
D-Link DWC-1000 + 3x DWL-2600AP

Contents

1. Tools > Admin > SNMP System Info
   The controller is identified by an SNMP manager via the System Information identifier settings. The SysName set here is also used to identify the controller for SysLog logging.
   Figure 109: SNMP system information for this controller. This page displays the current SNMP configuration of the router. The following MIB (Management Information Base) fields are displayed and can be modified here.
   9.4 Configuring Time Zone and NTP (Tools > Date and Time)
   You can configure your time zone, whether or not to adjust for Daylight Savings Time, and with which Network Time Protocol (NTP) server to synchronize the date and time. You can choose to set Date and Time manually, which will store the information on the controller's real time clock (RTC). If the controller has access to the internet, the most accurate mechanism to set the controller time is to enable NTP server communication.
   Note: Accurate date and time on the controller is critical for firewall schedules, Wi-Fi power saving support (to disable APs at certain times of the day) and accurate logging. Please follow the steps b
2. (Screenshot residue: detected client history table with three entries for SSID dwc-naren, showing New Authentication and Roam events, with Refresh and Purge History buttons.)
   This page includes the following buttons:
   - Refresh: Updates the page with the latest information.
   - Purge History: To purge the history when the list of entries is full.
   - View Details: Shows the details of the detected clients.
   4.7 AP Management: Valid Access Point Configuration (Setup > AP Management > Valid AP)
   - MAC Address: This field shows the MAC address of the AP. To change this field, you must delete the entire Valid AP configuration and then enter the correct MAC address from the page that lists all Valid APs.
   - Location: To help you identify the AP, you can enter a location. This field accepts up to 32 alphanumeric characters.
   - AP Mode: You can configure the AP to be in one of three modes:
     - Standalone: The AP acts as an individual access point in the network.
     - Managed: If an AP is in Managed Mode, the Administrator Web UI and SNMP services on the AP are disabled.
     - Rogue: Select Rogue as the AP mode if you wish to be notified (through an SNMP trap, if enabled) when this AP is detected in the network.
   - Profile: If you configure multiple AP Profiles, you can select the profile to assign
3. Figure 102: SSL VPN Portal configuration. This page allows you to add a new portal layout or edit the configuration of an existing portal layout. The details will then be displayed in the List of Portal Layouts table on the SSL VPN Server > Portal Layouts page under the VPN menu.
   (Screenshot residue: Portal Layout and Theme Name fields: Portal Layout Name, Portal Site Title (optional), Banner Title (optional), Banner Message (optional), Display banner message on login page, HTTP meta tags for cache control (recommended), ActiveX web cache cleaner; SSL VPN Portal Pages to Display: VPN Tunnel page, Port Forwarding.)
   Chapter 8: Advanced Configuration Tools
   8.1 USB Device Setup (Setup > USB Settings > USB Status)
   The DWC-1000 Wireless Controller has a USB interface for printer access and file sharing. There is no configuration on the GUI to enable USB device support. Upon inserting your USB storage device or printer cable, the DWC will automatically detect the type of connected peripheral.
   - USB Mass Storage: Also referred to as a share port; files on a USB disk connected to the DWC can be accessed by LAN users as a network drive.
   - USB Printer: The DWC can provide the LAN with access to printers connected through the USB Th
4. If you would like to utilize our easy-to-use Web-based Wizards to assist you in connecting your new D-Link Systems Router to the Internet, click on the button below: Internet Connection Setup Wizard.
   Note: Before launching these wizards, please make sure you have followed all steps outlined in the Quick Installation Guide included in the package.
   Manual Internet Connection Options: If you would like to configure the Internet settings of your new D-Link Systems Router manually, then click on the button below: Manual Internet Connection Setup.
   You can start using the Wizard by logging in with the administrator password for the controller. Once authenticated, set the time zone that you are located in, and then choose the type of ISP connection type: DHCP, Static, PPPoE, PPTP, L2TP. Depending on the connection type, a username/password may be required to register this controller with the ISP. In most cases the default settings can be used if the ISP did not specify that parameter. The last step in the Wizard is to click the Connect button, which confirms the settings by establishing a link with the ISP. Once connected, you can move on and configure other features in this controller.
   3.2 WAN Configuration (Setup > Internet Settings > Option1 Setup)
   You must either allow the controller to detect the WAN connection type automatically or configure manually the following
5. - Configured Probe Requests Rate Test: This test checks whether the client has exceeded the configured rate for transmitting probe requests.
   - Configured De-Authentication Requests Rate Test: This test checks whether the client has exceeded the configured rate for transmitting de-authentication requests.
   - Maximum Authentication Failures Test: This test checks whether the client has exceeded the maximum number of failed authentications.
   - Authentication with Unknown AP Test: This test checks whether a client in the Known Client database is authenticated with an unknown AP.
   - Client Threat Mitigation: Select Enable to send de-authentication messages to clients that are in the Known Clients database but are associated with unknown APs. The Authentication with Unknown AP Test must also be enabled in order for the mitigation to take place. Select Disable to allow clients in the Known Clients database to remain authenticated with an unknown AP.
   - Known Client Database Lookup Method: When the controller detects a client on the network, it performs a lookup in the Known Client database. Specify whether the controller should use the local or RADIUS database for these lookups.
   - Known Client Database RADIUS Server Name: If the known client database lookup method is RADIUS, then this field specifies the RADIUS server name.
   - Rogue Detected Trap Interval: Specify the interval in seconds between transmissions of the
6. (Screenshot residue: UPnP page with "Do you want to enable UPnP?" option and LAN selection.)
   UPnP Port map Table: The UPnP Port map Table has the details of UPnP devices that respond to the controller advertisements. The following information is displayed for each detected device:
   - Active: A yes/no indicating whether the port of the UPnP device that established a connection is currently active.
   - Protocol: The network protocol (i.e. HTTP, FTP, etc.) used by the DWC.
   - Int Port (Internal Port): The internal ports opened by UPnP (if any).
   - Ext Port (External Port): The external ports opened by UPnP (if any).
   - IP Address: The IP address of the UPnP device detected by this controller.
   Click Refresh to refresh the portmap table and search for any new UPnP devices.
   2.5 Captive Portal
   LAN users can gain internet access via web portal authentication with the DWC. Also referred to as Run-Time Authentication, a Captive Portal is ideal for a web café scenario where users initiate HTTP connection requests for web access but are not interested in accessing any LAN services. Firewall policies underneath will define which users require authentication for HTTP access, and when a matching user request is made the DWC will intercept the r
7. (Diagram residue: Site B side of the gateway-to-gateway figure: two DWC controllers, Inside networks 10.10.10.0 and 10.20.20.0, printers and personal computers.)
   Figure 77: Example of three IPsec client connections to the internal network through the DWC IPsec gateway. (Diagram residue: internal network 10.10.10.0 with DNS Server 10.10.10.163 and WINS Server 10.10.10.133; three personal computers using VPN software clients connect from Outside.)
   6.1 VPN Wizard (Setup > Wizard > VPN Wizard)
   You can use the VPN wizard to quickly create both IKE and VPN policies. Once the IKE or VPN policy is created, you can modify it as required.
   Figure 78: VPN Wizard launch screen. This page will guide you through common and easy steps to configure IPsec VPN policies. VPN Setup Wizard: If you would like to utilize our easy-to-use Web-based Wizards to assist you in VPN Configuration, click on the button below. Manual VPN Configuration Options: If you would like to configure the VPN Policies of your new D-Link Systems Router manually, click on the button below: Manual VPN Configuration. To easily establish a VPN t
8. Poll List: This page contains all the information about the IP Address and VLAN values which can be configured for peer controllers and APs. The IP Discovery list can contain the IP addresses of peer controllers and APs for the UWS to discover and associate with as part of the WLAN. (Screenshot residue: List of IP Addresses containing 192.168.10.101; VLAN range 1-4094.)
   L2/VLAN Discovery: The D-Link Wireless Device Discovery Protocol is a good discovery method to use if the controller and APs are located in the same Layer 2 multicast domain. The wireless controller periodically sends a multicast packet containing the discovery message on each VLAN enabled for discovery.
   This page includes the following buttons:
   - Add: Adds the data in the IP Address or VLAN field to the appropriate list.
   - Delete: Deletes the selected entry from the IP or VLAN list.
   Wireless Discovery Status (Status > Global Info > IP Discovery)
   The IP Discovery list can contain the IP addresses of peer controllers and APs for the UWS to discover and associate with as part of the WLAN.
   - IP Address: Shows the IP address of the device configured in the IP Discovery list.
   - Status: The wireless discovery status is in one of the following states:
     - Not Polled: The controller has not attempted to contact the IP address in the L3 IP Discovery list.
     - Polled: The controller has attempted
9. When used in a multi-client server configuration, it allows the server to release an authentication certificate for every client, using signatures and a Certificate Authority. An OpenVPN can be established through this controller. Check/uncheck this and click Save Settings to start/stop the OpenVPN server.
   - Mode: OpenVPN daemon mode. It can run in server mode, client mode or access server client mode. In access server client mode the user has to download the auto-login profile from the OpenVPN Access Server and upload the same to connect.
   - Server IP: OpenVPN server IP address to which the client connects (applicable in client mode).
   - VPN Network: Address of the virtual network.
   - VPN Netmask: Netmask of the virtual network.
   - Port: The port number on which the OpenVPN server or Access Server runs.
   - Tunnel Protocol: The protocol used to communicate with the remote host, e.g. TCP or UDP. UDP is the default.
   - Encryption Algorithm: The cipher with which the packets are encrypted, e.g. BF-CBC, AES-128, AES-192 and AES-256. BF-CBC is the default.
   - Hash Algorithm: Message digest algorithm used to authenticate packets, e.g. SHA1, SHA256 and SHA512. SHA1 is the default.
   - Tunnel Type: Select Full Tunnel to redirect all the traffic through the tunnel. Select Split Tunnel to redirect only traffic to the specified resources (added from OpenVPN Client Routes) through the tunnel. Full Tunnel is the default.
   - Enable
10. ...authenticate connecting VPN gateways or clients, or to be authenticated by remote entities.
   (Screenshot residue: Trusted Certificates (CA Certificate): CA Identity (Subject Name), Issuer Name, Expiry Time. Active Self Certificates: Name, Subject Name, Serial Number, Issuer Name, Expiry Time; Upload, Delete. Self Certificate Requests: New Self Certificate, Delete.)
   8.3 WIDS Security
   8.3.1 WIDS AP Configuration (Advanced > WIDS Security > AP)
   The WIDS AP Configuration page allows you to activate or deactivate various threat detection tests and set threat detection thresholds in order to help detect rogue APs on the wireless network. These changes can be done without disrupting network connectivity. Since some of the work is done by access points, the controller needs to send messages to the APs to modify their WIDS operational properties.
   - Administrator configured rogue AP: If the source MAC address is in the valid AP database on the controller or on the RADIUS server and the AP type is marked as Rogue, then the AP state is Rogue.
   - Managed SSID from an unknown AP: This test checks whether an unknown AP is using the managed network SSID. A hacker may set up an AP with the managed SSID to fool users into associating with the AP and
11. - Click Edit to update an existing user.
   - Click Delete to clear an existing user.
   Figure 94: Available Users with login status and associated Group. This page shows a list of available users in the system. A user can add, delete and edit the users also. This page can also be used for setting policies on users.
   7.1.1 Users and Passwords (Advanced > Users > Users)
   The user configurations allow creating users associated to a group. The user settings contain the following key components:
   - User Name: This is the unique identifier of the user.
   - First Name: This is the user's first name.
   - Last Name: This is the user's last name.
   - Select Group: A group is chosen from a list of configured groups.
   - Password: The password associated with the user name.
   - Confirm Password: The same password as above is required to mitigate against typing errors.
   - Idle Timeout: The session timeout for the user.
   It is recommended that passwords contain no dictionary words from any language and are a mixture of letters (both uppercase and lowercase), numbers and symbols. The password can be up to 30 characters.
   Figure 95: User configuration options.
12. - Start: To initiate the channel plan algorithm.
   Figure 55: Manual Channel Plan. (Screenshot residue: Channel Plan for 5 GHz 802.11a/n and 2.4 GHz 802.11b/g/n; Channel Plan Algorithm Current Status: None; Proposed Channel Assignments: No proposed channel plan entries exist.)
   RF Management: Manual Power Adjustment Plan (Setup > AP Management > RF Management > Manual Power Adjustment Plan)
   If you select Manual as the Power Adjustment Mode on the Configuration tab, you can manually initiate the power adjustment algorithm on the Manual Power Adjustments page.
   - Current Status: Shows the current status of the plan, which is one of the following states:
     - None: The power adjustment algorithm has not been manually run since the last controller reboot.
     - Algorithm In Progress: The power adjustment algorithm is running.
     - Algorithm Complete: The power adjustment algorithm has finished running. A table displays to indicate proposed power adjustments. Each entry shows the AP along with the current and new power levels.
     - Apply In Progress: The controller is adjusting the power levels that the APs use.
     - Apply Complete: The algorithm and power adjustment are complete.
   - AP MAC Address: Identifies the AP MAC address.
   - Location: Identifies the location of the
13. (Screenshot residue: Peer Controller Configuration Status table with columns Configuration Controller IP Address, Configuration and Timestamp, showing 0.0.0.0, None and Jan 1 00:00:00 1970.)
   This page includes the following buttons:
   - Refresh: Updates the page with the latest information.
   Peer Controller Managed AP Status (Status > Global Info > Peer Controller > Managed AP)
   The Peer Controller Managed AP Status page displays information about the APs that each peer controller in the cluster manages. Use the menu above the table to select the peer controller with the AP information to display. Each peer controller is identified by its IP address.
   - MAC Address: Shows the MAC address of each AP managed by the peer controller.
   - Peer Controller IP: Shows the IP address of the peer controller that manages the AP. This field displays when All is selected from the drop-down menu.
   - Location: The descriptive location configured for the managed AP.
   - AP IP Address: The IP address of the AP.
   - Profile: The AP profile applied to the AP by the controller.
   - Hardware ID: The Hardware ID associated with the AP hardware platform.
   Figure 42: Peer Controller Managed AP Status. (Screenshot residue: table with columns MAC Address, Peer Switch IP, Location, AP IP Address, Profile, Hardware ID and one entry for an AP managed by 192.168.1.67 with hardware ID hw_dw18600.)
14. ...addresses is set by the prefix length field.
   Figure 2: IPv6 LAN and DHCPv6 configuration. (Screenshot residue: IPv6 LAN Config page with DHCPv6 Server enable/disable, domain name dlink.com, Use DNS Proxy, List of IPv6 Address Pools and List of Prefixes for Prefix Delegation.)
   Note: If you change the IP address and click Save Settings, the GUI will not respond. Open a new connection to the new IP address and log in again. Be sure the LAN host (the machine used to manage the router) has obtained an IP address from the newly assigned pool or has a static IP address in the router's LAN subnet before accessing the router via the changed IP address.
   As with an IPv4 LAN network, the router has a DHCPv6 server. If enabled, the router assigns an IP address within the specified range, plus additional specified information, to any LAN PC that requests DHCP served addresses.
   The following settings are used to configure the DHCPv6 server:
   - DHCP Mode: The IPv6 DHCP server is either stateless or stateful. If stateless is selected, an external IPv6 DHCP server is not required, as the IPv6 LAN hosts are auto-configured by this controller. In this case the controller advertisement daemon (RADVD) must be configured on this device and ICMPv6 controller d
15. ...the subnet mask of the LAN behind the peer.
   Note: The IP address range used on the remote LAN must be different from the IP address range used on the local LAN.
   4. Review the settings and click Connect to establish the tunnel.
   The Wizard will create an Auto IPsec policy with the following default values for a VPN Client or Gateway policy (these can be accessed from a link on the Wizard page).
   Note: The VPN Wizard is the recommended method to set up an Auto IPsec policy. Once the Wizard creates the matching IKE and VPN policies required by the Auto policy, one can modify the required fields through the Edit link. Refer to the online help for details.
   Easy Setup Site to Site VPN Tunnel: If you find it difficult to configure VPN policies through the VPN wizard, use Easy Setup Site to Site VPN Tunnel. This will add VPN policies by importing a file containing VPN policies.
   6.2 Configuring IPsec Policies (Setup > VPN Settings > IPsec > IPsec Policies)
   An IPsec policy is between this controller and another gateway, or between this controller and an IPsec client on a remote host. The IPsec mode can be either tunnel or transport, depending on the network being traversed between the two policy endpoints.
   - Transport: This is used for end-to-end communication between this controller and the tunnel endpoint, either another IPsec gateway or an IPsec VPN client on a host. Only the data payload is encryp
16. (Screenshot residue: List of Peer Controllers table with columns IP Address, Vendor ID, Software Version, Protocol Version, Discovery Reason, Managed AP Count and Age, showing one D-Link peer at 192.168.1.185 discovered by IP Poll with 0 managed APs.)
   This page includes the following buttons:
   - Refresh: Updates the page with the latest information.
   Peer Controller Configuration Status (Status > Global Info > Peer Controller > Configuration)
   You can push portions of the controller configuration from one controller to another controller in the cluster. The Peer Controller Configuration Status page displays information about the configuration sent by a peer controller in the cluster. It also identifies the IP address of each peer controller that received the configuration information.
   - Peer IP Address: Shows the IP address of each peer wireless controller in the cluster that received configuration information.
   - Configuration Controller IP Address: Shows the IP address of the controller that sent the configuration information.
   - Configuration: Identifies which parts of the configuration the controller received from the peer controller.
   - Timestamp: Shows when the configuration was applied to the controller. The time is displayed as UTC time and is therefore only useful if the administrator has configured each peer controller to use NTP.
   Figure 41: Peer Controller Configuration Status.
17. 2.4 Universal Plug and Play (UPnP) (Advanced > Advanced Network > UPnP)
   Universal Plug and Play (UPnP) is a feature that allows the controller to discover devices on the network that can communicate with the controller and allow for auto-configuration. If a network device is detected by UPnP, the controller can open internal or external ports for the traffic protocol required by that network device. Once UPnP is enabled, you can configure the controller to detect UPnP-supporting devices on the LAN or a configured VLAN. If disabled, the controller will not allow for automatic device configuration.
   Configure the following settings to use UPnP:
   - Advertisement Period: This is the frequency with which the controller broadcasts UPnP information over the network. A large value will minimize network traffic but cause delays in identifying new UPnP devices to the network.
   - Advertisement Time to Live: This is expressed in hops for each UPnP packet. This is the number of steps a packet is allowed to propagate before being discarded. Small values will limit the UPnP broadcast range. A default of 4 is typical for networks with few switches.
   Figure 9: UPnP Configuration. (Screenshot residue: "Please enable UPnP to refresh UPnP Portmap Table"; "UPnP (Universal Plug and Play) is a feature that allows for automatic discovery of devices that can communicate with this security appliance".)
18. (Table of contents fragment)
   3.4.2 Dynamic Routing (RIP)
   3.4.3 Static Routing
   3.5 WAN Port Settings
   Chapter 4: Monitoring Status and Statistics
   4.1 System Overview
   4.1.1 Device Status
   4.1.2 Resource Utilization
   4.2 Traffic Statistics
   4.2.1 Wired Port Statistics
   4.3 Active Connections
   4.3.1 Sessions through the Controller
   4.3.2 WAN GIGS (garbled in extraction)
   4.3.3 Active VPN Tunnels
   4.4 Access Point Status
   4.5 Global Status
   4.6 Wireless Client Status
19. (Screenshot residue: firewall attack-check settings: Allow Ping from LAN; ICSA Settings: Block ICMP Notification, Block Fragmented Packets, Block Multicast Packets, Block Spoofed IP Packets; DoS Attacks: SYN Flood Detect Rate (max/sec).)
   Chapter 6: IPsec / PPTP / L2TP VPN
   A VPN provides a secure communication channel (tunnel) between two gateway controllers or a controller and a remote PC client. The following types of tunnels can be created:
   - Gateway-to-gateway VPN: to connect two or more controllers to secure traffic between remote sites.
   - Remote Client (client-to-gateway VPN tunnel): A remote client initiates a VPN tunnel, as the IP address of the remote PC client is not known in advance. The gateway in this case acts as a responder.
   - Remote client behind a NAT controller: The client has a dynamic IP address and is behind a NAT controller. The remote PC client at the NAT controller initiates a VPN tunnel, as the IP address of the remote NAT controller is not known in advance. The gateway WAN port acts as responder.
   - PPTP server for LAN/WAN PPTP client connections.
   - L2TP server for LAN/WAN L2TP client connections.
   Figure 76: Example of Gateway-to-Gateway IPsec VPN tunnel using two DWC controllers connected to the Internet. (Diagram residue: Outside addresses 209.165.200.226 and 209.165.200.236, Site A
20. (Screenshot residue: associated client table with Client MAC Address column, one entry on AP 192.168.1.185, and Disassociate, View Client Details and Refresh buttons.)
   This page includes the following buttons:
   - Disassociate: Disassociates the client from the managed AP.
   - View Client Details: Displays associated client details.
   - Refresh: Updates the page with the latest information.
   Detected Client Status (Status > Wireless Client Info > Detected Clients)
   Wireless clients are detected by the wireless system when the clients either attempt to interact with the system or when the system detects traffic from the clients. The Detected Client Status page contains information about clients that have authenticated with an AP, as well as information about clients that disassociate and are no longer connected to the system.
   - MAC Address: The Ethernet address of the client.
   - Client Name: Shows the name of the client, if available from the Known Client Database. If the client is not in the database, then the field is blank.
   - Client Status: Shows the client status, which can be one of the following:
     - Authenticated: The wireless client is authenticated with the wireless system.
     - Detected: The wireless client is detected by the wireless system but is not a security threat.
     - Black Listed: The client with this MAC address is specifically denied access via MAC Authentication.
     - Rogue: The client is classi
21. (List of figures fragment; the figure numbers 81 through 98 were extracted separately from the captions below and cannot be paired with them.)
   - Available ALG support on the controller
   - Passthrough options for VPN tunnels
   - List of Available Application Rules showing 4 unique rules
   - Content Filtering used to block access to proxy servers and prevent ActiveX controls from being downloaded
   - Two trusted domains added to the Approved URLs List
   - One keyword added to the block list
   - Export Approved URL list
   - The following example binds a LAN host's MAC Address to an IP address served by DWC-1000. If there is an IP/MAC Binding violation, the violating packet will be dropped and logs will be captured
   - Protecting the controller and LAN from internet attacks
   - Example of Gateway to Gateway IPsec VPN tunnel using two DWC controllers connected to the Internet
   - Example of three IPsec cli
22. ...IPsec VPN. SSL VPN differs from IPsec VPN mainly by removing the requirement of a pre-installed VPN client on the remote host. Instead, users can securely log in through the SSL User Portal using a standard web browser and receive access to configured network resources within the corporate LAN. The controller supports multiple concurrent sessions to allow remote users to access the LAN over an encrypted link through a customizable user portal interface, and each SSL VPN user can be assigned unique privileges and network resource access levels.
   The remote user can be provided different options for SSL service through this controller:
   - VPN Tunnel: The remote user's SSL-enabled browser is used in place of a VPN client on the remote host to establish a secure VPN tunnel. An SSL VPN client (ActiveX or Java based) is installed in the remote host to allow the client to join the corporate LAN with pre-configured access policy privileges. At this point a virtual network interface is created on the user's host, and this will be assigned an IP address and DNS server address from the controller. Once established, the host machine can access allocated network resources.
   - Port Forwarding: A web-based (ActiveX or Java) client is installed on the client machine again. Note that the Port Forwarding service only supports TCP connections between the remote user and the controller. The controller administrator can define specific services or applications that are avai
23. (Screenshot residue: SSL VPN client settings with Secondary DNS Server (optional), Client Address Range Begin 192.168.251.1, Client Address Range End 192.168.251.254 and LCP Timeout 60 seconds.)
   The controller allows full tunnel and split tunnel support. Full tunnel mode just sends all traffic from the client across the VPN tunnel to the controller. Split tunnel mode only sends traffic to the private LAN based on pre-specified client routes. These client routes give the SSL client access to specific private networks, thereby allowing access control over specific LAN services.
   Client level configuration supports the following:
   - Enable Split Tunnel Support: With a split tunnel, only resources which are referenced by client routes can be accessed over the VPN tunnel. With full tunnel support (if the split tunnel option is disabled) the DWC-1000 acts in full tunnel mode: all addresses on the private network are accessible over the VPN tunnel. Client routes are not required.
   - DNS Suffix: The DNS suffix name which will be given to the SSL VPN client. This configuration is optional.
   - Primary DNS Server: DNS server IP address to set on the network adaptor created on the client host. This configuration is optional.
   - Secondary DNS Server: Secondary DNS server IP address to set on the network adaptor created on the client host. This configuration is optional.
   - Client Address Range Begin: Clients who connect to the tunnel get a DHCP served IP address assigned to the network adap
24. ...Protocol over Ethernet: Protocol for connecting a network of hosts to an ISP without the ISP having to manage the allocation of IP addresses.
   - Point-to-Point Tunneling Protocol: Protocol for creation of VPNs for the secure transfer of data from remote clients to private servers over the Internet.
   - Remote Authentication Dial-In User Service: Protocol for remote user authentication and accounting. Provides centralized management of usernames and passwords.
   - Rivest-Shamir-Adleman: Public key encryption algorithm.
   - Transmission Control Protocol: Protocol for transmitting data over the Internet with guaranteed reliability and in-order delivery.
   - User Datagram Protocol: Protocol for transmitting data over the Internet quickly but with no guarantee of reliability or in-order delivery.
   - Virtual Private Network: Network that enables IP traffic to travel securely over a public TCP/IP network by encrypting all traffic from one network to another. Uses tunneling to encrypt all information at the IP level.
   - Windows Internet Name Service: Service for name resolution. Allows clients on different IP subnets to dynamically resolve addresses, register themselves and browse the network without sending broadcasts.
   Appendix B: Factory Default Settings. (Table residue: User login URL http://192.168.10.1; Local area network (LAN); Time zone adjusted for Daylight Saving Time: Disabled; inbound traffic disabled except traffic on port 80 (the HTTP port); Outbound com
25. SNMP trap telling the administrator that rogue APs are present in the RF Scan database. If you set the value to 0, the trap is never sent.
De-Authentication Requests Threshold Interval: Specify the number of seconds an AP should spend counting the de-authentication messages sent by wireless clients.
De-Authentication Requests Threshold Value: If the controller receives more than the specified number of messages during the threshold interval, the test triggers.
Authentication Requests Threshold Interval: Specify the number of seconds an AP should spend counting the authentication messages sent by wireless clients.
Authentication Requests Threshold Value: If the controller receives more than the specified number of messages during the threshold interval, the test triggers.
Probe Requests Threshold Interval: Specify the number of seconds an AP should spend counting the probe messages sent by wireless clients.
Probe Requests Threshold Value: Specify the number of probe requests a wireless client is allowed to send during the threshold interval before the event is reported as a threat.
Authentication Failure Threshold Value: Specify the number of 802.1X authentication failures a client is allowed to have before the event is reported as a threat.

[Figure 106: WIDS Client Configuration]
26. This page allows a user to add new system users.

4.7.2 Using SSL VPN Policies

Setup > VPN Settings > SSL VPN Server > SSL VPN Policies

SSL VPN Policies can be created on a Global, Group, or User level. User-level policies take precedence over Group-level policies, and Group-level policies take precedence over Global policies. These policies can be applied to a specific network resource (IP address or ranges on the LAN) or to different SSL VPN services supported by the controller. The List of Available Policies can be filtered based on whether it applies to a user, a group, or all users (global).

Note: A more specific policy takes precedence over a generic policy when both are applied to the same user/group/global domain, i.e. a policy for a specific IP address takes precedence over a policy for a range of addresses containing the IP address already referenced.

[Figure 96: List of SSL VPN policies (Global filter)]
On-screen text: Please Enable Remote Management to activate SSL VPN Configurations. Policies are useful to permit or deny access to specific network resources, IP addresses, or IP networks. They may be defined at the user, group, or global level. By default, a global PERMIT policy (not displaye
27. Unified Wireless Controller.
Profile Name: The Access Point profile name you added. Use 0 to 32 characters. Only alphanumeric characters are allowed; no special characters are allowed.
Hardware Type: Select the hardware type for the APs that use this profile. The hardware type is determined in part by the number of radios the AP supports (single or dual) and the IEEE 802.11 modes that the radio supports (a/b/g or a/b/g/n). The options available in the Hardware Type ID are:
• DWL-8600AP Dual Radio a/b/g/n
• DWL-3600AP Single Radio b/g/n
• DWL-6600AP Dual Radio a/b/g/n
Wired Network Discovery VLAN ID: Enter the VLAN ID that the controller uses to send tracer packets in order to detect APs connected to the wired network.

AP Profile

Advanced > AP Profile

Access point configuration profiles are a useful feature for large wireless networks with APs that serve a variety of different users. You can create multiple AP profiles on the Controller to customize APs based on location, function, or other criteria. Profiles are like templates: once you create an AP profile, you can apply that profile to any AP.

[Figure 15: AP Profile List]
On-screen text: From the Access Point Profile Summary page you can create, copy, or delete AP profiles. You ca
28. WLAN devices and establish communication with them, the devices must have their own IP address, must be able to find other WLAN devices, and must be compatible. When the controller discovers and validates APs, the controller takes over the management of the AP. If you configure the AP in Standalone mode, the existing AP configuration is replaced by the default AP Profile configuration on the controller.
• L3/IP Discovery: Select or clear this option to enable or disable IP-based discovery of access points and peer wireless controllers. When the L3/IP Discovery option is selected, IP polling is enabled and the controller will periodically poll each address in the configured IP List. By default, L3/IP Discovery is enabled.
• List of IP addresses: Shows the list of IP addresses configured for discovery. To remove entries from the list, select one or more entries and click Delete. Hold the Shift key or Control key to select specific entries.
• IP Address Range: This text field is used to add a range of IP address entries to the IP List. Enter the IP address at the start of the address range in the From field and the IP address at the end of the range in the To field, then click Add. All IP addresses in the range are added to the IP List. Only the last octet is allowed to differ between the From address and the To address.

[Figure 12: Configuring the Wireless Discovery]
29. allows local applications to access services on the private network without any special network configuration on the remote SSL VPN client machine. It is important to ensure that the virtual PPP interface address of the VPN tunnel client does not conflict with physical devices on the LAN. The IP address range for the SSL VPN virtual network adapter should be either in a different subnet or in a non-overlapping range from the corporate LAN.

Note: The IP addresses of the client's network interfaces (Ethernet, Wireless, etc.) cannot be identical to the controller's IP address or to a server on the corporate LAN that is being accessed through the SSL VPN tunnel.

[Figure 100: SSL VPN client adapter and access configuration]
On-screen text: An SSL VPN tunnel client provides a point-to-point connection between the browser-side machine and this device. When an SSL VPN client is launched from the user portal, a network adapter with an IP address, DNS, and WINS settings is automatically created, which allows local applications to talk to services on the private network without any special network configuration on the remote SSL VPN client machine.
Form fields: Client IP Address Range; Enable Split Tunnel Support; DNS Suffix (Optional); Primary DNS Server
30. and last continuous addresses in the IP address pool. Any new DHCP client joining the LAN is assigned an IP address in this range. The default starting address is 192.168.10.100 and the default ending address is 192.168.10.254. These addresses should be in the same IP address subnet as the controller's LAN IP address. You may wish to save part of the subnet range for devices with statically assigned IP addresses in the LAN.
Default Gateway (Optional): Enter the IP address of the device which you want to make the default gateway, other than the DWC-1000.
Primary and Secondary DNS servers: If configured domain name system (DNS) servers are available on the LAN, enter their IP addresses here.
Domain Name: Enter the domain name.
WINS Server (optional): Enter the IP address for the WINS server or, if present in your network, the Windows NetBIOS server.
Lease Time: Enter the time, in hours, for which IP addresses are leased to clients.
Enable DNS Proxy: To enable the controller to act as a proxy for all DNS requests and communicate with the ISP's DNS servers, click the checkbox.
Relay Gateway: Enter the gateway address. This is the only configuration parameter required in this section when DHCP Relay is selected as the DHCP mode.
3. Click Save Settings to apply all changes.

[Figure 1: Setup page for LAN TCP/IP settings]
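The two address-range rules stated on this page, that the DHCP pool must sit inside the controller's LAN subnet (and leave room for static hosts) and that the SSL VPN client range must not overlap the corporate LAN (items 29 and 30 above), are easy to get wrong when a network is renumbered. The following check is an added example written for this page, not code from D-Link or the DWC-1000 manual; it uses the manual's documented defaults (192.168.10.x LAN, pool .100 to .254, SSL VPN range 192.168.251.1 to .254) as sample input, and the function names are this example's own.

```python
"""Sanity checks for the LAN DHCP pool and the SSL VPN client address range.

Added illustration, not code from D-Link or the DWC-1000 user manual.
The sample values are the manual's documented defaults; the helper names
are assumptions of this example.
"""
import ipaddress


def _ip(s):
    return ipaddress.IPv4Address(s)


def check_dhcp_pool(lan_ip, prefix_len, pool_start, pool_end):
    """Return a list of problems with a DHCP pool; an empty list means it is sane.

    Checks what the manual asks for: the range must lie in the controller's
    LAN subnet and be ordered, and it must not hand out the controller's own
    address (a duplicate-IP outage waiting to happen).
    """
    problems = []
    lan = ipaddress.IPv4Network(f"{lan_ip}/{prefix_len}", strict=False)
    start, end = _ip(pool_start), _ip(pool_end)
    if start > end:
        problems.append("pool start is after pool end")
    for name, addr in (("start", start), ("end", end)):
        if addr not in lan:
            problems.append(f"pool {name} {addr} is outside LAN subnet {lan}")
    if start <= _ip(lan_ip) <= end:
        problems.append(f"pool includes the controller LAN address {lan_ip}")
    return problems


def check_vpn_client_range(lan_ip, prefix_len, vpn_start, vpn_end):
    """Return problems with the SSL VPN virtual adapter range.

    The manual requires the range to be in a different subnet from, or at
    least non-overlapping with, the corporate LAN so a client's PPP address
    never collides with a LAN host or the controller.
    """
    problems = []
    lan = ipaddress.IPv4Network(f"{lan_ip}/{prefix_len}", strict=False)
    start, end = _ip(vpn_start), _ip(vpn_end)
    if start > end:
        problems.append("range start is after range end")
    # Closed-interval overlap test on integer addresses.
    if int(start) <= int(lan.broadcast_address) and int(end) >= int(lan.network_address):
        problems.append(f"range {start}-{end} overlaps LAN subnet {lan}")
    return problems


def static_reservation(lan_ip, prefix_len, pool_start, pool_end):
    """LAN host addresses left outside the DHCP pool (usable for static hosts)."""
    lan = ipaddress.IPv4Network(f"{lan_ip}/{prefix_len}", strict=False)
    start, end = _ip(pool_start), _ip(pool_end)
    return [str(h) for h in lan.hosts()
            if not (start <= h <= end) and h != _ip(lan_ip)]


if __name__ == "__main__":
    # Manual defaults: both checks come back clean, 98 addresses stay static.
    print(check_dhcp_pool("192.168.10.1", 24, "192.168.10.100", "192.168.10.254"))
    print(check_vpn_client_range("192.168.10.1", 24, "192.168.251.1", "192.168.251.254"))
    print(len(static_reservation("192.168.10.1", 24, "192.168.10.100", "192.168.10.254")))
```

Run the checks whenever the LAN subnet, DHCP pool, or SSL VPN range is changed; a non-empty list is a configuration to fix before saving.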
31. as follows:
• PPTP User: These are PPTP VPN tunnel LAN users that can establish a tunnel with the PPTP server on the WAN.
• L2TP User: These are L2TP VPN tunnel LAN users that can establish a tunnel with the L2TP server on the WAN.
• Xauth User: This user's authentication is performed by an externally configured RADIUS or other Enterprise server. It is not part of the local user database.
• SSLVPN User: This user has access to the SSL VPN services as determined by the group policies and authentication domain of which it is a member. The domain-determined SSL VPN portal will be displayed when logging in with this user type.
• Admin: This is the controller's super user and can manage the controller, use SSL VPN to access network resources, and log in to L2TP/PPTP servers on the WAN. There will always be one default administrator user for the GUI.
• Guest User (read-only): The guest user gains read-only access to the GUI to observe and review configuration settings. The guest does not have SSL VPN access.
• Captive Portal User: These captive portal users have access through the controller. The access is determined based on captive portal policies.
Idle Timeout: This is the login timeout period for users of this group.

[Figure 89: User group configuration]
On-screen text: This page allows the user to add a new user group. Once t
32. basic settings to enable Internet connectivity.
• ISP Connection type: Based on the ISP you have selected for the primary WAN link for this controller, choose Static IP address, DHCP client, Point-to-Point Tunneling Protocol (PPTP), Point-to-Point Protocol over Ethernet (PPPoE), or Layer 2 Tunneling Protocol (L2TP). Required fields for the selected ISP type become highlighted. Enter the following information as needed and as provided by your ISP.
• PPPoE Profile Name: This menu lists configured PPPoE profiles, particularly useful when configuring multiple PPPoE connections (i.e. for Japan ISPs that have multiple PPPoE support).
• ISP login information: This is required for PPTP and L2TP ISPs.
  • User Name
  • Password
  • Secret (required for L2TP only)
• MPPE Encryption: For PPTP links, your ISP may require you to enable Microsoft Point-to-Point Encryption (MPPE).
• Split Tunnel (supported for PPTP and L2TP connections): This setting allows your LAN hosts to access internet sites over this WAN link while still permitting VPN traffic to be directed to a VPN configured on this WAN port.

Note: If split tunnel is enabled, the DWC won't expect a default route from the ISP server. In such a case, the user has to take care of routing manually by configuring the routing from the Static Routing page.

Connectivity Type: To keep the connection always on, click Keep Connected. To log out after the connection is idle for a period of time (useful if your ISP costs are b
33. be a threat to network security. The WIDS feature tracks the following types of management messages that each detected client sends:
• Probe Requests
• 802.11 Authentication Requests
• 802.11 De-Authentication Requests
In order to help determine whether a client is posing a threat to the network by flooding the network with management traffic, the system keeps track of the number of times the AP received each message type and the highest message rate detected in a single RF Scan report. On the WIDS Client Configuration page, you can set thresholds for each type of message sent, and the APs monitor whether any clients exceed those thresholds or fail the following tests.
Not Present in OUI Database Test: This test checks whether the MAC address of the client is from a registered manufacturer identified in the OUI database.
Known Client Database Test: This test checks whether the client, which is identified by its MAC address, is listed in the Known Client Database and is allowed access to the AP either through the Authentication Action of Grant or through the White List global action. If the client is in the Known Client Database and has an action of Deny, or if the action is Global Action and it is globally set to Black List, the client fails this test.
Configured Authentication Rate Test: This test checks whether the client has exceeded the configured rate for transmitting 802.11 authentication requests
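The threshold fields of item 25 and the client tests of item 33 describe one detection pipeline: count each management frame type per client per interval, trigger when the count exceeds the configured value (0 disables the test), and separately check the client's OUI prefix and its Known Client Database action. The code below is an added example of that logic written for this page, not D-Link's implementation; the thresholds, the OUI excerpt, the known-client entries and the captured frames are constructed sample data, and all function names are this example's own.

```python
"""WIDS client tests modelled on the DWC-1000 manual's description.

Added illustration, not D-Link code. Thresholds, OUI excerpt, known-client
entries and the RF scan report below are constructed sample data.
"""
from collections import Counter, defaultdict

# WIDS Client Configuration: frame type -> (threshold interval in seconds,
# threshold value). A value of 0 disables that rate test. Constructed values.
THRESHOLDS = {
    "deauth": (60, 10),
    "auth": (60, 10),
    "probe": (60, 120),
}

# Constructed OUI excerpt: first three octets -> manufacturer (not a real registry).
OUI_DB = {"00:11:22": "ExampleVendorA", "aa:bb:cc": "ExampleVendorB"}

# Constructed Known Client Database: client MAC -> Authentication Action.
KNOWN_CLIENTS = {
    "00:11:22:33:44:55": "grant",
    "aa:bb:cc:00:00:01": "deny",
    "aa:bb:cc:00:00:02": "global",
}

# Constructed RF scan report: (seconds since scan start, client MAC, frame type).
SAMPLE_FRAMES = (
    [(5.0 * i, "00:11:22:33:44:55", "auth") for i in range(3)]        # 3 auth in 15 s: normal
    + [(2.0 * i, "aa:bb:cc:00:00:01", "deauth") for i in range(12)]   # 12 deauth in 24 s: flood
    + [(0.5 * i, "de:ad:be:ef:00:01", "probe") for i in range(40)]    # 40 probes in 20 s: normal
)


def peak_rate_per_client(frames, kind, interval):
    """Highest count of `kind` frames a single client sent inside one interval window."""
    windows = defaultdict(Counter)  # client -> window index -> count
    for t, mac, k in frames:
        if k == kind:
            windows[mac.lower()][int(t // interval)] += 1
    return {mac: max(c.values()) for mac, c in windows.items()}


def oui_test(mac, oui_db=OUI_DB):
    """Not Present in OUI Database test: True when the vendor prefix is registered."""
    return mac.lower()[:8] in oui_db


def known_client_test(mac, db=KNOWN_CLIENTS, global_action="white_list"):
    """Known Client Database test.

    Passes on action Grant, or on Global Action when the global setting is
    White List; fails on Deny, on Global Action with Black List, and
    (assumption of this example) when the client is not listed at all.
    """
    action = db.get(mac.lower())
    if action == "grant":
        return True
    if action == "global":
        return global_action == "white_list"
    return False


def evaluate_clients(frames, thresholds=THRESHOLDS, global_action="white_list"):
    """Return {client MAC: sorted names of failed tests} for flagged clients only."""
    failures = defaultdict(list)
    for kind, (interval, limit) in thresholds.items():
        if limit == 0:  # 0 disables the rate test
            continue
        for mac, peak in peak_rate_per_client(frames, kind, interval).items():
            if peak > limit:  # "more than the specified messages" triggers
                failures[mac].append(f"{kind}_rate")
    for mac in {m.lower() for _, m, _ in frames}:
        if not oui_test(mac):
            failures[mac].append("not_in_oui_db")
        if not known_client_test(mac, global_action=global_action):
            failures[mac].append("known_client_db")
    return {mac: sorted(tests) for mac, tests in failures.items()}


if __name__ == "__main__":
    for mac, tests in evaluate_clients(SAMPLE_FRAMES).items():
        print(mac, tests)
```

In the sample report the de-authentication flooder trips the rate test and the Deny entry, while the unknown-vendor client fails only the two database tests; the genuine, granted client is not reported. Disabling a rate test by setting its value to 0 removes only that test, exactly as the threshold field descriptions state.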
34. consists of a VLAN identifier and the numerical VLAN ID which is assigned to the VLAN membership. The VLAN ID value can be any number from 2 to 4091. VLAN ID 1 is reserved for the default VLAN, which is used for untagged frames received on the interface. By enabling Inter-VLAN Routing, you will allow traffic from LAN hosts belonging to this VLAN ID to pass through to other configured VLAN IDs that have Inter-VLAN Routing enabled.

[Figure 5: Adding VLAN memberships to the LAN]
On-screen text: This page shows a list of available VLANs which a user can edit or delete. A user can add a new VLAN from this page as well.

2.2.1 Associating VLANs to ports

In order to tag all traffic through a specific LAN port with a VLAN ID, you can associate a VLAN to a physical port.

Setup > VLAN Settings > Port VLAN

VLAN membership properties for the LAN and wireless LAN are listed on this page. The VLAN Port table displays the port identifier, the mode setting for that port, and VLAN membership information. The configuration page is accessed by selecting one of the four physical ports or a configured access point and clicking Edit. The edit page offers the following configuration opt
35. database are given access to the SSL VPN portal with their Active Directory username and password. If there are multiple Active Directory domains, the user can enter the details for up to two authentication domains.
• Timeout: The timeout period for reaching the authentication server.
• Retries: The number of retries to authenticate with the authentication server, after which the DWC-1000 stops trying to reach the server.

[Figure 90: SSLVPN Settings. Form fields: Portal Name (SSLVPN); Authentication Type (Radius-MSCHAP); Authentication Server 1; Authentication Server 2 (Optional); Authentication Server 3 (Optional); Authentication Secret 1; Authentication Secret 2 (Optional); LDAP attribute 1 to 4; Workgroup; Second Workgroup (Optional); LDAP Base DN; Second LDAP Base DN (Optional); Active Directory Domain; Second Active Directory Domain (Optional); Timeout 10 Seconds; Retries 5]

Login Policies: To set login policies for the group, select the corresponding group and click Login Policies. The following parameters are configured:
• Group Name: This is the name of the group that can have its login policy edited.
• Disable Login: Enable to prevent the users of this group from logging into the device's management interface(s).
• Deny Login from WAN interface: Enable to prev
36. in the network but is not classified as a threat by the threat detection algorithms.
Age: Time since this AP was last detected in an RF scan. Status entries for the RF Scan Status page are collected at a point in time and eventually age out. The age value for each entry shows how long ago the controller recorded the entry.

[Figure 39: AP RF Scan Status. Table columns: MAC Address, SSID, Physical Mode, Channel, Status, Age. The sample rows list neighbouring APs (for example netgear, FVS318N_1, cisco_wc, DSR-1000N_1, NETGEAR WGR614, srxnlite) in 802.11b/g mode with Status Unknown and Age values of a few seconds]

4.5 Global Status

Peer Controller Status

Status > Global Info > Peer Controller > Status

The Peer Controller Status page provides information about other Wireless Controllers in the network. Peer wireless controllers wi
37. level allowed for the channel by the regulatory domain or the hardware capability.
• Manual: In this mode, you run the proposed power adjustments manually from the Manual Power Adjustments page.
• Interval: In this mode, the controller periodically calculates the power adjustments and applies the power for all APs. The interval period begins when you click Submit.
Power Adjustment Interval: This field determines how often the controller runs the power adjustment algorithm. The algorithm runs automatically only if you set the power adjustment mode to Interval.

Note: This setting gets applied to both radios of the AP.

This page includes the following button:
• Submit: Updates the switch with the values you enter.

RF Management: Channel Plan History

Setup > AP Management > RF Management > Channel Plan History

The wireless controller stores channel assignment information for the APs it manages. The Cluster Controller that controls the cluster maintains the channel history information for all controllers in the cluster. On the Cluster Controller, the page shows information about the radios on all APs managed by controllers in the cluster that are eligible for channel assignment and were successfully assigned a new channel.
Channel Plan: The 5 GHz and 2.4 GHz radios use different channel plans, so the controller tracks the channel history separately for each radio. The channel information that displays on the page is only for
38. not connect by using the same SSID.
SSID: Indicates the network on which the client is connected.
Client MAC Address: The Ethernet address of the client station.

[Figure 45: Associated Client SSID Status. Table columns: SSID, Client MAC Address; buttons: Disassociate, View Client Details, Refresh]

This page includes the following buttons:
• Disassociate: Disassociates the client from the managed AP.
• View Client Details: Displays associated client details.
• Refresh: Updates the page with the latest information.

Associated Client VAP Status

Status > Wireless Client Info > Associated Clients > VAP Status

Each AP has 16 Virtual Access Points (VAPs) per radio, and every VAP has a unique MAC address (BSSID). The VAP Associated Client Status page shows information about the VAPs on the managed AP that have associated wireless clients. To disconnect a client from an AP, select the box next to the BSSID and then click Disassociate.
BSSID: Indicates the Ethernet MAC address for the managed AP VAP where this client is associated.
SSID: Indicates the SSID for the managed AP VAP where this client is associated.
AP MAC Address: This field i
39. on configured port forwarding rules. Internal host servers or TCP applications must be specified as being made accessible to remote users. Allowing access to a LAN server requires entering the local server IP address and TCP port number of the application to be tunnelled. The table below lists some common applications and corresponding TCP port numbers.

As a convenience for remote users, the hostname (FQDN) of the network server can be configured to allow for IP address resolution. This host name resolution provides users with easy-to-remember FQDNs to access TCP applications instead of error-prone IP addresses when using the Port Forwarding service through the SSL User Portal. To configure port forwarding, the following are required:
• Local Server IP address: The IP address of the local server which is hosting the application.
• TCP port: The TCP port of the application.
Once the new application is defined, it is displayed in a list of configured applications for port forwarding. To allow users to access the private network servers by using a hostname instead of an IP address, the FQDN corresponding to the IP address is defined in the port forwarding host configuration section:
• Local server IP address: The IP address of the local server hosting the application. The application should be configured in advance.
• Fully qualified domain name: The domain name of the internal server is to be s
40. option allows the user to block access to certain Internet sites. Up to 32 keywords in the site's name (web site URL) can be specified, which will block access to the site. To set up URLs, go to the Approved URLs and Blocked Keywords pages.

[Content Filtering Configuration form: Enable Content Filtering (checked)]

5.8.2 Approved URLs

Advanced > Website Filter > Approved URLs

The Approved URLs list is an acceptance list for all URL domain names. Domains added to this list are allowed in any form. For example, if the domain "yahoo" is added to this list, then all of the following URLs are permitted access from the LAN: www.yahoo.com, yahoo.co.uk, etc. Import/export from a text or CSV file for Approved URLs is also supported.

[Figure 71: Two trusted domains added to the Approved URLs List]
On-screen text: This page displays the approved URLs. Controls: Edit, Delete, Add; Import Approved URLs (Add Approved URLs from File).

5.8.3 Blocked Keywords

Advanced > Website Filter > Blocked Keywords

Keyword blocking allows you to block all website URLs or site content
41. option is set to allow for this firewall rule.

Note: Enabling accepted packet logging through the firewall may generate a significant volume of log messages, depending on the typical network traffic. This is recommended for debugging purposes only.

In addition to network segment logging, unicast and multicast traffic can be logged. Unicast packets have a single destination on the network, whereas broadcast (or multicast) packets are sent to all possible destinations simultaneously. One other useful log control is to log packets that are dropped due to configured bandwidth profiles over a particular interface. This data will indicate to the admin whether the bandwidth profile has to be modified to account for the desired internet traffic of LAN users.

[Figure 112: Log configuration options for traffic through the controller. On-screen text: This page allows the user to configure system-wide log settings. Options: Routing Logs; System Logs; All Unicast Traffic; All Broadcast/Multicast Traffic; FTP Logs; Redirected ICMP Packets; Invalid Packets; Other Events Logs; Bandwidth Limit]

9.5.2 Sendin
42. revealing passwords and other secure information. Administrators with large networks who are using multiple clusters should either use different network names in each cluster or disable this test. Otherwise, if an AP in the first cluster detects APs in the second cluster transmitting the same SSID as APs in the first cluster, then these APs are reported as rogues.
Managed SSID from a fake managed AP: A hacker may set up an AP with the same MAC address as one of the managed APs and configure it to send one of the managed SSIDs. This test checks for a vendor field in the beacons, which is always transmitted by managed APs. If the vendor field is not present, then the AP is identified as a fake AP.
AP without an SSID: SSID is an optional field in beacon frames. To avoid detection, a hacker may set up an AP with the managed network SSID but disable SSID transmission in the beacon frames. The AP would still send probe responses to clients that send probe requests for the managed SSID, fooling the clients into associating with the hacker's AP. This test detects and flags APs that transmit beacons without the SSID field. The test is automatically disabled if any of the radios in the profiles are configured not to send the SSID field, which is not recommended because it does not provide any real security and disables this test.
Fake managed AP on an invalid channel: This test detects rogue APs that transmit beacons from the source MAC address of one of the
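The three AP tests that this item describes in full (managed SSID seen from an unknown BSSID, a managed BSSID whose beacons lack the vendor field, and beacons with no SSID field, the last auto-disabled when a profile hides its SSID) can be expressed as a small classifier over RF-scan beacon records. The block below is an added example written for this page, not D-Link's WIDS implementation; the managed-AP table, the beacon record format and the sample scan are constructed, and the names are this example's own.

```python
"""Rogue AP classification from beacon observations, following the WIDS AP
tests described above. Added illustration, not D-Link code; the managed-AP
table, record format and sample scan are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Beacon:
    """One beacon as reported by an RF scan (constructed record format)."""
    bssid: str
    ssid: Optional[str]   # None when the beacon carries no SSID field
    channel: int
    vendor_ie: bool       # True when the managed-AP vendor field is present


# Constructed managed AP table: BSSID -> SSIDs configured on that AP.
MANAGED_APS = {
    "00:11:22:aa:00:01": {"corp-wifi", "corp-guest"},
    "00:11:22:aa:00:02": {"corp-wifi"},
}


def managed_ssids(managed=MANAGED_APS):
    """All SSIDs served by managed APs."""
    return set().union(*managed.values())


def classify_beacon(b, managed=MANAGED_APS, profiles_broadcast_ssid=True):
    """Return the WIDS AP tests this beacon fails (empty list = not flagged)."""
    flags = []
    bssid = b.bssid.lower()
    if bssid in managed:
        # Managed SSID from a fake managed AP: our BSSID, but no vendor field.
        if not b.vendor_ie:
            flags.append("fake_managed_ap")
    elif b.ssid is not None and b.ssid in managed_ssids(managed):
        # Managed SSID from an unknown AP. The text above notes this test
        # should be disabled where several clusters share network names.
        flags.append("managed_ssid_unknown_ap")
    # AP without an SSID: auto-disabled when any profile hides its SSID,
    # because managed beacons would then trip it too.
    if profiles_broadcast_ssid and b.ssid is None:
        flags.append("ap_without_ssid")
    return flags


def classify_scan(beacons, **kw):
    """Map each flagged BSSID in a scan to its failed tests."""
    result = {}
    for b in beacons:
        flags = classify_beacon(b, **kw)
        if flags:
            result[b.bssid.lower()] = flags
    return result


# Constructed RF scan.
SAMPLE_SCAN = [
    Beacon("00:11:22:aa:00:01", "corp-wifi", 6, True),      # genuine managed AP
    Beacon("00:11:22:AA:00:02", "corp-wifi", 11, False),    # managed BSSID, vendor field missing
    Beacon("66:77:88:99:00:01", "corp-wifi", 1, False),     # foreign AP using the managed SSID
    Beacon("66:77:88:99:00:02", None, 1, False),            # beacon without an SSID field
    Beacon("66:77:88:99:00:03", "neighbor-net", 1, False),  # unrelated neighbour: not flagged
]


if __name__ == "__main__":
    for bssid, flags in classify_scan(SAMPLE_SCAN).items():
        print(bssid, flags)
```

The classifier keys on the lower-cased BSSID so that scan reports with mixed-case MAC addresses still match the managed table; the unrelated neighbour produces no flag, which is the "in the network but not classified as a threat" case item 36 describes.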
43. server from being overloaded, you can limit the number of APs to be upgraded at a time. In the Group Size field, enter the number of APs that can be upgraded at the same time. When one group completes the upgrade, the next group begins the process.
Image Download Type: Type of the image to be downloaded, which can be one of the following:
• All images (img_dwl8600 and img_dwl3600_6600)
• img_dwl8600
• img_dwl3600_6600

Note: To download all images, make sure you specify the file path and file name for both images in the appropriate File Path and File Name fields.

Managed AP: The list shows all the APs that the controller manages. If the controller is the Cluster Controller, then the list shows the APs managed by all controllers in the cluster. Each AP is identified by its MAC address, IP address, and Location in the <MAC, IP, Location> format. To upgrade a single AP, select the AP MAC address from the drop-down list. To upgrade all APs, select All from the top of the list. If All is selected, the Group Size field will limit the number of simultaneous AP upgrades in order not to overwhelm the TFTP server.

[Figure 57: Access Point Software Download. Form fields: Server Address (0.0.0.0); File Path; File Name]
44. that contains the keywords in the configured list. This is lower priority than the Approved URL List, i.e. if the blocked keyword is present in a site allowed by a Trusted Domain in the Approved URL List, then access to that site will be allowed. Import/export from a text or CSV file for keyword blocking is also supported.

[Figure 72: One keyword added to the block list]
On-screen text: You can block access to websites by entering complete URLs or keywords. Keywords prevent access to websites that contain the specified characters in the URLs or the page contents. The table lists all the Blocked Keywords and allows several operations on the keywords. Controls: Block All URL; Blocked Keywords (Status: Enabled); Edit, Enable, Disable, Delete; Import Blocked Keywords.

5.8.4 Export Web Filter

Advanced > Website Filter > Export

Export Approved URLs: This feature enables the user to export the URLs to be allowed to a CSV file, which can then be downloaded to the local host. The user has to click the Export button to get the CSV file.
Export Blocked Keywords: This feature enables the user to export the keywords to be blocked to a CSV fi
45. the ISP; rather, ICMPv6 discover messages will originate from this gateway and will be used for auto-configuration. A third option, to specify the IP address and prefix length of a preferred DHCPv6 server, is available as well.

[Figure 22: IPv6 WAN Setup page (IPV6 OPTION1 CONFIG). On-screen text: This page allows the user to configure IPv6-related WAN1 settings. Form fields: Internet Address (IPv6 Static IP Address); User Name; Password; Authentication Type (Auto-negotiate); DHCPv6 Options (disable dhcpv6); Primary DNS Server; Secondary DNS Server]

Prefix Delegation: Select this option to request a router advertisement prefix from any DHCPv6 servers available on the ISP. The obtained prefix is updated to the advertised prefixes on the LAN side. This option can be selected only in Stateless Address Auto Configuration mode of the DHCPv6 Client.

3.2.7 When IPv6 is of PPPoE type, the following PPPoE fields are enabled:
Username: Enter the username required to log in to the ISP.
Password: Enter the password required to log in to the ISP.
Authentication Type: The type of authentication in use by the profile: Auto-Negotiate, PAP, CHAP, MS-CHAP, or MS-CHAPv2.
DHCPv6 Options: The mode in which the DHCPv6 client will start: disable dhcpv6, stateless dhcpv6, stateful dhcpv6, or stateless dhcpv6 with prefix delegation.
Primary
46. the plan is applied once every 24 hours at the specified time.
• Manual: With the manual channel plan mode, you control and initiate the calculation and assignment of the channel plan. You must manually run the channel plan algorithm and apply the channel plan to the APs.
• Interval: In the interval channel plan mode, the controller periodically calculates and applies the channel plan. You can configure the interval to be from every 6 to every 24 hours. The interval period begins when you click Submit.

[Figure 53: RF configuration. Form fields: Channel Plan (5 GHz 802.11a/n, 2.4 GHz 802.11b/g/n); Channel Plan Mode (Fixed Time, Manual, Interval); Channel Plan History Depth 5 (0 to 10); Channel Plan Interval (6 to 24 Hours); Channel Plan Fixed Time (Hours, Minutes); Power Adjustment Configuration]

Channel Plan History Depth: The channel plan history lists the channels the controller assigns each of the APs it manages after a channel plan is applied. Entries are added to the history regardless of interval time o
47. the radio you select.
Operational Status: This field shows whether the controller is using the automatic channel adjustment algorithm on the AP radios.
Last Iteration: The number in this field indicates the most recent iteration of channel plan adjustments. The APs that received a channel adjustment in previous iterations cannot be assigned new channels in the next iteration, to prevent the same APs from being changed time after time.
Last Algorithm Time: Shows the date and time when the channel plan algorithm last ran.
AP MAC Address / Location / Radio / Iteration / Channel: This table displays the channel assigned to an AP in an iteration of the channel plan.

[Figure 54: Channel Plan History. Fields shown: Channel Plan (5 GHz 802.11a/n, 2.4 GHz 802.11b/g/n); Operational Status: Active; Last Iteration: 0; Last Algorithm Time: Jan 1 00:00:00 1970; List of Iterations: No Channel Plan history entries exist]

RF Management: Manual Channel Plan

Setup > AP Management > RF Management > Manual Channel Plan

If you specify Manual as the Channel Plan Mode on the Configuration tab, the Manual Channel Plan page allows you to initiate the channel plan algorithm. To manually run the channel plan adjustment feature, select the radio to update the channels on (5 GHz or 2.4 GHz) and cli
48. the routing or loopback interface you configure for the controller features.
AP MAC Validation Method: Add the MAC address of the AP to the Valid AP database, which can be kept locally on the controller or in an external RADIUS server. When the controller discovers an AP that is not managed by another controller, it looks up the MAC address of the AP in the Valid AP database. If it finds the MAC address in the database, the controller validates the AP and assumes management. Select the database to use for AP validation and, optionally, for authentication if the Require Authentication Passphrase option is selected.
• Local: If you select this option, you must add the MAC address of each AP to the local Valid AP database.
• RADIUS: If you select this option, you must configure the MAC address of each AP in an external RADIUS server.
Require Authentication Passphrase: Select this option to require APs to be authenticated before they can associate with the controller. If you select this option, you must configure the passphrase on the AP while it is in standalone mode, as well as in the Valid AP database.
RADIUS Authentication Server Name: Enter the name of the RADIUS server used for AP and client authentications. The name can contain up to 32 alphanumeric characters. Spaces, underscores, and dashes are also permitted. The controller acts as the RADIUS client and performs all RADIUS transactions on behalf of the APs and wireless clients.
RADIUS
49. …to the AP itself and manage it by using the Administrator Web User Interface (UI), CLI or SNMP. If you select the Standalone mode, the screen refreshes and different fields appear. For Standalone mode the following fields are enabled: Expected SSID, Expected Channel, Expected WDS Mode, Network Mode, Expected Security Mode and Expected Wired.
- Managed: The AP is part of the D-Link Wireless Controller and you manage it by using the Wireless Controller. If an AP is in Managed Mode, the Administrator Web UI and SNMP services on the AP are disabled.
- Rogue: Select Rogue as the AP mode if you wish to be notified (through an SNMP trap, if enabled) when this AP is detected in the network. Additionally, when this AP is detected through an RF scan, the status is listed as Rogue. If you select the Rogue mode, the screen refreshes and fields that do not apply to this mode are hidden.
Location: To help you identify the AP, you can enter a location. This field accepts up to 32 alphanumeric characters. Authentication Password: You can require that the AP authenticate itself with the controller upon discovery. Use the Edit option and enter the password in this field. The valid password range is between 8 and 63 alphanumeric characters. The password in this field must match the password configured on the AP. Profile: If you configure multiple AP Profiles, you can select the profile to assign to this AP. Expe…
50. …tolerance is set to 70. Now every time a new connection is established, the bandwidth increases. After a certain number of connections (say the bandwidth reached 70% of 1 Kbps), the new connections will be spilled over to the secondary WAN. The maximum value of load tolerance is 80 and the least is 20. Protocol Bindings: Refer to Section 3.4.3 for details. Load balancing is particularly useful when the connection speed of one WAN port greatly differs from another. In this case you can define protocol bindings to route low latency services such as VOIP over the higher speed link and let low volume background traffic such as SMTP go over the lower speed link.
[Figure 24: Load Balancing is available when multiple WAN ports are configured and Protocol Bindings have been defined (screenshot of the Option Mode page: Port Mode, Round Robin, Failure Detection Method)]
Protocol Bindings (Advanced > Routing > Protocol Bindings)
Protocol bindings are required when the Load Balancing feature is in use. Choosing from a list of configured services or any of the user defined servi…
51. …which provides policy based service management, ensuring maximum productivity for your business operations. The failover feature maintains data traffic without disconnecting when a landline connection is lost. The Outbound Load Balancing feature adjusts outgoing traffic across two WAN interfaces and optimizes the system performance, resulting in high availability. The second WAN port can be configured as a DMZ port, allowing you to isolate servers from your LAN.
- Robust VPN features: A fully featured virtual private network (VPN) provides your mobile workers and branch offices with a secure link to your network. The DWC is capable of simultaneously managing 20 Secure Sockets Layer (SSL) VPN tunnels, empowering your mobile users by providing remote access to a central corporate database. Site to site VPN tunnels use IP Security (IPsec) Protocol, Point to Point Tunneling Protocol (PPTP) or Layer 2 Tunneling Protocol (L2TP) to facilitate branch office connectivity through encrypted virtual links. The DWC supports 75 simultaneous IPsec VPN tunnels.
1.1 About this User Manual
This document is a high level manual to allow new D-Link Wireless Controller users to configure connectivity and WLAN configuration, set up VPN tunnels, establish firewall rules and AP management, and perform general administrative tasks. Typical deployment and use case scenarios are described in each section. For more detailed setup instructions and explanations o…
52. …will remain unconnected until a failure is detected on the primary link (either port can be assigned as the primary). In the event of a failure on the primary port, all internet traffic will be rolled over to the backup port. When configured in Auto Failover mode, the link status of the primary WAN port is checked at regular intervals as defined by the failure detection settings. Note that both WAN1 and WAN2 can be configured as the primary internet link.
- Auto Rollover using WAN port
- Primary WAN: Selected WAN is the primary link (WAN1, WAN2)
- Secondary WAN: Selected WAN is the secondary link
Failover Detection Settings: To check connectivity of the primary internet link, one of the following failure detection methods can be selected:
- DNS lookup using WAN DNS Servers: DNS lookup of the DNS servers of the primary link is used to detect primary WAN connectivity.
- DNS lookup using DNS Servers: DNS lookup of custom DNS servers can be specified to check the connectivity of the primary link.
- Ping these IP addresses: These IPs will be pinged at regular intervals to check the connectivity of the primary link.
- Retry Interval is: The number tells the controller how often it should run the above configured failure detection method.
- Failover after: This sets the number of retries after which failover is initiated.
Load Balancing: This feature allows you to use multiple WAN links (and presumably multiple ISPs) simultaneously…
53. [PPPoE WAN configuration screenshot: IP Address, IP Subnet Mask, User Name, Password, Service (Optional), Authentication Type (Auto-negotiate), Reconnect Mode (Always On / On Demand), Maximum Idle Time, Secondary PPPoE, DNS Server Source (Get Dynamically from ISP), Primary/Secondary DNS Server, MAC Address Source (Use Default Address)]
3.2.5 Russia L2TP and PPTP WAN
For Russia L2TP WAN connections, you can choose the address mode of the connection to get an IP address from the ISP or configure a static IP address provided by the ISP. For DHCP client connections, you can choose the MAC address of the controller to register with the ISP. In some cases you may need to clone the LAN host's MAC address if the ISP is registered with that LAN host.
[Figure 21: Russia L2TP ISP configuration (Setup > Internet Settings > Option1; screenshot of the ISP Connection Type page)]
54. (Table of Contents, continued)
6.1 VPN 119
6.2 Configuring IPsec Policies 121
6.2.1 Extended Authentication (XAUTH) 124
6.2.2 Internet over IPsec tunnel 124
6.3 Configuring VPN clients 125
6.4 PPTP / L2TP Tunnels 125
6.4.1 PPTP Tunnel Support 125
6.4.2 L2TP Tunnel Support 127
6.4.3 OpenVPN Support 128
Chapter 7 SSL VPN 131
7.1 Groups and Users 133
7.1.1 Users and Password 139
7.2 Using SSL VPN Policies 140
7.2.1 Using Network Resources 143
7.3 Application Port Forwarding 144
7.4 SSL VPN Client Configuration 146
7.4.1 Creating Portal Layouts …
55. …30 hops (intermediate controllers between this controller and the destination) will be displayed.
9.9.3 DNS Lookup
To retrieve the IP address of a Web, FTP, Mail or any other server on the Internet, type the Internet Name in the text box and click Lookup. If the host or domain entry exists, you will see a response with the IP address. A message stating Unknown Host indicates that the specified Internet Name does not exist.
Note: This feature assumes there is internet access available on the WAN link(s).
9.9.4 Router Options
The static and dynamic routes configured on this controller can be shown by clicking Display for the corresponding routing table. Clicking the Packet Trace button will allow the controller to capture and display traffic through the DWC-1000 between the LAN and WAN interface as well. This information is often very useful in debugging traffic and routing issues.
9.10 License (Tools > License)
You can activate AP6 and VPN licenses in this controller by providing a valid Activation Key and clicking Activate Key. After activating the AP6 license, you should be able to manage 6 more APs. The VPN license activates the VPN functionality on the DWC-1000 device.
[Figure 120: Install License (screenshot of the Licenses page: List of Available Licenses)]
56. [Screenshot residue: table of active TCP connections from 97.0.0.5 to 97.0.0.2:443, all in TIME_WAIT state; Refresh button]
4.3.2 LAN Clients (Status > LAN Client Info > LAN Clients)
The LAN clients to the controller are identified by an ARP scan through the LAN switch. The NetBIOS name (if available), IP address and MAC address of discovered LAN hosts are displayed.
[Figure 35: List of LAN hosts (screenshot of the LAN Clients page: IP Address, MAC Address)]
4.3.3 Active VPN Tunnels (Status > Active VPNs)
You can view and change the status (connect or drop) of the controller's IPsec security associations. Here the active IPsec SAs (security associations) are listed along with the traffic details and tunnel state. The traffic is a cumulative measure of transmitted/received packets since the tunnel was established. If a VPN policy state is "IPsec SA Not Established", it can be enabled by clicking the Connect button of the corresponding policy. The Active IPsec SAs table displays a…
57. …AP, which is set in the Valid AP database. Radio Interface: Identifies the radio. Old Power: Shows the earlier power level for the AP. New Power: Shows the proposed power level for the AP. This page includes the following button:
- Start: To initiate the power adjustment algorithm.
[Figure 56: Manual Power Adjustment Plan (screenshot: Power Adjustment Algorithm, Current Status: None; Proposed Power Adjustments table with AP MAC Address, Location, Radio Interface, Old Power, New Power; no proposed power adjustment entries exist)]
Access Point Software Download (Setup > AP Management > Software Download)
The wireless controller can upgrade software on the APs that it manages. Server Address: Enter the IP address of the host where the upgrade file is located. The host must have a TFTP server installed and running. File Path: Enter the file path on the TFTP server where the software is located. You may enter up to 96 characters. File Name: Enter the name of the upgrade file. You may enter up to 32 characters, and the file extension .tar must be included. Group Size: When you upgrade multiple APs, each AP contacts the TFTP server to download the upgrade file. To prevent the TFTP…
58. After configuring more than one WAN port, the load balancing option is available to carry traffic over more than one link. Protocol bindings are used to segregate and assign services over one WAN port in order to manage internet flow. The configured failure detection method is used at regular intervals on all configured WAN ports when in Load Balancing mode. The DWC-1000 currently supports three algorithms for Load Balancing.
Round Robin: This algorithm is particularly useful when the connection speed of one WAN port greatly differs from another. In this case you can define protocol bindings to route low latency services such as VOIP over the higher speed link and let low volume background traffic such as SMTP go over the lower speed link. Protocol binding is explained in the next section.
Spill Over: If the Spill Over method is selected, WAN1 acts as a dedicated link till a threshold is reached. After this, WAN2 will be used for new connections. You can configure spill over mode by using the following options:
- Load Tolerance: It is the percentage of bandwidth after which the controller switches to the secondary WAN.
- Max Bandwidth: This sets the maximum bandwidth tolerable by the primary WAN. If the link bandwidth goes above the load tolerance value of max bandwidth, the controller will spill over the next connections to the secondary WAN.
For example, if the maximum bandwidth of the primary WAN is 1 Kbps and the load…
59. …Authentication Server Configured: Indicates whether the RADIUS authentication server is configured. RADIUS Accounting Server Name: Enter the name of the RADIUS server used for reporting wireless client associations and disassociations. The name can contain up to 32 alphanumeric characters; spaces, underscores and dashes are also permitted. RADIUS Accounting Server Configured: Indicates whether the RADIUS accounting server is configured. RADIUS Accounting: Select this option to enable RADIUS accounting for wireless clients. Country Code: Select the country code that represents the country where your controller and APs operate. When you click Submit, a pop-up message asks you to confirm the change. Wireless regulations vary from country to country. Make sure you select the correct country code so that your WLAN system complies with the regulations in your country.
2.6.1 Wireless Discovery configuration
The wireless controller can discover, validate, authenticate or monitor the following system devices:
- Peer wireless controllers
- APs
- Wireless clients
- Rogue APs
- Rogue wireless clients
Setup > AP Management > Poll List
The wireless controller can discover peer wireless controllers and APs regardless of whether these devices are connected to each other, located in the same Layer 2 broadcast domain, or attached to different IP subnets. In order for the controller to discover other…
60. …Client wishes to access the LAN network, then in SPLIT Tunnel mode you should add the LAN subnet as the Destination Network.
[SSL VPN Client Route Configuration screenshot: Destination Network, Subnet Mask]
7.4.1 Creating Portal Layouts (Setup > VPN Settings > SSL VPN Server > Portal Layouts)
The controller allows you to create a custom page for remote SSL VPN users that is presented upon authentication. There are various fields in the portal that are customizable for the domain, and this allows the controller administrator to communicate details such as login instructions, available services and other usage details in the portal visible to remote users. During domain setup, configured portal layouts are available to select for all users authenticated by the domain.
Note: The default portal LAN IP address is https://192.168.10.1/scgi-bin/userPortal/portal. This is the same page that opens when the User Portal link is clicked on the SSL VPN menu of the controller GUI.
The controller administrator creates and edits portal layouts from the configuration pages in the SSL VPN menu. The portal name, title, banner name and banner contents are all customizable to the intended users for this portal. The portal name is appended to the SSL VPN portal URL. As well, the users assigned to this portal through their authenticatio…
61. …Client to Client communication: Enable this to allow OpenVPN clients to communicate with each other in the split tunnel case. Disabled by default.
- Upload Access Server Client Configuration: The user has to download the auto login profile and upload it here to connect this controller to the OpenVPN Access Server.
- Certificates: Select the set of certificates the OpenVPN server uses. First Row: Set of certificates and keys the server uses. Second Row: Set of certificates and keys newly uploaded.
- Enable TLS Authentication Key: Enabling this adds TLS authentication, which adds an additional layer of authentication. Can be checked only when the TLS key is uploaded. Disabled by default.
Click Save Settings to save the settings.
[Figure 86: OpenVPN configuration (screenshot shows Mode: Server, Port: 1194 (Default 1194), Tunnel Protocol: UDP, Encryption Algorithm: BF-CBC, Hash Algorithm: SHA1, Tunnel Type: Full Tunnel, Enable Client to Client Communication, Upload Access Server Client Configuration, Certificates table with CA Subject, Server/Client Cert Name and Subject Name)]
Chapter 7 SSL VPN
The controller provides an intrinsic SSL VPN feature as an alternate to the standard…
62. …DDNS provider such as DynDNS.com, DlinkDDNS.com or Oray.net.
[Dynamic DNS configuration screenshot: Option Mode (Use only single Option port: Option1), DDNS Status, Select the Dynamic DNS Service, Host and Domain Name, User Name]
9.9 Using Diagnostic Tools (Tools > System Check)
The controller has built in tools to allow an administrator to evaluate the communication status and overall network health.
[Figure 119: Controller diagnostics tools available in the GUI (System Check page: Ping or Trace an IP Address, Perform a DNS Lookup (Internet Name), Router Options: Display the IPv4 Routing Table / Display the IPv6 Routing Table, Capture Packets: Packet Trace)]
9.9.1 Ping
This utility can be used to test connectivity between this controller and another device on the network connected to this controller. Enter an IP address and click PING. The command output will appear, indicating the ICMP echo request status.
9.9.2 Trace Route
This utility will display all the controllers present between the destination IP address and this controller. Up to…
63. …RADIUS Valid AP database. This test may detect network misconfiguration as well as potential intrusion attempts. The following parameters are checked:
- Channel Number
- SSID
- Security Mode
- WDS Mode
- Presence on a wired network
Unexpected WDS device detected on network: If the AP is classified as a Managed or Unknown AP and wireless distribution system (WDS) traffic is detected on the AP, then the AP is considered to be Rogue. Only stand alone APs that are explicitly allowed to operate in WDS mode are not reported as rogues by this test.
Unmanaged AP detected on wired network: This test checks whether the AP is detected on the wired network. If the AP state is Unknown, then the test changes the AP state to Rogue. The flag indicating whether the AP is detected on the wired network is reported as part of the RF Scan report. If the AP is managed and is detected on the network, then the controller simply reports this fact and doesn't change the AP state to Rogue. In order for the wireless system to detect this threat, the wireless network must contain one or more radios that operate in sentry mode.
Rogue Detected Trap Interval: Specify the interval, in seconds, between transmissions of the SNMP trap telling the administrator that rogue APs are present in the RF Scan database. If you set the value to 0, the trap is never sent.
Wired Network Detection Interval: Specify the number of seconds that the AP waits before starting a new wired net…
64. …DNS Server: Enter a valid primary DNS Server IP Address. Secondary DNS Server: Enter a valid secondary DNS Server IP Address. Click Save Settings to save your changes.
Checking WAN Status (Setup > Internet Settings > WAN1 Status)
The status and summary of configured settings for both WAN1 and WAN2 are available on the WAN Status page. You can view the following key connection status information for each WAN port:
- Connection time: The connection uptime.
- Connection type: Dynamic IP or Static IP.
- Connection state: This is whether the WAN is connected or disconnected to an ISP. The Link State is whether the physical WAN connection is in place; the Link State can be UP (i.e. cable inserted) while the WAN Connection State is down.
- IP address, subnet mask: IP Address assigned.
- Gateway IP address: WAN Gateway Address.
[Figure 23: Connection Status information of Option1 (screenshot of the Option1 Status page: the page provides current information regarding the WAN1 interface, and a user can enable or disable the Internet connection from this page; IPv4 and IPv6 address, MAC address, link state, connection type and connection state)]
65. [Firewall Rules list screenshot residue: Enable, Disable, Delete, Move To First, Move]
5.2 Defining Rule Schedules (Tools > Schedules)
Firewall rules can be enabled or disabled automatically if they are associated with a configured schedule. The schedule configuration page allows you to define days of the week and the time of day for a new schedule, and then this schedule can be selected in the firewall rule configuration page.
Note: All schedules will follow the time in the controller's configured time zone. Refer to the section on choosing your Time Zone and configuring NTP servers for more information.
[Figure 62: List of Available Schedules to bind to a firewall rule (Schedules page: when you create a firewall rule you can specify a schedule when the rule applies; the table lists all Available Schedules for this device with Name, Days, Start Time, End Time, and allows Edit and Delete operations)]
5.3 Configuring Firewall Rules (Advanced > Firewall Settings > Firewall Rules)
All configured firewall rules on the controller are displayed in the Firewall Rules list. This list also indicates whether the rule is enabled (active) or not and gives…
66. Figure 118 Dynamic DNS configuration 175
Figure 119 Controller diagnostics tools available in the GUI 176
Figure 120 Install License 177
Figure 121 After activating the License 177
Chapter 1 Introduction
The D-Link Wireless Controller (DWC), DWC-1000, is a full featured wireless LAN controller designed for small network environments. The centralized control function contains various access point management functions such as fast roaming, inter subnet roaming, automatic channel and power adjustment, self healing, etc. The advanced wireless security function, including rogue AP detection, captive portal and wireless intrusion detection system (WIDS), offers strong wireless network protection, avoiding attacks from hackers. Optimal network security is provided via features such as virtual private network (VPN) tunnels: IP Security (IPsec), Point to Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP) and Secure Sockets Layer (SSL). Empower your road warriors with clientless remote access anywhere and anytime using SSL VPN tunnels.
- Comprehensive Management Capabilities: The DWC includes dual WAN Gigabit Ethernet…
67. …AGAINST CUSTOMER FOR LOSSES OR DAMAGES. D-LINK WILL IN NO EVENT BE LIABLE FOR ANY DAMAGES IN EXCESS OF THE AMOUNT D-LINK RECEIVED FROM THE END USER FOR THE PRODUCT.
Wireless Controller User Manual
Table of Contents
Chapter 1 Introduction 9
1.1 About this User Manual 9
1.2 Typographical Conventions 10
Chapter 2 Configuring Your Network 11
2.1 LAN Configuration 11
2.1.1 LAN Configuration in an IPv6 Network 14
2.1.2 Configuring IPv6 Router Advertisements 17
2.2 VLAN Configuration 19
2.2.1 Associating VLANs to ports 20
2.3 Configurable Port: DMZ Setup 22
2.4 Universal Plug and Play (UPnP) 23
2.5 Captive Portals 25
2.6 WLAN global configuration 25
2.6.1 Wireless Discovery …
68. [Detected Client Pre-Authentication History screenshot: No preauthentication history entries to display; Refresh button]
This page includes the following button:
- Refresh: Updates the page with the latest information.
Detected Client Roam History (Status > Wireless Client Info > Roam History)
The wireless system keeps a record of clients as they roam from one managed AP to another managed AP. MAC Address: MAC address of the detected client. AP MAC Address: MAC address of the managed AP to which the client authenticated. Radio Interface Number: Radio number to which the client is authenticated. VAP MAC Address: VAP MAC address to which the client roamed. SSID: SSID name used by the VAP. New Authentication: A flag indicating whether the history entry represents a new authentication or a roam event. Age: Time since the history entry was added.
[Figure 50: Detected Client Roam History (screenshot: Detected Client MAC Address; List of Detected Clients Roam History with AP MAC Address, Radio, VAP MAC Address, SSID, New Authentication, Time Since Event)]
69. …Controller Configuration Receive Status (Global Info > Config Receive Status)
The Peer Controller Configuration feature allows you to send the critical wireless configuration from one controller to all other controllers. In addition to keeping the controllers synchronized, this function enables the administrator to manage all wireless controllers in the cluster from one controller. The Peer Controller Configuration Received Status page provides information about the configuration a controller has received from one of its peers.
Current Receive Status: Indicates the global status when wireless configuration is received from a peer controller. The possible status values are as follows:
- Not Started
- Receiving Configuration
- Saving Configuration
- Applying AP Profile Configuration
- Success
- Failure: Invalid Code Version
- Failure: Invalid Hardware Version
- Failure: Invalid Configuration
Last Configuration Received: Peer controller IP Address indicates the last controller from which this controller received any wireless configuration data. Configuration: Indicates which portions of configuration were last received from a peer controller, which can be one or more of the following:
- Global
- Discovery
- Channel/Power
- AP Database
- AP Profiles
- Known Client
- Captive Portal
- RADIUS Client
- QoS ACL
- QoS DiffServ
If the controller has not received any configuration…
70. …CLI login credentials are shared with the GUI for administrator users. To access the CLI, type cli in the SSH or console prompt and log in with administrator user credentials.
9.3 SNMP Configuration (Tools > Admin > SNMP)
SNMP is an additional management tool that is useful when multiple controllers in a network are being managed by a central Master system. When an external SNMP manager is provided with this controller's Management Information Base (MIB) file, the manager can update the controller's hierarchical variables to view or update configuration parameters. The controller, as a managed device, has an SNMP agent that allows the MIB configuration variables to be accessed by the Master (the SNMP manager). The Access Control List on the controller identifies managers in the network that have read only or read/write SNMP credentials. The Traps List outlines the port over which notifications from this controller are provided to the SNMP community (managers) and also the SNMP version (v1, v2c, v3) for the trap.
[Figure 108: SNMP Users, Traps and Access Control (screenshot of the SNMP page under Tools > Admin: Simple Network Management Protocol lets you monitor and manage your router from an SNMP manager; SNMP provides a remote means to monitor and control network devices and to manage configurations, statistics collection, performance and security)]
71. [Associated Clients Statistics screenshot (Status > Global Info > Device Info > Access Point Info > LAN Clients Info > Wireless Client Info): MAC Address, Packets Transmitted, Bytes Transmitted; Refresh and Details buttons]
This page includes the following buttons:
- Refresh: Updates the page with the latest information.
- View Details: Shows the detailed status of the associated client.
Chapter 5 Securing the Private Network
5.1
You can secure your network by creating and applying rules that your controller uses to selectively block and allow inbound and outbound Internet traffic. You then specify how and to whom the rules apply. To do so, you must define the following:
- Services or traffic types (examples: web browsing, VoIP, other standard services and also custom services that you define)
- Direction for the traffic, by specifying the source and destination of traffic; this is done by specifying the From Zone (LAN, WAN, DMZ) and To Zone (LAN, WAN, DMZ)
- Schedules as to when the controller should apply rules
- Any Keywords in a domain name or on a URL of a web page that the controller should allow or block
- Rules for allowing or blocking inbound and outbound Internet traffic for specified services on specified schedules
- MAC addresses of devices t…
72. [Access Point Summary screenshot (Access Point Info, LAN Clients Info): table with MAC Address, IP Address, Age, Status, Radio, Channel; one entry with Status: No Database Entry, Radio: N/A; buttons Delete All, Acknowledge, View Details, Refresh, Manage]
MAC Address: Shows the MAC address of the access point. IP Address: The network address of the access point. Age: Shows how much time has passed since the AP was last detected and the information was last updated. Status: Shows the access point status:
- Managed: The AP profile configuration has been applied to the AP and it's operating in managed mode.
- No Database Entry: The MAC address of the AP does not appear in the local or RADIUS Valid AP database.
- Authentication Failed AP: The AP failed to be authenticated by the controller or RADIUS server, since the AP is not configured as a valid AP with the correct local or RADIUS authentication information.
- Failed: The controller lost contact with the AP; a failed entry will remain in the managed AP database unless you remove it. Note that a managed AP will temporarily show a failed status during a reset.
- Rogue: The AP has not attempted to contact the controller and the MAC address of the AP is not in the Valid AP database.
Radio: Shows the wireless radio mode the AP is using. Channel: Shows the operating channel for the radio. This page inclu…
73. [Screenshot: PPTP/L2TP WAN settings (Username, Password, Dynamic IP / Static IP with IP address, subnet mask and gateway, Always On / On Demand, Domain Name System (DNS) Servers, DNS Server Source: Get Dynamically from ISP)]

3.2.6 WAN Configuration in an IPv6 Network

Advanced > IPv6 > IPv6 Option Config

For IPv6 WAN connections, this controller can have a static IPv6 address or receive connection information when configured as a DHCPv6 client. In the case where the ISP assigns you a fixed address to access the internet, the static configuration settings must be completed. In addition to the IPv6 address assigned to your controller, the IPv6 prefix length defined by the ISP is needed. The default IPv6 Gateway address is the server at the ISP that this controller will connect to for accessing the internet. The primary and secondary DNS servers on the ISP's IPv6 network are used for resolving internet addresses, and these are provided along with the static IP address and prefix length from the ISP.

When the ISP allows you to obtain the WAN IP settings via DHCP, you need to provide details for the DHCPv6 client configuration. The DHCPv6 client on the gateway can be either stateless or stateful. If a stateful client is selected, the gateway will connect to the ISP's DHCPv6 server for a leased address. For stateless DHCP there need not be a DHCPv6 server available at
74. [Screenshot: License activation page (Tools > License): Licence Model, Activation Code, Expires, with an Activate button; after activation the page reports that license activation succeeded and asks for a reboot]

Figure 121: After activating the License

Appendix A: Glossary

- ARP (Address Resolution Protocol): Broadcast protocol for mapping IP addresses to MAC addresses.
- CHAP (Challenge Handshake Authentication Protocol): Protocol for authenticating users to an ISP.
- Dynamic DNS: System for updating domain names in real time. Allows a domain name to be assigned to a device with a dynamic IP address.
- DHCP (Dynamic Host Configuration Protocol): Protocol for allocating IP addresses dynamically so that addresses can be reused when hosts no longer need them.
- Domain Name System: Mechanism for translating H.323 IDs, URLs or e-mail IDs into IP addresses. Also used to assist in locating remote gatekeepers and to map IP addresses to hostnames of administrative domains.
- Fully qualified domain name: Complete domain name including the host portion. Example: serverA.companyA.com
- FTP (File Transfer Protocol): Protocol for transferring files between network nodes.
- HTTP (Hypertext Transfer Protocol): Protocol used by web browsers and web servers to transfe
75. [Screenshot: AP software download page (Group Size: 1 to 6, Image Download Type: All images)]

Local OUI Database Summary

Setup > AP Management > Local OUI Database

To help identify AP and wireless client adapter manufacturers detected in the wireless network, the wireless controller contains a database of registered Organizationally Unique Identifiers (OUIs). This is a read-only list with over 10,000 registrations. From the Local OUI Database Summary page, you can enter up to 64 user-defined OUIs. The local list is searched first, so the same OUI can be located in the local list as well as the read-only list.

- OUI Value: Enter the OUI that represents the company ID in the format XX:XX:XX, where XX is a hexadecimal number between 00 and FF. The first three bytes of the MAC address represent the company ID assignment.

Note: The first byte of the OUI must have the least significant bit set to 0. For example, 02:FF:FF is a valid OUI but 03:FF:FF is not.

- OUI Description: Enter the organization name associated with the OUI. The name can be up to 32 alphanumeric characters.

Figure 58: Local OUI Database

[Screenshot: Local OUI Database Summary page; the page reports that no entries currently exist in the Local OUI Database]
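As an added example (not code from the D-Link manual or the controller), the two validation rules for a user-defined OUI and the lookup order (local list first, then the read-only registry) can be written out as follows. The tiny read-only registry, the sample MACs and the assumption that an OUI description may contain spaces are all constructed for illustration; the controller's real registry has over 10,000 entries.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed stand-in for the controller's read-only OUI registry
# (illustrative entries only, not the real registry).
READ_ONLY_OUI_DB: Dict[str, str] = {
    "00:50:56": "VMware Inc",
    "00:1B:11": "D-Link Corporation",
}
LOCAL_OUI_LIMIT = 64                      # the manual's limit on user-defined OUIs
_OUI_RE = re.compile(r"^[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}$")
_DESC_RE = re.compile(r"^[A-Za-z0-9 ]{1,32}$")  # assumption: spaces are allowed


def validate_oui(oui: str) -> str:
    """Return the OUI normalised to upper-case XX:XX:XX, or raise ValueError.

    Two checks from the manual: the XX:XX:XX hex format, and the first
    byte's least significant bit must be 0 (02:FF:FF accepted, 03:FF:FF
    rejected). That bit is the I/G bit of a MAC address, so a set bit
    would denote a group (multicast) address rather than a vendor prefix.
    """
    if not _OUI_RE.match(oui):
        raise ValueError(f"OUI must be XX:XX:XX hex bytes, got {oui!r}")
    if int(oui[:2], 16) & 0x01:
        raise ValueError(f"first byte must have its LSB clear, got {oui!r}")
    return oui.upper()


def is_valid_oui(oui: str) -> bool:
    try:
        validate_oui(oui)
        return True
    except ValueError:
        return False


def validate_description(desc: str) -> str:
    """Organisation name: up to 32 alphanumeric characters."""
    if not _DESC_RE.match(desc):
        raise ValueError("description must be 1-32 alphanumeric characters")
    return desc


class LocalOuiDatabase:
    """Up to 64 user-defined OUIs, searched before the read-only registry."""

    def __init__(self) -> None:
        self._entries: Dict[str, str] = {}

    def add(self, oui: str, description: str) -> str:
        key = validate_oui(oui)
        desc = validate_description(description)
        if key not in self._entries and len(self._entries) >= LOCAL_OUI_LIMIT:
            raise ValueError(f"local OUI list is full ({LOCAL_OUI_LIMIT} entries)")
        self._entries[key] = desc
        return key

    def lookup(self, mac: str) -> Optional[Tuple[str, str]]:
        """Resolve a MAC to (source, organisation); the local list wins on overlap."""
        prefix = mac.replace("-", ":").upper()[:8]
        if not _OUI_RE.match(prefix):
            raise ValueError(f"cannot extract an OUI from {mac!r}")
        if prefix in self._entries:
            return ("local", self._entries[prefix])
        if prefix in READ_ONLY_OUI_DB:
            return ("registry", READ_ONLY_OUI_DB[prefix])
        return None
```

Because the local list is consulted first, an operator can override a registry name for a prefix (for instance to label the site's own APs), which is exactly the overlap behaviour the page describes.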
76. User Manual: Wireless Controller. D-Link Corporation. Copyright 2011. http://www.dlink.com

Wireless Controller User Manual. User Manual, DWC-1000 Wireless Controller, Version 1.3. Copyright 2011.

Copyright Notice: This publication, including all photographs, illustrations and software, is protected under international copyright laws, with all rights reserved. Neither this manual nor any of the material contained herein may be reproduced without written consent of the author.

Disclaimer: The information in this document is subject to change without notice. The manufacturer makes no representations or warranties with respect to the contents hereof and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose. The manufacturer reserves the right to revise this publication and to make changes from time to time in the content hereof without obligation of the manufacturer to notify any person of such revision or changes.

Limitations of Liability: UNDER NO CIRCUMSTANCES SHALL D-LINK OR ITS SUPPLIERS BE LIABLE FOR DAMAGES OF ANY CHARACTER (E.G. DAMAGES FOR LOSS OF PROFIT, SOFTWARE RESTORATION, WORK STOPPAGE, LOSS OF SAVED DATA OR ANY OTHER COMMERCIAL DAMAGES OR LOSSES) RESULTING FROM THE APPLICATION OR IMPROPER USE OF THE D-LINK PRODUCT OR FAILURE OF THE PRODUCT, EVEN IF D-LINK IS INFORMED OF THE POSSIBILITY OF SUCH DAMAGES. FURTHERMORE, D-LINK WILL NOT BE LIABLE FOR THIRD PARTY CLAIMS A
77. When disabled, all DHCP clients receive the DNS IP addresses of the ISP.

To configure LAN connectivity, please follow the steps below:

1. In the LAN Setup page, enter the following information for your controller:
   - IP address (factory default: 192.168.10.1)
   Note: If you change the IP address and click Save Settings, the GUI will not respond. Open a new connection to the new IP address and log in again. Be sure the LAN host (the machine used to manage the controller) has obtained an IP address from the newly assigned pool, or has a static IP address in the controller's LAN subnet, before accessing the controller via the changed IP address.
   - Subnet mask (factory default: 255.255.255.0)
2. In the DHCP section, select the DHCP mode:
   - None: the controller's DHCP server is disabled for the LAN.
   - DHCP Server: With this option, the controller assigns an IP address within the specified range, plus additional specified information, to any LAN device that requests DHCP-served addresses.
   - DHCP Relay: With this option enabled, DHCP clients on the LAN can receive IP address leases and corresponding information from a DHCP server on a different subnet. Specify the Relay Gateway, and when LAN clients make a DHCP request it will be passed along to the server accessible via the Relay Gateway IP address.

If DHCP is being enabled, enter the following DHCP server parameters:
   - Starting and Ending IP Addresses: Enter the first
78. Z IP address 192.168.12.222. Access to Web server: simulated public IP address 10.1.0.52.

Example 4: Block traffic by schedule if generated from a specific range of machines

Use Case: Block all HTTP traffic on the weekends if the request originates from a specific group of machines in the LAN having a known range of IP addresses, and anyone coming in through the network from the WAN (i.e. all remote users).

Configuration:
1. Set up a schedule. To set up a schedule that affects traffic on weekends only, navigate to Security Schedule and name the schedule "Weekend". Define weekend to mean 12 am Saturday morning to 12 am Monday morning (all day Saturday and Sunday).
   - In the Scheduled days box, check that you want the schedule to be active for specific days. Select Saturday and Sunday.
   - In the scheduled time of day, select "all day"; this will apply the schedule between 12 am and 11:59 pm of the selected day.
   - Click Apply. Now the schedule "Weekend" isolates all day Saturday and Sunday from the rest of the week.

Figure 65: Schedule configuration for the above example

[Screenshot: Schedule Configuration page; this page allows the user to configure schedules, which can then be applied to firewall rules to achieve schedule-based firewall rules]
79. Firmware Upgrade Notification Options

This controller also supports an automated notification to determine if a newer firmware version is available for this controller. By clicking the Check Now button in the notification section, the controller will check a D-Link server to see if a newer firmware version for this controller is available for download, and update the Status field below.

9.8 Dynamic DNS Setup

Tools > Dynamic DNS

Dynamic DNS (DDNS) is an Internet service that allows controllers with varying public IP addresses to be located using Internet domain names. To use DDNS you must set up an account with a DDNS provider such as DynDNS.org, D-Link DDNS or Oray.net. Each configured WAN can have a different DDNS service if required. Once configured, the controller will update the DDNS service with changes in the WAN IP address, so that features that depend on accessing the controller WAN via FQDN will be directed to the correct IP address. When you set up an account with a DDNS service, the host and domain name, username, password and wildcard support will be provided by the account provider.

Figure 118: Dynamic DNS configuration

[Screenshot: Dynamic DNS page; the page text repeats the DDNS description above]
80. a summary of the From/To zone as well as the services or users that the rule affects.

To create a new firewall rule, follow the steps below:
1. View the existing rules in the List of Available Firewall Rules table. To edit or add an outbound or inbound services rule, do the following:
   - To edit a rule, click the checkbox next to the rule and click Edit to reach that rule's configuration page.
   - To add a new rule, click Add to be taken to a new rule's configuration page. Once created, the new rule is automatically added to the original table.
2. Choose the From Zone to be the source of originating traffic: either the secure LAN, public DMZ, or insecure WAN. For an inbound rule, WAN should be selected as the From Zone.
3. Choose the To Zone to be the destination of traffic covered by this rule. If the From Zone is the WAN, the To Zone can be the public DMZ or secure LAN. Similarly, if the From Zone is the LAN, then the To Zone can be the public DMZ or insecure WAN.
4. Parameters that define the firewall rule include the following:
   - Service: ANY means all traffic is affected by this rule. For a specific service, the drop-down list has common services, or you can select a custom-defined service.
   - Action & Schedule: Select one of the 4 actions that this rule defines: BLOCK always, ALLOW always, BLOCK by schedule otherwise ALLOW, or ALLOW by schedule otherwise BLOCK. A schedule must
81. a Dynamic Host Configuration Protocol (DHCP) server to the hosts on the WLAN or LAN network. With DHCP, PCs and other LAN devices can be assigned IP addresses as well as addresses for DNS servers, Windows Internet Name Service (WINS) servers, and the default gateway. With the DHCP server enabled, the controller's IP address serves as the gateway address for LAN and WLAN clients. The PCs in the LAN are assigned IP addresses from a pool of addresses specified in this procedure. Each pool address is tested before it is assigned, to avoid duplicate addresses on the LAN.

For most applications, the default DHCP and TCP/IP settings are satisfactory. If you want another PC on your network to be the DHCP server, or if you are manually configuring the network settings of all of your PCs, set the DHCP mode to None. DHCP Relay can be used to forward DHCP lease information from another LAN device that is the network's DHCP server; this is particularly useful for wireless clients.

Instead of using a DNS server, you can use a Windows Internet Naming Service (WINS) server. A WINS server is the equivalent of a DNS server but uses the NetBIOS protocol to resolve hostnames. The controller includes the WINS server IP address in the DHCP configuration when acknowledging a DHCP request from a DHCP client.

You can also enable DNS proxy for the LAN. When this is enabled, the controller acts as a proxy for all DNS requests and communicates with the ISP's DNS servers
82. [Screenshot: LAN Setup page, which allows you to configure the LAN interface of the router including the DHCP server that runs on it. LAN TCP/IP Setup: IP Address 192.168.10.1, Subnet Mask 255.255.255.0; DHCP Mode: DHCP Server; Starting IP Address 192.168.10.100; Ending IP Address 192.168.10.254; Default Gateway (Optional); Primary DNS Server; Secondary DNS Server; Domain Name: DLink; WINS Server; Lease Time: 24]

2.1.1 LAN Configuration in an IPv6 Network

Advanced > IPv6 > IPv6 LAN > IPv6 LAN Config

In IPv6 mode, the LAN DHCP server is enabled by default (similar to IPv4 mode). The DHCPv6 server will serve IPv6 addresses from configured address pools with the IPv6 Prefix Length assigned to the LAN.

Note: IPv4/IPv6 mode must be enabled in Advanced > IPv6 > Routing mode to enable the IPv6 configuration options.

LAN Settings: The default IPv6 LAN address for the router is fec0::1. You can change this 128-bit IPv6 address based on your network requirements. The other field that defines the LAN settings for the router is the prefix length. The IPv6 network (subnet) is identified by the initial bits of the address, called the prefix. By default this is 64 bits long. All hosts in the network have common initial bits for their IPv6 address; the number of common initial bits in the network
83. amic DNS name can be used.

Outbound (LAN/DMZ to WAN) rules restrict access to traffic leaving your network, selectively allowing only specific local users to access specific outside resources. The default outbound rule is to allow access from the secure zone (LAN) to either the public DMZ or insecure WAN. On the other hand, the default outbound rule is to deny access from the DMZ to the insecure WAN. You can change this default behaviour in the Firewall Settings > Default Outbound Policy page. When the default outbound policy is "allow always", you can block hosts on the LAN from accessing internet services by creating an outbound firewall rule for each service.

Figure 61: List of Available Firewall Rules

[Screenshot: Firewall Rules page. A firewall is a security mechanism to selectively block or allow certain types of traffic in accordance with rules specified by network administrators. You can use this page to manage the firewall rules that control traffic to and from your network. The List of Available Firewall Rules table includes all firewall rules for this device and allows several operations on them (Edit, Enable, and so on); columns: From Zone, To Zone, Service, Local Hosts, Internet Server, Dest, Log, Action]
84. ased on logon times, click Idle Timeout and enter the time in minutes to wait before disconnecting in the Idle Time field.
- My IP Address: Enter the IP address assigned to you by the ISP.
- Server IP Address: Enter the IP address of the PPTP or L2TP server.

3.2.1 WAN Port IP address

Your ISP assigns you an IP address that is either dynamic (newly generated each time you log in) or static (permanent). The IP Address Source option allows you to define whether the address is statically provided by the ISP or should be received dynamically at each login. If static, enter your IP address, IPv4 subnet mask, and the ISP gateway's IP address. PPTP and L2TP ISPs can also provide a static IP address and subnet to configure; however, the default is to receive that information dynamically from the ISP.

3.2.2 WAN DNS Servers

The IP addresses of WAN Domain Name Servers (DNS) are typically provided dynamically from the ISP, but in some cases you can define the static IP addresses of the DNS servers. DNS servers map Internet domain names (example: www.google.com) to IP addresses. Click to indicate whether to get DNS server addresses automatically from your ISP or to use ISP-specified addresses. If the latter, enter addresses for the primary and secondary DNS servers. To avoid connectivity problems, ensure that you enter the addresses correctly.

3.2.3 DHCP WAN

For DHCP client connections you can choos
85. ave this response option enabled as needed.

Once the e-mail server and recipient details are defined, you can determine when the controller should send out logs. E-mail logs can be sent out based on a defined schedule by first choosing the unit, i.e. the frequency of sending logs: Hourly, Daily or Weekly. Selecting Never will disable log e-mails but will preserve the e-mail server settings.

Figure 113: E-mail configuration as a Remote Logging option

[Screenshot: Remote Logging Configuration page (Tools > Log Settings), which allows the user to configure the remote logging options for the router. Log Options: Enable E-Mail Logs; E-Mail Server Address; SMTP Port; Return E-Mail Address; Send to E-Mail Address 1, 2, 3; Authentication with SMTP Server (User Name, Password); Respond to Identd from SMTP Server; Send E-mail logs by Schedule]

An external Syslog server is often used by network administrators to collect and store logs from the controller. This remote device typically has fewer memory constraints than the local Event Viewer on the controller GUI, and thus can collect a considerable number of logs over a sustained period. This is typically very useful for debugging network issues or to monitor controller
86. be preconfigured in order for it to be available in the drop-down list to assign to this rule.
   - Source & Destination users: For each relevant category, select the users to which the rule applies:
     - Any (all users)
     - Single Address (enter an IP address)
     - Address Range (enter the appropriate IP address range)
   - Log: Traffic that is filtered by this rule can be logged; this requires configuring the controller's logging feature separately.
   - QoS Priority: Outbound rules (where To Zone = insecure WAN only) can have the traffic marked with a QoS priority tag. Select a priority level:
     - Normal-Service: ToS=0 (lowest QoS)
     - Minimize-Cost: ToS=1
     - Maximize-Reliability: ToS=2
     - Maximize-Throughput: ToS=4
     - Minimize-Delay: ToS=8 (highest QoS)
5. Inbound rules can use Destination NAT (DNAT) for managing traffic from the WAN. Destination NAT is available when the To Zone = DMZ or secure LAN. With an inbound allow rule you can enter the internal server address that is hosting the selected service. You can enable port forwarding for an incoming service-specific rule (From Zone = WAN) by selecting the appropriate checkbox. This will allow the selected service traffic from the internet to reach the appropriate LAN port via a port forwarding rule.
   - Translate Port Number: With port forwarding, the incoming traffic is forwarded to the port number entered here.
   - External IP address: The rule
87. can be bound to a specific WAN interface by selecting either the primary WAN or the configurable port WAN as the source IP address for incoming traffic.

Note: This controller supports multi-NAT, so the External IP address does not necessarily have to be the WAN address. On a single WAN interface, multiple public IP addresses are supported. If your ISP assigns you more than one public IP address, one of these can be used as your primary IP address on the WAN port and the others can be assigned to servers on the LAN or DMZ. In this way the LAN/DMZ server can be accessed from the internet by its aliased public IP address.

6. Outbound rules can use Source NAT (SNAT) in order to map (bind) all LAN/DMZ traffic matching the rule parameters to a specific WAN interface or external IP address (usually provided by your ISP).

Once the new or modified rule parameters are saved, the rule appears in the master list of firewall rules. To enable or disable a rule, click the checkbox next to the rule in the list of firewall rules and choose Enable or Disable.

Note: The controller applies firewall rules in the order listed. As a general rule, you should move the strictest rules (those with the most specific services or addresses) to the top of the list. To reorder rules, click the checkbox next to a rule and click up or down.

Figure 63: Example where an outbound SNAT rule is used to map an external IP address 209.156.200.225 t
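The rule semantics spread over sections 78, 80, 86 and 87 above (From/To zones, ANY or a named service, single-address or address-range sources, the four actions, a schedule, first-match evaluation in list order, and the default outbound policy) fit together in one small model. The following is an added example written for this page, not the controller's own code: the zone names, actions and the "Weekend" schedule come from the manual, while the address range, the dates and the packet description are constructed. It also shows why the manual tells you to put the strictest rule first.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple


@dataclass
class Schedule:
    name: str
    days: frozenset              # Python weekdays: Monday=0 ... Sunday=6
    start: time = time(0, 0)     # "all day" is 12:00 am to 11:59 pm
    end: time = time(23, 59)

    def active(self, when: datetime) -> bool:
        t = when.time().replace(second=0, microsecond=0)
        return when.weekday() in self.days and self.start <= t <= self.end


@dataclass
class Rule:
    name: str
    from_zone: str               # LAN, DMZ or WAN
    to_zone: str
    service: str                 # "ANY" or a service name such as "HTTP"
    action: str                  # BLOCK, ALLOW, BLOCK_BY_SCHEDULE, ALLOW_BY_SCHEDULE
    schedule: Optional[Schedule] = None
    source: str = "ANY"          # "ANY", "a.b.c.d" (single) or "a.b.c.d-e.f.g.h" (range)
    enabled: bool = True


# Default outbound policy as stated in the text: LAN to DMZ/WAN allowed,
# DMZ to WAN denied. Anything else falls through to BLOCK in this model.
DEFAULT_POLICY: Dict[Tuple[str, str], str] = {
    ("LAN", "WAN"): "ALLOW",
    ("LAN", "DMZ"): "ALLOW",
    ("DMZ", "WAN"): "BLOCK",
}


def address_matches(spec: str, addr: str) -> bool:
    if spec == "ANY":
        return True
    if "-" in spec:                                   # Address Range
        lo, hi = (ip_address(s.strip()) for s in spec.split("-", 1))
        return lo <= ip_address(addr) <= hi
    return ip_address(spec) == ip_address(addr)       # Single Address


def rule_matches(rule: Rule, pkt: Dict[str, str]) -> bool:
    return (rule.enabled
            and rule.from_zone == pkt["from_zone"]
            and rule.to_zone == pkt["to_zone"]
            and rule.service in ("ANY", pkt["service"])
            and address_matches(rule.source, pkt["src"]))


def verdict(rule: Rule, when: datetime) -> str:
    """Resolve a rule's action, consulting its schedule where applicable."""
    if rule.action in ("BLOCK", "ALLOW"):
        return rule.action
    on_schedule = rule.schedule is not None and rule.schedule.active(when)
    if rule.action == "BLOCK_BY_SCHEDULE":
        return "BLOCK" if on_schedule else "ALLOW"
    if rule.action == "ALLOW_BY_SCHEDULE":
        return "ALLOW" if on_schedule else "BLOCK"
    raise ValueError(f"unknown action {rule.action!r}")


def evaluate(rules: List[Rule], pkt: Dict[str, str], when: datetime) -> Tuple[str, str]:
    """The first matching rule in list order decides; otherwise the default policy."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return verdict(rule, when), rule.name
    policy = DEFAULT_POLICY.get((pkt["from_zone"], pkt["to_zone"]), "BLOCK")
    return policy, "default outbound policy"


# Example 4 from the text: block HTTP on weekends from a LAN address range.
# The address range, dates and source address below are constructed values.
WEEKEND = Schedule("Weekend", frozenset({5, 6}))
WEEKEND_HTTP_BLOCK = Rule("Block LAN HTTP on weekends", "LAN", "WAN", "HTTP",
                          "BLOCK_BY_SCHEDULE", WEEKEND,
                          source="192.168.10.100-192.168.10.150")
ALLOW_ALL_OUT = Rule("Allow all LAN to WAN", "LAN", "WAN", "ANY", "ALLOW")

SATURDAY = datetime(2011, 7, 2, 10, 0)    # 2 July 2011 was a Saturday
MONDAY = datetime(2011, 7, 4, 10, 0)
HTTP_FROM_LAN = {"from_zone": "LAN", "to_zone": "WAN",
                 "service": "HTTP", "src": "192.168.10.120"}


def demo() -> Dict[str, str]:
    """Same two rules in both orders: only strict-first gives the intended block."""
    strict_first = [WEEKEND_HTTP_BLOCK, ALLOW_ALL_OUT]
    broad_first = [ALLOW_ALL_OUT, WEEKEND_HTTP_BLOCK]
    return {
        "saturday_strict_first": evaluate(strict_first, HTTP_FROM_LAN, SATURDAY)[0],
        "monday_strict_first": evaluate(strict_first, HTTP_FROM_LAN, MONDAY)[0],
        "saturday_broad_first": evaluate(broad_first, HTTP_FROM_LAN, SATURDAY)[0],
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

With the broad "Allow all" rule listed first it matches every LAN-to-WAN packet and the weekend block is never consulted, which is the ordering mistake the note above warns about; moving the specific rule to the top restores the intended behaviour without changing either rule.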
88. ccess Point Software Download (page 93)
Figure 58: Local OUI Database (page 94)
Figure 59: Managed AP Statistics (page 95)
Figure 60: WLAN Associated Clients (page 96)
Figure 61: List of Available Firewall Rules (page 98)
Figure 62: List of Available Schedules to bind to a firewall rule (page 99)
Figure 63: Example where an outbound SNAT rule is used to map an external IP address 209.156.200.225 to a private DMZ IP address 10.30.30.30 (page 102)
Figure 64: The firewall rule configuration page allows you to define the To/From zone, service, action, schedules and specify source/destination IP addresses as needed (page 103)
Figure 65: Schedule configuration for the above example (page 106)
Figure 66: List of user defined services (page 107)
Figure 67, Figure 68, Figure 69, Figure 70, Figure 71, Figure 72, Figure 73, Figure 74, Figure 75, Figure 76, Figure 77, Figure 78, Figure 79, Figure 80
89. ces, the type of traffic can be assigned to go over only one of the available WAN ports. For increased flexibility, the source network or machines can be specified as well as the destination network or machines. For example, the VoIP traffic for a set of LAN IP addresses can be assigned to one WAN, and any VoIP traffic from the remaining IP addresses can be assigned to the other WAN link. Protocol bindings are only applicable when load balancing mode is enabled and more than one WAN is configured.

Figure 25: Protocol binding setup to associate a service and/or LAN source to a WAN and/or destination network

[Screenshot: Protocol Bindings page, which allows the user to add a new protocol binding rule for the WAN interfaces; fields: Local Gateway, Source Network (Start Address, End Address)]

3.4 Routing Configuration

Routing between the LAN and WAN will impact the way this controller handles traffic that is received on any of its physical interfaces. The routing mode of the gateway is core to the behaviour of the traffic flow between the secure LAN and the internet.

3.4.1 Routing Mode

Setup > Internet Settings > Routing Mode

This device supports classical routing, network address translation (NAT), and transport mode routing.
- With classical routing, devices on th
90. cited multicast packets; this interval sets the maximum time between advertisements from the interface. The actual duration between advertisements is a random value between one-third of this field and this field. The default is 30 seconds.
- RA Flags: The router advertisements (RAs) can be sent with one or both of these flags. Choose Managed to use the administered (stateful) protocol for address auto-configuration. If the Other flag is selected, the host uses the administered (stateful) protocol for non-address auto-configuration.
- Router Preference: This low/medium/high parameter determines the preference associated with the RADVD process of the router. This is useful if there are other RADVD-enabled devices on the LAN, as it helps avoid conflicts for IPv6 clients.
- MTU: The router advertisement will set this maximum transmission unit (MTU) value for all nodes in the LAN that are autoconfigured by the router. The default is 1500.
- Router Lifetime: This value is present in RAs and indicates the usefulness of this router as a default router for the interface. The default is 3600 seconds. Upon expiration of this value, a new RADVD exchange must take place between the host and this router.

Figure 3: Configuring the Router Advertisement Daemon

[Screenshot: Router Advertisement Daemon page; the page notes that IP Mode must be set to IPv4/IPv6 in the Routing Mode page before this page can be configured]
91. ck Start Channel Plan.

The 5 GHz and 2.4 GHz radios use different channel plans, so the controller tracks the channel history separately for each radio. The channel information that displays on the page is only for the radio you select.

Channel plan algorithm:
- Current Status: Shows the current status of the plan, which is one of the following states:
  - None: The channel plan algorithm has not been manually run since the last controller reboot.
  - Algorithm in Progress: The channel plan algorithm is running.
  - Algorithm Complete: The channel plan algorithm has finished running. A table displays to indicate proposed channel assignments. Each entry shows the AP along with the current and new channel. To accept the proposed channel change, click Apply. You must manually apply the channel plan for the proposed assignments to be applied.
  - Apply In Progress: The controller is applying the proposed channel plan and adjusting the channel on the APs listed in the table.
  - Apply Complete: The algorithm and channel adjustment are complete.
- Proposed Channel Assignments: If no APs appear in the table after the algorithm is complete, the algorithm does not recommend any channel changes.
  - Current Channel: Shows the current operating channel for the AP that the algorithm recommends for new channel assignments.
  - New Channel: Shows the proposed operating channel for the AP.

This page has the following button
92. client browser from the drop-down menu and clicking Add. This browser will then appear in the above list of Defined Browsers.
- Click Save Settings to save your changes.

Figure 92: Browser policies options

[Screenshot: Groups page, which allows the user to add browser-specific policies for available users. Group Policy By Client Browser: Group Name; Deny Login from Defined Browsers; Allow Login from Defined Browsers; Defined Browsers; Add Defined Browser]

Policy by IP: To set policies by IP for the group, select the corresponding group and click Policy by IP. The following parameters are configured:
- Group Name: This is the name of the group that can have its login policy edited.
- Deny Login from Defined Browsers: The list of defined browsers below will be used to prevent the users of this group from logging in to the controller GUI. All non-defined browsers will be allowed for login for this group.
- Allow Login from Defined Browsers: The list of defined browsers below will be used to allow the users of this group to log in to the controller GUI. All non-defined browsers will be d
93. configuration (page 28)
2.6.2 AP Profile Global Configuration (page 31)
Connecting to the Internet: WAN Setup (page 35)
3.1 Internet Setup Wizard (page 35)
3.2 WAN Configuration (page 36)
3.2.1 WAN Port IP address (page 37)
3.2.2 WAN DNS Servers (page 37)
3.2.3 DHCP WAN (page 37)
3.2.4 PPPoE (page 38)
3.2.5 Russia L2TP and PPTP WAN (page 41)
3.2.6 WAN Configuration in an IPv6 Network (page 42)
3.2.7 Checking WAN Status (page 44)
3.3 Features with Multiple WAN Links (page 45)
3.3.1 Auto Failover (page 46)
3.3.2 Load Balancing (page 46)
3.3.3 Protocol Bindings (page 48)
3.4 Routing Configuration (page 49)
3.4.1 Routing Mode
94. configured CRITICAL level logging for the Wireless facility, then 802.11 logs with severities CRITICAL, ALERT and EMERGENCY are logged. The severity levels available for logging are:
- EMERGENCY: system is unusable
- ALERT: action must be taken immediately
- CRITICAL: critical conditions
- ERROR: error conditions
- WARNING: warning conditions
- NOTIFICATION: normal but significant condition
- INFORMATION: informational
- DEBUGGING: debug-level messages

Figure 111: Facility settings for Logging

[Screenshot: Logs Facility page (Tools > Log Settings > Logs Facility)]

Display and Send Logs: The display for logging can be customized based on where the logs are sent, either the Event Log viewer in the GUI (the Event Log viewer is in the Status > Logs page) or a remote Syslog server for later review. E-mail logs, discussed in a subsequent section, follow the same configuration as logs configured for a Syslog server.

Tools > Log Settings > Logs Configuration

This page allows you to determine the type of traffic through the controll
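The rule in the passage above is a per-facility severity threshold: a message is kept when its severity is at least as severe as the level configured for its facility, so CRITICAL on the Wireless facility keeps CRITICAL, ALERT and EMERGENCY and drops ERROR and below. The following is an added example that applies that rule to a few constructed log lines; it is not the controller's code, the line layout (timestamp, facility, severity, message) is an assumption made for the sample, and the threshold table is a constructed configuration.

```python
import re
from typing import Dict, List

# Severity names in the order the manual lists them; a lower index is more
# severe (EMERGENCY = 0 ... DEBUGGING = 7).
SEVERITIES = ["EMERGENCY", "ALERT", "CRITICAL", "ERROR",
              "WARNING", "NOTIFICATION", "INFORMATION", "DEBUGGING"]
RANK = {name: level for level, name in enumerate(SEVERITIES)}

# Constructed per-facility thresholds: CRITICAL for Wireless (the manual's
# own example) and WARNING for System. Facilities with no entry log nothing.
THRESHOLDS: Dict[str, str] = {"Wireless": "CRITICAL", "System": "WARNING"}

# Assumed line layout for the constructed sample below; the controller's real
# syslog format is not shown on this page.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<facility>\w+) (?P<severity>[A-Z]+): (?P<msg>.*)$"
)

# Constructed sample log; the MAC address is a made-up locally administered one.
SAMPLE_LOG = """\
2011-07-02 10:00:01 Wireless CRITICAL: AP 02:00:00:aa:bb:cc failed authentication
2011-07-02 10:00:02 Wireless INFORMATION: client associated to SSID lab
2011-07-02 10:00:03 Wireless EMERGENCY: radio 1 firmware fault
2011-07-02 10:00:04 System ERROR: NTP server unreachable
2011-07-02 10:00:05 System NOTIFICATION: configuration saved
2011-07-02 10:00:06 Kernel WARNING: no threshold configured for this facility
"""


def should_log(facility: str, severity: str, thresholds: Dict[str, str]) -> bool:
    """True when severity is at least as severe as the facility's threshold."""
    threshold = thresholds.get(facility)
    if threshold is None or severity not in RANK:
        return False
    return RANK[severity] <= RANK[threshold]


def filter_log(text: str, thresholds: Dict[str, str]) -> List[str]:
    """Return the lines that the configured facility thresholds would keep."""
    kept: List[str] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and should_log(m["facility"], m["severity"], thresholds):
            kept.append(line)
    return kept


if __name__ == "__main__":
    for line in filter_log(SAMPLE_LOG, THRESHOLDS):
        print(line)
```

Running it keeps the Wireless CRITICAL and EMERGENCY lines and the System ERROR line, and drops the Wireless INFORMATION, System NOTIFICATION and unconfigured Kernel lines, which is the behaviour the passage describes for a CRITICAL threshold on the Wireless facility.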
95. creased; however, large packets can introduce network lag and bring down the interface speed. Note that a 1500-byte packet is the largest allowed by the Ethernet protocol at the network layer.

The port speed can be sensed by the controller when Auto is selected. With this option, the optimal port settings are determined by the controller and network. The duplex (half or full) can be defined based on the port support, as well as one of three port speeds: 10 Mbps, 100 Mbps and 1000 Mbps (i.e. 1 Gbps). The default setting is 100 Mbps for all ports.

The default MAC address is defined during the manufacturing process for the interfaces and can uniquely identify this controller. You can customize each WAN port's MAC address as needed, either by letting the WAN port assume the current LAN host's MAC address or by entering a MAC address manually.

Figure 28: Physical WAN port settings

[Screenshot: Advanced WAN options page (Option1 Port Setup, Option2 Port Setup)]

Chapter 4: Monitoring Status and Statistics

4.1 System Overview

The Status page allows you to get a detailed overview of the system configuration. The settings f
96. cted SSID: Enter the SSID that identifies the wireless network on the standalone AP.
- Expected Channel: Select the channel that the standalone AP uses. If the AP is configured to automatically select a channel, or if you do not want to specify a channel, select Any.
- Expected WDS Mode: Standalone APs can use a Wireless Distribution System (WDS) link to communicate with each other without wires. The menu contains the following options:
  - Bridge: Select this option if the standalone AP you add to the Valid AP database is configured to use one or more WDS links.
  - Normal: Select this option if the standalone AP is not configured to use any WDS links.
  - Any: Select this option if the standalone AP might use a WDS link.
- Expected Security Mode: Select the option to specify the type of security the AP uses:
  - Any: Any security mode
  - Open: No security
  - WEP: Static WEP or WEP 802.1X
  - WPA/WPA2: WPA and/or WPA2 (Personal or Enterprise)
- Expected Wired Network Mode: If the standalone AP is allowed on the wired network, select Allowed. If the AP is not permitted on the wired network, select Not Allowed.
- Channel: The channel defines the portion of the radio spectrum that the radio uses for transmitting and receiving. The range of channels and the default channel are determined by the Mode of the radio interface and the country in which the APs operate.
- Power: The power level affects how far an AP broadcasts its RF signal. If the power lev
97. d was already configured over all addresses and over all services/ports. (The View List of SSL VPN Policies page shows a For selector (Global, group or user), Available Groups, Available Users, and a table with the columns Name, Service, Destination, Permission, Edit and Delete.) To add an SSL VPN policy, you must first assign it to a user group or make it global (i.e. applicable to all SSL VPN users). If the policy is for a group, the available configured groups are shown in a drop-down menu and one must be selected. Similarly, for a user-defined policy an SSL VPN user must be chosen from the available list of configured users. The next step is to define the policy details. The policy name is a unique identifier for this rule. The policy can be assigned to a specific Network Resource (details follow in the subsequent section), IP address, IP network, or all devices on the LAN of the controller. Based on the selection of one of these four options, the appropriate configuration fields are required, i.e. choosing the network resources from a list of defined resources or defining the IP addresses. For applying the policy to addresses, the port range or port number can be defined. The final steps require the policy permission to be set to either permit or deny access to the selected addresses or network resources. As well, the policy can be specified for one or all of the supported SSL VPN services (i.e. VPN tunnel). Once defined, the policy goes into effect immediate
98. d DMZ to access internal servers (e.g. an internal FTP server) using their externally known domain name. This is also referred to as NAT loopback, since LAN-generated traffic is redirected through the firewall to reach LAN servers by their external name. Figure 26: Routing Mode is used to configure traffic routing between WAN and LAN as well as dynamic routing (RIP). (The Routing Mode page allows the user to configure the routing mode between Option and LAN (NAT, Classical Routing and Transparent) and to configure RIP (Routing Information Protocol); its "Authentication for RIP-2B/2M" section has an Enable Authentication checkbox and First Key Parameters / Second Key Parameters fields: MD5 Key Id, MD5 Auth Key, Not Valid Before, Not Valid After.) 3.4.2 Dynamic Routing (RIP). Setup > Internet Settings > Routing Mode. Dynamic routing using the Routing Information Protocol (RIP) is an Interior Gateway Protocol (IGP) that is common in LANs. With RIP, this controller can exchange routing information with other supported controllers in the LAN and allow for dynamic adjustment of routing tables in or
99. der to adapt to modifications in the LAN without interrupting traffic flow. The RIP direction defines how this controller sends and receives RIP packets. Choose between: Both (the controller both broadcasts its routing table and processes RIP information received from other controllers; this is the recommended setting in order to fully utilize RIP capabilities); Out Only (the controller broadcasts its routing table periodically but does not accept RIP information from other controllers); In Only (the controller accepts RIP information from other controllers but does not broadcast its routing table); None (the controller neither broadcasts its route table nor accepts any RIP packets from other controllers; this effectively disables RIP). The RIP version is dependent on the RIP support of other routing devices in the LAN: Disabled (this is the setting when RIP is disabled); RIP-1 (a class-based routing version that does not include subnet information; this is the most commonly supported version); RIP-2 (includes all the functionality of RIPv1 plus support for subnet information). Though the data is sent in RIP-2 format for both RIP-2B and RIP-2M, the mode in which packets are sent is different: RIP-2B broadcasts data in the entire subnet, while RIP-2M sends data to multicast addresses. If RIP-2B or RIP-2M is the selected version, authentication between this controller and other controllers configured with t
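The RIP direction, version and authentication settings above amount to an input policy on received updates: accept only the configured version and, when RIP-2 authentication is on, only updates carrying a valid MD5 authentication entry. The following Python is an added example (not D-Link's code and not the DWC-1000's implementation) that decodes RIP-1/RIP-2 packets, checks the RFC 2082-style authentication entry and keyed-MD5 trailer, and applies that policy; the packets it checks are constructed inline, and the trailer computation is a simplified model of RFC 2082, not a bit-exact reimplementation.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# RIP wire format (RFC 1058 / RFC 2453): 4-byte header followed by 20-byte entries.
RIP_RESPONSE = 2
AFI_IP, AFI_AUTH = 2, 0xFFFF
AUTH_MD5_TRAILER, AUTH_SIMPLE, AUTH_MD5 = 1, 2, 3   # RFC 2082 authentication types


@dataclass
class RipPacket:
    command: int
    version: int
    auth_type: Optional[int] = None                  # None: no authentication entry present
    routes: List[Tuple[str, str, int]] = field(default_factory=list)   # (network, mask, metric)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def _key16(key: bytes) -> bytes:
    return key[:16].ljust(16, b"\0")                 # keys are zero-padded to 16 bytes


def parse_rip(pkt: bytes) -> RipPacket:
    """Decode header and entries; raise ValueError on anything malformed."""
    if len(pkt) < 24 or (len(pkt) - 4) % 20:
        raise ValueError("bad length")
    command, version, _ = struct.unpack("!BBH", pkt[:4])
    if version not in (1, 2):
        raise ValueError("unknown RIP version %d" % version)
    out = RipPacket(command, version)
    body = pkt[4:]
    for off in range(0, len(body), 20):
        afi, tag = struct.unpack("!HH", body[off:off + 4])
        if afi == AFI_AUTH:
            if tag == AUTH_MD5_TRAILER:
                continue                             # digest trailer carries no route
            if off != 0:
                raise ValueError("authentication entry must be first")
            out.auth_type = tag
            continue
        net, mask, _nexthop, metric = struct.unpack("!4s4s4sI", body[off + 4:off + 20])
        if not 1 <= metric <= 16:
            raise ValueError("metric out of range")
        out.routes.append((_ip(net), _ip(mask), metric))
    return out


def md5_digest_ok(pkt: bytes, key: bytes) -> bool:
    """Keyed-MD5 trailer check modelled on RFC 2082: MD5 over the packet up to the
    trailer header, with the padded key standing in the digest's place."""
    if len(pkt) < 20 or struct.unpack("!HH", pkt[-20:-16]) != (AFI_AUTH, AUTH_MD5_TRAILER):
        return False
    expected = hashlib.md5(pkt[:-16] + _key16(key)).digest()
    return hmac.compare_digest(expected, pkt[-16:])


def accept_rip_update(pkt: bytes, version: int, md5_key: Optional[bytes]) -> Tuple[bool, str]:
    """Policy for a received update: the version must match the configured one and, when
    RIP-2 authentication is enabled (md5_key given), a valid MD5 entry is required."""
    try:
        p = parse_rip(pkt)
    except ValueError as e:
        return False, "drop: " + str(e)
    if p.command != RIP_RESPONSE:
        return False, "drop: not a Response"
    if p.version != version:
        return False, "drop: RIP version %d, expected %d" % (p.version, version)
    if md5_key is not None:
        if p.auth_type != AUTH_MD5:
            return False, "drop: MD5 authentication required"
        if not md5_digest_ok(pkt, md5_key):
            return False, "drop: bad MD5 digest"
    return True, "accept: %d route(s)" % len(p.routes)


def build_rip(version: int, routes, auth_type: Optional[int] = None,
              key: bytes = b"", key_id: int = 1) -> bytes:
    """Constructed test packets (not captured from a real controller)."""
    pkt = struct.pack("!BBH", RIP_RESPONSE, version, 0)
    if auth_type == AUTH_SIMPLE:
        pkt += struct.pack("!HH16s", AFI_AUTH, AUTH_SIMPLE, _key16(key))
    elif auth_type == AUTH_MD5:
        body_len = 4 + 20 * (1 + len(routes))        # packet length up to the trailer
        pkt += struct.pack("!HHHBBI8s", AFI_AUTH, AUTH_MD5, body_len, key_id, 16, 1, b"\0" * 8)
    for net, mask, metric in routes:
        pkt += struct.pack("!HH", AFI_IP, 0)
        pkt += bytes(int(x) for x in net.split("."))
        pkt += bytes(int(x) for x in mask.split(".")) if version == 2 else b"\0" * 4  # RIP-1: no mask
        pkt += b"\0" * 4 + struct.pack("!I", metric)
    if auth_type == AUTH_MD5:
        trailer = struct.pack("!HH", AFI_AUTH, AUTH_MD5_TRAILER)
        pkt += trailer + hashlib.md5(pkt + trailer + _key16(key)).digest()
    return pkt
```

A controller set to In Only or Both would run a check like `accept_rip_update` on every received update; Out Only and None never reach it. Note that the simple-password type (AUTH_SIMPLE) puts the key on the wire in clear text, which is why the policy treats only the MD5 entry as authentication.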
100. des the following buttons: Delete All (manually clear all APs from the All Access Points status page except Managed Access Points); Manage (configure an Authentication Failed AP to be managed by the controller the next time it is discovered; select the check box next to the MAC address of the AP before you click Manage; you will be presented with the Valid Access Point Configuration page, where you can configure the AP and click Submit to save the AP in the local Valid AP database; if you use a RADIUS server for AP validation, you must add the MAC address of the AP to the AP database on the RADIUS server); Acknowledge (identify an AP as an Acknowledged Rogue; select the check box next to the MAC address of the AP before you click Acknowledge; the controller adds the AP to the Valid AP database as an Acknowledged Rogue); View Details (to view the details of configured APs, select the check box next to the MAC address of the AP before you click View Details); Refresh (updates the page with the latest information). Managed AP Status. Status > Access Point Info > Managed AP Status. In the Managed AP Status page you can access a variety of information about each AP that the controller manages. Figure 38: Managed AP status. (The List of Managed APs table has the columns MAC Address, Peer Managed, IP Address, Age, Status, Profile, Radio Interface, Active Ses
101. e LAN can be directly accessed from the internet by their public IP addresses (assuming appropriate firewall settings). If your ISP has assigned an IP address for each of the computers that you use, select Classic Routing. NAT is a technique which allows several computers on a LAN to share an Internet connection. The computers on the LAN use a private IP address range, while the WAN port on the controller is configured with a single public IP address. Along with connection sharing, NAT also hides internal IP addresses from the computers on the Internet. NAT is required if your ISP has assigned only one IP address to you. The computers that connect through the controller will need to be assigned IP addresses from a private subnet. Transparent routing between the LAN and WAN does not perform NAT. Broadcast and multicast packets that arrive on the LAN interface are switched to the WAN and vice versa, if they do not get filtered by firewall or VPN policies. To maintain the LAN and WAN in the same broadcast domain, select Transparent mode, which allows bridging of traffic from LAN to WAN and vice versa, except for controller-terminated traffic and other management traffic. All DWC features are supported in transparent mode, assuming the LAN and WAN are configured to be in the same broadcast domain. Note: NAT routing has a feature called NAT hairpinning that allows internal network users on the LAN an
102. e printer driver will have to be installed on the LAN host, and traffic will be routed through the DWC between the LAN and the printer. To configure the printer on a Windows machine, follow the steps given below: click Start on the desktop; select the Printers and Faxes option; right-click and select Add Printer, or click Add Printer in the left menu; select the Network Printer radio button and click Next (select "device isn't listed" in the case of Windows 7); select the "Connect to a printer using URL" radio button ("Select a shared printer by name" in the case of Windows 7) and give the following URL: http://<controller's LAN IP address>:631/printers/<Model Name> (the Model Name can be found in the USB status page of the controller's GUI); click Next and select the appropriate driver from the displayed list; click Next and Finish to complete adding the printer. Figure 103: USB Device Detection. (The USB Settings page displays information about the USB devices connected to the USB port(s) and allows the user to perform certain operations on them, such as safely unmounting the devices; for USB 1 and USB 2 it shows Device Vendor, Device Model, Device Type and Mount Status, both here reading "Device Not Connected".) 8.2 Authentication Certificates. Advanced > Certificates. This gatewa
103. e the MAC address of the controller to register with the ISP. In some cases you may need to clone the LAN host's MAC address if the ISP is registered with that LAN host. Figure 17: Manual Option configuration. (The Option1 Setup page allows you to set up your Internet connection; ensure that you have the Internet connection information, such as the IP addresses and account information, which is usually provided by your ISP or network administrator. The figure shows ISP Connection Type Static IP with the values 192.168.1.204, 255.255.255.0 and 192.168.1.2, Domain Name System (DNS) Servers 192.168.1.2 and 192.158.1.16, and MAC Address set to "Use this MAC Address" 00:0B:BB:7B:00:00.) 3.2.4 PPPoE. Setup > Internet Settings. The PPPoE ISP settings are defined on the WAN Configuration page. There are two types of PPPoE ISPs supported by the DWC-1000: the standard username/password PPPoE, and Japan Multiple PPPoE. Figure 18: PPPoE configuration for standard ISPs. This page allows you to set u
104. eighbor Details (shows the neighbour APs that the specified AP has discovered through periodic RF scans on the selected radio interface); View Neighbor Clients (shows information about wireless clients associated with an AP or detected by the AP radio); View VAP Details (shows summary information about the virtual access points (VAPs) for the selected AP and radio interface on the APs that the controller manages). AP RF Scan Status. Status > Access Point Info > AP RF Scan Status. The radios on each AP can periodically scan the radio frequency to collect information about other APs and wireless clients that are within range. In normal operating mode the AP always scans on the operational channel for the radio. MAC Address: The Ethernet MAC address of the detected AP; this could be a physical radio interface or a VAP MAC. SSID: Service Set ID of the network, which is broadcast in the detected beacon frame. Physical Mode: Indicates the 802.11 mode being used on the AP. Channel: Transmit channel of the AP. Status: Indicates the managed status of the AP, i.e. whether this is a valid AP known to the controller or a Rogue on the network. The valid values are: Managed (the neighbor AP is managed by the wireless system); Standalone (the AP is managed in standalone mode and configured as a valid AP entry, local or RADIUS); Rogue (the AP is classified as a threat by one of the threat detection algorithms); Unknown (the AP is detected
105. el is too low, wireless clients will not detect the signal or will experience poor WLAN performance. If the power level is too high, the RF signal might interfere with other APs within range. RF Management: RF Configuration. Setup > AP Management > RF Management > RF Configuration. The radio frequency (RF) broadcast channel defines the portion of the radio spectrum that the radio on the access point uses for transmitting and receiving. The range of available channels for an access point is determined by the IEEE 802.11 mode (also referred to as band) of the access point. The controller contains a channel plan algorithm that automatically determines which RF channels each AP should use to minimize RF interference. When you enable the channel plan algorithm, the controller periodically evaluates the operational channel on every AP it manages and changes the channel if the current channel is noisy. Channel Plan: Each AP is dual-band, capable of operating in the 2.4 GHz and 5 GHz frequencies. The 802.11a/n and 802.11b/g/n modes use different channel plans. Before you configure channel plan settings, select the mode to configure. Channel Plan Mode: This field indicates the channel assignment mode. The mode of channel plan assignment can be one of the following: Fixed Time (if you select the fixed time channel plan mode, you specify the time for the channel plan and channel assignment; in this mode
106. elow to configure the NTP server: 5. Select the controller time zone relative to Greenwich Mean Time (GMT). 6. If supported for your region, click to Enable Daylight Savings. 7. Determine whether to use default or custom Network Time Protocol (NTP) servers; if custom, enter the server addresses or FQDN. Figure 110: Date, Time and NTP server setup. (The Date and Time page allows you to set the date, time and NTP servers. Network Time Protocol (NTP) is a protocol that is used to synchronize computer clock time in a network of computers; accurate time across a network is important for many reasons. The figure shows Current Router Time Fri Oct 7 05:25:08 GMT 2011, Time Zone (GMT-08:00) Pacific Time (US and Canada), an Enable Daylight Saving checkbox, the choice between Configure NTP Servers and Set Date and Time Manually, NTP Servers Configuration with Default NTP Server or Custom NTP Server, Primary NTP Server 0.us.pool.ntp.org, Secondary NTP Server 1.us.pool.ntp.org, Time to re-synchronize in 120 minutes, and Set Date And Time fields Year, Month, Day, Hours, Min.) 9.5 Log Configuration. This controller allows you to capture log messages for traffic through the firewall, VPN and over the wireless AP. As an admi
107. enied for login for this group. Defined Browsers: This list displays the web browsers that have been added to the Defined Browsers list, upon which group login policies can be defined. The check box at the first column header selects all the defined browsers in the table; Delete deletes the selected browser(s). You can add to the list of Defined Browsers by selecting a client browser from the drop-down menu and clicking Add; this browser will then appear in the above list of Defined Browsers. Click Save Settings to save your changes. Figure 93: IP policies options. (The Groups page shown allows the user to add IP-based policies, i.e. specific policies for available users: Policy by Source IP Address with Group Name and Deny Login from Defined Addresses, and Defined Addresses with Source Address Type, Network Address and IP Address.) Note: Login Policies, Policy by Browsers and Policy by IP are applicable to SSL VPN users only. Advanced > Users > Users. The Users page allows adding, editing and deleting existing groups. The users are associated to configured groups. The list of available users is displayed in the List of Users page with User name, associated group and Login status. Click Add to create a user
108. ent connections to the internal network through the DWC IPsec gateway 118; VPN Wizard launch screen 119; IPsec policy configuration 122; IPsec policy configuration continued (Auto policy via IKE) 123; IPsec policy configuration continued (Auto/Manual Phase 2) 124; PPTP tunnel configuration (PPTP Client) 126; PPTP VPN connection status 126; PPTP tunnel configuration (PPTP Server) 127; L2TP tunnel configuration (L2TP Server) 128; OpenVPN configuration 130; Example of clientless SSL VPN connections to the DWC-1000 132; List of groups 133; User group configuration 134; SSL VPN settings 135; Group login policies options 136; Browser policies opti
109. ent the users of this group from logging in from a WAN (wide area network) interface. In this case only login through the LAN is allowed. Figure 91: Group login policies options. (The Groups page allows the user to add login policies for the available users; its Group Login Policies section has the fields Group Name, Disable Login and Deny Login from Option Interface.) Policy by Browsers: To set browser policies for the group, select the corresponding group and click Policy by Browsers. The following parameters are configured: Group Name (this is the name of the group that can have its login policy edited); Deny Login from Defined Browsers (the list of defined browsers below will be used to prevent the users of this group from logging in to the controller's GUI; all non-defined browsers will be allowed for login for this group); Allow Login from Defined Browsers (the list of defined browsers below will be used to allow the users of this group to log in to the controller's GUI; all non-defined browsers will be denied for login for this group); Defined Browsers (this list displays the web browsers that have been added to the Defined Browsers list, upon which group login policies can be defined; the check box at the first column header selects all the defined browsers in the table; Delete deletes the selected browser(s)). You can add to the list of Defined Browsers by selecting a
110. equest and prompt for a username/password. The login credentials are compared against the RunTimeAuth users in the user database prior to granting HTTP access. Note: Captive Portal is available for LAN users only and not for DMZ hosts. Advanced > Captive Portal > Captive Portal Sessions. The active runtime internet sessions through the controller firewall are listed in the table below. These users are present in the local or external user database and have had their login credentials approved for internet access. A Disconnect button allows the DWC-1000 admin to selectively drop an authenticated user. Figure 10: Active Runtime sessions. (The Captive Portal Sessions page displays a list of active run-time sessions on your router; the List of Captive Portal Sessions in the figure shows the IP addresses 192.168.17.38 and 192.168.17.41.) 2.6 WLAN global configuration. Setup > WLAN Global Settings. Following are the options available to enable the WLAN function on the DWC-1000. Enable WLAN Controller: Select this option to enable WLAN controller functionality on the system. Clear the option to administratively disable the WLAN controller. If you clear the option, all peer controllers and APs that are associated with this controller are disassociated. Disabling the WLAN controller does not af
111. er that is logged for display in Syslog, e-mailed logs, or the Event Viewer. Denial of service attacks, general attack information, login attempts, dropped packets and similar events can be captured for review by the IT administrator. Traffic through each network segment (LAN, WAN, DMZ) can be tracked based on whether the packet was accepted or dropped by the firewall. Accepted Packets are those that were successfully transferred through the corresponding network segment (i.e. LAN to WAN). This option is particularly useful when the Default Outbound Policy is Block Always, so the IT admin can monitor traffic that is passed through the firewall. Example: If Accept Packets from LAN to WAN is enabled and there is a firewall rule to allow SSH traffic from the LAN, then whenever a LAN machine tries to make an SSH connection those packets will be accepted and a message will be logged (assuming the log option is set to Allow for the SSH firewall rule). Dropped Packets are packets that were intentionally blocked from being transferred through the corresponding network segment. This option is useful when the Default Outbound Policy is Allow Always. Example: If Drop Packets from LAN to WAN is enabled and there is a firewall rule to block SSH traffic from the LAN, then whenever a LAN machine tries to make an SSH connection those packets will be dropped and a message will be logged. Make sure the log
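Once accepted/dropped packet logging is on and the messages reach a syslog collector, the useful next step is to sort them by device, segment and outcome and to notice a LAN host that keeps hitting a blocked service (the SSH example above). The Python below is an added example, not D-Link code: the log line layout it parses is constructed for illustration and is not the DWC-1000's real message format; the only element taken from the manual is the idea of a per-device prefix (the Remote Log Identifier configured under Tools > Log Settings > Remote Logging) that lets one collector separate several controllers' logs.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed line layout (NOT the DWC-1000's real syslog format):
#   <date> <remote-log-identifier> FW <segment> <ACCEPT|DROP> <proto> src=<ip>:<port> dst=<ip>:<port>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<device>\S+) FW "
    r"(?P<segment>LAN->WAN|LAN->DMZ|WAN->LAN|WAN->DMZ|DMZ->WAN|DMZ->LAN) "
    r"(?P<action>ACCEPT|DROP) (?P<proto>TCP|UDP|ICMP) "
    r"src=(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) "
    r"dst=(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class FirewallEvent:
    timestamp: str
    device: str        # Remote Log Identifier prefix: which controller emitted the line
    segment: str       # network segment the packet crossed, e.g. LAN->WAN
    action: str        # ACCEPT or DROP as decided by the firewall
    proto: str
    src: str
    dst: str
    dport: int


def parse_line(line: str) -> Optional[FirewallEvent]:
    """Return an event for a firewall accept/drop line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return FirewallEvent(m["ts"], m["device"], m["segment"], m["action"],
                         m["proto"], m["src"], m["dst"], int(m["dport"]))


def parse_log(lines: Iterable[str]) -> List[FirewallEvent]:
    return [e for e in (parse_line(line) for line in lines) if e is not None]


def summarize(events: Iterable[FirewallEvent]) -> Dict[Tuple[str, str, str, int], int]:
    """Count events per (device, segment, action, destination port)."""
    return dict(Counter((e.device, e.segment, e.action, e.dport) for e in events))


def repeated_drops(events: Iterable[FirewallEvent], threshold: int = 3) -> List[Tuple[str, str, int]]:
    """Source hosts that were dropped `threshold` or more times for the same port on the same device."""
    hits = Counter((e.device, e.src, e.dport) for e in events if e.action == "DROP")
    return sorted(key for key, n in hits.items() if n >= threshold)


# Constructed sample log: one LAN host repeatedly blocked from SSH, one allowed, one unrelated line.
SAMPLE_LOG = [
    "Oct  7 05:25:08 DWC-HQ FW LAN->WAN DROP TCP src=192.168.10.25:51000 dst=203.0.113.10:22",
    "Oct  7 05:25:09 DWC-HQ FW LAN->WAN DROP TCP src=192.168.10.25:51001 dst=203.0.113.10:22",
    "Oct  7 05:25:11 DWC-HQ FW LAN->WAN DROP TCP src=192.168.10.25:51002 dst=203.0.113.10:22",
    "Oct  7 05:26:40 DWC-HQ FW LAN->WAN DROP TCP src=192.168.10.31:40222 dst=203.0.113.10:22",
    "Oct  7 05:27:02 DWC-HQ FW LAN->WAN ACCEPT TCP src=192.168.10.40:42000 dst=203.0.113.10:22",
    "Oct  7 05:27:30 DWC-BRANCH FW LAN->WAN ACCEPT TCP src=192.168.20.5:33000 dst=198.51.100.7:443",
    "Oct  7 05:28:00 DWC-HQ some unrelated message",
]

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for key, n in sorted(summarize(events).items()):
        print(key, n)
    print("repeated drops:", repeated_drops(events))
```

The device prefix is what makes `summarize` and `repeated_drops` meaningful when several controllers feed the same syslog server; without it, two controllers with overlapping private address ranges would be indistinguishable in the counts.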
112. (title cut off) 54; Physical WAN port settings 55; Device Status display 57; Device Status display continued 58; Resource Utilization Statistics 59; Resource Utilization data continued 59; Figure 33 Physical port statistics 61; Figure 34 List of current Active Firewall Sessions 62; Figure 35 List of LAN hosts 63; Figure 36 List of current Active VPN Sessions 64; Figure 37 AP status 65; Figure 38 Managed AP Status 67; Figure 39 AP RF Scan Status 69; Figure 40 Peer Controller Status (the figure-number column of this list also runs on through Figure 58, whose titles fall outside this fragment)
113. f desired, you can add new OUI entries. (The page has Delete, Delete All and Refresh buttons, an OUI Value field (shown as 00:00:00), an OUI Description field and an Add button.) 4.8 Associated Client Status / Statistics. Managed AP Statistics. Status > Traffic Monitor > Managed AP Statistics. The Managed AP Statistics page shows information about traffic on the wired and wireless interfaces of the access point. This information can help diagnose network issues such as throughput problems. The following figure shows the Managed Access Point Statistics page with a managed AP. MAC Address: This field shows the MAC address of the client station. Interface: This field shows the interface type, WLAN or Ethernet. Packets Transmitted: This field shows the packets transmitted to the client station. Packets Received: This field shows the packets received from the client station. Bytes Transmitted: This field shows the bytes transmitted to the client station. Bytes Received: This field shows the bytes received from the client station. Figure 59: Managed AP Statistics. (The Managed Access Point Statistics table lists, per interface (WLAN and Ethernet) of the managed AP, Packets Transmitted, Packets Received, Bytes Transmitted and Bytes Received, with a View Detai
114. f each configuration parameter, refer to the online help that can be accessed from each page in the controller GUI. 1.2 Typographical Conventions. The following is a list of the various terms, followed by an example of how that term is represented in this document: Product Name: D-Link Wireless Controller (model numbers: DWC-1000); GUI Menu Path / GUI Navigation: Monitoring > Controller Status; Important note: marked with a note icon. Chapter 2: Configuring Your Network. It is assumed that the user has a machine for management connected to the LAN of the controller. The LAN connection may be through the wired Ethernet ports available on the controller or, once the initial setup is complete, the DWC may also be managed through its wireless interface, as it is bridged with the LAN. Access the controller's graphical user interface (GUI) for management by using any web browser, such as Microsoft Internet Explorer or Mozilla Firefox. Go to http://192.168.10.1 (the default IP address) to display the controller's management login screen. Default login credentials for the management GUI: Username admin, Password admin. Note: If the controller's LAN IP address was changed, use that IP address in the navigation bar of the browser to access the controller's management UI. 2.1 LAN Configuration. Setup > Network Settings > LAN Setup Configuration. By default the controller functions as
115. fe80::1800:2bff:fe10:1c45/64. Option State: DOWN. IPv6 Connection Type: Dynamic IP (DHCP). IPv6 Connection State: Not Yet Connected. Gateway, Primary DNS, Secondary DNS: (not yet assigned). The WAN status page allows you to enable or disable static WAN links. For WAN settings that are dynamically received from the ISP, you can Renew or Release the link parameters if required. 3.3 Features with Multiple WAN Links. This controller supports multiple WAN links. This allows you to take advantage of failover and load balancing features to ensure certain internet-dependent services are prioritized in the event of unstable WAN connectivity on one of the ports. 3.3.1 / 3.3.2. Setup > Internet Settings > Option Mode. To use Auto Failover or Load Balancing, WAN link failure detection must be configured. This involves accessing DNS servers on the internet or pinging an internet address (user defined). If required, you can configure the number of retry attempts when the link seems to be disconnected, or the threshold of failures that determines if a WAN port is down. Auto Failover: In this case one of your WAN ports is assigned as the primary internet link for all internet traffic. The secondary WAN port is used for redundancy in case the primary link goes down for any reason. Both WAN ports (primary and secondary) must be configured to connect to the respective ISPs before enabling this feature. The secondary WAN port
116. fect non-WLAN features on the controller, such as VLAN or STP functionality. WLAN Controller Operational Status: Shows the operational status of the controller. The status can be one of the following values: Enabled, Enable Pending, Disabled, Disable Pending. Figure 11: WLAN global configuration. (The WLAN Global Settings page guides you through common and easy steps to configure your DWC-1000 router WLAN global settings; make sure that the WLAN controller is enabled. The figure shows Wireless Global Configuration with Enable WLAN Controller checked, WLAN Controller Operational Status Enabled, IP Address 192.168.10.1, AP Validation, RADIUS Server Configuration with RADIUS Authentication Server Name "Default RADIUS Server" and RADIUS Authentication Server Status Not Configured, RADIUS Accounting Server Name "Default RADIUS Server" and RADIUS Accounting Server Status Not Configured, RADIUS Accounting, and Country Configuration with Country Code US (United States).) IP Address: This field shows the IP address of the WLAN interface on the controller. If the controller does not have the Routing Package installed, or if routing is disabled, the IP address is the network interface. If the routing package is installed and enabled, this is the IP address of
117. fied as a threat by one of the threat detection algorithms. Age: Time since any event has been received for this client that updated the detected client database entry. Create Time: Time since this entry was first added to the detected clients database. Figure 48: Detected Client Status. (The List of Detected Clients table has the columns MAC Address, Client Name, Client Status, Age and Create Time; the figure lists several clients with status Detected and Age / Create Time values in the form 0d:00:02:16.) This page includes the following buttons: Delete (delete the selected client from the list; if the client is detected again, it will be added to the list); Delete All (deletes all non-authenticated clients from the Detected Client database; as clients are detected, they are added to the database and appear in the list); Acknowledge All Rogues (clear the rogue status of all clients listed as rogues in the Detected Client database; the status of an acknowledged client is returned to the status it had when it was first detected). If the detected client fai
118. for another controller, the value is None. Timestamp: Indicates the last time this controller received any configuration data from a peer controller. The Peer Controller Managed AP Status page displays information about the APs that each peer controller in the cluster manages. Use the menu above the table to select the peer controller with the AP information to display. Each peer controller is identified by its IP address. Figure 43: Configuration Receive Status. (The Configuration Receive Status page provides information about the configuration a switch has received from a peer controller; the figure shows Current Receive Status Not Started and, under Last Configuration Received, Peer Controller IP Address 0.0.0.0, Configuration None, Timestamp Jan 1 00:00:00 1970.) 4.6 Wireless Client Status. Associated Client Status. Status > Wireless Client Info > Associated Clients > Status. You can view a variety of information about the wireless clients that are associated with the APs the controller manages. MAC Address: The Ethernet address of the client station. If the MAC address is followed by an asterisk, the client is associated with an AP managed by a peer controller. AP MAC Address: The Ethernet address of the AP. SSID: The network on which the client is c
119. g Logs to E-mail or Syslog. Tools > Log Settings > Remote Logging. Once you have configured the type of logs that you want the controller to collect, they can be sent to either a Syslog server or an e-mail address. For remote logging, a key configuration field is the Remote Log Identifier. Every logged message will contain the configured prefix of the Remote Log Identifier, so that syslog servers or e-mail addresses that receive logs from more than one controller can sort for the relevant device's logs. Once you enable the option to e-mail logs, enter the e-mail server's address (IP address or FQDN of the SMTP server). The controller will connect to this server when sending e-mails out to the configured addresses. The SMTP port and return e-mail address are required fields to allow the controller to package the logs and send a valid e-mail that is accepted by one of the configured send-to addresses. Up to three e-mail addresses can be configured as log recipients. In order to establish a connection with the configured SMTP port and server, define the server's authentication requirements. The controller supports Login, Plain (no encryption) or CRAM-MD5 (encrypted) for the username and password data to be sent to the SMTP server. Authentication can be disabled if the server does not have this requirement. In some cases the SMTP server may send out IDENT requests, and this controller can h
120. going into and out of the port is tagged. Untagged traffic coming into the port is not forwarded, except for the default VLAN with PVID 1, which is untagged. Trunk ports multiplex traffic for multiple VLANs over the same physical link. Select the PVID for the port when the General mode is selected. Configured VLAN memberships will be displayed in the VLAN Membership Configuration for the port. By selecting one or more VLAN membership options for a General or Trunk port, traffic can be routed between the selected VLAN membership IDs. Figure 7: Configuring VLAN membership for a port. (The VLAN Configuration page allows the user to configure the port VLAN: Port, Mode and PVID (shown as 1), with Apply and Cancel, and a VLAN Membership Configuration section with its own Apply and Cancel.) 2.3 Configurable Port: DMZ Setup. This controller supports one of the physical ports being configured as a secondary WAN Ethernet port or a dedicated DMZ port. A DMZ is a subnetwork that is open to the public but behind the firewall. The DMZ adds an additional layer of security to the LAN, as specific services/ports that are exposed to the internet on the DMZ do not have to be exposed on the LAN. It is recommended that hosts that must be exposed to the internet, such as
121. gs Don't Save Settings. [Schedule configuration screen: Schedule Name; Scheduled Days: All Days, or Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, Sunday]
2. Since we are trying to block HTTP requests, it is a service with To Zone "Insecure (WAN1/WAN2)" that is to be blocked according to schedule "Weekend".
3. Select the Action to "Block by Schedule, otherwise allow". This will take a predefined schedule and make sure the rule is a blocking rule during the defined dates/times. All other times outside the schedule will not be affected by this firewall blocking rule.
4. As we defined our schedule in schedule "Weekend", this is available in the dropdown menu.
5. We want to block the IP range assigned to the marketing group. Let's say they have IP 192.168.10.20 to 192.168.10.30. On the Source Users dropdown select "Address Range" and add this IP range as the From and To IP addresses.
6. We want to block all HTTP traffic to any services going to the insecure zone. The Destination Users dropdown should be "any".
7. We don't need to change the default QoS priority or Logging unless desired; clicking Apply will add this firewall rule to the list of firewall rules.
8. The last step is to enable this firewall rule. Select the rule and click Enable below.
122. hat are being triggered based on outbound requests from a defined outgoing port.
5.8 Web Content Filtering
The gateway offers some standard web filtering options to allow the admin to easily create internet access policies between the secure LAN and insecure WAN. Instead of creating policies based on the type of traffic (as is the case when using firewall rules), web-based content itself can be used to determine if traffic is allowed or dropped.
5.8.1 Content Filtering (Advanced > Website Filter > Content Filtering)
Content filtering must be enabled to configure and use the subsequent features (list of Trusted Domains, filtering on Blocked Keywords, etc.). Proxy servers, which can be used to circumvent certain firewall rules and are thus a potential security gap, can be blocked for all LAN devices. Java applets can be prevented from being downloaded from internet sites, and similarly the gateway can prevent ActiveX controls from being downloaded via Internet Explorer. For added security, cookies, which typically contain session information, can be blocked as well for all devices on the private network.
Figure 70: Content Filtering used to block access to proxy servers and prevent ActiveX controls from being downloaded.
123. hat should not access the internet.
• Port triggers that signal the controller to allow or block access to specified services as defined by port number.
• Reports and alerts that you want the controller to send to you.
You can, for example, establish restricted access policies based on time of day, web addresses and web address keywords. You can block Internet access by applications and services on the LAN, such as chat rooms or games. You can block just certain groups of PCs on your network from being accessed by the WAN or public DMZ network.
Firewall Rules (Advanced > Firewall Settings > Firewall Rules)
Inbound (WAN to LAN/DMZ) rules restrict access to traffic entering your network, selectively allowing only specific outside users to access specific local resources. By default, all access from the insecure WAN side is blocked from reaching the secure LAN, except in response to requests from the LAN or DMZ. To allow outside devices to access services on the secure LAN, you must create an inbound firewall rule for each service.
If you want to allow incoming traffic, you must make the controller's WAN port IP address known to the public. This is called exposing your host. How you make your address known depends on how the WAN ports are configured for this controller: you may use the IP address if a static address is assigned to the WAN port, or, if your WAN address is dynamic, a DDNS (Dyn
124. he same RIP version is required. MD5 authentication is used in a first/second key exchange process. The authentication key validity lifetimes are configurable to ensure that the routing information exchange is with current and supported controllers detected on the LAN.
3.4.3 Static Routing (Advanced > Routing > Static Routing; Advanced > IPv6 > IPv6 Static Routing)
Manually adding static routes to this device allows you to define the path selection of traffic from one interface to another. There is no communication between this controller and other devices to account for changes in the path; once configured, the static route will be active and effective until the network changes.
The List of Static Routes displays all routes that have been added manually by an administrator and allows several operations on the static routes. The List of IPv4 Static Routes and List of IPv6 Static Routes share the same fields, with one exception:
• Name: Name of the route, for identification and management.
• Active: Determines whether the route is active or inactive. A route can be added to the table and made inactive if not needed. This allows routes to be used as needed without deleting and re-adding the entry. An inactive route is not broadcast if RIP is enabled.
• Private: Determines whether the route can be shared with other controllers when RIP is enabled. If the route is made private, then the r
125. his group is added, a user can then add system users to it.
When SSLVPN users are selected, the SSLVPN settings are displayed with the following parameters, as captured in SSLVPN Settings. As per the Authentication Type, the SSL VPN details are configured:
• Authentication Type: The authentication type can be one of the following: Local User Database (default), Radius-PAP, Radius-CHAP, Radius-MSCHAP, Radius-MSCHAPv2, NT Domain, Active Directory and LDAP.
• Authentication Secret: If the domain uses RADIUS authentication, then the authentication secret is required, and this has to match the secret configured on the RADIUS server.
• Workgroup: This is required for NT domain authentication. If there are multiple workgroups, the user can enter the details for up to two workgroups.
• LDAP Base DN: This is the base domain name for the LDAP authentication server. If there are multiple LDAP authentication servers, the user can enter the details for up to two LDAP Base DNs.
• Active Directory Domain: If the domain uses Active Directory authentication, the Active Directory domain name is required. Users configured in the Active Directory
126. ic Monitor
4.3 Active Connections
4.3.1 Sessions through the controller (Status > Active Sessions)
This table lists the active internet sessions through the controller's firewall. The session's protocol, state, and local and remote IP addresses are shown.
Figure 34: List of current Active Firewall Sessions (columns: Local, Internet, Protocol, State).
127. ied by its IP address or range of addresses.
• Mask Length: Required when the governed resource is identified by a range of addresses within a subnet.
• Port range: If the policy governs a type of traffic, this field is used for defining the TCP or UDP port number(s) corresponding to the governed traffic. Leaving the starting and ending port range blank corresponds to all UDP and TCP traffic.
• Service: This is the SSL VPN service made available by this policy. The services offered are VPN tunnel, port forwarding, or both.
• Defined resources: This policy can provide access to specific network resources. Network resources must be configured in advance of creating the policy to make them available for selection as a defined resource. Network resources are created with the following information.
• Permission: The assigned resources defined by this policy can be explicitly permitted or denied.
7.2.1 Using Network Resources (Setup > VPN Settings > SSL VPN Server > Resources)
Network resources are services or groups of LAN IP addresses that are used to easily create and configure SSL VPN policies. This shortcut saves time when creating similar policies for multiple remote SSL VPN users. Adding a Network Resource involves creating a unique name to identify the resource and assigning it to one or all of the supported SSL services. Once this is done, editing one of the created network resources a
128. ing a level of security that port forwarding does not offer.
Note: Port triggering is not appropriate for servers on the LAN, since there is a dependency on the LAN device making an outgoing connection before incoming ports are opened.
Some applications require that when external devices connect to them, they receive data on a specific port or range of ports in order to function properly. The controller must send all incoming data for that application only on the required port or range of ports. The controller has a list of common applications and games with corresponding outbound and inbound ports to open. You can also specify a port triggering rule by defining the type of traffic (TCP or UDP) and the range of incoming and outgoing ports to open when enabled.
Figure 69: List of Available Application Rules, showing 4 unique rules (columns: Name, Enable, Protocol, Interface, Outgoing Ports Start/End Port, Incoming Ports Start/End Port).
The application rule status page will list any active rules, i.e. incoming ports t
129. ions
• Mode: The mode of this VLAN can be General, Access or Trunk. The default is Access.
• In General mode the port is a member of a user-selectable set of VLANs. The port sends and receives data that is tagged or untagged with a VLAN ID. If the data into the port is untagged, it is assigned the defined PVID. In the configuration from Figure 4, Port 3 is a General port with PVID 3, so untagged data into Port 3 will be assigned PVID 3. All tagged data sent out of the port with the same PVID will be untagged. This mode is typically used with IP Phones that have dual Ethernet ports. Data coming from the phone to the switch port on the controller will be tagged. Data passing through the phone from a connected device will be untagged.
Figure 6: Port VLAN list.
• In Access mode the port is a member of a single VLAN, and only one. All data going into and out of the port is untagged. Traffic through a port in access mode looks like any other Ethernet frame.
• In Trunk mode the port is a member of a user-selectable set of VLANs. All data
130. iscovery messages are used by the host for auto-configuration. There are no managed addresses to serve the LAN nodes. If Stateful is selected, the IPv6 LAN host will rely on an external DHCPv6 server to provide the required configuration settings.
The domain name of the DHCPv6 server is an optional setting.
Server Preference is used to indicate the preference level of this DHCP server. DHCP advertise messages with the highest server preference value to a LAN host are preferred over other DHCP server advertise messages. The default is 255.
The DNS server details can be manually entered here (primary/secondary options). An alternative is to allow the LAN DHCP client to receive the DNS server details from the ISP directly. By selecting "Use DNS proxy", this router acts as a proxy for all DNS requests and communicates with the ISP's DNS servers (a WAN configuration parameter).
Primary and Secondary DNS servers: If there are configured domain name system (DNS) servers available on the LAN, enter the IP addresses here.
Lease/Rebind time sets the duration of the DHCPv6 lease from this router to the LAN client.
IPv6 Address Pools: This feature allows you to define the IPv6 delegation prefix for a range of IP addresses to be served by the gateway's DHCPv6 server. Using a delegation prefix, you can automate the process of informing other networking equipment on the LAN of DHCP information specific to the assigned prefix.
Prefix Delegation: The follo
131. ith a user database, user accounts created in the controller are used to authenticate users. With a configured RADIUS server, the controller connects to a RADIUS server and passes to it the credentials that it receives from the VPN client. You can secure the connection between the controller and the RADIUS server with the authentication protocol supported by the server: PAP or CHAP. For RADIUS-PAP, the controller first checks in the user database to see if the user credentials are available; if they are not, the controller connects to the RADIUS server.
6.2.2 Internet over IPSec tunnel
In this feature all the traffic will pass through the VPN Tunnel, and from the Remote Gateway the packet will be routed to the Internet. On the remote gateway side the outgoing packet will be SNAT'ed.
6.3
6.4
6.4.1 Configuring VPN clients
Remote VPN clients must be configured with the same VPN policy parameters used in the VPN tunnel that the client wishes to use: encryption, authentication, life time and PFS key group. Upon establishing these authentication parameters, the VPN Client user database must also be populated with an account to give a user access to the tunnel.
Note: VPN client software is required to establish a VPN tunnel between the controller and the remote endpoint. Open source software (such as OpenVPN or Openswan) as well as Microsoft IPsec VPN software can be configured with the required IKE
132. lable to remote port forwarding users, instead of access to the full LAN like the VPN tunnel.
Note: ActiveX clients are used when the remote user accesses the portal using the Internet Explorer browser. The Java client is used for other browsers like Mozilla Firefox, Netscape Navigator, Google Chrome and Apple Safari.
Figure 87: Example of clientless SSL VPN connections to the DWC-1000 (diagram labels: DNS Server 10.10.10.163, WINS Server 10.10.10.133, Clientless VPN clients, Outside Internet).
7.1 Groups and Users (Advanced > Users > Groups)
The group page allows creating, editing and deleting groups. The groups are associated to a set of user types. The lists of available groups are displayed in the List of Groups page with the group name and description of the group.
• Click Add to create a group.
• Click Edit to update an existing group.
• Click Delete to clear an existing group.
Figure 88: List of groups.
The Group configuration page allows creating a group with a different type of users. The user types are
133. le List ... 33
Internet Connection Setup Wizard ... 35
Manual Option configuration ... 38
PPPoE configuration for standard ISPs ... 39
Option1 configuration for Japanese Multiple PPPoE (part 1) ... 40
Option1 configuration for Multiple PPPoE (part 2) ... 41
Russia L2TP ISP Configuration ... 42
WAN Setup Page ... 43
Connection Status information of Option ... 45
Load Balancing is available when multiple WAN ports are configured and Protocol Bindings have been defined ... 48
Protocol binding setup to associate a service and/or LAN source to a WAN and/or destination network ... 49
Routing Mode is used to configure traffic routing between WAN and LAN as well as Dynamic routing (RIP) ... 51
Static route configuration fields ...
134. le, which can then be downloaded to the local host. The user has to click the Export button to get the CSV file.
Figure 73: Export Approved URL list.
5.9 IP/MAC Binding (Advanced > IP/MAC Binding)
Another available security measure is to only allow outbound traffic from the LAN to the WAN when the LAN node has an IP address matching the MAC address bound to it. This is IP/MAC Binding, and by enforcing the gateway to validate the source traffic's IP address against the unique MAC address of the configured LAN node, the administrator can ensure that traffic from that IP address is not spoofed. In the event of a violation (i.e. the traffic's source IP address doesn't match up with the expected MAC address having the same IP address), the packets will be dropped and can be logged for diagnosis.
Figure 74: The following example binds a LAN host's MAC address to an IP address served by the DWC-1000. If there is an IP/MAC Binding violation, the violating packet will be dropped and logs will be captured.
The table lists all the currently defined IP/MAC Bi
135. list of active IPsec SAs. Table fields are as follows:
Figure 36: List of current Active VPN Sessions (Active IPsec SAs columns: Policy Name, Endpoint, tx KB, tx Packets, State, Action; Active SSL VPN Connections columns: User Name, IP Address, Local PPP Interface, Peer PPP Interface IP, Connect Status, Action; Poll Interval: 10 seconds).
All active SSL VPN connections, both for VPN tunnel and VPN Port forwarding, are displayed on this page as well. Table fields are as follows:
4.4 Access Point status (Status > Access Point Info > APs Summary)
The List of AP page shows summary information about managed, failed and rogue access points the controller has discovered or detected. The status entries can be deleted manually. To clear all APs from the All Access Points status page (except Managed Access Points), click Delete All.
To configure an Authentication Failed AP to be managed by the controller the next time it is discovered, select the check box next to the MAC address of the AP and click Manage. You will be presented with the Valid Access Point Configuration page.
Figure 37: AP status.
136. llows you to configure the object type (either IP address or IP range) associated with the service. The Network Address, Mask Length and Port Range/Port Number can all be defined for this resource as required. A network resource can be defined by configuring the following in the GUI:
• Resource name: A unique identifier name for the resource.
• Service: The SSL VPN service corresponding to the resource (VPN tunnel, Port Forwarding or All).
Figure 98: List of configured resources which are available to assign to SSL VPN policies.
7.3 Application Port Forwarding (Setup > VPN Settings > SSL VPN Server > Port Forwarding)
Port forwarding allows remote SSL users to access specified network applications or services after they log in to the User Portal and launch the Port Forwarding service. Traffic from the remote user to the controller is detected and re-routed based
137. ls, View Radio Details, View VAP Details, Refresh.
This page includes the following buttons:
• View Details: Shows detailed status information collected from the AP.
• View Radio Details: Shows detailed status for a radio interface.
• View VAP Details: Shows summary information about the virtual access points (VAPs) for the selected AP and radio interface on the APs that the controller manages.
• Refresh: Updates the page with the latest information.
WLAN Associated Clients (Status > Traffic Monitor > Associated Clients Statistics > WLAN Associated Clients)
The wireless client can roam among APs without interruption in WLAN service. The controller tracks the traffic the client sends and receives during the entire wireless session while the client roams among APs that the controller manages. The controller stores statistics about client traffic while it is associated with a single AP as well as throughout the roaming session.
MAC Address: This field shows the MAC address of the client station.
Packets Transmitted: This field shows the packets transmitted to the client station.
Packets Received: This field shows the packets received from the client station.
Bytes Transmitted: This field shows the bytes transmitted to the client station.
Bytes Received: This field shows the bytes received from the client station.
Figure 60: WLAN Associated Clients.
138. ls any of the tests that classify it as a threat, it will be listed as a Rogue again.
• Refresh: Updates the page with the latest information.
Pre-Authorization History (Status > Wireless Client Info > Pre-Auth History)
To help authenticated clients roam without losing sessions and needing to re-authenticate, wireless clients can attempt to authenticate to other APs within range that the client could possibly associate with. For successful pre-authentication, the target AP must have a VAP with an SSID and security configuration that matches that of the client, including MAC authentication, encryption method, and pre-shared key or RADIUS parameters. The AP that the client is associated with captures all pre-authentication requests and sends them to the controller.
MAC Address: MAC address of the client.
AP MAC Address: MAC address of the managed AP to which the client has pre-authenticated.
Radio Interface Number: Radio number to which the client is authenticated, which is either Radio 1 or Radio 2.
VAP MAC Address: VAP MAC address to which the client roamed.
SSID: SSID name used by the VAP.
Age: Time since the history entry was added.
User Name: Indicates the user name of the client that authenticated via 802.1X.
Pre-Authentication Status: Indicates whether the client successfully authenticated, and shows a status of Success or Failure.
Figure 49: Pre-Auth History.
139. ly. The policy name, the SSL service it applies to, the destination network resource or IP addresses, and the permission (deny/permit) are outlined in a list of configured policies for the controller.
Figure 97: SSL VPN policy configuration (fields include Port Range/Port Number Begin 0-65535, End 0-65535, Service: VPN Tunnel).
To configure a policy for a single user or group of users, enter the following information:
• Policy for: The policy can be assigned to a group of users, a single user, or all users, making it a global policy. To customize the policy for specific users or groups, the user can select from the Available Groups and Available Users drop-down.
• Apply policy to: This refers to the LAN resources managed by the DWC-1000, and the policy can provide or prevent access to network resources (IP address, IP network, etc.).
• Policy name: This field is a unique name for identifying the policy.
• IP address: Required when the governed resource is identif
140. managed APs, but on a different channel from the one on which the AP is supposed to be operating.
Managed SSID detected with incorrect security: During the RF Scan the AP examines beacon frames received from other APs and determines whether the detected AP is advertising an open network, WEP or WPA. If the SSID reported in the RF Scan is one of the managed networks and its configured security does not match the detected security, then this test marks the AP as rogue.
Invalid SSID from a managed AP: This test checks whether a known managed AP is sending an unexpected SSID. The SSID reported in the RF Scan is compared to the list of all configured SSIDs that are used by the profile assigned to the managed AP. If the detected SSID doesn't match any configured SSID, then the AP is marked as rogue.
AP is operating on an illegal channel: The purpose of this test is to detect hackers or incorrectly configured devices that are operating on channels that are not legal in the country where the wireless system is set up. Note: In order for the wireless system to detect this threat, the wireless network must contain one or more radios that operate in sentry mode.
Standalone AP with unexpected configuration: If the AP is classified as a known standalone AP, then the controller checks whether the AP is operating with the expected configuration parameters. You configure the expected parameters for the standalone AP in the local or RA
141. munications to the Internet: Enabled (all)
Firewall Source MAC filtering: Disabled
Stealth mode: Enabled
Inbound communications from the Internet
142. n create up to 16 AP profiles on the Unified Wireless Controller.
For each AP profile you can configure the following features:
• Profile settings (Name, Hardware Type ID, Wired Network Discovery VLAN ID)
• Radio settings
• SSID settings
Profile: The Access Point profile name you added. Use 0 to 32 characters.
Profile Status can have one of the following values:
• Associated: The profile is configured, and one or more APs managed by the controller are associated with this profile.
• Associated-Modified: The profile has been modified since it was applied to one or more associated APs; the profile must be re-applied for the changes to take effect.
• Apply Requested: After you select a profile and click Apply, the screen refreshes and shows that an apply has been requested.
• Apply In Progress: The profile is being applied to all APs that use this profile. During this process the APs reset, and all wireless clients are disassociated from the AP.
• Configured: The profile is configured, but no APs managed by the controller currently use this profile.
Note: To associate a profile with an AP, the entry of the AP must be valid and available in the database of the controller.
This page includes the following buttons:
• Edit: To edit the existing AP profile.
• Delete: To delete the existing AP p
143. n domain can be presented with one or more of the controller's supported SSL services, such as the VPN Tunnel page or Port Forwarding page. To configure a portal layout and theme, the following information is needed:
Portal layout name: A descriptive name for the custom portal that is being configured. It is used as part of the SSL portal URL.
Portal site title: The portal web browser window title that appears when the client accesses this portal. This field is optional.
Banner title: The banner title that is displayed to SSL VPN clients prior to login. This field is optional.
Banner message: The banner message that is displayed to SSL VPN clients prior to login. This field is optional.
Display banner message on the login page: The user has the option to either display or hide the banner message on the login page.
HTTP meta tags for cache control: This security feature prevents expired web pages and data from being stored in the client's web browser cache. It is recommended that the user selects this option.
ActiveX web cache cleaner: An ActiveX cache control web cleaner can be pushed from the gateway to the client browser whenever users log in to this SSL VPN portal.
SSL VPN portal page to display: The user can enable either the VPN tunnel page or Port Forwarding, or both, depending on the SSL services to display on this portal.
Once the portal settings are configured, the newly configured portal is added to the list of portal layouts
144. nd rules and allows several operations on the rules.
5.10 Protecting from Internet Attacks (Advanced > Advanced Network > Attack Checks)
Attacks can be malicious security breaches or unintentional network issues that render the controller unusable. Attack checks allow you to manage WAN security threats such as continual ping requests and discovery via ARP scans. TCP and UDP flood attack checks can be enabled to manage extreme usage of WAN resources. Additionally, certain Denial of Service (DoS) attacks can be blocked. These attacks, if uninhibited, can use up processing power and bandwidth and prevent regular network services from running normally. ICMP packet flooding, SYN traffic flooding and Echo storm thresholds can be configured to temporarily suspend traffic from the offending source.
Figure 75: Protecting the controller and LAN from internet attacks (Option Security Checks: Enable Stealth Mode, Block TCP flood; LAN Security Checks: Block UDP flood).
145. ...ndicates the base AP Ethernet MAC address for the managed AP. Radio: displays the managed AP radio interface the client is associated to and its configured mode. Client MAC Address: the Ethernet address of the client station. Client IP Address: the IP address of the client station.
Figure 46: Associated Client VAP Status. [Screenshot: List of VAP Associated Clients with columns AP MAC Address, Client MAC Address, BSSID, SSID, Radio; one entry shows BSSID 1c:af:f7:1f:24:51, SSID MARIZUANA, AP MAC 1c:af:f7:1f:24:40, radio 802.11b/g/n, client e0:a6:70:8e:bf:67 with IP 169.254.36.132.]
This page includes the following buttons:
- Disassociate: disassociates the client from the managed AP.
- Refresh: updates the page with the latest information.
Controller Associated Client Status (Status > Wireless Client Info > Associated Clients > Controller Status). This shows information about the controller that manages the AP to which the client is associated. Controller IP Address: the IP address of the controller that manages the AP to which the client is associated. Client MAC Address: the MAC address of the associated client.
Figure 47: Controller Associated Client Status. [Screenshot: List of Controller Associated Clients, with the column Controller IP Address...]
146. ...nel Support (Setup > VPN Settings > L2TP > L2TP Server). An L2TP VPN can be established through this controller. Once enabled, an L2TP server is available on the controller for LAN and WAN L2TP client users to access. Once the L2TP server is enabled, L2TP clients that are within the configured range of allowed client IP addresses can reach the controller's L2TP server. Once authenticated by the L2TP server (the tunnel endpoint), L2TP clients have access to the network managed by the controller. [p. 127]
Figure 85: L2TP tunnel configuration. [Screenshot: L2TP Server page. L2TP allows an external user to connect to your router through the internet, forming a VPN. This section allows you to enable or disable the L2TP server and define a range of IP addresses for clients connecting to your router. The connected clients can function as if they were on your LAN: they can communicate with LAN hosts, access any servers present, etc. Fields shown: L2TP Server Configuration, Starting IP Address, Ending IP Address, Authentication Supported.]
6.4.3 OpenVPN Support (Setup > VPN Settings > OpenVPN > OpenVPN Configuration). OpenVPN allows peers to authenticate each other using a pre-shared secret key, certificates, or username/password...
147. ...nformation such as the IP addresses, account information, etc. This information is usually provided by your ISP or network administrator. [Screenshot: Primary PPPoE Profile Configuration, Japanese multiple PPPoE, Domain Name System (DNS) Servers: Use These DNS Servers, 192.168.1.2 and 192.158.1.16.]
There are a few key elements of a multiple PPPoE connection:
- Primary and secondary connections are concurrent.
- Each session has a DNS server source for domain name lookup; this can be assigned by the ISP or configured through the GUI.
- The DWC-1000 acts as a DNS proxy for LAN users.
- Only HTTP requests that specifically identify the secondary connection's domain name (for example, flets) will use the secondary profile to access the content available through this secondary PPPoE terminal. All other HTTP/HTTPS requests go through the primary PPPoE connection.
[p. 40] When Japanese multiple PPPoE is configured and the secondary connection is up, some predefined routes are added on that interface. These routes are needed to access the internal domain of the ISP, where it hosts various services. These routes can also be configured through the static routing page.
Figure 20: Option1 configuration for Multiple PPPoE (part 2). [Screenshot: Secondary PPPoE Profile Configuration; fields shown: Address Mode (Dynamic IP / Static IP), IP Address...]
148. ...nistrator, you can monitor the type of traffic that goes through the controller and also be notified of potential attacks or errors when they are detected by the controller. The following sections describe the log configuration settings and the ways you can access these logs. [p. 164]
9.5.1 Defining What to Log (Tools > Log Settings > Logs Facility). The Logs Facility page allows you to determine the granularity of logs to receive from the controller. There are three core components of the controller, referred to as Facilities:
- Kernel: the Linux kernel. Log messages for this facility correspond to traffic through the firewall or network stack.
- System: application- and management-level features available on this controller, including SSL VPN and administrator changes for managing the unit.
- Wireless: this facility corresponds to the 802.11 driver used for providing AP functionality to your network.
- Local1 UTM: this facility corresponds to the IPS (Intrusion Prevention System), which helps in detecting malicious intrusion attempts from the WAN.
For each facility, the following events, in order of severity, can be logged: Emergency, Alert, Critical, Error, Warning, Notification, Information, Debugging. When a particular severity level is selected, all events with severity equal to and greater than the chosen severity are captured. For example, if you have...
149. ...nual or Auto. For Auto policies, the Internet Key Exchange (IKE) protocol dynamically exchanges keys between two IPsec hosts. The Phase 1 IKE parameters are used to define the tunnel's security association details. The Phase 2 Auto policy parameters cover the security association lifetime and the encryption/authentication details of the Phase 2 key negotiation. The VPN policy is one half of the IKE/VPN policy pair required to establish an Auto IPsec VPN tunnel. The IP addresses of the machine or machines on the two VPN endpoints are configured here, along with the policy parameters required to secure the tunnel. [p. 122]
Figure 80: IPsec policy configuration (continued), Auto policy via IKE. [Screenshot: Phase 1 IKE SA Parameters: Exchange Mode, Direction/Type, NAT Traversal (On/Off), NAT Keep Alive Frequency (in seconds), Local Identifier Type (Local WAN IP), Local Identifier, Remote Identifier Type (Remote WAN IP), Remote Identifier, Encryption Algorithm (3DES), Authentication Algorithm (SHA-1), Authentication Method (Pre-shared key), Pre-shared key, Diffie-Hellman (DH) Group (Group 2, 1024 bit), SA Lifetime (sec), Enable Dead Peer Detection, Detection Period (10), Reconnect after failure count, Enable Extended Authentication, Username (admin), Password.]
A Manual policy does not use IKE and instead relies on manual keying to exchange authentication paramete...
150. ...o a private DMZ IP address. [Figure residue: web server www.example.com, public IP address 209.165.200.225 (outside interface); source address translation 209.165.201.225 -> 10.30.30.30 (DMZ interface); DWC inside interface 192.168.10.1; DMZ interface 10.30.30.1; user 192.168.10.10; web server private IP address 10.30.30.30, public IP address 209.165.200.225.] [p. 102]
Figure 64: The firewall rule configuration page allows you to define the To/From zone, service, action and schedules, and to specify source/destination IP addresses as needed. [Screenshot: Firewall Rules page. This page allows you to add a new firewall rule or edit the configuration of an existing firewall rule. The details will then be displayed in the List of Available Firewall Rules table on the Firewall Rules page. Fields shown in Firewall Rule Configuration: From Zone (SECURE (LAN)), Available VLANs (Default), To Zone (INSECURE (Option)), Available VLANs (Default), Service (ANY), Select Schedule (Guest), Source Hosts (Any; From, To), Destination Hosts (Any; To).]
5.3.1 Firewall Rule Configuration Examples. Example 1: Allow inbound HTTP traffic to the DMZ. Situation: you host a public web server on your local DMZ network. You want to allow inbound HTTP requests from any outside IP address to the IP address of your web server at an...
151. ...onnected. BSSID: the Ethernet MAC address for the managed AP VAP where this client is associated. Status: shows status information about wireless clients that are associated with APs managed by the controller.
Figure 44: Associated Client Status. [Screenshot: List of Associated Clients with columns MAC Address, AP MAC Address, SSID, BSSID, Status, Peer Associated; one entry shows client e0:a6:70:8e:bf:67 on AP 1c:af:f7:1f:24:40, SSID MARIZUANA, BSSID 1c:af:f7:1f:24:51, status Authenticated.]
This page includes the following buttons:
- Disassociate: disassociates the selected client from the managed AP.
- View Details: displays associated client details.
- View AP Details: displays associated AP details. [p. 75]
- View SSID Details: lists the SSIDs of the networks that each wireless client associated with a managed AP has used for WLAN access.
- View VAP Details: shows information about the VAPs on the managed AP that have associated wireless clients.
- View Neighbour AP Status: shows information about access points that the client detects.
Associated Client SSID Status (Status > Wireless Client Info > Associated Clients > SSID Status). Each managed AP can have up to 16 different networks, each with a unique SSID. Although several wireless clients might be connected to the same physical AP, they might...
152. [List of Figures, continued]
Available Users with login status and associated Group ... 139
User configuration options ... 140
List of SSL VPN policies (Global filter) ... 141
SSL VPN policy configuration ... 142
List of configured resources which are available to assign to SSL VPN policies ... 144
Figure 99: List of Available Applications for SSL Port Forwarding ... 146
Figure 100: SSL VPN client adapter and access configuration ... 147
Figure 101: Configured client routes only apply in split tunnel mode ... 148
Figure 102: SSL VPN Portal configuration ... 150
Figure 103: USB Device Detection ... 152
Figure 104: Certificate summary for IPsec and HTTPS management ... 154
Figure 105: WIDS AP Configuration ...
153. ...or the wired and wireless interfaces are displayed in the DWC-1000 Status page, and then the resulting hardware resource and controller usage details are summarized on the controller Dashboard.
Device Status (Status > Device Info > Device Status). The DWC-1000 Status page gives a summary of the controller configuration settings configured in the Setup and Advanced menus. The static hardware serial number and current firmware version are presented in the General section. The WAN and LAN interface information shown on this page is based on the administrator configuration parameters. The radio band and channel settings are presented below, along with all configured and active APs that are enabled on this controller. [p. 56]
Figure 29: Device Status display. [Screenshot values: DWC-1000, firmware 1.01B41_WW, serial number QBAA1AC000073; Option1 MAC address 1A:00:2B:10:1C:45, IPv4 address 0.0.0.0 / 255.255.255.0, IPv6 address fe80::1800:2bff:fe10:1c45/64, Option state DOWN, NAT (IPv4 only) Disabled, IPv4 connection type Dynamic IP (DHCP), IPv6 connection type Dynamic IP (DHCPv6), IPv4 and IPv6 connection state Not Yet Connected, link state LINK DOWN, Option mode: Use only single Option port (Option1), gateway 0.0.0.0, primary DNS 0.0.0.0, secondary DNS 0.0.0.0, primary and secondary DNS IPv6 empty; Option2 information: MAC address 1A:00:2B:10:10:46.] [p. 57]...
154. ...oute will not be shared in a RIP broadcast or multicast. This is only applicable for IPv4 static routes.
- Destination: the route will lead to this destination host or IP address.
- IP Subnet Mask: valid for IPv4 networks only; identifies the subnet that is affected by this static route.
- Interface: the physical network interface (WAN1, WAN2, DMZ or LAN) through which this route is accessible.
- Gateway: the IP address of the gateway through which the destination host or network can be reached.
- Metric: determines the priority of the route. If multiple routes to the same destination exist, the route with the lowest metric is chosen. [p. 53]
Figure 27: Static route configuration fields. [Screenshot: Static Route Configuration page, which allows the user to add a new static route.]
3.5 WAN Port Settings (Advanced > Advanced Network > Option Port Setup). The physical port settings for each WAN link can be defined here. If your ISP account defines the WAN port speed or is associated with a MAC address, this information is required by the controller to ensure a smooth connection with the network. The default MTU size supported by all ports is 1500. This is the largest packet size that can pass through the interface without fragmentation. This size can be in...
155. ...p your Internet connection. Ensure that you have the Internet connection information, such as the IP addresses, account information, etc. This information is usually provided by your ISP or network administrator. [Screenshot: PPPoE Profile Configuration; fields shown: PPPoE (Username/Password), Address Mode (Dynamic IP / Static IP), Password, Service, Authentication Type, Reconnect Mode, Maximum Idle Time, Domain Name System (DNS) Servers: Use These DNS Servers, 192.168.1.2 and 192.158.1.16.]
Most PPPoE ISPs use a single control and data connection and require username/password credentials to log in and authenticate the DWC-1000 with the ISP. The ISP connection type for this case is PPPoE (Username/Password). The GUI will prompt you for authentication, service and connection settings in order to establish the PPPoE link.
For some ISPs, most popular in Japan, the use of Japanese Multiple PPPoE is required in order to establish concurrent primary and secondary PPPoE connections between the DWC-1000 and the ISP. The Primary connection is used for the bulk of data and internet traffic, and the Secondary PPPoE connection carries ISP-specific (i.e. control) traffic between the DWC-1000 and the ISP. [p. 39]
Figure 19: Option1 configuration for Japanese Multiple PPPoE (part 1). [Screenshot: Option1 Setup page. This page allows you to set up your Internet connection. Ensure that you have the Internet connection i...]
156. ...pecified. Once the new FQDN is configured, it is displayed in a list of configured hosts for port forwarding. Note: defining the hostname is optional, as the minimum requirement for port forwarding is identifying the TCP application and the local server IP address. The local server IP address of the configured hostname must match the IP address of the configured application for port forwarding. [p. 145]
Figure 99: List of Available Applications for SSL Port Forwarding. [Screenshot: Port Forwarding page (Operation succeeded). The Port Forwarding page allows you to detect and re-route data sent from remote users to the SSL VPN gateway to predefined applications running on private networks. List of Configured Applications for Port Forwarding: Local Server IP Address 97.0.0.64, TCP Port Number 125. List of Configured Host Names for Port Forwarding: Local Server IP Address 192.168.15.25, Fully Qualified Domain Name test.]
SSL VPN Client Configuration (Setup > VPN Settings > SSL VPN Client > SSL VPN Client). An SSL VPN tunnel client provides a point-to-point connection between the browser-side machine and this controller. When an SSL VPN client is launched from the user portal, a network adapter with an IP address from the corporate subnet, DNS and WINS settings is automatically created. This...
157. ...policy parameters to establish an IPsec VPN tunnel. Refer to the client software guide for detailed instructions on setup, as well as the controller's online help. The user database contains the list of VPN user accounts that are authorized to use a given VPN tunnel. Alternatively, VPN tunnel users can be authenticated using a configured RADIUS database. Refer to the online help to determine how to populate the user database and/or configure RADIUS authentication.
PPTP/L2TP Tunnels. This controller supports VPN tunnels from either PPTP or L2TP ISP servers. The controller acts as a broker device to allow the ISP's server to create a TCP control connection between the LAN VPN client and the VPN server.
PPTP Tunnel Support (Setup > VPN Settings > PPTP > PPTP Client). A PPTP VPN client can be configured on this controller. Using this client, you can access a remote network that is local to the PPTP server. Once the client is enabled, the user can access the Status > Active VPNs page and establish the PPTP VPN tunnel by clicking Connect. To disconnect the tunnel, click Drop. [p. 125]
Figure 82: PPTP tunnel configuration. [Screenshot: PPTP Client page. This page allows the user to configure the PPTP VPN client. Fields shown: PPTP Client Configuration, Enable PPTP Client, PPTP Client Config...]
158. ...r SSL users.
- Subject Name: the name that will be displayed as the owner of this certificate. This should be your official registered or company name, as IPsec or SSL VPN peers are shown this field.
- Serial Number: the serial number is maintained by the CA and used to identify this signed certificate.
- Issuer Name: the CA name that issued (signed) this certificate.
- Expiry Time: the date after which this signed certificate becomes invalid; you should renew the certificate before it expires.
To request a self certificate to be signed by a CA, you can generate a Certificate Signing Request from the gateway by entering identification parameters and passing it along to the CA for signing. Once signed, the CA's Trusted Certificate and the signed certificate from the CA are uploaded to activate the self certificate, validating the identity of this gateway. The self certificate is then used in IPsec and SSL connections with peers to validate the gateway's authenticity. [p. 153]
Figure 104: Certificate summary for IPsec and HTTPS management. [Screenshot: Certificates page. Digital Certificates, also known as X.509 Certificates, are used to authenticate the identity of users and systems and are issued by Certification Authorities (CA) such as VeriSign, Thawte and other organizations. Digital Certificates are used by this router during the Internet Key Exchange (IKE) authentication phase to...]
159. ...r channel plan mode. The number you specify in this field controls the number of iterations of the channel assignment. Note: the APs changed in previous iterations cannot be assigned new channels in the next iteration. This history prevents the same APs from being changed time after time.
Channel Plan Interval: if you select the Interval channel plan mode, you can specify the frequency at which the channel plan calculation and assignment occurs. The interval time is in hours, and you can specify an interval that ranges between every 6 hours and every 24 hours.
Channel Plan Fixed Time: if you select the Fixed Time channel plan mode, you can specify the time at which the channel plan calculation and assignment occurs. The channel plan calculation will occur once every 24 hours at the time you specify.
Power Adjustment Mode: you can set the power of the AP radio frequency transmission in the AP profile, the local database, or in the RADIUS server. The power level in the AP profile is the default level for the AP, and the power will [p. 87] not be adjusted below the value in the AP profile. The settings in the local database and RADIUS server always override the power set in the profile. If you manually set the power, the level is fixed and the AP will not use the automatic power adjustment algorithm. You can configure the power as a percentage of maximum power, where the maximum power is the minimum of power...
160. ...r files.
- Internet Key Exchange: mode for securely exchanging encryption keys in ISAKMP as part of building a VPN tunnel.
- ISAKMP: Internet Key Exchange Security Protocol. Protocol for establishing security associations and cryptographic keys on the Internet.
- IPsec: IP security. Suite of protocols for securing VPN tunnels by authenticating or encrypting IP packets in a data stream. IPsec operates in either transport mode (encrypts payload but not packet headers) or tunnel mode (encrypts both payload and packet headers).
- ISP: Internet service provider.
- MAC Address: Media access control address. Unique physical address identifier attached to a network adapter.
- MTU: Maximum transmission unit. Size in bytes of the largest packet that can be passed on. The MTU for Ethernet is a 1500 byte packet.
- NAT: Network Address Translation. Process of rewriting IP addresses as a packet passes through a controller or firewall. NAT enables multiple hosts on a LAN to access the Internet using the single public IP address of the LAN's gateway controller.
- NetBIOS: Microsoft Windows protocol for file sharing, printer sharing, messaging, authentication and name resolution.
- NTP: Network Time Protocol. Protocol for synchronizing a controller to a single clock on the network, known as the clock master.
- PAP: Password Authentication Protocol. Protocol for authenticating users to a remote access server. [p. 178]
- Point to Point...
161. ...ration settings for facility and severity. This data is useful when evaluating IPsec VPN traffic and tunnel health. [p. 171]
Figure 115: VPN logs displayed in GUI event viewer. [Screenshot: VPN Logs page, which shows the VPN (IPsec) related log. Sample entry: Fri Oct 07 03:39:23 2011 GMT 0000 DWC-1000 IKE INFO IKE started. Buttons: Refresh Logs, Clear Logs.]
9.6 Backing up and Restoring Configuration Settings (Tools > System). You can back up the controller's custom configuration settings to restore them to a different device, or to the same controller after some other changes. During backup, your settings are saved as a file on your host. You can restore the controller's saved settings from this file as well. This page will also allow you to revert to factory default settings or execute a soft reboot of the controller.
IMPORTANT: During a restore operation, do NOT try to go online, turn off the controller, shut down the PC, or do anything else to the controller until the operation is complete. This will take approximately 1 minute. Once the LEDs are turned off, wait a few more seconds before doing anything with the controller.
For backing up configuration or restoring a previously saved configura...
162. ...re. You can upgrade to a newer software version from the Administration web page. In the Firmware Upgrade section, to upgrade your firmware click Browse, locate and select the firmware image on your host, and click Upgrade. After the new firmware image is validated, the new image is written to flash and the controller is automatically rebooted with the new firmware. The Firmware Information, and also the Status > Device Info > Device Status page, will reflect the new firmware version. [p. 173]
IMPORTANT: During a firmware upgrade, do NOT try to go online, turn off the DWC-1000, shut down the PC, or interrupt the process in any way until the operation is complete. This should take only a minute or so, including the reboot process. Interrupting the upgrade process at specific points when the flash is being written to may corrupt the flash memory and render the controller unusable without a low-level process of restoring the flash firmware (not through the web GUI).
Figure 117: Firmware version information and upgrade option. [Screenshot: Firmware page. This page allows the user to upgrade or downgrade the router firmware; it also shows the information regarding firmware version and build time. Firmware Information: 1.01B41_WW, Wed Sep 28 23:33:22 2011. Firmware Upgrade: Locate and select the upgrade file, Browse...]
163. [Table of Contents, continued]
4.7 AP Management ... 83
4.8 Associated Client Status/Statistics ... 95
Securing the Private Network ... 97
5.1 Firewall Rules ... 97
5.2 Defining Rule Schedules ... 98
5.3 Configuring Firewall Rules ... 99
5.3.1 Firewall Rule Configuration Examples ... 103
5.4 Security on Custom Services ... 107
5.5 ALG Support ... 107
5.6 VPN Passthrough for Firewall ... 108
5.7 Application Rules ... 109
5.8 Web Content Filtering ... 110
5.8.1 Content Filtering ... 110
5.8.2 Approved URLs ... 111
5.8.3 Blocked Keywords ... 112
5.8.4 Export Web Filter ... 113
5.9 IP/MAC Binding ... 114
5.10 Protecting from Internet Attacks ... 115
164. [Table of Contents, continued]
9.6 Backing up and Restoring Configuration Settings ... 172
9.7 Upgrading Wireless Controller Firmware ... 173
9.8 Dynamic DNS Setup ... 174
9.9 Using Diagnostic Tools ... 175
9.9.1 Ping ... 176
9.9.2 Trace Route ... 176
9.9.3 DNS Lookup ... 176
9.9.4 ... 177
9.10 License ... 177
Appendix B Factory Default Settings ... 180
List of Figures
Figure 1: Setup page for LAN TCP/IP settings ... 13
Figure 2: IPv6 LAN and DHCPv6 configuration ... 15
Figure 3: Configuring the Router Advertisement Daemon ... 18
Figure 4: IPv6 Advertisement Prefix settings ... 19
Fig...
165. ...rk portion of the address. Typically this is 64.
- Prefix Lifetime: defines the duration, in seconds, that the requesting node is allowed to use the advertised prefix. It is analogous to DHCP lease time in an IPv4 network.
Figure 4: IPv6 Advertisement Prefix settings. [Screenshot: Advertisement Prefixes page; fields shown in Advertise Prefixes Configuration: IPv6 Prefix Type, SLA ID, IPv6 Prefix, IPv6 Prefix Length, Prefix Lifetime (Seconds).]
VLAN Configuration. The controller supports virtual network isolation on the LAN with the use of VLANs. LAN devices can be configured to communicate in a subnetwork defined by VLAN identifiers. LAN ports can be assigned unique VLAN IDs so that traffic to and from that physical port can be isolated from the general LAN. VLAN filtering is particularly useful to limit broadcast packets of a device in a large network. VLAN support is disabled by default in the controller. In the VLAN Configuration page, enable VLAN support on the controller and then proceed to the next section to define the virtual network.
Setup > VLAN Settings > Available VLAN. The Available VLAN page shows a list of configured VLANs by name and VLAN ID. A VLAN membership can be created by clicking the Add button below the List of Available VLANs. A VLAN membership entry...
166. ...rofile.
- Add: allows you to add a new AP profile.
- Copy: allows you to copy the existing AP profile.
- Apply: updates the AP profile configuration details entered.
- Configure Radio: allows you to configure the AP profile radio configuration.
- Configure SSID: allows you to configure the AP profile VAP configuration. [p. 34]
Chapter 3 Connecting to the Internet: WAN Setup. This controller has two WAN ports that can be used to establish a connection to the internet. The following ISP connection types are supported: DHCP, Static, PPPoE, PPTP, L2TP, via USB modem. It is assumed that you have arranged for internet service with your Internet Service Provider (ISP). Please contact your ISP or network administrator for the configuration information that will be required to set up the controller.
3.1 Internet Setup Wizard (Setup > Wizard > Internet). The Internet Connection Setup Wizard is available for users new to networking. By going through a few straightforward configuration pages, you can take the information provided by your ISP to get your WAN connection up and enable internet access for your network.
Figure 16: Internet Connection Setup Wizard. [Screenshot: Internet Connection page. This page will guide you through common configuration tasks such as changing the password and timezone and setting up your internet connection. Internet Connection Setup Wizard...]
167. ...rs between the two IPsec hosts. The incoming and outgoing security parameter index (SPI) values must be mirrored on the remote tunnel endpoint. As well, the encryption and integrity algorithms and keys must match on the remote IPsec host exactly in order for the tunnel to establish successfully. Note that using Auto policies with IKE is preferred, as in some IPsec implementations the SPI (security parameter index) values require conversion at each endpoint.
The DWC-1000 supports a VPN rollover feature. This means that policies configured on the primary WAN will roll over to the secondary WAN in case of a link failure on the primary WAN. This feature can be used only if your WAN is configured in Auto Rollover mode. [p. 123]
Figure 81: IPsec policy configuration (continued), Auto/Manual Phase 2. [Screenshot: Phase 2 Manual Policy Parameters: SPI Incoming, SPI Outgoing, Encryption Algorithm, Key Length, Key In, Key Out, Integrity Algorithm, Key In, Key Out. Phase 2 Auto Policy Parameters: SA Lifetime (Seconds), Encryption Algorithm (3DES), Key Length, Integrity Algorithm, PFS Key Group.]
6.2.1 Extended Authentication (XAUTH). You can also configure extended authentication (XAUTH). Rather than configure a unique VPN policy for each user, you can configure the VPN gateway controller to authenticate users from a stored list of user accounts or with an external authentication server such as a RADIUS server. W...
168. [List of Figures, continued]
Figure 106: WIDS Client Configuration ... 160
Figure 107: Remote Management ... 161
Figure 108: SNMP Users, Traps and Access Control ... 162
Figure 109: SNMP system information for this controller ... 163
Figure 110: Date, Time and NTP Server setup ... 164
Figure 111: Facility settings for Logging ... 166
Figure 112: Log configuration options for traffic through controller ... 168
Figure 113: E-mail configuration as a Remote Logging Option ... 170
Figure 114: Syslog server configuration for Remote Logging (continued) ... 171
Figure 115: VPN logs displayed in GUI event viewer ... 172
Figure 116: Restoring configuration from a saved file will result in the current configuration being overwritten and a reboot ... 173
Figure 117: Firmware version information and upgrade option ... 174
169. ser Manual

Figure 30: Device Status display (continued). Option2 information: MAC 1A:00:2B:10:1C:46, IPv4 0.0.0.0 / 255.255.255.0, IPv6 fe80::1800:2bff:fe10:1c46/64, state DOWN, Dynamic IP (DHCP), Dynamic IP (DHCPv6), Not Yet Connected, LINK DOWN; Use only single Option port: Option1; Option1 information: MAC 1A:00:2B:10:1C:44, 192.168.10.1 / 255.255.255.0, fe80::1800:2bff:fe10:1c44/64, fe80::200:ff:f200:0/64, fecd::1/64.

4.1.2 Resource Utilization

Status > Device Info > Dashboard

The Dashboard page presents hardware and usage statistics. CPU and memory utilization is a function of the available hardware, the current configuration and the traffic through the controller. Interface statistics for the wired connections (LAN, WAN1, WAN2, DMZ, VLANs) indicate packets passed through and packets dropped by each interface. Click Refresh to have this page retrieve the most current statistics.

Figure 31: Resource Utilization statistics. Dashboard screen: "This page displays the resources being used in the system currently. This page also shows the bandwidth used in the form of bar graphs." Bandwidth Usage: HTTP 1129.0, HTTPS 0.28, DNS 185.0; Used Applications (Select Interface: ALL): HTTP 86, HTTPS 0 MB, DNS 14.

Figure 32: Resource Utilization data (continued)

In
170. Table of Contents (continued):
Chapter 8 Advanced Configuration Tools
8.1 USB Device Setup
8.2 Authentication Certificates
8.3 WIDS Security
8.3.1 WIDS AP Configuration
8.3.2 WIDS Client Configuration
Chapter 9 Administration & Management
9.1 Remote Management
9.2 CLI Access
9.3 SNMP Configuration
9.4 Configuring Time Zone and NTP
9.5 Log Configuration
9.5.1 Defining What to Log
9.5.2 Sending Logs to E-mail or Syslog
9.5.3 Event Log Viewer in GUI
171. Figure 106: WIDS Client Configuration (continued). Test fields: Not Present in OUI Database Test (Enable/Disable); Not Present in Known Client Database Test (Enable/Disable); Configured Authentication Rate Test (Enable); Configured Probe Requests Rate Test.

Chapter 9 Administration & Management

9.1 Remote Management

Both HTTPS and telnet access can be restricted to a subset of IP addresses. The controller administrator can define a known PC (a single IP address) or a range of IP addresses that are allowed to access the GUI with HTTPS. The port opened for SSL traffic can be changed from the default of 443 at the same time as defining the allowed remote management IP address range. Telnet carries credentials and session contents in cleartext; where command-line access from the WAN is needed, enable Remote SSH rather than telnet, and keep the allowed address range no wider than the administrators' actual source addresses.

Figure 107: Remote Management. Screen text: "From this page a user can configure the remote management feature. This feature can be used to manage the box remotely from the WAN side." Fields: Enable Remote Management, Enable Remote SSH, Access Type, From IP Address, To IP Address, HTTPS Port Number, Enable Remote SNMP.

9.2 CLI Access

In addition to the web-based GUI, the gateway supports SSH and Telnet management for command-line interaction. The C
172. Managed AP status screen (continued). Example row: radio 1 802.11a/n; MAC 1c:af:f7:1f:24:40, IP 192.168.10.100, age 0d:00:00:03, status Authenticated, profile 1 (Default), radio 2 802.11b/g/n; buttons: View VAP Details, Refresh.

MAC Address: The Ethernet address of the controller-managed AP.
IP Address: The network IP address of the managed AP.
Age: Time since the last communication between the controller and the AP.
Status: The current managed state of the AP. The possible values are:
- Discovered: The AP is discovered by the controller but is not yet authenticated.
- Authenticated: The AP has been validated and authenticated (if authentication is enabled), but it is not configured.
- Managed: The AP profile configuration has been applied to the AP and it is operating in managed mode.
- Failed: The controller lost contact with the AP. A failed entry will remain in the managed AP database unless you remove it. Note that a managed AP will temporarily show a Failed status during a reset.
Profile: The AP profile configuration currently applied to the managed AP. The profile is assigned to the AP in the Valid AP database.
Radio Interface: Shows the wireless radio mode that each radio on the AP is using.

This page includes the following buttons:
- Delete: Manually clear existing APs.
- View AP details: Shows detailed status information collected from the AP.
- View Radio details: Shows detailed status for a radio interface.
- View N
173. Table of Contents (continued):
Peer Controller Configuration Status
Peer Controller Managed AP Status
Configuration Receive Status
Associated Client Status
Associated Client SSID Status
Associated Client VAP Status
Controller Associated Client Status
Detected Client Status
Detected Client Pre-Authentication History
Detected Client Roam History
Valid Access Point Configuration
Add a Valid Access Point
RF Configuration
Channel Plan History
Manual Channel Plan
Manual Power Adjustment Plan
A
174. ted, and the IP header is not modified or encrypted.
- Tunnel: This mode is used for network-to-network IPsec tunnels where this gateway is one endpoint of the tunnel. In this mode the entire IP packet, including the header, is encrypted and/or authenticated. When tunnel mode is selected you can enable NetBIOS and DHCP over IPsec. DHCP over IPsec allows this controller to serve IP leases to hosts on the remote LAN. In this mode you can also define the single IP address, range of IPs or subnet on both the local and remote private networks that can communicate over the tunnel.

Figure 79: IPsec policy configuration. Screen text: "This page allows user to add/edit VPN (IPsec) policies which includes Auto and Manual policies." Fields: Policy Name, Policy Type (Auto Policy), IKE Version (IKEv1 / IKEv2), IPsec Mode (Tunnel Mode), Select Local Gateway (Option), Remote Endpoint (IP Address), Enable Mode Config, Enable NetBIOS, Enable RollOver, Protocol (ESP), Enable DHCP, Local IP (Subnet), Local Start IP Address.

Once the tunnel type and endpoints of the tunnel are defined, you can determine the Phase 1 / Phase 2 negotiation to use for the tunnel. This is covered in the IPsec mode setting, as the policy can be Ma
175. terface: LAN Interface, Option1 Interface, DMZ, Option2 Interface, VLAN Port; columns: Incoming Packets, Outgoing Packets, Dropped In Packets, Dropped Out Packets, Active Info.

4.2 Traffic Statistics

4.2.1 Wired Port Statistics

Status > Traffic Monitor > Device Statistics

Detailed transmit and receive statistics for each physical port are presented here. Each interface (WAN1, WAN2, DMZ, LAN and VLANs) has port-specific packet-level information provided for review. Transmitted and received packets, port collisions and the cumulative byte counts and bytes per second in the transmit and receive directions are provided for each interface, along with the port up time. If you suspect issues with any of the wired ports, this table will help diagnose uptime or transmit-level issues with the port.

The statistics table has an auto-refresh control which allows display of the most current port-level data at each page refresh. The default auto-refresh interval for this page is 10 seconds.

Figure 33: Physical port statistics. Device Statistics screen: "This page shows the Rx/Tx packet and byte count for all the system interfaces. It also shows the up time for all the interfaces." System up time: 0 days 2 hours 55 minutes 53 seconds. Columns: Tx Pkts, Rx Pkts, Collisions, Tx B/s, Rx B/s, Uptime.

Traff
176. teways (ALGs) are security components that enhance the firewall and NAT support of this controller to seamlessly support application-layer protocols. In some cases enabling the ALG allows the firewall to use the dynamic, ephemeral TCP/UDP ports that a particular client application such as H.323 or RTSP requires alongside its known ports; without the ALG the administrator would have to open a large number of ports to accomplish the same support. Because the ALG understands the protocol used by the specific application it supports, it is a more secure and efficient way of introducing support for client applications through the controller's firewall than opening static port ranges. Each enabled ALG parses untrusted traffic, so leave ALGs disabled for applications you do not use.

Figure 67: Available ALG support on the controller. Screen text: "Application Level Gateway allows customized NAT traversal filters to be plugged into the gateway to support address and port translation for certain application layer control/data protocols such as TFTP, SIP, RTSP, IPsec, PPTP etc. Each ALG provides special handling for a specific protocol or application. A number of ALGs for common applications are enabled by default."

5.6 VPN Passthrough for Firewall

Advanced > Firewall Settings > VPN Passthrough

This controller's firewall settings can be configured to allow encrypted VPN traffic for IPsec, PPTP and L2TP VPN tunnel connections between
177. the list to make sure the firewall rule is active.

5.4 Security on Custom Services

Advanced > Firewall Settings > Custom Services

Custom services can be defined to add to the list of services available during firewall rule configuration. While common services have well-known TCP/UDP/ICMP ports, many custom or uncommon applications exist in the LAN or WAN. In the custom service configuration menu you can define a range of ports and identify the traffic type (TCP, UDP or ICMP) for the service. Once defined, the new service appears in the services list of the firewall rules configuration menu. Define the port range as narrowly as the application allows, because every rule that references the service inherits its whole range.

Figure 66: List of user-defined services. Custom Services screen: "When you create a firewall rule you can specify a service that is controlled by the rule. Common types of services are available for selection, and you can create your own custom services. This page allows creation of custom services against which firewall rules can be defined. Once defined, the new service will appear in the List of Available Custom Services table." Table columns: Name, Type, ICMP Type, Port Range (example entry: 4554-4556); Edit, Delete.

5.5 ALG support

Advanced > Firewall Settings > ALGs

Application Level Ga
178. the LAN and internet. A specific firewall rule or service is not appropriate to introduce this passthrough support; instead the appropriate check boxes on the VPN Passthrough page must be enabled. Note that an enabled passthrough checkbox takes priority over firewall rules for the same service, so a rule that blocks IPsec, PPTP or L2TP from a particular source will not take effect while passthrough for that protocol is enabled.

Figure 68: Passthrough options for VPN tunnels. VPN Passthrough screen: "This page allows user to configure VPN (IPsec, PPTP and L2TP) passthrough on the router. Enabled passthrough checkboxes have higher priority than firewall rules based on the same service."

5.7 Application Rules

Advanced > Application Rules > Application Rules

Application rules are also referred to as port triggering. This feature allows devices on the LAN or DMZ to request one or more ports to be forwarded to them. Port triggering waits for an outbound request from the LAN/DMZ on one of the defined outgoing ports and then opens an incoming port for that specified type of traffic. This can be thought of as a form of dynamic port forwarding while an application is transmitting data over the opened outgoing or incoming port(s). Port triggering application rules are more flexible than the static port forwarding that is available when configuring firewall rules, because a port triggering rule does not have to reference a specific LAN IP or IP range. As well, ports are not left open when not in use, thereby provid
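The port triggering behaviour described above is easier to reason about as a small state machine: an outbound packet on a trigger port arms the rule for the host that sent it, inbound packets on the associated ports are forwarded to that host while the pinhole is alive, and silence closes it. The simulator below is an added example, not part of this manual or of D-Link's firmware. The rule, hosts, ports and timeout are constructed, and the single-owner and idle-expiry behaviour are assumptions about how a trigger pinhole is tracked rather than a description of the DWC-1000 implementation.

```python
"""Simulate port triggering (application rules).

Added example, not part of the DWC-1000 manual or firmware. The rule,
hosts, ports and timeout values are constructed for illustration; the
single-owner and idle-expiry behaviour are assumptions about how a
trigger pinhole is tracked, not a description of the D-Link implementation.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TriggerRule:
    name: str
    out_protocol: str   # "tcp" or "udp": outbound traffic that arms the rule
    out_ports: range    # outbound destination ports that arm the rule
    in_protocol: str    # protocol of the inbound traffic admitted once armed
    in_ports: range     # inbound destination ports opened once armed
    idle_timeout: int   # seconds of silence after which the pinhole closes


@dataclass
class Pinhole:
    lan_host: str
    last_seen: float


class PortTrigger:
    def __init__(self, rules):
        self.rules = list(rules)
        self.pinholes = {}   # rule name -> Pinhole; one LAN owner per rule at a time

    def outbound(self, lan_host: str, protocol: str, dst_port: int, now: float) -> bool:
        """Record an outbound packet; return True if it armed a rule."""
        armed = False
        for rule in self.rules:
            if protocol == rule.out_protocol and dst_port in rule.out_ports:
                # The most recent triggering host takes over the pinhole: with port
                # triggering, only one LAN host can receive the inbound traffic.
                self.pinholes[rule.name] = Pinhole(lan_host, now)
                armed = True
        return armed

    def inbound(self, protocol: str, dst_port: int, now: float):
        """Return the LAN host an inbound packet is forwarded to, or None if dropped."""
        self._expire(now)
        for rule in self.rules:
            hole = self.pinholes.get(rule.name)
            if hole and protocol == rule.in_protocol and dst_port in rule.in_ports:
                hole.last_seen = now   # traffic keeps the pinhole alive
                return hole.lan_host
        return None

    def _expire(self, now: float) -> None:
        """Close pinholes that have been idle longer than their rule allows."""
        for rule in self.rules:
            hole = self.pinholes.get(rule.name)
            if hole and now - hole.last_seen >= rule.idle_timeout:
                del self.pinholes[rule.name]


# Constructed rule: an outbound TCP connection to port 5060 opens UDP 10000-10010 inbound.
VOIP_RULE = TriggerRule("voip", "tcp", range(5060, 5061), "udp", range(10000, 10011), 60)


def demo() -> list:
    """Walk through a trigger lifecycle; returns the forwarding decisions in order."""
    fw = PortTrigger([VOIP_RULE])
    decisions = [fw.inbound("udp", 10005, now=0)]          # nothing armed yet -> dropped
    fw.outbound("192.168.10.50", "tcp", 5060, now=1)       # LAN host arms the rule
    decisions.append(fw.inbound("udp", 10005, now=2))      # forwarded to 192.168.10.50
    decisions.append(fw.inbound("tcp", 10005, now=3))      # wrong protocol -> dropped
    fw.outbound("192.168.10.51", "tcp", 5060, now=4)       # another host takes over
    decisions.append(fw.inbound("udp", 10010, now=5))      # now forwarded to .51
    decisions.append(fw.inbound("udp", 10010, now=70))     # idle > 60 s -> pinhole closed
    return decisions


if __name__ == "__main__":
    print(demo())
```

The takeover step is the practical caveat: because a trigger rule is not bound to one LAN address, two hosts using the same application compete for the same pinhole, and the inbound traffic follows whichever host triggered last.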
179. thin the same cluster exchange data about themselves, their managed APs and clients. The controller maintains a database with this data so you can view information about a peer, such as its IP address and software version. If the controller loses contact with a peer, all of the data for that peer is deleted. One controller in a cluster is elected as the Cluster Controller. The Cluster Controller collects status and statistics from all the other controllers in the cluster, including information about the APs the peer controllers manage and the clients associated to those APs.

Cluster Controller IP Address: IP address of the controller that controls the cluster.
Peer Controllers: Displays the number of peer controllers in the cluster.

List of Peer Controllers
IP Address: IP address of the peer wireless controller in the cluster.
Vendor ID: Vendor ID of the peer controller software.
Software Version: The software version for the given peer controller.
Protocol Version: Indicates the protocol version supported by the software on the peer controller.
Discovery Reason: The discovery method of the given peer controller, which can be through an L2 Poll or IP Poll.
Managed AP Count: Shows the number of APs that the controller currently manages.
Age: Time since the last communication with the controller, in hours, minutes and seconds.

Figure 40: Peer Controller Status
180. tion, please follow the steps below.

8. To save a copy of your current settings, click the Backup button in the Save Current Settings option. The browser initiates an export of the configuration file and prompts you to save the file on your host. A configuration backup contains the controller's complete configuration, so store it with the same care as the credentials configured on the device.

9. To restore your saved settings from a backup file, click Browse, then locate the file on the host. After clicking Restore, the controller begins importing the file's saved configuration settings. After the restore, the controller reboots automatically with the restored settings.

10. To erase your current settings and revert to factory default settings, click the Default button. The controller will then restore configuration settings to factory defaults and will reboot automatically. See Appendix B for the factory default parameters for the controller.

Figure 116: Restoring configuration from a saved file will result in the current configuration being overwritten and a reboot. System screen: "This page allows user to do configuration related operations which includes backup, restore and factory default. This page also allows user to reboot the router." Options: Backup / Restore Settings; Save Current Settings (Backup); Restore Saved Settings (Browse, Restore); Restore Factory Default settings (Default); Reboot (Reboot).

9.7 Upgrading wireless controller Firmware

Tools > Firmwa
181. to contact the IP address.
- Discovered: The controller contacted the peer controller or the AP in the L3/IP Discovery list and has authenticated or validated the device.
- Discovered - Failed: The controller contacted the peer controller or the AP with the IP address in the L3/IP Discovery list and was unable to authenticate or validate the device. If the device is an access point, an entry appears in the AP failure list with a failure reason.

Figure 13: Wireless Discovery status. IP Discovery Status screen: "The IP Discovery Status page shows information about communication with the devices in the IP discovery list on the Setup > AP Management > Poll List page." Example entry: IP Address 192.168.10.101, status Polled.

This page includes the following button:
- Refresh: Updates the page with the latest information.

2.6.2 AP Profile Global Configuration

Advanced > AP Profile

On the Access Point Profile Summary page you can add, copy, edit and delete AP profiles. To add a new profile, click Add on the AP Profile Summary page. On the AP Profile Global Configuration page, enter the name of the profile in the Profile Name field, select the hardware type, enter the valid VLAN ID and then click Submit.

Figure 14: AP Profile Global Configuration. Screen text: "From the Access Point Profile Summary page you can create, copy or delete AP profiles. You can create up to 16 AP profiles on the
182. to this AP.

Figure 51: Valid Access Point Configuration. Screen: table with MAC Address (example 00:00:00:00:00:00); buttons Edit, Delete, Add.

This page has the following buttons:
- Edit: To edit AP details on the Valid AP page.
- Delete: To delete a valid AP, provide a valid MAC address on the Valid AP page.
- Add: To add an AP on the Valid AP page.

Figure 52: Add a Valid Access Point. Valid AP screen fields: MAC Address, AP Mode (Managed), Location, Authentication Password, Profile (1 - Default), Expected SSID, Expected Channel (Any), Expected WDS Mode (Any), Expected Security Mode (Any); Submit, Don't Save Settings.

MAC Address: This field shows the MAC address of the AP. To change this field you must delete the entire Valid AP configuration and then enter the correct MAC address from the page that lists all Valid APs.

AP Mode: You can configure the AP to be in one of three modes:
- Standalone: The AP acts as an individual access point in the network. You do not manage the AP by using the controller. Instead, you log on
183. tor from the range of addresses beginning with this IP address.
Client Address Range End: The ending IP address of the DHCP range of addresses served to the client network adapter.

Setup > VPN Settings > SSL VPN Client > Configured Client Routes

If the SSL VPN client is assigned an IP address in a different subnet than the corporate network, a client route must be added to allow access to the private LAN through the VPN tunnel. As well, a static route on the private LAN's firewall (typically this controller) is needed to forward private traffic through the VPN firewall to the remote SSL VPN client. When split tunnel mode is enabled, the user is required to configure routes for VPN tunnel clients:
- Destination network: The network address of the LAN, or the subnet information of the destination network from the VPN tunnel client's perspective, is set here.
- Subnet mask: The subnet information of the destination network is set here.

With split tunnelling, only traffic to the configured destinations is protected by the tunnel; everything else leaves the client over its local interface, so list only the networks clients genuinely need.

Figure 101: Configured client routes only apply in split tunnel mode. SSL VPN Client Route Configuration screen: "The Configured Client Routes entries are the routing entries which will be added by the SSL VPN Client such that only traffic to these destination addresses is redirected through the SSL VPN tunnels. All other traffic is redirected using the native network interface of the hosts (SSL VPN Clients). For example, if the SSL VPN
184. traffic over a long duration. This controller supports up to 8 concurrent Syslog servers. Each can be configured to receive different log facility messages of varying severity. To enable a Syslog server, select the checkbox next to an empty Syslog server field and assign the IP address or FQDN to the Name field. The messages matching the selected facility and severity level will be sent to the configured and enabled Syslog server once you save this configuration page's settings. Classic syslog over UDP is neither authenticated nor encrypted, so place the collector on a network the controller reaches directly rather than sending logs across the WAN.

Figure 114: Syslog server configuration for Remote Logging (continued). Fields: SysLog Facility, SysLog Severity, SysLog Server1 through SysLog Server8.

9.5.3 Event Log Viewer in GUI

Status > Logs > View All Logs

The controller GUI lets you observe configured log messages from the Status menu. Whenever traffic through or to the controller matches the settings determined on the Tools > Log Settings > Logs Facility or Tools > Log Settings > Logs Configuration pages, the corresponding log message is displayed in this window with a timestamp.

Note: It is very important to have accurate system time (set manually or from an NTP server) in order to understand log messages.

Status > Logs > VPN Logs

This page displays IPsec VPN log messages as determined by the configu
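The facility and severity filters above map directly onto the PRI value that prefixes every syslog message: PRI = facility * 8 + severity. The following is an added example, not part of this manual or of D-Link's firmware, that decodes that header and shows which of several configured collectors would receive a given line under per-server facility/severity filters. The sample log lines and the collector definitions are constructed; the 8-server limit mirrors the manual's statement that up to 8 Syslog servers are supported.

```python
"""Decode syslog PRI values and route messages to per-server facility/severity filters.

Added example, not part of the DWC-1000 manual or firmware. The sample
lines and the collector definitions are constructed; the 8-server limit
mirrors the manual's statement that up to 8 Syslog servers are supported.
"""
import re
from dataclasses import dataclass

FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
              16: "local0", 17: "local1", 18: "local2", 19: "local3",
              20: "local4", 21: "local5", 22: "local6", 23: "local7"}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
MAX_SERVERS = 8

_PRI = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def decode_pri(line: str) -> tuple:
    """Split '<PRI>rest' into (facility, severity, rest); PRI = facility * 8 + severity."""
    m = _PRI.match(line)
    if not m:
        raise ValueError("missing <PRI> header")
    pri = int(m.group(1))
    if pri > 191:          # 23 * 8 + 7 is the largest valid value
        raise ValueError(f"PRI {pri} out of range")
    facility, severity = divmod(pri, 8)
    return facility, severity, m.group(2)


@dataclass(frozen=True)
class SyslogServer:
    name: str
    facilities: frozenset        # facility numbers this server wants
    max_severity: int            # accept this severity and anything more urgent (lower number)


def validate_servers(servers) -> None:
    """Enforce the 8-server limit and sane filter values."""
    if len(servers) > MAX_SERVERS:
        raise ValueError(f"at most {MAX_SERVERS} Syslog servers can be configured")
    for s in servers:
        if not 0 <= s.max_severity <= 7 or not s.facilities <= set(FACILITIES):
            raise ValueError(f"bad filter on {s.name}")


def route(line: str, servers) -> list:
    """Names of the servers that would receive this line under their filters."""
    validate_servers(servers)
    facility, severity, _ = decode_pri(line)
    return [s.name for s in servers
            if facility in s.facilities and severity <= s.max_severity]


def describe(line: str) -> str:
    """Human-readable facility.severity prefix for a line."""
    facility, severity, rest = decode_pri(line)
    return f"{FACILITIES.get(facility, facility)}.{SEVERITIES[severity]}: {rest}"


# Constructed collectors: a SOC feed for authentication events, an ops feed for kernel warnings and worse.
SERVERS = [
    SyslogServer("soc-collector", frozenset({4, 10}), max_severity=6),
    SyslogServer("ops-collector", frozenset({0, 16}), max_severity=4),
]

# Constructed sample lines (not real DWC-1000 output).
SAMPLE_LINES = [
    "<38>Oct 11 22:14:15 dwc-1000 sshd: Failed password for admin from 10.1.0.55",
    "<3>Oct 11 22:14:16 dwc-1000 kernel: eth1 link down",
    "<134>Oct 11 22:14:17 dwc-1000 radvd: sending unsolicited RA on LAN",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(describe(line), "->", route(line, SERVERS) or "dropped")
```

Note that a severity threshold admits everything more urgent than the chosen level (lower numbers), which is why the local0 informational line reaches neither collector while the kernel error reaches the ops feed.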
185. unnel using the VPN Wizard, follow the steps below.

1. Select the VPN tunnel type to create.
- The tunnel can either be a gateway-to-gateway connection (site-to-site) or a tunnel to a host on the internet (remote access).
- Set the Connection Name and pre-shared key. The connection name is used for management, and the pre-shared key will be required on the VPN client or gateway to establish the tunnel. Use a long, randomly generated pre-shared key, since it is the secret that authenticates both ends of the tunnel.
- Determine the local gateway for this tunnel. If there is more than one WAN configured, the tunnel can be configured for either of the gateways.

2. Configure the Remote and Local WAN addresses for the tunnel endpoints.
- Remote Gateway Type: identify the remote endpoint of the tunnel by FQDN or static IP address.
- Remote WAN IP address / FQDN: This field is enabled only if the peer you are trying to connect to is a gateway. For VPN clients this IP address or internet name is determined when a connection request is received from a client.
- Local Gateway Type: identify this controller's endpoint of the tunnel by FQDN or static IP address.
- Local WAN IP address / FQDN: This field can be left blank if you are not using a different FQDN or IP address than the one specified in the WAN port's configuration.

3. Configure the Secure Connection Remote Accessibility fields to identify the remote network.
- Remote LAN IP address: address of the LAN behind the peer gateway.
- Remote LAN Subnet Mask
186. uration (PPTP client screen): Server IP (10.10.10._), Remote Network, Remote Netmask, Username, Password, MPPE Encryption, Idle Time Out (100 seconds), Action (Connect).

Setup > VPN Settings > PPTP > PPTP Server

A PPTP VPN can be established through this controller. Once enabled, a PPTP server is available on the controller for LAN and WAN PPTP client users to access. PPTP clients that are within the configured range of allowed client IP addresses can then reach the controller's PPTP server. Once authenticated by the PPTP server (the tunnel endpoint), PPTP clients have access to the network managed by the controller. Of the supported authentication methods, PAP transmits the password in cleartext and should be disabled whenever the clients support a CHAP variant; MS-CHAPv2 is the strongest of the four listed. PPTP as a whole is a legacy protocol, so prefer the controller's IPsec or SSL VPN options for new deployments.

Figure 84: PPTP tunnel configuration - PPTP Server. Screen text: "PPTP allows an external user to connect to your router through the internet. This section allows you to enable/disable the PPTP server and define a range of IP addresses for clients connecting to your router. The connected clients can function as if they are on your LAN; they can communicate with LAN hosts, access any servers present, etc." Fields: PPTP Server Configuration, PPTP Routing Mode, Starting IP Address, Ending IP Address, Authentication Supported (PAP, CHAP, MS-CHAP, MS-CHAPv2).

6.4.2 L2TP Tun
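The difference between the PAP and CHAP choices on the PPTP Server page is what crosses the wire during authentication. The following is an added example, not part of this manual or of D-Link's firmware: it implements the CHAP challenge/response computation from RFC 1994 and the PAP Authenticate-Request payload from RFC 1334, and runs both sides of a CHAP exchange to show that the secret never appears in either message and that a captured response cannot be replayed against a fresh challenge. The MS-CHAP variants are not shown, and PPTP framing itself is not implemented; the secret, peer name and fixed challenge are constructed.

```python
"""CHAP challenge/response versus PAP, as used when a PPTP client authenticates.

Added example, not part of the DWC-1000 manual or firmware. It implements
the CHAP computation from RFC 1994 and the PAP Authenticate-Request payload
from RFC 1334; the MS-CHAP variants are not shown. The secret, peer name
and fixed challenge are constructed. PPTP framing itself is not implemented.
"""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the expected response and compare in constant time."""
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def pap_authenticate_request(peer_id: bytes, password: bytes) -> bytes:
    """RFC 1334 section 2.2.1 payload: Peer-ID-Length, Peer-ID, Passwd-Length, Password.

    The password is carried as-is; anyone who captures the packet has it."""
    return bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password


def run_chap_exchange(secret: bytes, identifier: int = 1, challenge: bytes = None) -> dict:
    """Both sides of one CHAP exchange; returns the messages and the server's verdict."""
    challenge = challenge or os.urandom(16)                   # server -> client: Challenge
    response = chap_response(identifier, secret, challenge)   # client -> server: Response
    return {
        "challenge": challenge,
        "response": response,
        "authenticated": chap_verify(identifier, secret, challenge, response),
        "secret_on_wire": secret in (challenge + response),    # does the secret appear in traffic?
    }


def replay_fails(secret: bytes) -> bool:
    """A captured CHAP response is useless against a fresh challenge."""
    first = run_chap_exchange(secret)
    fresh_challenge = os.urandom(16)
    return not chap_verify(1, secret, fresh_challenge, first["response"])


if __name__ == "__main__":
    secret = b"s3cret-pptp"   # constructed secret
    result = run_chap_exchange(secret)
    print("CHAP authenticated:", result["authenticated"], "| secret visible:", result["secret_on_wire"])
    print("PAP request carries password:", secret in pap_authenticate_request(b"alice", secret))
    print("replayed CHAP response accepted:", not replay_fails(secret))
```

CHAP still lets an eavesdropper mount an offline dictionary attack on the captured challenge/response pair, which is why the secret must be long and random even when PAP is disabled.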
187. Figure 5: Adding VLAN memberships to the LAN
Figure 6: Port
Figure 7: Configuring VLAN membership for a port
Figure 8: DMZ configuration
Figure 9: UPnP Configuration
Figure 10: Active Runtime sessions
Figure 11: WLAN global configuration
Figure 12: Configuring the Wireless Discovery
Figure 13: Wireless Discovery Status
Figure 14: AP Profile Global Configuration
Figure 15: AP Profile
188. user to configure Router Advertisement Daemon (RADVD) related configurations." Fields: RADVD Status, Advertise Mode, Advertise Interval, RA Flags (Managed, Other), Router Preference, Power Saving, MTU, Router Lifetime, Advertisement Prefixes.

Advanced > IPv6 > IPv6 LAN > Advertisement Prefixes

The router advertisements configured with advertisement prefixes allow this router to inform hosts how to perform stateless address auto-configuration. Router advertisements contain a list of subnet prefixes that let hosts determine which destinations are on the same link as the router. The following prefix options are available for the router advertisements:
- IPv6 Prefix Type: To ensure hosts support IPv6-to-IPv4 tunnelling, select the 6to4 prefix type. Selecting Global/Local/ISATAP will allow the nodes to support all other IPv6 routing options.
- SLA ID: The SLA ID (Site Level Aggregation Identifier) is available when 6to4 prefixes are selected. This should be the interface ID of the router's LAN interface used for router advertisements.
- IPv6 Prefix: When using Global/Local/ISATAP prefixes, this field is used to define the IPv6 network advertised by this router.
- IPv6 Prefix Length: This value indicates the number of contiguous higher-order bits of the IPv6 address that make up the netwo
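To see what the two prefix types actually advertise, and what a LAN host then does with the prefix, the following added example (not part of this manual or of D-Link's firmware) derives the 6to4 /64 from a WAN IPv4 address and SLA ID, and forms the address a host would auto-configure from that prefix using modified EUI-64. It goes slightly beyond the page by including the host side of SLAAC; the WAN address 192.0.2.118 and SLA ID 1 are constructed, while the MAC 1A:00:2B:10:1C:46 is the Option2 port address shown in Figure 30 of this manual, whose link-local address the code reproduces.

```python
"""Derive a 6to4 RA prefix and the SLAAC address a host forms from it.

Added example, not part of the DWC-1000 manual or firmware. The WAN address
192.0.2.118 and SLA ID 1 are constructed; the MAC 1A:00:2B:10:1C:46 is the
Option2 port address shown in Figure 30 of this manual.
"""
import ipaddress

# 6to4 needs a globally routable IPv4 address; these blocks never qualify.
NOT_USABLE_FOR_6TO4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
)]


def six_to_four_prefix(wan_ipv4: str, sla_id: int) -> ipaddress.IPv6Network:
    """RFC 3056 layout: 2002:<32-bit IPv4>:<16-bit SLA ID>::/64."""
    addr = ipaddress.IPv4Address(wan_ipv4)
    if any(addr in net for net in NOT_USABLE_FOR_6TO4):
        raise ValueError(f"{wan_ipv4} is not a public IPv4 address; 6to4 cannot use it")
    if not 0 <= sla_id <= 0xFFFF:
        raise ValueError("SLA ID must fit in 16 bits")
    value = (0x2002 << 112) | (int(addr) << 80) | (sla_id << 64)
    return ipaddress.IPv6Network((value, 64))


def eui64_address(prefix: ipaddress.IPv6Network, mac: str) -> ipaddress.IPv6Address:
    """The address a SLAAC host forms from a /64 prefix and its MAC (modified EUI-64)."""
    if prefix.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix")
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    # Flip the universal/local bit of the first octet and insert ff:fe in the middle.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return ipaddress.IPv6Address(int(prefix.network_address) | int.from_bytes(iid, "big"))


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """fe80::/64 plus the EUI-64 interface identifier, as shown on the Device Status page."""
    return eui64_address(ipaddress.IPv6Network("fe80::/64"), mac)


def advertised_prefixes(prefix_type: str, wan_ipv4: str = "", sla_id: int = 0,
                        ipv6_prefix: str = "") -> list:
    """Mirror the two Advertisement Prefixes choices: '6to4' or 'Global/Local/ISATAP'."""
    if prefix_type == "6to4":
        return [six_to_four_prefix(wan_ipv4, sla_id)]
    if prefix_type == "Global/Local/ISATAP":
        return [ipaddress.IPv6Network(ipv6_prefix, strict=True)]
    raise ValueError(f"unknown prefix type {prefix_type!r}")


if __name__ == "__main__":
    for prefix in advertised_prefixes("6to4", wan_ipv4="192.0.2.118", sla_id=1):
        print("advertised:", prefix)
        print("host would form:", eui64_address(prefix, "1A:00:2B:10:1C:46"))
    print("link-local:", link_local_address("1A:00:2B:10:1C:46"))
```

Because an EUI-64 address embeds the MAC, a host's hardware address is recoverable from any of its SLAAC addresses; modern clients usually add RFC 4941 temporary addresses on top of the one computed here.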
189. web or email servers be placed in the DMZ network. Firewall rules can be created to permit access to specific services (ports) on the DMZ from both the LAN and WAN. In the event of an attack on any of the DMZ nodes, the LAN is not necessarily vulnerable as well, provided the rules between the DMZ and LAN are kept as restrictive as the hosted services require.

Setup > DMZ Setup > DMZ Setup Configuration

DMZ configuration is identical to the LAN configuration. There are no restrictions on the IP address or subnet assigned to the DMZ port, other than the fact that it cannot be identical to the IP address given to the LAN interface of this gateway (in practice the DMZ subnet should also not overlap the LAN subnet, or routing between the two breaks).

Figure 8: DMZ configuration. DMZ Setup screen: "The De-Militarized Zone (DMZ) is a network which, when compared to the LAN, has fewer firewall restrictions by default. This zone can be used to host servers and give public access to them." DMZ Port Setup: IP Address 176.16.2.1, Subnet Mask 255.255.255.0; DHCP for DMZ Connected Computers: DHCP Mode (DHCP Server), Starting IP Address 176.16.2.100, Ending IP Address 176.16.2.254, Primary DNS Server, Secondary DNS Server, WINS Server, Lease Time, Relay Gateway; DMZ Proxy: Enable DNS Proxy.

Note: In order to configure a DMZ port, the controller's configurable port must be set to DMZ on the Setup > Internet Settings > Configurable Port page.
190. wing settings are used to configure Prefix Delegation:
Prefix Delegation: Select this option to enable prefix delegation in the DHCPv6 server. This option can be selected only in the Stateless Address Auto Configuration mode of the DHCPv6 server.
Prefix Address: IPv6 prefix address in the DHCPv6 server prefix pool.
Prefix Length: Length of the prefix address.

2.1.2 Configuring IPv6 Router Advertisements

Router Advertisements are analogous to IPv4 DHCP assignments for LAN clients, in that the router provides an address prefix and supporting network information to devices that are configured to accept such details; unlike DHCP, each host then forms its own address from the prefix. Router Advertisement is required for stateless auto-configuration of the IPv6 LAN. By configuring the Router Advertisement Daemon on this router, the DWC-1000 will listen on the LAN for router solicitations and respond to these LAN hosts with router advertisements.

Advanced > IPv6 > IPv6 LAN > Router Advertisement

To support stateless IPv6 auto-configuration on the LAN, set the RADVD status to Enable. The following settings are used to configure RADVD:
- Advertise Mode: Select Unsolicited Multicast to send router advertisements (RAs) to all interfaces in the multicast group. To restrict RAs to well-known IPv6 addresses on the LAN and thereby reduce overall network traffic, select Unicast only.
- Advertise Interval: When advertisements are unsoli
191. work detection cycle. If you set the value to 0, wired network detection is disabled.

AP De-Authentication Attack: Enable or disable the AP de-authentication attack. The wireless controller can protect against rogue APs by sending de-authentication messages to the rogue AP. The de-authentication attack feature must be globally enabled in order for the wireless system to perform this function. Make sure that no legitimate APs are classified as rogues before enabling the attack feature, since the controller will actively disconnect clients from any AP it has classified as rogue. This feature is disabled by default.

Figure 105: WIDS AP Configuration. Screen fields (WIDS AP Configuration): Administrator configured rogue AP; Managed SSID from an unknown AP (Enable); Managed SSID from a fake managed AP (Enable); AP without an SSID (Enable); Fake managed AP on an invalid channel.

8.3.2 WIDS Client Configuration

Advanced > WIDS Security > Client

The D-Link Wireless Controller Wireless Intrusion Detection System (WIDS) can help detect intrusion attempts into the wireless network and take automatic actions to protect the network. The settings you configure on the WIDS Client Configuration page help determine whether a detected client is classified as a rogue. Clients classified as rogues are considered to
192. y time of day.
Solution: Create an inbound rule as follows.

Example 2: Allow videoconferencing from a range of outside IP addresses
Situation: You want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses (132.177.88.2 - 132.177.88.254) belonging to a branch office.
Solution: Create an inbound rule as follows. In the example, CUSeeMe (the video conference service used) connections are allowed only from the specified range of external IP addresses.

Example 3: Multi-NAT configuration
Situation: You want to configure multi-NAT to support multiple public IP addresses on one WAN port interface.
Solution: Create an inbound rule that configures the firewall to host an additional public IP address. Associate this address with a web server on the DMZ. If you arrange with your ISP to have more than one public IP address for your use, you can use the additional public IP addresses to map to servers on your LAN. One of these public IP addresses is used as the primary IP address of the controller; this address is used to provide internet access to your LAN PCs through NAT. The other addresses are available to map to your DMZ servers. The following addressing scheme is used to illustrate this procedure:
WAN IP address: 10.1.0.118
LAN IP address: 192.168.10.1, subnet 255.255.255.0
Web server host in the DM
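Examples 2 and 3 above, together with the custom services defined in section 5.4, come down to one rule-matching procedure: pick the first rule whose service (protocol and port range), source range and public destination address all match, then forward or drop. The following added example, not part of this manual or of D-Link's firmware, implements that procedure so the two examples can be checked against concrete packets. It assumes the firewall drops inbound traffic that no rule allows. The 132.177.88.2-254 source range and the WAN address 10.1.0.118 come from the examples; the port range 4554-4556 is the custom service shown in Figure 66, used here as the videoconferencing service; the second public address 10.1.0.119, the DMZ server 176.16.2.2 and the LAN host 192.168.10.20 are constructed.

```python
"""Evaluate inbound firewall rules that use custom services, source IP ranges and multi-NAT.

Added example, not part of the DWC-1000 manual or firmware. It assumes the
firewall's default for inbound traffic is to drop anything no rule allows.
The 132.177.88.2-254 source range and the WAN address 10.1.0.118 come from the
manual's examples; the custom service port range 4554-4556 comes from Figure 66;
the second public address 10.1.0.119, the DMZ server 176.16.2.2 and the LAN
host 192.168.10.20 are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Service:
    name: str
    protocol: str          # "tcp", "udp" or "icmp"
    ports: range           # destination port range; ignored for icmp


@dataclass(frozen=True)
class SourceRange:
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address

    def contains(self, addr: ipaddress.IPv4Address) -> bool:
        return self.start <= addr <= self.end


@dataclass(frozen=True)
class InboundRule:
    service: Service
    action: str                                    # "allow" or "block"
    source: Optional[SourceRange]                  # None means any source
    public_ip: ipaddress.IPv4Address               # WAN address the packet must be addressed to
    forward_to: Optional[ipaddress.IPv4Address]    # internal host (DNAT target) when allowed


def evaluate(rules, src: str, dst: str, protocol: str, dst_port: int = 0) -> tuple:
    """First matching rule wins; unmatched inbound traffic is dropped.

    Returns ("allow", internal_host) or ("block", None)."""
    src_ip, dst_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for rule in rules:
        svc = rule.service
        if protocol != svc.protocol or dst_ip != rule.public_ip:
            continue
        if svc.protocol != "icmp" and dst_port not in svc.ports:
            continue
        if rule.source is not None and not rule.source.contains(src_ip):
            continue
        if rule.action == "allow":
            return "allow", str(rule.forward_to) if rule.forward_to else None
        return "block", None
    return "block", None


def ip(text: str) -> ipaddress.IPv4Address:
    return ipaddress.IPv4Address(text)


VIDEOCONF = Service("videoconf", "tcp", range(4554, 4557))   # custom service, Figure 66 range
HTTP = Service("http", "tcp", range(80, 81))

RULES = [
    # Example 2: videoconferencing only from the branch office range, to the primary WAN address.
    InboundRule(VIDEOCONF, "allow", SourceRange(ip("132.177.88.2"), ip("132.177.88.254")),
                public_ip=ip("10.1.0.118"), forward_to=ip("192.168.10.20")),
    # Example 3: multi-NAT, a second public address hosted by the firewall and mapped to a DMZ web server.
    InboundRule(HTTP, "allow", None, public_ip=ip("10.1.0.119"), forward_to=ip("176.16.2.2")),
]

if __name__ == "__main__":
    for pkt in (("132.177.88.10", "10.1.0.118", "tcp", 4555),
                ("132.177.89.10", "10.1.0.118", "tcp", 4555),
                ("203.0.113.5", "10.1.0.119", "tcp", 80),
                ("203.0.113.5", "10.1.0.118", "tcp", 80)):
        print(pkt, "->", evaluate(RULES, *pkt))
```

The multi-NAT rule is keyed on the destination address, so the same port 80 arriving at the primary WAN address is still dropped; that separation is what keeps the additional public address from exposing anything beyond the DMZ server it is mapped to.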
193. y uses digital certificates for IPsec VPN authentication as well as SSL validation for HTTPS and SSL VPN authentication. You can obtain a digital certificate from a well-known Certificate Authority (CA) such as VeriSign, or generate and sign your own certificate using functionality available on this gateway. The gateway comes with a self-signed certificate, and this can be replaced by one signed by a CA as per your networking requirements. A CA-signed certificate provides strong assurance of the server's identity and is a requirement for most corporate network VPN solutions. Until the factory self-signed certificate is replaced, browsers and VPN clients cannot distinguish the controller from an impersonator presenting another self-signed certificate, so replace it before exposing HTTPS management or SSL VPN on the WAN.

The Certificates menu allows you to view a list of certificates, both from a CA and self-signed, currently loaded on the gateway. The following certificate data is displayed in the list of Trusted CA certificates:
CA Identity (Subject Name): The certificate is issued to this person or organization.
Issuer Name: This is the CA name that issued this certificate.
Expiry Time: The date after which this trusted certificate becomes invalid.

A self certificate is a certificate issued by a CA identifying your device, or self-signed if you don't want the identity protection of a CA. The Active Self Certificate table lists the self certificates currently loaded on the gateway. The following information is displayed for each uploaded self certificate:
Name: The name you use to identify this certificate; it is not displayed to IPsec VPN peers o
