click to save your changes. |
| Cancel | Click to return to the previous screen without saving your changes. |

If you configured the My Certificate Create screen to have the WiMAX Device enroll a certificate and the certificate enrollment is not successful, you see a screen with a Return button that takes you back to the My Certificate Create screen. Click Return and check your information in the My Certificate Create screen. Make sure that the certification authority information is correct and that your Internet connection is working properly if you want the WiMAX Device to enroll a certificate online.

15.2.2 My Certificate Edit

Click TOOLS > Certificates > My Certificates and then the Edit icon to view in-depth certificate information and change the certificate's name.

Figure 85 TOOLS > Certificates > My Certificates > Edit

The following table describes the labels in this screen.

Table 73 TOOLS > Certificates > My Certificates > Edit

| LABEL | DESCRIPTION |
|---|---|
| Name | This field displays the identifying name of this certificate. You can use up to 31 alphanumeric and ;~!@#$%^&()_+[]{},.=- characters. |
| Property | Select Default self-signed certificate which signs the imported remote host certificates to use this certificate to sign the remote host certificates you upload in the TOOLS > Certificates > Trusted CAs screen. |
| Certification Path | This field displays for a certificate, not a certification request. Click the Refresh button to have this read-only text box display the hierarchy of certification authorities that validate the certificate (and the certificate itself). If the issuing certification authority is one that you have imported as a trusted certification authority, it may be the only certification authority in the list (along with the certificate itself). If the certificate is a self-signed certificate, the certificate itself is the only one in the list. The WiMAX Device does not trust the certificate and displays Not trusted in this field if any certificate on the path has expired or been revoked. |
| Refresh | Click to display the certification path. |
| Certification Information | |
| Type | This field displays general information about the certificate. CA-signed means that a Certification Authority signed the certificate. Self-signed means that the certificate's owner signed the certificate (not a certification authority). X.509 means that this certificate was created and signed according to the ITU-T X.509 recommendation that defines the formats for public-key certificates. |
| Version | This field displays the X.509 version number. |
| Serial Number | This field displays the certificate's identification number given by the certification authority or generated by the WiMAX Device. |
| Subject | This field displays information that identifies the owner of the certificate, such as Common Name (CN), Organizational Unit (OU), Organization (O) and Country (C). |
| Issuer | This field displays identifying information about the certificate's issuing certification authority, such as Common Name, Organizational Unit, Organization and Country. With self-signed certificates, this is the same as the Subject Name field. none displays for a certification request. |
| Signature Algorithm | This field displays the type of algorithm that was used to sign the certificate. The WiMAX Device uses rsa-pkcs1-sha1 (RSA public-private key encryption algorithm and the SHA1 hash algorithm). Some certification authorities may use rsa-pkcs1-md5 (RSA public-private key encryption algorithm and the MD5 hash algorithm). |
| Valid From | This field displays the date that the certificate becomes applicable. none displays for a certification request. |
| Valid To | This field displays the date that the certificate expires. The text displays in red and includes an Expired! message if the certificate has expired. none displays for a certification request. |
| Key Algorithm | This field displays the type of algorithm that was used to generate the |
| | s key can be used. For example, DigitalSignature means that the key can be used to sign certificates and KeyEncipherment means that the key can be used to encrypt text. |
| MD5 Fingerprint | This is the certificate's message digest that the WiMAX Device calculated using the MD5 algorithm. |
| SHA1 Fingerprint | This is the certificate |
| Basic Constraint | This field displays general information about the certificate. |
For example, Subject Type=CA means that this is a certification authoritys certificate and Path Length Constraint=1 means that there can only be one certification authority in the certificate s path. This field does not display for a certification request. certificates key pair (the WiMAX Device uses RSA encryption) and the length of the key set in bits (1024 bits for example). This field displays the certificate owner s IP address (IP), domain Subject Alternative Name name (DNS) or e-mail address (EMAIL). Key UsageThis field displays for what functions the certificate Company Confidential You can copy and paste a certificate into an e-mail to send to friends or colleagues or you can copy and paste a certificate into a text editor and save the file on a management computer for later distribution
(via floppy disk for example). Click to save your changes. Click to return to the previous screen without saving your changes. calculated using the SHA1 algorithm. This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses lowercase letters, uppercase letters and numerals to convert the binary certificate into a printable form. You can copy and paste a certification request into a certification authoritys web page, an e-mail that you send to the certification authority or a text editor and save the file on a management computer for later manual enrollment. Certificate in PEM
(Base-64) Encoded Format s message digest that the WiMAX Device Apply Cancel Users Guide 191 Chapter 15The Certificates Screens 15.2.3 My Certificate Import The following table describes the labels in this screen. Figure 86 TOOLS > Certificates > My Certificates > Import Click TOOLS > Certificates > My Certificates > Import to import a certificate that matches a corresponding certification request that was generated by the WiMAX Device. You must remove any spaces from the certificates filename before you can import it. Company Confidential Table 74 TOOLS > Certificates > My Certificates > Import LABEL File Path Type in the location of the file you want to upload in this field or click Browse Browse Click to find the certificate file you want to upload. Apply Cancel Click to save your changes. Click to return to the previous screen without saving your changes. You cannot import a certificate with the same name as a certificate that is already in the WiMAX Device. DESCRIPTION to find it. 192 Users Guide Chapter 15The Certificates Screens 15.3 Trusted CAs The following table describes the icons in this screen. Figure 87 TOOLS > Certificates > Trusted CAs Click TOOLS > Certificates >Trusted CAs to display a summary list of certificates of the certification authorities that you have set the WiMAX Device to accept as trusted. The WiMAX Device accepts any valid certificate signed by a certification authority on this list as being trustworthy; thus you do not need to import any certificate that is signed by one of these certification authorities. Company Confidential DESCRIPTION This bar displays the percentage of the WiMAX Device s PKI storage space that is currently in use. When the storage space is almost full, you should consider deleting expired or unnecessary certificates before adding more certificates. The number of the item in this list. 
formation about the certificates owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information. Table 76 TOOLS > Certificates > Trusted CAs LABEL PKI Storage Space in Use
NameThis field displays the name used to identify this certificate. SubjectThis field displays identifying in Table 75 TOOLS > Certificates > Trusted CAs ICON The following table describes the labels in this screen. DESCRIPTION Edit Click to delete this item. Click to export an item. Click to edit this item. Export Delete Users Guide 193 Chapter 15The Certificates Screens ActionClick the DESCRIPTION about the certificate. CRL IssuerThis field displays Yes if the certification authority issues CRL Edit icon to open a screen with an in-depth list of information Valid ToThis field displays the date that the certificate expires. The text displays Table 76 TOOLS > Certificates > Trusted CAs (continued) LABEL IssuerThis field displays identifying in in red and includes an Expiring! or Expired! message if the certificate is about to expire or has already expired. Use the Export icon to save the certificate to a computer. Click the icon and then Save in the File Download screen. The Save As screen opens, browse to the location that you want to use and click Save.
(Certificate Revocation Lists) for the certificates that it has issued and you have selected the Check incoming certificates issued by this CA against a CRL check box in the certificates details screen to have the WiMAX Device check the CRL before trusting any certificates issued by the certification authority. Otherwise the field displays No. formation about the certificates issuing certification authority, such as a common name, organizational unit or department, organization or company and country. With self-signed certificates, this is the same information as in the Subject field. Valid FromThis field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid! message if the certificate has not yet become applicable. Company Confidential Click the Delete icon to remove the certificate. A window displays asking you to confirm that you want to delete the certificate. Note that subsequent certificates move up by one when you take this action. certification authority that you trust, from your computer to the WiMAX Device. RefreshClick this button to display the current validity status of the certificates. Import to open a screen where you can save the certificate of a ImportClick 194 Users Guide Chapter 15The Certificates Screens 15.3.1 Trusted CA Edit Figure 88 TOOLS > Certificates > Trusted CAs > Edit Click TOOLS > Certificates >Trusted CAs and then click the Edit icon to open the Trusted CAs screen to view in-depth certificate information and change the certificates name. Company Confidential The following table describes the labels in this screen. Table 77 TOOLS > Certificates > Trusted CAs > Edit LABEL NameThis field displays the identifying name of this certificate. You can use Default self-signed certificate which signs the imported remote host certificates to use this certificate to sign the remote host certificates you upload in the TOOLS > Certificates >Trusted CAs screen. 
up to 31 alphanumeric and ;~!@#$%^&()_+[]{},.=- characters. DESCRIPTION PropertySelect Users Guide 195 Chapter 15The Certificates Screens DESCRIPTION Refresh to display the certification path. VersionThis field displays the X.509 version number. Serial NumberThis field displays the certif Table 77 TOOLS > Certificates > Trusted CAs > Edit (continued) LABEL Certification PathThis field displays for a certificate, not a certification request. Click the Refresh button to have this read-only text box display the hierarchy of certification authorities that validate the certificate (and the certificate itself). RefreshClick Certification Information TypeThis field displays general information about the certificate. CA-signed means that a Certification Authority signed the certificate. Self-signed means that the certificates owner signed the certificate (not a certification authority). X.509 means that this certificate was created and signed according to the ITU-T X.509 recommendation that defines the formats for public-key certificates. If the issuing certification authority is one that you have imported as a trusted certification authority, it may be the only certification authority in the list (along with the certificate itself). If the certificate is a self-signed certificate, the certificate itself is the only one in the list. The WiMAX Device does not trust the certificate and displays Not trusted in this field if any certificate on the path has expired or been revoked. Company Confidential none displays for a certification request. This field displays the type of algorithm that was used to sign the certificate. The WiMAX Device uses rsa-pkcs1-sha1 (RSA public-
private key encryption algorithm and the SHA1 hash algorithm). Some certification authorities may use rsa-pkcs1-md5 (RSA public-
private key encryption algorithm and the MD5 hash algorithm). certificates key pair (the WiMAX Device uses RSA encryption) and the length of the key set in bits (1024 bits for example). This field displays the certificate owner s IP address (IP), domain name (DNS) or e-mail address (EMAIL). issuing certification authority, such as Common Name, Organizational Unit, Organization and Country. displays in red and includes an Expired! message if the certificate has expired. none displays for a certification request. With self-signed certificates, this is the same as the Subject Name field. certificate, such as Common Name (CN), Organizational Unit (OU), Organization (O) and Country (C). Key AlgorithmThis field displays the type of algorithm that was used to generate the Valid FromThis field displays the date that the certificate becomes applicable. Valid ToThis field displays the date that the certificate expires. The text SubjectThis field displays information that identifies the owner of the certification authority or generated by the WiMAX Device. none displays for a certification request. icates identification number given by the g information about the certificate s Subject Alternative Name IssuerThis field displays identifyin Signature Algorithm 196 Users Guide Chapter 15The Certificates Screens DESCRIPTION s key can be used. calculated using the MD5 algorithm. MD5 FingerprintThis is the certificate SHA1 FingerprintThis is the certificate s message digest that the WiMAX Device s message digest that the WiMAX Device Certificate in PEM
(Base-64) Encoded Format Table 77 TOOLS > Certificates > Trusted CAs > Edit (continued) LABEL Key UsageThis field displays for what functions the certificate For example, DigitalSignature means that the key can be used to sign certificates and KeyEncipherment means that the key can be used to encrypt text. You can copy and paste a certification request into a certification authoritys web page, an e-mail that you send to the certification authority or a text editor and save the file on a management computer for later manual enrollment. calculated using the SHA1 algorithm. This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses lowercase letters, uppercase letters and numerals to convert the binary certificate into a printable form. Basic ConstraintThis field displays general information about the certificate. For example, Subject Type=CA means that this is a certification authoritys certificate and Path Length Constraint=1 means that there can only be one certification authority in the certificate s path. This field does not display for a certification request. Company Confidential Click TOOLS > Certificates >Trusted CAs and then click Import to open the Trusted CA Import screen. Follow the instructions in this screen to save a trusted certification authoritys certificate from a computer to the WiMAX Device. The WiMAX Device trusts any valid certificate signed by any of the imported trusted CA certificates. You can copy and paste a certificate into an e-mail to send to friends or colleagues or you can copy and paste a certificate into a text editor and save the file on a management computer for later distribution
(via floppy disk for example). Click to save your changes. Click to return to the previous screen without saving your changes. 15.3.2 Trusted CA Import Apply Cancel Users Guide 197 Chapter 15The Certificates Screens Note: You must remove any spaces from the certificates filename before you can DESCRIPTION import the certificate. Figure 89 TOOLS > Certificates > Trusted CAs > Import The following table describes the labels in this screen. Table 78 TOOLS > Certificates > Trusted CAs Import LABEL File Path Type in the location of the file you want to upload in this field or click Browse Company Confidential These keys work like a handwritten signature (in fact, certificates are often referred to as digital signatures). Only you can write your signature exactly as it ought to look. When people know what your signature ought to look like, they can verify whether something was signed by you, or by someone else. In the same way, your private key writes your digital signature and your public key allows When using public-key cryptology for authentication, each host has two keys. One key is public and can be made openly available. The other key is private and must be kept secure. Choose... Click to find the certificate file you want to upload. Apply Cancel The following section contains additional technical information about the WiMAX Device features described in this chapter. Click to save your changes. Click to return to the previous screen without saving your changes. 15.4 Technical Reference 15.4.1 Certificate Authorities to find it. 198 Users Guide Chapter 15The Certificates Screens 4 3 2 1 Jennys public key to verify the message. Tim uses his private key to sign the message and sends it to Jenny. people to verify whether data was signed by you, or by someone else. This process works as follows. 5 Additionally, Jenny uses her own private key to sign a message and Tim uses Tim keeps the private key and makes the public key openly available. 
This means that anyone who receives a message seeming to come from Tim can read it and verify whether it is really from him or not. Tim wants to send a message to Jenny. He needs her to be sure that it comes from him, and that the message content has not been altered by anyone else along the way. Tim generates a public key pair (one public key and one private key). Jenny receives the message and uses Tims public key to verify it. Jenny knows that the message is from Tim, and she knows that although other people may have been able to read the message, no-one can have altered it (because they cannot re-sign the message with Tims private key). Company Confidential The WiMAX Device uses certificates based on public-key cryptology to authenticate users attempting to establish a connection, not to encrypt the data that you send after establishing a connection. The method used to secure the data that you send through an established connection depends on the type of connection. For example, a VPN tunnel might use the triple DES encryption algorithm. Certification authorities maintain directory servers with databases of valid and revoked certificates. A directory of certificates that have been revoked before the scheduled expiration is called a CRL (Certificate Revocation List). The WiMAX Device can check a peers certificate against a directory servers list of revoked certificates. The framework of servers, software, procedures and policies that handles keys is called PKI (public-key infrastructure). A certification path is the hierarchy of certification authority certificates that validate a certificate. The WiMAX Device does not trust a certificate if any certificate on its path has expired or been revoked. The certification authority uses its private key to sign certificates. Anyone can then use the certification authoritys public key to verify the certificates. 15.4.1.1 Advantages of Certificates Certificates offer the following benefits. 
- The WiMAX Device only has to store the certificates of the certification authorities that you decide to trust, no matter how many devices you need to authenticate.
- Key distribution is simple and very secure since you can freely distribute public keys and you never need to transmit private keys.

15.4.1.2 Self-signed Certificates

You can have the WiMAX Device act as a certification authority and sign its own certificates.

15.4.1.3 Factory Default Certificate

The WiMAX Device generates its own unique self-signed certificate when you first turn it on. This certificate is referred to in the GUI as the factory default certificate.

15.4.1.4 Certificate File Formats

Any certificate that you want to import has to be in one of these file formats:

- Binary X.509: This is an ITU-T recommendation that defines the formats for X.509 certificates.
- PEM (Base-64) encoded X.509: This Privacy Enhanced Mail format uses lowercase letters, uppercase letters and numerals to convert a binary X.509 certificate into a printable form.
- Binary PKCS#7: This is a standard that defines the general syntax for data (including digital signatures) that may be encrypted. A PKCS#7 file is used to transfer a public key certificate. The private key is not included. The WiMAX Device currently allows the importation of a PKCS#7 file that contains a single certificate.
- PEM (Base-64) encoded PKCS#7: This Privacy Enhanced Mail (PEM) format uses lowercase letters, uppercase letters and numerals to convert a binary PKCS#7 certificate into a printable form.

Note: Be careful to not convert a binary file to text during the transfer process. It is easy for this to occur since many programs use text files by default.

15.4.2 Verifying a Certificate

Before you import a certificate into the WiMAX Device, you should verify that you have the correct certificate. This is especially true of trusted certificates since the WiMAX Device also trusts any valid certificate signed by any of the imported trusted certificates.

15.4.2.1 Checking the Fingerprint of a Certificate on Your Computer

A certificate's fingerprints are message digests calculated using the MD5 or SHA1 algorithms. The following procedure describes how to check a certificate's fingerprint to verify that you have the actual certificate.

1 Browse to where you have the certificate saved on your computer.
2 Make sure that the certificate has a .cer or .crt file name extension. (On some Linux distributions, the file extension may be .der.)

Figure 90 Remote Host Certificates

3 Double-click the certificate's icon to open the Certificate window. Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields.

Figure 91 Certificate Details

4 Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may vary based on your situation. Possible examples would be over the telephone or through an HTTPS connection.
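The fingerprint check in section 15.4.2.1, together with the file-format note in section 15.4.1.4, as an added Python example that is not part of the ZyXEL manual: it computes the MD5 or SHA1 fingerprint of a certificate file in binary X.509 or PEM form, refuses a binary file damaged by a text-mode transfer, and compares the result with a thumbprint obtained out of band. The function names and the sample bytes (constructed stand-ins, not a real certificate) are assumptions of this example.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_length_ok(der: bytes) -> bool:
    """True if the outer DER SEQUENCE length matches the number of bytes present."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short form: the length fits in one byte
        header, length = 2, first
    else:                                 # long form: the next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)


def load_der(data: bytes) -> bytes:
    """Return the DER bytes of a binary X.509 or PEM (Base-64) X.509 file."""
    match = PEM_RE.search(data)
    if match:
        try:
            der = base64.b64decode(b"".join(match.group(1).split()), validate=True)
        except ValueError as exc:         # binascii.Error is a ValueError
            raise ValueError("PEM body is not valid Base-64") from exc
    else:
        der = data
    if not der_length_ok(der):
        raise ValueError("not an intact DER certificate (truncated, or "
                         "converted to text during transfer?)")
    return der


def fingerprint(data: bytes, algorithm: str = "sha1") -> str:
    """Hex message digest of the DER encoding, as shown in the fingerprint fields."""
    if algorithm not in ("md5", "sha1"):
        raise ValueError("the fingerprint fields use md5 or sha1")
    return hashlib.new(algorithm, load_der(data)).hexdigest()


def normalize_thumbprint(text: str) -> str:
    """Accept 'AB CD ..' or 'ab:cd:..' as read out by the certificate owner."""
    cleaned = re.sub(r"[\s:]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]+", cleaned):
        raise ValueError("thumbprint contains non-hex characters")
    return cleaned


def verify_fingerprint(data: bytes, algorithm: str, expected: str) -> bool:
    """Compare the computed fingerprint with the one obtained out of band."""
    return hmac.compare_digest(fingerprint(data, algorithm),
                               normalize_thumbprint(expected))


def to_pem(der: bytes) -> bytes:
    """Wrap DER bytes in PEM armor with 64-character Base-64 lines."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines)
            + b"\n-----END CERTIFICATE-----\n")


# Constructed sample: a DER SEQUENCE header followed by filler bytes. It stands
# in for a certificate file; the digest is taken over the bytes either way.
SAMPLE_BODY = bytes(range(256)) + b"constructed-sample"
SAMPLE_DER = b"\x30\x82" + len(SAMPLE_BODY).to_bytes(2, "big") + SAMPLE_BODY
SAMPLE_PEM = to_pem(SAMPLE_DER)
# The same binary file after a transfer that rewrote LF as CR LF.
TEXT_MODE_DAMAGED = SAMPLE_DER.replace(b"\n", b"\r\n")

if __name__ == "__main__":
    print("SHA1 from binary file:", fingerprint(SAMPLE_DER))
    print("SHA1 from PEM file:   ", fingerprint(SAMPLE_PEM))
    try:
        fingerprint(TEXT_MODE_DAMAGED)
    except ValueError as err:
        print("binary file sent in text mode:", err)
```

A PEM file survives a line-ending conversion because whitespace is discarded before decoding, while the binary form does not; in both cases the fingerprint is only meaningful once it matches the value the certificate owner confirms over a separate channel.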
4 Use a secure method to verify that the certificate owner has the same information

CHAPTER 16 The Firewall Screens

16.1 Overview

Use the TOOLS > Firewall screens to manage the WiMAX Device's firewall security measures.

Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another. The networking term "firewall" is a system or group of systems that enforces an access-control policy between two networks. It may also be defined as a mechanism used to protect a trusted network from an untrusted network. Of course, firewalls cannot solve every security problem. A firewall is one of the mechanisms used to establish a network security perimeter in support of a network security policy. It should never be the only mechanism or method employed. For a firewall to guard effectively, you must design and deploy it appropriately. This requires integrating the firewall into a broad information-security policy. In addition, specific policies must be implemented within the firewall itself.

16.1.1 What You Can Do in This Chapter

- The Firewall Setting screen (Section 16.2 on page 204) lets you configure the basic settings for your firewall.
- The Service Setting screen (Section 16.3 on page 207) lets you enable service blocking, set up the date and time service blocking is effective, and to maintain the list of services you want to block.

16.1.2 What You Need to Know

The following terms and concepts may help as you read through this chapter.

About the WiMAX Device Firewall

The WiMAX Device firewall is a stateful inspection firewall and is designed to protect against Denial of Service attacks when activated. The WiMAX Device's purpose is to allow a private Local Area Network (LAN) to be securely connected to the Internet. The WiMAX Device can be used to prevent theft, destruction and modification of data, as well as log events, which may be important to the security of your network.

The WiMAX Device is installed between the LAN and a WiMAX base station connecting to the Internet. This allows it to act as a secure gateway for all data passing between the Internet and the LAN.

The WiMAX Device has one Ethernet (LAN) port. The LAN (Local Area Network) port attaches to a network of computers, which needs security from the outside world. These computers will have access to Internet services such as e-mail, FTP and the World Wide Web. However, inbound access is not allowed (by default) unless the remote host is authorized to use a specific service.

16.2 Firewall Setting

This section describes firewalls and the built-in WiMAX Device's firewall features.

16.2.1 Firewall Rule Directions

Figure 92 Firewall Rule Directions

LAN-to-WAN rules are local network to Internet firewall rules. The default is to forward all traffic from your local network to the Internet.

You can block certain LAN-to-WAN traffic in the Services screen (click the Services tab). All services displayed in the Blocked Services list box are LAN-to-WAN firewall rules that block those services originating from the LAN.

Blocked LAN-to-WAN packets are considered alerts. Alerts are higher priority logs that include system errors, attacks and attempted access to blocked web sites. Alerts appear in red in the View Log screen. You may choose to have alerts e-mailed immediately in the Log Settings screen.

LAN-to-LAN/WiMAX Device means the LAN to the WiMAX Device LAN interface. This is always allowed, as this is how you manage the WiMAX Device from your local computer.

WAN-to-LAN rules are Internet to your local network firewall rules. The default is to block all traffic from the Internet to your local network.

How can you forward certain WAN to LAN traffic? You may allow traffic originating from the WAN to be forwarded to the LAN by:

- Configuring NAT port forwarding rules.
- Configuring WAN or LAN & WAN access for services in the Remote MGMT screens or SMT menus. When you allow remote management from the WAN, you are actually configuring WAN-to-WAN/WiMAX Device firewall rules. WAN-to-WAN/WiMAX Device firewall rules are Internet to the WiMAX Device WAN interface firewall rules. The default is to block all such traffic. When you decide what WAN-to-LAN packets to log, you are in fact deciding what WAN-to-LAN and WAN-to-WAN/WiMAX Device packets to log.

Forwarded WAN-to-LAN packets are not considered alerts.

16.2.2 Triangle Route

When the firewall is on, your WiMAX Device acts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the WiMAX Device to protect your LAN against attacks.

Figure 93 Ideal Firewall Setup

16.2.3 Firewall Setting Options

Click TOOLS > Firewall > Firewall Setting to configure the basic settings for your firewall.

Figure 94 TOOLS > Firewall > Firewall Setting

The following table describes the labels in this screen.

Table 79 TOOLS > Firewall > Firewall Setting

| LABEL | DESCRIPTION |
|---|---|
| Enable Firewall | Select this to activate the firewall. The WiMAX Device controls access and protects against Denial of Service (DoS) attacks when the firewall is activated. |
| Bypass Triangle Route | Select this if you want to let some traffic from the WAN go directly to a computer in the LAN without passing through the WiMAX Device. |
| Max NAT/Firewall Session Per User | Select the maximum number of NAT rules and firewall rules the WiMAX Device enforces at one time. The WiMAX Device automatically allocates memory for the maximum number of rules, regardless of whether or not there is a rule to enforce. This is the same number you enter in Network > NAT > General. |
| Packet Direction | |
| Log | Select the situations in which you want to create log entries for firewall events. No Log - do not create any log entries. Log Blocked - (LAN to WAN only) create log entries when packets are blocked. Log Forwarded - (WAN to LAN only) create log entries when packets are forwarded. Log All - create log entries for every packet. |
| Apply | Click to save your changes. |
| Reset | Click to restore your previously saved settings. |

16.3 Service Setting

Click TOOLS > Firewall > Service Setting to enable service blocking, set up the date and time service blocking is effective, and to maintain the list of services you want to block.

Figure 95 TOOLS > Firewall > Service Setting

The following table describes the labels in this screen.

Table 80 TOOLS > Firewall > Service Setting

| LABEL | DESCRIPTION |
|---|---|
| Service Setup | |
| Enable Services Blocking | Select this to activate service blocking. The Schedule to Block section controls what days and what times service blocking is actually effective, however. |
| Available Services | This is a list of pre-defined services (destination ports) you may prohibit your LAN computers from using. Select the port you want to block, and click Add to add the port to the Blocked Services field. A custom port is a service that is not available in the pre-defined Available Services list. You must define it using the Type and Port Number fields. |
| Blocked Services | This is a list of services (ports) that are inaccessible to computers on your LAN when service blocking is effective. To remove a service from this list, select the service, and click Delete. |
| Type | Select TCP or UDP, based on which one the custom port uses. |
| Port Number | Enter the range of port numbers that defines the service. For example, suppose you want to define the Gnutella service. Select TCP type and enter a port range of 6345-6349. |
| Add | Click this to add the selected service in Available Services to the Blocked Services list. |
| Delete | Select a service in the Blocked Services, and click this to remove the service from the list. |
| Clear All | Click this to remove all the services in the Blocked Services list. |
| Schedule to Block | |
| Day to Block | Select which days of the week you want the service blocking to be effective. |
| Time of Day to Block | Select what time each day you want service blocking to be effective. Enter times in 24-hour format; for example, 3:00pm should be entered as 15:00. |
| Apply | Click to save your changes. |
| Reset | Click to restore your previously saved settings. |

16.4 Technical Reference

The following section contains additional technical information about the WiMAX Device features described in this chapter.

16.4.1 Stateful Inspection Firewall

Firewalls, of one type or another, have become an integral part of standard security solutions for enterprises.

Stateful inspection firewalls restrict access by screening data packets against defined access rules. They make access control decisions based on IP address and protocol. They also "inspect" the session data to assure the integrity of the connection and to adapt to dynamic protocols. These firewalls generally provide the best speed and transparency; however, they may lack the granular application level access control or caching that some proxies support.

16.4.2 Guidelines For Enhancing Security With Your Firewall

1 Change the default password via web configurator.
2 Think about access control before you connect to the network in any way.
3 Limit who can access your router.
4 Don't enable any local service (such as telnet or FTP) that you don't use. Any enabled service could present a potential security risk. A determined hacker might be able to find creative ways to misuse the enabled services to access the firewall or the network.
5 For local services that are enabled, protect against misuse. Protect by configuring the services to communicate only with specific peers, and protect by configuring rules to block packets for the services at specific interfaces.
6 Protect against IP spoofing by making sure the firewall is active.
7 Keep the firewall in a secured (locked) room.

16.4.3 The Triangle Route Problem

A traffic route is a path for sending or receiving data packets between two Ethernet devices. You may have more than one connection to the Internet (through one or more ISPs). If an alternate gateway is on the LAN (and its IP address is in the same subnet as the WiMAX Device's LAN IP address), the triangle route (also called asymmetrical route) problem may occur. The steps below describe the triangle route problem.

1 A computer on the LAN initiates a connection by sending out a SYN packet to a receiving server on the WAN.
2 The WiMAX Device reroutes the SYN packet through Gateway A on the LAN to the WAN.
3 The reply from the WAN goes directly to the computer on the LAN without going through the WiMAX Device.

As a result, the WiMAX Device resets the connection, as the connection has not been acknowledged.

Figure 96 Triangle Route Problem

16.4.3.1 Solving the Triangle Route Problem

If you have the WiMAX Device allow triangle route sessions, traffic from the WAN can go directly to a LAN computer without passing through the WiMAX Device and its firewall protection.

Another solution is to use IP alias. IP alias allows you to partition your network into logical sections over the same Ethernet interface. Your WiMAX Device supports up to three logical LAN interfaces with the WiMAX Device being the gateway for each logical network.

It's like having multiple LAN networks that actually use the same physical cables and ports. By putting your LAN and Gateway A in different subnets, all returning network traffic must pass through the WiMAX Device to your LAN. The following steps describe such a scenario.

1 A computer on the LAN initiates a connection by sending a SYN packet to a receiving server on the WAN.
2 The WiMAX Device reroutes the packet to Gateway A, which is in Subnet 2.
3 The reply from the WAN goes to the WiMAX Device.
4 The WiMAX Device then sends it to the computer on the LAN in Subnet 1.
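The triangle route problem and its two remedies, as an added Python model that is not part of the manual or the device firmware: a minimal stateful firewall that tracks the TCP handshake and resets a connection whose reply it never saw. The session states, the sample addresses and the way the Bypass Triangle Route option is modelled are assumptions of this example.

```python
from dataclasses import dataclass, field

CLIENT = "192.168.1.33"   # constructed LAN host address
SERVER = "203.0.113.10"   # constructed WAN server address (documentation range)


@dataclass
class StatefulFirewall:
    bypass_triangle_route: bool = False            # assumed model of the option
    sessions: dict = field(default_factory=dict)   # (client, server) -> state
    seen: list = field(default_factory=list)       # every segment inspected

    def handle(self, src: str, dst: str, flags: str) -> str:
        """Decide 'forward' or 'reset' for one TCP segment that reaches the firewall."""
        self.seen.append((src, dst, flags))
        if flags == "SYN":                         # LAN host opens a connection
            self.sessions[(src, dst)] = "SYN_SEEN"
            return "forward"
        if flags == "SYN-ACK":                     # reply from the WAN server
            key = (dst, src)
            if self.sessions.get(key) == "SYN_SEEN":
                self.sessions[key] = "ESTABLISHED"
                return "forward"
            return "reset"                         # reply to a connection never opened
        # ACK or data from the LAN host
        if self.sessions.get((src, dst)) == "ESTABLISHED":
            return "forward"
        if self.bypass_triangle_route:
            return "forward"                       # tolerated although never acknowledged
        self.sessions.pop((src, dst), None)
        return "reset"                             # handshake was never acknowledged


def scenario(reply_passes_firewall: bool, bypass_triangle_route: bool = False):
    """Run one TCP handshake; return (outcome, WAN replies the firewall inspected)."""
    fw = StatefulFirewall(bypass_triangle_route)
    # Steps 1-2: the SYN reaches the firewall, which reroutes it via Gateway A.
    ok = fw.handle(CLIENT, SERVER, "SYN") == "forward"
    # Step 3: the reply returns through the firewall only when Gateway A sits in
    # a different subnet (IP alias); otherwise Gateway A hands it to the host.
    if ok and reply_passes_firewall:
        ok = fw.handle(SERVER, CLIENT, "SYN-ACK") == "forward"
    # The host completes the handshake through its default gateway, the firewall.
    if ok:
        ok = fw.handle(CLIENT, SERVER, "ACK") == "forward"
    inspected = sum(1 for src, _, _ in fw.seen if src == SERVER)
    return ("established" if ok else "reset"), inspected


if __name__ == "__main__":
    print("triangle route, firewall strict:", scenario(False))
    print("triangle route, bypass enabled: ", scenario(False, True))
    print("IP alias, Gateway A in Subnet 2:", scenario(True))
```

With the bypass enabled the connection succeeds but the firewall inspects nothing sent by the WAN server, which is the trade-off section 16.4.3.1 describes; the IP alias layout keeps every reply on the inspected path.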
Figure 97 IP Alias

CHAPTER 17 Content Filter

17.1 Overview

Use the TOOLS > Content Filter screens to create and enforce policies that restrict access to the Internet based on content.

Internet content filtering allows you to create and enforce Internet access policies tailored to your needs. Content filtering is the ability to block certain web features or specific URL keywords. The WiMAX Device can block web features such as ActiveX controls, Java applets, cookies and disable web proxies. The WiMAX Device also allows you to define time periods and days during which the WiMAX Device performs content filtering.

17.1.1 What You Can Do in This Chapter

The Filter screen (Section 17.2 on page 214) lets you set up a trusted IP address, which web features are restricted, and which keywords are blocked when content filtering is effective.
The Schedule screen (Section 17.3 on page 216) lets you schedule content filtering.

17.2 Filter

Click TOOLS > Content Filter > Filter to set up a trusted IP address, which web features are restricted, and which keywords are blocked when content filtering is effective.

Figure 98 TOOLS > Content Filter > Filter

The following table describes the labels in this screen.

Table 81 TOOLS > Content Filter > Filter
| LABEL | DESCRIPTION |
|---|---|
| Trusted IP Setup | |
| Trusted Computer IP Address | You can allow a specific computer to access all Internet resources without the restrictions you set in these screens. Enter the IP address of the trusted computer. |
| Restrict Web Features | Select the web features you want to disable. If a user downloads a page with a restricted feature, that part of the web page appears blank or grayed out. ActiveX - This is a tool for building dynamic and active Web pages and distributed object applications. When you visit an ActiveX Web site, ActiveX controls are downloaded to your browser, where they remain in case you visit the site again. Java - This is used to build downloadable Web components or Internet and intranet business applications of all kinds. Cookies - This is used by Web servers to track usage and to provide service based on ID. Web Proxy - This is a server that acts as an intermediary between a user and the Internet to provide security, administrative control, and caching service. When a proxy server is located on the WAN, it is possible for LAN users to avoid content filtering restrictions. |
| Keyword Blocking | |
| Enable URL Keyword Blocking | Select this if you want the WiMAX Device to block Web sites based on words in the web site address. For example, if you block the keyword bad, http://www.website.com/bad.html is blocked. |
| Keyword | Type a keyword you want to block in this field. You can use up to 64 printable ASCII characters. There is no wildcard character, however. |
| Add | Click this to add the specified Keyword to the Keyword List. You can enter up to 64 keywords. |
| Keyword List | This field displays the keywords that are blocked when Enable URL Keyword Blocking is selected. To delete a keyword, select it, click Delete, and click Apply. |
| Delete | Click Delete to remove the selected keyword in the Keyword List. The keyword disappears after you click Apply. |
| Clear All | Click this button to remove all of the keywords in the Keyword List. |
| Denied Access Message | Enter the message that is displayed when the WiMAX Device's content filter feature blocks access to a web site. |
| Apply | Click to save your changes. |
| Reset | Click to restore your previously saved settings. |

17.3 Schedule

Click TOOLS > Content Filter > Schedule to schedule content filtering.

Figure 99 TOOLS > Content Filter > Schedule

The following table describes the labels in this screen.

Table 82 TOOLS > Content Filter > Schedule
| LABEL | DESCRIPTION |
|---|---|
| Day to Block | Select which days of the week you want content filtering to be effective. |
| Time of Day to Block | Select what time each day you want content filtering to be effective. Enter times in 24-hour format; for example, 3:00pm should be entered as 15:00. |
| Apply | Click to save your changes. |
| Reset | Click to restore your previously saved settings. |

CHAPTER 18 The Remote Management Screens

18.1 Overview

Use the TOOLS > Remote Management screens to control which computers can use which services to access the WiMAX Device on each interface.

Remote management allows you to determine which services/protocols can access which WiMAX Device interface (if any) from which computers.

You may only have one remote management session running at a time. The WiMAX Device automatically disconnects a remote management session of lower priority when another remote management session of higher priority starts. The priorities for the different types of remote management sessions are as follows:
Telnet or HTTP.

You may manage your WiMAX Device from a remote location via:

Table 83 Remote Management
Internet (WAN only)
ALL (LAN and WAN)
LAN only
Neither (Disable).

To disable remote management of a service, select Disable in the corresponding Server Access field.

18.1.1 What You Can Do in This Chapter

The WWW screen (Section 18.2 on page 219) lets you control HTTP access to your WiMAX Device.
The Telnet screen (Section 18.3 on page 220) lets you control Telnet access to your WiMAX Device.
The FTP screen (Section 18.4 on page 220) lets you control FTP access to your WiMAX Device.
The SNMP screen (Section 18.5 on page 221) lets you control SNMP access to your WiMAX Device.
The DNS screen (Section 18.6 on page 224) lets you control DNS access to your WiMAX Device.
The Security screen (Section 18.7 on page 225) lets you control how your WiMAX Device responds to other types of requests.

18.1.2 What You Need to Know

The following terms and concepts may help as you read through this chapter.

Remote Management Limitations

Remote management over LAN or WAN will not work when:

1 A filter in SMT menu 3.1 (LAN) or in menu 11.5 (WAN) is applied to block a Telnet, FTP or Web service.
2 You have disabled that service in one of the remote management screens.
3 The IP address in the Secured Client IP field does not match the client IP address. If it does not match, the WiMAX Device will disconnect the session immediately.
4 There is already another remote management session with an equal or higher priority running. You may only have one remote management session running at one time.

Remote Management and NAT

When NAT is enabled:

Use the WiMAX Device's WAN IP address when configuring from the WAN.
Use the WiMAX Device's LAN IP address when configuring from the LAN.

System Timeout

There is a default system management idle timeout of five minutes (three hundred seconds). The WiMAX Device automatically logs you out if the management session remains idle for longer than this timeout period. The management session does not time out when a statistics screen is polling. You can change the timeout period in the Maintenance > System > General screen.

SNMP

Simple Network Management Protocol (SNMP) is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your WiMAX Device supports SNMP agent functionality, which allows a manager station to manage and monitor the WiMAX Device through the network. The WiMAX Device supports SNMP version one (SNMPv1) and version two (SNMPv2). The next figure illustrates an SNMP management operation.

Note: SNMP is only available if TCP/IP is configured.

18.2 WWW

Click TOOLS > Remote Management > WWW to control HTTP access to your WiMAX Device.

Figure 100 TOOLS > Remote Management > WWW

The following table describes the labels in this screen.

Table 84 TOOLS > Remote Management > WWW
| LABEL | DESCRIPTION |
|---|---|
| Server Port | Enter the port number this service can use to access the WiMAX Device. The computer must use the same port number. |
| Server Access | Select the interface(s) through which a computer may access the WiMAX Device using this service. |
| Secured Client IP Address | Select All to allow any computer to access the WiMAX Device using this service. Select Selected to only allow the computer with the IP address that you specify to access the WiMAX Device using this service. |
| Apply | Click to save your changes. |
| Reset | Click to restore your previously saved settings. |

18.3 Telnet

Click TOOLS > Remote Management > Telnet to control Telnet access to your WiMAX Device.

Figure 101 TOOLS > Remote Management > Telnet

The following table describes the labels in this screen.

Table 85 TOOLS > Remote Management > Telnet
| LABEL | DESCRIPTION |
|---|---|
| Server Port | Enter the port number this service can use to access the WiMAX Device. The computer must use the same port number. |
| Server Access | Select the interface(s) through which a computer may access the WiMAX Device using this service. |
| Secured Client IP Address | Select All to allow any computer to access the WiMAX Device using this service. Select Selected to only allow the computer with the IP address that you specify to access the WiMAX Device using this service. |
| Apply | Click to save your changes. |
| Reset | Click to restore your previously saved settings. |

18.4 FTP

Click TOOLS > Remote Management > FTP to control FTP access to your WiMAX Device.

Figure 102 TOOLS > Remote Management > FTP

The following table describes the labels in this screen.

Table 86 TOOLS > Remote Management > FTP
| LABEL | DESCRIPTION |
|---|---|
| Server Port | Enter the port number this service can use to access the WiMAX Device. The computer must use the same port number. |
| Server Access | Select the interface(s) through which a computer may access the WiMAX Device using this service. |
| Secured Client IP Address | Select All to allow any computer to access the WiMAX Device using this service. Select Selected to only allow the computer with the IP address that you specify to access the WiMAX Device using this service. |
| Apply | Click to save your changes. |
| Reset | Click to restore your previously saved settings. |

18.5 SNMP

An SNMP managed network consists of two main types of component: agents and a manager.

Figure 103 SNMP Management Model

An agent is a management software module that resides in a managed device (the WiMAX Device). An agent translates the local management information from the managed device into a form compatible with SNMP. The manager is the console through which network administrators perform network management functions. It executes applications that control and monitor managed devices.

The managed devices contain object variables/managed objects that define each piece of information to be collected about a device. Examples of variables include the number of packets received, node port status, etc. A Management Information Base (MIB) is a collection of managed objects. SNMP allows a manager and agents to communicate for the purpose of accessing these objects.

SNMP itself is a simple request/response protocol based on the manager/agent model. The manager issues a request and the agent returns responses using the following protocol operations:

Get - Allows the manager to retrieve an object variable from the agent.
GetNext - Allows the manager to retrieve the next object variable from a table or list within an agent. In SNMPv1, when a manager wants to retrieve all elements of a table from an agent, it initiates a Get operation, followed by a series of GetNext operations.
Set - Allows the manager to set values for object variables within an agent.
Trap - Used by the agent to inform the manager of some events.

The WiMAX Device supports MIB II that is defined in RFC-1213 and RFC-1215. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance.

18.5.1 SNMP Traps

The WiMAX Device sends traps to the SNMP manager when any of the following events occurs:

Table 87 SNMP Traps
| TRAP # | TRAP NAME | DESCRIPTION |
|---|---|---|
| 0 | coldStart (defined in RFC-1215) | A trap is sent after booting (power on). |
| 1 | warmStart (defined in RFC-1215) | A trap is sent after booting (software reboot). |
| 4 | authenticationFailure (defined in RFC-1215) | A trap is sent to the manager when receiving any SNMP get or set requests with the wrong community (password). |
| 6 | whyReboot (defined in ZYXEL-MIB) | A trap is sent with the reason of restart before rebooting when the system is going to restart (warm start). |
| 6a | For intentional reboot: | A trap is sent with the message "System reboot by user!" if reboot is done intentionally, (for example, download new files, CI command "sys reboot", etc.). |
| 6b | For fatal error: | A trap is sent with the message of the fatal code if the system reboots because of fatal errors. |

18.5.2 SNMP Options

Click TOOLS > Remote Management > SNMP to control SNMP access to your WiMAX Device.

Figure 104 TOOLS > Remote Management > SNMP

The following table describes the labels in this screen.

Table 88 TOOLS > Remote Management > SNMP
| LABEL | DESCRIPTION |
|---|---|
| SNMP Configuration | |
| Get Community | Enter the Get Community, which is the password for the incoming Get and GetNext requests from the management station. The default is public and allows all requests. |
| Set Community | Enter the Set community, which is the password for incoming Set requests from the management station. The default is public and allows all requests. |
| Trap Community | Enter the trap community, which is the password sent with each trap to the SNMP manager. The default is public and allows all requests. |
| Trap Destination | Enter the IP address of the station to send your SNMP traps to. |
| SNMP Port | You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management. |
| Access Status | Select the interface(s) through which a computer may access the WiMAX Device using this service. |
| Secured Client IP | A secured client is a trusted computer that is allowed to communicate with the WiMAX Device using this service. Select All to allow any computer to access the WiMAX Device using this service. Choose Selected to just allow the computer with the IP address that you specify to access the WiMAX Device using this service. |
| Apply | Click to save your changes. |
| Reset | Click to restore your previously saved settings. |

18.6 DNS

Click TOOLS > Remote Management > DNS to control DNS access to your WiMAX Device.

Figure 105 TOOLS > Remote Management > DNS

The following table describes the labels in this screen.

Table 89 TOOLS > Remote Management > DNS
| LABEL | DESCRIPTION |
|---|---|
| Server Port | This field is read-only. This field displays the port number this service uses to access the WiMAX Device. The computer must use the same port number. |
| Server Access | Select the interface(s) through which a computer may access the WiMAX Device using this service. |
| Secured Client IP Address | Select All to allow any computer to access the WiMAX Device using this service. Select Selected to only allow the computer with the IP address that you specify to access the WiMAX Device using this service. |
| Apply | Click to save your changes. |
| Reset | Click to restore your previously saved settings. |

18.7 Security

Click TOOLS > Remote Management > Security to control how your WiMAX Device responds to other types of requests.

Figure 106 TOOLS > Remote Management > Security

The following table describes the labels in this screen.

Table 90 TOOLS > Remote Management > Security
| LABEL | DESCRIPTION |
|---|---|
| Respond to Ping on | Select the interface(s) on which the WiMAX Device should respond to incoming ping requests. Disable - the WiMAX Device does not respond to any ping requests. LAN - the WiMAX Device only responds to ping requests received from the LAN. WAN - the WiMAX Device only responds to ping requests received from the WAN. LAN & WAN - the WiMAX Device responds to ping requests received from the LAN or the WAN. |
| Do not respond to requests for unauthorized services | Select this to prevent outsiders from discovering your WiMAX Device by sending requests to unsupported port numbers. If an outside user attempts to probe an unsupported port on your WiMAX Device, an ICMP response packet is automatically returned. This allows the outside user to know the WiMAX Device exists. Your WiMAX Device supports anti-probing, which prevents the ICMP response packet from being sent. This keeps outsiders from discovering your WiMAX Device when unsupported ports are probed. If you clear this, your WiMAX Device replies with an ICMP Port Unreachable packet for a port probe on unused UDP ports and with a TCP Reset packet for a port probe on unused TCP ports. |
| Apply | Click to save your changes. |
| Reset | Click to restore your previously saved settings. |

CHAPTER 19 The Logs Screens

19.1 Overview

Use the TOOLS > Logs screens to look at log entries and alerts and to configure the WiMAX Device's log and alert settings.

For a list of log messages, see Section 19.4 on page 233.

19.1.1 What You Can Do in This Chapter

The View Logs screen (Section 19.2 on page 229) lets you look at log entries and alerts.
The Log Settings screen (Section 19.3 on page 231) lets you configure where the WiMAX Device sends logs and alerts, the schedule for sending logs, and which logs and alerts are sent or recorded.

19.1.2 What You Need to Know

The following terms and concepts may help as you read through this chapter.

Alerts

An alert is a type of log that warrants more serious attention. Some categories such as System Errors consist of both logs and alerts.

Syslog Logs

There are two types of syslog: event logs and traffic logs. The device generates an event log when a system event occurs, for example, when a user logs in or the device is under attack. The device generates a traffic log when a "session" is terminated. A traffic log summarizes the session's type, when it started and stopped, the amount of traffic that was sent and received and so on. An external log analyzer can reconstruct and analyze the traffic flowing through the device after collecting the traffic logs.

Table 91 Syslog Logs
LOG MESSAGE
    DESCRIPTION

Event Log: <Facility*8 + Severity>Mon dd hr:mm:ss hostname src="<srcIP:srcPort>" dst="<dstIP:dstPort>" msg="<msg>" note="<note>" devID="<mac address>" cat="<category>"
    This message is sent by the system ("RAS" displays as the system name if you haven't configured one) when the router generates a syslog. The facility is defined in the Log Settings screen. The severity is the log's syslog class. The definition of messages and notes are defined in the various log charts throughout this appendix. The devID is the MAC address of the router's LAN port. The cat is the same as the category in the router's logs.

Traffic Log: <Facility*8 + Severity>Mon dd hr:mm:ss hostname src="<srcIP:srcPort>" dst="<dstIP:dstPort>" msg="Traffic Log" note="Traffic Log" devID="<mac address>" cat="Traffic Log" duration=seconds sent=sentBytes rcvd=receiveBytes dir="<from:to>" protoID=IPProtocolID proto="serviceName" trans="IPSec/Normal"
    This message is sent by the device when the connection (session) is closed. The facility is defined in the Log Settings screen. The severity is the traffic log type. The message and note always display "Traffic Log". The "proto" field lists the service name. The "dir" field lists the incoming and outgoing interfaces ("LAN:LAN", "LAN:WAN", "LAN:DEV" for example).
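The two syslog layouts in Table 91, parsed on a log collector: this Python sketch is an added example, not code from the manual or from ZyXEL. It decodes the leading Facility*8 + Severity value, splits the key=value fields, and counts the login-failure messages the manual lists per source address. The sample lines, the local0 facility, the devID value and the cat/proto/trans strings are constructed for illustration.

```python
import re
from collections import Counter

# Login-failure messages as they appear in the manual's System Maintenance log table.
FAILED_LOGIN_MSGS = {"WEB login failed", "TELNET Login Fail", "FTP login failed"}

# <PRI>Mon dd hr:mm:ss hostname rest-of-line
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<body>.*)$"
)
# key="quoted value" (may be empty) or key=bare_value
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample input following the Table 91 layouts (not captured from a device).
SAMPLE_LINES = [
    '<134>Aug 07 10:15:02 RAS src="203.0.113.9:51544" dst="192.168.100.1:80" '
    'msg="WEB login failed" note="" devID="0013490000aa" cat="System Maintenance"',
    '<134>Aug 07 10:15:09 RAS src="203.0.113.9:51550" dst="192.168.100.1:23" '
    'msg="TELNET Login Fail" note="" devID="0013490000aa" cat="System Maintenance"',
    '<134>Aug 07 10:16:40 RAS src="192.168.100.33:1044" dst="192.168.100.1:80" '
    'msg="Successful WEB login" note="" devID="0013490000aa" cat="System Maintenance"',
    '<134>Aug 07 10:20:11 RAS src="192.168.100.33:1060" dst="198.51.100.20:443" '
    'msg="Traffic Log" note="Traffic Log" devID="0013490000aa" cat="Traffic Log" '
    'duration=42 sent=1800 rcvd=52000 dir="LAN:WAN" protoID=6 proto="https" trans="Normal"',
    'Aug 07 10:21:00 RAS line that lost its <PRI> header in transit',
]


def split_endpoint(value):
    """Split 'ip:port' into (ip, port). Either part may be missing, as the manual warns."""
    ip, sep, port = value.rpartition(":")
    if not sep:
        return (value or None, None)
    return (ip or None, int(port) if port.isdigit() else None)


def parse_line(line):
    """Parse one event or traffic log line into a dict; raise ValueError if malformed."""
    m = _HEADER.match(line.strip())
    if not m:
        raise ValueError("line does not start with <PRI>Mon dd hr:mm:ss hostname")
    pri = int(m["pri"])
    if pri > 191:  # 23*8 + 7 is the largest valid Facility*8 + Severity value
        raise ValueError("PRI out of range")
    rec = {"facility": pri // 8, "severity": pri % 8,
           "timestamp": m["ts"], "hostname": m["host"]}
    for key, quoted, bare in _FIELD.findall(m["body"]):
        rec[key] = bare if bare else quoted
    for side in ("src", "dst"):
        rec[side + "_ip"], rec[side + "_port"] = split_endpoint(rec.get(side, ""))
    for num in ("duration", "sent", "rcvd", "protoID"):  # unquoted traffic-log counters
        if isinstance(rec.get(num), str) and rec[num].isdigit():
            rec[num] = int(rec[num])
    rec["is_traffic"] = rec.get("cat") == "Traffic Log"
    return rec


def summarize(lines):
    """Return (failed logins per source IP, bytes per direction, rejected line count)."""
    failed, volume, rejected = Counter(), Counter(), 0
    for line in lines:
        try:
            rec = parse_line(line)
        except ValueError:
            rejected += 1  # keep a count so dropped or truncated lines are visible
            continue
        if rec["is_traffic"]:
            volume[rec.get("dir", "?")] += sum(
                v for v in (rec.get("sent"), rec.get("rcvd")) if isinstance(v, int))
        elif rec.get("msg") in FAILED_LOGIN_MSGS:
            failed[rec["src_ip"] or "unknown"] += 1
    return failed, volume, rejected


if __name__ == "__main__":
    failed, volume, rejected = summarize(SAMPLE_LINES)
    print("failed logins by source:", dict(failed))
    print("bytes by direction:", dict(volume))
    print("rejected lines:", rejected)
```

Repeated failures from one source across the WEB, TELNET and FTP messages are the pattern worth alerting on, and the rejected count shows when the collector is receiving lines it cannot attribute.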
The following table shows RFC-2408 ISAKMP payload types that the log displays. Please refer to the RFC for detailed information on each type.

Table 92 RFC-2408 ISAKMP Payload Types
| LOG DISPLAY | PAYLOAD TYPE |
|---|---|
| SA | Security Association |
| PROP | Proposal |
| TRANS | Transform |
| KE | Key Exchange |
| ID | Identification |
| CER | Certificate |
| CER_REQ | Certificate Request |
| HASH | Hash |
| SIG | Signature |
| NONCE | Nonce |
| NOTFY | Notification |
| DEL | Delete |
| VID | Vendor ID |

19.2 View Logs

Click TOOLS > Logs > View Log to look at log entries and alerts. Alerts are written in red.

Figure 107 TOOLS > Logs > View Logs

Click a column header to sort log entries in descending (later-to-earlier) order. Click again to sort in ascending order. The small triangle next to a column header indicates how the table is currently sorted (pointing downward is descending; pointing upward is ascending).

The following table describes the labels in this screen.

Table 93 TOOLS > Logs > View Logs
| LABEL | DESCRIPTION |
|---|---|
| Display | Select a category whose log entries you want to view. To view all logs, select All Logs. The list of categories depends on what log categories are selected in the Log Settings page. |
| Email Log Now | Click this to send the log screen to the e-mail address specified in the Log Settings page. |
| Refresh | Click to renew the log screen. |
| Clear Log | Click to clear all the log entries, regardless of what is shown on the log screen. |
| # | The number of the item in this list. |
| Time | This field displays the time the log entry was recorded. |
| Message | This field displays the reason for the log entry. See Section 19.4 on page 233. |
| Source | This field displays the source IP address and the port number of the incoming packet. In many cases, some or all of this information may not be available. |
| Destination | This field lists the destination IP address and the port number of the incoming packet. In many cases, some or all of this information may not be available. |
| Note | This field displays additional information about the log entry. |

19.3 Log Settings

Click TOOLS > Logs > Log Settings to configure where the WiMAX Device sends logs and alerts, the schedule for sending logs, and which logs and alerts are sent or recorded.

Figure 108 TOOLS > Logs > Log Settings

The following table describes the labels in this screen.

Table 94 TOOLS > Logs > Log Settings
| LABEL | DESCRIPTION |
|---|---|
| E-mail Log Settings | |
| Mail Server | Enter the server name or the IP address of the mail server the WiMAX Device should use to e-mail logs and alerts. Leave this field blank if you do not want to send logs or alerts by e-mail. |
| Mail Subject | Enter the subject line used in e-mail messages the WiMAX Device sends. |
| Send Log to | Enter the e-mail address to which log entries are sent by e-mail. Leave this field blank if you do not want to send logs by e-mail. |
| Send Alerts to | Enter the e-mail address to which alerts are sent by e-mail. Leave this field blank if you do not want to send alerts by e-mail. |
| Log Schedule | Select the frequency with which the WiMAX Device should send log messages by e-mail: Daily, Weekly, Hourly, When Log is Full, None. If the Weekly or the Daily option is selected, specify a time of day when the E-mail should be sent. If the Weekly option is selected, then also specify which day of the week the E-mail should be sent. If the When Log is Full option is selected, an alert is sent when the log fills up. If you select None, no log messages are sent. |
| Day for Sending Log | This field is only available when you select Weekly in the Log Schedule field. Select which day of the week to send the logs. |
| Time for Sending Log | This field is only available when you select Daily or Weekly in the Log Schedule field. Enter the time of day in 24-hour format (for example 23:00 equals 11:00 pm) to send the logs. |
| Clear log after sending mail | Select this to clear all logs and alert messages after logs are sent by e-mail. |
| Syslog Logging | |
| Active | Select this to enable syslog logging. |
| Syslog Server IP Address | Enter the server name or IP address of the syslog server that logs the selected categories of logs. |
| Log Facility | Select a location. The log facility allows you to log the messages in different files in the syslog server. See the documentation of your syslog for more details. |
| Active Log and Alert | |
| Log | Select the categories of logs that you want to record. |
| Send immediate alert | Select the categories of alerts that you want the WiMAX Device to send immediately. |
| Apply | Click to save your changes. |
| Cancel | Click to return to the previous screen without saving your changes. |

19.4 Log Message Descriptions

The following tables provide descriptions of example log messages.

Table 95 System Error Logs
LOG MESSAGE
    DESCRIPTION

WAN connection is down.
    The WAN connection is down. You cannot access the network through this interface.
%s exceeds the max. number of session per host!
    This attempt to create a NAT session exceeds the maximum number of NAT session table entries allowed to be created per host.

Table 96 System Maintenance Logs
LOG MESSAGE
    DESCRIPTION

Time calibration is successful
    The device has adjusted its time based on information from the time server.
Time calibration failed
    The device failed to get information from the time server.
WAN interface gets IP: %s
    The WAN interface got a new IP address from the DHCP or PPPoE server.
DHCP client gets %s
    A DHCP client got a new IP address from the DHCP server.
DHCP client IP expired
    A DHCP client's IP address has expired.
DHCP server assigns %s
    The DHCP server assigned an IP address to a client.
Successful WEB login
    Someone has logged on to the device's web configurator interface.
WEB login failed
    Someone has failed to log on to the device's web configurator interface.
TELNET Login Successfully
    Someone has logged on to the router via telnet.
TELNET Login Fail
    Someone has failed to log on to the router via telnet.
Successful FTP login
    Someone has logged on to the device via ftp.
FTP login failed
    Someone has failed to log on to the device via ftp.
NAT Session Table is Full!
    The maximum number of NAT session table entries has been exceeded and the table is full.
Time initialized by Daytime Server
    The device got the time and date from the Daytime server.
Time initialized by Time server
    The device got the time and date from the time server.
Time initialized by NTP server
    The device got the time and date from the NTP server.
Connect to Daytime server fail
    The device was not able to connect to the Daytime server.
Connect to Time server fail
    The device was not able to connect to the Time server.
Connect to NTP server fail
    The device was not able to connect to the NTP server.
Too large ICMP packet has been dropped
    The device dropped an ICMP packet that was too large.
Configuration Change: PC = 0x%x, Task ID = 0x%x
    The device is saving configuration changes.

Table 97 Access Control Logs
LOG MESSAGE
    DESCRIPTION

Firewall default policy: [ TCP | UDP | IGMP | ESP | GRE | OSPF ] <Packet Direction>
    Attempted TCP/UDP/IGMP/ESP/GRE/OSPF access matched the default policy and was blocked or forwarded according to the default policy's setting.
Firewall rule [NOT] match:[ TCP | UDP | IGMP | ESP | GRE | OSPF ] <Packet Direction>, <rule:%d>
    Attempted TCP/UDP/IGMP/ESP/GRE/OSPF access matched (or did not match) a configured firewall rule (denoted by its number) and was blocked or forwarded according to the rule.
Triangle route packet forwarded: [ TCP | UDP | IGMP | ESP | GRE | OSPF ]
    The firewall allowed a triangle route session to pass through.
Packet without a NAT table entry blocked: [ TCP | UDP | IGMP | ESP | GRE | OSPF ]
    The router blocked a packet that didn't have a corresponding NAT table entry.
Router sent blocked web site message: TCP
    The router sent a message to notify a user that the router blocked access to a web site that the user requested.
Exceed maximum sessions per host (%d).
    The device blocked a session because the host's connections exceeded the maximum sessions per host.
Firewall allowed a packet that matched a NAT session: [ TCP | UDP ]
    A packet from the WAN (TCP or UDP) matched a cone NAT session and the device forwarded it to the LAN.

Table 98 TCP Reset Logs
LOG MESSAGE
    DESCRIPTION

Under SYN flood attack, sent TCP RST
    The router sent a TCP reset packet when a host was under a SYN flood attack (the TCP incomplete count is per destination host.)
Exceed TCP MAX incomplete, sent TCP RST
    The router sent a TCP reset packet when the number of TCP incomplete connections exceeded the user configured threshold. (the TCP incomplete count is per destination host.)
Peer TCP state out of order, sent TCP RST
    The router sent a TCP reset packet when a TCP connection state was out of order. Note: The firewall refers to RFC793 Figure 6 to check the TCP state.
Firewall session time out, sent TCP RST
    The router sent a TCP reset packet when a dynamic firewall session timed out. The default timeout values are as follows:
    ICMP idle timeout: 3 minutes
    UDP idle timeout: 3 minutes
    TCP connection (three way handshaking) timeout: 270 seconds
    TCP FIN-wait timeout: 2 MSL (Maximum Segment Lifetime set in the TCP header).
    TCP idle (established) timeout (s): 150 minutes
    TCP reset timeout: 10 seconds
Exceed MAX incomplete, sent TCP RST
    The router sent a TCP reset packet when the number of incomplete connections (TCP and UDP) exceeded the user-configured threshold. (Incomplete count is for all TCP and UDP connections through the firewall.) Note: When the number of incomplete connections (TCP + UDP) > Maximum Incomplete High, the router sends TCP RST packets for TCP connections and destroys TOS (firewall dynamic sessions) until incomplete connections < Maximum Incomplete Low.
Access block, sent TCP RST
    The router sends a TCP RST packet and generates this log if you turn on the firewall TCP reset mechanism (via CI command: sys firewall tcprst).

Table 99 Packet Filter Logs
LOG MESSAGE
    DESCRIPTION

[ TCP | UDP | ICMP | IGMP | Generic ] packet filter matched (set: %d, rule: %d)
    Attempted access matched a configured filter rule (denoted by its set and rule number) and was blocked or forwarded according to the rule.

For type and code details, see Table 106 on page 239.

Table 100 ICMP Logs
LOG MESSAGE
    DESCRIPTION

Firewall default policy: ICMP <Packet Direction>, <type:%d>, <code:%d>
    ICMP access matched the default policy and was blocked or forwarded according to the user's setting.
Firewall rule [NOT] match: ICMP <Packet Direction>, <rule:%d>, <type:%d>, <code:%d>
    ICMP access matched (or didn't match) a firewall rule (denoted by its number) and was blocked or forwarded according to the rule.
Triangle route packet forwarded: ICMP
    The firewall allowed a triangle route session to pass through.
Packet without a NAT table entry blocked: ICMP
    The router blocked a packet that didn't have a corresponding NAT table entry.
Unsupported/out-of-order ICMP: ICMP
    The firewall does not support this kind of ICMP packets or the ICMP packets are out of order.
Router reply ICMP packet: ICMP
    The router sent an ICMP reply packet to the sender.

Table 101 PPP Logs
LOG MESSAGE
    DESCRIPTION

ppp:LCP Starting
    The PPP connection's Link Control Protocol stage has started.
ppp:LCP Opening
    The PPP connection's Link Control Protocol stage is opening.
ppp:CHAP Opening
    The PPP connection's Challenge Handshake Authentication Protocol stage is opening.
ppp:IPCP Starting
    The PPP connection's Internet Protocol Control Protocol stage is starting.
ppp:IPCP Opening
    The PPP connection's Internet Protocol Control Protocol stage is opening.
ppp:LCP Closing
    The PPP connection's Link Control Protocol stage is closing.
ppp:IPCP Closing
    The PPP connection's Internet Protocol Control Protocol stage is closing.

Table 102 UPnP Logs
LOG MESSAGE
    DESCRIPTION

UPnP pass through Firewall
    UPnP packets can pass through the firewall.

Table 103 Content Filtering Logs
LOG MESSAGE
    DESCRIPTION

%s: Keyword blocking
    The content of a requested web page matched a user defined keyword.
%s: Not in trusted web list
    The web site is not in a trusted domain, and the router blocks all traffic except trusted domain sites.
%s: Forbidden Web site
    The web site is in the forbidden web site list.
%s: Contains ActiveX
    The web site contains ActiveX.
%s: Contains Java applet
    The web site contains a Java applet.
%s: Contains cookie
    The web site contains a cookie.
%s: Proxy mode detected
    The router detected proxy mode in the packet.
%s: Trusted Web site
    The web site is in a trusted domain.
%s
    When the content filter is not on according to the time schedule:
Waiting content filter server timeout
    The external content filtering server did not respond within the timeout period.
DNS resolving failed
    The WiMAX Device cannot get the IP address of the external content filtering via DNS query.
Creating socket failed
    The WiMAX Device cannot issue a query because TCP/UDP socket creation failed, port:port number.
Connecting to content filter server fail
    The connection to the external content filtering server failed.
License key is invalid
    The external content filtering license key is invalid.

For type and code details, see Table 106 on page 239.

Table 104 Attack Logs
LOG MESSAGE
    DESCRIPTION

attack [ TCP | UDP | IGMP | ESP | GRE | OSPF ]
    The firewall detected a TCP/UDP/IGMP/ESP/GRE/OSPF attack.
attack ICMP (type:%d, code:%d)
    The firewall detected an ICMP attack.
land [ TCP | UDP | IGMP | ESP | GRE | OSPF ]
    The firewall detected a TCP/UDP/IGMP/ESP/GRE/OSPF land attack.
land ICMP (type:%d, code:%d)
    The firewall detected an ICMP land attack.
ip spoofing - WAN [ TCP | UDP | IGMP | ESP | GRE | OSPF ]
    The firewall detected an IP spoofing attack on the WAN port.
ip spoofing - WAN ICMP (type:%d, code:%d)
    The firewall detected an ICMP IP spoofing attack on the WAN port.
icmp echo : ICMP (type:%d, code:%d)
    The firewall detected an ICMP echo attack.
syn flood TCP
    The firewall detected a TCP syn flood attack.
ports scan TCP
    The firewall detected a TCP port scan attack.
teardrop TCP
    The firewall detected a TCP teardrop attack.
teardrop UDP
    The firewall detected a UDP teardrop attack.
teardrop ICMP (type:%d, code:%d)
    The firewall detected an ICMP teardrop attack.
illegal command TCP
    The firewall detected a TCP illegal command attack.
NetBIOS TCP
    The firewall detected a TCP NetBIOS attack.

Table 104 Attack Logs (continued)
DESCRIPTION
The firewall detected an ICMP traceroute attack.
The firewall detected an ICMP vulnerability attack.
The firewall classified an ICMP packet with no source routing entry as an IP spoofing attack.
The firewall detected a UDP port scan attack.
The firewall sent TCP packet in response to a DoS attack.
The firewall classified a packet with no source routing entry as an IP spoofing attack.
The firewall detected an ICMP Source Quench attack.
The firewall detected an ICMP Time Exceed attack.
The firewall detected an ICMP Destination Unreachable attack.
The firewall detected an ICMP ping of death attack.
The firewall detected an ICMP smurf attack.
LOG MESSAGE
ip spoofing - no routing entry [ TCP | UDP | IGMP
| ESP | GRE | OSPF ]
ip spoofing - no routing entry ICMP (type:%d, code:%d) vulnerability ICMP
(type:%d, code:%d) traceroute ICMP (type:%d, code:%d) ports scan UDP Firewall sent TCP packet in response to DoS attack TCP ICMP Source Quench ICMP ICMP Time Exceed ICMP ICMP Destination Unreachable ICMP ping of death. ICMP smurf ICMP Company Confidential DESCRIPTION Attempted use of FTP service was blocked according to remote management settings. Attempted use of TELNET service was blocked according to remote management settings. Attempted use of HTTP or UPnP service was blocked according to remote management settings. Attempted use of WWW service was blocked according to remote management settings. Attempted use of HTTPS service was blocked according to remote management settings. Attempted use of SSH service was blocked according to remote management settings. Attempted use of ICMP service was blocked according to remote management settings. Attempted use of DNS service was blocked according to remote management settings. Remote Management: TELNET denied Remote Management: HTTP or UPnP denied Remote Management: WWW denied Table 105 Remote Management Logs LOG MESSAGE Remote Management: FTP denied Remote Management: ICMP Ping response denied Remote Management: DNS denied Remote Management: HTTPS denied Remote Management: SSH denied 238 Users Guide Chapter 19The Logs Screens 0 4 5 3 0 5 CODE 0 1 2 3 4 Table 106 ICMP Notes TYPE 0 Company Confidential DESCRIPTION Echo Reply Echo reply message Destination Unreachable Net unreachable Host unreachable Protocol unreachable Port unreachable A packet that needed fragmentation was dropped because it was set to Don't Fragment (DF) Source route failed Source Quench A gateway may discard internet datagrams if it does not have the buffer space needed to queue the datagrams for output to the next network on the route to the destination network. 
Redirect Redirect datagrams for the Network Redirect datagrams for the Host Redirect datagrams for the Type of Service and Network Redirect datagrams for the Type of Service and Host Echo Echo message Time Exceeded Time to live exceeded in transit Fragment reassembly time exceeded Parameter Problem Pointer indicates the error Timestamp Timestamp request message Timestamp Reply Timestamp reply message Information Request Information request message Information Reply Information reply message 0 1 2 3 0 1 15 16 11 12 13 14 0 0 0 8 0 0 0 Users Guide 239 Chapter 19The Logs Screens An attempt to delete the listed SIP accounts registration from the SIP register server failed. Table 108 RTP Logs LOG MESSAGE Error, RTP init fail Error, Call fail: RTP connect fail Error, RTP connection cannot close DESCRIPTION The initialization of an RTP session failed. A VoIP phone call failed because the RTP session could not be established. The termination of an RTP session failed. Table 107 SIP Logs LOG MESSAGE SIP Registration Success by SIP:SIP Phone Number SIP Registration Fail by SIP:SIP Phone Number SIP UnRegistration Success by SIP:SIP Phone Number SIP UnRegistration Fail by SIP:SIP Phone Number DESCRIPTION The listed SIP account was successfully registered with a SIP register server. An attempt to register the listed SIP account with a SIP register server was not successful. The listed SIP accounts registration was deleted from the SIP register server. Company Confidential Table 109 FSM Logs: Caller Side LOG MESSAGE VoIP Call Start Ph[Phone Port Number] <- Outgoing Call Number VoIP Call Established Ph[Phone Port] ->
Outgoing Call Number DESCRIPTION A VoIP phone call came to the WiMAX Device from the listed SIP number. Table 110 FSM Logs: Callee Side LOG MESSAGE VoIP Call Start from SIP[SIP Port Number]
DESCRIPTION Someone used a phone connected to the listed phone port to initiate a VoIP call to the listed destination. A VoIP phone call made from a phone connected to the listed phone port has terminated. Someone used a phone connected to the listed phone port to make a VoIP call to the listed destination. VoIP Call End Phone[Phone Port]
240 Users Guide Chapter 19The Logs Screens A VoIP phone call that came into the WiMAX Device has terminated. DESCRIPTION A PSTN call has been initiated. A PSTN call has terminated. A PSTN call has been set up. Table 111 Lifeline Logs LOG MESSAGE PSTN Call Start PSTN Call End PSTN Call Established DESCRIPTION A VoIP phone call was set up from the listed SIP number to the WiMAX Device. Table 110 FSM Logs: Callee Side (continued) LOG MESSAGE VoIP Call Established Ph[Phone Port] <-
Outgoing Call Number VoIP Call End Phone[Phone Port]
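The message formats in Tables 104 and 105 and the type/code pairs in Table 106 are regular enough to triage mechanically. The following Python sketch is an added example, not part of the ZyXEL manual: it classifies message text against those formats and decodes ICMP type/code values. The function names, the tab-separated record layout (time, source, destination, message) and the sample lines are constructed assumptions; real device or syslog output may wrap the message differently.

```python
import re
from collections import defaultdict

# Table 106 (ICMP Notes): (type, code) -> description, abridged from the manual.
ICMP_NOTES = {
    (0, 0): "Echo reply message", (8, 0): "Echo message",
    (3, 0): "Net unreachable", (3, 1): "Host unreachable",
    (3, 2): "Protocol unreachable", (3, 3): "Port unreachable",
    (3, 4): "Needed fragmentation but Don't Fragment (DF) was set",
    (3, 5): "Source route failed", (4, 0): "Source Quench",
    (5, 0): "Redirect datagrams for the Network",
    (5, 1): "Redirect datagrams for the Host",
    (5, 2): "Redirect datagrams for the Type of Service and Network",
    (5, 3): "Redirect datagrams for the Type of Service and Host",
    (11, 0): "Time to live exceeded in transit",
    (11, 1): "Fragment reassembly time exceeded",
    (12, 0): "Pointer indicates the error",
    (13, 0): "Timestamp request message", (14, 0): "Timestamp reply message",
    (15, 0): "Information request message", (16, 0): "Information reply message",
}

ALL6 = ("TCP", "UDP", "IGMP", "ESP", "GRE", "OSPF")
# Table 104: (message prefix, protocol words allowed after it, ICMP type/code form allowed)
ATTACK_RULES = [
    ("attack", ALL6, True), ("land", ALL6, True),
    ("ip spoofing - WAN", ALL6, True),
    ("ip spoofing - no routing entry", ALL6, True),
    ("teardrop", ("TCP", "UDP"), True), ("icmp echo :", (), True),
    ("vulnerability", (), True), ("traceroute", (), True),
    ("syn flood", ("TCP",), False), ("ports scan", ("TCP", "UDP"), False),
    ("illegal command", ("TCP",), False), ("NetBIOS", ("TCP",), False),
    ("Firewall sent TCP packet in response to DoS attack", ("TCP",), False),
    ("ICMP Source Quench", ("ICMP",), False), ("ICMP Time Exceed", ("ICMP",), False),
    ("ICMP Destination Unreachable", ("ICMP",), False),
    ("ping of death.", ("ICMP",), False), ("smurf", ("ICMP",), False),
]

# Table 105: services named in "Remote Management: <service> denied".
MGMT_SERVICES = {"FTP", "TELNET", "HTTP or UPnP", "WWW", "HTTPS", "SSH",
                 "ICMP Ping response", "DNS"}

_ICMP_RE = re.compile(r"ICMP ?\(type:(\d+), ?code:(\d+)\)")
_MGMT_RE = re.compile(r"Remote Management: (.+) denied")


def classify(message):
    """Return a dict for a Table 104 or Table 105 message, else None."""
    msg = message.strip()
    m = _MGMT_RE.fullmatch(msg)
    if m and m.group(1) in MGMT_SERVICES:
        return {"table": 105, "name": "remote management denied", "service": m.group(1)}
    for prefix, protos, icmp_ok in ATTACK_RULES:
        if not msg.startswith(prefix + " "):
            continue
        rest = msg[len(prefix) + 1:]
        if rest in protos:
            return {"table": 104, "name": prefix, "proto": rest}
        m = _ICMP_RE.fullmatch(rest) if icmp_ok else None
        if m:
            key = (int(m.group(1)), int(m.group(2)))
            return {"table": 104, "name": prefix, "proto": "ICMP", "icmp": key,
                    "icmp_note": ICMP_NOTES.get(key, "not listed in Table 106")}
    return None


def triage(log_text):
    """Group classified events by source; unmatched or malformed lines are skipped."""
    by_source = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split("\t")
        event = classify(fields[3]) if len(fields) == 4 else None
        if event:
            by_source[fields[1]].append(event)
    return dict(by_source)


def management_probers(by_source, min_services=2):
    """Sources denied on at least min_services distinct Table 105 services."""
    hits = {}
    for src, events in by_source.items():
        services = sorted({e["service"] for e in events if e["table"] == 105})
        if len(services) >= min_services:
            hits[src] = services
    return hits


# Constructed sample records (documentation address ranges), not real device output.
SAMPLE_LOG = (
    "2009-05-01 10:00:01\t198.51.100.7\t203.0.113.10\tports scan TCP\n"
    "2009-05-01 10:00:02\t198.51.100.7\t203.0.113.10\tRemote Management: TELNET denied\n"
    "2009-05-01 10:00:03\t198.51.100.7\t203.0.113.10\tRemote Management: SSH denied\n"
    "2009-05-01 10:00:09\t192.0.2.44\t203.0.113.10\tattack ICMP (type:3, code:4)\n"
    "2009-05-01 10:00:15\t192.168.100.20\t203.0.113.80\tUPnP pass through Firewall\n"
)

if __name__ == "__main__":
    for src, events in triage(SAMPLE_LOG).items():
        print(src, [(e["name"], e.get("icmp_note")) for e in events])
```

Messages outside Tables 104 and 105, such as the UPnP and content filtering entries, return None from classify and are left for separate handling.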
CHAPTER 20 The UPnP Screen

20.1 Overview

Use the TOOLS > UPnP screen to enable the WiMAX Device's UPnP feature.

Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices. A UPnP device can dynamically join a network, obtain an IP address, convey its capabilities and learn about other devices on the network. In turn, a device can leave a network smoothly and automatically when it is no longer in use.

20.1.1 What You Can Do in This Chapter

The UPnP screen (Section 20.2 on page 244) lets you enable the UPnP feature in your WiMAX Device.

20.1.2 What You Need to Know

The following terms and concepts may help as you read through this chapter.

How do I know if I'm using UPnP?

UPnP hardware is identified as an icon in the Network Connections folder (Windows XP). Each UPnP compatible device installed on your network will appear as a separate icon. Selecting the icon of a UPnP device will allow you to access the information and properties of that device.

NAT Traversal

UPnP NAT traversal automates the process of allowing an application to operate through NAT. UPnP network devices can automatically configure network addressing, announce their presence in the network to other UPnP devices and enable exchange of simple product and service descriptions. NAT traversal allows the following:

- Dynamic port mapping
- Learning public IP addresses
- Assigning lease times to mappings

Windows Messenger is an example of an application that supports NAT traversal and UPnP.

See Chapter 10 on page 125 for further information about NAT.

Cautions with UPnP

The automated nature of NAT traversal applications in establishing their own services and opening firewall ports may present network security issues. Network information and configuration may also be obtained and modified by users in some network environments.

All UPnP-enabled devices may communicate freely with each other without additional configuration. Disable UPnP if this is not your intention.

UPnP and ZyXEL

ZyXEL has received UPnP certification from the official UPnP Forum (http://www.upnp.org). ZyXEL's UPnP implementation supports IGD 1.0 (Internet Gateway Device).

The WiMAX Device only sends UPnP multicasts to the LAN.

20.2 UPnP

Click TOOLS > UPnP to enable UPnP in your WiMAX Device.

Figure 109 TOOLS > UPnP

The following table describes the labels in this screen.

Table 112 TOOLS > UPnP

| LABEL | DESCRIPTION |
|---|---|
| Device Name | This field identifies your device in UPnP applications. |
| Enable the Universal Plug and Play (UPnP) Feature | Select this to activate UPnP. Be aware that anyone could use a UPnP application to open the web configurator's login screen without entering the WiMAX Device's IP address. You still have to enter the password, however. |
| Allow users to make configuration changes through UPnP | Select this to allow UPnP-enabled applications to automatically configure the WiMAX Device so that they can communicate through the WiMAX Device. For example, using NAT traversal, UPnP applications automatically reserve a NAT forwarding port in order to communicate with another UPnP enabled device; this eliminates the need to manually configure port forwarding for the UPnP enabled application. |
| Allow UPnP to pass through Firewall | Select this to allow traffic from UPnP-enabled applications to bypass the firewall. Clear this if you want the firewall to check UPnP application packets (for example, MSN packets). |
| Apply | Click to save your changes. |
| Reset | Click to restore your previously saved settings. |

20.3 Technical Reference

The following section contains additional technical information about the WiMAX Device features described in this chapter.

20.3.1 Installing UPnP in Windows XP

Follow the steps below to install the UPnP in Windows XP.

1 Click Start > Control Panel.

2 Double-click Network Connections.

3 In the Network Connections window, click Advanced in the main menu and select Optional Networking Components.

Figure 110 Network Connections

4 The Windows Optional Networking Components Wizard window displays. Select Networking Service in the Components selection box and click Details.

Figure 111 Windows Optional Networking Components Wizard

5 In the Networking Services window, select the Universal Plug and Play check box.

Figure 112 Networking Services

6 Click OK to go back to the Windows Optional Networking Component Wizard window and click Next.

20.3.1.1 Auto-discover Your UPnP-enabled Network Device in Windows XP

This section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the WiMAX Device.

Make sure the computer is connected to a LAN port of the WiMAX Device. Turn on your computer and the WiMAX Device.

1 Click Start and Control Panel. Double-click Network Connections. An icon displays under Internet Gateway.

2 Right-click the icon and select Properties.

Figure 113 Network Connections

3 In the Internet Connection Properties window, click Settings to see the port mappings that were automatically created.

Figure 114 Internet Connection Properties

4 You may edit or delete the port mappings or click Add to manually add port mappings.

Figure 115 Internet Connection Properties: Advanced Settings

Figure 116 Internet Connection Properties: Advanced Settings: Add

5 When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically.

6 Select Show icon in notification area when connected option and click OK. An icon displays in the system tray.

Figure 117 System Tray Icon

7 Double-click on the icon to display your current Internet connection status.

Figure 118 Internet Connection Status

20.3.2 Web Configurator Easy Access

With UPnP, you can access the web-based configurator on the WiMAX Device without finding out the IP address of the WiMAX Device first. This becomes helpful if you do not know the IP address of the WiMAX Device.

Follow the steps below to access the web configurator:

1 Click Start and then Control Panel.

2 Double-click Network Connections.

3 Select My Network Places under Other Places.

Figure 119 Network Connections

4 An icon with the description for each UPnP-enabled device displays under Local Network.

5 Right-click on the icon for your WiMAX Device and select Invoke. The web configurator login screen displays.

Figure 120 Network Connections: My Network Places
1 | Manual Part 2 | Users Manual | 3.18 MiB | August 07 2009 |
6 Right-click on the icon for your WiMAX Device and select Properties. A properties window displays with basic information about the WiMAX Device.

Figure 121 Network Connections: My Network Places: Properties: Example

CHAPTER 21 The Status Screen

21.1 Overview

Use this screen to view a complete summary of your WiMAX Device connection status.

21.2 Status Screen

Click the STATUS icon in the navigation bar to go to this screen, where you can view the current status of the device, system resources, interfaces (LAN and WAN), and SIP accounts. You can also register and un-register SIP accounts as well as view detailed information from DHCP and statistics from WiMAX, VoIP, bandwidth management, and traffic.

Figure 122 Status

The following tables describe the labels in this screen.

Table 113 Status

| LABEL | DESCRIPTION |
|---|---|
| Refresh Interval | Select how often you want the WiMAX Device to update this screen. |
| Refresh Now | Click this to update this screen immediately. |
| Device Information | |
| System Name | This field displays the WiMAX Device system name. It is used for identification. You can change this in the ADVANCED > System Configuration > General screen's System Name field. |
| Firmware Version | This field displays the current version of the firmware inside the device. It also shows the date the firmware version was created. You can change the firmware version by uploading new firmware in ADVANCED > System Configuration > Firmware. |
| WAN Information | |
| IP Address | This field displays the current IP address of the WiMAX Device in the WAN. |
| IP Subnet Mask | This field displays the current subnet mask on the WAN. |
| DHCP | This field displays what DHCP services the WiMAX Device is using in the WAN. Choices are: Client - The WiMAX Device is a DHCP client in the WAN. Its IP address comes from a DHCP server on the WAN. None - The WiMAX Device is not using any DHCP services in the WAN. It has a static IP address. |
| LAN Information | |
| IP Address | This field displays the current IP address of the WiMAX Device in the LAN. |
| IP Subnet Mask | This field displays the current subnet mask in the LAN. |
| DHCP | This field displays what DHCP services the WiMAX Device is providing to the LAN. Choices are: Server - The WiMAX Device is a DHCP server in the LAN. It assigns IP addresses to other computers in the LAN. Relay - The WiMAX Device is routing DHCP requests to one or more DHCP servers. The DHCP server(s) may be on another network. None - The WiMAX Device is not providing any DHCP services to the LAN. You can change this in ADVANCED > LAN Configuration > DHCP Setup. |
| WiMAX Information | |
| Operator ID | Every WiMAX service provider has a unique Operator ID number, which is broadcast by each base station it owns. You can only connect to the Internet through base stations belonging to your service provider's network. |
| BSID | This field displays the identification number of the wireless base station to which the WiMAX Device is connected. Every base station transmits a unique BSID, which identifies it across the network. |
| Cell ID | A base station's coverage area can be divided into multiple cells. This field shows the identification number of the cell in which the WiMAX Device is connected. |
| Frequency | This field displays the radio frequency of the WiMAX Device's wireless connection to a base station. |
| MAC address | This field displays the Media Access Control address of the WiMAX Device. Every network device has a unique MAC address which identifies it across the network. |
| WiMAX State | This field displays the status of the WiMAX Device's current connection. INIT: the WiMAX Device is starting up. DL_SYN: The WiMAX Device is unable to connect to a base station. RANGING: the WiMAX Device and the base station are transmitting and receiving information about the distance between them. Ranging allows the WiMAX Device to use a lower transmission power level when communicating with a nearby base station, and a higher transmission power level when communicating with a distant base station. CAP_NEGO: the WiMAX Device and the base station are exchanging information about their capabilities. AUTH: the WiMAX Device and the base station are exchanging security information. REGIST: the WiMAX Device is registering with a RADIUS server. OPERATIONAL: the WiMAX Device has successfully registered with the base station. Traffic can now flow between the WiMAX Device and the base station. IDLE: the WiMAX Device is in power saving mode, but can connect when a base station alerts it that there is traffic waiting. |
| Bandwidth | This field shows the size of the bandwidth step the WiMAX Device uses to connect to a base station in megahertz (MHz). |
| CINR mean | This field shows the average Carrier to Interference plus Noise Ratio of the current connection. This value is an indication of overall radio signal quality. A higher value indicates a higher signal quality, and a lower value indicates a lower signal quality. |
| CINR deviation | This field shows the amount of change in the CINR level. This value is an indication of radio signal stability. A lower number indicates a more stable signal, and a higher number indicates a less stable signal. |
| RSSI | This field shows the Received Signal Strength Indication. This value is a measurement of overall radio signal strength. A higher RSSI level indicates a stronger signal, and a lower RSSI level indicates a weaker signal. A strong signal does not necessarily indicate a good signal: a strong signal may have a low signal-to-noise ratio (SNR). |
| UL Data Rate | This field shows the number of data packets uploaded from the WiMAX Device to the base station each second. |
| DL Data Rate | This field shows the number of data packets downloaded to the WiMAX Device from the base station each second. |
| PER | This field shows the Packet Error Rate. The PER is the percentage of data packets transmitted across the network but not successfully received. |
| Tx Power | This field shows the output transmission (Tx) level of the WiMAX Device. |
| System Status | |
| System Uptime | This field displays how long the WiMAX Device has been running since it last started up. The WiMAX Device starts up when you plug it in, when you restart it (ADVANCED > System Configuration > Restart), or when you reset it. |
| Current Date/Time | This field displays the current date and time in the WiMAX Device. You can change this in SETUP > Time Setting. |
| Memory Usage | This field displays what percentage of the WiMAX Device's memory is currently used. The higher the memory usage, the more likely the WiMAX Device is to slow down. Some memory is required just to start the WiMAX Device and to run the web configurator. You can reduce the memory usage by disabling some services (see CPU Usage); by reducing the amount of memory allocated to NAT and firewall rules (you may have to reduce the number of NAT rules or firewall rules to do so); or by deleting rules in functions such as incoming call policies, speed dial entries, and static routes. |
| CPU Usage | This field displays what percentage of the WiMAX Device's processing ability is currently being used. The higher the CPU usage, the more likely the WiMAX Device is to slow down. You can reduce this by disabling some services, such as DHCP, NAT, or content filtering. |
| IVR Usage | This field displays what percentage of the WiMAX Device's IVR memory is currently used. IVR (Interactive Voice Response) refers to the customizable ring tone and on-hold music you set. |
| Interface Status | |
| Interface | This column displays each interface of the WiMAX Device. |
| Status | This field indicates whether or not the WiMAX Device is using the interface. For the WAN interface, this field displays Up when the WiMAX Device is connected to a WiMAX network, and Down when the WiMAX Device is not connected to a WiMAX network. For the LAN interface, this field displays Up when the WiMAX Device is using the interface and Down when the WiMAX Device is not using the interface. |
| Rate | For the LAN ports this displays the port speed and duplex setting. For the WAN interface, it displays the downstream and upstream transmission rate or N/A if the WiMAX Device is not connected to a base station. For the WLAN interface, it displays the transmission rate when WLAN is enabled or N/A when WLAN is disabled. |
| Summary | |
| Packet Statistics | Click this link to view port status and packet specific statistics. |
| WiMAX Site Information | Click this link to view details of the radio frequencies used by the WiMAX Device to connect to a base station. |
| DHCP Table | Click this link to see details of computers to which the WiMAX Device has given an IP address. |
| VoIP Statistics | Click this link to view statistics about your VoIP usage. |
| WiMAX Profile | Click this link to view details of the current wireless security settings. |
| VoIP Status | |
| Account | This column displays each SIP account in the WiMAX Device. |
| Registration | This field displays the current registration status of the SIP account. You have to register SIP accounts with a SIP server to use VoIP. If the SIP account is already registered with the SIP server: Click Unregister to delete the SIP account's registration in the SIP server. This does not cancel your SIP account, but it deletes the mapping between your SIP identity and your IP address or domain name. The second field displays Registered. If the SIP account is not registered with the SIP server: Click Register to have the WiMAX Device attempt to register the SIP account with the SIP server. The second field displays the reason the account is not registered. Inactive - The SIP account is not active. You can activate it in VOICE > SIP > SIP Settings. Register Fail - The last time the WiMAX Device tried to register the SIP account with the SIP server, the attempt failed. The WiMAX Device automatically tries to register the SIP account when you turn on the WiMAX Device or when you activate it. |
| URI | This field displays the account number and service domain of the SIP account. You can change these in VOICE > SIP > SIP Settings. |

21.2.1 Packet Statistics

Click Status > Packet Statistics to open this screen. This read-only screen displays information about the data transmission through the WiMAX Device. To configure these settings, go to the corresponding area in the Advanced screens.

Figure 123 Packet Statistics

The following table describes the fields in this screen.

Table 114 Packet Statistics

| LABEL | DESCRIPTION |
|---|---|
| Port | This column displays each interface of the WiMAX Device. |
| Status | This field indicates whether or not the WiMAX Device is using the interface. For the WAN interface, this field displays the port speed and duplex setting when the WiMAX Device is connected to a WiMAX network, and Down when the WiMAX Device is not connected to a WiMAX network. For the LAN interface, this field displays the port speed and duplex setting when the WiMAX Device is using the interface and Down when the WiMAX Device is not using the interface. For the WLAN interface, it displays the transmission rate when WLAN is enabled or Down when WLAN is disabled. |
| TxPkts | This field displays the number of packets transmitted on this interface. |
| RxPkts | This field displays the number of packets received on this interface. |
| Collisions | This field displays the number of collisions on this port. |
| Tx B/s | This field displays the number of bytes transmitted in the last second. |
| Rx B/s | This field displays the number of bytes received in the last second. |
| Up Time | This field displays the elapsed time this interface has been connected. |
| System up Time | This is the elapsed time the system has been on. |
| Poll Interval(s) | Type the time interval for the browser to refresh system statistics. |
| Set Interval | Click this button to apply the new poll interval you entered in the Poll Interval field above. |
| Stop | Click this button to halt the refreshing of the system statistics. |

21.2.2 WiMAX Site Information

Click Status > WiMAX Site Information to open this screen. This read-only screen shows WiMAX frequency information for the WiMAX Device. These settings can be configured in the ADVANCED > WAN Configuration > WiMAX Configuration screen.

Figure 124 WiMAX Site Information

The following table describes the labels in this screen.

Table 115 WiMAX Site Information

| LABEL | DESCRIPTION |
|---|---|
| DL Frequency [0] ~ [19] | These fields show the downlink frequency settings in kilohertz (kHz). These settings determine how the WiMAX Device searches for an available wireless connection. |
21.2.3 DHCP Table

Click Status > DHCP Table to open this screen. This read-only screen shows the IP addresses, Host Names and MAC addresses of the devices currently connected to the WiMAX Device. These settings can be configured in the ADVANCED > LAN Configuration > DHCP Setup screen.

Figure 125 DHCP Table

Each field is described in the following table.

Table 116 DHCP Table

| LABEL | DESCRIPTION |
|---|---|
| # | The number of the item in this list. |
| IP Address | This field displays the IP address the WiMAX Device assigned to a computer in the network. |
| MAC Address | This field displays the MAC address of the computer to which the WiMAX Device assigned the IP address. |
| Host Name | This field displays the system name of the computer to which the WiMAX Device assigned the IP address. |
| Refresh | Click this button to update the table data. |

21.2.4 VoIP Statistics

Click Status > DHCP Table to open this screen. This read-only screen shows SIP registration information, status of calls and VoIP traffic statistics. These settings can be configured in the VOICE > Service Configuration > SIP Setting screen.

Figure 126 VoIP Statistics

Each field is described in the following table.

Table 117 VoIP Statistics

| LABEL | DESCRIPTION |
|---|---|
| SIP Status | |
| Port | This column displays each SIP account in the WiMAX Device. |
| Status | This field displays the current registration status of the SIP account. You can change this in the Status screen. Registered - The SIP account is registered with a SIP server. Register Fail - The last time the WiMAX Device tried to register the SIP account with the SIP server, the attempt failed. The WiMAX Device automatically tries to register the SIP account when you turn on the WiMAX Device or when you activate it. Inactive - The SIP account is not active. You can activate it in VOICE > SIP > SIP Settings. |
| Last Registration | This field displays the last time you successfully registered the SIP account. It displays N/A if you never successfully registered this account. |
| URI | This field displays the account number and service domain of the SIP account. You can change these in VOICE > SIP > SIP Settings. |
| Protocol | This field displays the transport protocol the SIP account uses. SIP accounts always use UDP. |
| Message Waiting | This field indicates whether or not there are any messages waiting for the SIP account. |
| Last Incoming Number | This field displays the last number that called the SIP account. It displays N/A if no number has ever dialed the SIP account. |
| Last Outgoing Number | This field displays the last number the SIP account called. It displays N/A if the SIP account has never dialed a number. |
| Call Statistics | |
| Phone | This field displays the WiMAX Device's phone port number. |
| Hook | This field indicates whether the phone is on the hook or off the hook. On - The phone is hanging up or already hung up. Off - The phone is dialing, calling, or connected. |
| Status | This field displays the current state of the phone call. N/A - There are no current VoIP calls, incoming calls or outgoing calls being made. DIAL - The callee's phone is ringing. RING - The phone is ringing for an incoming VoIP call. Process - There is a VoIP call in progress. DISC - The callee's line is busy, the callee hung up or your phone was left off the hook. |
| Codec | This field displays what voice codec is being used for a current VoIP call through a phone port. |
| Peer Number | This field displays the SIP number of the party that is currently engaged in a VoIP call through a phone port. |
| Duration | This field displays how long the current call has lasted. |
| Tx Pkts | This field displays the number of packets the WiMAX Device has transmitted in the current call. |
| Rx Pkts | This field displays the number of packets the WiMAX Device has received in the current call. |
| Tx B/s | This field displays how quickly the WiMAX Device has transmitted packets in the current call. The rate is the average number of bytes transmitted per second. |
| Rx B/s | This field displays how quickly the WiMAX Device has received packets in the current call. The rate is the average number of bytes transmitted per second. |
| Poll Interval(s) | Enter how often you want the WiMAX Device to update this screen, and click Set Interval. |
| Set Interval | Click this to make the WiMAX Device update the screen based on the amount of time you specified in Poll Interval. |
| Stop | Click this to make the WiMAX Device stop updating the screen. |

21.2.5 WiMAX Profile

Click Status > WiMAX Profile to open this screen. This read-only screen displays information about the security settings you are using. To configure these settings, go to the ADVANCED > WAN Configuration > Internet Connection screen.

Note: Not all WiMAX Device models have all the fields shown here.

Figure 127 WiMAX Profile

The following table describes the labels in this screen.

Table 118 The WiMAX Profile Screen

| LABEL | DESCRIPTION |
|---|---|
| User | This is the username for your Internet access account. |
| Password | This is the password for your Internet access account. The password displays as a row of asterisks for security purposes. |
| Anonymous Identity | This is the anonymous identity provided by your Internet Service Provider. Anonymous identity (also known as outer identity) is used with EAP-TTLS encryption. |
| PKM | This field displays the Privacy Key Management version number. PKM provides security between the WiMAX Device and the base station. See the WiMAX security appendix for more information. |
| Authentication | This field displays the user authentication method. Authentication is the process of confirming the identity of a user (by means of a username and password, for example). The EAP-TTLS allows an MS/SS and a base station to establish a secure link (or tunnel) with an AAA (Authentication, Authorization and Accounting) server in order to exchange authentication information. See the WiMAX security appendix for more details. |
| TTLS Inner EAP | This field displays the type of secondary authentication method. Once a secure EAP-TTLS connection is established, the inner EAP is the protocol used to exchange security information between the mobile station, the base station and the AAA server to authenticate the mobile station. See the WiMAX security appendix for more details. The WiMAX Device supports the following inner authentication types: CHAP (Challenge Handshake Authentication Protocol), MSCHAP (Microsoft CHAP), MSCHAPV2 (Microsoft CHAP version 2), PAP (Password Authentication Protocol). |
| Auth Mode | This is the authentication mode. The WiMAX Device supports the following authentication modes: User Only; Device Only with Cert; Certs and User Authentication. |
| Certificate | This is the security certificate the WiMAX Device uses to authenticate the AAA server, if one is available. |

PART VI Troubleshooting and Specifications

Troubleshooting
Product Specifications

CHAPTER 22 Troubleshooting

This chapter offers some suggestions to solve problems you might encounter. The potential problems are divided into the following categories:

- Power, Hardware Connections, and LEDs
- WiMAX Device Access and Login
- Internet Access
- Phone Calls and VoIP
- Reset the WiMAX Device to Its Factory Defaults
22.1 Power, Hardware Connections, and LEDs

The WiMAX Device does not turn on. None of the LEDs turn on.
1 Make sure you are using the power adapter or cord included with the WiMAX Device.
2 Make sure the power adapter or cord is connected to the WiMAX Device and plugged in to an appropriate power source. Make sure the power source is turned on.
3 Disconnect and re-connect the power adapter or cord to the WiMAX Device.
4 If the problem continues, contact the vendor.

One of the LEDs does not behave as expected.
1 Make sure you understand the normal behavior of the LED. See Section 1.2.1 on page 34 for more information.
2 Check the hardware connections. See the Quick Start Guide.
3 Inspect your cables for damage. Contact the vendor to replace any damaged cables.
4 Disconnect and re-connect the power adapter to the WiMAX Device.
5 If the problem continues, contact the vendor.

22.2 WiMAX Device Access and Login

I forgot the IP address for the WiMAX Device.
1 The default IP address is http://192.168.100.1.
2 If you changed the IP address and have forgotten it, you might get the IP address of the WiMAX Device by looking up the IP address of the default gateway for your computer. To do this in most Windows computers, click Start > Run, enter cmd, and then enter ipconfig. The IP address of the Default Gateway might be the IP address of the WiMAX Device (it depends on the network), so enter this IP address in your Internet browser.
3 If this does not work, you have to reset the WiMAX Device to its factory defaults. See Section 22.1 on page 267.

I forgot the password.
1 The default password is 1234.
2 If this does not work, you have to reset the WiMAX Device to its factory defaults. See Section 11.5 on page 142.

I cannot see or access the Login screen in the web configurator.
1 Make sure you are using the correct IP address.
  The default IP address is http://192.168.100.1.
  If you changed the IP address (Section 5.2 on page 68), use the new IP address.
  If you changed the IP address and have forgotten it, see the troubleshooting suggestions for I forgot the IP address for the WiMAX Device.
2 Check the hardware connections, and make sure the LEDs are behaving as expected. See the Quick Start Guide and Section 1.2.1 on page 34.
3 Make sure your Internet browser does not block pop-up windows and has JavaScript and Java enabled. See Appendix D on page 327.
4 If there is a DHCP server on your network, make sure your computer is using a dynamic IP address. Your WiMAX Device is a DHCP server by default. If there is no DHCP server on your network, make sure your computer's IP address is in the same subnet as the WiMAX Device. See Appendix E on page 337.
5 Reset the WiMAX Device to its factory defaults, and try to access the WiMAX Device with the default IP address. See Section 11.6 on page 143.
6 If the problem continues, contact the network administrator or vendor, or try one of the advanced suggestions.

Advanced Suggestions
  Try to access the WiMAX Device using another service, such as Telnet. If you can access the WiMAX Device, check the remote management settings and firewall rules to find out why the WiMAX Device does not respond to HTTP.
  If your computer is connected wirelessly, use a computer that is connected to a LAN/ETHERNET port.

I can see the Login screen, but I cannot log in to the WiMAX Device.
1 Make sure you have entered the user name and password correctly. The default user name is admin, and the default password is 1234. These fields are case-sensitive, so make sure [Caps Lock] is not on.
2 You cannot log in to the web configurator while someone is using Telnet to access the WiMAX Device. Log out of the WiMAX Device in the other session, or ask the person who is logged in to log out.
3 Disconnect and re-connect the power adapter or cord to the WiMAX Device.
4 If this does not work, you have to reset the WiMAX Device to its factory defaults. See Section 11.5 on page 142.

I cannot Telnet to the WiMAX Device.
See the troubleshooting suggestions for I cannot see or access the Login screen in the web configurator. Ignore the suggestions about your browser.

22.3 Internet Access

I cannot access the Internet.
1 Check the hardware connections, and make sure the LEDs are behaving as expected. See the Quick Start Guide and Section 1.2.1 on page 34.
2 Make sure you entered your ISP account information correctly in the wizard. These fields are case-sensitive, so make sure [Caps Lock] is not on.
3 Check your security settings. In the web configurator, go to the Status screen. Click the WiMAX Profile link in the Summary box and make sure that you are using the correct security settings for your Internet account.
4 Check your WiMAX settings. The WiMAX Device may have been set to search the wrong frequencies for a wireless connection. In the web configurator, go to the Status screen. Click the WiMAX Site Information link in the Summary box and ensure that the values are correct. If the values are incorrect, enter the correct frequency settings in the ADVANCED > WAN Configuration > WiMAX Configuration screen. If you are unsure of the correct values, contact your service provider.
5 If you are trying to access the Internet wirelessly, make sure the wireless settings in the wireless client are the same as the settings in the AP.
6 Disconnect all the cables from your WiMAX Device, and follow the directions in the Quick Start Guide again.
7 If the problem continues, contact your ISP.

I cannot access the Internet any more. I had access to the Internet (with the WiMAX Device), but my Internet connection is not available any more.
1 Check the hardware connections, and make sure the LEDs are behaving as expected. See the Quick Start Guide and Section 1.2.1 on page 34.
2 Disconnect and re-connect the power adapter to the WiMAX Device.
3 If the problem continues, contact your ISP.

The Internet connection is slow or intermittent.
1 The quality of the WiMAX Device's wireless connection to the base station may be poor. Poor signal reception may be improved by moving the WiMAX Device away from thick walls and other obstructions, or to a higher floor in your building.
2 There may be radio interference caused by nearby electrical devices such as microwave ovens and radio transmitters. Move the WiMAX Device away or switch the other devices off. Weather conditions may also affect signal quality.
3 As well as having an external antenna connector, the MAX-210HW2 is equipped with an internal directional antenna. If you know the location of the base station, orient the front of the WiMAX Device (the side with the LEDs) towards the base station. If you do not know the location of the base station, experiment by moving the WiMAX Device while observing the Strength Indicator LEDs for an increase in received signal strength. The MAX-200HW2 and MAX-230HW2 do not have internal antennas.
4 There might be a lot of traffic on the network. Look at the LEDs, and check Section 1.2.1 on page 34. If the WiMAX Device is sending or receiving a lot of information, try closing some programs that use the Internet, especially peer-to-peer applications.
5 Disconnect and re-connect the power adapter to the WiMAX Device.
6 If the problem continues, contact the network administrator or vendor, or try one of the advanced suggestions.

The Internet connection disconnects.
1 Check your WiMAX link and signal strength using the WiMAX Link and Strength Indicator LEDs on the device.
2 Contact your ISP if the problem persists.

22.4 Phone Calls and VoIP

The telephone port won't work or the telephone lacks a dial tone.
1 Check the telephone connections and telephone wire.
2 Make sure you have the VOICE > Service Configuration > SIP Settings screen properly configured (Chapter 12 on page 147).

I can access the Internet, but cannot make VoIP calls.
1 Make sure you have the VOICE > Service Configuration > SIP Settings screen properly configured (Chapter 12 on page 147).
2 The VoIP LED should come on. Make sure that your telephone is connected to the VoIP port (see the Quick Start Guide for information on connecting telephone cables to these ports).
3 You can also check the VoIP status in the Status screen.
4 If the VoIP settings are correct, use speed dial to make peer-to-peer calls. If you cannot make a call using speed dial, there may be something wrong with the SIP server. Contact your VoIP service provider.

Problems With Multiple SIP Accounts

You can set up two SIP accounts on your WiMAX Device. By default your WiMAX Device uses SIP account 1 for outgoing calls, and it uses SIP accounts 1 and 2 for incoming calls. With this setting, you always use SIP account 1 for your outgoing calls and you cannot distinguish which SIP account the calls are coming in through. If you want to control the use of different dialing plans for accounting purposes or other reasons, you need to configure your phone port in order to control which SIP account you are using when placing or receiving calls.

22.5 Reset the WiMAX Device to Its Factory Defaults

If you reset the WiMAX Device, you lose all of the changes you have made. The WiMAX Device re-loads its default settings, and the password resets to 1234. You have to make all of your changes again.

You will lose all of your changes when you push the Reset button.

To reset the WiMAX Device,
1 Make sure the Power LED is on and not blinking.
2 Press and hold the Reset button for five to ten seconds. Release the Reset button when the Power LED begins to blink. The default settings have been restored.

If the WiMAX Device restarts automatically, wait for the WiMAX Device to finish restarting, and log in to the web configurator. The password is 1234.

If the WiMAX Device does not restart automatically, disconnect and reconnect the WiMAX Device's power. Then, follow the directions above again.

22.5.1 Pop-up Windows, JavaScripts and Java Permissions

Please see Appendix D on page 327.

CHAPTER 23 Product Specifications

This chapter gives details about your WiMAX Device's hardware and firmware features.

Table 119 IDU Hardware Specifications
FEATURE: DESCRIPTION
Device Name: MAX-306HW2-IDU
Dimension (W x D x H): 216 mm x 164 mm x 52 mm
Weight: 450 g
Power: 48V DC, 1.25A

Table 120 Indoor Wireless LAN Specification FEATUREDESCRIPTION Standard IEEE802.11b/g compliant Wireless LAN Antenna Connector Operation Environmental Temperature: 0 Power over Ethernet (PoE)Provides Power over Ethernet via PoE port. 1 R-SMA connector for external wireless LAN antenna CE certification & WiMAX Forum Wave II Compliance Receiver Sensitivity -70dBm @54M, -85dBm @11M 802.11g: 14 2dBm @54Mbps (Typical 15dBm) Wireless LAN AntennaExternal dipole, 2dBi gain.
Storage Environmental Temperature: -25 Ethernet Ports4 RJ-45 Ethernet ports Transmit Output Power802.11b: 17 2dBm @11Mbps (Typical 18dBm) Phone Ports2 RJ-11 phone ports Humidity: 10% ~ 90% RH Humidity: 10% ~ 95% RH CertificationSafety CSA 60950-1-07 oC ~ 55oC oC ~ 45oC EMI & EMS Users Guide 275 Chapter 23Product Specifications MAX-316 oC ~ 65oC oC ~ 60oC CertificationSafety Humidity: 10% ~ 95% RH Humidity: 10% ~ 90% RH ODU end: RJ-45 Connector Physical Connector1 Vent Connector Weight4 kg including the mount kits Storage Environmental Temperature: -40 Data/Power PortIDU end: RJ-45 Connector Operation Environmental Temperature: -40 Dimension (W x D x H)231 mm x 236 mm x 69.6 mm Table 121 ODU Hardware Specifications FEATUREDESCRIPTION Device NameMAX-306 MAX-316: CROSS- Polarization 14dBi (Built-in Antenna) WiMAX AntennaMAX-306: CROSS- Polarization 12dBi (Built-in Antenna) Company Confidential Table 122 Outdoor Wireless LAN Specification FEATUREDESCRIPTION Standard IEEE 802.16e-2005 Water Tightness: IP65 Wind Resistance Testing: Hurricane/Wind Speed 56.1-61.2(m/s) FCC certification & WiMAX Forum Wave II Compliance CE certification & WiMAX Forum Wave II Compliance Channel Bandwidth / FFT size5MHz / 512FFT, 7MHz / 1024 FFT and 10MHz / 1024FFT WiMAX BandwidthMAX-306: 2.5-2.7 GHz (5MHz/10MHz) Maximum Output Power at Antenna Port Data RateAggregate throughput up to 30 Mbps MAX-316: 3.4-3.6 GHz (5MHz/7MHz/10MHz) ModulationQPSK, 16QAM, 64QAM (DL Only) EN60950-1 (CE-LVD & CB by TUV) Sensitivity96dBm @ QPSK 1/2 Duplex modeMTDD EMI & EMS 26dBm Other 276 Users Guide WiMAX Security (279) Setting Up Your Computers IP Address
PART VII Appendices and Index
Pop-up Windows, JavaScripts and Java Permissions
IP Addresses and Subnetting
Importing Certificates
SIP Passthrough
Common Services
Legal Information
Customer Support

APPENDIX A WiMAX Security

Wireless security is vital to protect your wireless communications. Without it, information transmitted over the wireless network would be accessible to any networking device within range.

User Authentication and Data Encryption

The WiMAX (IEEE 802.16) standard employs user authentication and encryption to ensure secured communication at all times.

User authentication is the process of confirming a user's identity and level of authorization. Data encryption is the process of encoding information so that it cannot be read by anyone who does not know the code.

WiMAX uses PKMv2 (Privacy Key Management version 2) for authentication, and CCMP (Counter Mode with Cipher Block Chaining Message Authentication Protocol) for data encryption.

WiMAX supports EAP (Extensible Authentication Protocol, RFC 2486) which allows additional authentication methods to be deployed with no changes to the base station or the mobile or subscriber stations.

PKMv2

PKMv2 is a procedure that allows authentication of a mobile or subscriber station and negotiation of a public key to encrypt traffic between the MS/SS and the base station. PKMv2 uses standard EAP methods such as Transport Layer Security (EAP-TLS) or Tunneled TLS (EAP-TTLS) for secure communication.

In cryptography, a key is a piece of information, typically a string of random numbers and letters, that can be used to lock (encrypt) or unlock (decrypt) a message. Public key encryption uses key pairs, which consist of a public (freely available) key and a private (secret) key. The public key is used for encryption and the private key is used for decryption. You can decrypt a message only if you have the private key. Public key certificates (or digital IDs) allow users to verify each other's identity.

RADIUS

RADIUS is based on a client-server model that supports authentication, authorization and accounting. The base station is the client and the server is the RADIUS server. The RADIUS server handles the following tasks:
Authentication: Determines the identity of the users.
Authorization: Determines the network services available to authenticated users once they are connected to the network.
Accounting: Keeps track of the client's network activity.

RADIUS is a simple package exchange in which your base station acts as a message relay between the MS/SS and the network RADIUS server.

Types of RADIUS Messages

The following types of RADIUS messages are exchanged between the base station and the RADIUS server for user authentication:
Access-Request: Sent by a base station requesting authentication.
Access-Reject: Sent by a RADIUS server rejecting access.
Access-Accept: Sent by a RADIUS server allowing access.
Access-Challenge: Sent by a RADIUS server requesting more information in order to allow access. The base station sends a proper response from the user and then sends another Access-Request message.

The following types of RADIUS messages are exchanged between the base station and the RADIUS server for user accounting:
Accounting-Request: Sent by the base station requesting accounting.
Accounting-Response: Sent by the RADIUS server to indicate that it has started or stopped accounting.

In order to ensure network security, the access point and the RADIUS server use a shared secret key, which is a password they both know. The key is not sent over the network. In addition to the shared key, password information exchanged is also encrypted to protect the network from unauthorized access.

Diameter

Diameter (RFC 3588) is a type of AAA server that provides several improvements over RADIUS in efficiency, security, and support for roaming.

Security Association

The set of information about user authentication and data encryption between two computers is known as a security association (SA). In a WiMAX network, the process of security association has three stages.
Authorization request and reply: The MS/SS presents its public certificate to the base station. The base station verifies the certificate and sends an authentication key (AK) to the MS/SS.
Key request and reply: The MS/SS requests a transport encryption key (TEK) which the base station generates and encrypts using the authentication key.
Encrypted traffic: The MS/SS decrypts the TEK (using the authentication key). Both stations can now securely encrypt and decrypt the data flow.

CCMP

All traffic in a WiMAX network is encrypted using CCMP (Counter Mode with Cipher Block Chaining Message Authentication Protocol). CCMP is based on the 128-bit Advanced Encryption Standard (AES) algorithm.

Counter mode refers to the encryption of each block of plain text with an arbitrary number, known as the counter. This number changes each time a block of plain text is encrypted. Counter mode avoids the security weakness of repeated identical blocks of encrypted text that makes encrypted data vulnerable to pattern-spotting.

Cipher Block Chaining Message Authentication (also known as CBC-MAC) ensures message integrity by encrypting each block of plain text in such a way that its encryption is dependent on the block before it. This series of chained blocks creates a message authentication code (MAC or CMAC) that ensures the encrypted data has not been tampered with.

Authentication

The WiMAX Device supports EAP-TTLS authentication.

EAP-TTLS (Tunneled Transport Layer Service)

EAP-TTLS is an extension of the EAP-TLS authentication that uses certificates for only the server-side authentications to establish a secure connection (with EAP-TLS digital certifications are needed by both the server and the wireless clients for mutual authentication). Client authentication is then done by sending username and password through the secure connection, thus client identity is protected. For client authentication, EAP-TTLS supports EAP methods and legacy authentication methods such as PAP, CHAP, MS-CHAP and MS-CHAP v2.

APPENDIX B Setting Up Your Computer's IP Address

Note: Your specific ZyXEL device may not support all of the operating systems described in this appendix. See the product specifications for more information about which operating systems are supported.

This appendix shows you how to configure the IP settings on your computer in order for it to be able to communicate with the other devices on your network. Windows Vista/XP/2000, Mac OS 9/OS X, and all versions of UNIX/LINUX include the software components you need to use TCP/IP on your computer.

If you manually assign IP information instead of using a dynamic IP, make sure that your network's computers have IP addresses that place them in the same subnet.

In this appendix, you can set up an IP address for:
Windows Vista on page 287
Mac OS X: 10.3 and 10.4 on page 291
Mac OS X: 10.5 on page 295
Linux: Ubuntu 8 (GNOME) on page 298
Linux: openSUSE 10.3 (KDE) on page 304
Windows XP/NT/2000 on page 284

Windows XP/NT/2000

The following example uses the default Windows XP display theme but can also apply to Windows 2000 and Windows NT.

1 Click Start > Control Panel.
Figure 128 Windows XP: Start Menu
2 In the Control Panel, click the Network Connections icon.
Figure 129 Windows XP: Control Panel
3 Right-click Local Area Connection and then select Properties.
Figure 130 Windows XP: Control Panel > Network Connections > Properties
4 On the General tab, select Internet Protocol (TCP/IP) and then click Properties.
Figure 131 Windows XP: Local Area Connection Properties
5 The Internet Protocol TCP/IP Properties window opens.
Figure 132 Windows XP: Internet Protocol (TCP/IP) Properties
6 Select Obtain an IP address automatically if your network administrator or ISP assigns your IP address dynamically.
Select Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields if you have a static IP address that was assigned to you by your network administrator or ISP. You may also have to enter a Preferred DNS server and an Alternate DNS server, if that information was provided.
7 Click OK to close the Internet Protocol (TCP/IP) Properties window.
Click OK to close the Local Area Connection Properties window.

Verifying Settings

1 Click Start > All Programs > Accessories > Command Prompt.
2 In the Command Prompt window, type "ipconfig" and then press [ENTER].

You can also go to Start > Control Panel > Network Connections, right-click a network connection, click Status and then click the Support tab to view your IP address and connection information.
Windows Vista

This section shows screens from Windows Vista Professional.

1 Click Start > Control Panel.
Figure 133 Windows Vista: Start Menu
2 In the Control Panel, click the Network and Internet icon.
Figure 134 Windows Vista: Control Panel
3 Click the Network and Sharing Center icon.
Figure 135 Windows Vista: Network And Internet
4 Click Manage network connections.
Figure 136 Windows Vista: Network and Sharing Center
5 Right-click Local Area Connection and then select Properties.
Figure 137 Windows Vista: Network and Sharing Center
Note: During this procedure, click Continue whenever Windows displays a screen saying that it needs your permission to continue.
6 Select Internet Protocol Version 4 (TCP/IPv4) and then select Properties.
Figure 138 Windows Vista: Local Area Connection Properties
7 The Internet Protocol Version 4 (TCP/IPv4) Properties window opens.
Figure 139 Windows Vista: Internet Protocol Version 4 (TCP/IPv4) Properties
8 Select Obtain an IP address automatically if your network administrator or ISP assigns your IP address dynamically.
Select Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields if you have a static IP address that was assigned to you by your network administrator or ISP. You may also have to enter a Preferred DNS server and an Alternate DNS server, if that information was provided. Click Advanced.
9 Click OK to close the Internet Protocol (TCP/IP) Properties window.
Click OK to close the Local Area Connection Properties window.

Verifying Settings

1 Click Start > All Programs > Accessories > Command Prompt.
2 In the Command Prompt window, type "ipconfig" and then press [ENTER].

You can also go to Start > Control Panel > Network Connections, right-click a network connection, click Status and then click the Support tab to view your IP address and connection information.

Mac OS X: 10.3 and 10.4

The screens in this section are from Mac OS X 10.4 but can also apply to 10.3.

1 Click Apple > System Preferences.
Figure 140 Mac OS X 10.4: Apple Menu
2 In the System Preferences window, click the Network icon.
Figure 141 Mac OS X 10.4: System Preferences
3 When the Network preferences pane opens, select Built-in Ethernet from the network connection type list, and then click Configure.
Figure 142 Mac OS X 10.4: Network Preferences
4 For dynamically assigned settings, select Using DHCP from the Configure IPv4 list in the TCP/IP tab.
Figure 143 Mac OS X 10.4: Network Preferences > TCP/IP Tab.
5 For statically assigned settings, do the following:
  From the Configure IPv4 list, select Manually.
  In the IP Address field, type your IP address.
  In the Subnet Mask field, type your subnet mask.
  In the Router field, type the IP address of your device.
Figure 144 Mac OS X 10.4: Network Preferences > Ethernet
Click Apply Now and close the window.

Verifying Settings

Check your TCP/IP properties by clicking Applications > Utilities > Network Utilities, and then selecting the appropriate Network Interface from the Info tab.
Figure 145 Mac OS X 10.4: Network Utility

Mac OS X: 10.5

The screens in this section are from Mac OS X 10.5.

1 Click Apple > System Preferences.
Figure 146 Mac OS X 10.5: Apple Menu
2 In System Preferences, click the Network icon.
Figure 147 Mac OS X 10.5: Systems Preferences
3 When the Network preferences pane opens, select Ethernet from the list of available connection types.
Figure 148 Mac OS X 10.5: Network Preferences > Ethernet
4 From the Configure list, select Using DHCP for dynamically assigned settings.
5 For statically assigned settings, do the following:
  From the Configure list, select Manually.
  In the IP Address field, enter your IP address.
  In the Subnet Mask field, enter your subnet mask.
  In the Router field, enter the IP address of your WiMAX Device.
Figure 149 Mac OS X 10.5: Network Preferences > Ethernet
6 Click Apply and close the window.

Verifying Settings

Check your TCP/IP properties by clicking Applications > Utilities > Network Utilities, and then selecting the appropriate Network interface from the Info tab.
Figure 150 Mac OS X 10.5: Network Utility

Linux: Ubuntu 8 (GNOME)

This section shows you how to configure your computer's TCP/IP settings in the GNU Object Model Environment (GNOME) using the Ubuntu 8 Linux distribution. The procedure, screens and file locations may vary depending on your specific distribution, release version, and individual configuration. The following screens use the default Ubuntu 8 installation.

Note: Make sure you are logged in as the root administrator.

Follow the steps below to configure your computer IP address in GNOME:

1 Click System > Administration > Network.
Figure 151 Ubuntu 8: System > Administration Menu
2 When the Network Settings window opens, click Unlock to open the Authenticate window. (By default, the Unlock button is greyed out until clicked.) You cannot make changes to your configuration unless you first enter your admin password.
Figure 152 Ubuntu 8: Network Settings > Connections
3 In the Authenticate window, enter your admin account name and password then click the Authenticate button.
Figure 153 Ubuntu 8: Administrator Account Authentication
4 In the Network Settings window, select the connection that you want to configure, then click Properties.
Figure 154 Ubuntu 8: Network Settings > Connections
5 The Properties dialog box opens.
Figure 155 Ubuntu 8: Network Settings > Properties
  In the Configuration list, select Automatic Configuration (DHCP) if you have a dynamic IP address.
  In the Configuration list, select Static IP address if you have a static IP address. Fill in the IP address, Subnet mask, and Gateway address fields.
6 Click OK to save the changes and close the Properties dialog box and return to the Network Settings screen.
7 If you know your DNS server IP address(es), click the DNS tab in the Network Settings window and then enter the DNS server information in the fields provided.
Figure 156 Ubuntu 8: Network Settings > DNS
8 Click the Close button to apply the changes.

Verifying Settings

Check your TCP/IP properties by clicking System > Administration > Network Tools, and then selecting the appropriate Network device from the Devices

Linux: openSUSE 10.3 (KDE)

This section shows you how to configure your computer's TCP/IP settings in the K Desktop Environment (KDE) using the openSUSE 10.3 Linux distribution. The procedure, screens and file locations may vary depending on your specific distribution, release version, and individual configuration. The following screens use the default openSUSE 10.3 installation.

Note: Make sure you are logged in as the root administrator.

Follow the steps below to configure your computer IP address in the KDE:

1 Click K Menu > Computer > Administrator Settings (YaST).
Figure 158 openSUSE 10.3: K Menu > Computer Menu
2 When the Run as Root - KDE su dialog opens, enter the admin password and click OK.
Figure 159 openSUSE 10.3: K Menu > Computer Menu
3 When the YaST Control Center window opens, select Network Devices and then click the Network Card icon.
Figure 160 openSUSE 10.3: YaST Control Center
4 When the Network Settings window opens, click the Overview tab, select the appropriate connection Name from the list, and then click the Configure button.
Figure 161 openSUSE 10.3: Network Settings
5 When the Network Card Setup window opens, click the Address tab
Figure 162 openSUSE 10.3: Network Card Setup
6 Select Dynamic Address (DHCP) if you have a dynamic IP address.
Select Statically assigned IP Address if you have a static IP address. Fill in the IP address, Subnet mask, and Hostname fields.
7 Click Next to save the changes and close the Network Card Setup window.
8 If you know your DNS server IP address(es), click the Hostname/DNS tab in Network Settings and then enter the DNS server information in the fields provided.
Figure 163 openSUSE 10.3: Network Settings
9 Click Finish to save your settings and close the window.
308 Users Guide Appendix BSetting Up Your Computer s IP Address Verifying Settings Figure 164 openSUSE 10.3: KNetwork Manager Figure 165 openSUSE: Connection Status - KNetwork Manager When the Connection Status - KNetwork Manager window opens, click the Statistics tab to see if your connection is working properly. Click the KNetwork Manager icon on the Task bar to check your TCP/IP properties. From the Options sub-menu, select Show Connection Information. Company Confidential Users Guide 309 Appendix BSetting Up Your Computer s IP Address Company Confidential 310 Users Guide APPENDIX C Ad-hoc Wireless LAN Configuration Wireless LAN Topologies This section discusses ad-hoc and infrastructure wireless LAN topologies. Wireless LANs The simplest WLAN configuration is an independent (Ad-hoc) WLAN that connects a set of computers with wireless adapters (A, B, C). Any time two or more wireless adapters are within range of each other, they can set up an independent network, which is commonly referred to as an ad-hoc network or Independent Basic Service Set (IBSS). The following diagram shows an example of notebook computers using wireless adapters to form an ad-hoc wireless LAN. Company Confidential A Basic Service Set (BSS) exists when all communications between wireless clients or between a wireless client and a wired network client go through one access point (AP). Intra-BSS traffic is traffic between wireless clients in the BSS. When Intra-BSS is enabled, wireless client A and B can access the wired network and communicate Figure 166 Peer-to-Peer Communication in an Ad-hoc Network BSS Users Guide 311 Appendix CWireless LANs Figure 167 Basic Service Set with each other. When Intra-BSS is disabled, wireless client A and B can still access the wired network but cannot communicate with each other. 
ESS

An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network. This wired connection between APs is called a Distribution System (DS).

This type of wireless LAN topology is called an Infrastructure WLAN. The Access Points not only provide communication with the wired network but also mediate wireless network traffic in the immediate neighborhood.

An ESSID (ESS IDentification) uniquely identifies each ESS. All access points and their associated wireless clients within the same ESS must have the same ESSID in order to communicate.

Figure 168 Infrastructure WLAN

Channel

A channel is the radio frequency(ies) used by wireless devices to transmit and receive data. Channels available depend on your geographical area. You may have a choice of channels (for your region) so you should use a channel different from an adjacent AP (access point) to reduce interference. Interference occurs when radio signals from different access points overlap, degrading performance.

Adjacent channels partially overlap, however. To avoid interference due to overlap, your AP should be on a channel at least five channels away from a channel that an adjacent AP is using. For example, if your region has 11 channels and an adjacent AP is using channel 1, then you need to select a channel between 6 and 11.

RTS/CTS

A hidden node occurs when two stations are within range of the same access point, but are not within range of each other. The following figure illustrates a hidden node. Both stations (STA) are within range of the access point (AP) or wireless gateway, but out-of-range of each other, so they cannot "hear" each other, that is they do not know if the channel is currently being used. Therefore, they are considered hidden from each other.

Figure 169 RTS/CTS

When station A sends data to the AP, it might not know that the station B is already using the channel. If these two stations send data at the same time, collisions may occur when both sets of data arrive at the AP at the same time, resulting in a loss of messages for both stations.

RTS/CTS is designed to prevent collisions due to hidden nodes. An RTS/CTS defines the biggest size data frame you can send before an RTS (Request To Send)/CTS (Clear to Send) handshake is invoked.

When a data frame exceeds the RTS/CTS value you set (between 0 and 2432 bytes), the station that wants to transmit this frame must first send an RTS (Request To Send) message to the AP for permission to send it. The AP then responds with a CTS (Clear to Send) message to all other stations within its range to notify them to defer their transmission. It also reserves and confirms with the requesting station the time frame for the requested transmission.

Stations can send frames smaller than the specified RTS/CTS directly to the AP without the RTS (Request To Send)/CTS (Clear to Send) handshake.

You should only configure RTS/CTS if the possibility of hidden nodes exists on your network and the "cost" of resending large frames is more than the extra network overhead involved in the RTS (Request To Send)/CTS (Clear to Send) handshake.

If the RTS/CTS value is greater than the Fragmentation Threshold value (see next), then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames will be fragmented before they reach RTS/CTS size.

Note: Enabling the RTS Threshold causes redundant network overhead that could negatively affect the throughput performance instead of providing a remedy.

Fragmentation Threshold

A Fragmentation Threshold is the maximum data fragment size (between 256 and 2432 bytes) that can be sent in the wireless network before the AP will fragment the packet into smaller data frames.

A large Fragmentation Threshold is recommended for networks not prone to interference while you should set a smaller threshold for busy networks or networks that are prone to interference.

If the Fragmentation Threshold value is smaller than the RTS/CTS value (see previously) you set, then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames will be fragmented before they reach RTS/CTS size.

Preamble Type

Preamble is used to signal that data is coming to the receiver. Short and long refer to the length of the synchronization field in a packet.
Short preamble increases performance as less time sending preamble means more time for sending data. All IEEE 802.11 compliant wireless adapters support long preamble, but not all support short preamble.

Use long preamble if you are unsure what preamble mode other wireless devices on the network support, and to provide more reliable communications in busy wireless networks.

Use short preamble if you are sure all wireless devices on the network support it, and to provide more efficient communications.

Use the dynamic setting to automatically use short preamble when all wireless devices on the network support it, otherwise the WiMAX Device uses long preamble.

Note: The wireless devices MUST use the same preamble mode in order to communicate.

IEEE 802.11g Wireless LAN

IEEE 802.11g is fully compatible with the IEEE 802.11b standard. This means an IEEE 802.11b adapter can interface directly with an IEEE 802.11g access point (and vice versa) at 11 Mbps or lower depending on range. IEEE 802.11g has several intermediate rate steps between the maximum and minimum data rates. The IEEE 802.11g data rate and modulation are as follows:

Table 123 IEEE 802.11g

| DATA RATE (MBPS) | MODULATION |
|---|---|
| 1 | DBPSK (Differential Binary Phase Shift Keyed) |
| 2 | DQPSK (Differential Quadrature Phase Shift Keying) |
| 5.5 / 11 | CCK (Complementary Code Keying) |
| 6/9/12/18/24/36/48/54 | OFDM (Orthogonal Frequency Division Multiplexing) |

Wireless Security Overview

Wireless security is vital to your network to protect wireless communication between wireless clients, access points and the wired network.

Wireless security methods available on the WiMAX Device are data encryption, wireless client authentication, restricting access by device MAC address and hiding the WiMAX Device identity.

The following figure shows the relative effectiveness of these wireless security methods available on your WiMAX Device.

Table 124 Wireless Security Levels

| SECURITY LEVEL | SECURITY TYPE |
|---|---|
| Least Secure | Unique SSID (Default) |
| | Unique SSID with Hide SSID Enabled |
| | MAC Address Filtering |
| | WEP Encryption |
| | IEEE802.1x EAP with RADIUS Server Authentication |
| | Wi-Fi Protected Access (WPA) |
| Most Secure | WPA2 |

Note: You must enable the same wireless security settings on the WiMAX Device and on all wireless clients that you want to associate with it.

IEEE 802.1x

In June 2001, the IEEE 802.1x standard was designed to extend the features of IEEE 802.11 to support extended authentication as well as providing additional accounting and control features. It is supported by Windows XP and a number of network devices. Some advantages of IEEE 802.1x are:

• User based identification that allows for roaming.
• Support for RADIUS (Remote Authentication Dial In User Service, RFC 2138, 2139) for centralized user profile and accounting management on a network RADIUS server.
• Support for EAP (Extensible Authentication Protocol, RFC 2486) that allows additional authentication methods to be deployed with no changes to the access point or the wireless clients.

RADIUS

RADIUS is based on a client-server model that supports authentication, authorization and accounting. The access point is the client and the server is the RADIUS server. The RADIUS server handles the following tasks:

• Authentication: Determines the identity of the users.
• Authorization: Determines the network services available to authenticated users once they are connected to the network.
• Accounting: Keeps track of the client's network activity.

RADIUS is a simple package exchange in which your AP acts as a message relay between the wireless client and the network RADIUS server.

Types of RADIUS Messages

The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user authentication:

• Access-Request: Sent by an access point requesting authentication.
• Access-Reject: Sent by a RADIUS server rejecting access.
• Access-Accept: Sent by a RADIUS server allowing access.
• Access-Challenge: Sent by a RADIUS server requesting more information in order to allow access. The access point sends a proper response from the user and then sends another Access-Request message.

The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user accounting:

• Accounting-Request: Sent by the access point requesting accounting.
• Accounting-Response: Sent by the RADIUS server to indicate that it has started or stopped accounting.

In order to ensure network security, the access point and the RADIUS server use a shared secret key, which is a password they both know. The key is not sent over the network. In addition to the shared key, password information exchanged is also encrypted to protect the network from unauthorized access.

Types of EAP Authentication

This section discusses some popular authentication types: EAP-MD5, EAP-TLS, EAP-TTLS, PEAP and LEAP. Your wireless LAN device may not support all authentication types.

EAP (Extensible Authentication Protocol) is an authentication protocol that runs on top of the IEEE 802.1x transport mechanism in order to support multiple types of user authentication. By using EAP to interact with an EAP-compatible RADIUS server, an access point helps a wireless station and a RADIUS server perform authentication.

The type of authentication you use depends on the RADIUS server and an intermediary AP(s) that supports IEEE 802.1x.

For EAP-TLS authentication type, you must first have a wired connection to the network and obtain the certificate(s) from a certificate authority (CA). A certificate (also called digital IDs) can be used to authenticate users and a CA issues certificates and guarantees the identity of each certificate owner.

EAP-MD5 (Message-Digest Algorithm 5)

MD5 authentication is the simplest one-way authentication method. The authentication server sends a challenge to the wireless client. The wireless client proves that it knows the password by encrypting the password with the challenge and sends back the information. Password is not sent in plain text.

However, MD5 authentication has some weaknesses. Since the authentication server needs to get the plaintext passwords, the passwords must be stored. Thus someone other than the authentication server may access the password file. In addition, it is possible to impersonate an authentication server as MD5 authentication method does not perform mutual authentication. Finally, MD5 authentication method does not support data encryption with dynamic session key. You must configure WEP encryption keys for data encryption.

EAP-TLS (Transport Layer Security)

With EAP-TLS, digital certifications are needed by both the server and the wireless clients for mutual authentication. The server presents a certificate to the client. After validating the identity of the server, the client sends a different certificate to the server. The exchange of certificates is done in the open before a secured tunnel is created. This makes user identity vulnerable to passive attacks. A digital certificate is an electronic ID card that authenticates the sender's identity. However, to implement EAP-TLS, you need a Certificate Authority (CA) to handle certificates, which imposes a management overhead.

EAP-TTLS (Tunneled Transport Layer Service)

EAP-TTLS is an extension of the EAP-TLS authentication that uses certificates for only the server-side authentications to establish a secure connection. Client authentication is then done by sending username and password through the secure connection, thus client identity is protected. For client authentication, EAP-TTLS supports EAP methods and legacy authentication methods such as PAP, CHAP, MS-CHAP and MS-CHAP v2.

PEAP (Protected EAP)

Like EAP-TTLS, server-side certificate authentication is used to establish a secure connection, then use simple username and password methods through the secured connection to authenticate the clients, thus hiding client identity. However, PEAP only supports EAP methods, such as EAP-MD5, EAP-MSCHAPv2 and EAP-GTC (EAP-Generic Token Card), for client authentication. EAP-GTC is implemented only by Cisco.

LEAP

LEAP (Lightweight Extensible Authentication Protocol) is a Cisco implementation of IEEE 802.1x.

Dynamic WEP Key Exchange

The AP maps a unique key that is generated with the RADIUS server. This key expires when the wireless connection times out, disconnects or reauthentication times out. A new WEP key is generated each time reauthentication is performed.

If this feature is enabled, it is not necessary to configure a default encryption key in the wireless security configuration screen. You may still configure and store keys, but they will not be used while dynamic WEP is enabled.

Note: EAP-MD5 cannot be used with Dynamic WEP Key Exchange.

For added security, certificate-based authentications (EAP-TLS, EAP-TTLS and PEAP) use dynamic keys for data encryption. They are often deployed in corporate environments, but for public deployment, a simple user name and password pair is more practical. The following table is a comparison of the features of authentication types.

Table 125 Comparison of EAP Authentication Types

| | EAP-MD5 | EAP-TLS | EAP-TTLS | PEAP | LEAP |
|---|---|---|---|---|---|
| Mutual Authentication | No | Yes | Yes | Yes | Yes |
| Certificate Client | No | Yes | Optional | Optional | No |
| Certificate Server | No | Yes | Yes | Yes | No |
| Dynamic Key Exchange | No | Yes | Yes | Yes | Yes |
| Credential Integrity | None | Strong | Strong | Strong | Moderate |
| Deployment Difficulty | Easy | Hard | Moderate | Moderate | Moderate |
| Client Identity Protection | No | No | Yes | Yes | No |

WPA and WPA2

Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. WPA2 (IEEE 802.11i) is a wireless security standard that defines stronger encryption, authentication and key management than WPA.

Key differences between WPA or WPA2 and WEP are improved data encryption and user authentication.

If both an AP and the wireless clients support WPA2 and you have an external RADIUS server, use WPA2 for stronger data encryption. If you don't have an external RADIUS server, you should use WPA2-PSK (WPA2-Pre-Shared Key) that only requires a single (identical) password entered into each access point, wireless gateway and wireless client. As long as the passwords match, a wireless client will be granted access to a WLAN.

If the AP or the wireless clients do not support WPA2, just use WPA or WPA-PSK depending on whether you have an external RADIUS server or not.

Select WEP only when the AP and/or wireless clients do not support WPA or WPA2. WEP is less secure than WPA or WPA2.

Encryption

WPA improves data encryption by using Temporal Key Integrity Protocol (TKIP), Message Integrity Check (MIC) and IEEE 802.1x. WPA2 also uses TKIP when required for compatibility reasons, but offers stronger encryption than TKIP with Advanced Encryption Standard (AES) in the Counter mode with Cipher block chaining Message authentication code Protocol (CCMP).

TKIP uses 128-bit keys that are dynamically generated and distributed by the authentication server. AES (Advanced Encryption Standard) is a block cipher that uses a 256-bit mathematical algorithm called Rijndael. They both include a per-packet key mixing function, a Message Integrity Check (MIC) named Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism.

WPA and WPA2 regularly change and rotate the encryption keys so that the same encryption key is never used twice.

The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that then sets up a key hierarchy and management system, using the PMK to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients. This all happens in the background automatically.

The Message Integrity Check (MIC) is designed to prevent an attacker from capturing data packets, altering them and resending them. The MIC provides a strong mathematical function in which the receiver and the transmitter each compute and then compare the MIC. If they do not match, it is assumed that the data has been tampered with and the packet is dropped.

By generating unique data encryption keys for every data packet and by creating an integrity checking mechanism (MIC), with TKIP and AES it is more difficult to decrypt data on a Wi-Fi network than WEP and difficult for an intruder to break into the network.

The encryption mechanisms used for WPA(2) and WPA(2)-PSK are the same. The only difference between the two is that WPA(2)-PSK uses a simple common password, instead of user-specific credentials. The common-password approach makes WPA(2)-PSK susceptible to brute-force password-guessing attacks but it's still an improvement over WEP as it employs a consistent, single, alphanumeric password to derive a PMK which is used to generate unique temporal encryption keys. This prevents all wireless devices sharing the same encryption keys (a weakness of WEP).

User Authentication

WPA and WPA2 apply IEEE 802.1x and Extensible Authentication Protocol (EAP) to authenticate wireless clients using an external RADIUS database. WPA2 reduces the number of key exchange messages from six to four (CCMP 4-way handshake) and shortens the time required to connect to a network. Other WPA2 authentication features that are different from WPA include key caching and pre-authentication. These two features are optional and may not be supported in all wireless devices.

Key caching allows a wireless client to store the PMK it derived through a successful authentication with an AP. The wireless client uses the PMK when it tries to connect to the same AP and does not need to go through the authentication process again.

Pre-authentication enables fast roaming by allowing the wireless client (already connecting to an AP) to perform IEEE 802.1x authentication with another AP before connecting to it.

Wireless Client WPA Supplicants

A wireless client supplicant is the software that runs on an operating system instructing the wireless client how to use WPA. At the time of writing, the most widely available supplicant is the WPA patch for Windows XP, Funk Software's Odyssey client.

The Windows XP patch is a free download that adds WPA capability to Windows XP's built-in "Zero Configuration" wireless client. However, you must run Windows XP to use it.

WPA(2) with RADIUS Application Example

To set up WPA(2), you need the IP address of the RADIUS server, its port number (default is 1812), and the RADIUS shared secret. A WPA(2) application example with an external RADIUS server looks as follows. "A" is the RADIUS server. "DS" is the distribution system.

1 The AP passes the wireless client's authentication request to the RADIUS server.

2 The RADIUS server then checks the user's identification against its database and grants or denies network access accordingly.

3 A 256-bit Pairwise Master Key (PMK) is derived from the authentication process by the RADIUS server and the client.

4 The RADIUS server distributes the PMK to the AP. The AP then sets up a key hierarchy and management system, using the PMK to dynamically generate unique data encryption keys. The keys are used to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients.

Figure 170 WPA(2) with RADIUS Application Example

WPA(2)-PSK Application Example

A WPA(2)-PSK application looks as follows.

1 First enter identical passwords into the AP and all wireless clients. The Pre-Shared Key (PSK) must consist of between 8 and 63 ASCII characters or 64 hexadecimal characters (including spaces and symbols).

2 The AP checks each wireless client's password and allows it to join the network only if the password matches.

3 The AP and wireless clients generate a common PMK (Pairwise Master Key). The key itself is not sent over the network, but is derived from the PSK and the SSID.
4 The AP and wireless clients use the TKIP or AES encryption process, the PMK and information exchanged in a handshake to create temporal encryption keys. They use these keys to encrypt data exchanged between them.

Figure 171 WPA(2)-PSK Authentication

Security Parameters Summary

Refer to this table to see what other security parameters you should configure for each authentication method or key management protocol type. MAC address filters are not dependent on how you configure these security features.

Table 126 Wireless Security Relational Matrix

| AUTHENTICATION METHOD/ KEY MANAGEMENT PROTOCOL | ENCRYPTION METHOD | ENTER MANUAL KEY | IEEE 802.1X |
|---|---|---|---|
| Open | None | No | Disable |
| | | | Enable without Dynamic WEP Key |
| Open | WEP | No | Enable with Dynamic WEP Key |
| | | Yes | Enable without Dynamic WEP Key |
| | | Yes | Disable |
| Shared | WEP | No | Enable with Dynamic WEP Key |
| | | Yes | Enable without Dynamic WEP Key |
| | | Yes | Disable |
| WPA | TKIP/AES | No | Enable |
| WPA-PSK | TKIP/AES | Yes | Disable |
| WPA2 | TKIP/AES | No | Enable |
| WPA2-PSK | TKIP/AES | Yes | Disable |

Antenna Overview

An antenna couples RF signals onto air. A transmitter within a wireless device sends an RF signal to the antenna, which propagates the signal through the air. The antenna also operates in reverse by capturing RF signals from the air.

Positioning the antennas properly increases the range and coverage area of a wireless LAN.

Antenna Characteristics

Frequency

An antenna in the frequency of 2.4GHz (IEEE 802.11b and IEEE 802.11g) or 5GHz (IEEE 802.11a) is needed to communicate efficiently in a wireless LAN.

Radiation Pattern

A radiation pattern is a diagram that allows you to visualize the shape of the antenna's coverage area.

Antenna Gain

Antenna gain, measured in dB (decibel), is the increase in coverage within the RF beam width. Higher antenna gain improves the range of the signal for better communications.

For an indoor site, each 1 dB increase in antenna gain results in a range increase of approximately 2.5%. For an unobstructed outdoor site, each 1dB increase in gain results in a range increase of approximately 5%. Actual results may vary depending on the network environment.

Antenna gain is sometimes specified in dBi, which is how much the antenna increases the signal power compared to using an isotropic antenna. An isotropic antenna is a theoretical perfect antenna that sends out radio signals equally well in all directions. dBi represents the true gain that the antenna provides.

Types of Antennas for WLAN

There are two types of antennas used for wireless LAN applications.

• Omni-directional antennas send the RF signal out in all directions on a horizontal plane. The coverage area is torus-shaped (like a donut) which makes these antennas ideal for a room environment. With a wide coverage area, it is possible to make circular overlapping coverage areas with multiple access points.
• Directional antennas concentrate the RF signal in a beam, like a flashlight does with the light from its bulb. The angle of the beam determines the width of the coverage pattern. Angles typically range from 20 degrees (very directional) to 120 degrees (less directional). Directional antennas are ideal for hallways and outdoor point-to-point applications.

Positioning Antennas

In general, antennas should be mounted as high as practically possible and free of obstructions. In point-to-point application, position both antennas at the same height and in a direct line of sight to each other to attain the best performance.

For omni-directional antennas mounted on a table, desk, and so on, point the antenna up. For omni-directional antennas mounted on a wall or ceiling, point the antenna down. For a single AP application, place omni-directional antennas as close to the center of the coverage area as possible.

For directional antennas, point the antenna in the direction of the desired coverage area.

APPENDIX D
Pop-up Windows, JavaScripts and Java Permissions

In order to use the web configurator you need to allow:

• Web browser pop-up windows from your device.
• JavaScripts (enabled by default).
• Java permissions (enabled by default).

Note: Internet Explorer 6 screens are used here. Screens for other Internet Explorer versions may vary.

Internet Explorer Pop-up Blockers

You may have to disable pop-up blocking to log into your device.

Either disable pop-up blocking (enabled by default in Windows XP SP (Service Pack) 2) or allow pop-up blocking and create an exception for your device's IP address.

Disable Pop-up Blockers

1 In Internet Explorer, select Tools, Pop-up Blocker and then select Turn Off Pop-up Blocker.

Figure 172 Pop-up Blocker

You can also check if pop-up blocking is disabled in the Pop-up Blocker section in the Privacy tab.

1 In Internet Explorer, select Tools, Internet Options, Privacy.

2 Clear the Block pop-ups check box in the Pop-up Blocker section of the screen. This disables any web pop-up blockers you may have enabled.

Figure 173 Internet Options: Privacy

3 Click Apply to save this setting.

Enable Pop-up Blockers with Exceptions

Alternatively, if you only want to allow pop-up windows from your device, see the following steps.

1 In Internet Explorer, select Tools, Internet Options and then the Privacy tab.

2 Select Settings to open the Pop-up Blocker Settings screen.

Figure 174 Internet Options: Privacy

3 Type the IP address of your device (the web page that you do not want to have blocked) with the prefix http://. For example, http://192.168.167.1.

4 Click Add to move the IP address to the list of Allowed sites.
Figure 175 Pop-up Blocker Settings

5 Click Close to return to the Privacy screen.

6 Click Apply to save this setting.

JavaScripts

If pages of the web configurator do not display properly in Internet Explorer, check that JavaScripts are allowed.

1 In Internet Explorer, click Tools, Internet Options and then the Security tab.

Figure 176 Internet Options: Security

2 Click the Custom Level... button.

3 Scroll down to Scripting.

4 Under Active scripting make sure that Enable is selected (the default).

5 Under Scripting of Java applets make sure that Enable is selected (the default).

6 Click OK to close the window.

Figure 177 Security Settings - Java Scripting

Java Permissions

1 From Internet Explorer, click Tools, Internet Options and then the Security tab.

2 Click the Custom Level... button.

3 Scroll down to Microsoft VM.

4 Under Java permissions make sure that a safety level is selected.

5 Click OK to close the window.

Figure 178 Security Settings - Java

JAVA (Sun)

1 From Internet Explorer, click Tools, Internet Options and then the Advanced tab.

2 Make sure that Use Java 2 for <applet> under Java (Sun) is selected.

3 Click OK to close the window.

Figure 179 Java (Sun)

Mozilla Firefox

Mozilla Firefox 2.0 screens are used here. Screens for other versions may vary.

You can enable Java, Javascripts and pop-ups in one screen. Click Tools, then click Options in the screen that appears.

Figure 180 Mozilla Firefox: TOOLS > Options

Click Content to show the screen below. Select the check boxes as shown in the following screen.

Figure 181 Mozilla Firefox Content Security

APPENDIX E
IP Addresses and Subnetting

This appendix introduces IP addresses and subnet masks.

IP addresses identify individual devices on a network. Every networking device (including computers, servers, routers, printers, etc.) needs an IP address to communicate across the network. These networking devices are also known as hosts.

Subnet masks determine the maximum number of possible hosts on a network. You can also use subnet masks to divide one network into multiple sub-networks.

Introduction to IP Addresses

One part of the IP address is the network number, and the other part is the host ID. In the same way that houses on a street share a common street name, the hosts on a network share a common network number. Similarly, as each house has its own house number, each host on the network has its own unique identifying number - the host ID. Routers use the network number to send packets to the correct network, while the host ID determines to which host on the network the packets are delivered.

Structure

An IP address is made up of four parts, written in dotted decimal notation (for example, 192.168.100.1). Each of these four parts is known as an octet. An octet is an eight-digit binary number (for example 11000000, which is 192 in decimal notation).

Therefore, each octet has a possible range of 00000000 to 11111111 in binary, or 0 to 255 in decimal.

The following figure shows an example IP address in which the first three octets (192.168.1) are the network number, and the fourth octet (16) is the host ID.

Figure 182 Network Number and Host ID

How much of the IP address is the network number and how much is the host ID varies according to the subnet mask.

Subnet Masks

A subnet mask is used to determine which bits are part of the network number, and which bits are part of the host ID (using a logical AND operation). The term subnet is short for sub-network.

A subnet mask has 32 bits. If a bit in the subnet mask is a 1 then the corresponding bit in the IP address is part of the network number. If a bit in the subnet mask is 0 then the corresponding bit in the IP address is part of the host ID.

The following example shows a subnet mask identifying the network number (in bold text) and host ID of an IP address (192.168.1.2 in decimal).

Table 127 IP Address Network Number and Host ID Example

| | 1ST OCTET: (192) | 2ND OCTET: (168) | 3RD OCTET: (1) | 4TH OCTET (2) |
|---|---|---|---|---|
| IP Address (Binary) | 11000000 | 10101000 | 00000001 | 00000010 |
| Subnet Mask (Binary) | 11111111 | 11111111 | 11111111 | 00000000 |
| Network Number | 11000000 | 10101000 | 00000001 | |
| Host ID | | | | 00000010 |

By convention, subnet masks always consist of a continuous sequence of ones beginning from the leftmost bit of the mask, followed by a continuous sequence of zeros, for a total number of 32 bits.

Subnet masks can be referred to by the size of the network number part (the bits with a 1 value). For example, an 8-bit mask means that the first 8 bits of the mask are ones and the remaining 24 bits are zeroes.

Subnet masks are expressed in dotted decimal notation just like IP addresses. The following examples show the binary and decimal notation for 8-bit, 16-bit, 24-bit and 29-bit subnet masks.

Table 128 Subnet Masks

| | BINARY 1ST OCTET | 2ND OCTET | 3RD OCTET | 4TH OCTET | DECIMAL |
|---|---|---|---|---|---|
| 8-bit mask | 11111111 | 00000000 | 00000000 | 00000000 | 255.0.0.0 |
| 16-bit mask | 11111111 | 11111111 | 00000000 | 00000000 | 255.255.0.0 |
| 24-bit mask | 11111111 | 11111111 | 11111111 | | |
| 29-bit mask | | | | | |

As these two IP addresses cannot be used for individual hosts, calculate the maximum number of possible hosts in a network as follows:
Table 129 Maximum Host Numbers HOST ID SIZE SUBNET MASK An IP address with host IDs of all zeros is the IP address of the network
(192.168.1.0 with a 24-bit subnet mask, for example). An IP address with host IDs of all ones is the broadcast address for that network (192.168.1.255 with a 24-bit subnet mask, for example). The size of the network number determines the maximum number of possible hosts you can have on your network. The larger the number of network number bits, the smaller the number of remaining host ID bits. 8 bits255.0.0.024 bits 16 bits255.255.0.016 bits 24 bits255.255.255.08 bits 29 bits255.255.255.2 24 216777214 16 265534 8 2254 23 2 MAXIMUM NUMBER OF HOSTS 255.255.255.24 8 Network Size 255.255.255.0 11111111 00000000 11111111 11111111 11111000 3 bits 48 2 2 2 6 Users Guide 339 Appendix EIP Addresses and Subnetting Notation
/26 1100 0000 LAST OCTET
(DECIMAL) 0 128 ALTERNATIVE NOTATION
/24
/25 The following table shows some possible subnet masks using both notations. For example, 192.1.1.0 /25 is equivalent to saying 192.1.1.0 with subnet mask 255.255.255.128. Since the mask is always a continuous number of ones beginning from the left, followed by a continuous number of zeros for the remainder of the 32 bit mask, you can simply specify the number of ones instead of writing the value of each octet. This is usually specified by writing a / followed by the number of bits in the mask after the address. Table 130 Alternative Subnet Mask Notation LAST OCTET SUBNET
(BINARY) MASK 255.255.255.0 0000 0000 1000 0000 255.255.255.12 8 255.255.255.19 2 255.255.255.22 4 255.255.255.24 0 255.255.255.24 8 255.255.255.25 2 Company Confidential You can use subnetting to divide one network into multiple sub-networks. In the following example a network administrator creates two sub-networks to isolate a group of servers from the rest of the company network for security reasons. In this example, the company network address is 192.168.1.0. The first three octets of the address (192.168.1) are the network number, and the remaining octet is the host ID, allowing a maximum of 28 2 or 254 possible hosts. Subnetting 1110 0000 1111 0000 1111 1000 1111 1100 192 224 240 248 252
/27
/28
/29
/30 340 Users Guide Appendix EIP Addresses and Subnetting The following figure shows the company network before subnetting. Figure 183 Subnetting Example: Before Subnetting You can borrow one of the host ID bits to divide the network 192.168.1.0 into two separate sub-networks. The subnet mask is now 25 bits (255.255.255.128 or
/25). Company Confidential The borrowed host ID bit can have a value of either 0 or 1, allowing two subnets; 192.168.1.0 /25 and 192.168.100.128 /25. Users Guide 341 Appendix EIP Addresses and Subnetting Figure 184 Subnetting Example: After Subnetting The following figure shows the company network after subnetting. There are now two sub-networks, A and B. Company Confidential The previous example illustrated using a 25-bit subnet mask to divide a 24-bit address into two subnets. Similarly, to divide a 24-bit address into four subnets, you need to borrow two host ID bits to give four possible combinations (00, 01, 10 and 11). The subnet mask is 26 bits
(11111111.11111111.11111111.11000000) or 255.255.255.192. 192.168.1.0 with mask 255.255.255.128 is subnet A itself, and 192.168.100.127 with mask 255.255.255.128 is its broadcast address. Therefore, the lowest IP address that can be assigned to an actual host for subnet A is 192.168.100.1 and the highest is 192.168.100.126. In a 25-bit subnet the host ID has 7 bits, so each sub-network has a maximum of 27 2 or 126 possible hosts (a host ID of all zeroes is the subnets address itself, all ones is the subnets broadcast address). Similarly, the host ID range for subnet B is 192.168.100.129 to 192.168.1.254. Example: Four Subnets 342 Users Guide Appendix EIP Addresses and Subnetting NETWORK NUMBER NETWORK NUMBER Highest Host ID: 192.168.1.62 LAST OCTET BIT VALUE 64 LAST OCTET BIT VALUE 0 Table 132 Subnet 2 IP/SUBNET MASK IP Address IP Address (Binary) Subnet Mask (Binary) Subnet Address:
192.168.1.64 Broadcast Address:
192.168.100.127 IP Address (Decimal) IP Address (Binary) Subnet Mask (Binary) Subnet Address:
192.168.1.0 Broadcast Address:
192.168.1.63 192.168.1. 11000000.10101000.00000001. 01000000 11111111.11111111.11111111. 11000000 Lowest Host ID: 192.168.1.65 192.168.1. 11000000.10101000.00000001. 00000000 11111111.11111111.11111111. 11000000 Lowest Host ID: 192.168.100.1 Each subnet contains 6 host ID bits, giving 26 - 2 or 62 hosts for each subnet (a host ID of all zeroes is the subnet itself, all ones is the subnets broadcast address). Table 131 Subnet 1 IP/SUBNET MASK Company Confidential 192.168.1. 11000000.10101000.00000001. 10000000 11111111.11111111.11111111. 11000000 Lowest Host ID: 192.168.100.129 IP Address IP Address (Binary) Subnet Mask (Binary) Subnet Address:
192.168.100.128 Broadcast Address:
192.168.100.191 192.168.1. 11000000.10101000.00000001
. 11111111.11111111.11111111
. LAST OCTET BIT VALUE 192 11000000 Table 133 Subnet 3 IP/SUBNET MASK Table 134 Subnet 4 IP/SUBNET MASK LAST OCTET BIT VALUE 128 IP Address IP Address (Binary) Highest Host ID: 192.168.100.126 Highest Host ID: 192.168.100.190 NETWORK NUMBER NETWORK NUMBER Subnet Mask (Binary) 11000000 Users Guide 343 Appendix EIP Addresses and Subnetting Table 134 Subnet 4 (continued) IP/SUBNET MASK NETWORK NUMBER Highest Host ID: 192.168.1.254 Lowest Host ID: 192.168.100.193 LAST OCTET BIT VALUE FIRST ADDRESS LAST Example: Eight Subnets Subnet Address:
192.168.100.192 Broadcast Address:
192.168.1.255 Similarly, use a 27-bit mask to create eight subnets (000, 001, 010, 011, 100, 101, 110 and 111). The following table shows IP address last octet values for each subnet. Table 135 Eight Subnets SUBNET Company Confidential The following table is a summary for subnet planning on a network with a 24-bit network number. Table 136 24-bit Network Number Subnet Planning NO. BORROWED HOST BITS 1 2 3 4 5 6 7 255.255.255.128 (/25) 255.255.255.192 (/26) 255.255.255.224 (/27) 255.255.255.240 (/28) 255.255.255.248 (/29) 255.255.255.252 (/30) 255.255.255.254 (/31) BROADCAST ADDRESS 31 63 95 127 159 191 223 255 SUBNET ADDRESS 0 32 64 96 128 160 192 224 ADDRESS 30 62 94 126 158 190 222 254 SUBNET 126 62 30 14 6 2 1 NO. SUBNETS NO. HOSTS PER Subnet Planning 1 33 65 97 129 161 193 225 2 4 8 16 32 64 128 SUBNET MASK 1 2 3 4 5 6 7 8 344 Users Guide Appendix EIP Addresses and Subnetting SUBNET MASK NO. SUBNETS 2 4 8 16 32 64 128 256 512 1024 2048 4096 8192 16384 32768 NO. HOSTS PER SUBNET 32766 16382 8190 4094 2046 1022 510 254 126 62 30 14 6 2 1 255.255.128.0 (/17) 255.255.192.0 (/18) 255.255.224.0 (/19) 255.255.240.0 (/20) 255.255.248.0 (/21) 255.255.252.0 (/22) 255.255.254.0 (/23) 255.255.255.0 (/24) 255.255.255.128 (/25) 255.255.255.192 (/26) 255.255.255.224 (/27) 255.255.255.240 (/28) 255.255.255.248 (/29) 255.255.255.252 (/30) 255.255.255.254 (/31) The following table is a summary for subnet planning on a network with a 16-bit network number. Table 137 16-bit Network Number Subnet Planning NO. BORROWED HOST BITS 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 Company Confidential If the ISP did not explicitly give you an IP network number, then most likely you have a single user account and the ISP will assign you a dynamic IP address when the connection is established. If this is the case, it is recommended that you select a network number from 192.168.0.0 to 192.168.255.0. 
The Internet Assigned Number Authority (IANA) reserved this block of addresses specifically for private use; please do not use any other number unless you are told otherwise. You must also enable Network Address Translation (NAT) on the WiMAX Device. Where you obtain your network number depends on your particular situation. If the ISP or your network administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet mask. Once you have decided on the network number, pick an IP address for your WiMAX Device that is easy to remember (for instance, 192.168.100.1) but make sure that no other device on your network is using that IP address. The subnet mask specifies the network number portion of an IP address. Your WiMAX Device will compute the subnet mask automatically based on the IP Configuring IP Addresses Users Guide 345 Appendix EIP Addresses and Subnetting Private IP Addresses 192.168.0.0 192.168.255.255 address that you entered. You don't need to change the subnet mask computed by the WiMAX Device unless you are instructed to do otherwise. 10.0.0.0 10.255.255.255 172.16.0.0 172.31.255.255 Every machine on the Internet must have a unique address. If your networks are isolated from the Internet (running only between two branch offices, for example) you can assign any IP addresses to the hosts without problems. However, the Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of IP addresses specifically for private networks:
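The subnet arithmetic in this appendix (the logical AND with the mask, the 2^n - 2 host count, borrowing host bits, and the three private blocks) can be reproduced with a few bit operations. The following Python is an added example, not part of the ZyXEL manual; all function names are illustrative.

```python
"""IPv4 subnet arithmetic using the bitwise AND described in this appendix."""

ALL_ONES = 0xFFFFFFFF

# The three private blocks listed in this appendix, as (network, prefix length).
PRIVATE_BLOCKS = (("10.0.0.0", 8), ("172.16.0.0", 12), ("192.168.0.0", 16))


def ip_to_int(dotted):
    """Pack four decimal octets into one 32-bit integer."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four octets: {dotted!r}")
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range in {dotted!r}")
        value = (value << 8) | octet
    return value


def int_to_ip(value):
    """Unpack a 32-bit integer into dotted decimal notation."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix_len):
    """/25 -> 0xFFFFFF80: prefix_len ones from the left, then zeros."""
    if not 0 <= prefix_len <= 32:
        raise ValueError(f"prefix length out of range: {prefix_len}")
    return (ALL_ONES << (32 - prefix_len)) & ALL_ONES


def mask_to_prefix(dotted_mask):
    """255.255.255.248 -> 29; rejects masks whose ones are not contiguous."""
    inverted = ip_to_int(dotted_mask) ^ ALL_ONES
    if inverted & (inverted + 1):  # host part must look like 0...01...1
        raise ValueError(f"non-contiguous subnet mask: {dotted_mask!r}")
    return 32 - inverted.bit_length()


def describe(ip, prefix_len):
    """Subnet address, broadcast address, usable range and host count."""
    if prefix_len > 30:
        # The 2^n - 2 rule needs at least two host bits.
        raise ValueError("describe() covers prefix lengths up to /30")
    mask = prefix_to_mask(prefix_len)
    network = ip_to_int(ip) & mask           # host ID bits forced to zero
    broadcast = network | (mask ^ ALL_ONES)  # host ID bits forced to one
    return {
        "mask": int_to_ip(mask),
        "subnet": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "lowest_host": int_to_ip(network + 1),
        "highest_host": int_to_ip(broadcast - 1),
        "max_hosts": 2 ** (32 - prefix_len) - 2,
    }


def split(network, prefix_len, borrowed_bits):
    """Divide a network into 2**borrowed_bits subnets by borrowing host bits."""
    new_prefix = prefix_len + borrowed_bits
    base = ip_to_int(network) & prefix_to_mask(prefix_len)
    step = 1 << (32 - new_prefix)  # addresses per subnet
    return [describe(int_to_ip(base + i * step), new_prefix)
            for i in range(2 ** borrowed_bits)]


def same_subnet(ip_a, ip_b, prefix_len):
    """True when both addresses share a network number under this mask."""
    mask = prefix_to_mask(prefix_len)
    return ip_to_int(ip_a) & mask == ip_to_int(ip_b) & mask


def is_private(ip):
    """True when the address falls inside one of the three private blocks."""
    addr = ip_to_int(ip)
    return any(addr & prefix_to_mask(plen) == ip_to_int(net)
               for net, plen in PRIVATE_BLOCKS)


if __name__ == "__main__":
    # Reproduce the four-subnet example (two borrowed host ID bits).
    for subnet in split("192.168.1.0", 24, 2):
        print(subnet["subnet"], subnet["lowest_host"], "-",
              subnet["highest_host"], "broadcast", subnet["broadcast"])
```
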
You can obtain your IP address from the IANA, from an ISP, or it can be assigned from a private network. If you belong to a small organization and your Internet access is through an ISP, the ISP can provide you with the Internet addresses for your local networks. On the other hand, if you are part of a much larger organization, you should consult your network administrator for the appropriate IP addresses.

Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, Address Allocation for Private Internets and RFC 1466, Guidelines for Management of IP Address Space.

IP Address Conflicts

Each device on a network must have a unique IP address. Devices with duplicate IP addresses on the same network will not be able to access the Internet or other resources. The devices may also be unreachable through the network.

Conflicting Computer IP Addresses Example

More than one device cannot use the same IP address. In the following example computer A has a static (or fixed) IP address that is the same as the IP address that a DHCP server assigns to computer B which is a DHCP client. Neither can access the Internet. This problem can be solved by assigning a different static IP address to computer A or setting computer A to obtain an IP address automatically.

Figure 185 Conflicting Computer IP Addresses Example

Conflicting Router IP Addresses Example

Since a router connects different networks, it must have interfaces using different network numbers. For example, if a router is set between a LAN and the Internet (WAN), the router's LAN and WAN addresses must be on different subnets. In the following example, the LAN and WAN are on the same subnet. The LAN computers cannot access the Internet because the router cannot route between networks.

Figure 186 Conflicting Computer IP Addresses Example

Conflicting Computer and Router IP Addresses Example

More than one device cannot use the same IP address. In the following example, the computer and the router's LAN port both use 192.168.100.1 as the IP address. The computer cannot access the Internet. This problem can be solved by assigning a different IP address to the computer or the router's LAN port.

Figure 187 Conflicting Computer and Router IP Addresses Example

APPENDIX F
Importing Certificates

This appendix shows you how to import public key certificates into your web browser.

Public key certificates are used by web browsers to ensure that a secure web site is legitimate. When a certificate authority such as VeriSign, Comodo, or Network Solutions, to name a few, receives a certificate request from a website operator, they confirm that the web domain and contact information in the request match those on public record with a domain name registrar. If they match, then the certificate is issued to the website operator, who then places it on the site to be issued to all visiting web browsers to let them know that the site is legitimate.

Many ZyXEL products, such as the NSA-2401, issue their own public key certificates. These can be used by web browsers on a LAN or WAN to verify that they are in fact connecting to the legitimate device and not one masquerading as it.
However, because the certificates were not issued by one of the several organizations officially recognized by the most common web browsers, you will need to import the ZyXEL-created certificate into your web browser and flag that certificate as a trusted authority.

Note: You can see if you are browsing on a secure website if the URL in your web browser's address bar begins with https:// or there is a sealed padlock icon somewhere in the main browser window (not all browsers show the padlock in the same location).

In this appendix, you can import a public key certificate for:

Internet Explorer
Firefox
Opera
Konqueror
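Flagging a device-issued certificate as trusted only helps against a masquerading device if the certificate you import really came from your device. The following Python is an added example, not part of the ZyXEL manual: it compares the SHA-256 fingerprint of a certificate (a stand-alone PEM file, or one fetched from the device) with a reference fingerprint. It assumes you obtained the reference over a path you already trust; the function names and the sample bytes are constructed for illustration.

```python
"""Compare a certificate's SHA-256 fingerprint with a trusted reference value."""
import hashlib
import hmac
import ssl

# Constructed stand-in bytes, NOT a real certificate. The fingerprint is a hash
# over the DER encoding, so any byte string exercises the same code path.
CONSTRUCTED_DER = b"constructed stand-in for a DER-encoded device certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(CONSTRUCTED_DER)


def fingerprint_sha256(pem_text):
    """Return the SHA-256 fingerprint of a PEM certificate as lowercase hex."""
    der = ssl.PEM_cert_to_DER_cert(pem_text.strip())
    return hashlib.sha256(der).hexdigest()


def normalize_fingerprint(text):
    """Accept 'AB:CD:...', 'ab cd ...' or plain hex; return 64 lowercase hex digits."""
    cleaned = text.replace(":", "").replace(" ", "").strip().lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("reference is not a SHA-256 fingerprint (64 hex digits)")
    return cleaned


def matches_reference(pem_text, reference):
    """True only when the certificate hashes to the trusted reference value."""
    return hmac.compare_digest(fingerprint_sha256(pem_text),
                               normalize_fingerprint(reference))


def fetch_device_pem(host, port=443):
    """Fetch the certificate a device presents, without validating it.

    Nothing about this certificate is trusted until matches_reference()
    has confirmed it against a value obtained out of band.
    """
    return ssl.get_server_certificate((host, port))


if __name__ == "__main__":
    reference = fingerprint_sha256(SAMPLE_PEM)  # stands in for the trusted value
    print("fingerprint:", reference)
    print("match:", matches_reference(SAMPLE_PEM, reference))
```
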
Internet Explorer

The following example uses Microsoft Internet Explorer 7 on Windows XP Professional; however, the screens can also apply to Internet Explorer on Windows Vista.

1 If your device's web configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error.

Figure 188 Internet Explorer 7: Certification Error

2 Click Continue to this website (not recommended).

Figure 189 Internet Explorer 7: Certification Error

3 In the Address Bar, click Certificate Error > View certificates.

Figure 190 Internet Explorer 7: Certificate Error

4 In the Certificate dialog box, click Install Certificate.

Figure 191 Internet Explorer 7: Certificate

5 In the Certificate Import Wizard, click Next.

Figure 192 Internet Explorer 7: Certificate Import Wizard

6 If you want Internet Explorer to Automatically select certificate store based on the type of certificate, click Next again and then go to step 9.

Figure 193 Internet Explorer 7: Certificate Import Wizard

7 Otherwise, select Place all certificates in the following store and then click Browse.

Figure 194 Internet Explorer 7: Certificate Import Wizard

8 In the Select Certificate Store dialog box, choose a location in which to save the certificate and then click OK.

Figure 195 Internet Explorer 7: Select Certificate Store

9 In the Completing the Certificate Import Wizard screen, click Finish.

Figure 196 Internet Explorer 7: Certificate Import Wizard

10 If you are presented with another Security Warning, click Yes.
Figure 197 Internet Explorer 7: Security Warning

11 Finally, click OK when presented with the successful certificate installation message.

Figure 198 Internet Explorer 7: Certificate Import Wizard

12 The next time you start Internet Explorer and go to a ZyXEL web configurator page, a sealed padlock icon appears in the address bar. Click it to view the page's Website Identification information.

Figure 199 Internet Explorer 7: Website Identification

Installing a Stand-Alone Certificate File in Internet Explorer

Rather than browsing to a ZyXEL web configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you.

1 Double-click the public key certificate file.

Figure 200 Internet Explorer 7: Public Key Certificate File

2 In the security warning dialog box, click Open.

Figure 201 Internet Explorer 7: Open File - Security Warning

3 Refer to steps 4-12 in the Internet Explorer procedure above to complete the installation process.

Removing a Certificate in Internet Explorer

This section shows you how to remove a public key certificate in Internet Explorer 7.

1 Open Internet Explorer and click TOOLS > Internet Options.

Figure 202 Internet Explorer 7: Tools Menu

2 In the Internet Options dialog box, click Content > Certificates.

Figure 203 Internet Explorer 7: Internet Options

3 In the Certificates dialog box, click the Trusted Root Certificates Authorities tab, select the certificate that you want to delete, and then click Remove.

Figure 204 Internet Explorer 7: Certificates

4 In the Certificates confirmation, click Yes.

Figure 205 Internet Explorer 7: Certificates

5 In the Root Certificate Store dialog box, click Yes.

Figure 206 Internet Explorer 7: Root Certificate Store

6 The next time you go to the web site that issued the public key certificate you just removed, a certification error appears.

Firefox

The following example uses Mozilla Firefox 2 on Windows XP Professional; however, the screens can also apply to Firefox 2 on all platforms.

1 If your device's web configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error.

2 Select Accept this certificate permanently and click OK.

Figure 207 Firefox 2: Website Certified by an Unknown Authority

3 The certificate is stored and you can now connect securely to the web configurator. A sealed padlock appears in the address bar, which you can click to open the Page Info > Security window to view the web page's security information.

Figure 208 Firefox 2: Page Info

Installing a Stand-Alone Certificate File in Firefox

Rather than browsing to a ZyXEL web configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you.

1 Open Firefox and click TOOLS > Options.

Figure 209 Firefox 2: Tools Menu

2 In the Options dialog box, click ADVANCED > Encryption > View Certificates.

Figure 210 Firefox 2: Options

3 In the Certificate Manager dialog box, click Web Sites > Import.

Figure 211 Firefox 2: Certificate Manager

4 Use the Select File dialog box to locate the certificate and then click Open.

Figure 212 Firefox 2: Select File

5 The next time you visit the web site, click the padlock in the address bar to open the Page Info > Security window to see the web page's security information.

Removing a Certificate in Firefox

3 In the Certificate Manager dialog box, select the Web Sites tab, select the certificate that you want to remove, and then click Delete.

Figure 215 Firefox 2: Certificate Manager

4 In the Delete Web Site Certificates dialog box, click OK.

Figure 216 Firefox 2: Delete Web Site Certificates

5 The next time you go to the web site that issued the public key certificate you just removed, a certification error appears.

Opera

The following example uses Opera 9 on Windows XP Professional; however, the screens can apply to Opera 9 on all platforms.

1 If your device's web configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error.

2 Click Install to accept the certificate.

Figure 217 Opera 9: Certificate signer not found

3 The next time you visit the web site, click the padlock in the address bar to open the Security information window to view the web page's security details.

Figure 218 Opera 9: Security information

Installing a Stand-Alone Certificate File in Opera

Rather than browsing to a ZyXEL web configurator and installing a public key certificate when prompted, you can install a stand-alone certificate file if one has been issued to you.

1 Open Opera and click TOOLS > Preferences.

Figure 219 Opera 9: Tools Menu

2 In Preferences, click ADVANCED > Security > Manage certificates.

Figure 220 Opera 9: Preferences

3 In the Certificates Manager, click Authorities > Import.

Figure 221 Opera 9: Certificate manager

4 Use the Import certificate dialog box to locate the certificate and then click Open.

Figure 222 Opera 9: Import certificate

5 In the Install authority certificate dialog box, click Install.

Figure 223 Opera 9: Install authority certificate

6 Next, click OK.

Figure 224 Opera 9: Install authority certificate

7 The next time you visit the web site, click the padlock in the address bar to open the Security information window to view the web page's security details.

Removing a Certificate in Opera

This section shows you how to remove a public key certificate in Opera 9.

1 Open Opera and click TOOLS > Preferences.

Figure 225 Opera 9: Tools Menu

2 In Preferences, click ADVANCED > Security > Manage certificates.

Figure 226 Opera 9: Preferences

3 In the Certificates manager, select the Authorities tab, select the certificate that you want to remove, and then click Delete.

Figure 227 Opera 9: Certificate manager

4 The next time you go to the web site that issued the public key certificate you just removed, a certification error appears.

Note: There is no confirmation when you delete a certificate authority, so be absolutely certain that you want to go through with it before clicking the button.

Konqueror

The following example uses Konqueror 3.5 on openSUSE 10.3, however the screens apply to Konqueror 3.5 on all Linux KDE distributions.

1 If your device's web configurator is set to use SSL certification, then the first time you browse to it you are presented with a certification error.

2 Click Continue.

Figure 228 Konqueror 3.5: Server Authentication

3 Click Forever when prompted to accept the certificate.

Figure 229 Konqueror 3.5: Server Authentication

4 Click the padlock in the address bar to open the KDE SSL Information window and view the web page's security details.
Figure 230 Konqueror 3.5: KDE SSL Information

Installing a Stand-Alone Certificate File in Konqueror

3 The next time you visit the web site, click the padlock in the address bar to open the KDE SSL Information window to view the web page's security details.

Removing a Certificate in Konqueror

This section shows you how to remove a public key certificate in Konqueror 3.5.

1 Open Konqueror and click Settings > Configure Konqueror.

Figure 234 Konqueror 3.5: Settings Menu

2 In the Configure dialog box, select Crypto.

3 On the Peer SSL Certificates tab, select the certificate you want to delete and then click Remove.

Figure 235 Konqueror 3.5: Configure

4 The next time you go to the web site that issued the public key certificate you just removed, a certification error appears.

Note: There is no confirmation when you remove a certificate authority, so be absolutely certain you want to go through with it before clicking the button.

APPENDIX G
SIP Passthrough

Enabling/Disabling the SIP ALG

You can turn off the WiMAX Device SIP ALG to avoid retranslating the IP address of an existing SIP device that is using STUN. If you want to use STUN with a SIP client device (a SIP phone or IP phone for example) behind the WiMAX Device, use the ip alg disable ALG_SIP command to turn off the SIP ALG.

Signaling Session Timeout

Most SIP clients have an expire mechanism indicating the lifetime of signaling sessions. The SIP UA sends registration packets to the SIP server periodically and keeps the session alive in the WiMAX Device.
If the SIP client does not have this mechanism and makes no call during the WiMAX Device SIP timeout default (60 minutes), the WiMAX Device SIP ALG drops any incoming calls after the timeout period. You can use the ip alg siptimeout command to change the timeout value.

Audio Session Timeout

If no voice packets go through the SIP ALG before the timeout period default (5 minutes) expires, the SIP ALG does not drop the call but blocks all voice traffic and deletes the audio session. You cannot hear anything and you will need to make a new call to continue your conversation.

APPENDIX H
Common Services

The following table lists some commonly-used services and their associated protocols and port numbers. For a comprehensive list of port numbers, ICMP type/code numbers and services, visit the IANA (Internet Assigned Numbers Authority) web site.

Name: This is a short, descriptive name for the service. You can use this one or create a different one, if you like.

Protocol: This is the type of IP protocol used by the service. If this is TCP/UDP, then the service uses the same port number with TCP and UDP. If this is USER-DEFINED, the Port(s) is the IP protocol number, not the port number.

Port(s): This value depends on the Protocol. Please refer to RFC 1700 for further information about port numbers.
If the Protocol is TCP, UDP, or TCP/UDP, this is the IP port number.
If the Protocol is USER, this is the IP protocol number.

Description: This is a brief explanation of the applications that use this service or the situations in which this service is used.

Table 138 Commonly Used Services

| NAME | PROTOCOL | PORT(S) | DESCRIPTION |
|---|---|---|---|
| AH (IPSEC_TUNNEL) | User-Defined | 51 | The IPSEC AH (Authentication Header) tunneling protocol uses this service. |
| AIM/New-ICQ | TCP | 5190 | AOL's Internet Messenger service. It is also used as a listening port by ICQ. |
| AUTH | TCP | 113 | Authentication protocol used by some servers. |
| BGP | TCP | 179 | Border Gateway Protocol. |
| BOOTP_CLIENT | UDP | 68 | DHCP Client. |
| BOOTP_SERVER | UDP | 67 | DHCP Server. |
| CU-SEEME | TCP, UDP | 7648, 24032 | A popular videoconferencing solution from White Pines Software. |
| DNS | TCP/UDP | 53 | Domain Name Server, a service that matches web names (for example www.zyxel.com) to IP numbers. |
| ESP (IPSEC_TUNNEL) | User-Defined | 50 | The IPSEC ESP (Encapsulation Security Protocol) tunneling protocol uses this service. |
| FINGER | TCP | 79 | Finger is a UNIX or Internet related command that can be used to find out if a user is logged on. |
| FTP | TCP, TCP | 20, 21 | File Transfer Program, a program to enable fast transfer of files, including large files that may not be possible by e-mail. |
| H.323 | TCP | 1720 | NetMeeting uses this protocol. |
| HTTP | TCP | 80 | Hyper Text Transfer Protocol - a client/server protocol for the world wide web. |
| HTTPS | TCP | 443 | HTTPS is a secured http session often used in e-commerce. |
| ICMP | User-Defined | 1 | Internet Control Message Protocol is often used for diagnostic or routing purposes. |
| ICQ | UDP | 4000 | This is a popular Internet chat program. |
| IGMP (MULTICAST) | User-Defined | 2 | Internet Group Management Protocol is used when sending packets to a specific group of hosts. |
| IKE | UDP | 500 | The Internet Key Exchange algorithm is used for key distribution and management. |
| IRC | TCP/UDP | 6667 | This is another popular Internet chat program. |
| MSN Messenger | TCP | 1863 | Microsoft Networks' messenger service uses this protocol. |
| NEW-ICQ | TCP | 5190 | An Internet chat program. |
| NEWS | TCP | 144 | A protocol for news groups. |
| NFS | UDP | 2049 | Network File System - NFS is a client/server distributed file service that provides transparent file sharing for network environments. |
| NNTP | TCP | 119 | Network News Transport Protocol is the delivery mechanism for the USENET newsgroup service. |
| PING | User-Defined | 1 | Packet INternet Groper is a protocol that sends out ICMP echo requests to test whether or not a remote host is reachable. |
| POP3 | TCP | 110 | Post Office Protocol version 3 lets a client computer get e-mail from a POP3 server through a temporary connection (TCP/IP or other). |
| PPTP | TCP | 1723 | Point-to-Point Tunneling Protocol enables secure transfer of data over public networks. This is the control channel. |
| PPTP_TUNNEL (GRE) | User-Defined | 47 | PPTP (Point-to-Point Tunneling Protocol) enables secure transfer of data over public networks. This is the data channel. |
| RCMD | TCP | 512 | Remote Command Service. |
| REAL_AUDIO | TCP | 7070 | A streaming audio service that enables real time sound over the web. |
| REXEC | TCP | 514 | Remote Execution Daemon. |
| RLOGIN | TCP | 513 | Remote Login. |
| RTELNET | TCP | 107 | Remote Telnet. |
| RTSP | TCP/UDP | 554 | The Real Time Streaming (media control) Protocol (RTSP) is a remote control for multimedia on the Internet. |
| SFTP | TCP | 115 | Simple File Transfer Protocol. |
| SMTP | TCP | 25 | Simple Mail Transfer Protocol is the message-exchange standard for the Internet. SMTP enables you to move messages from one e-mail server to another. |
| SNMP | TCP/UDP | 161 | Simple Network Management Program. |
| SNMP-TRAPS | TCP/UDP | 162 | Traps for use with the SNMP (RFC:1215). |
| SQL-NET | TCP | 1521 | Structured Query Language is an interface to access data on many different types of database systems, including mainframes, midrange systems, UNIX systems and network servers. |
| SSH | TCP/UDP | 22 | Secure Shell Remote Login Program. |
| STRM WORKS | UDP | 1558 | Stream Works Protocol. |
| SYSLOG | UDP | 514 | Syslog allows you to send system logs to a UNIX server. |
| TACACS | UDP | 49 | Login Host Protocol used for (Terminal Access Controller Access Control System). |
| TELNET | TCP | 23 | Telnet is the login and terminal emulation protocol common on the Internet and in UNIX environments. It operates over TCP/IP networks. Its primary function is to allow users to log into remote host systems. |
| TFTP | UDP | 69 | Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP, but uses the UDP (User Datagram Protocol) rather than TCP (Transmission Control Protocol). |
| VDOLIVE | TCP | 7000 | Another videoconferencing solution. |

APPENDIX I
Legal Information

Copyright

Copyright 2009 by ZyXEL Communications Corporation.

The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation.

Published by ZyXEL Communications Corporation. All rights reserved.

Disclaimers

ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein. Neither does it convey any license under its patent rights nor the patent rights of others. ZyXEL further reserves the right to make changes in any products described herein without notice. This publication is subject to change without notice.

Do not use the WiMAX Device for illegal purposes. Illegal downloading or sharing of files can result in severe civil and criminal penalties. You are subject to the restrictions of copyright laws and any other applicable laws, and will bear the consequences of any infringements thereof. ZyXEL bears NO responsibility or liability for your use of the download service feature.

Your use of the WiMAX Device is subject to the terms and conditions of any related service providers.

Trademarks

Trademarks mentioned in this publication are used for identification purposes only and may be properties of their respective owners.

Certifications

Federal Communications Commission (FCC) Interference Statement

The device complies with Part 15 of FCC rules.

This device may not cause harmful interference.
This device must accept any interference received, including interference that may cause undesired operations.
Operation is subject to the following two conditions:
If this device does cause harmful interference to radio/television reception, which can be determined by turning the device off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
This device has been tested and found to comply with the limits for a Class B digital device pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This device generates, uses, and can radiate radio frequency energy, and if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. Company Confidential FCC Radiation Exposure Statement This transmitter must not be co-located or operating in conjunction distance ofatleast23cm mustbemaintainedbetweenthe antenna ofthis device and all persons. 3 Connect the equipment into an outlet on a circuit different from that to which the 4 Consult the dealer or an experienced radio/TV technician for help. To comply with FCC RF exposure compliance requirements, a separation Increase the separation between the equipment and the receiver. 1 Reorient or relocate the receiving antenna. with any other antenna or transmitter. receiver is connected. 2 388 Users Guide Appendix ILegal Information Notices Viewing Certifications 1 Go to http://www.zyxel.com. This Class B digital apparatus complies with Canadian ICES-003. 2 Select your product on the ZyXEL home page to go to that product's page. Cet appareil numrique de la classe B est conforme la norme NMB-003 du Canada. Changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the equipment. Company Confidential ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. 
During the warranty period, and upon proof of purchase, should the product have indications of failure due to faulty workmanship and/or materials, ZyXEL will, at its discretion, repair or replace the defective products or components without charge for either parts or labor, and to whatever extent it shall deem necessary to restore the product or components to proper operating condition. Any replacement will consist of a new or re-manufactured functionally equivalent product of equal or higher value, and will be solely at the discretion of ZyXEL. This warranty shall not apply if the product has been modified, misused, tampered with, damaged by an act of God, or subjected to abnormal working conditions. Repair or replacement, as provided under this warranty, is the exclusive remedy of the purchaser. This warranty is in lieu of all other warranties, express or 3 Select the certification you wish to view from this page. ZyXEL Limited Warranty Note Users Guide 389 Appendix ILegal Information Registration implied, including any implied warranty of merchantability or fitness for a particular use or purpose. ZyXEL shall in no event be held liable for indirect or consequential damages of any kind to the purchaser. Register your product online to receive e-mail notices of firmware upgrades and information at www.zyxel.com. To obtain the services of this warranty, contact your vendor. You may also refer to the warranty policy for the region in which you bought the device at http://
www.zyxel.com/web/support_warranty_info.php.

APPENDIX J
Customer Support

In the event of problems that cannot be solved by using this manual, you should contact your vendor. If you cannot contact your vendor, then contact a ZyXEL office for the region in which you bought the device. Regional offices are listed below (see also http://www.zyxel.com/web/contact_us.php). Please have the following information ready when you contact an office.

Required Information

- Product model and serial number.
- Warranty Information.
- Date that you received your device.
- Brief description of the problem and the steps you took to solve it.

"+" is the (prefix) number you dial to make an international telephone call.

Corporate Headquarters (Worldwide)
Support E-mail: support@zyxel.com.tw
Sales E-mail: sales@zyxel.com.tw
Telephone: +886-3-578-3942
Fax: +886-3-578-2439
Web: www.zyxel.com
Regular Mail: ZyXEL Communications Corp., 6 Innovation Road II, Science Park, Hsinchu 300, Taiwan

China - ZyXEL Communications (Beijing) Corp.
Support E-mail: cso.zycn@zyxel.cn
Sales E-mail: sales@zyxel.cn
Telephone: +86-010-82800646
Fax: +86-010-82800587
Address: 902, Unit B, Horizon Building, No.6, Zhichun Str, Haidian District, Beijing
Web: http://www.zyxel.cn

China - ZyXEL Communications (Shanghai) Corp.
Support E-mail: cso.zycn@zyxel.cn
Sales E-mail: sales@zyxel.cn
Telephone: +86-021-61199055
Fax: +86-021-52069033
Address: 1005F, ShengGao International Tower, No.137 XianXia Rd., Shanghai
Web: http://www.zyxel.cn

Costa Rica
Support E-mail: soporte@zyxel.co.cr
Sales E-mail: sales@zyxel.co.cr
Telephone: +506-2017878
Fax: +506-2015098
Web: www.zyxel.co.cr
Regular Mail: ZyXEL Costa Rica, Plaza Roble Escazú, Etapa El Patio, Tercer Piso, San José, Costa Rica

Czech Republic
E-mail: info@cz.zyxel.com
Telephone: +420-241-091-350
Fax: +420-241-091-359
Web: www.zyxel.cz
Regular Mail: ZyXEL Communications, Czech s.r.o., Modranská 621, 143 01 Praha 4 - Modrany, Ceská Republika

Denmark
Support E-mail: support@zyxel.dk
Sales E-mail: sales@zyxel.dk
Telephone: +45-39-55-07-00
Fax: +45-39-55-07-07
Web: www.zyxel.dk
Regular Mail: ZyXEL Communications A/S, Columbusvej, 2860 Soeborg, Denmark

Finland
Support E-mail: support@zyxel.fi
Sales E-mail: sales@zyxel.fi
Telephone: +358-9-4780-8411
Fax: +358-9-4780-8448
Web: www.zyxel.fi
Regular Mail: ZyXEL Communications Oy, Malminkaari 10, 00700 Helsinki, Finland

France
E-mail: info@zyxel.fr
Telephone: +33-4-72-52-97-97
Fax: +33-4-72-52-19-20
Web: www.zyxel.fr
Regular Mail: ZyXEL France, 1 rue des Vergers, Bat. 1 / C, 69760 Limonest, France

Germany
Support E-mail: support@zyxel.de
Sales E-mail: sales@zyxel.de
Telephone: +49-2405-6909-69
Fax: +49-2405-6909-99
Web: www.zyxel.de
Regular Mail: ZyXEL Deutschland GmbH., Adenauerstr. 20/A2 D-52146, Wuerselen, Germany

Hungary
Support E-mail: support@zyxel.hu
Sales E-mail: info@zyxel.hu
Telephone: +36-1-3361649
Fax: +36-1-3259100
Web: www.zyxel.hu
Regular Mail: ZyXEL Hungary, 48, Zoldlomb Str., H-1025, Budapest, Hungary

India
Support E-mail: support@zyxel.in
Sales E-mail: sales@zyxel.in
Telephone: +91-11-30888144 to +91-11-30888153
Fax: +91-11-30888149, +91-11-26810715
Web: http://www.zyxel.in
Regular Mail: India - ZyXEL Technology India Pvt Ltd., II-Floor, F2/9 Okhla Phase -1, New Delhi 110020, India

Japan
Support E-mail: support@zyxel.co.jp
Sales E-mail: zyp@zyxel.co.jp
Telephone: +81-3-6847-3700
Fax: +81-3-6847-3705
Web: www.zyxel.co.jp
Regular Mail: ZyXEL Japan, 3F, Office T&U, 1-10-10 Higashi-Gotanda, Shinagawa-ku, Tokyo 141-0022, Japan

Kazakhstan
Support: http://zyxel.kz/support
Sales E-mail: sales@zyxel.kz
Telephone: +7-3272-590-698
Fax: +7-3272-590-689
Web: www.zyxel.kz
Regular Mail: ZyXEL Kazakhstan, 43 Dostyk Ave., Office 414, Dostyk Business Centre, 050010 Almaty, Republic of Kazakhstan

Malaysia
Support E-mail: support@zyxel.com.my
Sales E-mail: sales@zyxel.com.my
Telephone: +603-8076-9933
Fax: +603-8076-9833
Web: http://www.zyxel.com.my
Regular Mail: ZyXEL Malaysia Sdn Bhd., 1-02 & 1-03, Jalan Kenari 17F, Bandar Puchong Jaya, 47100 Puchong, Selangor Darul Ehsan, Malaysia

North America
Support E-mail: support@zyxel.com
Support Telephone: +1-800-978-7222
Sales E-mail: sales@zyxel.com
Sales Telephone: +1-714-632-0882
Fax: +1-714-632-0858
Web: www.zyxel.com
Regular Mail: ZyXEL Communications Inc., 1130 N. Miller St., Anaheim, CA 92806-2001, U.S.A.

Norway
Support E-mail: support@zyxel.no
Sales E-mail: sales@zyxel.no
Telephone: +47-22-80-61-80
Fax: +47-22-80-61-81
Web: www.zyxel.no
Regular Mail: ZyXEL Communications A/S, Nils Hansens vei 13, 0667 Oslo, Norway

Poland
E-mail: info@pl.zyxel.com
Telephone: +48-22-333 8250
Fax: +48-22-333 8251
Web: www.pl.zyxel.com
Regular Mail: ZyXEL Communications, ul. Okrzei 1A, 03-715 Warszawa, Poland

Russia
Support: http://zyxel.ru/support
Sales E-mail: sales@zyxel.ru
Telephone: +7-095-542-89-29
Fax: +7-095-542-89-25
Web: www.zyxel.ru
Regular Mail: ZyXEL Russia, Ostrovityanova 37a Str., Moscow 117279, Russia

Singapore
Support E-mail: support@zyxel.com.sg
Sales E-mail: sales@zyxel.com.sg
Telephone: +65-6899-6678
Fax: +65-6899-8887
Web: http://www.zyxel.com.sg
Regular Mail: ZyXEL Singapore Pte Ltd., No. 2 International Business Park, The Strategy #03-28, Singapore 609930

Spain
Support E-mail: support@zyxel.es
Sales E-mail: sales@zyxel.es
Telephone: +34-902-195-420
Fax: +34-913-005-345
Web: www.zyxel.es
Regular Mail: ZyXEL Communications, Arte, 21 5ª planta, 28033 Madrid, Spain

Sweden
Support E-mail: support@zyxel.se
Sales E-mail: sales@zyxel.se
Telephone: +46-31-744-7700
Fax: +46-31-744-7701
Web: www.zyxel.se
Regular Mail: ZyXEL Communications A/S, Sjöporten 4, 41764 Göteborg, Sweden

Taiwan
Support E-mail: support@zyxel.com.tw
Sales E-mail: sales@zyxel.com.tw
Telephone: +886-2-27399889
Fax: +886-2-27353220
Web: http://www.zyxel.com.tw
Address: Room B, 21F., No.333, Sec. 2, Dunhua S. Rd., Da-an District, Taipei

Thailand
Support E-mail: support@zyxel.co.th
Sales E-mail: sales@zyxel.co.th
Telephone: +662-831-5315
Fax: +662-831-5395
Web: http://www.zyxel.co.th
Regular Mail: ZyXEL Thailand Co., Ltd., 1/1 Moo 2, Ratchaphruk Road, Bangrak-Noi, Muang, Nonthaburi 11000, Thailand.

Turkey
Support E-mail: cso@zyxel.com.tr
Telephone: +90 212 222 55 22
Fax: +90-212-220-2526
Web: http://www.zyxel.com.tr
Address: Kaptanpasa Mahallesi Piyalepasa Bulvari Ortadogu Plaza N:14/13 K:6 Okmeydani/Sisli Istanbul/Turkey

Ukraine
Support E-mail: support@ua.zyxel.com
Sales E-mail: sales@ua.zyxel.com
Telephone: +380-44-247-69-78
Fax: +380-44-494-49-32
Web: www.ua.zyxel.com
Regular Mail: ZyXEL Ukraine, 13, Pimonenko Str., Kiev 04050, Ukraine

United Kingdom
Support E-mail: support@zyxel.co.uk
Sales E-mail: sales@zyxel.co.uk
Telephone: +44-1344-303044, 0845 122 0301 (UK only)
Fax: +44-1344-303034
Web: www.zyxel.co.uk
Regular Mail: ZyXEL Communications UK Ltd., 11 The Courtyard, Eastern Road, Bracknell, Berkshire RG12 2XB, United Kingdom (UK)
 | | frequency | equipment class | purpose
---|---|---|---|---
1 | 2009-07-08 | 2505 ~ 2685 | TNB - Licensed Non-Broadcast Station Transmitter | Original Equipment
app s | Applicant Information |
---|---|---
1 | Effective | 2009-07-08
1 | Applicant's complete, legal business name | ZyXEL Communications Corporation
1 | FCC Registration Number (FRN) | 0021059092
1 | Physical Address | No.2, Industry East Road IX, Science Park
1 | | Hsinchu, N/A
1 | | Taiwan
app s | TCB Information |
1 | TCB Application Email Address | c******@curtis-straus.com
1 | TCB Scope | B1: Commercial mobile radio services equipment in the following 47 CFR Parts 20, 22 (cellular), 24,25 (below 3 GHz) & 27
app s | FCC ID |
1 | Grantee Code | I88
1 | Equipment Product Code | MAX306
app s | Person at the applicant's address to receive grant or for contact |
1 | Name | E**** B********
1 | Title | Section Manager
1 | Telephone Number | 886 3******** Extension:
1 | Fax Number | 886 3********
1 | | E******@zyxel.com.tw
app s | Technical Contact |
1 | Firm Name | Bureau Veritas CPS (H.K.) Ltd. Taoyuan Branch
1 | Name | E**** L****
1 | Physical Address | 81-1 Luliaoken, 9th Lin, Wulung Tsuen Chiunglin
1 | | Hsinchu, 307
1 | | Taiwan
1 | Telephone Number | 886-3******** Extension:
1 | Fax Number | 886-3********
1 | | e******@adt.com.tw
app s | Non Technical Contact |
1 | Firm Name | Bureau Veritas CPS (H.K.) Ltd. Taoyuan Branch
1 | Name | E****** L********
1 | Physical Address | 81-1 Luliaoken, 9th Lin, Wulung Tsuen Chiunglin
1 | | Hsinchu, 307
1 | | Taiwan
1 | Telephone Number | 886-3******** Extension:
1 | Fax Number | 886-3********
1 | | e******@adt.com.tw
app s | Confidentiality (long or short term) |
1 | Does this application include a request for confidentiality for any portion(s) of the data contained in this application pursuant to 47 CFR § 0.459 of the Commission Rules?: | Yes
1 | Long-Term Confidentiality Does this application include a request for confidentiality for any portion(s) of the data contained in this application pursuant to 47 CFR § 0.459 of the Commission Rules?: | No
If no date is supplied, the release date will be set to 45 calendar days past the date of grant. | |
app s | Cognitive Radio & Software Defined Radio, Class, etc |
1 | Is this application for software defined/cognitive radio authorization? | No
1 | Equipment Class | TNB - Licensed Non-Broadcast Station Transmitter
1 | Description of product as it is marketed: (NOTE: This text will appear below the equipment class on the grant) | 2.5GHz MIMO Outdoor CPE
1 | Related OET KnowledgeDataBase Inquiry: Is there a KDB inquiry associated with this application? | No
1 | Modular Equipment Type | Does not apply
1 | Purpose / Application is for | Original Equipment
1 | Composite Equipment: Is the equipment in this application a composite device subject to an additional equipment authorization? | No
1 | Related Equipment: Is the equipment in this application part of a system that operates with, or is marketed with, another device that requires an equipment authorization? | No
1 | Grant Comments | Power listed is conducted. The device is a 2.5G WiMAX outdoor 1Tx2R MIMO user station. This device must be professionally installed. Marketing to the General Public is prohibited. Only those antenna(s) tested with the device or similar antenna(s) with equal or lesser gain may be used with this transmitter. The use of other antenna requires a Class II Permissive Change filing. The antenna(s) used for this transmitter must be installed to provide a separation distance of at least 23cm from all persons. The antenna(s) must not be collocated or operating in conjunction with any other antenna or transmitter. End users must be provided with operating instructions for satisfying RF exposure compliance requirements.
1 | Is there an equipment authorization waiver associated with this application? | No
1 | If there is an equipment authorization waiver associated with this application, has the associated waiver been approved and all information uploaded? | No
app s | Test Firm Name and Contact Information |
1 | Firm Name | Bureau Veritas CPS (H.K.) Ltd. Taoyuan Branch
1 | Name | R******** C********
1 | Telephone Number | 886-3********
1 | Fax Number | 886-3********
1 | | r******@tw.bureauveritas.com
Equipment Specifications

 | Line | Rule Parts | Grant Notes | Lower Frequency | Upper Frequency | Power Output | Tolerance | Emission Designator | Microprocessor Number
---|---|---|---|---|---|---|---|---|---
1 | 1 | 27 | MO | 2500 | 2685 | 0.478 | 2.5 ppm | 5M34W7D |
1 | 2 | 27 | MO | 2505 | 2685 | 0.411 | 2.5 ppm | 10M6W7D |
some individual PII (Personally Identifiable Information) available on the public forms may be redacted, original source may include additional details