edgeBOX User's Guide, v4.0
Contents
1. GSM: Usually used on European mobile networks, this codec uses a small amount of bandwidth, providing an acceptable quality of sound. ULAW (G.711): Known as the native codec in modern communication lines. Provides good quality sound at the expense of bandwidth. It is the most commonly used codec for VoIP calls because, besides being supported by most VoIP providers, it has the lowest latency, as no type of compression is used. It is the codec used in PSTN and ISDN lines. ALAW (G.711): Basically a G.711 version used in E1 (European) lines. If there isn't a specific system requirement, the choice should be ULAW, because it is compatible with most phones and softphones available on the market. ADPCM: This is a legacy codec, kept for compatibility with version 3 of edgeBOX. G.729: Offers good sound quality with conservative use of bandwidth. However, to be able to use it, a license must be acquired. H26: These codecs are used for video calls. 3.2.8.1.1.4 Privacy: In this panel you may enter a set of IP addresses from where users will not be able to register with this phone's credentials, allowing for better control by the administrator. 2006 Critical Links SA, edgeBOX User's Guide v4.0. 3.2.8.1.2 Edit 3.2.8.1.3 Delete 3.2.8.2
2. 3.2.8.4.5.1 Add HuntGroup: This option allows you to create a new huntgroup. You will need to supply the following information: Name, the name for this huntgroup; and Phones, the phones associated with the huntgroup. After selecting the desired extension, press the Add button to add the phone to the huntgroup. When configuring the IVR system, remember that all huntgroups configured may be used in the action HuntGroup. 3.2.8.4.6 Voicemail: In the voicemail configuration panel you can define some of its functional parameters. In general settings you can define: Voicemail Extension, the extension number where you can access the voicemail system and hear your messages; Max Messages, the maximum number of messages that a user can have in his/her mailbox. You can also define parameters to the notification messages, i.e. messages edgeBOX sends when a user receives a new voicema
3. 12. If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 13. The Free Software Foundation may publish revised and/or new versions of the Lesser General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Library specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Library does not specify a license version number, you may choose any version ever published by the Free Software Foundation. 14. If you wish to incorporate parts of the Library into other free programs whose distribution conditions are incompatible with these, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make
4. Appendix A: Authentication. edgeBOX runs several services under which you have to provide credentials. There are a whole lot of possible authentication scenarios and configurations. In this appendix, edgeBOX's authentication architecture will be explained. It is important to understand these concepts, as they will be needed if you want to deploy a remote authentication scenario. Next, it will be shown what happens when the Require users to login option is enabled. Then the complete sequence of events will be reviewed and detailed. Finally, some remote configuration examples will be shown. 9.1 Authentication architecture: Authentication (proving who you are) and authorisation (what you can do) are handled in a mixed manner in edgeBOX. Considering first a local authentication scenario, upon user creation you need to provide a password and define which services a user will be authorised to use. Services available in edgeBOX are: regular services such as POP3, IMAP, FTP and Internet access for LAN users; Windows use (Samba); Wireless (802.1x); PPTP; and VoIP. Internally, edgeBOX uses a Radius server configured to use an LDAP backend. 9.2 Require users to login vs Group Policies: Connections originating from the LAN to the Internet, to the Enterprise network and to services running on edgeBOX are granted by default. But you may choose t
5. This report shows the number of occurrences traffic was rejected per source address. This information is presented in graphical (Pie 3D, Pie 2D or line, selected by clicking the radio button) and tabular format. 8.4.13 By Destination Address Packets: This report shows the rejected traffic per destination address, in packets. This information is presented in graphical (Pie 3D, Pie 2D or line, selected by clicking the radio button) and tabular format.
6. 3.2.8.1.1.2 Advanced: This panel allows you to configure protocol-specific settings. Available options are: CallerID: the name by which calls will be identified to the called party. Usually identifies the person using the extension and their number. If left blank, a default CallerID will be generated using the data introduced previously in the basic configuration panel. NAT: this option should be checked when the client is behind a network address translation device, such as a router or a firewall. MD5 (SIP only): the password used when registering the client, encrypted by an MD5 hash. Type: type of client using this extension. Possible values are: Friend, this extension will be able to place and receive calls; User, this extension will only be able to place calls. Host: available values are: Static, if selected you will need to specify the IP address for the client registering with the credentials entered, using the Hostname text box; Dynamic (default), the client will provide its IP address when regi
7. 3.2.7.1 Domains: Displays a list of the web sites that are currently blocked. Enable: Check this box to enable web filtering based on the domain name of the web site. Add, Edit, Delete, Delete All: These buttons are used to edit the list of domain names currently filtered. When adding a new domain, the following rules apply. A single domain will match all URLs under that domain. As an example, if you specify example.com it will match example.com and example.com/test. A domain preceded by a dot will match that domain and all subdomains. For example, .example.com will match example.com as well as new.example.com or old.example.com. Add from file: A list of domain names can be stored in an external text file and loaded into the list in a single step. Clicking on this button displays a file dialog panel which allows you to locate the file on the local file system where the browser is being displayed. 3.2.2 Words in URL: Displays a list of words that are used to determine whether access to a web page should be b
8. 3.2.8.3.6 Authentication: edgeBOX supports authentication for outbound calls. Authentication is based on a PIN number, which is assigned on user creation (see Users in User and Group Management). Outbound call permissions (i.e. the type of outbound calls a user is allowed to make) are also set on user creation. This panel allows you to activate VoIP authentication. The system will block outbound calls if the user supplied invalid credentials or if the user doesn't have the necessary permissions to make the call. If authentication is not active, the system will still check the type of each call, but just to find the best LCR to use. In this mode of operation, users are not required to supply a PIN when making calls. 3.2.8.4 PBX Features: This section describes edgeBOX's IP PBX advanced features. All these features can be used in the IVR editor, making them available to calls coming from the external network. The following features will be described: Queues, Agents, Conferences, Parking, Huntgroups and Voicemail
9. 3. Apache License: This product includes software developed by the Apache Software Foundation (http://www.apache.org/). 4. The PHP License: The PHP License, version 3.0. Copyright (c) 1999 - 2002 The PHP Group. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. The name "PHP" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact group@php.net. 4. Products derived from this software may not be called "PHP", nor may "PHP" appear in their name, without prior written permission from group@php.net. You may indicate that your software works in conjunction with PHP by saying "Foo for PHP" instead of calling it "PHP Foo" or "phpfoo". 5. The PHP Group may publish revised and/or new versions of the license from time to time. Each version will be given a distinguishing version number. Once covered code has been published under a particular version of the license, you ma
10. 8.3.2 Top Level Destinations: This report shows the number of occurrences of the top level destination web pages accessed by LAN users, grouped by domain extension (for example .com, .net). It is possible to choose the type of graphic (Pie 3D, Pie 2D or line) by clicking the radio button. This information is also shown in table format. 8.3.3 Second Level Destinations: This report shows the number of occurrences of the second level destination web pages accessed by LAN users, grouped by domain (for example critical.com, edgebox.net). It is possible to choose the type of graphic (Pie 3D, Pie 2D or line) by clicking the radio button. This information is also shown in tabular format. 8.3.4 Content Type: This report shows the type of content of the files passing through the proxy server (for example text/plain, application/octet-stream, application/x-msn-messenger, image/gif). This information is presented in graphical (Pie 3D, Pie 2D or line, selected by c
11. 3.2.1.2.4 Hosts: This option allows management of the domain database. After selecting the domain and pressing Hosts, a new pop-up window will appear. In this window there is a table with all the entries for this domain database. Available actions are: Add: Allows you to add a new entry. A dialogue panel will be displayed requiring you to enter the following information: Host Name, the name of the host to be added; Host Type, select from the list (available choices are A, CNAME, MX and NS); Host IP, the IP for this host. Edit: Allows you to change a record's information. The options available are the same as in Add. Delete: Deletes an entry from the database. Select the entry to delete and press Delete. Remember that any of the changes made to the domain's database will only take effect after you select Apply in the main panel; if you don't select Apply then all changes will be lost. 3.2.1.3 Servers to forward to: This list contains the servers to where queries will be forwarded to if the domains queried are not in the list of domains. This will be the Name Server(s) used to resolve external domains. You will only be able to ch
12. Active Directory: If you check this option, an Active Directory server will be used as a repository for credentials. The Use for Authorisation checkbox will be disabled and the Import Users checkbox will be enabled. If you check Import Users, then all local user data will be immediately created. This is the only remote authentication scheme where this happens, since all other remote schemes will do this after the user's first successful login. For more details see appendix A. Use for Authorisation: Check this option if you also want to use the remote LDAP server for service authorisation. Please refer to appendix A for details on configuring a remote LDAP server for performing authentication/authorisation. This option will not be available if you have checked Active Directory. Purge Existing Local Users: Checking this option will delete all user data stored on edgeBOX. 4.5.2 Accounting: This menu option allows you to review and configure the Radius servers used for accounting. Note that you can have authentication and accounting performed by the same server, or have different servers for each purpose. The table lists all the servers configured. The configured servers will be contacted in sequence and the first one to answer will store the data. The accounting data applies only to the WAN interface. Available actions are Add, Edit and Delete
13. Wireless and EWAN Options: EWAN Information: If this option is present, you are required to enter the configuration for the enterprise interface, specifically: IP Address, the default value for this interface is 192.168.200.254; Netmask, the netmask to apply for this interface. Pressing Next will lead you to Step 3. 2.2.3 Step 3: Date/Time: In this step you will be prompted to set the machine clock. The controls are initially disabled, so to change these settings you have to press Change. The following information may be altered: Date, use the up/down controls or edit directly the desired value; Time zone, choose from the values present in the list; Time, use the up/down controls or enter the desired value. Pressing Next will lead you to Step 4. 2.2.4 Step 4: Authentication/Authorisation
14. If the user tries to access edgeBOX's port 8010, access is granted. Otherwise, if the user tries to access a website on port 80 or edgeBOX's authentication page, the authentication page is displayed. Otherwise, any other application access is denied by the firewall. After entering his credentials, edgeBOX's Radius server is queried. If a reject argument is found, access is denied (authorisation failed). Otherwise, LDAP is queried: if the password does not match, access is denied (authentication failed). Otherwise, access is granted (authorisation AND authentication succeeded). At this point, rules reflecting this user's group policy are loaded into the firewall. The IP/MAC address pair in these rules are the user's PC IP/MAC address pair. If the user has requested a web page and his policy allows, his browser will be redirected to the web page requested and a small window will pop up containing a message indicating success and a logout button. Otherwise, access will be denied. If the user closes the pop-up window and no network traffic is generated for 5 minutes, the rules will be unloaded from the firewall and further connections denied. The user will have to reauthenticate. Otherwise, the user will be granted access according to his policy. Remote configuration: So far we have assumed edgeBOX handles both authentication and authorisation using its local Radius and LDAP servers. However these two func
15. General Information Page: After logging in, your browser will start the Java-based Control Centre. After the web interface loads, the page in the above figure will appear. This is a general information panel where you can check certain aspects of edgeBOX's configuration, as well as information about the machine status (machine load, memory usage, disk usage, uptime, etc.). 2.1 General Layout: In the general information panel you can see some elements common to all pages. The header menu bar has the following options: System, Network, Services, Security, QoS, Policies, State, Users, Wizards and Help. Each of these menus and its submenus will be covered in detail in the next chapter. The main panel is divided into two sections. The upper section is the working area, where information regarding the option chosen in the menu will be displayed. It is also the place where configuration details will be entered. The lower section is the Status Information panel. It displays status information on the operation being performed. While an operation is taking place, a moving bar is displ
16. (Table of contents fragment; only the legible entries are kept.) Servers to forward to; Domains; Change Webmaster Password; Block Unresolvable Domains; Relay Domains; Enable LDAP Server; Local LDAP Root Password; Samba; Global Wins Options; Shares; New; Edit; USB Printers; Web Filt
17. 3.3.5.2 Mail Scanner: Allows you to configure the MailScanner settings. The following panels are available for configuration, accessible through the named tabs located on the right: General, Messages and Actions. 3.3.5.2.1 General: Allows you to configure general MailScanner configurations. Available options are: Antivirus engine selection, Spam options and Notification options. 3.3.5.2.1.1 Virus: Virus Scanner: The virus scanning package to use. Possible choices are Sophos, McAfee, ClamAV and None. Virus Scanning: Check this option if you want to enable virus scanning. 3.3.5.2.1.2 Spam: Spam Checks: Check this option if you want the MailScanner to check if incoming messages are spam. Log Spam: Check this option if you want the MailScanner to log spam messages to syslog. Spam Actions: The action to be applied to spam messages. Choose from the list of allowed values, which may be: Deliver, the message is delivered to the recipient as normal; Delete, the message is sil
18. On the dialog window that pops up, uncheck the Automatically use my Windows checkbox. Press OK on all dialogs to confirm this configuration. If the configuration succeeds, you should see a balloon warning you to enter credentials to connect to the wireless network. Clicking on the balloon will display a prompt requiring you to enter the username and password for a user authorised to connect to the Wireless network. If the connection was successful, its status will appear as Connected. 11.2 WPA: If edgeBOX was configured to use WPA as the security scheme, the following settings must be configured on the client: Network Authentication: WPA-PSK; D
19. Notices To: This field will only be enabled if you check the previous option. This is the user who will receive the notifications every time a spam message is received. 3.3.5.2.2 Messages: Allow Partial Messages: If you check this option you will allow messages that contain only a fraction of the attachments. As the scan is not performed on the whole message but on its fragments, it will not be done properly. Setting this option is very dangerous, as viruses may go undetected. Allow External Message Bodies: If you check this option you will allow messages where the body is stored in a remote server and not in the actual message. It will be up to the email client to fetch the message body later. Again, setting this option is particularly dangerous because MailScanner never scans the message body, so it
20. Another benefit from this configuration is that an extension from edgeBOX A is able to call an extension registered in edgeBOX B. As an example, consider you are using an extension from edgeBOX A and you want to call extension 600 from edgeBOX B. The first step is to define the prefix for remote switch (see Prefixes); in our example this prefix is 6. Then add a new remote switch configuration (see Add); in our example the prefix for this connection is 1. Having this configuration done, you will be able to call the extension on edgeBOX B by dialling: prefix for remote switch (6), prefix for remote switch connection (1), extension number, i.e. you would dial 61600. When you add a remote switch you are creating a one-way connection in the hostname direction. If you also want to receive calls using that trunk, which is usually the case, you will need to activate the option Allow incoming calls. Having this set, and if the remote edgeBOX also defined your edgeBOX as a remote switch with the same name, a two-way trunk will be created, allowing incoming and outgoing calls. Note that besides calling internal extensions, all VoIP functionalities will be
21. wlan or ath0 (depending on the specific wireless card used) stands for Wireless interface. eth interfaces assume the form ethn, where n can be 0, 1, 2 or 3, depending on the number of Ethernet cards in edgeBOX. Web Server: The reports in this group show information about edgeBOX's web server usage. It is possible to export them in pdf format. Status: This report shows the number of occurrences of the several possible statuses of the web server (Apache). You can choose the type of graph to see (Pie 3D, Pie 2D or line) by clicking the radio button. This information is also presented in tabular format, listing the statuses and the respective number of occurrences. You can see, for example, the number of occurrences of the status 404, indicating the number of times someone tried to access a page that doesn't exist. 8.2.2 Request: This report shows the number of occurrences of the request types made to the web server (Apache). You can choose the type of graph to see (Pie 3D, Pie 2D or line) by clicking the radio button. This information is also presented in tabular format, listing the request types and the respective number of occurrences. You can see, for example, the number of occurrences of the request get, indicating the number of times someone retrieved data from the web server. 8.2.3 Host: This
22. 8.4.9 By Destination Port Packets: This report shows the rejected traffic per destination port, in packets. This information is presented in graphical (Pie 3D, Pie 2D or line, selected by clicking the radio button) and tabular format. 8.4.10 By Destination Port Occurrences: This report shows the number of occurrences traf
23. IP, Netmask, Gateway, Primary DNS and Secondary DNS. After entering this information, select Apply. Check the status returned. DHCP: No additional information needs to be entered in this case, since all information is fetched from the DHCP server. Select Apply and check the status returned. PPPoE: In this case you are configuring an ADSL connection. You will have to provide the following information: IP address: this field will not be enabled if Obtain IP automatically is checked. Primary DNS and Secondary DNS: these fields will not be enabled if Query DNS is checked. Username/Password: This information will always have to be entered. Check the information your ISP has given you. Internal Modem: If this option is available, it means an internal modem is installed in your box. The following fields will also be ena
24. In the window that pops up, select an appropriate file, for example vm-intro, and press OK. Repeat the previous step but select the file beep. Change action to Voicemail. Choose 400 voicemail. Change action to Playback. Choose file vm-msgsaved. Change action to Playback. Choose file vm-goodbye. Change action to Hangup. Press OK. Apply your changes. You will need to define 2 more rules like the previous one: one for the same days but for the period between 0:00 and 8:00, and one for the weekend. The time interval does not allow you to enter an interval crossing midnight. 6.2 Scenario 2: SME HQ: For the company's HQ premises, besides basic connectivity, there will be a list of additional requirements: Static IP and registered domain on the WAN side; Private LAN, firewalled and requiring user authentication; Remote authentication provided by the internal W2k PDC; Complete backups scheduled daily to the FTP server running on the W2k server; Email filtering; DMZ with DNS, Web and Email servers; IP PBX with the following features: internal extensions, IVR configuration with call center and internal extensions published to the PSTN, ITSP configuration, warning messages for holidays, weekends and night hours, authentication. 6.2.1 Step 1: WAN connection: The HQ office edgeBOX will have a WAN static IP connection with a registered domain. There will be a DMZ
25. IP PBX with the following features: internal extensions able to connect to and be accessed from the outside PSTN network; voice mailbox available for people calling during off-work hours (these features will be common to the HQ configuration). 6.1.1 Step 1: WAN connection: The WAN connection will be provided by an ADSL connection with a dynamic configuration. The modem used in this example will be the USB ADSL modem SpeedTouch 330. Perform the following actions to configure the connection: Follow the Embedded firmware for Linux users link in SpeedTouch's support page to download the modem's firmware. Unzip the downloaded file contents. The firmware file is prefixed with ZZZL. In Control Centre, under the System menu, choose the Config option. The configuration options panel will load. In this panel choose the SpeedTouch Firmware tab. Select Browse to locate the firmware file. Select Upload. After completion, the firmware revision loaded will be available. After loading the firmware, you are now ready to configure the WAN interface. Choose the Interfaces option under the Network menu. The WAN tab will be selected by default. Choose PPPoE under IP Information. Fill in the fields according to the information provided to you by your ISP. Check the Internal Modem checkbox. Press the Apply button. To check for interface status, reload this panel and watch the Status field. In our Sce
26. You will then be able to establish the connection by selecting the Open Tunnel button. If the tunnel was successfully opened, the sentence "VPN Tunnel opened" will be displayed in the status bar, as well as a green light. You can check all active connections by selecting Connections, and check all messages exchanged during connection establishment by selecting Console.
[Screenshot: VPN Console showing the IKE daemon start, the phase 1 (Main Mode) and phase 2 (Quick Mode) SEND/RECV exchanges, and periodic Informational HASH NOTIFY messages]
27. 2.2.2 Step 2: LAN configuration
[Screenshot: Initial Setup, Step 2: LAN Configuration panel]
In this panel you will be required to configure some aspects relating to the internal network. In LAN Configuration, Domain Information, you may enter or change the following information:
- Hostname: edgeBOX's name in the internal domain.
- Private Domain: This will be the name of the internal domain, i.e. the domain to use in the LAN.
- Change Current IP: Checking this option will allow you to change edgeBOX's internal IP, which is set to 192.168.100.254 in the default configuration. If you check this option you will be required to enter New IP (the new address for this interface) and Netmask (the netmask for this interface).
- Public LAN Address: If you check this option then you will only be using valid IP addresses. If you don't use this option, your internal network addresses will be private and an address translation scheme will be used (NAT). If in doubt, leave unchecked.
[Screenshot: Initial Setup, Step 2: LAN Configuration panel with Change current IP selected]
28. A master domain server is one which has the database for the domain stored locally (also called authoritative for that domain). It will answer the queries for that domain. A forward domain server does not answer queries directly but will forward them to another name server.
Domain Access: Select a value from the list. The available selections are Internal and External. If you have a registered domain you will grant access to external networks to query this zone; otherwise, for private domains, you will most likely want to grant access only to internal hosts for security reasons. This option is disabled for forward type name servers.
Network mask: The network mask used for this network. This value will be used to build the reverse zone.
Name Server IP: The IP for this domain's name server. This option is disabled for forward type name servers.
Forwarder 1 IP, Forwarder 2 IP: If you've chosen type Forward, these will be the IP addresses of the servers where queries for this domain will be forwarded.
Allows you to change the configuration for an existing domain. Select the domain to edit and select Edit. The options available are similar to the ones available when creating a new domain.
3.2.1.2.3 Delete
Deletes configuration information for a selected domain. Select the domain to delete and select Delete. Check the status returned by this option
29. Inc. Binary Code License Agreement. This product includes code licensed from RSA Security, Inc. Some portions licensed from IBM are available at http://oss.software.ibm.com/icu4j/.
14 Licence for libxslt and libxml
Copyright (C) 2001-2002 Daniel Veillard. All Rights Reserved. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE DANIEL VEILLARD BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. Except as contained in this notice, the name of Daniel Veillard shall not be used in adverti
30. [Screenshot: line settings dialog of the client, with display name, user name, server IP and password fields]
The dial window has a log panel where call details can be checked. Again, the number 9999 has been dialed to confirm registration success.
[Screenshot: dial window with the call log panel]
15 END USER LICENSE AGREEMENT (EULA)
31. SME branch office 170
Step 1: WAN connection 171
Step 2: LAN connection 171
Step 3: Wireless 173
Step 4: Services and Users Accounts 173
2 Scenario 2: SME HQ 177
Step 1: WAN connection 177
Step 2: LAN connection 178
Step 3: Authentication and Security 179
Step 4: Users and Group Policies 180
3 IVR configuration 184
Part VII Services 189
Part VIII Reporting 190
Memory 190
Network Received Packets 191
Network Transmitted Packets 191
Top Level Destinations 193
Extensions 196
Size Summary 200
By Interface
32. SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. The licence and distribution terms for any publically available version or derivative of this code cannot be changed, i.e. this code cannot simply be copied and put under another distribution licence (including the GNU Public Licence).
7 Bind
Copyright (C) 1996-2002 Internet Software Consortium. Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. Id: COPYRIGHT,v 1.6.2.2 2002
33. Subsection 2d requires that any application-supplied function or table used by this function must be optional: if the application does not supply it, the square root function must still compute square roots. These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Library, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Library. In addition, mere aggregation of another work not based on the Library with the Library (or with a work based on the Library) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library. To do this, you must alter all the notices
34. and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
11 BSD
This product includes software developed by the University of California, Berkeley and its contributors.
12 LGPL
GNU LESSER GENERAL PUBLIC LICENSE. TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION. 0. This License Agreement applies to any software library or other program which contains a notice placed by the copyright holder or other authorized party saying it may be distributed under the terms of this Lesser General Public License (also called "this License"). Each licensee is addressed as "you". A "library" means a collection of software functions and/or data prepared so as to be conveniently linked with application programs (which use some of those functions and data) to form executables.
35. but is designed to work with the Library by being compiled or linked with it, is called a "work that uses the Library". Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License. However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License. Section 6 states terms for distribution of such executables. When a "work that uses the Library" uses material from a header file that is part of the Library, the object code for the work may be a derivative work of the Library even though the source code is not. Whether this is true is especially significant if the work can be linked without the Library, or if the work is itself a library. The threshold for this to be true is not precisely defined by law. If such an object file uses only numerical parameters, data structure layouts and accessors, and small macros and small inline functions (ten lines or less in length), then the use of the object file is unrestricted, regardless of whether it is legally a derivative work. (Executables containing this object code plus portions of the Library will still fall under Section 6.) Otherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of Secti
36.
- Pin: the identification number used to connect to the network.
- Protocol: currently IP is the only protocol supported.
- APN: the Access Point Name, a name used to identify the network to connect to (e.g. internet.company.com).
- OPSYS: is used to select the mechanism used to connect to the network: Only Connect to GSM Networks; Only Connect to UMTS Networks; If we have a choice, GPRS first; If we have a choice, UMTS first; Automatically (let V3G decide).
This last option allows the network interface to determine which network to connect to. A box is also displayed showing details of the connection to the cellular network. Information on the registration number, network provider, network type, signal strength and connection status is displayed.
Note: Please contact technical support (edgebox support critical links com) to get the list of currently supported UMTS hardware.
None: In this case no information needs to be entered. The interface will be terminated.
Remember that if you change the configuration for the interface you are using to connect to the web-based management console, you may need to reconfigure your client PC.
3.1.2 Wireless
[Screenshot: Wireless configuration panel]
37. "The Library", below, refers to any such software library or work which has been distributed under these terms. A "work based on the Library" means either the Library or any derivative work under copyright law: that is to say, a work containing the Library or a portion of it, either verbatim or with modifications and/or translated straightforwardly into another language. (Hereinafter, translation is included without limitation in the term "modification".) "Source code" for a work means the preferred form of the work for making modifications to it. For a library, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the library. Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running a program using the Library is not restricted, and output from such a program is covered only if its contents constitute a work based on the Library (independent of the use of the Library in a tool for writing it). Whether that is true depends on what the Library does and what the program that uses the Library does. 1. You may copy and distribute verbatim copies of the Library's complete source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copy
38. in the Callback Login Extension. Apply your changes. Agents will call this extension to log in. After hanging up, they will be called when there is a call in a queue where they are registered.
Now to create an agent: In the same panel, under Agents, press Add Agent. In Agent ID enter a number, for example 1. Enter 1111 for PIN. Enter sup1 for Agent Name. Enter 201 for Login Extension. Press OK and then apply your changes. In the same manner create agents sup2, fin1 and fin2.
Now to create a queue and to assign the agents just created: Select the Queues tab on the right. Press Add Queue. Enter support in Queue Name. Enter 500 in Extension. Select the Agents tab. Select agent sup1. Press the Add button. Do the same with agent sup2. Press the OK button. Apply your changes. Create another queue called financial in extension 502 with agents fin1 and fin2. These queues will be needed when the IVR configuration is reviewed.
6.3 IVR configuration
In our scenario we want to be able to access the internal extensions from the PSTN, in the same manner as in the branch office configuration, and also to be able to offer a call centre service. It is not yet possible to have two IVRs, so this has to be accomplished by other means: we will use a co
39. presenting the number of active processes in both graphical and tabular format. The values for Load Average 1 (active processes in one minute), Load Average 5 (active processes in 5 minutes) and Load Average 15 (active processes in 15 minutes) are displayed. As a reference, it is assumed that values below 1 represent good CPU load, values between 3 and 4 require close monitoring, and values around 5 and 6 require immediate action because the CPU is extremely overloaded.
8.1.3 Memory
This report shows the memory usage in the past 12 hours, both in graphical and tabular format. The values of both used and free memory are presented in bytes.
8.1.4 Network Received bytes
This report shows the traffic received by the box at the interfaces WAN, LAN and EWAN, in bytes per second. This information is presented in graphical format. You are able to define the time frame for these statistics: last 24h, last week or last month. To do this, select the desired option in the radio button and press Search to generate the corresponding graphic. You can also generate a table with the average received traffic (bytes/s) per day and per physical interface. Here br0 stands for the LAN interface, imq stands for the intermediate queuing interface, eth2 stands for the EWAN interface, eth0 stands for the WAN interface, lo stands for
40. the PPTP panel in edgeBOX's control centre will display its information.
[Screenshot: PPTP panel showing current users and active connections]
11 Appendix C: Connecting to Wireless
In this appendix it will be shown how to configure a MS Windows client station to connect to edgeBOX's wireless access point using 802.1x and WPA. Not all wireless cards will support these security schemes; a firmware upgrade may be needed in some cases. Some cards have their own managing software. In the examples that follow, only the native MS Windows client was used. To be able to have MS Windows controlling your wireless connection, you must start the Wireless Zero Configuration service.
[Screenshot: Wireless Network Connection Properties, Wireless Networks tab] Wireless configuration applet. Notice that Windows is being used to configure wireless.
In the examples that follow, the following general configuration will be used:
41. which holds the mail routing data and the local LDAP server running on edgeBOX. This synchronisation is done via FTP. The remote LDAP server must be configured to perform replication to edgeBOX's local LDAP server.
[Diagram: LDAP synchronisation between the remote LDAP server and edgeBOX's local LDAP server]
3.2.5.5.1 LDAP Mail Routing
The following options are available: Enabling LDAP lookups; The domain; Enabling LDAP synchronisation; and Setting the local LDAP root password.
[Screenshot: LDAP Mail Routing panel]
3.2.5.5.1.1 Enable LDAP Lookups
Checking this option will enable LDAP routing of email traffic. The remaining options will then be available for configuration.
3.2.5.5.1.2 Domain
The domain for which we will be doing LDAP routing. Enter a fully qualified domain name; this domain will then be broken into DCs (domain components), which will be used by LDAP. 3
42. 02/12 06:05:48 marka Exp. Portions Copyright (C) 1996-2001 Nominum, Inc. Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS" AND NOMINUM DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL NOMINUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
8 Curl
COPYRIGHT AND PERMISSION NOTICE. Copyright (c) 1996-2003, Daniel Stenberg, <daniel@haxx.se>. All rights reserved. Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE F
43. 1. Change the desired setting(s): Hostname and/or Domain. 2. Select Apply. 3. Check the status returned to see if the operation was successful.
[Screenshot: Hostname and Domain configuration panel]
3.1.1.2 LAN Ethernet Configuration
To change the configuration for the internal interface, take the following steps: 1. Change the desired setting(s): IP Address and/or Netmask. 2. Select Apply. 3. Check the status returned to see if the operation was successful.
[Screenshot: LAN Ethernet Configuration panel]
3.1.1.3 EWAN Ethernet Configuration
This allows you to change the IP Address and/or the netmask for the enterprise interface. The steps are the same as in LAN Ethernet Configuration.
3.1.1.4 WAN Configuration
This option allows you to change the configuration for the external interface. The information required will depend on the value chosen for IP Information. Available values are Static, DHCP, PPPoE, PPPoA, UMTS or none. If you have a cellular gateway card installed, UMTS will also be available in the IP Information pull-down menu.
Static: If the value chosen for IP Information was static, the following information has to be entered
44. (iii) Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. 6. Disclaimer/Limitation of Liability: THIS SOFTWARE IS PROVIDED BY SENDMAIL, INC. AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL SENDMAIL, INC., THE REGENTS OF THE UNIVERSITY OF CALIFORNIA OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Revision: 8.11.2.1, Last updated Date: 2003/04/19 14:30:36
6 OpenSSL License
Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice
45. 2.5.5.1.3 Enable LDAP Synchronize
Checking this option will enable you to configure the options for performing the initial synchronisation. You will be required to enter the following information:
- FTP Server IP/Hostname: The IP address or hostname for the remote server where the LDAP DB file is located.
- FTP Login: Username used to log in to the remote FTP server.
- FTP Password: Password for the username used.
- Master DB File: The file holding LDAP data in LDIF format.
- Max Download Time (sec): The maximum amount of time for the transfer to be completed; if this time is exceeded the transfer will be aborted.
3.2.5.5.1.4 Local LDAP Root Password
The password used by the remote LDAP server to perform synchronisation on the local LDAP server. The remote LDAP server has to be configured to perform replication to edgeBOX. The following remarks should be taken into consideration when configuring the remote LDAP server:
- Only the core and miscellaneous schemas shall be configured to be replicated.
- A replica section has to be included in the configuration file, where:
  - The URI points to the local edgeBOX.
  - The TLS element is set to critical.
  - The cn (common name) used in the binddn (distinguished name) has to be set to manager.
  - The credentials element has to be set to edgeBOX's local LDAP server root password.
For example, if the dom
46. 3.24.2, the Web server is at 212.3.24.3 and the Email server is at 212.3.24.4. Do the following:
- In the same panel select the DMZ tab.
- Check Enable DMZ.
- Press Add. Enter the following information: Destination IP 212.3.24.2, Netmask 255.255.255.248, Port 53, Protocol TCP.
- Press Add again. Enter the following information: Destination IP 212.3.24.3, Netmask 255.255.255.248, Port 80, Protocol TCP.
- Press Add again. Enter the following information: Destination IP 212.3.24.4, Netmask 255.255.255.248, Port 25, Protocol 25.
- Press Apply.
6.2.4 Step 4: Users and Group Policies
As we have said, in the HQ site group policies are going to be enforced. A large set of requirements could be defined to illustrate this concept, considering different types of users and permissions. Instead, a small example will be given. Consider that most of the users belong to a general group with permission to access the Internet only during lunch hours. There will be another group which will have full permissions: the administrators. Also, there will be a need for the W2k machine to have access to the Internet, since it will run the Windows update service. To build such a configuration, take the following steps: In the Control Centre select the Management option under the Users menu. If you followed the steps in the previous se
47. A pop-up window will display, requiring you to enter the following information:
- Destination IP: The host range to which access will be granted.
- Netmask: The netmask to be used.
- Port: If you select this option you will need to specify the single port to which access will be granted.
- From/To: If you select this option you may specify a port range to which access will be granted.
- Protocol: The specific protocol to which access will be granted. Choices available are TCP, UDP, ICMP and ALL.
Edit: Allows you to modify an existing rule. The options available are the same as in New.
Delete: Selecting this option will eliminate the rule, revoking access to the host.
3.3.2 NAT
This page allows you to review and change the NAT configuration. With NAT you are able to use private addresses in your internal network. All requests made from internal hosts are seen by the external networks as being made by edgeBOX, which then translates the response packets' destination addresses to the originating internal host. To make changes effective remember to select Apply. Two panels are available for configuration, Nat and Port Forward, each accessible by an appropriate tab. These panels are described next.
[Screenshot: NAT Configuration panel]
48. Add: After selecting Add, a popup will display requesting you to enter the following information:
- Server IP: The IP address for the new server.
- Server Port: The port used. The default value is 1813 but another port may be used.
- Password: The password used by edgeBOX's radius client to access the server.
- Timeout: The maximum amount of time for connection setup with the RADIUS server. If this time is exceeded then the next server on the list, if any, will be contacted.
Edit: Change the settings for a listed server. After selecting the server configuration to edit, press Edit. After changing the possible options and selecting OK, you will have to select Apply in the main panel to make changes effective.
Delete: Deletes a server from the list after selecting it and pressing Delete. You will have to select Apply in the main panel for changes to become effective.
Log Network Traffic: Select from the list, where possible values are Off, 15 minutes, 30 minutes and 60 minutes. This option allows you to control the period for which account information will be recorded. If set to Off, traffic information will be logged only when users log off. If not, the label indicates the interval between logs (15 minutes, 30 minutes or 60 minutes).
4.5.3 Date/Time
This menu option allows you to set edgeBOX's clock. You may also configure edgeBOX to use NTP (Network Time Protocol) and so its clo
49. Enter the following information: IP 10.1.0.0, Netmask 255.255.0.0, Interface wan. Press OK and then Apply in the main panel. If NAT Enabled is not checked, check it and select Apply.
Next, DNS and DHCP servers are configured. Do the following:
- Select DNS under the Services menu.
- In Domain Name press the New button. A dialog window will pop up. Enter the following information: Domain Name company.internal, Domain Type Master, Domain Access Internal, Network Address 10.1.0.0, Name server IP 10.1.0.254.
- Press OK.
- If the status is not running, press the Start button.
- Select DHCP under the Services menu.
- Check if there's any range already configured. Select it and press Delete.
- Press New. A dialog window pops up. Enter the following information: Start IP 10.1.1.0, End IP 10.1.2.0, Prefix ws.
- Press OK.
- If the status is not running, press the Start button.
6.2.3 Step 3: Authentication and Security
In our scenario we will enable authentication and enforce group policies. Furthermore, remote authentication will be provided by a remote W2k server, although authorisation will still be local. To configure remote authentication using a remote W2k server located at 10.1.0.1, do the following: Select Authentication under the System menu. Change Authentication to Remote LDAP Server. Under Settin
50. Internet Access: If this option is unchecked, this group will not have access to the Internet, so the next panel will be disabled. If you check this option, you may then fine-tune Internet access using the options available in the next panel, which are the following: Time Period, Incoming and Outgoing. 4.2.1.1.2.1 Time Period: You can grant access for the whole day (the default) or just to a time interval. Insert the limits for this interval directly in the fields or using the up/down controls. 4.2.1.1.2.2 Incoming: By default, all incoming traffic from the Internet is denied access to the internal network. With this option you can allow incoming traffic based on its origin, port and/or protocol. This table displays the list of allowed connections. The options available are Add and Delete. Add: Creates a new entry in the table. After selecting Add, a popup window similar to the one shown will appear, requiring you to enter the following information: [Figure: Add Allowed Incoming Connection Window] Origin IP: the IP address for the host/network which is starting the connection we want to allow. Netmask: the netmask to apply. Port: the service port we want to allow access to; this option will be disabled if the protocol chosen is eith
51. VoIP providers configured are shown in tabular form. The options available are Add a new VoIP provider, Edit an existing VoIP provider's details, and Delete a VoIP provider. It is possible to change the details for all VoIP providers by selecting it on the table and then pressing the Edit button, or by double-clicking on its entry. However, there may be situations where you will not be able to do so. For instance, when a VoIP provider is used in an LCR outbound route, editing is disabled to prevent possible problems in registration with remote servers. In such cases, first you will have to delete the LCR route using the provider, and only then will you be able to modify its details. 3.2.8.3.3.1 Add: Allows you to configure a VoIP provider. For edgeBOX to be able to use the services of a VoIP provider, you just have to specify the necessary authentication credentials. To make this configuration easier, the VoIP provider control is filled with the most common VoIP providers: iaxTel, Gossiptel, SipGate, IpTel, FreeWorldDialup, VoipBust
52. OK and apply your changes. The actions and contexts should be visible on the IVR tree. We are going to assume the ivr1 tree will be configured in the same manner as we did on the branch office, so now we will edit ivr2. In the IVR tree, select ivr2. Press the Edit Context button. Press the Add Action button. Select On Start. Under Actions, select Background in Action. Press the Select File to select a sound file. This is typically a file with the menu entries (1 for financial, 2 for support). Press the Add Action button. Select After Press and enter 1. Under Actions, select GoTo in Actions. Select New Context and enter support. Following the same steps, create another context, this time named financial. Press OK and then apply your changes. So now we have two more child nodes under ivr2: support and financial. We will now edit the support context. Select support. Press the Edit Context button. Press the Add Action button. Select On Start. Under Actions, select Background in Action. Press the Select File to select a sound file. This is typically a file with some information and stating that an operator is available upon pressing 1. Press OK. Press Add Action. Select After Press and enter 1. Under Actions
53. On this page you have two operations available: starting/stopping the service, or applying changes made to the configuration. You will trigger these actions selecting the buttons on the lower panel. [Figure: PPTP tunnel connecting a host to a private network] The available elements in this page are described next. 3.3.4.1 Service State: This information is read-only and gives you the current status of the service. Possible values are running and stopped. 3.3.4.2 Connected users: A table where each connected user is listed, as well as the IP address of the client machine from where the connection was established and the time at which the connection was established. 3.3.4.3 Authentication Type: Authentication can be performed either by the Radius server running on the edgeBOX or by an external Radius server. 3.3.4.3.1 Local Authentication: Selecting Local Authentication means that the authenticat
54. Select Path in Document Root and enter intra. Enter webmaster@company.internal for Email. Press OK. Select Apply. Change the webmaster password in the same way as described in branch office. Select DNS under the Services menu. Select the company.internal domain and press Hosts. Select Add. In the window that pops up, enter the following information: Host name: intra; Host type: A; Host IP: 10.1.0.254. Press OK. Apply the changes. You should now be able to access the intranet site. To upload files, log in with FTP as webmaster and upload files to the intra directory. The Samba service will work in the same manner as in the branch office. The SMTP service will be configured following these steps: Select SMTP under Services. Under Email Domain(s), press Add. Enter company.com and press OK. Press Add again. Enter company.internal and press OK. Select Remote under Storage. Enter the mail server's address: 212.3.24.4. Select the Access Control tab. Under Relay Domain List, press Add. Enter company.com and press OK. Press Add again. Enter company.internal and press OK. Apply your changes. If the service state is stopped, press the Start button. Mail sent to both domains will be received by edgeBOX, scanned for virus and forwarded to the mail server located at the D
55. Source Address: To set the policy for all addresses, enter an IP address of 0.0.0.0. Port: The port corresponding to the service you want to configure. If the direction selected was outbound, this will be the destination port; otherwise it will be the source port. After selecting OK, the entry will appear in the table; for it to become effective, you have to select Apply in the main panel. Edit: Allows you to modify a services QoS table entry. The options available for configuration are the same as for inserting a new service QoS entry. Delete: After selecting a configuration from the table, select Delete. To make this change effective, you have to select Apply in the main panel. Remember that this setting overrides any QoS group configuration. For example, if you decide to assign a group an upload QoS class of upGold and configure the email service to have an upload class of upBE, then all outbound traffic from this group for the email service will be treated as upBE. 4.5 System Configuration: In this section we will cover the options present in the System menu, namely: Authentication Accounting Date Time syslog Quota Backup Config System Update SNMP Logoff. 4.5.1 Authentication
56. 8.4.14 By Destination Address Occurrences: This report shows the number of occurrences traffic was rejected per destination address. This information is presented in graphical (Pie 3D, Pie 2D or line, selected by clicking the radio button) and tabular format. 8.4.15 By Service Packets: This report shows the rejected traffic per service (e.g. http) in packets. This information is presented in g
57. 3.2.8.4.1 Manage Queues: This panel allows you to manage edgeBOX's queuing system. These services are widely used, especially in Call Centres, where callers are usually placed in a queue before an operator answers the call. Configured queues are shown in a tabular manner. You can create new queues (Add Queue button), modify existing queues' details (Edit Queue button) or remove a queue (Delete Queue button). 3.2.8.4.1.1 Add Queue: Allows you to create a new queue. Settings: General queue settings are configured selecting the settings tab page. Available options are: Queue Name: name assigned to this queue. Extension: internal extension associated with this queue. Announce Position Frequency: time interval in seconds between queue position announcements. Ring Strategy: algorithm used to assign calls to agents. RingAll: all agent phones will ring and the call will be assigned to the one that answers first. RoundRobin: selects each agent in turn. LeastRecent: selects the agent which was least recently selected. FewestCalls: selects the ag
58. a remote scheme is used, you can still add local users before those users make their first login. This can be useful if you want to set their service permissions beforehand when using local authorisation, or to set the group to which they will belong (by default they are assigned to the generic group). When using Active Directory as a remote authentication scheme, you have the option to import the users. In such a configuration, local accounts and entries will be created locally. Depending on the scheme used, the way a user may perform his first login will vary. The next table displays this information: used Local AD with user import remote any service FTP POP3 PPTP WiFi LDAP LAN user remote Radius AD without user only using LAN user authentication import. 10 Appendix B: VPN Setup. In this appendix it will be shown how to set up a client to connect to edgeBOX's VPN server. Two types of VPNs will be covered: IPSec and PPTP VPNs. 10.1 IPsec VPNs: The following pictures show the configuration used in edgeBOX in order to establish an IPsec VPN connection between a client machine and edgeBOX. The following elements must be consistent in edgeBOX and in the VPN client used: Pre-shared key: 12345678; Encryption: 3DES; and Authentication: MD5. Also, IP host configuration will be fetched dynamically (RoadWarrior configuration). Th
59. become effective, all actions performed in this page have to be committed by pressing the Apply button on the bottom right panel. Two panels are available: Firewall and DMZ. To access each of these panels, select the appropriate tab. [Figure: Firewall Configuration Page] 3.3.1.1 Firewall. Require users to login: If you check require users to login, users will have to authenticate (providing username/password) in order to be able to access services and resources. Granting or revoking access to services and resources is done at the group level. To know more about group policies, see Policies. Enable Firewall: If this checkbox is turned off, edgeBOX will be working in pure router mode; all services will
60. button and tabular format. 8.3.7 Incoming TCP: This report shows the incoming TCP, i.e. the number of occurrences of IP client requests presented per IP. The values displayed will be, for example: 192.168.3.9, 192.168.2.4, 192.168.3.212, 192.168.2.63, other 69 requesting hosts. This information is presented in graphical (Pie 3D, Pie 2D or line, selected by clicking the radio button) and tabular format. 8.3.8 Response Code: This report shows the number of occurrences of the response codes from the proxy server. For a complete list of response codes, please check HTTP status codes. This information is presented in graphical (Pie 3D, Pie 2D or line, selected by clicking the radio button) and tabular format. 8.3.9 Size Distribution: This report shows the size distribution of the file
61. capable of performing incoming number recognition is installed in edgeBOX. For that to happen, a BRI or PRI card must be connected to a digital line. 3.2.8.2.4.1 Add Route: To define a DID route, enter the number and define the set of actions to execute. The set of actions available are the same ones available in the Add Action popup windows in the IVR context editor. 3.2.8.2.5 Sound Manager: In order to use the Playback and Background actions, you need to select the sound file to use. This file may be a system file or a user file. This panel allows you to upload gsm sound files. Select the desired file using the Browser button and then select the Upload button. If this operation is successful, the uploaded file should be available in the sound files management panel, where files may be played or deleted. 3.2.8.3 Outbound Calls: This panel allows you to configure several aspects
62. configured is displayed in this panel in a tabular form. You may create a new static conference by pressing the Add Room button, modify a static conference's details by pressing the Edit Room button, and remove a static conference (Delete Room button). 3.2.8.4.3.1 Add Room: Allows you to create a new static conference. The following elements must be supplied: Conference Number: internal extension assigned to this conference. Protected Conference: If you enable this option, you will need to supply a conference PIN and an administrator PIN. Users will then have to enter the correct PIN to join this conference. All configured static conferences can be used when you use the IVR editor to add a MeetMe action. 3.2.8.4.4 Parking: The parking call service is ideal for transferring calls. To configure this service you will have to
63. distance calls and Local calls and so on. Edit: After selecting the user you want to change from the users table and selecting Edit, a popup window will appear. This popup will be similar to the one displayed when a New record was added, except that you will not be able to change the username. A table will also appear displaying the user's quota settings, and you will not be able to change extension details in voip settings. After changing the desired fields, selecting OK will make them effective and Cancel will abort them. If you want to keep the user's password unchanged, leave the fields blank; otherwise the password will be updated. Delete: Deletes a user from the system. After selecting the user from the users table, selecting Delete will immediately remove the user. If you have authentication set to remote, a remote server will validate credentials entered by a user. A user and directory structure will be created locally when the first successful login occurs. Unless the user was previously created and assigned to a group, they will be placed in the generic group. You must always create groups and users and assign them before the
64. due to the interference with other devices nearby (other APs, for example), you may need to change this setting. 3.1.2.1.4 Ignore clients with broadcast SSID: If selected, the SSID used by the client must exactly match edgeBOX's SSID; stations using no SSID (i.e. stations that are broadcasting in search for an access point to associate to) are not allowed to connect. 3.1.2.1.5 Allow all clients: If this option is checked, any client will be able to connect to the access point. If you uncheck this option, an Allowed Clients list will be visible. Each entry in this list will represent the MAC address of a PC that is allowed to connect to the access point. To manage this list you have two possible actions: Add and Delete. Add: Adds a client to the list. After selecting this option, a popup window will appear requesting you to enter the MAC address for the machine you want to allow to connect to the AP. After selecting OK, you have to select Apply in the main panel for changes to become effective. Delete: Deletes a client from the list of allowed MACs, denying access to the PC with this MAC address. You will need to select Apply in the main panel for changes to become effective. 3.1.2.2 Advanced: In this panel you can configure wireless security settings such as authentication and encryption.
65. dynamic DNS services. Details on how to set up and manage an account on these services are out of the scope of this text, and the user is directed to the URLs given. The available configuration information includes: DNS Server: The type of service used. Select from the available choices list: None, DynDNS or No-IP. Hostname: The name you want to use. This hostname must have been previously created. For details on managing hostnames, please check the documentation for the dynamic DNS service chosen. The fully qualified domain name will be hostname.no-ip.org or hostname.dyndns.org. Username: The username for the account used for accessing the service chosen. Password: The password for the account used for accessing the service chosen. For the changes to become effective, you have to select Apply. Please check the status returned to see if the operation was successful. 3.2.3 DHCP: This service is available for the internal network only and is used to dynamically assign IP addresses to hosts on the internal network. Only two actions are possible: Starting and Stopping the service. We will now describe the elements available on the main panel.
66. Contents (partial; only the legible entries survive): edgeBOX's console; Connecting to edgeBOX's serial port; Powering down the box; Part II Quick Start; The Initial Setup Wizard; Step 2: LAN configuration; Step 4: Authentication/Authorisation; Final page: Complete Configuration; Part III Network Configuration Reference; Hostname and Domain Configuration; Ignore clients with broadcast SSID
67. exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY. 15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS. 13 Sun Microsystems
68. first task will be to change this configuration so it meets your own requirements. The user is advised to perform the initial configuration from a PC connected either directly to edgeBOX's LAN interface or to a device (a hub or a switch) connected to this interface. [Figures: Connecting with a crossed cable; Connecting through a hub] If you connect your PC directly to the LAN interface, bear in mind that you will need a crossed network cable. If you connect a hub or a switch to edgeBOX's LAN interface, then you may use a standard network cable. The interface is initially configured with the IP address 192.168.100.254 and has the DHCP service active. In order to connect to edgeBOX, a client PC may be configured in one of two ways: using DHCP and obtaining its TCP/IP address from edgeBOX, or using a static IP address. The IP used has to be within the range 192.168.100.0/24. To perform the initial configuration, the easiest and preferred way is to use the web interface. You can use any web browser, provided the Java plug-in is installed. To connect to the web interface, point your browser to http://192.168.100.254:8010 (you can also use https://192.168.100.254:8011). For a detailed explanation of the steps required to configure edgeBOX, please see Network Configuration Reference. After the initi
69. group of international calls. For the correct call identification to occur, all prefixes have to be added to the system, otherwise the call will fail. If a prefix is not defined in this panel, the call will be considered, by default, an international call. All outbound interfaces provided by VoIP hardware installed and VoIP providers configured will be available as outbound routes. Each group may have more than one outbound route. If the call fails using one route, the next route will be tried. Route priorities may be changed using the Up and Down buttons on the right side. Besides supporting different LCR per group, the use of prefixes to identify the group the call belongs to also allows administrators to restrict the type of calls users are allowed to make. For more information see Authentication. 3.2.8.3.3 Providers: edgeBOX may also work as a client for SIP/IAX servers. This panel allows you to configure edgeBOX to work this way, using the services offered by VoIP providers. Currently there are several VoIP providers offering calls to local PSTN networks in several countries at very competitive prices.
70. manager interface you will be able to establish a telnet connection to edgeBOX's IP PBX, allowing you such diverse administration options as placing calls remotely or receiving events related to the state of calls and extensions. This interface may be useful if you own some kind of monitoring software which you want to integrate with edgeBOX. You will need to supply the additional information: Username: username used for telnet authentication. Password: password to be used for telnet authentication. IP/Netmask: IP address and netmask to be used by the remote host machine. 3.3 Security Menu: This menu option allows you to review and change security settings such as Firewall: services access authorisation, black lists and DMZ configuration; NAT: enabling and port forwarding configuration; IPSec VPNs; PPTP VPNs; Mailscanner: engine to use, settings and actions to take; and shares scanner. 3.3.1 Firewall: Following this menu option you will be able to review and configure your Firewall configuration. To
71. may allow viruses into your network. Allow Iframe Tags: If you check this option, you will allow your messages to carry Iframe tags. Log Iframe Tags: If you check this option, you will enable logging of messages with Iframe tags. Allow Form Tags: If you check this option, you will allow your messages to carry Form tags. Allow Object Codebase Tags: If you check this option, you will allow your messages to carry Object codebase tags. Convert Dangerous HTML to Text: If you check this option, you will enable the conversion of Iframe and Object codebase tags into plain text. This is a good alternative to disallowing or leaving them untouched. Convert HTML to Text: If you check this option, you will enable the conversion of all HTML tags into plain text. Block Encrypted Messages: If you check this option, you will enable blocking of encrypted messages. Block Unencrypted Messages: If you check this option, you will enable blocking of unencrypted messages. Expand TNEF: If you check this option, you will enable expanding of TNEF attachments that are joined in one WINMAIL.DAT file. If you don't check this option, then the filenames within the TNEF attachments will not be checked. 3.3.5.2.3 Actions
72. name of the community used when sending a notification. Host to send traps to: The host name or IP address of a computer where notifications will be sent. 4.5.10 Logoff: This menu option allows you to perform the following actions: Logoff, Restart, Shutdown. 4.5.10.1 Logoff, Restart, Shutdown: After selecting one of these options, select Confirm. Logoff will only disconnect you from the web management interface, Restart will reboot the box, and Shutdown will halt the box. Remember you can also issue these commands via the CLI, with the commands system reboot and system shutdown. 4.6 State Menu: This menu option will allow you to access edgeBOX status information and also some accounting reports, if you have selective authorization turned on. Next we will describe the following sub-menu options: Users Network Services Traffic Control Accumulated History Accumulated Session Session Details. 4.6.1 Users: If you have selective authorisation turned on, this page will display a table with the users currently authenticated. Beside the username, each entry will also display the IP and MAC addresses from which a user is connecting and the group that they belong to. 4.6.2 Network: This page will display two tables, one showing i
73. net>. This product includes the Zend Engine, freely available at <http://www.zend.com>. 5 SENDMAIL LICENSE. The following license terms and conditions apply, unless a different license is obtained from Sendmail, Inc., 6425 Christie Ave, Fourth Floor, Emeryville, CA 94608, USA, or by electronic mail at license@sendmail.com. License Terms: Use, Modification and Redistribution (including distribution of any modified or derived work) in source and binary forms is permitted only if each of the following conditions is met: 1. Redistributions qualify as "freeware" or "Open Source Software" under one of the following terms: (a) Redistributions are made at no charge beyond the reasonable cost of materials and delivery. (b) Redistributions are accompanied by a copy of the Source Code or by an irrevocable offer to provide a copy of the Source Code for up to three years at the cost of materials and delivery. Such redistributions must allow further use, modification, and redistribution of the Source Code under substantially the same terms as this license. For the purposes of redistribution, "Source Code" means the complete compilable and linkable source code of sendmail including all modifications. 2. Redistributions of source code must retain the copyright notices as they appear in each source code file, these license terms, and the disclaimer/limitation of liability set forth as
74. 11.1 802.1x
Remember that in order to use 802.1x you need to authorise Wireless Security on the user management. The following pictures illustrate the configuration used on edgeBOX.
[Figure: Advanced Wireless Configuration, encryption type: WPA, security type: 802.1x]
On MS Windows, double-click the Wireless Network Connection icon and select the Wireless Networks tab. Make sure the SSID entered is consistent with that defined on edgeBOX (valebox on our example). Choose WPA for Network Authentication and AES for Data Encryption. Select then the Authentication tab.
[Figure: Wireless Network Connection Properties]
75. not available, the next will be queried until one answers. The operations available to manage the server list are Add, Edit and Delete. If you check Use for Authorisation then service authorisation will also be performed remotely. For details on how to configure a Radius server to perform authentication and authorisation please refer to appendix A. If you check Purge Existing Local Users then all user data currently stored on edgeBOX will be deleted.
[Figure: Options available for Remote RADIUS Authentication]

4.5.1.1.1 Add
Adds another server to the list. You will need to provide the following information:
[Figure: Radius Server Information]
• Server IP: The IP address for the remote server;
• Server Port: The port used for authentication. The default port used is 1812;
• Password: The password used by edgeBOX's radius client to connect to the remote server; and
• Timeout: The maximum amount of time for a valid answer from the RADIUS server. If this time is exceeded, the next server on the list (if any) will be queried.

4.5.1.1.2 Edit
After selecting the server row cor
76. not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.
This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distingui
77. of the shared folders that are currently active. New shared folders can be created by clicking on the New button; access permissions can be changed by selecting a shared folder and clicking on the Edit button; shared folders can be deleted by selecting an item from the list and clicking the Delete button.

3.2.6.3.1 New
When the New button is clicked the New Share panel is displayed. It contains the following fields:
Name: Enter the name of the shared directory. This name is used to allow users to map the folder into their filesystem.
Path: The name of the folder on the edgeBOX filesystem. A single folder name is specified. Folders cannot be nested.
Description: A brief description of the folder and what it contains.
Admins: A list of user names, separated by semi-colons, that are allowed to administer the shared folder, e.g. admin;bob;sarah
Public: Check this box if the shared folder is publicly accessible.
Browseable: Check this box if the shared folder can be browsed.
Writeable: Check this box if the shared folder can be written to.

3.2.6.3.2 Edit
When the Edit button is clicked to change the properties of an existing shared folder t
78. operations was successful the following dialog will be displayed.
After rebooting the machine, log on to edgeBOX's domain; it should be available on the domains list. The user's home directory will be mounted as Z:. In the picture below the user's directory content is shown, where the public_html directory can be accessed. This is the directory where the user's personal web page will be located. The other directory shown, profile, is where the roaming profile data will be stored, so the user will retain her desktop definitions after logging off.

12.2 Public safes
Safes are available only for LAN users and may be used when there's a need for a temporary space for storage. Any user on your network can ask for a box to store files and access it as a normal Windows share. To be able to use safes the following conditions must be met:
• The Samba service must be started;
• Boxes must be active;
• The user must be authorised to use Samba.
The options availabl
79. s webpage will be located on http://edgebox.domain/~noname or http://edgebox.domain/users/noname

3.2.4.5 Virtual Hosts
This panel allows you to configure virtual hosts. With virtual hosts you are able to have the same web server running multiple websites. Possible actions are New, Edit and Delete.

3.2.4.5.1 New
After selecting the New button a popup window will appear requesting that you enter the following information:
• Virtual Host: Select from the list of values. Possible values are LAN, WAN and both. Defines the scope of access to this virtual host.
• Server Name: The name of this virtual host. Remember that an A or CNAME record has to be added to the DNS for this setup to be complete. For example, if your domain is local.loc and you add a virtual host for docs.local.loc then you will have to add an entry for host docs pointing to edgeBOX's IP address.
• Document Root: the location of the files in the file system. All websites will be located under /home/wwwhost, which is the filesystem directory where the webmaster user will be placed after logging on through FTP. The Document Root is specified relative to this directory. For example, the document root for the intranet website is intra. Taking the example from the previous option, if you create a directory under /home/wwwhost called documents to place the virtual host files then the document root will be documents.
• Email: the e
80. select Queue in Action. In Queue Name select support. Press OK and apply your changes. Perform similar actions to build the financial tree.
We now have the ivr2 tree. A user entering this tree will access the support queue pressing 1 twice. Notice we used the background action, which will not wait until the end of the sound file. Notice also that other actions could be added to make these menus more friendly. For example, a Timeout action to repeat the message, an After Press action allowing you to return to the previous menu, etc. The possibilities are endless.
Now we need to create a DID route to allow callers to enter directly in the ivr2 tree. To do so:
• Select DID Routes
• Press the New Route button
• On number, enter the number for your call centre
• Select Goto in Action and ivr2
• Press the Add button
• Press OK and apply your changes
If this number is called, ivr2 will be called, placing us in the call centre tree.
Next we need to provide an entry point to ivr1 to be able to call internal extensions. Do the following:
• Select the Incoming Calls tab
• Select the Call Rules tab on the right
• Select the existing rule
• Press Edit Rule. The Edit Incoming Rule dialog window pops up
• Under Tree Actions select ivr and press Remove
• In Action select GoTo
• Select ivr1 and press Add
• Select Goto ivr1 in the actions tree and use the Up and Down
81. session. Under the Session Summary table another table should be visible displaying network traffic data. If you want to be able to access this data, don't forget to turn the log network traffic option on. For more information see Log Network Traffic under Accounting.

4.7 The CLI
Besides supporting configuration via a web interface, edgeBOX also supports a CLI (Command Line Interface). This CLI may be accessed in two different ways: the console (connecting a keyboard and a monitor directly to the box) and connecting through SSH to one of the interfaces (remember access to the service has to be granted in the firewall configuration). The CLI supports a subset of commands allowing you to perform basic configuration. You can check the available commands typing help in the command line. The commands available are:

dhcp        configure LAN dhcp server
dns         configure dns servers
domain      show dns domain name
ewan        configure Enterprise WAN interface
exit        exits the program
help        prints this screen or help on command
hostname    set hostname
LAN         configure LAN interface
quota       system default quota management
route       add del static route
security    firewall nat and authentication control status
service     service status
system      system details
vpnserver   config pptp vpn server
WAN         configure WAN interface

This is the output of the help command. The CLI supports command completion by pressing the
82. setting disk quotas you are limiting the amount of disk space a user may consume. This feature is useful to keep disk usage at reasonable levels and ultimately to prevent edgeBOX from running out of disk space. You have two file systems available for which you can set quotas, corresponding to the user's home directory (where their personal web page will be located) and to the user's mail. To set users' quotas for one of these file systems:
• Select the file system for which you want to set quotas
• Select Edit. A popup window will appear
• Change the desired value(s): Maximum number of Megabytes and/or Maximum number of files
• Select OK to confirm or Cancel to abort changes
• Check the status returned for errors

4.5.6 Backup
[Figure: Backup Setup Scenario]
This menu option allows you to review and change your backup configuration. edgeBOX can schedule backups to occur periodically at a predefined time. These backups can be stored either on a remote FTP server or to a USB disk connected to the edgeBOX. Backups may be restored totally or partially at a later time (the user can choose the items to restore). We advise you to define a backup policy from the start to prevent the loss or corr
83. start with permissions enforcement we need to activate VoIP authentication. To do so:
• Select VoIP under Services
• Select the Outbound Calls tab
• Select the Authentication tab on your right
• Select Authentication On
• Apply your changes
Now when users make a call to the PSTN their PIN and permissions will be verified.
Next, suppose you want to contract the services of a VoIP provider to be able to lower your costs on international calls. For example, suppose you contract the voip buster service. To configure edgeBOX to use voip buster perform the following actions:
• Select the Outbound Calls tab
• Select the VoIP Providers tab
• Press the Add Provider button. A dialog window will pop up
• Enter the following information:
  VoIP Provider: sip.voipbuster.com
  Provider Name: VoipBuster
  Username: <your username>
  Password: <your password>
• Press OK and Apply your changes
If you select the LCR tab on your right and check the Routes combobox, VoipBuster will be available as an outgoing route.
Now a more detailed configuration will be needed: you will have to specify which prefixes match to which type of calls. As an example consider the mobile network. In Portugal all mobile operators' prefixes start with a 9. So to configure mobile calls to be routed to the BRI device perform the following actions: S
84. supply the following elements: Number to Dial: number to dial to place the call on hold; Number of Lines: number of extensions available for parking; and Parking Max Time: the maximum amount of time a call can remain on hold. To park a call dial plus the number configured in the Number to Dial field. A message will inform you in which extension the call was parked into (let's assume it was 701). This call can then be answered from any internal extension dialing 701.

3.2.8.4.5 Hunt Groups
With this service you can create a group of phones so that when a call arrives for the group all phones in that group will ring at the same time. The first one to answer will keep the call. Configured huntgroups are displayed in a tabular form. You may create a new huntgroup (Add HuntGroup button), change a huntgroup's configuration (Edit HuntGroup button) or remove a huntgroup (Delete HuntGroup).
85. tab key, as in most shells. Typing help with the name of a command gives you the options available for that command. For example, typing help LAN gives the following output:

eOS> help LAN
Options
> LAN show                             show current configuration
> LAN static ip <ipaddress netmask>    set static configuration

For example, if you want to configure this interface to have IP address 192.168.100.254 with a netmask 255.255.255.0 you would type:

LAN static ip 192.168.100.254 255.255.255.0

Using edgeBOX
So far we've seen how to install and setup edgeBOX. In this chapter we will show some aspects of edgeBOX's usage from an end user's point of view.

Login window
[Figure: Login Window]
If Require Users to Login was ch
86. the Browse button and navigate to the location where you saved the antivirus engine file. Select it.
• Hit the Upload button and wait until the progress bar reaches 100%. Check the status returned to confirm the command was successful.
This transfer is done via FTP, so make sure that FTP traffic is allowed on the LAN side on your firewall configuration.

3.3.5.3.1.3 Update
This panel allows the edgeBOX to keep the Sophos antivirus engine automatically updated on a monthly basis. Please enter the username and password you received with your Sophos License registration and select the day of the month for this update to be executed.

3.3.5.3.2 McAfee
This panel allows you to upload the McAfee antivirus engine required to perform antivirus scans. Remember that you will have to buy an appropriate number of licenses in order to use this engine. You may also check the virus definitions database version and update it.

3.3.5.3.2.1 Information
This panel con
87. the connection select this VPN configuration in the initial menu.
[Figure: SSH Sentinel Statistics]
You can confirm the connection was in fact established checking SSH Sentinel's Statistics window or edgeBOX's VPN panel, where the new opened tunnel will appear under Active Tunnels.

10.1.2 GreenBow
Another certified IPsec VPN client is the GreenBow VPN client. After installation an icon will be visible in the tray bar. Selecting this icon will display the following window:
[Figure: TheGreenBow VPN Client]
88. to perform antivirus scans. Remember that you will have to buy an appropriate number of licenses in order to use this engine. You may also check the virus definitions database version and update it.
[Figure: Sophos Options]

3.3.5.3.1.1 Information
This panel contains the elements described next:
Version: The antivirus engine version installed. This element is read only.
Date of most recent IDE files: The date of the last virus definitions file installed.
Update IDE Files: Selecting this button will download the latest virus definition files. You must have a current license for Sophos in order to do this. The edgeBOX also performs this update automatically on a daily basis.

3.3.5.3.1.2 Upload and Install
This panel allows you to install a Sophos antivirus engine.
• Download the antivirus engine from the Sophos website. Bear in mind that you need to buy the appropriate number of licenses to use this software.
• but
89. to select the hours interval to which this rule will be applied. If you want the rule to be valid for a whole day, this interval should be defined from 00:00 to 23:59.
Actions: At least one action should be defined for each rule. The actions available here are exactly the same as when modifying a context in the IVR panel. In the same way, the actions have an execution order which may be changed using the Up and Down buttons. Using the Goto action, the call may be forwarded to any context defined in the IVR. Bear in mind that for a call to enter the IVR flow there should be an explicit rule here directing it to the IVR, using a Goto action to the IVR context.

3.2.8.2.4 DID Routes
Using DID routes it is possible to define rules for specific incoming call numbers. This functionality may be used when you wish to have a set of actions assigned to a specific number, for example to allow an internal extension to be accessed from outside directly. You may add a new DID route selecting the Add Route button, modify a DID route using the Edit Route button or remove a route selecting the Delete Route button. Please note that for DID routes to work we assume that hardware
90. to the remote network. This will be a public address.
Checking this option will allow you to enter the remote host IP.
This option will be available only if the previous checkbox is on. This will be the address of the host to which the tunnel will be established.
Checking this option will activate automatic keying. In this mode keys are automatically generated on connection establishment and periodically generated thereafter.
The expiration time for a short term key (the time after which a new key will be generated).
Algorithm used for encryption. Available choices are 3DES and AES.
Algorithm used for authentication. Available choices are MD5, SHA1 and SHA2.

3.3.3.3.1.2 Services Access
Services Allowed for Remote Host(s): In this table you can grant or revoke access to services running on edgeBOX for hosts in the external network. Check the cell corresponding to the service desired to grant access; uncheck it to revoke access.

3.3.3.3.1.3 Host
This panel allows you to configure access lists, specifically:
To allow access to your network hosts from hosts in the remote network; and
To deny some of your loc
91. untrusted networks but cannot access the trusted network. Usually these kinds of networks are used to house Internet servers (web servers, DNS servers, mail servers). The EWAN interface is used to support a DMZ in edgeBOX. This interface is configured with an IP address range accessible from the external network (in case the external network is the Internet, this range will be a public range and so your ISP must provide routing to it). Although this address space is accessible from the external network, you will have to explicitly grant access to hosts residing in it via appropriate rules. Next we will show the option available for configuring a DMZ.

Enable DMZ: Checking this option will enable DMZ support. Make sure you configure an appropriate address range for the EWAN interface (EWAN Ethernet configuration panel) and that traffic with this subnetwork as its destination is being appropriately routed to edgeBOX (usually this is your ISP's responsibility). After checking this option you will need to create rules to grant access to hosts residing in this subnetwork. The rules are shown in a table which can be modified with the following options: New, Edit and Delete.
[Figure: DMZ Rule Information]
New: Allows you to enter a new rule
92. Configuration Examples
The edgeBOX can run in different types of operational modes. The mode most suitable for your situation depends on several factors, including your current office network environment and Internet connection type. This section shows a complete scenario: a company's headquarters and its small remote office. Some aspects of this configuration will be dealt with separately: IVR configuration, IPsec VPN and Remote Switch. The complete scenario is displayed in the picture below.
On the left side is shown the configuration for the company's headquarters, while on the right is the company's remote office. Each site is connected through an IPsec tunnel. Also, a remote switch is configured between the two sites. In the sections that follow, each site's particular requirements will be presented as well as the guide to perform the configuration.

Scenario 1: SME branch office
The requirements for the SME branch office are the usual requirements one would expect to find for a small office:
• ADSL connection to the Internet using a dynamic configuration
• Private LAN protected by firewall but without the need for user authentication
• Wireless access
• Web and SMTP servers
• PPTP server for users connecting remotely
93. where the DNS server will be located. Suppose you have the following configuration:
• Wan IP: 194.65.2.2/30
• Gateway: 194.65.2.1
• DNS: 212.3.24.1
• DMZ network: 212.3.24.0/29
In edgeBOX's Control Centre do the following:
• Select Interfaces under the Network menu
• In the Wan panel enter the following information:
  IP Information: Static
  IP: 194.65.2.2
  Netmask: 255.255.255.252
  Gateway: 194.65.2.1
  Primary DNS: 212.3.24.1
• Press Apply
The DMZ will be enabled later in the firewall panel. However, the EWAN interface can be configured now. In the same menu option select the EWAN tab. Enter the following information:
  IP: 212.3.24.6
  Netmask: 255.255.255.248

6.2.2 Step 2: LAN connection and Security
In the HQ scenario it is predictable that there will be a large number of machines connected to the LAN. The LAN configuration will be as follows:
  IP: 10.1.0.254
  Netmask: 255.255.0.0
In edgeBOX's Control Centre select Interfaces under the Network menu. Fill in the fields with the previous information.
Next, to allow the machines to connect to the Internet we need network address translation. Do the following: In edgeBOX's Control Centre select NAT under the Security menu. Check the entries in the table. If there isn't an entry for the 10.1.0.0 network using device Wan then select Add. A dialog window will pop up
94. will be the remote LAN's address
  Remote Netmask: 255.255.255.0
  Remote Gateway: branchoffice.no-ip.org (remote office WAN address or hostname)
  Pre-shared key: 12222221
• Select the Services Access tab. Check all services
• Select the Host tab. Under Local Hosts Visible to External Hosts press the Add button and enter the following information:
  Origin: 10.1.0.0
  Netmask: 255.255.0.0
  Protocol: ALL
• Leave the table Local Hosts Denied blank
• Press OK
• Start the service if it isn't started yet
You will then need to configure this tunnel on the remote edgeBOX. To do so:
• In the Control Centre of the remote office's edgeBOX select the IPsec VPN option under the Security menu. A window will pop up. Enter the following information:
  Choose Network
  Check the Start on system boot checkbox
  Tunnel Name: hqtunnel
  Remote Network: 10.1.0.0
  Remote Netmask: 255.255.0.0
  Remote Gateway: edgebox.company.com
  Pre-shared key: 12222221
• Select the Services Access tab. Check all services
• Select the Host tab. Under Local Hosts Visible to External Hosts press the Add button and enter the following information:
  Origin: 192.168.1.0
  Netmask: 255.255.255.0
  Protocol: ALL
• Press OK
• Start the service if it isn't started yet
• Reload the IPsec VPN's panel
When the tunnel is established it will appear in the Active Tunnels
95. will download the latest virus definition files. edgeBOX also performs this update automatically on a daily basis.
[Figure: ClamAV Information panel]

4 Advanced Topics
In this chapter we will cover advanced configuration options such as:
• User and group management;
• Group policies;
• Quality of service for groups and services;
• System configuration;
• State information; and
• The CLI.

4.1 User and Group Management
User and group management are some of the key functions of edgeBOX. If you have user authentication turned on, access to services and resources will be granted only if the user provides their credentials (username and password). Users will exist in the context of a group and, as we will see in Policies, there are several items which can be configured to form a policy to apply to a group. A policy thus defines the type of access users in a group have to items such as the Internet, services running on the box, the enterprise network and VPNs. Additionally, there is the ability to specify which services a user will be able to use. This is done during user creation. In this section we will see how to deal with user and group management. To access user and group managemen
96. will expire some time later. This setting is particularly useful for users who are connecting from external networks (while traveling for example, the so-called Road Warriors) and for which we want to allow relaying. Bear in mind that you will have to grant access to the POP3 service from outside networks in the firewall configuration.

3.2.5.3 Access Control
In this panel you will be able to configure access control options such as:
• The list of banned domains/hosts; and
• The list of relay domains.

3.2.5.3.1 Ban List
A list with email addresses, host IPs, domains or hosts for which connections will not be accepted. Available actions are Add and Delete.
Add: After selecting Add a popup window will appear and you are required to select the type of entry you wish to add from the list of available types: Email Address, Host/Network IP Address, Hostname and Domain. When entering a value you may use wildcards. If a given domain is listed, all sub-domains will be banned. After selecting OK you have to select Apply in the main panel to make the changes effective.
Delete: Select an entry from the list and select Delete. To make this change p
97. gateway for the private network. This information is read only.
Remote From and Remote to: These two fields allow you to set the IP address range which will be assigned to clients connecting through PPTP.

MailScanner
In this page you can review and change edgeBOX's MailScanner options. New in edgeBOX version 4 is the ability to scan edgeBOX's windows shares and support for the McAfee virus scanning engine.
[Figure: MailScanner Page]
Currently support is available for three antivirus engines: Sophos, McAfee and ClamAV. edgeBOX is not shipped with the Sophos or the McAfee antivirus engines installed, so you will have to buy the appropriate number of licenses to use and upload them to edgeBOX. The following panels are available for configuration, each accessible through a named tab: Shares Scanner, Mail Scanner and Anti-Virus Engines. We will describe each of these panels in the following sections.
98. Contents (continued). Part IV Advanced Topics: 1 User and Group Management; 2 Policies; 3 Traffic Control; 5 System Configuration; Remote RADIUS Server Authentication
99. [Figure: NAT] NAT Enabled: If you want to enable NAT, check this option. NAT Table: To configure NAT for a network, the operations available are Add, Edit and Delete. Add: After selecting Add, a popup window will appear and you are required to enter the following information: IP: the IP address for the network to which you want to translate addresses (this is the address for the origin network, most likely your internal network); Netmask: the netmask used to access hosts in this network; and Interface: the interface used to reach this network. Select from the list, where possible values are WAN, EWAN and LAN. Edit: Allows you to modify an existing NAT definition. The options available are the same as when entering a new NAT configuration. Delete: To eliminate an entry for a network, just select the entry and press Delete. You will have to select Apply to make this change effective. 3.3.2.2 Port Forward: With port forwarding you can make a service running on an internal host visible to the outside world as if it was running on edgeBOX itself. The operations possible are Add, Edit and Delete. Port forwar
100. Contents (continued). 2 PPTP VPNs: New Connection wizard; Connecting to edgeBOX. Part XI Appendix C: Connecting to Wireless (2 WPA). Part XII Appendix D: Using Samba (1 edgeBOX as a PDC). Part XIII Appendix E: Virtual Hosts. Part XIV Appendix F: Softphone configuration. Part XV: END USER LICENSE AGREEMENT (EULA). Part XVI: Licence texts. Index. 1 Introducing edgeBOX: edgeBOX is an Internet server appliance suitable for many different types of network installations. From a simple home-based office Internet presence to a fully featured SME Internet gateway with user access control, accounting and Active Directory authentication, edgeBOX provides a large and rich set of communication services. Flexibility and simplicity are key features of edgeBOX, and an integrated Control Centre makes configuration and administration tasks easy to perform. edgeBOX is designed as a gateway connecting a local area network to the Internet. A second Ethernet interface also allows edgeBOX to be connected to an enterprise-wide private network. Main
101. 8.4.2 Chains Matching: This report shows the number of occurrences of the types of chain matching (the reason why the packet was rejected, for example dangerous, un-allowed). This information is presented in graphical (Pie 3D) and tabular format. 8.4.3 By Interface Packets: This report shows the rejected traffic per physical interface (eth0, etc.) in packets. This information is presented in graphical
102. [Figure: Options for Change Current IP] Activate DHCP Server: This option is unchecked by default. If you check this option, the machines on your network will be able to use a dynamic addressing scheme, i.e. fetching the IP address from edgeBOX. You will be required to enter the range of addresses that may be assigned by DHCP (Start address, End address). [Figure: Activate DHCP Server] Activate Wireless Access Point: This option is unchecked by default. If you check it, you will activate the edgeBOX AP and you will be required to enter the following information: SSID: the network public name (the default SSID is edgebox); and Activate Encryption: If you check this option you will need to choose the security type. Available types are: WEP (you will need to provide one key to use); 802.1x (you will need to choose the encryption type to be used, between WEP and WPA; in the latter case you will further need to provide either a passphrase or a PSK); WPA (you will need to provide a passphrase or a PSK).
103. By Protocol Packets: This report shows the rejected traffic in all the physical interfaces per protocol (TCP, UDP, etc.) in packets. This information is presented in graphical (Pie 3D, Pie 2D or line, selected by clicking the radio button) and tabular format. [Figure: chart by protocol traffic, number of packets] 8.4.6 By Protocol Occurrences: This report shows the number of occurrences traffic was rejected per protocol (TCP, UDP, etc.). This information is presented in graphical (Pie 3D, Pie 2D or line, selected by clicking the radio button) and tabular format. [Figure: by protocol traffic, number of occurrences]
105. 3.2.8.1.1 New: Allows you to add a phone to the system and associate it with an extension. Four panels are available for configuration: Basic, Advanced, Codecs and Privacy. The first panel contains basic options and its configuration is mandatory. All other panels contain advanced options for experienced users. If left unchanged, these panels will be filled with default configurations appropriate for most applications. 3.2.8.1.1.1 Basic: The configuration options available in this panel are: Protocol: The protocol to be used by the phone. Possible choices are SIP or IAX2. Extension Name: This will be the name used by the client when registering the phone with edgeBOX. Extension Number: The number to be assigned to the new extension. Password: Password to be used when registering this phone with edgeBOX. Voicemail: If you check Active VoiceMail, you will need to enter a PIN which the user will have to supply to access this mailbox. Additionally, you will also need to supply an email address where the new voice mail notifications will be sent
106. DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com). Original SSLeay License: Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved. This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The implementation was written so as to conform with Netscapes SSL. This library is free for commercial and non-commercial use as long as the following conditions are aheared to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com). Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at progra
107. Deliver Disinfected Messages: If you check this option, then infected attached documents will be automatically disinfected and sent to the original recipients. Quarantine Infections: If you check this option, then infected (dangerous) attachments will be stored in directories created under the quarantine directory. Quarantine Whole Message: If you check this option, then the whole message will be stored in quarantine and not just the attachments. Deliver Unparsable TNEF: If you check this option, you will allow the delivery of Rich Text Format attachments produced by some versions of Microsoft Outlook that cannot be completely decoded at present. Still Deliver Silent Viruses: If you check this option, messages that originally contained a silent virus will still be delivered, even if the addresses were chosen at random by the infected PC and did not correspond to anything a user intended to send. Sign Clean Messages: If you check this option, MailScanner will sign every clean message processed. Mark Infected Messages: If
108. [Figure: Traffic Control Configuration Page] As we've seen, one of the elements you can configure in a policy is the traffic control class. With this setting you may assign a special priority to the traffic coming from or going to a given group, resulting in a better service for the group. Before this setting becomes effective you have to configure and start the traffic control service. To access the configuration page, select the QoS menu option and then the Traffic Control submenu option. A page like the one shown above will display. Possible actions are Start/Stop (depending on whether the service is stopped or running) and Apply, which will be used when you want to change an existing configuration. The available options are similar for each interface, so we will just cover the WAN interface. The available options are Service State, Upload Information and Download Information. 4.3.1 Service State: This information is read-only and provides the current status of the service. Possible values are running and stopped. This is a global setting and applies to all interfaces. 4.3.2 Upload Information: In this section you can configure the QoS settings for outgoing traffic. There are four pre-defined QoS classes, each corresponding to different levels of QoS pr
109. END USER LICENSE AGREEMENT (EULA) FOR Critical Software S.A. (CRITICAL) EDGEBOX Software, October 2005. IMPORTANT, READ CAREFULLY: This End User License Agreement (EULA) is a legal agreement between you (either an individual or a single entity) and Critical Software S.A. (hereinafter CRITICAL), the manufacturer, for use of the Edgebox(tm) software (Licensed Software). By installing, copying or otherwise using the Licensed Software, you agree to be bound by the terms of this EULA. If you do not agree to the terms of this EULA, CRITICAL is unwilling to license the software to you. In such event, you may not use or copy the Licensed Software. 1. Definitions. 1.1 CRITICAL shall mean Critical Software S.A. and any of its affiliates, such as Critical Software Inc. and Critical Software technologies Ltd. 1.2 Licensed Software shall mean the EdgeBox software. The term Licensed Software is understood to specially include any and all Licensed Software Documentation, but specifically does not include open source components. Please see Section 8 for details on open source components. 1.3 The Licensed Software is intended for use in a single Computer. 1.4 License keys shall mean activation codes provided directly by Critical or its partners that are used by licensed users of the EdgeBox Software to activate its functionality for an authorized Computer. An authorized Computer is identified by a signature build of hardware parts
110. 8.5 Syslog: This report shows information about system logs. It can be exported in PDF format. It is possible to customise a filter (fill keyword) to limit the data presented and make analysis easier. You will have to press the Search button to retrieve the data. The results will be presented in a table with the date, the service (for example sendmail) and the message generated by the respective service.
111. Fill in the fields with the following information: Hostname: edgebox; Domain: branch.local. After you apply your configuration, a pop-up window will be displayed warning you that you have to restart your edgeBOX in order for the configuration to take effect. Do so by selecting OK. Basic connectivity is now configured. Next we are going to make sure there's name resolution for your internal clients. To do so: Load the Control Centre. Login as admin and select the DNS option under the Services menu. Under Domain Name select New. A pop-up window will be displayed. Fill in the fields with the following information: Domain Name: branch.local; Domain Type: Master; Domain Access: Internal; Network Address: 192.168.1.0; Name Server IP: 192.168.1.254. Press OK and then press Apply. Make sure the service status is Running. If it is not, press the Start button. As the address range we have chosen for our internal network is a private one, we will have to perform network address translation to allow our clients to access the Internet. To do so: Select the NAT option under the Security menu. If there is an entry in the table that does not fit your needs, select it and press Delete. Select Add. A window will pop up. Fill in the fields with the following values: IP: 192.168.1.0 (your LAN network address); Netmask: 255.255.255.0; Interface: wan. Press OK and apply the changes. From
112. [Figure: Security Policy] [Figure: Add VPN connection] Enter the IP address for the remote gateway in Gateway name; in our case it is 192.168.2.180. Selecting the button will make the Network Editor window pop up. In this dialog window you will define the remote network's IP address as well as its netmask. After pressing OK you will return to the Add VPN Connection dialog, where you can choose the network just configured. [Figure: Network Editor] [Figure: Add VPN connection] In the Authentication key field you should choose the preshared key previously created (myVPNKey). The encryption and authentication settings have to be consistent with those defined when creating the tunnel in edgeBOX, so you should confirm this by selecting Properties in the Add VPN Conn
113. Internet Message Access Protocol. Used to access mailboxes. VOIP: Voice Over Internet Protocol. Used by edgeBOX's PBX. SNMP: Simple Network Management Protocol. FTP: File Transfer Protocol. Used to update the users' personal page and intranet server. HTTP: Used to communicate with the web server. POP3: Post Office Protocol. Used to access mailboxes. CTI: Computer Telephony Integration. Used to access edgeBOX's PBX text management console. SAMBA: Open source implementation of Microsoft's SMB protocol. To grant access to a service in a specific interface, just check the box in the cell corresponding to the intersection of the service line with the interface column. When in doubt, the user is advised to leave unchecked at least the services in the external (WAN) interface. The user may also check Web Server Configuration, which will allow him to enter: Default Name for intranet Server: The default name to access the intranet server. Allow user directories: If this option is checked, each user will be allowed to have a personal web page. Pressing Enter will lead you to the final page. Final page: Complete Configuration. In this page you are given the opportunity to review all information entered in the previous steps. This is the final opportunity to confirm all the data entered before applying the edgeBOX configuration. The options availabl
114. 4.5.7.4 Root Email: Notifications and other status messages may be sent via email to the administrator responsible for the edgeBOX. The user interface will be updated when the Change button is clicked. Root Email: Set the email address of the root user, where notifications and status messages will be sent. Click on the Change button to set the email address. 4.5.7.5 Logs: Sets the amount of time log information is kept in the system. The number of months information is kept will have a direct impact on the time span of the reports produced by the reporting module. Be careful not to save too much information or you may run out of space. 4.5.7.6 Landing Page: With this option you can customise several aspects of the login page your local network users will use to authenticate, if the option Require users to login was checked on the Firewall panel. The following items may be configured: Notice: This option allows you to customize the message that will appear under the login form fields. By default this message will be blank. After changing the message, select the upload button to make this change permanent. Disclaimer
115. QoS classes assigned to WAN/EWAN connections; access to the Internet (time interval and services); access to edgeBOX's services (time interval and services); access to the EWAN (time interval and services); access to IPsec VPNs. As has been mentioned before, this kind of policy is handled at the firewall level. After a user authenticates, appropriate firewall rules are loaded in order to enforce his group policy. A user authenticating from a PC in the LAN will in fact revert to an IP/MAC address pair, and each rule loaded will refer to this pair. If the group to which the user belongs was granted access to the Internet, a firewall rule will be loaded allowing all traffic originating from this host to the Internet. If a group contains an IP address and Require users to login is enabled, then firewall rules reflecting this group's policy and featuring this IP will automatically be loaded, making it a static entry. A typical use of this feature is to automatically allow servers to access the Internet. Suppose you have a Windows update server. Making its IP a member of a group with access to the Internet will automatically enable access to the Internet for this server. 9.3 Putting all together: Suppose a user inside a LAN tries to access the Internet or an edgeBOX service and Require users to login is enabled. The complete sequence of events is as follows
116. MZ. Finally we need to enable mailscanning. Do the following: Select Mailscanner under Security. Select the Mailscanner tab. Check the Virus scanning checkbox. Choose an antivirus scanning engine. ClamAV is the only engine shipped with edgeBOX. Select it. Select Apply. Step 6: Backups. In this scenario edgeBOX will perform a full backup to the FTP server running on the Web server. To do so: In Control Centre choose Backup under the System menu. Enter the following information: Backup Type: Standard; Backup Time: Hours 3, Minutes 0; Backup Address: Select the wizard button. Follow the wizard and enter the following information: Interactive backup: FTP; Server Address: 10.1.0.1; Port: 21; Authentication: Yes; Username: edgebox_backup; Password: a4nwq12; Destination directory. Press Finish. Select the Schedule button. Step 7: VoIP features. In our scenario, besides the common features reviewed for the branch office, such as internal extensions, call rules and LCR, we need more advanced features. The need for a call centre, and to be able to access internal extensions at the same time, requires an advanced IVR configuration combined with DID routes. Also, as a means to enforce call permissions for users and to prevent users from the branch office from being able to place calls through the remote switch, authentication will be used. Finally, an ITSP will be configured to demonstrate the use of LCR. So to
117. Message Protocol; Internet Message Access Protocol; Internet Protocol; IP Security; Internet Service Provider; Internet Telephony Service Provider; Interactive Voice Response; Local Area Network; Lightweight Directory Access Protocol; LDAP Interchange Format; Logical Link Control; Media Access Control; Mail Exchange; Network Address Translation; Name Server; Network Time Protocol; Object Identifier; Private Branch eXchange; Primary Domain Controller; Adobe Portable Document Format; Post Office Protocol; Plain Old Telephone Service; Point To Point Over ATM; Point To Point Over Ethernet; Point To Point Tunnelling Protocol; Pre Shared Key; Public Switched Telephone Network; Quality Of Service; Session Initiation Protocol; Small Medium Enterprise; Simple Mail Transfer Protocol; Simple Network Management Protocol; Secure Shell; Service Set Identifier; Transport Control Protocol; Transport Layer Security; User Datagram Protocol; Universal Mobile Telecommunications Service; Uniform Resource Identifier; Uniform Resource Locator; Universal Serial Bus; Virtual Circuit; Virtual Channel Identifier; Voice Over Internet Protocol; Virtual Path Identifier; Virtual Private Network; Wide Area Network; Wired Equivalent Privacy; Windows Internet Naming Service; Wi-fi Protected Access.
118. OR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. Except as contained in this notice, the name of a copyright holder shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization of the copyright holder. 9. DB: Copyright (c) 1990-2002 Sleepycat Software. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Redistributions in any form must be accompanied by information on how to obtain complete source code for the DB software and any accompanying software that uses the DB software. The source code must either be included in the distribution or be available for no more than the cost of distribution plus a nominal fee, and must be freely redistributable under reasonable conditions. For an executable file, complete source code means the source code for all modules it contains. It does not
119. PN's. Press OK. Select the admins group and press Edit. Check Allow Internet Access. Set the Start Hours to 0:00. Set the Stop Hours to 23:59. Check Allow Service Access. Set the Start Hours to 0:00. Set the Stop Hours to 23:59. Check all services. Check Allow Enterprise Access. Set the Start Hours to 0:00. Set the Stop Hours to 23:59. Check Authorize access to VPN's. Press OK. Select the servers group and press Edit. Check Allow Internet Access. Set the Start Hours to 00:00. Set the Stop Hours to 23:59. Uncheck Allow Service Access. Uncheck Allow Enterprise Access. Uncheck Authorize access to VPN's. Press OK. 6.2.5 Step 5: Services. The services running on the HQ edgeBOX will be mainly accessible from the LAN. The requirements are: HTTP: Internal site to host the Intranet, accessible through intra.company.internal. SMTP: Receives mail and forwards it to the mail server on the DMZ. Sends mail from the internal hosts. Samba: Windows sharing service (LAN users only). Antivirus: Mailscanner service. To configure edgeBOX for this scenario, do the following: In Control Centre select the HTTP option under the Services menu. Select No in User Directories. In Virtual Hosts press New. Select LAN for Virtual Host. Enter intra in Server Name
120. Contents (continued). By Interface Occurrences; By Source Port Occurrences; By Destination Port Packets; By Destination Port Occurrences; By Source Address Packets; By Source Address Occurrences; By Destination Address Packets; By Destination Address Occurrences; By Service Packets; By Service Occurrences. Part IX Appendix A Authentication: 1 Authentication architecture; 2 Require users to login vs Group Policies; 3 Putting all together. Part X Appendix B VPN Setup
121. Pie 3D, Pie 2D or line (selected by clicking the radio button) and tabular format. [Figure: by interface traffic, number of packets] 8.4.4 By Interface Occurrences: This report shows the number of occurrences traffic was rejected per physical interface (eth0, etc.). This information is presented in graphical (Pie 3D, Pie 2D or line, selected by clicking the radio button) and tabular format. [Figure: by interface traffic, number of occurrences]
122. S/2 converter supplied. Connect a monitor to the monitor port located in the rear panel. The screen should display a prompt requesting a login/password to be entered. Connecting to edgeBOX's serial port: Yet another way to access the CLI is to connect to edgeBOX's serial port. You may use a terminal program like HyperTerminal. Configuration should be as follows: Bits per second: 38400; Data bits: 8; Parity: None; Stop bits: 1; Flow Control: Hardware. [Figure: Configuring a new connection using HyperTerminal] 1.5 Powering down the box: To switch off the box, press the front panel button. The system will perform a shutdown and will power off. The shutdown command may also be issued either from the web interface or from the command line. For more information on shutting down edgeBOX, please see Logoff. Quick Start: How to quickly install and configure edgeBOX. In this chapter you'll learn how to quickly configure edgeBOX using the web interface. For details on how to connect to edgeBOX's web interface see Connectin
123. [Screenshot: log console with alternating SEND and RECV Informational HASH NOTIFY entries] 10.2 PPTP VPNs. Next it will be shown how to set up a PPTP VPN connection to edgeBOX using the Microsoft Windows PPTP client. edgeBOX setup just requires the PPTP service to be started and a user authorised to use PPTP VPNs to exist. [Screenshot: New User dialog with the PPTP option checked] [Screenshot: VPN PPTP Configuration panel showing service state, user authentication type and IP ranges] Microsoft Wi
124. Simple Network Management Protocol. This panel controls the SNMP agent running on the edgeBOX. [Screenshot: SNMP Configuration panel with the SNMP RO Configuration and SNMP Trap Configuration sections] 4.5.9.1 SNMP RO Configuration. Configures read-only access to the edgeBOX. Enable RO Community: Enables the SNMP agent and allows read-only access to report the status of the edgeBOX. Community: The name of the community used when requesting access to the SNMP agent. Avoid well-known strings such as public, private or ones that are easy to guess (e.g. edgebox). Specifically, public is not allowed. Allow queries from: The host name or IP address of a computer which will be granted sole access to the SNMP agent. Queries from any other address will be rejected. Restrict access below this object: Enter an object identifier (OID). Access to objects below this level by any SNMP client is not allowed. 4.5.9.2 SNMP Trap Configuration. Allows notifications to be sent for requests to access objects by an SNMP client. Enable Traps: Enable notifications to be sent. Community: The
125. Tel 351 239989100, Fax 351 239989119. http://www.criticalsoftware.com http://www.edgebox.net edgebox support critical links com. 16 Licence texts. LICENSE TEXTS FOR OPEN SOURCE COMPONENTS AGGREGATED IN THE SAME MEDIA AS EDGEBOX SOFTWARE. Version 1, March 2005. 1. GNU GENERAL PUBLIC LICENSE, Version 2, June 1991. Copyright (C) 1989, 1991 Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble. The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of
126. ULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 2. The OpenLDAP Public License, Version 2.7, 7 September 2001. Redistribution and use of this software and associated documentation ("Software"), with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain copyright statements and notices, 2. Redistributions in binary form must reproduce applicable copyright statements and notices, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution, and 3. Redistributions must contain a verbatim copy of this document. The OpenLDAP Foundation may revise this license from time to time. Each revision is distinguished by a version number. You may use this S
127. X as a PDC. To configure edgeBOX to work as a PDC, all that has to be done is to check the PDC Support option on the Samba panel. [Screenshot: edgeBOX configured as PDC for mydomain] To add a machine to edgeBOX's domain, select System under the Windows Control Panel and then select the Computer Name tab. Select the Change button. In the dialog window that pops up, select the Domain option and enter your domain name (in our example it was mydomain). After you select OK to confirm the domain change, you will be required to supply credentials of a user belonging to the domain administrator's group. In edgeBOX you have to specifically supply the username Administrator, which has the same password as the admin user (defaults to root). [Screenshot: join domain dialog] [Screenshot: change domain dialog] If the
128. X software is distributed according to the End User License Agreement (EULA) included in Annex A of this User Guide. By using the software you agree to be bound by this EULA. If you do not agree to the terms and limitations of the EULA, you should not use the software. Product Support: For product technical support please visit the following web site: http://www.edgebox.net or contact us at the following email address: edgebox support criticalsoftware com. CRITICAL LINKS S.A., PARQUE INDUSTRIAL DE TAVEIRO, LOTE 48, 3045-504 COIMBRA, PORTUGAL, TEL 351 239989100, FAX 351 239989119. CRITICAL LINKS S.A., POLO TECNOLOGICO DE LISBOA, LOTE 1, ESTRADA DO PACO DO LUMIAR, 1600-546 LISBOA, PORTUGAL, TEL 351 217101192, FAX 351 217101103. CRITICAL SOFTWARE LIMITED, 111 NORTH MARKET STREET, SUITE 670, SAN JOSE, CALIFORNIA, USA 95113, TEL 1 408 9711231, FAX 1 408 3513330. Acronyms: HTTP, IMAP, IPSEC, UMTS, VOIP, WINS, WPA. Expansions: Active Directory; Asymmetric Digital Subscriber Line; Access Point; Command Line Interface; Common Name; Canonical Name; Database; Domain Component; Dynamic Host Configuration Protocol; Direct Inward Dialing; Domain Name Server; Differentiated Services Code Control Point; Encapsulating Security Payload; Enterprise Wide Area Network; File Transfer Protocol; Foreign eXchange Office; Foreign eXchange Subscriber; General Routing Encapsulation; HyperText Transfer Protocol; Inter Asterisk eXchange; Internet Control
129. [Screenshot: DNS configuration page] Next we will describe each element present in the main panel. 3.2.1.1 Service State. This item is read-only and provides information on the status of the service, i.e. if it is started or stopped. 3.2.1.2 Domain Name. In this table you have the list of domains configured, their type and access type. After you run the wizard at least one entry should be shown here, the one corresponding to the local private domain. edgeBOX automatically creates the forward and reverse zones and a set of hosts depending on the configuration entered. The available options are Hosts, New, Edit and Delete. [Screenshot: Domain Name table] 3.2.1.2.1 New. This option allows configuration of a new domain. After you select this option a pop-up window will appear requiring you to enter the following information: 3.2.1.2.2 Edit [Screenshot: New Domain Window] Domain Name: the name of the new domain. Domain Type: Select a value from the list. The available selections are Master and Forward
130. [Screenshot: Windows network connections window] If you want to close the safe before its time expires, go to the utilities menu and follow the Close this box link next to the safe you want to close. You will need to supply the password for the safe. If the operation completes successfully, the message Box closed will be displayed. [Screenshot: closing a box from the Safes main menu] 13 Appendix E Virtual Hosts. You can host several websites in edgeBOX and access them using different hostnames. The HTTP server will fetch the correct website requested. This is the web server's virtual hosts feature. Next is a description on how to create virtual hosts. Suppose you want to have an internal domain local.loc and want to have two websites: www.local.loc, the main website (for example a company's website), and a departmental website, for example marketin
131. a warranty and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. You may copy and distribute the Program or a work based on it under Sect
132. ace assigned to a new box. Boxes can range in size from 4 to 1024 Mbytes. Time Limit: The period a temporary box is available. Periods range from 30 minutes up to 12 hours. Max: The maximum number of Boxes that can be active at a given time. Up to 20 Boxes may be active at one time. [Screenshot: Samba Boxes tab] 3.2.6.6 USB Printers. The edgeBOX has 4 USB ports that can be used to connect printers that can be shared on the network. Note: In order to be able to share a printer the Samba service must be running. Connected: Displays a list of the printers currently plugged into the edgeBOX. Before a printer can be shared it must be configured. Select a printer and click on the Add button to add it to the list of configured printers. Configured: Displays a list of the printers currently shared over the network. To remove a printer from the network, select it from the list and click the Remove button. [Screenshot: USB Printers tab] 3 2 Web Filtering. The edgeBOX provides a web page filtering service that can be used to block access to web sites. Filtering can be performed on either domain names or by checking URLs for certain keywords
133. aimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY HARVARD AND ITS CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL HARVARD OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 10. Expat. Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd and Clark Cooper. Copyright (c) 2001, 2002 Expat maintainers. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software
134. ain is local.loc, the edgeBOX is located on 192.168.100.254 and edgeBOX's LDAP server root password is secret, then the replica section will look like: replica uri=ldap://192.168.100.254 tls=critical binddn="cn=Manager,dc=local,dc=loc" bindmethod=simple credentials=secret Important note: You will need a certificate in order to perform replication between the master LDAP server and edgeBOX's local LDAP server, since we're using TLS to perform this replication. You will need to download the certificate file located at http://192.168.100.254/certs Remember that you will have to select the Apply button for changes to become effective. [Figure: A possible LDAP Mail Routing scenario] 3.2.6 Samba. The Samba service allows edgeBOX to interact with other hos
135. al actions which in turn may trigger events such as creating conferences, queues or connecting to another context, thus resulting in a navigation flow between different contexts. The IVR system was implemented as a tree structure (see picture below), making it easy to understand the concept of navigating through the contexts. Each child node is either an action or a new context, which may be expanded or minimised. To add new actions to a context, select its icon and press Edit Context or, alternatively, double-click its icon. [Screenshot: IVR panel showing the context tree and the Edit Context button] 3.2.8.2.1.1 Edit Context. This panel allows you to modify a particular context. After selecting the desired trigger on the left panel, its list of actions will be visible on the panel on the right. Specifically you will be able to: Add new actions, by pressing the button Add Action (a popup window will appear requiring you to enter the action's details); Remove actions, by pressing the button Remove Action after selecting the desired action; and Modify an action's priority, selecting the d
136. al configuration is performed the LAN will most likely be connected to a switch or hub connected to an internal network. The interface used to connect to the Internet will depend on the method used. If another LAN or an external Cable or ADSL modem is to be used, then the interface to use will be the WAN interface. This is an Ethernet port located on the leftmost part of the rear panel. [Figure: edgeBOX connected to an external ADSL/Cable modem] 1 3 1 4 Connecting to an external ADSL cable modem. If the internal ADSL modem is to be used, then you will just have to plug a telephone cable from the wall jack providing the ADSL service to the ADSL port located in the rear panel. [Figure: Connecting to the Internet using the internal ADSL modem] If you want to use a supported USB ADSL modem, then you may use any of the USB ports located on the rear panel. Before setting up ADSL make sure that your modem is correctly powered up and connected to edgeBOX. Connecting to edgeBOX's console: It is also possible to connect directly to the console, which provides a command line interface (CLI). This method provides a limited subset of commands and is recommended only for advanced users. To connect to edgeBOX's console: Connect a keyboard to any of the USB ports located on the rear panel (you may use the supplied USB P
137. al hosts access to the remote network. [Screenshot: VPN Information, Access tab, with the tables Local Hosts visible to External Hosts and Local Hosts Denied Access to Remote LAN] By default, external hosts will not have access to any host in the network. This option allows you to configure local hosts' visibility from the external network. Available actions are Add and Delete. Add: After selecting Add, a popup window will appear requesting the following information: Origin: The IP address for the host in the network to which we want to grant access. Netmask: The netmask to apply. Port: The port to which we want to grant access. This option may be disabled or ignored depending on your choice of protocol. A range of ports may be specified by checking the Range box. The ports listed in the From and To fields will be granted access. Protocol: Select from the list. Available choices are TCP, UDP, ICMP and ALL. If ALL or ICMP are selected then Port will be ignored. Delete: Deletes an entry from this table. After selecting the entry, press Delete. Removing an entry from this table is the same as denying access to the host/service from hosts in the external network. By default, all hosts in the network will be able to use the tunnel. This option allows you to configure local hosts access to the
138. ange this setting if you have a static configuration on the WAN side, otherwise this list is populated automatically from the information fetched from the DHCP or PPP server on connection setup. There are two actions possible: New: A pop-up window will appear. Just enter the IP address for the Name Server. Delete: Select the Name Server IP and then select Apply for the changes to become effective. Transfer Format: Select a value from the list. Available values are One at a time and Many. Determines the format used by the server to transfer zones: many will pack as many records as possible into a maximum-sized message, whereas one will place a single record in each message. Max Transfer Time: Maximum time allowed for inbound zone transfers. Lookup Directly: Select a value from the list. Allowed values are Yes, No. If set to Yes and a query sent to a forwarder isn't answered, the server will try to answer it. If set to No, the server will forward queries to forwarders only. 3.2.2 Dynamic DNS. This panel allows you to configure the edgeBOX built-in client for Dynamic DNS services. This kind of service is usually used when you don't have a static IP configuration on the WAN side and still want to access your machine by a name of your choice. The edgeBOX supports DynDNS (http://www.dyndns.org) and No-IP (http://www.no-ip.org)
139. ary form with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system. Such a contradiction means you cannot use both them and the Library together in an executable that you distribute. 7. You may place library facilities that are a work based on the Library side-by-side in a single library together with other library facilities not covered by this License, and distribute such a combined library, provided that the separate distribution of the work based on the Library and of the other library facilities is otherwise permitted, and provided that you do these two things: a) Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities. This must be distributed under the terms of the Sections above. b) Give prominent notice with the combined library of the fact that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work. 8. You may not copy, modify, sublicense, link with, or distribute the Library except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, link with, or distribute the Library is void, and will automatically ter
140. assphrase: Enter an ASCII string, for example 4444PPPP. After entering this information select Apply. If the wireless status is not Running, press the Start button. Remember that client stations have to be configured according to these parameters. For details on configuring client stations to connect to edgeBOX's AP check Appendix C. 6.1.4 Step 4: Services and users accounts. Next, services configuration. In our scenario the requirements for a small office are: Web server for the company only (no homepages for the users); SMTP server; Windows Share services for the internal LAN; VoIP Services (check step 6). To configure edgeBOX for such a scenario perform the following actions: Login to the Control Centre. Select HTTP under the Services menu. Select No in User Directories. Press Apply. If the service state is Stopped, press the Start button. To be able to upload files to the web server you need to set a webmaster's password. To do so: In the same panel, enter the password for the webmaster in the New Password field; enter again the same password in the Confirm Password field. Press the Change button. You can now upload files to the webserver using the webmaster username with the password entered. The files should be uploaded to the inter directory. To setup the SMTP serve
141. [Screenshot: System Update log listing installed packages and the update system status] 4.5.8.2 Configuration. Update Mode: There are three ways to install the updates. Automatic: updates are downloaded and installed on edgeBOX without any action from an administrator, except if the packages to install require either a system reboot or a service restart. In the latter case the updates must be installed manually. Semi-automatic: updates are downloaded to edgeBOX and an administrator selects the ones to install from the list of available updates from the System Update panel. Manual: the list of available updates is displayed in the System Update menu and an administrator selects which ones to download and install. Click on the Change button to activate the selected Update mode. [Screenshot: System Update Configuration with Update Mode set to Manual] If Automatic updates are selected, the following fields are presented: Check for update
142. ata Encryption: AES. Additionally, the network key to be used must also be supplied. Remember that if you choose to use a preshared key it must have exactly 64 hexadecimal characters. If this connection is configured to be established manually, when you try to connect to it a dialog window will be shown asking you to supply the network key. [Screenshot: Wireless Configuration] [Screenshot: Network key dialog] 12 Appendix D Using Samba. In this appendix it will be shown how to use some of Samba's features, namely how to use edgeBOX as a PDC and how to use the safes functionality. Remember that users must be authorised for Windows use upon their creation in the system. [Screenshot: user creation dialog] 12.1 edgeBO
143. available for the remote edgeBOX users (making local calls, making call conferences, etc.), allowing you to make a conference call between two remote offices with no costs. 3.2.8.3.4.1 Add. Allows you to add a new remote switch configuration. You must supply the following data: Prefix: prefix to identify this connection; Name: connection name; Secret: password used to register with the remote edgeBOX; Host: remote edgeBOX address; Codecs: codecs to be used during calls between the two edgeBOXs (local and remote). [Screenshot: Remote Switch dialog] 3.2.8.3.5 Enum Config. edgeBOX supports Enum, which is a service mapping PSTN telephone numbers into VoIP URLs. If you activate Enum servers, edgeBOX will send a query to each active server to try to look up the called PSTN number. If a matching answer is received, the call will use the VoIP URL returned and so transparently divert to the Internet, having no cost. Otherwise the call will follow the route configured in the LCR. [Screenshot: Enum Config panel]
144. ayed once the operation is completed: a green colour will indicate the operation has been completed successfully or, in case of failure, the bar will be coloured red. Note: if you were already acquainted with edgeBOX's control centre graphical interface, you will notice that the log and the help panels have been dropped in this version, leaving more space in the main panel. This manual is now available online through the User Manual option in the Help menu. 2.2 The Initial Setup Wizard. Now we will show how to use the network configuration wizard to quickly configure edgeBOX. This is the preferred method for configuring edgeBOX if you are not a networking expert, as it will lead you through each step dealing with only the basic elements. Network administrators or users with a good knowledge of computer networking may consult the reference chapters to see how the different features and services are configured. [Screenshot text] Welcome to the Initial Setup Wizard. This initial setup wizard is intended to provide an easy way to get your new edgeBOX up and running in the least amount of time. You will be guided step by step through a series of configuration panels, with all the necessary information provided to help you set up the network, configure the services available and ensure the edgeBOX is secure. To co
145. batim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section above, provided that you also meet all of these conditions: a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty or else saying that you provide
146. be available. If you turn this setting on you will be able to control access to services and filter some types of attacks. If require users to login is enabled then you will not be able to change this setting; it will be turned on by default. WebAdmin Access. Wan: This checkbox controls whether the web administration interface can or cannot be accessed from the external network. When the firewall is enabled this setting will be changed to deny automatically. Remember that if you are accessing the web interface from the external network and you deny access to it, you will not be able to reconnect again. Ewan: This checkbox controls whether the web administration interface can or cannot be accessed from the enterprise network. Again, when you turn your firewall on this setting will be changed to deny. Remember that if you are accessing the web interface from the enterprise network and you deny access to it, you will not be able to reconnect again. Services: This panel allows you to grant or revoke access to the services running on edgeBOX for hosts in the internal, external and enterprise networks. To grant access to a service in a network, just check the cell corresponding to the intersection of the service line with the network column. When you disable the firewall all services are enabled by default; when you enable the firewall access to all serv
147. bled and you will need to provide information on VPI, VCI and Encapsulation. Check the information your ISP has given you. Keep Alive: Check this option if you want edgeBOX to keep trying to connect while a connection is not successfully established; otherwise edgeBOX will try for only 30 seconds. Obtain IP automatically: Check this option if you want the IP address to be fetched dynamically during connection setup. Query DNS: Check this option if you want DNS servers to be fetched on connection setup. [Figure: WAN Configuration, PPPoE] PPPoA: In this case you are configuring an ADSL connection for an internal modem. Check PPPoE with an internal modem, as the options listed there are similar. UMTS: In this case you are configuring the gateway providing a connection to a UMTS or 3G cellular network. In addition to the fields specifying the IP address, Netmask, Gateway address and DNS servers that show the configuration of the WAN network interface, the following fields are used to configure the cellular connection
148. button to place the action in the appropriate position. Press OK. Apply your changes. This concludes our scenario. IPsec VPN In our scenario we want to provide a connection between the internal LANs of each site. This could be accomplished using the EWAN interface. However, that would require a separate line. Another way of connecting the LANs is by using an IPsec VPN tunnel. By doing so, traffic between LANs is tunneled through the Internet. The disadvantage is that the required encryption will place an additional overhead on the connection. Suppose then the following requirements: Computers in the HQs site need to access all computers in the remote office. Computers in the branch office will need to access all computers in the HQs site. All services in each edgeBOX must be available to computers on the other site. These are very generic requirements. Accesses can be fine-tuned to exclude either machines to be visible from the other site or machines not to be able to use the VPN at all. To configure a VPN between the two sites, perform the following actions: In the Control Centre of the HQ's edgeBOX, select the IPsec VPN option under the Security menu. A window will pop up. Enter the following information: Choose Network. Check the Start on system boot checkbox. Tunnel Name: branchtumnel. Remote Network: 192.168.1.0 this
149. 3.3.5.1 Shares Scanner This panel allows you to configure edgeBOX's shares scanner. Options include: enabling shares scanning and choosing the engine to use; general options such as scheduling, notifications and infected file deletion. [Figure: Shares Scanner panel] 3.3.5.1.1 Virus Virus Scanner: The virus scanning package to use. Possible choices are Sophos, McAfee, ClamAV or None. Virus Scanning: Check this option if you want to enable virus scanning. 3.3.5.1.2 Options Remove Infected Files: If you check this option, then files found to be infected will be deleted. Send summary by e-Mail: Check this option if you want a shares scan report to be sent by email. Notification E-mail: The email address where the shares scan report will be sent. Scheduled Scanning: Use this option to configure the time when scans will be performed.
150. [Figures: SSH Sentinel Policy Editor: initial dialog window; entering the pre-shared key; the new key appears under My Keys] Next, switch to the first tab, Security Policy, where the tunnel will be defined. Start by expanding VPN Connections and selecting Add, after which you should press the Add button. The Add VPN Connection dialog window will pop up.
151. ck will be synchronised with a timeserver. Available options are described next. Date: Enter the current date, either by inserting the values directly or using the up/down controls. Timezone: Select from the list of available values. Time: Enter the current time, either by inserting the values directly or using the up/down controls. Daylight Saving Time: This option is read-only. Use Network Time Protocol: By checking this option, the NTP protocol will be used to fetch the time from a server. NTP Server: The server from which the time will be fetched. This list will only be available if the previous control is checked. 4.5.4 Syslog This menu option allows you to configure remote logging. You need to configure a syslog server to accept connections from the edgeBOX. The available options on this page are now described. Remote Logging: Checking this option will activate this feature. Remote Location: The IP address for the remote syslog server to which edgeBOX will send its logs. 4.5.5 Quota [Figure: Quota Configuration Page] This menu option allows you to configure disk quotas. By
152. ckin Delete will eliminate that entry on the port forwarding table. 3.3.3 VPN IPSec In this page you can review and change your IPSec VPN configuration. These kinds of VPNs are especially suited for establishing tunnels between two private networks over the Internet, connecting them securely. Globally, you can perform two actions, corresponding to the buttons present in the lower panel: toggle the service status (Start/Stop) and commit your changes (Apply). The elements present in this page are described below. [Figure: IPSec VPN connecting two private networks] 3.3.3.1 Service State This element is read-only and gives the service status information: running or stopped. 3.3.3.2 Active Tunnels This table shows you the active tunnels list. For each tunnel the following information will be displayed: local subnet, connection status, remote gateway and remote subnet. 3.3.3.3 VPNs This table gives a list of the tunnels currently configured. Possible Opera
153. ction for the authentication configuration, you should see a list of users (the imported users). Select the Groups tab. You should see an entry for the generic group. Press New to create a new group. Enter admins in the Group Name field and press OK. Press New to create a new group. Enter servers in the Group Name field and press OK. Select the servers group and press Edit. In the pop-up window, select Add IP. In the pop-up, enter 10.1.0.1 in the IP Address field and press OK. Press OK. Select the Users tab. Edit each user and move it to the desired group. Assign the right service permissions (by default all users will have permission to use regular services). Next we will change permissions for each group. After creation, a group will not have permission to use or access any service. To configure group permissions the way it was described earlier: In the Control Centre, select the Groups option under the Policies menu. Select the generic group and press Edit. Check Allow Internet Access. Set the Start Hours to 12:00. Set the Stop Hours to 14:00. Check Allow Service Access. Set the Start Hours to 0:00. Set the Stop Hours to 23:59 (all day). Check the following services: VoIP, FTP, HTTP and Samba. Check Allow Enterprise Access. Set the Start Hours to 0:00. Set the Stop Hours to 23:59. Check Authorize access to V
154. [Figure: Wireless Network Connection properties dialog] On the Authentication tab, select Protected EAP (PEAP) as the EAP type. Press the Properties button. On the dialog window that pops up, uncheck the Validate server certificate checkbox and select Secure password as the Authentication Method. Press the Configure button. [Figure: Protected EAP Properties dialog]
155. d class (for more details on quality of service, see Traffic Control). The default values are upBE and downBE, meaning all traffic will have the same treatment. You can, however, choose from the lists to give the Internet traffic to and/or from this group some priority by selecting another value. 4.2.1.3.2 Allow enterprise access If this option is unchecked, this group will not have access to the enterprise network and the next panel will be disabled. If you check this option, you can then fine-tune enterprise access using the options available in the next panel, which are: Time Period, Incoming and Outgoing. 4.2.1.3.2.1 Time Period You can grant access for the whole day (the default) or just to a time interval. Insert the limits for this interval directly in the fields or using the up/down controls. 4.2.1.3.2.2 Incoming By default, all incoming traffic from the enterprise network is denied access to the internal network. With this option you can allow incoming traffic based on its origin, port and/or protocol. This table displays the list of allowed connections. The options available are Add and Delete. Add: Creates a new entry in the table. After selecting Add, a popup window will appear requiring you to enter the following information: Origin IP: The IP address for the host/network we want to allow, which is startin
156. d type of files. To make the previous changes effective, you will have to select the Schedule button. [Figure: Backup Configuration panel] Restore Configuration If Activate Backup is checked, then the Restore Configuration panel will also be enabled, providing the following options. Note: The same Wizard is used to create the path to where the backups are stored. Backups may be restored from either a remote FTP server or from a USB disk connected to the edgeBOX. Location: The location where the backup files are located. Clicking on the Wizard button displays a dialogue panel and the Wizard will take the administrator through the steps required to create the path to the backup. Get Info: After filling these fields, selecting Get Info will fetch the list of available backups from the location supplied. Each row in the backups list will display the backup start time and end time. Selecting a row in the backups list will make its description appear in the list on the right. The backup description lists the available items backed up. A standard backup will include the following items: Web hosts, User directories, Variable data backup and Configuration backup. A confi
157. Protocol: protocol used in the rejected packet (TCP, UDP or ICMP). Src Address: source address of the rejected packet. Src Port: source port of the rejected packet. Dst Address: destination address (IP the packet was trying to access). Dst Port: destination port (specific port the packet was trying to access). Service: type of service of the packet, if applicable (for example HTTP, HTTPS, FTP). [Figure: Firewall report listing rejected packets]
158. ding is available on the WAN and EWAN network interfaces. [Figure: Port Forward panel] Add: This option adds a new entry to the port forwarding table. If you select Add, a pop-up window will appear requiring you to add the following information: External port: The port that will be seen from external networks. Internal IP: Internal host IP address where the service will be running. Internal Port: Port where the service will be running on the internal host. The External Range check box allows a range of ports, set using the From and To fields, to be mapped to the Internal IP address. Requests on all the ports in the range will be mapped to the single internal port. If the Internal Range box is checked, then there is a one-to-one mapping from the external port number to the corresponding internal port number. [Figure: Port Forwarding Information dialog] Edit: Allows you to modify an existing port forwarding definition. The options available are the same as when entering a new configuration. Delete: After selecting an entry, cli
159. 8.6 VoIP The reports in this group show information about edgeBOX's VoIP functionality and are presented in both graphical and tabular format. It is possible to export them in PDF format. 8.6.1 Top Callers This report shows the top 10 number of calls per caller id (phone where the call originated). The values presented in this report will be very similar to the ones in Top Sources, unless there is an extension or phone change. [Figure: Top Callers report] 8.6.2 Top Sources This report shows the top 10 number of calls per source (extension where the call originated, for example 8601). The values presented in this report will be very similar to the ones in Top Callers, unless there is an extension or phone change. 8.6.3 T
160. e select its Start/Stop check box so that a check is visible. [Figure: Service State page] Traffic Control This page allows you to view traffic control statistics per interface. To see non-zero values, you will have to start the traffic control service and assign traffic control classes either to groups or to services. For more information on configuring traffic control, please see Traffic Control. Each tab on this page represents an interface (currently WAN and EWAN), but the elements present in each are the same. We will describe these elements now. The statistics presented in these tab pages are based on information collected in the last 15 minutes. Upload information: This panel displays statistics about outbound traffic. The panel contains an indicator with the percentage of bandwidth consumed and, below, a table with the following information: total bandwidth (bps), dropped packets, transmitted bytes and transmitted packets. Download information: This panel displays statistics about inbo
161. e are: Previous: Returns to the previous step. Since this option is also available in each step, we can in fact perform a correction on any data entered in the previous steps. Cancel: Aborts the configuration. All data is lost and the configuration is not applied. This option is also available in each step. Finish: The configuration is applied to the box. After selecting Finish, please be patient, as this operation may take some time to execute. One of two situations may occur: You kept the internal interface (LAN) IP address: After the process is completed, you will return to the general information page (the first page you saw after you successfully logged in to the box), where you can run a quick check on the box configuration; or You changed the internal interface (LAN) IP address: You will lose the connection with the web interface. Depending on your client PC configuration, you may have to change its settings. Please wait some time (5 minutes) and reconnect to the web interface, pointing your browser to the new internal address of edgeBOX, port 8010 or 8011. For example, if the new address given to the LAN interface was 10.1.1.254, you should point your browser to http://10.1.1.254:8010 or http://10.1.1.254:8011. 3 Network Configuration Reference In the previous chapter we've seen how to quickly upload a working configuratio
162. e connection must then be initiated by the client. [Figure: VPN Information dialog, General tab] Also, if you wish to be able to access any of edgeBOX's services, then you should check them in the Services Access panel. [Figure: VPN Information dialog] You have to grant access explicitly to the machines you want to access inside edgeBOX's LAN. In the following example we chose to grant access to all hosts in the internal network. [Figure: VPN Information dialog] After applying the data entered, you can start the service. The screen on edgeBOX's control centre will look like the following picture. [Figure: VPN Configuration page with the service running] Next we will show how to configure and establish a co
163. e for configuration are the maximum size of safes, their maximum availability and the maximum number of safes active at the same time. [Figure: Configuration options for safes] Any LAN user can request a safe by accessing the utilities page http://<lan address>:8010 and following the Services option. The following page will be displayed. [Figure: edgeBOX utilities entry page] Follow the link Public Safes. Currently available safes will be displayed, as well as the current safes configuration parameters. To create a new safe, select Create a new safe. [Figure: Public Safes] Select the desired settings for your safe. Sizes available will always be less than or equal to the maximum size confi
164. e is the ability to have a voice mailbox where people calling during off-work hours can leave messages. Internal extensions can be assigned to a user upon user creation or created separately. It is not possible to assign an extension to an existing user. To configure edgeBOX to the scenario described, we will start by creating an extension. In Control Centre, choose VoIP under the Services menu. The first panel is the phone's panel. Press the New Phone button. Enter the following information: Protocol: SIP. Extension Name: jdoe. Extension Number: 401. Password: 625. Check Active Voicemail. Voicemail PIN: 2333. Email address: doe Wbranch local. To illustrate how you can automatically create an extension upon user creation, create a user in the following way: In Control Centre, choose Management under Users. Press New. The New User creation dialog window will pop up. Enter the following information: Username: voicemail. Real Name: voicemail. Group: generic. Password and Confirm Password: 4u4me. Check the following services under accesses: VoIP. A VoIP panel will become available below. Fill in the fields with the following values: Extension Number: 400. Extension Password: 2341. Pin: 2131. Permissions: local calls. This user was created solely with the intention of demonstrating how an extension may be created wh
165. e the settings for WAN. In each tab, corresponding to one particular interface, you have a list of the services' QoS configured. Each row lists a given configuration. Possible actions are Add, Edit and Delete. Add: After selecting Add, a popup window will be displayed requiring you to enter the following information. [Figure: Add ServiceQoS Window] Direction: Whether the traffic is arriving from the Internet or Enterprise network (InBound) or being sent across the Internet or Enterprise network (Outbound). QoS class: QoS class to assign to the traffic for this service. For Outbound traffic, choose from well-known values (upBE, upBronze, upSilver, upGold), or you may also choose pipes if they were created beforehand. For Inbound traffic, choose from downBE and downPremium. Protocol: Choose from the list; available options are TCP, UDP, GRE or ESP. Source Address: specifies the address where the traffic originates. Remote Address: specifies the destination address where the traffic is delivered. For Inbound traffic, checking the Use Local Address box will specify the edgeBOX as the Remote (destination) Address. For Outbound traffic, checking the Use Local Address box will specify the edgeBOX as the
166. eB Through this menu option you can review and change your wireless configuration. The actions available are: toggle the service state (Start/Stop) and Apply changes. These actions are available through the buttons in the lower panel. Possible scenarios for wireless configurations are depicted above. edgeBOX supports 802.1x authentication, allowing you to use its integrated authentication or use an external authentication server. Support for WPA is also included. Wireless configuration is divided into two panels, accessed through their tabs: Basic and Advanced. Each of these panels is described next. 3.1.2.1 Basic In this panel you can configure general elements such as SSID, channel selection, whether to ignore clients with broadcast SSIDs or not, and client access. Each of these options is described next. [Figure: Wireless Configuration, Basic tab] 3.1.2.1.1 Wireless Status This element is read-only and shows you the current state of the service. Possible values are Stopped and Running. 3.1.2.1.2 SSID Public name for your wireless network. 3.1.2.1.3 Channel Selection Select from the list. Available values are 1 to 12. If you experience signal degradation
167. [Figure: DNS configurations supported by edgeBOX] In this option you can review and change your DNS configuration. DNS (Domain Name Server) is a service that looks up information related to a domain. edgeBOX supports DNS through the well-known named server. It is possible to configure master and forward type name servers, as well as granting query access from internal or external networks. In the main panel you have the options which you may configure. On the bottom you have two buttons corresponding to two different actions: Stop/Start: The caption on this button will change depending on the service status; this button allows you to toggle its status. Apply: This button allows you to change the configuration while keeping the current service status. [Figure: DNS Configuration page]
168. eave this option unchecked, edgeBOX's Radius server will be used. With the new integrated authentication mechanism, the user's password to be used here will be the user's account password. Note that you will need to authorise access to wireless networking during the user's account creation. Radius Accounting: If you decide to use an external Radius server for authentication, you will also have the option of using an external Radius accounting server, which may not be the same one. You will have to provide the following: Radius Accounting IP: the external server's IP address. Radius Accounting Password: the external server's password. Radius Accounting Port: the external server's port. 3.1.2.2.3.2 Encryption type Allows you to choose the encryption scheme to be used. Possible values are WEP and WPA. [Figure: Encryption type selection] WEP: If selected, dynamic session WEP keys will be used. During the authentication handshake, session keys are exchanged. These session keys are later used to compute dynamic keys, making encryption more difficult to crack. WPA: If selected, WPA encryption will be used. Typically you will need to provide an initial key, which will then be used to compute a temporal key, thus resulting in a unique key for each client/AP association. Care should be taken in choosing this key, as a weak choice will make this scheme prone
169. ecked in the Firewall panel (for more information see Firewall Configuration), users will have to authenticate to be able to access services and resources. For example, if a client PC tries to access the Internet, a login window similar to the one above will be displayed. After entering your username and password, another popup window will be displayed, this time indicating you have successfully logged in. You must keep this window open to be able to access the network resources. If you close this window, you will be denied access and you will have to log in again. User Data Management So far we've used the web interface for configuring edgeBOX's services after logging in with the admin username. An ordinary user may also log in using the same web interface, allowing them to manage their data. After logging in, the user may choose one of two panels, selecting either General or VoIP. 5.2.1 General After selecting the General page, the user will be presented with a screen similar to the one in the picture below. The following options will be available: Name; Password and Confirm; Activate mail forward; Your disk quotas; and Activate vacation mail response. After changing any of these options, the user has to select Apply for changes to become effective. To leave this interface, the user may select Logout. A G
170. ection dialog [Figures: Rule Properties; Proposal Parameters] The Rule Properties dialog window will be visible. Under IPSec / IKE proposal, select Settings and make the necessary changes in the dialog window that pops up (Proposal Parameters), namely in the encryption algorithm and integrity function. After confirming all your choices, you should return to the Policy Editor window, where the tunnel just created should now be visible under VPN Connections. To open
171. ective. Edit: Allows you to modify the selected entry. To make this change effective, don't forget to select the Apply button. Delete: Select the entry you want to delete and then click on Delete. Don't forget to click Apply to make this change effective. 3.2.5.2.2 Webmail Domain Allows you to choose the domain which you want to set as your webmail domain. Only one domain may be a webmail domain. For details on using and accessing the webmail functionality, check Web Mail. 3.2.5.2.3 Storage If you choose local, then all mail will be stored on edgeBOX; if you choose remote, you will have to provide a hostname to which all mail will be relayed. 3.2.5.2.4 Max Connections The maximum number of simultaneous connections. After this number, connections will be rejected. If set to inf, then there will be no limit. 3.2.5.2.5 Max Message Size The maximum size of messages that will be accepted. Setting it to inf will accept messages of any size. 3.2.5.2.6 Block Unresolvable Domains Checking this option will cause all mail that arrives from unresolvable domains to be refused. This is the default behavior for security reasons, as this is a very common technique used by spammers. 3.2.5.2.7 SMTP Relay Support Checking this option means that you are allowing relay from users authenticated through POP3. This will be a limited authorisation, as it
172. elect the Mobile tab below. Fill in the Prefix field with 9 and press Add. In Route, select mMISDN 1. Apply your changes. Calls made to the mobile network (those starting with a 9) will be routed to the PSTN. To route international calls through VoIP buster, perform the following actions: Select the International tab. Fill in the Prefix field with 00 and press Add. In Route, select VoIPBuster. Apply your changes. Two more features are needed in order to build our scenario: the sound manager and the queues. Typically you will want to upload your own sound files; you may want to translate the existing files to your own language or create new messages not found in the system files. Suppose you have a file message.gsm you want to upload to edgeBOX. Perform the following actions: Select the Incoming Calls tab. Select the Sound Manager tab on the right. In the Upload Sound File panel, press the Browse button. Select your sound file. Press the Upload button. The uploaded file will now be available under My Sound Files. Queues are typically used in call centre scenarios, where a caller will wait for other calls to be serviced until his own is answered. Calls in queues are answered by agents, so we will start by configuring an agent. Perform the following actions: Select the PBX Features tab. Select the Agents tab on the right. Under Callback Login, check Enable. Enter 555
173. en X-Lite: X-Lite is a SIP softphone. It can be downloaded from http://www.xten.com/index.php?menu=download. Installation and basic configuration, such as audio, are out of the scope of this text. Next, the connection configuration options are displayed. Selecting back until the root menu is reached and then expanding the Network options, change the Out Bound SIP Proxy. The softphone is now configured and should be able to register in the edgeBOX. You can then dial 9999 to test your connection. 14.2 Idefisk: Idefisk is an IAX2 softphone which can be downloaded from http://www.asteriskguru.com/tools/idefisk_beta.php. Next, the connection configuration options are displayed. Again, the number 9999 can be dialed to test if the connection is working properly. 14.3 Express Talk: Express Talk is a SIP softphone which can be downloaded from http://www.nch.com.au/talk/index Next, the connection configuration options are shown.
174. en you add a user to the system. This automatically creates an extension with the voicemail name. The only data that actually will be assigned to the user is the pin and the permissions (only used when authentication is used in VoIP). So we now have two extensions: jdoe (401) and voicemail (400). Next, we are going to show how to make the extension 400 available for callers from the PSTN. For this, the IVR will be used. Perform the following actions: Select VoIP under Services. Select the Incoming Calls tab. Select the ivr and press Edit Context. On the panel that follows, select Add Action. In the pop-up window New IVR Action, enter the following information: Select After Press under Trigger Actions and enter 401. Select Dial under Actions. In Action Parameters, select 401 jdoe. Press OK. This action will appear in the IVR tree. Apply the changes. To be able to access the PSTN network, you need to configure outgoing routes. To do so: Select VoIP under Services. Select the upper Outbound Calls tab. Select the LCR tab on your right. On the tabs below, you should select the type of call for which you want to define a route. Available types are Local, Long Distance, International, Mobile and Free. After selecting a type of call, for example Local, you should define the prefixes you are going to use and the route for this type of call. If a prefix is not defined the call
175. eneral [Screenshot: user information panel] 5.2.1.1 Name: This element is read only and is the name of the user currently logged in. 5.2.1.2 Password and Confirm: These fields are used to update the user's password. If left blank, no change will be made. 5.2.1.3 Activate mail forward: If this option is checked, incoming mail for this user will be redirected to the email address entered in the field next to this option. 5.2.1.4 Your disk quotas: This table is included for informative purposes only; it displays the quotas configured and the space currently used by this user. 5.2.1.5 Activate vacation mail response: If you check this option, then the sender of an incoming email message for this user will receive an email with the message configured in the box that follows. 5.2.2 VoIP: This panel allows the user to configure some VoIP settings and to check voicemail messages. 5.2.2.1 Settings: This panel allows the user to configure some VoIP settings. The following options are available: Caller ID: the name by which cal
176. ent with least calls answered. Random: selects an agent randomly. RR with Memory: RoundRobin with memory, remembers which agent answered last and selects the next one. Max Callers: maximum number of calls that can be placed on this queue. Queue Priority: queue's relative priority to other queues configured. Music on Hold: music that will be played when the call is queued. Announce Hold Time: set to Yes if you want queue position to be announced, set to No otherwise. Leave When Empty: set to Yes if you want calls queued to be terminated if there are no agents assigned to the queue. Agents: For a queue to work correctly, agents must be assigned to it, since queued calls are answered by agents. To associate an agent with a queue, select the Agents tab page. The agents assigned to this queue are displayed in a tabular manner. To associate an agent with a queue, select the desired agent in the agents list and then press the Add button. To remove an existing association, select it on the table and press Remove. Note that for an agent to be available on the agents list, it must have been previously created using
177. ently discarded • Bounce: A rejection message is sent to the sender; and • Attachment: The original message is converted to the attachment of the message. RBL Servers: This feature allows you to have anti-spam protection based on existing spammers databases (the Realtime Blackhole List). After checking this option, you will have to provide hosts serving these lists. To manage the list you have two options: Add and Delete. [Screenshot: RBL Server Information] Add: Inserts a new host in the list of hosts that will be queried to check if the incoming mail domain was blacklisted. After selecting Add, a popup window will appear. Insert the hostname and select Ok. You then have to select Apply for changes to become effective. You can have as many hosts as you like. At the time of this publication, examples of hosts providing such lists are list.dsbl.org, sbl.spamhaus.org and bl.spamcop.net. Delete: Deletes an entry for a host from the list. You have to select Apply to make this change effective. 3.3.5.2.1.3 More Options: Notify Sender: If you check this option, notifications will be sent to the senders of infected messages. Send Notices: If you check this option, then every time a spam message is received a specific user will be notified
178. er SipPhone. After selecting the desired provider, you will need to supply a name for this provider and the necessary credentials (username and password). After pressing the Ok button, this provider will be available to use in a LCR route. If the desired provider is not found on the list, you can add it by using the Custom option and filling in the necessary fields: Protocol: the protocol used by the provider; Host: the provider's server address; NAT: activate if the provider is behind a router/firewall; and Codecs: select the codecs to be used (these codecs have to be supported by the provider). Using this option also allows you to use a SIP proxy for outbound calls. 3.2.8.3.4 Remote Switch: The Remote Switching functionality allows the creation of an IAX trunk between two edgeBOXs. Calls between these devices benefit from an optimised connection, resulting in a better use of bandwidth. You can check the remote switches configured in the system, which are displayed in tabular form. Options available are: Add, to add a remote switch configuration; Edit, to modify an existing remote switch configuration; and Delete, to remove a remote switch configuration.
179. er ICMP or ALL. The Range check box allows a range of ports (using the From and To fields) to be specified for the incoming traffic. • Protocol: Select from the list. Possible values are TCP, UDP, ICMP and ALL. After selecting OK, you will also have to select OK in the main panel for changes to become effective. Delete: Deletes an entry from the table, denying traffic for this connection. After selecting the entry from the table, selecting Delete will remove it. You have to select OK in the main panel for changes to become effective. Allowing incoming connections will only apply if NAT is not active for the external interface, i.e. the edgeBOX is working in pure router mode for this interface. If this is not the case, the internal network will not be visible from the outside and connections will always have to originate from the inside. 4.2.1.1.2.3 Outgoing: By default all outgoing traffic is allowed, i.e. traffic originating from the internal network to the Internet is granted access. With this option we can deny outgoing traffic based on its destination port and/or protocol. This table displays the list of connections denied. The options available are Add and Delete. Add: Creates a new entry in this table. After selecting Add, a popup window will appear requiring you to enter the following information: • Destinati
180. er the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Copyright (c) 1995, 1996 The President and Fellows of Harvard University. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following discl
181. ering E DOM EEN Words i RTE YOP PE E O Ginet New Basic Advanced Codecs Privacy Edit Delete INCOMINOGAlS EE IVR Editor Edit Context Add Action Goto Action Remove Action Internal Add Action Call Rules Add Rule DID Routes Add Route Sound Manager Outbound Fe UE Prefixes LCR Providers Add Remote Switch Add Enum Config Authentication PBX Features Manage Queues Add Queue Agents Add Agent Conferences Add Room Parking Hunt Groups Add HuntGroup Voicemail 2006 Critical Links SA Contents IV TCI ME 92 781 E CHE 92 o A A A 93 SINALOA E E EEE EE 93 Gr 9 e SE 94 ANAOQUSFXOD EXO ad da 95 ET EE 95 3 SecUri VS IVD anna 96 SIT UNN 96 el 97 IC EAR 99 o 100 O o tdcnaaasataea A 100 Porn FOrwWard nr ias 101 VUE 103 SSCS Stale arado data 104 AOINE TUS ode 104 IN cate E 104 ee WEE 104 ETC HE 105 Network HOSI EEN 105 Start on er 105 A 105 Remote Network INSIWOTK OM lisas ina 105 Remote Netmask Network only 105 Remote Gateway Network only 105 Ei eg acetates E AE E E ese EE T EEA E E ESET 106 MOSTIR ROSTON E 106 Perfect FOFW AIG SECI SCY iaa 106 POUT EE 106 CG viele SE 106 A1 et ue le WEE 106 Services PPP 0 IA 106 ele dE 106 Local Hosts ViebleioEviemalHoets 107 Local Hosts Denied Access to Remote AN 108 EO sciaenddon ou dana Pedmanstusedacusmianiensedelionsedeuasiadiceincten 108 tn A 108 VPNPPTP sra 108 le 109 KEE
182. ermanent, select Apply from the main panel. Eliminating an entry from this list means that you are allowing connections from that entry. [Screenshot: Ban list Entry] 3.2.5.3.2 Relay Domain List: A list with domains or hosts that will be allowed to relay mail. Relaying is denied for hosts on the Internet; with this list you can configure a list of trusted domains or hosts which you are willing to relay mail for. Two actions are possible: Add and Delete. Add: After you select Add, a popup window will appear requesting the domain or host name. After selecting OK, you have to select Apply on the main panel for changes to become effective. Delete: Deletes an entry from the relay domains list. After selecting the domain you want to eliminate (and thus deny relaying again), select Delete. You then have to select Apply in the main panel for this change to become effective. 3.2.5.4 Alias: In this panel you may edit the aliases list. 3.2.5.4.1 E-Mail Aliases: With this element you can provide alternate names for individual users, forward mail to another host or create mailing lists. This table has some predefined aliases related
183. es. In Policies you will see why you may be interested in having machines as members of a group. After selecting Add IP, a popup window will appear asking you to enter the IP address. After selecting OK, you still have to select OK in the main popup for the changes to become effective. Delete: After selecting the user or IP address you want to remove, select Delete. You will have to select OK in the main popup for changes to become effective. If you have selected a user, they will be assigned to the generic group; if you have selected an IP address, it will be removed. Delete: After selecting a group, Delete will remove it. All users belonging to this group will be assigned to the group generic. All IPs assigned to this group will be deleted. 4.2 Policies: Policy group configuration will be covered in this section. We will see the items available for configuration that, as a whole, will form a policy to apply to a group. To access group policies, choose in the menu Policies the submenu Groups. A page similar to this will be displayed. [Screenshot: Policy Groups Configuration] On this page is a list of groups and the
184. esired action and using the up/down buttons on the right. This window allows you to add a new action to a context. First you will need to define which event will trigger this action. There are four different types of triggers: After Press: a sequence entered by the caller; On Start: this action will be automatically triggered when a context is called; Timeout: this action will be triggered if there was no input from the caller 30 seconds after this context was called; Invalid: this action is fired if the caller inputs a sequence with no action assigned to it in the context. [Screenshot: New IVR Action] The following action types are available: Dial: a call will be placed for the chosen extension. You may choose any extension previously configured using the phones panel, as well as any FXS mode analogue ports or a
185. ess. If this option is unchecked, the group will not have access to the services running on the box and the next panel will be disabled. If you check this option, you may then fine-tune service access using the options available in the next panel, which are described below. Time Period: You can grant access for the whole day (the default) or just to a time interval. Insert the limits for this interval directly in the fields or using the up/down controls. Services: In this table you can choose exactly what services the group will be able to access. A check in the service's cell will grant access; not checking it will revoke access to it. Enterprise Access: In this panel we can configure the enterprise access options. This panel works in a similar way to the Internet access panel, except that this one applies to the enterprise network. The available items are: Quality of Service; and Allow enterprise access. [Screenshot: Group Policy, Enterprise Access] 4.2.1.3.1 Quality of Service: You can set both an upload class and a downloa
186. ess 192.168.100.200 will have the hostname mobile 200 local loc. 3.2.3.3.2 Delete: After selecting the interval to remove, press Delete. Check the status returned to confirm the operation completed successfully. 3.2.3.4 MAC/IP: This panel defines relations between MAC addresses and IP addresses. Host machines whose MAC address is listed here may still fetch the IP dynamically; however, this value will always be the same. The actions available are New and Delete. 3.2.3.4.1 New: After selecting New, a dialogue panel will be displayed. The following information must be provided: • MAC address: the network card address. To find this address you may use the command ipconfig /all in Windows or ifconfig in UNIX. • IP address: the IP address to be assigned. After selecting OK, check the status returned to confirm the operation was successful. [Screenshot: DHCP MAC/IP Association] 3.2.3.4.2 Delete: Select the MAC/IP relation you want to eliminate and then select Delete. Check the status to confirm the operation was successful. 3.2.4 HTTP: In this panel you can review and change the configuration for the http service running on edgeBOX, which is provided by an Apache web server. Two actions are possible, performed with the two buttons on the bottom-most panel: toggle service statu
187. evening hours. It is also possible to define special rules for weekends and holidays. At least one rule needs to be defined for incoming calls. To define a new rule, select the Add Rule button. Rules can also be modified using the Edit Rule button and removed using the Delete Rule button. 3.2.8.2.3.1 Add Rule: This panel allows you to create a call rule. For each rule definition, the time frame to which it applies and the actions to be executed have to be defined. Time frame: Weekdays: If you select this option, you will need to select the weekdays between which this rule will be applied. For example, if we want to define a rule to be applied during the weekend, the limits should be defined as Saturday and Sunday. Month Days: If you select this option, you will need to select the month days between which this rule will be applied. Use this option when you want to define a rule to be applied to a holiday. Hours: Regardless of the option selected for days (Weekdays or Month Days), you will also need
188. ever [Figure: Possible Remote Authentication Scenario] This menu option controls the method used to authenticate users and to grant access to services. Several different scenarios are possible. User credentials may be stored locally or fetched from a remote server. This refers to authentication, i.e. the way a user proves his identity. If the user supplies the correct credentials, access to the system is granted according to a predefined policy and to those services which a user has been set up for. Policies act at the firewall level. They define access to the Internet, to services, to the enterprise network and to VPNs. Another concept is service authorisation. During user creation, besides ordinary user data such as username and password, the set of services a user is allowed to access is also defined. These will be the only services the user will be allowed to use. These definitions may also be stored locally or remotely. Available configuration types are thus Local Server, Remote LDAP Server and Remote Radius Server. [Screenshot: Authentication Configuration] If you use local server authentication, user credentials will be validated against local user data. The authentication architecture
189. ew Selecting Configuration will display the following information on the panel on the right. [Screenshot: TheGreenBow VPN Client, Configuration panel] VPN tunnel configuration is done in two steps. To start phase 1, right-click on Configuration and select New Phase 1. The following window will then be visible. Remember that the security settings must be consistent with the settings entered when the tunnel was created on edgeBOX. Change the remaining parameters to fit your situation; in our example, 192.168.2.180 is edgeBOX's external interface and 192.168.2.95 is the client's IP address of the interface to be used. After pressing Save & Apply, right-click myVPN and select Add Phase 2. [Screenshot: TheGreenBow VPN Client, Phase 1 parameters]
190. features • Network connections using ADSL or Cable modems. • Optional internal ADSL modem. • Supports both dynamic and static addresses, allowing the configuration of a registered domain name if available. • DHCP server on the Intranet side with optional automatic name range generation. • Web server presence on both the Internet and Intranet side. Optional users' home pages. • DNS: Domain name server for both local private domain or as a master name server on the Internet. • Internet Mail server with anti-spam control and LDAP-based mail routing. This service is available if you have a registered domain and static IP address on the Internet side. • Supports SMTP relay for Road Warriors. • Full access control for both internal services and Internet access. • User-based access control: control access to resources based on the username. • Group-based access control. • See who is on your network and from what IP address. • User time and traffic based accounting. Supports optional Radius session servers. • Supports three types of user authentication: Local, Radius and LDAP. • Configuration and User data backup and restore. • System updates from a remote server. Keeps your system updated with the latest security patches. • Dynamic DNS: Supports both the DynDNS and No-IP services. • Optional Wireless Access Point feature. • IMAP and POP3 servers. Integrated mail access using the internal web server. • VPN gateway based on both the IPSEC
191. fic was rejected per destination port. This information is presented in graphical (Pie 3D, Pie 2D or line, selected by clicking the radio button) and tabular format. 8.4.11 By Source Address Packets: This report shows the rejected traffic per source address, in packets. This information is presented in graphical (Pie 3D, Pie 2D or line, selected by clicking the radio button) and tabular format. 8.4.12 By Source Address Occurrences
192. for the situation. One of the most important IVR actions is the Goto action, which allows navigation between the available contexts. After selecting this action, you need to supply the target context. This may be a previously created context or a new context. If you want to create a new context, select the New Context option and insert the new context name. The edit context panel is divided in two main sections. On the left side it is possible to select the event that will trigger its actions. After selecting an event, its actions will be visible in the right panel. The actions are ordered by priority, with the top-most being the ones executed first. The Up and Down buttons allow you to change the actions' execution order. Remember that you will need to press the OK button to confirm your changes. The IVR editor panel will then be visible again, where you can check all changes made to the context. If you've created a goto action to a new context, it is possible to select this context to edit its actions. Allows you to remove an action from a context. 3.2.8.2.2 Internal: This panel allows you to configure inte
193. free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will i
194. g.local.loc. To have this configuration, you should perform the following steps. Create DNS hosts for the websites you want to create. In this case, if the internal IP of edgeBOX is 192.168.100.254, you will have to create A records in DNS pointing to this address for www and marketing. For information on creating records on DNS, check Hosts. Next, you will need to upload files for your websites. For clarity, you can create two separate directory trees for your websites. The steps to do this are: In control centre, under the HTTP panel, change the webmaster's password if you haven't done so yet. Connect to edgeBOX's FTP server with the webmaster username. Create a directory to host the marketing website files, for example at the same level as inter, the directory for the main website. Upload the files for your websites. For the virtual hosts configuration, under the HTTP panel select New in the virtual hosts section to create a new virtual host. In the window that pops up, insert the following: Virtual Host: LAN (in this case we are configuring a LAN-only accessible virtual host). Server Name: marketing. Document Root: change to path and insert marketing, the name of the directory created (this is a relative path to the web site's root). Email: the email for the webmaster responsible for this website. It is not a mandatory field. After applying this information, you will be able to access marketing.local.loc. Howeve
195. g the connection. • Netmask: The netmask to apply. • Port: The service port we want to allow access to; this option will be disabled if the protocol chosen is either ICMP or ALL. The Range check box allows a range of ports (using the From and To fields) to be specified for the incoming traffic on the EWAN network interface. • Protocol: Select from the list. Possible values are TCP, UDP, ICMP and ALL. Delete: Deletes an entry from the table, denying traffic for this connection. After selecting the entry from the table, selecting Delete will remove it. You have to select OK in the main panel for changes to become effective. Allowing incoming connections will only apply if NAT is not active for the enterprise interface, i.e. the edgeBOX is working in pure router mode for this interface. If this is not the case, the internal network will not be visible from the enterprise and connections will always have to originate from the inside. 4.2.1.3.2.3 Outgoing: By default all outgoing traffic is allowed, i.e. traffic originating from the internal network to the enterprise network is granted access. With this option, outgoing traffic can be denied based on its destination port and/or protocol. This table displays the list of connections denied. The options available are Add and Delete. Add: Creates a new entry in the table. After selecting Add, a popup window will appear requiring you to enter the followi
196. g to the network. [Figure: Initial page, with Administration, Reporting and Services links] [Figure: Login page] After pointing your web browser to the web interface URL, you will be presented with a page similar to the figure above. Here you will be able to select between the administration page, the reporting page and the services page (for more information on these features please see Reporting and Services). After following the Administration link you will be presented with the login page. To log in, type username: admin, password: root. This is the default password for the administration account. The user is advised to change this password as soon as possible. For instructions on changing the administration password see Change Password. [Figure: Network Information and System Status panel]
197. gram or works based on it. 6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. It is
198. group to which this user will be assigned. If no groups are available at the time of creation, a group named generic will be created and this user will be added to it. Password and Confirm Password: The password to be used by this user to authenticate on the system. The user is advised to choose the password carefully, following a set of well known guidelines: not using any information personally related to them, mixing characters with non-alphanumeric symbols, etc. Accesses: The services this user will be able to use. Check the services desired to enable access to them. Available options are regular services (services running on edgeBOX such as SMTP, POP3, FTP and the Internet), Wireless (if 802.1x authentication is used), VoIP, PPTP and Windows use (Samba). If you check VoIP then additional options will be available for configuration. Extension Number: The extension number to be used by this user. Extension Password: The password used to register. Pin: The pin to be entered, if authentication is turned on, to check which type of calls the user has permission to make. Permissions: The type of calls the user is allowed to make. Available options are Local calls, Long distance calls, Mobile calls, International calls and Any type of calls. Each of these types includes its predecessors, so Long distance calls include Local calls, Mobile calls include both Long
199. gs enter the following information. Server Name: 10.1.0.1. Base Name: dc=company,dc=internal. LDAP Username: cn=Administrator (a user with permission to do LDAP binding). LDAP Password and Confirm LDAP Password: password for the user. Check the options Active Directory, Purge Existing Local Users and Import Users. Select Apply. Following the same policy as in the remote branch office, all unnecessary services will be denied access at the firewall level. The DNS, Email and Web servers will be placed in the DMZ. The SMTP server in edgeBOX needs to be accessible from the external network because it will receive email, perform virus scanning and forward it to the server in the DMZ. The list of services available from the external network will then be SMTP and SSH. From the DMZ no service needs to be accessible. The services available to LAN users will be DNS, SSH, FTP, HTTP, VoIP and Samba. To configure edgeBOX for this scenario do the following: In Control Centre select the Firewall option under Security. Check Require users To Login and uncheck Ewan and Wan in Webadmin access. Check Select All. Uncheck all services except SMTP and SSH for external; DNS, SSH, FTP, HTTP, VoIP and Samba for internal. Apply your configuration. For the DMZ configuration it is not enough to perform the actual physical connections: all hosts placed in the DMZ have to be made visible. Suppose the DNS is located at 212
200. guration backup will include only the configuration data. To restore backed up data follow the next steps: Fetch the list of backups from the backup server. Choose from the list of available backups. In the description list check the item you want to restore. Select Restore. Check the status returned. [Figure: Configuration Backup, Restore panel] Config. This menu option allows you to configure several aspects of edgeBOX's configuration, such as the administration password, the locale, the root email, the length of time for which edgeBOX will keep logs, and also to upload SpeedTouch's firmware and to customize the landing page. Admin Options. This option allows you to change the administration password. We strongly advise you change this password before connecting edgeBOX to any network (default values are login: admin, password: root). Enter the new password in fields New Password and Confirm Password and select Change. Check the status returned for errors. [Figure: Admin Options panel]
201. gured as well as the maximum time the safe will be available. To create the safe select Create safe. [Figure: Safe creation window] If the safe was successfully created, credentials to access it will be displayed. [Figure: Credentials to access the safe] Selecting Public Safes again will now display the safe just created. [Figure: Public safes list] To use the safe, access it like a normal Windows share, entering the credentials supplied to authenticate. [Figure: Windows connection dialog and share browser]
202. hange a port operation mode the PBX will be reinitialised and all ongoing calls will be hung up. [Figure: Edit ISDN Port] 3.2.8.5.2 ISDN PRI. One of the types of VoIP cards supported by edgeBOX is PRI Digium cards. These cards may have one, two or four spans. All spans detected will be displayed in a tabular manner, where you can also check some other span settings. Span Number: port number. Span Mode: port working mode. Available values are T1 or E1. This mode can be configured using a card jumper. Span Ports: number of ports associated with the span (31 ports in E1 mode, 22 ports in T1 mode). Group Number: group to which the span belongs. SwitchType: type of span to which the line will be connected. Some of the span properties can be changed. To do so, select the desired span and press the Edit Port button. You may also double click the desired span. [Figure: PRI spans configuration panel] 3.2.8.5.2.1 Edit Port. The following settings may be changed. Signalling: signall
203. has undergone major changes in edgeBOX version 4. Besides the services authorisation feature mentioned in the previous section, authentication for all services is now fully integrated, so any change in the type of authentication used will be immediately reflected in all services. For details on edgeBOX's authentication architecture please see appendix A. Whether you choose a local or remote authentication scheme (having credentials stored locally or remotely), a default structure is always created for each user, consisting of a home directory, group policy definition, etc. When the authentication scheme used is local, this structure is created on user creation; when it is remote, the structure is created upon the user's first successful authentication. No matter which authentication scheme is chosen, the option Purge Existing Local Users will always be available. This option allows you to delete all user data from edgeBOX. This is particularly important when you change the type of authentication scheme used, as it prevents inconsistencies appearing. You should always select this option when changing the authentication type. 4.5.1.1 Remote RADIUS Server Authentication. If you choose Remote Radius Server, a table will be populated with the servers to be used configured. You can use more than one server, causing them to be queried in sequence. If the first one is
204. he Edit Share panel is displayed. It contains the following fields. Name: The name of the shared directory. This field is disabled and cannot be changed. Path: The path to the folder on the edgeBOX file system. This field is disabled and cannot be changed. Description: A brief description of the folder and what it contains. Admins: A list of user names, separated by semi-colons, that are allowed to administer the shared folder, e.g. admin; bob; sarah. Public: Check this box if the shared folder is publicly accessible. Browseable: Check this box if the shared folder can be browsed. Writeable: Check this box if the shared folder can be written to. 3.2.6.4 Homes. Authorised users can have a home directory on the edgeBOX. The home directory works as a network folder only accessible to the user. Active: Activates the home directories for authorised edgeBOX users. The amount of space available to each user may be controlled by setting disk space quotas. Browseable: Allows other edgeBOX users read-only access to users' home directories. [Figure: Homes tab] 3.2.6.5 Boxes. Boxes are a great way to allow users to exchange files using a temporary folder. Boxes can be requested via the edgeBOX Services web page. Active: Activates the Boxes service. Size Limit: The amount of disk sp
205. he network host, and Device: the interface to use. Choose from the list. Select OK. Check the status returned. 3.1.3.2 Edit. To modify an existing route follow these steps: In the route table select the desired route and press the Edit button (you may also double click). Change the desired information. Select OK. Check the status returned. 3.1.3.3 Delete. To delete an existing route follow these steps: In the routing table select the route to delete. Select Delete. Check the Status returned to see if the operation was successful. 3.2 Services Menu. This menu option allows you to review and configure the settings for the services running on edgeBOX, namely DNS, Dynamic DNS, DHCP, HTTP, SMTP, Samba, Web filtering and VoIP. 3.2.1 DNS. [Figure: diagram of DNS queries between edgeBOX, the ISP's DNS server and hosts on the Internet]
206. his functionality: System Update, where you check for and install the new updates, and Configuration, where you set the configuration mode and options. 4.5.8.1 System Update. Available Updates: Displays a list of all of the updates that are currently available for edgeBOX and have not yet been installed. System Update Log: Reports all of the updates that have been applied to edgeBOX. The list can be cleared by clicking on the Clear Update Log button. Update System Status: Reports the current progress of the update process (download, installation of packages). Check: Clicking this button will immediately check for new updates. Whether the update is reported, downloaded or installed will depend on the Update model selected. Install: Installs all the Available Updates where the Install checkbox has been checked. [Figure: System Update panel with Available Updates and System Update Log tables]
207. ices will be disabled. [Figure: Services table with Internal, External and Enterprise columns] Black List. The list applies to the external interface only. The hosts in this list will be denied any connection to edgeBOX. The actions available are Add, Edit and Delete. Add: Selecting this option will make a pop-up window appear. Just enter the IP address for the host you want to blacklist and then press OK. Edit: Allows you to modify an entry in the black list table. A pop-up window will appear, filled with the entry selected. Press OK to change this entry in the table. Delete: After selecting the host you want to eliminate from the list of blacklisted hosts, select Delete. The line will be deleted from the list. You need to select Apply for the changes to become effective. 3.3.1.2 DMZ. According to the definition, a DMZ is a small subnetwork that sits between a trusted internal network (for example, a corporate internal network) and an untrusted external network, such as the Internet. This kind of network is used as a buffer between the two networks: hosts placed in this network are accessible either from trusted and
208. ics: last 24h, last week or last month. To do this, select the desired option in the radio button and press Search to generate the corresponding graphic. You can also generate a table with the average received traffic (bytes/s) per day and per physical interface. Here br0 stands for the LAN interface, imq stands for the intermediate queuing interface, eth2 stands for EWan interface, eth0 stands for WAN interface, lo stands for the Loop back interface and wlan or ath0 (depending on the specific wireless card used) stands for Wireless interface. eth interfaces assume the form ethn, where n can be 0, 1, 2 or 3, depending on the number of Ethernet cards in edgeBOX. Network Transmitted packets. This report shows the traffic transmitted by the box at the interfaces WAN, LAN and EWAN in packets per second. This information is presented in graphical format. You are able to define the time frame for these statistics: last 24h, last week or last month. To do this, select the desired option in the radio button and press Search to generate the corresponding graphic. You can also generate a table with the average received traffic (bytes/s) per day and per physical interface. Here br0 stands for the LAN interface, imq stands for the intermediate queuing interface, eth2 stands for EWan interface, eth0 stands for WAN interface, lo stands for the Loop back interface and
209. il message. From Email: origin e-mail address of notification messages. From String: name of the entity originating notification messages. Attach Message: when active, the voicemail message is attached to the notification message in audio format. Body Message Language: language used in notification messages. There are two available options: English and Portuguese. Signature: signature of the notification messages. [Figure: Voicemail configuration panel] 3.2.8.5 Hardware. edgeBOX supports automatic hardware detection. All supported VoIP cards are detected and the system is automatically configured so these cards can be used by the IP PBX. Only information related to the card currently installed in the system will be displayed in this panel. The supported VoIP cards are ISDN BRI, ISDN PRI and Analogue FXO/FXS. 3.2.8.5.1 ISDN BRI. edgeBOX supports BRI VoIP cards. It is possible to configure global settings such as the coun
210. include source code for modules or files that typically accompany the major components of the operating system on which the executable file runs. THIS SOFTWARE IS PROVIDED BY SLEEPYCAT SOFTWARE "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE DISCLAIMED. IN NO EVENT SHALL SLEEPYCAT SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Copyright (c) 1990, 1993, 1994, 1995 The Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neith
211. ing used by this span. Available options are PRI_CPE (used on the client side) and PRI_NET (used on the network side). SwitchType: switching used by the line. Available options are EuroISDN (used in Europe) and National (used in the USA). Context: incoming calls context; by default is incoming. Group: group to which this span is associated. 3.2.8.5.3 Analogue FXO/FXS. To allow connection to analogue lines, edgeBOX supports TDM Digium cards. FXO and FXS modules may be installed in this card. FXO Module: should be connected to an analogue line, allowing you to receive or make calls using the PSTN network. FXS Module: should be connected to an analogue phone. In these types of cards the only configurable parameter is the LoadZone, where the country initials may be selected so the dialtone used will be appropriate. All ports detected as FXS will be available when editing the IVR and in the internal extensions management system. All ports detected as FXO will be available as outbound routes in the LCR management system. 3.2.8.6 Generic. This panel allows you to configure edgeBOX PBX's general options. Logs: Allows you to keep logs of calls made via edgeBOX. Bear in mind that if you want to have VoIP reports you will have to set this option to Yes, otherwise there will be no data available to display. Manager: If you enable the
212. intelligence at the edge of the network. Critical Links, www.critical-links.com. edgeBOX Internet Server Appliance User's Guide V4.0. Copyright: This manual is copyrighted by Critical Links SA. Disclaimer: Precautions have been taken to assure accuracy of the information written in this user's manual. Typographic or pictorial errors that are brought to our attention will be corrected in subsequent issues. Product specifications in this manual are nominal and are provided for the convenience of our customers. They are all correct at the date of publication. Critical Links reserves the right to make product changes from time to time, without prior notification, which may change certain specifications or characteristics shown. We therefore recommend you to check for changes or updates before using for customer projects or further product developments. No material will be accepted for return unless Critical Links grants permission in writing. The handling, installation and usage of the edgeBOX are applicable to certain environments and may be required for code compliance. Features of the device will not provide protection against abuse, misuse, improper installation or maintenance. It is important that installation, operation and maintenance are performed in accordance with instructions supplied in the manual. Electricity and electrical devices must always be treated with caution and respect. End User License Agreement (EULA): The edgeBO
213. ion 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need no
214. ion will be performed by edgeBOX's Radius server. No additional configuration is needed, such as Radius user creation. Authorisation for PPTP VPN use is configured in the User Management panel. [Figure: Authentication Type, Local Authentication selected] 3.3.4.3.2 Remote Authentication. Displays the remote Radius server used to authenticate users. [Figure: Authentication Type, Remote Authentication selected, with Radius Configuration table] Add: A popup window will appear requesting the following information. Server IP: IP address for the Radius server. Server Port: The port where the radius daemon is running. Password: shared secret between edgeBOX and the radius server. Timeout: amount of time after which the connection will timeout, in seconds. After selecting OK, you have to select Apply in the main panel to make changes effective. Delete: After selecting an entry, select Delete to eliminate it from the table. You have to select Apply to make this change effective. 3.3.4.4 IP ranges. [Figure: IP Ranges panel] This element has the following information. Local: This is edgeBOX's LAN interface IP address. The remote client PC will use this address as the 20
215. iority: upGold, upSilver, upBronze and upBE. The latter is the default QoS class, with the lowest priority. You may also reserve a percentage of bandwidth for custom classes (pipes). In the event of congestion this percentage of bandwidth is always guaranteed for these pipes. The elements available are Maximum Uprate, Premium Bandwidth and DSCP Marking. [Figure: Upload Information panel] 4.3.2.1 Maximum Uprate. Maximum available bandwidth for the outbound connection. 4.3.2.2 Premium Bandwidth. The bandwidth percentage reserved to upload priority traffic. You can then further subdivide this bandwidth, assigning a percentage of this bandwidth to sub-connections (pipes). In case of congestion the bandwidth is guaranteed for each of these pipes. The table present in the next panel displays the current pipes configuration. To manage the pipe list you have 3 operations available: Add, Edit and Delete. Add: After selecting Add, a popup window will display. The following information will be required. Pipe Name: The identification for this pipe. Associated Percentage: The percentage of the Premium bandwidth reserved for this pipe. After selecting OK, the Total Bandwidth indicator will be updated, reflecting the amount of premium bandwidth al
216. ir access to the services running on the box, to the Internet and to the enterprise network. If the cell is unchecked then the group has no access to this resource; if the cell is checked then the group has some level of access to this resource. 4.2.1 Editing a Group Policy. To edit a policy for a group, select the row corresponding to the desired group and select Edit. The following options can be configured: Internet Access, Service Access, Enterprise Access, VPN Connections. 4.2.1.1 Internet Access. [Figure: Group Policy Edit Window] This panel allows configuration of the Internet access options. The available items are Quality of Service and Allow Internet Access. 4.2.1.1.1 Quality of Service. You can set both an upload class and a download class (for more details on quality of service check Traffic Control). The default values are upBE and downBE, meaning all traffic will have the same treatment. You can, however, choose from the lists to give the Internet traffic to and/or from this group some priority by selecting another value. 4.2.1.1.2 Allow
217. itical Links SA 154 edgeBOX User's Guide v4.0. This option allows you to customize the disclaimer text that will appear on the bottom of the page. After editing the disclaimer message, select the upload button to make this change permanent. Company Logo: This option allows you to insert your company logo. Use the Browse button to fetch the image file from your hard disk and the upload button to store it on edgeBOX. You can check the upload progress through the progress bar. [Figure: Landing Page configuration panel] 4.5.8 System Update. Updates are available for all software installed on edgeBOX. The updates include new functionality and performance increases for network services, as well as updates to improve security and correct any vulnerability reported. There are two panels which you may use to access t
218. lect the Retrieve button. A table should be visible if there is information available for the user entered. 4.6.6 Accumulated Session. In this page you can produce a report very similar to the one in the previous option (the same fields), but this time the values shown will be the accumulated values for all sessions. No data needs to be entered here, as these values are computed for all users. 4.6.7 Session Details. In this page you can produce reports like the one shown below. Here you will have a report, displayed in tabular form, for all sessions for a specific user during a specified interval. To produce a report: Enter the username for whom you want to produce this report in the Username field. Enter the start date in the From fields, using the up/down controls or editing the field directly. Enter the end date in the To fields, using the up/down controls or editing the field directly. Select the Retrieve button. After you hit the Retrieve button, a Session Summary table should be visible. A session is defined to be the time between a user login and logout, so each row will contain the start date and time (login time), IP (IP address from where the user logged in) and stop date and time (logout time). If you select an entry and hit the View info button, a window will pop up showing bandwidth usage per interface for the
219. lected. The following panels are available: Global, Access Control, Alias and LDAP. Each of these panels is selected using the appropriate tab and is described in the following sections. 3.2.5.1 Service State. This element is read-only and shows the current service status: running or stopped. 3.2.5.2 Global. In this panel you can configure general email options such as: Email domain(s) for which you will be receiving email; Type of storage used; Max simultaneous connections; Max message size; Blocking of unresolvable domains; and [Figure: Global email configuration panel] 3.2.5.2.1 Email Domain(s). A list with the alternate hostnames for this host and domains for which it will accept mail. Each entry has to be a fully qualified domain name. Available actions are Add, Edit and Delete. Add: After selecting this option, enter the Domain name, select OK, then click on the Apply button to make this change eff
220. licking the radio button, and tabular format. 8.3.5 Size Distribution Extensions: This report shows the types of extensions for the files passing through the proxy server, for example gif or exe. This information is presented in graphical (Pie 3D, Pie 2D or line, selected by clicking the radio button) and tabular format. 8.3.6 TCP Time: This report shows the values of the TCP time (time the proxy server takes to process a client request, in milliseconds), organised by ranges. The values displayed will be, for example, <0.1 msec, <0.2 msec, <100000 msec, <1e10 msec. This information is presented in graphical (Pie 3D, Pie 2D or line, selected by clicking the radio
221. locked. Enable: Check this box to enable web filtering based on a specific word in a URL. Add, Edit, Delete, Delete All: These buttons are used to edit the list of words currently filtered. Add from file: A list of words can be stored in an external text file and loaded into the list in a single step. Clicking on this button displays a file dialog panel which allows you to locate the file on the local file system where the browser is being displayed. 3.2.8 VoIP: edgeBOX integrates the Asterisk IP PBX to deliver a comprehensive Internet telephony solution. Its virtual PBX allows for the integration of ordinary VoIP extensions with analogue or digital (ISDN) phone lines. The VoIP configuration options are divided into six main categories, which are not completely independent: Phones, Incoming Calls, Outbound Calls, PBX Features, Hardware and Generic. 3.2.8.1 Phones: A phone is a VoIP client using one of the supported VoIP protocols, SIP or IAX. It may be a physical phone or a softphone, i.e. a telephony application (you can check a list of softphones at http www voip info org wiki VOIP Phones SoftPhones). After phones have been added to the system and associated with an extension, all VoIP clients need to register with edgeBOX to use the services it provides. In this panel the list of phones and extensions known to the system is displayed in a table. Available operations are New, Edit and Delete.
222. ls will be identified to the called party. Secret: password used to register with edgeBOX. The user will also be able to enable voicemail. By doing so, a PIN and an email address to receive notifications must be supplied. Inbox: This panel allows the user to check the list of voicemail messages. Individual messages may be played selecting the desired message and pressing the Play button. 5.3 Web Mail [Figure: Web Mail Login Page] If you have the SMTP service running with a web mail domain defined (see SMTP Email Domains), the HTTP server running, and you have allowed access to it, you may access the email service through a web browser. All you have to do is point your browser to the webmail directory on edgeBOX's web server. For example, if edgeBOX's LAN interface is configured with address 192.168.100.254, then you should point your browser to http://192.168.100.254/webmail
223. m startup or in documentation (online or textual) provided with the package. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. All advertising materials mentioning features or use of this software must display the following acknowledgement: "This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)". The word 'cryptographic' can be left out if the routines from the library being used are not cryptographic related. 4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: "This product includes software written by Tim Hudson (tjh@cryptsoft.com)". THIS SOFTWARE IS PROVIDED BY ERIC YOUNG "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL
224. mail for the responsible for this domain. 3.2.4.5.2 Edit: This option allows you to change a Virtual host configuration. The fields available are the same as for the new virtual host window. 3.2.4.5.3 Delete: An entry has to be selected. To make this change effective, select Apply. 3.2.4.6 Change Webmaster password 3 2 9 This option allows you to change the password for user webmaster. The user webmaster has FTP access and owns the directory tree for the intranet and Internet websites. The FTP root directory will initially contain two directories, intra and inter, corresponding to these websites, but more may be created, for example for virtual hosts websites. To change the password, type the password in the New Password and Confirm Password fields and select the button Change. Remember that this account is initially disabled, so you will have to set a password in order to use it. SMTP: This page allows you to review and change your mail server configuration. The edgeBOX implements this service using Sendmail. Again, the actions available are toggling the service state (Start/Stop) and applying (Apply) changes. There are two buttons on the lower panel that trigger these actions when se
225. mbination of DID routes with call rules and a more complex IVR tree. All PBX features can be included in the IVR, but in our example we are going to use only the queues configured previously: support and financial. The way our scenario is going to be built is quite simple: The IVR tree will have two child nodes, ivr1 and ivr2. The first one will be a context like the one in the branch office, allowing access to the internal extensions. The second one will implement the call centre. A DID route will be created with a phone number. Dialing this phone number will allow us to enter the ivr2 branch, corresponding to the call centre. This rule will have precedence. The default Call rule will not enter the IVR root but the ivr1 context instead. This way the internal extensions will be available and off work hours rules will apply. Let's start with the IVR configuration. For simplicity's sake, we will not implement a full call centre but just the menu entries to join the queues. To build the configuration, do the following: Select the Incoming Calls tab. Select ivr and press Edit Context. A panel with the ivr tree is displayed. Press the Add Action button. Select After Press and enter 1 (notice this is irrelevant, as this action will never happen). Under Actions, select Goto in Action. In Select Context, select New Context. Enter ivr1. Repeat the previous step, creating an ivr2 context. Press
226. ment. If you would like to enter into a Distribution or OEM Agreement, please contact Critical Software S.A. 3.7 This license does not entitle the user to any maintenance and technical support for the Licensed Software provided by CRITICAL or its Partner(s). Annual Maintenance and Support may be purchased separately from CRITICAL or its Partners. Please contact CRITICAL for more information. 4 License Restrictions 4.1 You may not reverse engineer, decompile or disassemble the Licensed Software, except and only to the extent that such activity is expressly permitted by applicable law notwithstanding this limitation. 4.2 You may not sell, rent, lease or sublicense the Licensed Software. 4.3 You may not modify the Software or create derivative works based upon the Software. 4.4 The Licensed Software is licensed as a single product. Its component parts may not be separated for use beyond the authorized Computer. 4.5 You may permanently transfer all of your rights under this EULA only as part of a sale or transfer of the Computer, provided you retain no copies, you transfer all of the Licensed software (including all component parts, the media and printed materials, any upgrades, this EULA and, if applicable, the Certificate(s) of Authenticity), AND the recipient agrees to the terms of this EULA. If the Licensed Software is an upgrade, any transfer must include all prior versions of the Licensed Software. For value added support
227. minate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 9. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Library or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Library (or any work based on the Library), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Library or works based on it. 10. Each time you redistribute the Library (or any work based on the Library), the recipient automatically receives a license from the original licensor to copy, distribute, link with or modify the Library subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties with this License. 11. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you ca
228. Phase 2: In phase 2, for a RoadWarrior configuration, select 0.0.0.0 as your VPN client address. To access edgeBOX's LAN, select Subnet address in Address type and fill in the data for Remote LAN address and Subnet Mask (we used edgeBOX's default settings, 192.168.100.0/24). Don't forget to check if the encryption and authentication schemes used are consistent with those configured in edgeBOX. After entering all the required information, press Save & Apply. [Figure: TheGreenBow VPN Client, Phase 2 (IPSec Configuration), VPN tunnel opened]
229. 8.4.7 By Source Port (Packets): This report shows the rejected traffic per source port, in packets. This information is presented in graphical (Pie 3D, Pie 2D or line, selected by clicking the radio button) and tabular format. 8.4.8 By Source Port (Occurrences): This report shows the number of occurrences traffic was rejected per source port. This information is presented in graphical (Pie 3D, Pie 2D or line, selected by clicking the radio button) and tabular format.
230. n call an extension on the remote site. Suppose there is a remote 400 extension: dialing 67400 will allow you to call it. Services: On the initial page, besides Administration and Reports, you will find a third option, Services. This option was mentioned briefly in Boxes Virtual Public Safe. We will now see how it works in detail. Please note this option will only be available for users connected through the LAN interface. Also, the HTTP and the Samba services must be running. After following the Services link on the initial page, you will enter the services page, where the following options are available: Main menu, Public Safes and Ewan Certificate. Main Menu: This option will take you back to the services initial page, where some information is displayed about the operations available. Public Safes: Every user may configure a temporary storage space which will be available for a limited interval of time. The administrator initially configures the maximum space and time available using the Samba panel in the control centre, thus activating this feature. This page may then be used to create the safes. After choosing this option, the list of existing safes will be displayed, showing the remaining time active. The options available are: create a new safe, remove a safe, and go back. Create a new safe: You will be asked to choose the si
231. n to edgeBOX using the setup wizard. In this chapter the web interface pages used to configure network options will be fully covered, allowing us to fine tune the setup. This chapter is intended as a reference for network administrators and experienced networking users. Network Menu: This menu option allows you to review and configure the network settings, specifically: connectivity interfaces, hostname and domain information, edgeBOX's Wireless access point (if available) and Static Routes. Interfaces: This menu option allows you to review and change the following settings: Hostname and Domain Information; LAN Ethernet Configuration; EWAN Ethernet Configuration; and WAN Ethernet Configuration. To access each of these options, select the appropriate tab. 3.1.1.1 Hostname and Domain Configuration: To change the hostname and/or the domain configuration, follow these steps
232. nario we want to be able to access the external interface by hostname, so the no-ip service will be used. To do so: On your web browser, go to no-ip's website. Create an account and then create a host with the name branchoffice. In edgeBOX's Control Centre, select Dynamic DNS under the Services menu. Insert the following information: DNS Server: No IP; Hostname: branchoffice; Username, Password, Confirm Password: fill in with your credentials. Apply your configuration. After a while you should be able to access branchoffice.no-ip.org. 6.1.2 Step 2: LAN connection and security. Next we are going to configure the LAN interface and the security settings. For the internal network we can assume, as this is a small office, a class C network will be enough. So, supposing the IP address for the LAN interface is 192.168.1.254 and the network address is 192.168.1.0/24, perform the following actions: In the Control Centre, under the Network menu, choose the Interfaces option. In the Interfaces panel, choose the LAN tab. Fill in the fields with the following data: IP: 192.168.1.254; Netmask: 255.255.255.0. Select Apply. Next, the hostname and internal domain will be configured. Suppose we choose edgebox for the hostname and branch.local for the internal domain. In the same panel, select the Hostname and Domain tab
233. ndividually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow. GNU GENERAL PUBLIC LICENSE: TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. 1. You may copy and distribute ver
234. ndows New Connection Wizard will be used to create a PPTP connection. 10.2.1 New connection wizard: After selecting the New Connection Wizard, an initial welcome window will be shown. Select Next to proceed to the Network Connection Type. In this window select Connect to the network at my workplace and then press Next. The Network Connection dialog window will be shown, where you should choose the Virtual Private Network connection option and press Next. [Figure: New Connection Wizard, Network Connection Type and Network Connection dialogs]
235. nformation about interfaces (the upper table) and another showing information about the connections established. For the interfaces table, each entry will contain the following information: name, state (if it is up or down), bytes in and bytes out, for the sum of inbound and outbound bytes transferred via the interface. For the connections table, each entry will contain the following information: source IP/user (the connection's origin; the user will be displayed only if selective authorisation is on), source port, destination IP and destination port. 4.6.3 Services: This page will display a table with service state information. For each service line (currently the following services are listed: FTP, DNS, SMTP, HTTP, asterisk, samba and DHCP) you will have a column displaying the current service state and a column with a check box that will allow you to change the service state. To change the service state, proceed as follows: otherwise it will be stopped. Select the Apply button. If you want to start a servic
236. ng scheme has to be static. You may, however, have a dynamic addressing scheme and use a Dynamic DNS service (for more information see Dynamic DNS). If you don't have a registered domain or plan to use a Dynamic DNS service, leave this option unchecked. [Figure: Options for Registered Domain] If you don't have a registered domain, you may still choose between a static or dynamic addressing scheme by checking or unchecking Obtain IP automatically. If you don't check this option, you will be required to enter the following information: IP, i.e. the IP address for the WAN interface; Netmask, the netmask to be used on the WAN interface; Gateway, the gateway which will route traffic to and from the Internet; and Primary and Secondary DNS, the IP addresses for your name servers. If you check Query DNS, the DNS configuration will be fetched during connection setup; checking this option will deactiva
237. ng information: Destination IP: host or network address which we want to deny connections to. Netmask: the netmask to apply. Destination Port: the service port we want to deny access to. This option will be disabled if the protocol is either ICMP or ALL. The Range check box allows a range of ports, using the From and To fields, to be specified for the outgoing traffic on the EWAN network interface. Protocol: select from the list. Possible values are TCP, UDP, ICMP and ALL. Delete: Deletes an entry from the table, allowing traffic for this connection. After selecting the entry from the table, selecting Delete will remove it. You have to select OK in the main panel for changes to become effective. 4.2.1.4 VPN Connections: If Authorise access to VPNs is checked, then we are allowing the members of the group to use IPSEC VPN tunnels; otherwise access is denied. Bear in mind that this definition will override the access granted in the VPN configuration. 4.3 Traffic Control
238. nitions files in the Library will not necessarily be able to recompile the application to use the modified definitions. b) Use a suitable shared library mechanism for linking with the Library. A suitable mechanism is one that (1) uses at run time a copy of the library already present on the user's computer system, rather than copying library functions into the executable, and (2) will operate properly with a modified version of the library, if the user installs one, as long as the modified version is interface compatible with the version that the work was made with. c) Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution. d) If distribution of the work is made by offering access to copy from a designated place, offer equivalent access to copy the above specified materials from the same place. e) Verify that the user has already received a copy of these materials or that you have already sent this user a copy. For an executable, the required form of the "work that uses the Library" must include any data and utility programs needed for reproducing the executable from it. However, as a special exception, the materials to be distributed need not include anything that is normally distributed (in either source or bin
239. nnection using two supported clients: SSH Sentinel and GreenBow. 10.1.1 SSH Sentinel: It will now be shown how to configure an IPsec tunnel using SSH Sentinel. After installing this application, an icon will be visible in the tray bar. After clicking on this icon, a menu will be visible where the Run Policy Editor option should be chosen. On the window that pops up, choose the Key Management tab and expand My Keys. Select new preshared key and press the Add button. The New Authentication Key wizard will be started. [Figure: Key management panel] On the initial dialog window you should choose Create a pre shared key and then select Next. The actual key is entered in the second wizard dialog window, where you should also enter a name to identify this key. After you do this, you may press the Finish button. [Figure: New Authentication Key wizard, Pre-Shared Key Information]
240. [Contents fragment; recoverable entries: Remote LDAP Server Authentication; SNMP Trap Configuration; Accumulated Session; Session Details; Part V Using edgeBOX; Login; User Data; Password and Confirm; Part VI Configuration Examples; 1 Scenario 1]
241. nnot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all. For example, if a patent license would not permit royalty free redistribution of the Library by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Library. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply, and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system, and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.
242. notification of CRITICAL of the transfer is strongly recommended. 4.6 In the event that you fail to comply with this EULA, CRITICAL may immediately terminate the license and you must destroy all copies of the Software, with all other rights of both parties and all other provisions of this EULA surviving any such termination. Limited Software Warranty 5.1 CRITICAL warrants that the Licensed Software will function substantially in accordance with the documentation and specification for its operation for a period of 30 (thirty) days and will work on a best effort basis to correct flaws. However, the Licensed Software is licensed without any warranty of merchantability or fitness for any particular purpose. 5.2 CRITICAL shall not be responsible for any consequential or any other direct or indirect damages arising from the use of the Licensed Software or related components or documentation, even if it has been advised of the possibility of such damages. 5.3 No oral or written information or advice given by CRITICAL, its dealers, distributors, agents or employees shall create a warranty or in any way increase the scope of any warranty provided herein. 5.4 You may have other rights, and these rights as a consumer may vary from country to country. 6 Upgrades: If the Licensed Software is an upgrade from another product, whether or not from CRITICAL, you ma
243. ntinue with this wizard, click the Next at the bottom of the panel or click the Cancel button to end this process. [Figure: Wizard Welcome Page] To start the configuration wizard, select Initial Setup from the Wizards menu. The welcome page shown will appear. Pressing Next will lead you to step 1. If you plan to use a supported USB ADSL modem, make sure it is properly powered up and connected to edgeBOX before booting the box, or it will not be detected. 2.2.1 Step 1: Registered Domain [Figure: Step 1, Registered Domain] In Step 1 you will be required to enter information describing your Internet connection and domain. If you have a registered domain, then you should check Registered Domain. The following options will then be displayed: Hostname, i.e. the name edgeBOX will be known by in this domain; Public Domain, the name of the registered domain; Secondary Name Server IP, the IP address of a secondary name server for your domain, if it exists; and Local Mailbox Storage. Having a registered domain inactivates the check box Obtain IP automatically; the addressi
244. ny NT mode digital ports available in BRI cards Voicemail the call will be forwarded to the chosen extension s voicemail You may choose any extension with an active voicemail Goto The call will be routed to another context For more details check Goto Action Hangup this action will terminate the call Wait a pause is introduced in the call You will need to specify the number of seconds this pause will last Queue the call will be forwarded to a queue You may choose any queue previously configured in the system MeetMe this call will join a conference You may choose any static conference previously configured in the system HuntGroup all phones associated with the selected huntgroup will ring The call will be forwarded to the first one to answer You may choose any hunt group previously configured in the system PlayBack the selected sound file will be played and all numbers entered by the caller will be ignored Background the selected sound file will be played but this time all numbers entered by the caller will be processed and resulting actions will be performed To select a sound file press the Select Sound File button A new popup window will display allowing you to choose the sound file either from System Files or from My Sound Files files uploaded by the administrator You may listen to the files using the Play button This way you may choose the sound file most appropriate
245. o limit this access by enforcing an access policy. This is done by enabling Require users to login on the Firewall panel. The policies are enforced at the firewall level. This is always the first level of access to be tested: if users are required to log in (here "users" refers to LAN users), any connections of the type mentioned above are denied, the exceptions being connections to edgeBOX's authentication page and to edgeBOX's control centre; denied connections are in fact discarded by the firewall. If a user wants to access the Internet, the following steps must be taken. The user accesses edgeBOX's authentication page, or some website running on port 80, which causes a redirection to edgeBOX's authentication page. The user enters his credentials (username and password). If the credentials entered were valid, the user may or may not be granted access, depending on his group policy. From this moment on, and if this user's policy grants him access to the Internet, he will be able to access any remote service. Furthermore, a pop-up window will be displayed, allowing him to log out. This pop-up window must be kept open to keep the user authenticated. If this window is closed and no network traffic is detected originating from this user's machine, the authentication will time out and the user will have to re-authenticate in order to access the Internet. The timeout is set to five minutes. Group policies allow the following items to be configured:
246. oftware under terms of this license revision or under the terms of any subsequent revision of the license THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS CONTRIBUTORS AS IS AND ANY EXPRESSED OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE OPENLDAP FOUNDATION ITS CONTRIBUTORS OR THE AUTHOR S OR OWNER S OF THE SOFTWARE BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THEPOSSIBILITY OF SUCH DAMAGE The names of the authors and copyright holders must not be used in advertising or otherwise to promote the sale use or other dealing in this Software without specific written prior permission Title to copyright in this Software shall at all times remain with copyright holders OpenLDAP is a registered trademark of the OpenLDAP Foundation Copyright 1999 2001 The OpenLDAP Foundation Redwood City California USA All Rights Reserved Permission to copy and distribute verbatim copies of this document is granted 2006 Critical Links SA
247. on 6 Any executables containing that work also fall under Section 6 whether or not they are linked directly with the Library itself 6 As an exception to the Sections above you may also combine or link a work that uses the Library with the Library to produce a work containing portions of the Library and distribute that work under terms of your choice provided that the terms permit modification of the work for the customer s own use and reverse engineering for debugging such modifications You must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License You must supply a copy of this License If the work during execution displays copyright notices you must include the copyright notice for the Library among them as well as a reference directing the user to the copy of this License Also you must do one of these things a Accompany the work with the complete corresponding machine readable source code for the Library including whatever changes were used in the work which must be distributed under Sections 1 and 2 above and if the work is an executable linked with the Library with the complete machine readable work that uses the Library as object code and or source code so that the user can modify the Library and then relink to produce a modified executable containing the modified Library It is understood that the user who changes the contents of defi
248. on IP Host or network address which we want to deny connections to e Netmask The netmask to apply e Destination Port The service port we want to deny access to This option will be disabled if the protocol chosen is either ICMP or ALL The Range check box allows a range of ports using the From and To fields to be specified for the outgoing traffic e Protocol Select from the list Possible values are TCP UDP ICMP and ALL After selecting OK you will also have to select OK in the main panel for changes to become effective Delete Deletes an entry from the table allowing traffic for this connection After selecting the entry from the table selecting Delete will remove it You have to select OK in the main panel for changes to become effective 2006 Critical Links SA 134 edgeBOX User s Guide v4 0 4 2 1 2 4 2 1 3 Service Access Group Policy SE e Allow Service Access Time Perlod Stark Hours OS Minutes 05 Stom Mous 235 Minutes 59 Services law Disallow Enterpllse Access Quality oF Service Upload Class upBE wll Download Glass dote Ls Aliow Enterprise Access Time Period Start Hours Ri Minutes SE stop Hous 295 Minutes 29 Incamirig Netas Service Acesss In this panel we can configure the access options for the services The items available for this option are Allow Service Acc
249. onnection Premium Bandwidth Available bandwidth percentage that will be assigned to priority download traffic In the download connection there are just two QoS classes downBE and downPremium Traffic belonging to the QoS class downPremium will have an amount of bandwidth reserved in case of congestion whereas for downBE best effort the default no guarantee will be given Daten sc fraen alen Meiran Douprzter 99999 pits tal ge CL Premium Barcyidth Yoa ly ay al 0 40 20 30 40 50 1660 70 80 40 2006 Critical Links SA 140 edgeBOX User s Guide v4 0 4 4 4 4 1 Services QoS System Metwork Serices Security Go Pollas State Users Wizards Help wan Ewan reten l Qos Class Protocol Source ddress Bestination Address Port inbound douwr g dep 000 000 10 0 0 0 11 dd por Delte close Ay St Stu aora EN et edgebo Services QoS Configuration Page This option allows you to set QoS classes to services overriding any QoS settings for group traffic You will be able to configure QoS classes by interface protocol and port You can for example assign a special upload class for the Internet email service and another for your enterprise email When you select this option a page like the one shown above will display You have two tabs each corresponding to one interface WAN and EWAN Again the options available for each tab are quite similar So we will just describ
250. oose PPTP VPN in Type of VPN. [Screenshot: VPN Properties dialog, Networking tab] After that, select Internet Protocol (TCP/IP). In the window that pops up, select Advanced. Uncheck Use default gateway on remote network and confirm until you see the dialing window. You will then be ready to establish the PPTP VPN connection. [Screenshot: Advanced TCP/IP Settings dialog] 10.2.3 Connecting to edgeBOX: To connect to edgeBOX's PPTP VPN server, just enter the user's credentials and select Connect. [Screenshot: Connect VPN dialog] After the connection is successfully established, a small hint will be displayed near the tray bar
251. op Destination Context C pe so Chan C ere ies tet Top Sources E emn ne 626 21 330089104 36 This report shows the top 10 number of calls per destination context e internals calls to the same edgeBOX remote calls to a different edgeBOX and outbound external calls to PSTN or PLMN 2006 Critical Links SA Reporting 221 Ines Chere ait raphy Destination Context 0 30 ay 50 1519 TO Inten zl hrtha Ratio be Sita 8 6 4 Top Minutes This report shows the top 10 number of calls per caller id phone where the call originated in minutes This report will only present results if authentication is on 8 6 5 Top Accounts This report shows the top 10 number of calls per account pin corresponding to a specific user or group of users that initiated a call This report will only present results if authentication is on 8 7 Anti Virus The reports in this group show information about edgeBOX s anti virus It is possible to export them in pdf format 8 7 1 Viruses Found This report shows the top 10 viruses found in e mail passing through the box 8 7 2 Infections Ratio This report shows the ratio of e mails passing through the box clean Vs infected 2006 Critical Links SA 222 edgeBOX User s Guide v4 0 SS ee Iesel e F pa We Vi irises Found mate Pe sothant C mezpomet Lines et Clean infected E Mails
252. or jdoe@branch.local. These credentials will also be valid when using the Windows Sharing service. 6.1.5 Step 5: Remote users connection. In our scenario, remote users will be able to connect to the branch office's internal network. To be able to do so, the PPTP VPN server must be enabled. To configure the PPTP VPN server, perform the following actions. In Control Centre, select VPN PPTP under the Security menu. Choose the range for the IPs assigned to remote clients: in Remote From enter 192.168.1.200 and in Remote To enter 192.168.1.210 (ten clients). Select Apply to commit your changes. If the service state is not running, press the Start button. Remote users connecting to edgeBOX's PPTP VPN server must be given proper authorisation to do so. To authorise the user created previously to connect, follow these steps. Select Management under the Users menu. Select the user in the table (jdoe). Double-click or press Edit; the User Edit window will pop up. Check the PPTP checkbox under Accesses. Press OK. Step 6: VoIP features. For a small office, our scenario will have the basic VoIP functionality: internal extensions accessible from the outside, and a remote switch configuration to the HQ, which will be dealt with in a separate section. The extensions will also have the possibility to call the PSTN. Another interesting featur
253. ord Carifirni Password Administration Options SpeedTouch Firmware edgeBOX provides direct support for the SpeedTouch 330 USB ADSL modem This section allows you to upload the firmware for a unit attached to the edgeBOX You need to upload the correct firmware the first time you plug the modem into the edgeBOX Firmware Revision Displays the current version number of the firmware running on a SpeedTouch modem if one is currently connected to the edgeBOX Firmware File Select a file containing the firmware updates from the computer where the edgeBOX administration application is being used by clicking on the Browse button Once selected clicking on the Upload button will upload and install the firmware on the modem Progress Displays the progress of the firmware update after the Upload button is clicked Adrin Options SpeedTouch Firmware web Locale Root Emall Logs Lending Page Speedtouch Flema Upload Fitnete Jntorabop Firmware Revision El Upload and Install Armara Files Browse Progress lpload Web Locale The language used in the Control Centre to administer the edgeBOX can be selected GUI Language Select the language used by the edgeBOX Control Centre Currently English and Portuguese are 2006 Critical Links SA Advanced Topics 153 supported Admin Options SpesdToiich Firmware Web Locale Root Eral Loge Landing Page Mieh Local GUI
254. ouble clicking the desired agent or remove an agent selecting the Delete Agent button 2006 Critical Links SA 86 edgeBOX User s Guide v4 0 System Network Senices Security Go Policies State Users Wizarda Help Dobei gute 3 2 8 4 2 1 Add Agent Allows you to create a new agent You will need to supply the following elements 3 2 8 4 3 Conferences Agent ID number identifying this agent PIN PIN number the agent will use to authenticate Agent Name name for this agent Login Extension extension this agent will use to register in a queue If this method is used the phone must remain off hook online ew Agent edgeBOX supports two types of conferences 2006 Critical Links SA Network Configuration Reference 87 Dynamic conferences and Static conferences To activate dynamic conferences check the Users can Create Conferences option You will also need to supply an extension for this purpose by default it is 9000 In this type of conference any registered user may dial the pre defined extension and create a conference by pressing a number To join this conference users just have to dial the pre defined dynamic conferences extension 9000 in Our example and enter the conference number Static conferences have to be created beforehand by the administrator The list of static conferences
255. paragraph 6 below 3 Redistributions in binary form must reproduce the Copyright Notice these license terms and the disclaimer limitation of liability set forth as paragraph 6 below in the documentation and or other materials provided with the distribution For the purposes of binary distribution the Copyright Notice refers to the following language Copyright c 1998 2003 Sendmail Inc All rights reserved 4 Neither the name of Sendmail Inc nor the University of California nor the names of their contributors may be used to endorse or promote products derived from this software without specific prior written permission The name sendmail is a trademark of Sendmail Inc 5 All redistributions must comply with the conditions imposed by the University of California on certain embedded code whose copyright notice and conditions for redistribution are as follows a Copyright c 1988 1993 The Regents of the University of California All rights reserved b Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met 1 Redistributions of source code must retain the above copyright notice this list of conditions and the following disclaimer 11 Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution
256. r the main website will not probably be available and so you will need to create another virtual host this time for your main web site Select New again to add a virtual host and enter the following data 8 Virtual Host LAN Server Name www Document Root inter After applying this information you should be able to access your main site using http www local loc and the marketing website using http marketing local loc 2006 Critical Links SA Appendix F Softphone configuration 251 14 Appendix F Softphone configuration Next it will be shown how to configure three different softphones There is a wide variety of softohones available The following will be shown X Lite Idefisk Express Talk First on the edgeBOX side a phone must be added to the system That happens automatically upon user creation when access to the VolP service is granted New User hisw Laser Lisername Real Name sg Password Confirm Password Aeresses Regular Services _ PRTP VoIP Extension Number Extansi n Password Pink Permissions DT wrete s Security e volP _ Wintlows use 444 eee 1333 Local calls Y Ok Cancel The extension name will have the same name as the user s username 2006 Critical Links SA 252 edgeBOX User s Guide v4 0 14 1 Yat Configuration Service State RUNI ng W J Sp Hardware Ger w
257. r, do the following. Select SMTP under the Services menu. In Email Domains, select Add and enter branchoffice.no-ip.org. Select OK. Select branchoffice.no-ip.org in Webmail Domain. Repeat the previous step for the branch.local domain. edgeBOX will now accept mail for both the external and internal domains. Select the Access Control tab. In Relay Domain List, select Add and enter the branch.local domain. Press OK. Select Apply. If the service state is Stopped, press the Start button. To configure Windows sharing services, perform the following actions. Select Samba under the Services menu. Fill in the fields with the following information: Workgroup: edgebox; Server Name: edgebox. Uncheck Wins Support and PDC Support. Select Apply. If the service state is stopped, press the Start button. To be able to use these services, you have to create user accounts. To create a user account, perform the following actions. Select Management under the Users menu. Press New. Make sure the Users tab is selected. In the pop-up window that displays, enter the following information: Username: jdoe; Real Name: John Doe; Group: generic; Password: edg Box; Confirm Password: edg Box; Accesses: check Regular Services and Windows Use. This user account will be able to fetch mail using the POP3 service using these credentials. The email account will be jdoe@branchoffice.no-ip.org
258. raphical Pie 3D Pie 2D or line selected by clicking the radio button and tabular format 2006 Critical Links SA 216 edgeBOX User s Guide v4 0 System Usage Web Server Proxy Server Firewall sysiog Var Anti virus nie C pe aoichan ps pre Lines Cha By Protocol Packets by service traffic number of packets By Protocol Ocurrences o mp woco 4609 2000 2500 Apod 23500 400 4500 6 000 5 990 mg By Source Port Packets g r i 7 By Source Port Ocurrences By Destination Port Packets micuseth de By Destination Port Ocurrenicesy By Source Address Packets By Source Address Ocurrentes By Destination Address Packets Ey Destination Address cutre By Service Packets By Service Ocurrences nethrorsen malen hmm netblos pa duti me muebouchs e sawi WI a such 8 4 16 By Service Occurrences This report shows the number of occurrences traffic was rejected per service e g http This information is presented in graphical Pie 3D Pie 2D or line selected by clicking the radio button and tabular format 2006 Critical Links SA Reporting 217 Es interface Ocurrences By Protacal Packets Br Protocol Ocurrences Ey Source Port Packets By Source Port Ocurrences By Destination Port Packets By Destination Port Ocurrerces By Source Address Packets Ey Source Address currantes By Destination Address Packets
259. rce and effect 7 9 All questions concerning this EULA shall be directed to Critical Software S A Parque Industrial de Taveiro Lote 48 3045 504 Coimbra Portugal Attention General Manager edgebox support critical links com 7 6 CRITICAL and other trademarks contained in the Software are trademarks or registered trademarks of Critical Software S A Third party trademarks trade names product names and logos may be the trademarks or registered trademarks of their respective owners You may not remove or alter any trademark trade names product names logo copyright or other proprietary notices legends symbols or labels in the Software This EULA does not authorize you to use Critical s or its licensors names or any of their respective trademarks 8 Open Source Software Components 5 5 The EdgeBox software is shipped in the same medium as open source software components that are specifically not covered by this EULA 5 6 This EULA only covers software components that have been developed and are propriety of Critical Software SA 5 7 The Open Source software components aggregated in the same medium as EdgeBox Software have their own end user license agreements Please see Annex A for their respective license text Manufacturer of Licensed Software is 2006 Critical Links SA 260 edgeBOX User s Guide v4 0 Critical Software S A Parque Industrial de Taveiro Lote 48 3045 504 Coimbra Portugal
260. ready used by existing pipes You will not be able to create more pipes after this bandwidth reaches 100 Remember to select Apply in the main panel for changes to become effective Edit Select the pipe you want to change and then select Edit A popup window similar to the one in Ada 2006 Critical Links SA Advanced Topics 139 4 3 2 3 4 3 3 will appear allowing you to change all the information entered After selecting OK the table will be updated as well as the bandwidth indicator You will not be able to make changes if the total pipes bandwidth exceeds 100 Remember to select Apply in the main panel for changes to become effective Delete Select the pipe you want to delete and press Delete The pipe will be removed from the list and the bandwidth indicator will be updated Remember to select Apply in the main panel for changes to become effective Mos Information Pine Irtotmabtonp Pipe Marre Associated Percentage ok Cancel DSCP Marking Check this box if you want packets classified and marked in accordance with the diffserv architecture Enable this feature only if you have a QoS diffserv agreement with your ISP on the WAN side Download Information In this section you can configure the QoS settings for incoming traffic The elements available are described next Maximum Downrate Maximum available bandwidth for the download c
261. related with outgoing calls An outgoing call needs a route to be configured There are two different kinds of outgoing routes Direct connection to the PSTN network using hardware installed on edgeBOX and a VolP Provider properly configured 3 2 8 3 1 Prefixes In order to discriminate the type of calls that can be placed a prefix needs to be configured There are different types of calls which will need a prefix Outgoing calls using predefined routes and Calls to extensions belonging to another edgeBOX Remote Switch 2006 Critical Links SA Network Configuration Reference 75 System Network Semces Security GoS Policies State Users Wizards Help Mob Comfou son Service State MINING phones Iricaivina Calle Outbound Calls pay Features Hardware Geneck Prefixe Corifiquration Prefixes il Gulbound Cate jo D Pente an fex G sue aw Status Information rs Terminated ed g ebox 3 2 8 3 2 LCR Outbound calls identified by the appropriate prefix can be divided into five different groups Local calls Long distance calls Mobile calls International calls and n N N un LO Free Calls For each of these groups you will have to configure at least a route and the prefixes that will identify the group to which the call belongs For instance an international call will always be preceded by the 00 prefix This prefix will identify a call as belonging to the
262. report shows the number of times pages hosted on the web server Apache have been accessed You can choose the type of graph to see Pie 3D Pie 2D or line by clicking the radio button This information is also presented in tabular format listing the hosted pages Host and the respective number of occurrences Agent This report shows the number of requests made to the web server by user agent You can choose the type of graph to see Pie 3D Pie 2D or line by clicking the radio button This information is also presented in tabular format You can see the number of requests number of occurrences made by each operation system browser For example you can see that the Windows 2003 Firefox made six requests to the agent Proxy Server The reports in this group show information about edgeBOX s Proxy Server usage It is possible to export them in pdf format Methods This report shows the number of occurrences of each type of HTTP method that passed through the proxy server to the web server It is possible to select the type of graphic Pie 3D Pie 2D or line by clicking the radio button This information is also presented in tabular format You can check the number of occurrences for each type of method oer post head options and propfind For example you can see that the method get had 356 occurrences For a complete list of methods please check Request methods 2006 Critical Links SA
263. responding to the server configuration you want to change, select the Edit button. A popup window similar to the one in Add will be visible, allowing you to change the information already entered. After selecting OK, you will have to select Apply in the main window for changes to become effective. 4.5.1.1.3 Delete: Removes a server from the list. After selecting the server to delete, select the Delete button. Remember to select Apply in the main panel for changes to become effective. 4.5.1.2 Remote LDAP Server Authentication: If you choose Remote LDAP Server, the following information will be required. [Screenshot: Authentication Configuration panel, Remote LDAP Server settings] Options available for Remote LDAP Authentication: Server Name: the IP address for the remote LDAP server. Base Name: the active directory domain configured. LDAP Username: a username that will be used to make the LDAP binding. LDAP Password: the password for the above username. Confirm LDAP Password: used to confirm the password supplied in the previous option. Additionally, the following options will be available
264. rexample you could type the name af uo workplace or the hame 0f server you wilconnectto a Cosi Cas JU Le Cas Jue E Connection Name Public Network VPN Server Selection The Connection Availability dialog window will then be shown Select the option that best fits your case After pressing Next the final dialog will be shown After pressing the Finish button the connection dialog will be shown Before establishing the connection you should change some of its properties To do that select Properties New Connection Wizard Completing the New Connection Wizard You have successfully completed the steps needed to create the following cormectiorr VPN New Connection Wizard Connection Availabilily You can make he new connection available to any user or only to yourself A contecti n that is created for your Use only is savedin pour user account andis not ayallable unless you are lagaed on Create this connection lor O Anyone s use The connection will be saved in the Network Connecban folder To create the connection arid close this wizard click Finish Back net Carical Back Finish Carical Connection Availability Final dialog 2006 Critical Links SA Appendix B VPN Setup 237 Connect YPN Password Cl Save this username and password for the folowing Users connection dialog 10 2 2 Editing the PPTP connection properties select the Networking tab and ch
265. right notice and disclaimer of warranty keep intact all the notices that refer to this License and to the absence of any warranty and distribute a copy of this License along with the Library You may charge a fee for the physical act of transferring a copy and you may at your option offer warranty protection in exchange for a fee 2 You may modify your copy or copies of the Library or any portion of it thus forming a work based on the Library and copy and distribute such modifications or work under the terms of Section 1 above provided that you also meet all of these conditions a The modified work must itself be a software library b You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change c You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this License d If a facility in the modified Library refers to a function or a table of data to be supplied by an application program that uses the facility other than as an argument passed when the facility is invoked then you must make a good faith effort to ensure that in the event an application does not supply such function or table the facility still operates and performs whatever part of its purpose remains meaningful For example a function in a library to compute square roots has a purpose that is entirely well defined independent of the application Therefore
266. rnal extension routes By default a route is created at phone creation time when you supply an extension number These routes may be completely changed though This panel is similar to the IVR s context edition panel The extensions are shown on the left panel and its actions are shown on the right side 2006 Critical Links SA Network Configuration Reference 69 System Metwork Senices Security Gos Policies State Users Wizards Halp deelt Sence rte RUNING phares Incalnisgicals oukaund cals PEM Pests Hardas canei IV atte sss 7 ere After Drees 0 Up Call Rules After Dress 502 After Dress SC bb After Press SO after Dress PO after Prosa 603 after Press Eny After Press ER after Prosa E after Prosa Ep after Prosa Ep After Press pn after Pres B11 t Age Presa At Aa Schon DE Routes Sound Marader ep Appl a eee l Terminated ed g eb O lt 3 2 8 2 2 1 Add Action The options presented in this panel are the same as the ones in the IVR editor s Add Action 3 2 8 2 3 Call Rules edgeBOX allows you to define rules to deal with incoming calls according to the hour day in which they arrive This way the administrator may define different actions depending on the hour of the day For example it is possible to play a message warning the company is closed during
267. route for your WAN network, where the gateway to access the Internet is located. For example, if the network is 192.168.170.254/32 (e.g. a point-to-point link), the entry may be: IP destination 192.168.170.254; Netmask 255.255.255.255; Gateway 0.0.0.0; Device WAN. A default route: this is typically the gateway address present in the WAN configuration (the one used to access the Internet). For example, if your gateway has the IP address 192.168.170.254, then the entry will be: IP destination 0.0.0.0; Netmask 0.0.0.0; Gateway 192.168.170.254; Device WAN. Should you need to manually edit edgeBOX's routing table, the operations available are Add, Edit and Delete. [Screenshot: Route Configuration panel] 3.1.3.1 Add: To add a new route, follow these steps. Select Add. Enter the following information: IP destination: the destination network/host; Netmask: the netmask to apply; Gateway: the gateway to use to reach t
268. 3.1.2.2.1 Security Type

Select the security scheme to be used. Possible values are Static WEP keys, IEEE 802.1x and WPA.

3.1.2.2.2 Static WEP keys

Choose from the list. Possible values are None, 40/64 bit key and 104/128 bit key.

If you choose None, then encryption will not be enabled and your network will be vulnerable to connections from non-authorised hosts. With the other two options you are activating encryption and choosing the key length to be 64 or 128 bits. You may specify 4 different keys, but only one may be active for transmission at a time. This key has to be distributed to clients who wish to connect to the network. Bear in mind that thi
269. s Start, Stop and apply changes made to the configuration (button Apply). The available configuration options are described next.

3.2.4.1 Service State

This element is read-only and has the current status for the HTTP server: Running or Stopped.

3.2.4.2 Server Name

This information is read-only.

3.2.4.3 Max Access

Here we set the maximum number of simultaneous access connections to the web server.

3.2.4.4 User Directories

Select from the list. Possible values: Yes, No. If set to Yes, users will have a personal web page. That homepage will be located on the user's home directory, under the public_html directory. The user will be able to manage their personal webpage through FTP (after logging on they will be placed in this directory automatically). The URL to access a user's personal webpage will be formed from the concatenation of the main URL with username. For example, if the main URL is http edgebox domain then noname
270. Service State: This information is read-only and provides the service status, i.e. running or stopped.

Domain name: This information is also read-only; it provides the internal domain name.

Ranges: This panel defines the range of IP addresses that will be assigned dynamically. You may define several address intervals, as long as they don't overlap. For each address interval defined, you can define a prefix that will be added to the last portion of the IP assigned to form the hostname sent. The operations available are New and Delete.

3.2.3.3.1 New

Figure: New DHCP Range window

After selecting New, a pop-up window will appear. The following information must be entered:
- Start IP: Lower end of the IP address interval
- End IP: Higher end of the IP address interval
- Prefix: String to be concatenated to the address sent to form the hostname. For example, if you enter mobile for the prefix and the domain is called local.loc, then the host with IP addr
271. s every: Sets the interval for checking whether updates are available. Choose either 6, 12 or 24 hours.

Start hour: Sets the time to begin checking for updates each day.

Notify when need to: Some updates require either a network service to be restarted or, for more important updates, edgeBOX must be rebooted. Depending on what you choose for this item, a window will pop up after you log on to the Control Centre, warning you there are updates available that require action after being installed.

If Semi-Automatic updates are selected, the following fields are presented:

Check for updates every: Sets the time interval for checking whether updates are available. Choose either 6, 12 or 24 hours.

Start hour: Sets the time to begin checking for updates each day.

Notify me when updates are available: If this box is checked, after you log on to the Control Centre a window will pop up informing you new updates are available.

4.5.9 SNMP

The status of the edgeBOX can be queried using the
272. s passing through the proxy server, in bytes, organised by ranges. This information is presented in graphical (Pie 3D, Pie 2D or line, selected by clicking the radio button) and tabular format.

8.4 Firewall

The reports in this group show information about edgeBOX's firewall. It is possible to export them in PDF format.

8.4.1 Firewall

This report provides general information of the firewall behaviour. It is possible to customise a filter to limit the data presented and make analysis easier. The following fields are available:
- date (must use the format yyyy mm dd)
- type of protocol (All, UDP or TCP)
- interface (All, LAN, WAN or EWAN)
- destination port
- destination address

You will have to press the Search button to retrieve the data. The results of the applied filter are presented in a table with the following columns:
- Date: last 100 entries or selected dates
- Packets: number of rejected packets
- Chain: reason why the packet was rejected, for example dangerous, un-allowed
- Interface: physical interface where the rejected packet arrived, for example eth0
273. s scheme is now relatively easy to break. To allow some degree of security, keys should be changed regularly, which may not be manageable if there are many clients connecting to the access point.

Should WEP be used, we advise you to at least configure one form of encryption.

3.1.2.2.3 IEEE 802.1x

In this panel you may configure IEEE 802.1x authentication and encryption.

3.1.2.2.3.1 802.1x configuration

Use Remote Radius Server: Check this option if you want to use an external Radius server as the authentication server for IEEE 802.1x. You will need to provide the following:
- Radius Authentication IP: the external server's IP address
- Radius Authentication Password: the external server's password
- Radius Authentication Port: the external server's port

If you l
274. shing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation.

10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.

NO WARRANTY

11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHO
275. sing or otherwise to promote the sale, use or other dealings in this Software without prior written authorization from him.

15 Licence for libxslt

Copyright (C) 2001-2002 Thomas Broyer, Charlie Bozeman and Daniel Veillard. All Rights Reserved.

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Except as contained in this notice, the name of the authors shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization from him.
276. standard and PPTP protocol.
- Traffic control in both inbound and outbound. Possibility of getting a share of the available bandwidth reserved for important users in your company or for high priority traffic types such as voice.
- Support for a dynamic Intranet with content management capabilities.

When you open your edgeBOX package you should find the following items:
- edgeBOX
- Power supply unit and cable
- PS2/USB keyboard adaptor (depending on version)
- Installation & configuration guide

1.1 Powering Up the Box

To connect the appliance to the main power source, follow the directions described below:
- Connect the AC adaptor to the power socket located on edgeBOX's rear panel using the power cable.
- Connect the power adaptor to an electrical outlet.
- To switch on the appliance, press the button located on the front panel. A blue light will then be visible, indicating the box is properly powered.

1.2 Connecting to the network

The next step will be to physically connect the appliance to the network. Although it can be used in several different topologies, edgeBOX is preloaded with a default factory configuration.

Figure: edgeBOX's Twister Model rear panel

Typically the
277. stering with edgeBOX.

Default IP: This option will be available if you've selected Dynamic in the previous option. The default value is unchecked. If you check this option, you will need to supply an IP address, which will be used by edgeBOX to try to communicate with the client if it hasn't registered yet.

Port: port where edgeBOX will accept connections. Default ports are 5060 (SIP) and 4059 (IAX2).

DTMF Mode: the way the client deals with DTMF signaling. This parameter should be consistent with the client configuration. Available options are:
- Inband: DTMF signaling within the call. Note that this type of signaling is not supported by the GSM codec.
- rfc2833
- Info

Can Reinvite (SIP Only): When active for some time a call may be turned into a direct connection between endpoints, so edgeBOX will not be in the communication path. If this is not the desired behaviour, then this option should be unchecked.

NoTransfer (IAX2 Only): Similar to the previous option. When active, all calls are routed through edgeBOX, avoiding a direct connection between clients.

Codecs are used when converting an analogue voice signal to a digital one. edgeBOX supports several types of codecs, allowing a flexible client configuration. The choice of the codec to be used usually results from a compromise between sound quality and bandwidth used. Available codecs are
278. Allows you to modify details for existing phones. All fields may be changed except the extension name.

Allows you to delete a phone. There will be times when you will not be able to perform this action. Specifically, when:
- This extension is used in a context, for example in a Dial action. For more information check IVR Editor.
- This extension is used in an incoming rule; for more information check Call Rules.
- This extension's voicemail is used in an action.

If you try to delete a phone which meets one of these conditions, a pop-up window will be displayed warning you.

Incoming Calls: This panel allows you to configure incoming call functionality, for example for calls originating from the PSTN network or internal calls between phones registered with edgeBOX. Several options are available for configuration, namely LO MW LO un mM DID Routes and Sound Manager. You access each of these panels selecting the appropriate tab on the right.

3.2.8.2.1 IVR Editor

edgeBOX provides a flexible IVR system, fully integrating all of edgeBOX's VoIP PBX functionalities, allowing the administrator to create response menus for a large range of applications. Callers using a touch-tone phone will be able to navigate these menus by pressing the appropriate numbers. An IVR system is made of contexts. Each context can have sever
279. t choose the Users menu option and then the Management submenu. A page like the one shown below will be displayed. On this page you have two panels: the Users and the Groups panel. You may access each panel selecting the appropriate tab.

Figure: User Management Page

4.1.1 Users

You can check the users listed in the table. Available actions for users are New, Edit and Delete.

Figure: New User Window

New: Creates a new user. After selecting New, a popup window similar to the one shown above will be displayed, requiring you to enter the following information:
- Username: The login name that will identify this user on edgeBOX. The login name cannot be greater than 8 characters, has to start with a non-numeric character and cannot contain special characters.
- Real Name: This field is optional and is meant to identify the user. No special characters can be used.
- Group: The
280. t include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.

If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code.

4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Pro
281. table. To test it, try to ping a machine on the other site. It may be useful to access the machines by name instead of IP address. You can configure a Forward domain in each DNS server. To do so:

In the HQ's Control Centre, select DNS under the Services menu. Press the New button under Domain Name. The Domain Information window will pop up. Enter the following information:
- Domain Name: branch.local
- Domain Type: Forward
- Domain Access: Internal
- Network Address: 192.168.1.0
- Name Server IP: 192.168.1.254

Press OK and then Apply in the main panel.

In the branch office's Control Centre, perform the same action. Enter the following information:
- Domain Name: company.internal
- Domain Type: Forward
- Domain Access: Internal
- Network Address: 10.1.0.0
- Name Server IP: 10.1.0.254

Press OK and then Apply in the main panel.

Remote Switch

To allow for calls between internal extensions on the company's headquarters office and internal extensions on the remote office, an IAX trunk may be configured between sites. All the other PBX functionalities will also be available. To configure an IAX trunk between the two sites, you will have to modify the configurations on both of their edgeBOXes. So, on the headquarters edgeBOX, perform the following actions: Under the VoIP panel, select the Outbound Calls tab. On the prefix panel (the first tab on the left), select 6 for the remote switch prefix. All calls to a remote s
282. tains the following elements:
- Version: The antivirus engine version installed. This element is read-only.
- Date of most recent IDE files: The date the last virus definitions file was installed.
- Update IDE Files: Selecting this button will download the latest virus definition files. You must have a current Sophos license in order to do this. The edgeBOX also performs this update automatically on a daily basis.

3.3.5.3.2.2 Upload and Install

This panel allows you to install a McAfee antivirus engine.
- Download the antivirus engine from the McAfee website. Bear in mind that you need to buy the appropriate number of licenses to use this software.
- Hit the Browse button and navigate to the location where you saved the antivirus engine file; select it.
- Hit the Upload button and wait until the progress bar reaches 100%. Check the status returned to confirm the command was successful.

The transfer is done via FTP, so make sure that FTP traffic is allowed on the LAN side on your firewall configuration.

3.3.5.3.3 Clamav

This panel allows you to check and update Clamav's IDE files. Clamav is a free antivirus engine and is shipped with edgeBOX.
- Version: The antivirus engine version installed. This element is read-only.
- Date of most recent IDE files: The date of the last virus definitions file installed.
- Update IDE Files: Selecting this button will
283. te the DNS controls. If you check this option, then all this information will be fetched automatically from a DHCP server. When in doubt, check this option.

The last option will be to choose the connection type. There are two available choices:
- Cable/LAN, if you plan to connect your WAN interface to an external cable modem or to a local area network, or
- ADSL.

In the first case you will always use the WAN Ethernet port located on edgeBOX's rear panel. Either case will be transparent to you. However, for ADSL, depending on your box configuration, you may have two options: PPPoE and PPPoA. No matter which setup you choose, you will always have to provide information of the username/password for your ISP account. In addition, if you choose PPPoE and internal modem or PPPoA, you will have to provide the VPI, VCI and encapsulation information (choose from the list of possible values: LLC or VC). Ask your ISP for this information if you don't have it.

Figure: ADSL information (internal modem not available)

After entering all the above information, press Next to proceed to step 2
284. that refer to this License, so that they refer to the ordinary GNU General Public License, version 2, instead of to this License. (If a newer version than version 2 of the ordinary GNU General Public License has appeared, then you can specify that version instead if you wish.) Do not make any other change in these notices.

Once this change is made in a given copy, it is irreversible for that copy, so the ordinary GNU General Public License applies to all subsequent copies and derivative works made from that copy.

This option is useful when you wish to copy part of the code of the Library into a program that is not a library.

4. You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above, provided that you accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange.

If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code.

5. A program that contains no derivative of any portion of the Library
285. the Agents panel.

3.2.8.4.2 Agents

This panel allows you to manage agents that will later be associated with queues and configure general agent settings. Essentially there are two different strategies for agents: either the agent logs on and remains logged on until an inbound call is assigned, or an agent logs on and then logs off and gets called in the event of an inbound call.

Agent Settings

Callback Login: If you enable this option, agents will be called when an inbound call arrives. You will need to supply an extension that will be used by the agents to log on. The agents will call this extension and, after entering their agent ids and pin numbers, they will be ready to answer calls from queues they are associated with. Other options available are:
- Auto LogOff Time: time in seconds after which the agent will be logged off from the system if the call is not answered
- Require Ack: if set to Yes, the agent will have to press to accept an incoming call
- Music on Hold: music the agent will listen to while waiting for a new incoming call

Agents

Configured agents are displayed in a tabular manner. You may create new agents selecting the Add agent button, modify an agent's settings selecting the Edit Agent button or d
286. the Loop back interface, and wlan or att (depending on the specific wireless card used) stands for Wireless interface. eth interfaces assume the form ethn, where n can be 0, 1, 2 or 3, depending on the number of Ethernet cards in edgeBOX.

Network Transmitted bytes

This report shows the traffic transmitted by the box at the interfaces WAN, LAN and EWAN in bytes per second. This information is presented in graphical format. You are able to define the time frame for these statistics: last 24h, last week or last month. To do this, select the desired option in the radio button and press Search to generate the corresponding graphic. You can also generate a table with the average received traffic (bytes/s) per day and per physical interface. Here br0 stands for the LAN interface, ima stands for the intermediate queuing interface, eth2 stands for EWAN interface, eth0 stands for WAN interface, lo stands for the Loop back interface, and wlan or att (depending on the specific wireless card used) stands for Wireless interface. eth interfaces assume the form ethn, where n can be 0, 1, 2 or 3, depending on the number of Ethernet cards in edgeBOX.

Network Received packets

This report shows the traffic received by the box at the several interfaces WAN, LAN and EWAN in packets per second. This information is presented in graphical format. You are able to define the time frame for these statist
287. this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. All advertising materials mentioning features or use of this software must display the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org.

5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the OpenSSL Project.

6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)"

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
288. this moment on, client machines on your internal network will be able to access the Internet.

Next you may wish to configure the DHCP server to allow your LAN's client workstations to have their IP configuration fetched dynamically from edgeBOX. To do so:
- Select the DHCP option under the Services menu.
- If there is a range already configured and it doesn't fit your needs, select it and press Delete.
- In Ranges select New.
- Enter the following information:
  - Start IP: 192.168.1.100
  - End IP: 192.168.1.200
  - Prefix: pc
- Select OK and apply your changes.

Client machines with a dynamic configuration will be able to fetch all their IP configuration from edgeBOX and to connect to the Internet.

As has been said, although there is the need to protect the internal network from attacks from the Internet, we will not use authentication. A good policy is to deny access to all services except those we will be providing. As such, only the following services will be allowed access from the Internet: SMTP (electronic mail), SSH (secure shell), HTTP (web server) and POP3 (read mail remotely). The EWAN interface will not be connected, so all services will be disabled. For the LAN interface, besides the services mentioned for the WAN interface, the following services are also allowed: DNS, VoIP, FTP and Samba. Access to the webadmin will only be allowed from the inside net
289. tion. In this step you will be required to enter information regarding user access and traffic logging. The following information may be entered:
- User authorisation: If you choose on, access to services/resources will be dependent on user authentication (the user has to enter their username/password). Typically a profile is configured for a group of users, which will then share a particular configuration for accessing services/resources. When in doubt choose off.
- Authentication: Choose the method for authenticating users from the list. Available methods are:
  - Local Server (local accounts are used)
  - Remote LDAP Server
  - Radius Remote Server
  When in doubt choose Local, which is the default.

Figure: Options for remote LDAP authentication

Figure: Options for remote RADIUS authentication

- Traffic Log: Choose between the a
290. In the next step you will be required to enter a name to identify your PPTP connection. Press Next to proceed to the Public Network window and choose the option best suited to your situation. After you press Next, the VPN Server Selection window will be shown. Here you will be required to enter the host name or IP address of your edgeBOX. This will be the external IP address. After you do this, select Next to proceed to the next step.
291. tions are Add, Edit and Delete.

3.3.3.3.1 Add

Adds a new tunnel configuration. After selecting this option, a popup window will appear where the following panels will be available: General, Service Access and Host.

3.3.3.3.1.1 General

This panel allows you to configure general VPN settings.

Choose between establishing a tunnel between the internal network and another network or between the internal network and a host. The available fields will vary according to this choice: if you've chosen Network, then you will have to configure a remote network, a remote netmask and a remote gateway. If you have chosen Host, then you will have to enter whether the host has a dynamic or static address and, in the latter case, indicate which address it has.

Checking this option will activate this tunnel when edgeBOX boots.

A label chosen to identify this tunnel.

The IP address of the network we want to establish a tunnel with.

Netmask to apply to the remote network IP address.

The IP address for the gateway connecting
292. tions can be delegated on remote servers, allowing for a multitude of different configurations and scenarios.

Due to the concept of system-wide authentication, all services will be authenticated against the scheme chosen, be it local or remote. There are some services however, namely PPTP and Wireless, that allow you to use another Radius server to perform authentication. The following matrix displays the possible combinations for authentication/authorisation schemes:

Local Radius Remote Radius Remote Radius Remote Radius Remote LDAP Remote LDAP

The first line matches edgeBOX's local configuration (all local). You can have a remote configuration replicating this configuration, in which Radius performs authorisation, having an LDAP backend performing authentication/authorisation.

Special remarks have to be made when you delegate authorisation/authentication on a remote server. As users are remote, they are not known to edgeBOX before they make their first successful login. Before this happens, no user account is created locally, and the same applies for edgeBOX's local Radius and LDAP servers. edgeBOX always keeps a local copy. If you are using local authorisation, you will still be able to edit users' permissions. In this scenario, after a user logs in for the first time, he will be granted permission to only access regular services. Bear in mind that although
293. to dictionary attacks. Two options are available: Passphrase and PSK (Pre-Shared Key).
Passphrase: You will need to provide an ASCII passphrase.
PSK: You will need to provide a hexadecimal pre-shared key.

[Screenshot: Encryption Type and WPA Configuration options]

3.1.2.2.4 WPA
The options available here are covered in IEEE 802.1x's Encryption type.

[Screenshot: Wireless Configuration, Advanced tab, Security options]

3.1.3 Routes
In this option you can review and change your routes configuration. Provided the interfaces were correctly configured, you should not need to make any changes. After you run the setup wizard, you may have the following entries in the route table:
• A route for your internal network. For example, if your internal network is 192.168.100.0/24, then you should have the following entry:
  • IP destination: 192.168.100.0
  • Netmask: 255.255.255.0
  • Gateway: 0.0.0.0
  • Device: LAN (this is the internal network interface)
• A route for your enterprise network. If your enterprise network is 192.168.200.0/24, then you should have the following entry:
  • IP destination: 192.168.200.0
  • Netmask: 255.255.255.0
  • Gateway: 0.0.0.0
  • Device: EWAN (this is the enterprise interface)
• A
294. try national prefix as well as the prefix used to make international calls. Another option available for configuration is the call volume, which may vary between an 8 dB gain or loss. This value should be adjusted depending on the network. All ports detected will be displayed on the table, where their operation mode can be checked. Ports are initialised in TE operation mode by default. There are two port operation modes possible:
TE mode: ports should be connected to ISDN lines.
NT mode: ports should be connected to ISDN phones.
You may change the port working mode. To do so, select the desired port and press the Edit Port button. You may also double-click the desired port.

3.2.8.5.1.1 Edit Port
When editing a BRI port you can configure the port operation mode. Available values are NT or TE. This panel also allows you to supply the MSNs. In TE mode, the MSNs will be needed in order to be able to use DID routes. In NT mode, you will need to define the MSNs in order to distinguish between the phones connected to the bus. The MSNs associated with the phones must be configured accordingly. All ports detected as working in NT mode will be available as phones when editing the IVR and in internal extensions management. In the same way, all ports detected as working in TE mode will be available as outbound routes when editing the LCR. Note that if you c
295. ts as if it was a Windows server. Besides the usual file and printer sharing services, edgeBOX may also act as a PDC and WINS server. WINS performs name registration and resolution. Windows clients can query a WINS server directly instead of using the usual broadcast method, thus resulting in an improvement in performance (the hosts don't need to process broadcast packets). When edgeBOX acts as a PDC, users' desktop preferences are stored in edgeBOX (roaming profiles) and their home directory is mounted locally as the Z: drive. The service is provided to all authorised users listed on the Users panel. The following panels are available, each accessible through its tab: Global, Shares, Homes, Boxes and USB Printers.

[Screenshot: Samba panel showing Service State and the Global tab]

3.2.6.1 Service State
Reports the current state of the Samba service: Stopped or Running. If the service is Stopped, it can be started by clicking on the Start button at the bottom right-hand corner of the panel. Similarly, if the service is Running, it can be stopped by clicking on the Stop button.

3.2.6.2 Global
This panel allows you to configure general Samba settings s
296. tunnel. Available actions are Add and Delete.

Add: After selecting Add, a popup window will appear requesting the following information:
• Origin: The IP address for the host in the network to which we want to deny access to the tunnel.
• Netmask: The netmask to apply.
• Port: The port which we want to deny access to. This option may be disabled or ignored depending on your choice of protocol. A range of ports may be specified by checking the Range box. The ports listed in the From and To fields will be denied access.
• Protocol: Select from the list. Available choices are TCP, UDP, ICMP and ALL. If ALL or ICMP are selected, then Port will be ignored.

Delete: Deletes an entry from this table. After selecting the entry, press Delete. Eliminating an entry from this table is the same as granting access to the tunnel for a host in the network.

3.3.3.3.2 Edit
This option allows you to change an IPSec tunnel configuration. Select a tunnel from the list and a popup window similar to the one in Add will appear. You can change the same options.

3.3.3.3.3 Delete
Removes a tunnel configuration. Select the IPSec tunnel you want to delete and then select the Delete button.

3.3.4 VPN PPTP
In this page you can review and change your PPTP VPN configuration. PPTP is used to establish VPN tunnels across the Internet. This allows remote users to access the internal network from anywhere on the Internet
297. uch as Workgroup name, server string, WINS and PDC options.

3.2.6.2.1 Global
This section is used to make the Samba service accessible to Windows clients.
Workgroup: The name of the Windows workgroup that Windows clients must belong to in order to access the services provided.
Server Name: A brief description of the edgeBOX server, to make it easier to identify when browsing the network.
Wins Support: If you check this option, edgeBOX will act as a WINS server, providing WINS name service registration and resolution. An additional options panel will allow you to configure its role.
PDC Support: If you check this option, edgeBOX will act as a Windows Primary Domain Controller. After applying, the SID for this domain will be visible next to the Workgroup.

3.2.6.2.2 Wins Options
Server: Available options are Local or Remote. If set to Local, edgeBOX will act as a WINS server. If set to Remote, edgeBOX will use a remote WINS server. In the latter case the following options will also be enabled:
Act as Proxy: If you check this option, edgeBOX will act as a WINS proxy, relaying registration and resolution requests from itself to another WINS server. edgeBOX will send the response back to the original client.
Address: Allows you to specify the IP address for the remote WINS server to be used.

[Screenshot: Wins Options panel]

3.2.6.3 Shares
Displays a list
298. und traffic. The panel contains an indicator with the percentage of bandwidth consumed and, below, a table with the following information: total bandwidth (bps), dropped packets, transmitted bytes and transmitted packets.

Class information: This panel contains a table with statistics by traffic control class. For each traffic control class we have the following information: total bandwidth consumed (bps), dropped packets, transmitted bytes and transmitted packets.

[Screenshot: QoS statistics page with Upload Information, Download Information and Class Information tables (columns: Total Bandwidth, Drop Rate, Tx Bytes, Tx Packets)]

4.6.5 Accumulated History
If you have selective user authorisation on, this page allows you to produce reports similar to the one shown below. For each day, the accumulated values for session time and traffic per interface are computed for a user. To produce a report for a specific user:
• Enter the username for the user you want to produce a report for in the Username field.
• Se
299. unique serial numbers or, alternatively, a USB dongle.

2. Ownership
The foregoing license gives you limited license to use the Software. CRITICAL retains all right, title and interest, including all copyright and intellectual property rights, in and to the Licensed Software and all copies thereof. All rights not specifically granted in this EULA, including Federal and International Copyrights, are reserved by CRITICAL.

3. License Grants
3.1 If the Licensed Software is in use on a certain Computer, you may not use or copy the Licensed Software to additional Computers except where provisions within this agreement have been made.
3.2 The software is activated by a license key provided by CRITICAL at the time of purchase. Please refer to the license details in the User Manual provided to you by Critical Software.
3.3 The Licensed Software is designed to function only within Computer models that are qualified by Critical. Please see EdgeBox web page for more details. Attempts to use the Licensed Software on other computers are in violation of the EULA.
3.4 You may use software back-up utilities to make a back-up copy of the Licensed Software. You may use the back-up copy solely for archival purposes.
3.5 Your license rights under this EULA are non-exclusive.
3.6 Certain rights are not granted under this Agreement, but may be available under a separate agree
300. uption of data. Next we will describe how to configure automatic backups and how to perform a restore from a previous backup.

4.5.6.1 4.5.6.2 Backup Configuration
Backup State: Shows whether backups are scheduled or not.
Backup Type: Choose from the list. Possible values are Standard and Config. Standard backup performs a full backup of the system, whereas a Config backup will only save the configuration files.
Backup Time: The time of the day at which backups will be performed. Enter the values directly in the fields or use the up/down controls.
Backup Address: Specifies the destination for the backup. A Wizard is used to create the full path to the destination. A dialogue panel is displayed, taking the administrator through the steps required. For backups using FTP to a remote server, the Wizard asks for the address of the FTP server, the port number (default is 21), if authentication is required (the username and password for the remote server are required, otherwise an anonymous login is used) and finally the directory on the remote server where the backup will be stored. For backup to a local USB disk, the Wizard asks for the destination disk from the devices currently connected to the edgeBOX and the directory where the backup will be stored.
Backup Now: Immediately starts a backup of the selecte
301. users login to the system.

4.1.2 Groups

[Screenshot: Users management page, Groups tab, listing the group generic]

Regardless of the authentication scheme chosen (Local or Remote), you should check if a group called generic already exists. This is the group where users will be placed by default, so you must ensure that it exists and configure its policies before users log into your network. The options available are New, Edit and Delete.

New: Creates a new group. After selecting New, a window will pop up requiring you to enter the new group name. After selecting OK, the new group will be immediately created. Selecting Cancel will abort the group creation.

[Screenshot: Edit Group Window]

Edit: After selecting the group from the list, Edit will make a popup window similar to the one shown above appear. In this window are listed the users and IP for the group selected. Available options are Add IP and Delete.

Add IP: Besides containing users, a group may also contain IP address
302. vailable values: Off, 15 minutes, 30 minutes and 60 minutes. This will set the interval between traffic logs. If user authorisation is set to off, you may also leave this setting off. Pressing Next will take you to Step 5, which is the final step in this setup.

2.2.5 Step 5: Service Configuration

[Screenshot: Step 5, Service Configuration, with a table of services against Internal Access, External Access and Enterprise Access, and the Web Server Configuration options]

In this step you will be required to configure access to the services running on the box. You may grant access to the internal network (LAN), external network (WAN) and the enterprise network (EWAN). The following services may be configured:
DNS (Domain Name Server): Used to look up domain data.
SMTP (Simple Mail Transfer Protocol): Used for email.
LDAP (Lightweight Directory Access Protocol): Used to access directory services.
SSH: Used to connect to a remote shell under a secure channel.
IMAP
303. will default to International. In our simple scenario, suppose we have a BRI card and no ITSPs configured. Then the only outgoing route will be the device provided by our BRI card. It is enough to configure a route for International calls and no prefixes; this way all calls will default to International and will be routed through this device. To configure the route, do the following:
• In the LCR panel, select the International tab.
• Under LCR, select the route for the outgoing device in Route. If you have a BRI card, most probably it will be mISDN 1.
• Press Add. The route will be added to the list of routes in the tree.
• Press Apply.
You may now call the PSTN.

Finally, in our scenario we want a message to be played and a voice mailbox to be available when calls arrive during off-work hours. To do so:
• Select the Incoming Calls tab.
• Select the Call Rules tab on your right.
• Press the Add Rule button. A dialog window will pop up.
• Fill in the fields with the following information:
  Rule Name: Offwork
  Select Weekdays
  Select Monday in From
  Select Friday in To
  Select 18:00 in the From hours fields
  Select 23:59 in the To hours fields
• In Action, select Answer. This will be the first action.
• In Action, select Playback. Press the Select File button to choose a sound file. This file will be played after the call is answered
304. witch will start with this prefix. Select the fourth tab on the right, Remote Switch. The remote switch panel will be displayed. Select Add to add a new remote switch. The New Remote Switch pop-up window will display. Enter the following information:
• Prefix: 7
• Name: rshqbranch
• Secret: not4u2know
• host: branchoffice.no-ip.org
• check the Allow Incoming Calls checkbox
• select the gsm codec
Select the OK button and Apply your changes.

Next, the same configuration must be performed at the remote site. The only difference here is that on host you should enter the headquarter's office hostname (edgebox.company.com). So, for simplicity, we will assume the same prefixes on the remote site. The information entered when adding a new remote switch on the remote site's edgebox will then be:
• Prefix: 7
• Name: rshqbranch
• Secret: not4u2know
• host: edgebox.company.com
• check the Allow Incoming Calls checkbox
• select the gsm codec

At least one of the Allow Incoming Calls checkboxes must be checked in order to allow calls to be made between sites. If for some reason you wish to restrict access to one of the sites, uncheck this checkbox on the site's configuration. In this scenario the sites will be connected through the Internet, so the gsm codec was chosen (uses less bandwidth). To test this configuration you ca
305. with management. You can choose to redirect mail for these aliases to another user so that they receive the notifications. You may also define more descriptive names for your users instead of your 8-letter login names. Each entry has, on the first column, the alias name and, on the second column, the email address to which it will expand. There are two operations available: Add and Delete. Note: the root alias will not appear on this list, as it is configured elsewhere (System menu, Config submenu).

Add: If you select this operation, a popup window will appear requesting the following information:
• Alias: the name of the alias you want to create.
• Email(s): the email or list of emails to which this alias will expand.
• After selecting OK, don't forget to select Apply so the changes become effective.

Delete: To delete an alias, select it from the list and press Delete. Don't forget to select Apply to make this change effective.

[Screenshot: Email Aliases panel]

3.2.5.9 LDAP
In this panel you can configure the mail server to perform LDAP-based rerouting of a particular address to either a different host or a different address. edgeBOX's LDAP mail routing function follows the LDAP Schema for Intranet Mail Routing Internet Draft Document. Initially you will have to perform synchronization between the LDAP server
306. work. To load this configuration, follow these steps:
• Select the Firewall option under the menu Security.
• Make sure the Require users to login option is unchecked.
• Make sure the Enable Firewall option is checked.
• Make sure the Wan and Ewan checkboxes in WebAdmin Access are unchecked.
• Check the Select All checkbox. All services will be allowed in all interfaces.
• Uncheck all options under the Enterprise column (EWAN).
• Uncheck all options under External except SMTP, SSH, HTTP and POP3.
• Uncheck all options under Internal except DNS, SMTP, VoIP, FTP, HTTP, POP3 and Samba.
• Apply your configuration.

6.1.3 Step 3: Wireless connection
Even for a small office it is useful to be able to connect to the network using a wireless connection. The way allowed stations are managed is out of the scope of this text. We will assume WPA security will be used to avoid connections from unwanted stations. The SSID will be branchAP, the channel chosen will be 7, and we will also want our AP not to be discovered by broadcasts. To perform this configuration, do the following:
• Select the Wireless option under the Network menu.
• In the Basic panel, enter the following information:
  SSID: branchAP
  Channel selection: 7
  Check the Ignore clients with broadcast SSID checkbox
  Check the Allow All Clients checkbox
• Select the Advanced tab.
• Under Security Type, select WPA.
• In the panel WPA Configuration, select P
307. y always continue to use it under the terms of that version. You may also choose to use such covered code under the terms of any subsequent version of the license published by the PHP Group. No one other than the PHP Group has the right to modify the terms applicable to covered code created under this License.

6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes PHP, freely available from <http://www.php.net/>".

THIS SOFTWARE IS PROVIDED BY THE PHP DEVELOPMENT TEAM "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE PHP DEVELOPMENT TEAM OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This software consists of voluntary contributions made by many individuals on behalf of the PHP Group. The PHP Group can be contacted via Email at group@php.net. For more information on the PHP Group and the PHP project, please see <http://www.php
308. y use or transfer the Licensed Software only in conjunction with that upgraded product, unless you destroy the upgraded product. If the Licensed Software is an upgrade of a CRITICAL product, you now may use that upgraded product only in accordance with this EULA.

7. General
7.1 This EULA shall be governed by the laws of Portugal, without giving effect to principles of conflict of laws. You hereby consent to the exclusive jurisdiction and venue of the courts sitting in Lisbon, Portugal to resolve any disputes arising under this EULA.
7.2 This EULA contains the complete agreement between the parties with respect to the subject matter hereof, and supersedes all prior or contemporaneous agreements or understandings, whether oral or written. You agree that any varying or additional terms contained in any purchase order or other written notification or document issued by you in relation to the Software licensed hereunder shall be of no effect. The failure or delay of CRITICAL to exercise any of its rights under this EULA or upon any breach of this EULA shall not be deemed a waiver of those rights or of the breach.
7.3 No CRITICAL dealer, agent or employee is authorized to make any amendment to this EULA.
7.4 If any provision of this Agreement shall be held by a court of competent jurisdiction to be contrary to law, that provision will be enforced to the maximum extent permissible, and the remaining provisions of this Agreement will remain in full fo
309. you check this option, MailScanner will mark every infected message and every message that for some reason had its attachments removed.
Mark Unscanned Messages: If you check this option, every message not scanned by MailScanner will be marked.
Warning Is Attachment: If you check this option, then warnings for dangerous or infected attachments will be included as an attachment. If this option is not selected, then the warnings will simply be included as inline text.

Anti-Virus Engines
This panel allows you to perform the installation of anti-virus engines (where applicable) and update their IDE files. Select the desired anti-virus engine using the named tab on the right. Currently the supported anti-virus engines are Sophos, McAfee and Clamav.

[Screenshot: MailScanner Configuration, Anti-Virus Engines panel, Sophos tab, with Version, Date of most recent IDE File, Upload and Install Sophos File, and Automatic Updates fields]

3.3.5.3.1 Sophos
This panel allows you to upload the Sophos antivirus engine required
310. ze and the time the safe will be active. These values are limited by the values entered by the administrator. After confirming the values, the username and password for accessing the safe will be displayed on the screen. You will then be able to access the safe in the same way you access a share.

Remove safe: In the existing safes listing there will be a link which will allow you to remove a safe before it is automatically deleted by the system. You will have to supply the username and passwords used to access the safe.

EWAN Certificate: Choosing this option will display the EWAN certificate on the screen.

8 Reporting
The reporting module can be accessed from the initial page by following the Reports link. If you haven't yet authenticated in the system, you will be asked to submit your credentials. After entering the reporting module, it is possible to check the available reports and choose the one to view.

[Screenshot: Reporting login page with Username and Password fields]

8.1 System Usage
The reports in this group show information about edgeBOX's system usage. It is possible to export them in pdf format.

8.1.1 CPU
This report shows CPU usage in percentage per type of process: user processes, system processes, IO Wait processes and idle. This information is displayed in graphical and table format.

8.1.2 Load
This report shows the system load in the past 12 hours