LANCOM 821+.LANCOM 1711+ VPN.LANCOM 1721+ VPN 821 LC 821plus 1711plus 1721plus MANUAL EN
User Manual: 821
Page Count: 79
LANCOM 821+
LANCOM 1711+ VPN
LANCOM 1721+ VPN

Manual

... connecting your business

LANCOM Systems GmbH
Adenauerstr. 20/B2
52146 Würselen
Germany
E-Mail: info@lancom.eu
Internet: www.lancom.eu

110739/0409

© 2009 LANCOM Systems GmbH, Wuerselen. All rights reserved.

While the information in this manual has been compiled with great care, it may not be deemed an assurance of product characteristics. LANCOM Systems shall be liable only to the degree specified in the terms of sale and delivery.

The reproduction and distribution of the documentation and software supplied with this product and the use of its contents is subject to written authorization from LANCOM Systems. We reserve the right to make any alterations that arise as the result of technical development.

Windows®, Windows Vista™, Windows NT® and Microsoft® are registered trademarks of Microsoft, Corp.

The LANCOM Systems logo, LCOS and the name LANCOM are registered trademarks of LANCOM Systems GmbH. All other names or descriptions used may be trademarks or registered trademarks of their owners.

Subject to change without notice. No liability for technical errors or omissions.

Products from LANCOM Systems include software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).

Products from LANCOM Systems include cryptographic software written by Eric Young (eay@cryptsoft.com).

Products from LANCOM Systems include software developed by the NetBSD Foundation, Inc. and its contributors.

Products from LANCOM Systems contain the LZMA SDK developed by Igor Pavlov.

Wuerselen, April 2009

Preface

Thank you for placing your trust in this LANCOM Systems product.

With the LANCOM Router you have chosen a powerful router that possesses integrated DSL or ADSL and ISDN interfaces by default as well as an integrated 4-port switch. With this router you can simply and comfortably connect individual PCs or whole local networks to the high-speed Internet.

Model variants

This user manual applies to the following models of the LANCOM Router series:
- LANCOM 821+
- LANCOM 1721+ VPN
- LANCOM 1711+ VPN

Model restriction

The sections of the documentation that refer only to a range of models are marked either in the corresponding text itself or with appropriate comments placed beside the text. In the other parts of the documentation, all described models have been classified under the general term LANCOM Router.

Security settings

To maximize the security available from your product, we recommend that you undertake all of the security settings (e.g. firewall, encryption, access protection) that were not already activated when you purchased the product. The LANconfig Wizard 'Security Settings' will help you with this task. Further information is also available in the chapter 'Security settings'.

We would additionally like to ask you to refer to our Internet site www.lancom.eu for the latest information about your product and technical developments, and also to download our latest software versions.

Components of the documentation

The documentation of your device consists of the following parts:
- Installation Guide
- User manual
- PBX Functions manual
- Reference manual
- Menu Reference Guide

You are now reading the user manual. It contains all information you need to put your device into operation. It also contains all of the important technical specifications.
The Reference Manual is to be found as an Acrobat document (PDF file) at www.lancom.eu/download or on the CD supplied. It is designed as a supplement to the user manual and goes into detail on topics that apply to a variety of models. These include, for example:
- The system design of the operating system LCOS
- Configuration
- Management
- Diagnosis
- Security
- Routing and WAN functions
- Firewall
- Quality of Service (QoS)
- Virtual Private Networks (VPN)
- Virtual Local Networks (VLAN)
- Wireless networks (WLAN)
- Backup solutions
- LANCAPI
- Further server services (DHCP, DNS, charge management)

The Menu Reference Guide (also available at www.lancom.eu/download or on the CD supplied) describes all of the parameters in LCOS, the operating system used by LANCOM products. This guide is an aid to users during the configuration of devices by means of WEBconfig or the telnet console.

This documentation was created by …

... several members of our staff from a variety of departments in order to ensure you the best possible support when using your LANCOM product.

Our online services www.lancom.eu are available to you around the clock if you have any questions on the content in this manual, or if you require any further support. The area 'Support' will help you with many answers to frequently asked questions (FAQs). Furthermore, the knowledgebase offers you a large reserve of information. The latest drivers, firmware, utilities and documentation are constantly available for download.

In addition, LANCOM Support is available. For telephone numbers and contact addresses for LANCOM Support, please refer to the enclosed leaflet or the LANCOM Systems Web site.

Information symbols

- Very important instructions. Failure to observe these may result in damage.
- Important instruction that should be observed.
- Additional information that may be helpful but is not essential.
Should you find any errors, or if you would like to suggest improvements, please do not hesitate to send an e-mail directly to: info@lancom.eu

Contents

1 Introduction
  1.1 How do ADSL and ADSL 2+ work?
  1.2 What does VPN offer?
2 Installation
  2.1 Package contents
  2.2 System requirements
  2.3 Status displays and interfaces
    2.3.1 Device connectors
  2.4 Hardware installation
  2.5 Software installation
    2.5.1 Starting the software setup
    2.5.2 Which software should I install?
3 Basic configuration
  3.1 What details are necessary?
    3.1.1 TCP/IP settings
    3.1.2 Configuration protection
    3.1.3 Settings for the wireless LAN
    3.1.4 Settings for the DSL connection
    3.1.5 Settings for the ISDN Connection
    3.1.6 Charge protection
  3.2 Instructions for LANconfig
  3.3 Instructions for WEBconfig
  3.4 TCP/IP settings for PC workstations
4 Setting up Internet access
  4.1 The Internet Connection Wizard
    4.1.1 Instructions for LANconfig
    4.1.2 Instructions for WEBconfig
5 Connecting two networks
  5.1 Which details are necessary?
    5.1.1 General information
    5.1.2 Settings for the TCP/IP router
    5.1.3 Settings for the IPX router
    5.1.4 Settings for NetBIOS routing
  5.2 Instructions for LANconfig
  5.3 1-Click-VPN for networks (site-to-site)
  5.4 Instructions for WEBconfig
6 Providing dial-in access
  6.1 Which details are necessary?
    6.1.1 General information
    6.1.2 Settings for TCP/IP
    6.1.3 Settings for IPX
    6.1.4 Settings for NetBIOS routing
  6.2 Settings on the dial-in computer
    6.2.1 Dialing-in via VPN
    6.2.2 Dialing-in via ISDN
  6.3 Instructions for LANconfig
  6.4 1-Click-VPN for LANCOM Advanced VPN Client
  6.5 Instructions for WEBconfig
7 Fax transmission with LANCAPI
  7.1 Installing the LANCOM CAPI Faxmodem
  7.2 Installing the MS Windows Fax Service
  7.3 Sending a fax
    7.3.1 Sending faxes from an office application
    7.3.2 Sending faxes with the Windows Fax Service
8 Security settings
  8.1 Security settings Wizard
    8.1.1 LANconfig Wizard
    8.1.2 WEBconfig Wizard
  8.2 The security checklist
9 Advice & assistance
  9.1 No WAN connection can be established
  9.2 DSL data transfer is slow
  9.3 Unwanted connections under Windows XP
  9.4 Cable testing
10 Appendix
  10.1 Performance data and specifications
  10.2 Connector wiring
    10.2.1 WAN interface
    10.2.2 ADSL interface
    10.2.3 ISDN-S0 interface
    10.2.4 Ethernet interface 10/100Base-T
    10.2.5 Configuration interface (outband)
  10.3 Declaration of conformity
11 Index

1 Introduction

The VPN option, which is either integrated already or can be activated subsequently, enables the LANCOM 1721+ VPN and LANCOM 1711+ VPN to act as powerful Dynamic VPN gateways for external offices or mobile users.

Each of the LANCOM Router models offers a DSL or ADSL connector and also an ISDN connector. The ISDN line can be used as back-up for the DSL connection, for remote management of the router, as basis for the office communication via LANCAPI or for establishing VPN connections to remote sites with dynamic IP addresses.
By using the Voice over IP function, these devices can transfer voice data over broadband Internet connections as well.

The models LANCOM 821+, LANCOM 1721+ VPN and LANCOM 1711+ VPN are fully-featured routers that can therefore also be used, in combination with the integrated firewall, to provide secure Internet access to a complete local network (LAN).

1.1 How do ADSL and ADSL 2+ work?

ADSL (Asymmetric Digital Subscriber Line) is currently the most common technology for broadband Internet connections. Standard and almost ubiquitous telephone lines (analog or DSL) are the basis for DSL data transfer to the nearest telephone exchange. From here, the data is passed directly on to the Internet over high-speed connections.

The asymmetric DSL variant ADSL was developed for applications where users receive large amounts of data but transmit only small amounts, such as when surfing in the WWW. ADSL subscribers can receive data at up to 8 Mbps ("downstream") and transmit at up to 800 kbps ("upstream"). ADSL providers are able to reduce these maximum rates as they please.

To satisfy the strongly increasing demand for higher bandwidths, the standards ADSL 2 and ADSL 2+ provide higher data rates as a basis for applications such as video streaming or high-definition TV (HDTV) over the Internet. Depending on the Internet provider, ADSL 2 devices support downstream data rates of up to 12 Mbps, and ADSL 2+ devices support up to 24 Mbps. Handshake routines during connection establishment ensure that the standards ADSL, ADSL 2 and ADSL 2+ are intercompatible.

Parallel to data transfer, ADSL also provides full and unlimited support for the classic applications in telephony (telephone, fax, answering machine, PBX). This is facilitated by splitters which separate the voice frequencies from the data frequencies.

1.2 What does VPN offer?

For LANCOM 1711+ VPN and LANCOM 1721+ VPN only.
A VPN (Virtual Private Network) can be used to set up secure data communications over the Internet.

The models LANCOM 1721+ VPN and LANCOM 1711+ VPN are factory equipped to support VPN with 5 active tunnels. With the additional LANCOM VPN Option, VPN support can be extended to 25 active tunnels (incl. activated hardware accelerator).

The following structure results when using the Internet instead of direct connections:

[Figure: VPN structure over the Internet. Labels: HEADQUARTER, LAN, SERVER, VPN GATEWAY, INTERNET, BRANCH, LAN, VPN ROUTER, ROUTER, LAPTOP]

All participants have fixed or dial-up connections to the Internet. Expensive dedicated lines are no longer needed.
- All that is required is the Internet connection of the LAN in the headquarters. Special switching devices or routers for dedicated lines to individual participants are superfluous.
- The subsidiary also has its own connection to the Internet.
- The RAS PCs connect to the headquarters LAN via the Internet.

The physical connection no longer exists directly between two participants; instead, the participants rely on their connection to the Internet. The access technology used is not relevant in this case: Broadband technology such as DSL (Digital Subscriber Line) is ideal. A conventional ISDN line can be used, too.

The technologies of the individual participants do not have to be compatible with one another, as would be the case for conventional direct connections. A single Internet access can be used to establish multiple simultaneous logical connections to a variety of remote sites.

The resulting savings and high flexibility make the Internet (or any other IP network) an outstanding backbone for a corporate network.
The Internet is available virtually everywhere and typically has low access costs. Significant savings can thus be achieved in relation to switched or dedicated connections, especially over long distances.

What can your LANCOM Router do?

The following table contains a direct comparison of the properties and functions of your devices with other models (LANCOM 821+, LANCOM 1711+ VPN, LANCOM 1721+ VPN):

Applications
- Internet access
- LAN to LAN coupling via VPN
- LAN to LAN coupling via ISDN
- RAS server (via VPN)
- RAS server (via ISDN)
- IP router
- IPX router (via ISDN), e.g. for coupling of Novell networks or dialling into Novell networks
- NetBIOS proxy for coupling of Microsoft peer-to-peer networks via ISDN
- DHCP and DNS server (for LAN and WAN)
- N:N mapping for coupling networks using the same IP address ranges
- Bridge function for coupling networks via ISDN connection
- Port-Mapping to set up LAN ports as additional WAN ports
- Policy-based routing for policy-based selection of target routes
- Load-balancing for bundling of multiple DSL channels: 2 channels (LANCOM 821+), 4 channels (LANCOM 1711+ VPN), 4 channels (LANCOM 1721+ VPN)
- Backup solutions and load balancing with VRRP
- NAT Traversal (NAT-T)
- DMZ with configurable IDS checks
- PPPoE-Server
- WAN-RIP
- Spanning Tree Protocol
- Layer-2-QoS-Tagging
- ISDN leased lines
- LANCAPI server for operating office applications such as fax or answering machine via the ISDN interface

WAN connection
- Connection for DSL or cable modem
- Integrated ADSL modem (ADSL2+ ready)
- ISDN S0 bus in multi-device mode or in point-to-point mode with automatic D-channel protocol identification. Supports static and dynamic channel bundling per MLPPP and BACP as well as Stac data compression (Hi/fn)
- Port for external modem, analogue or GSM (requires LANCOM modem adapter kit; from LCOS 5.0)

LAN connection
- 4 individual Fast Ethernet LAN ports, switchable separately, e.g. as LAN switch or separate DMZ ports, auto crossover.

USB connector
- USB 2.0 host port (full speed: 12 Mbps) for connecting a USB printer and for future extensions

Security functions
- IPSec encryption in external software (VPN client)
- 5 integrated VPN tunnels for protection of network connections
- IPSec encryption in hardware (optional; activated with the VPN-25 option)
- IP masquerading (NAT, PAT) to conceal individual LAN workstations behind a single public IP address.
- Stateful Inspection Firewall
- Firewall filter for blocking individual IP addresses, protocols and ports
- MAC address filter regulates, for example, LAN-workstation access to the IP routing function
- Protection of the configuration from brute-force attacks.

Configuration
- Configuration with LANconfig or with web browser, additionally terminal mode for Telnet or other terminal programs, SNMP interface and TFTP server function.
- Remote configuration via ISDN (with ISDN-PPP connections e.g. via Windows network and dial-up connections)
- Serial configuration interface
- Callback function with PPP authentication mechanisms for restriction to fixed ISDN telephone numbers
- FirmSafe with firmware versions for absolutely secure software upgrades

Optional software extensions
- LANCOM VPN Option with 25 active tunnels for protection of network couplings

Optional hardware extensions
- LANCOM Modem Adapter Kit for connection of analog or GSM modems to the serial interface

2 Installation

This chapter will assist you to quickly install hardware and software. First, check the package contents and system requirements. The device can be installed and configured quickly and easily if all prerequisites are fulfilled.

2.1 Package contents

Please check the package contents for completeness before starting the installation. In addition to the device itself, the package should contain the following accessories (depending on the model: LANCOM 821+, LANCOM 1711+ VPN, LANCOM 1721+ VPN):
- Power adapter
- LAN connector cable (green plugs)
- WAN connector cable (dark blue plugs)
- ADSL connector cable (transparent plugs)
- ISDN connector cable (light blue plugs)
- Connector cable for the configuration interface
- LANCOM CD
- Printed documentation

If anything is missing, please contact your retailer or the address stated on the delivery slip of the unit.

2.2 System requirements

Computers that connect to a LANCOM must meet the following minimum requirements:
- Operating system that supports TCP/IP, e.g. Windows Vista™, Windows XP, Windows Millennium Edition (Me), Windows 2000, Windows 98, Linux, BSD Unix, Apple Mac OS, OS/2.
- Access to the LAN via the TCP/IP protocol.

The LANtools also require a Windows operating system. A web browser under any operating system provides access to WEBconfig.

2.3 Status displays and interfaces

Meanings of the LEDs

In the following sections we will use different terms to describe the behaviour of the LEDs:
- Blinking means that the LED is switched on or off at regular intervals in the respective indicated colour.
- Flashing means that the LED lights up very briefly in the respective colour and then stays switched off clearly longer (approximately 10x longer).
- Inverse flashing means the opposite. The LED lights permanently in the respective colour and is only briefly interrupted.
- Flickering means that the LED is switched on and off in irregular intervals.

Front side

The various LANCOM Router models have different numbers of indicators on the front panel depending on their functionality.

[Figure: front panel of LANCOM 821+ and LANCOM 1721+ VPN. LEDs: Power, Online, ADSL Status, ADSL Data, ISDN Status, ISDN Data, ETH 1, ETH 2, ETH 3, ETH 4, VPN; callout: not available on LANCOM 821+]

[Figure: front panel of LANCOM 1711+ VPN. LEDs: Power, Online, WAN Status, WAN Data, ISDN Status, ISDN Data, ETH 1, ETH 2, ETH 3, ETH 4, VPN]

Top

The two top-mounted LEDs (Power and Online) enable the main function status to be assessed even if the device is positioned vertically.

Power

This LED indicates that the device is operational. After the device has been switched on, it will flash green for the duration of the self-test. After the self-test, either an error is output by a flashing red light code or the device starts and the LED remains lit green.
- Off: Device off
- Green, blinking: Self-test when powering up
- Green, constantly on: Device ready for use
- Red/green, blinking alternately: Device insecure: configuration password not assigned
- Red, blinking: Time or connect-charge reached

The power LED flashes red/green in alternation until a configuration password has been specified. Without a configuration password, the configuration data of the LANCOM is insecure. Under normal circumstances, you would assign a configuration password during the basic configuration (see instructions in the following chapter). For information about a later assignment of the configuration password see the section “Security settings”.

Flashing Power LED but no connection?

There's no need to worry if the Power LED blinks red and you can no longer connect to the WAN. This simply indicates that a preset time or connect-charge limit has been reached.

[Figure: Power LED, signal for reached time or connect-charge limit]

There are three methods available for unlocking:
- Reset connect charge protection.
- Increase the limit that has been reached.
- Completely deactivate the lock that has been triggered (set limit to '0').

If a time or connect charge limit has been reached, you will be notified in LANmonitor. To reset the connect charge protection, select Reset Charge and Time Limits in the context menu (right mouse click). You can configure the connect charge settings in LANconfig under Management > Costs (you will only be able to access this configuration if 'Complete configuration display' is selected under View > Options…).

You will find the connect charge protection reset in WEBconfig and all parameters under Expert Configuration > Setup > Charges-module.
Online

The online LED displays the general status of all WAN interfaces:
- Off: No active connection
- Green, flashing: Opening the first connection
- Green, inverse flashing: Opening an additional connection
- Green, on (permanently): At least one connection is established
- Red, on (permanently): Error establishing the last connection

ADSL status (LANCOM 821+ and LANCOM 1721+ VPN only)

Information on connection status at the ADSL connector:
- Off: Interface deactivated
- Green, blinking/flashing: Handshake/training
- Green, permanently: Synchronization successful
- Red, flickering: Error (CRC error, framing error, etc.)
- Red, on (permanently): No synchronization, searching for remote station
- Red/orange, blinking: Hardware error

ADSL data (LANCOM 821+ and LANCOM 1721+ VPN only)

Information on data traffic at the ADSL connector:
- Off: No logical connection
- Green, blinking: Opening the first connection
- Green, inverse flashing: Opening an additional connection
- Green, permanently: At least one logical connection is established
- Green, inverse flickering: Data traffic (send or receive)

WAN Status (only LANCOM 1711+ VPN)

Connection status of the WAN connection:
- Off: Not connected
- Green, blinking: Establishing first connection
- Green, inverse flashing: Establishing further connection
- Green, constantly on: At least one connection established
- Red, constantly on: Error while establishing connection

WAN Data (only LANCOM 1711+ VPN)

Data traffic via the WAN connection:
- Off: No network device connected
- Green, constantly on: Connection to network device operational, no data traffic
- Green, flickering: Data traffic (send or receive)

ISDN status

Information on connection status at the ISDN S0 connector:
- Off: Not connected or no S0 voltage (no error message)
- Green, blinking: D-channel initialization (establishing contact to provider)
- Green, on (permanently): D-channel operational
- Red, flickering: D-channel error
- Red, on (permanently): D-channel activation failed

If the ISDN status LED goes off automatically, this does not indicate an error at the S0 bus. It is in fact because several ISDN connections and PBXs switch the S0 bus into power-saving mode after a certain period of inactivity. When needed, the S0 bus automatically reactivates and the ISDN status LED illuminates in green.

ISDN Data

Status display for both ISDN B channels:
- Off: No connection established
- Green, blinking: Dialling
- Green, flashing: Establishing first connection
- Green, inverse flashing: Establishing further connection
- Green, constantly on: Connection established via B channel
- Green, flickering: Data traffic (send or receive)

ETH

LAN connector status in the integrated switch:
- Off: No networking device attached
- Green, on (permanently): Connection to network device operational, no data traffic
- Green, flickering: Data traffic
- Red, flickering: Data packet collision

VPN

Status of a VPN connection:
- Off: No VPN tunnel established
- Green, blinking: Connection establishment
- Green, flashing: First connection
- Green, inverse flashing: Other connections
- Green, on (permanently): VPN tunnels are established

2.3.1 Device connectors

The connections and switches of the router are located on the back panel:

[Figure: back panel of LANCOM 821+ and LANCOM 1721+ VPN. Labels: DC12V, ETH4, ETH3, ETH2, ETH1, USB, Config (COM), ISDN S0, ADSL, Reset; callout: not available on LANCOM 821+]

- Voltage switch
- Connection for the included power adapter
- Switch with four 10/100Base-Tx connections
- USB connection
- Serial configuration port
- ISDN/S0 port
- ADSL port
- Reset switch

[Figure: back panel of LANCOM 1711+ VPN. Labels: DC 12 V, ETH 4, ETH 3, ETH 2, ETH 1, WAN, USB, Config (COM), ISDN-S0, Reset]

- Voltage switch
- Connection for the included power adapter
- Switch with four 10/100Base-Tx connections
- WAN port
- USB connection
- ISDN/S0 port
- Serial configuration port
- Reset switch

The reset switch has two different functions depending on the length of time that it is pressed:
- Restarting the device (soft reset) – push the button for less than five seconds. The device will restart.
- Resetting the configuration (hard reset) – push the button for more than five seconds. All the device's LEDs will light up green and stay on. As soon as the reset switch is released, the device will restart with factory default settings.

Reset button functions

The reset button offers two basic functions, boot (restart) and reset (to the factory settings), which are called by pressing the button for different lengths of time.

It is not always possible to install a device under lock and key. There is consequently a risk that the configuration will be deleted by mistake if a co-worker presses the reset button too long. With a suitable setting, the behavior of the reset button can be controlled; the button is then ignored or a press of the button prompts a restart only, however long it is held down.

Configuration tool: WEBconfig, Telnet
Call: Expert configuration > Setup > Config

Reset button

This option controls the behavior of the reset button when it is pressed:
- Ignore: The button is ignored.
- Boot only: A press of the button prompts a restart only, however long it is held down.

  Please observe the following notice: The settings 'Ignore' or 'Boot only' make it impossible to reset the configuration to the factory settings. If the password is lost for a device with this setting, there is no way to access the configuration! In this case the serial communications interface can be used to upload a new firmware version to the device. This resets the device to its factory settings, which results in the deletion of the former configuration. Instructions on firmware uploads via the serial configuration interface are available in the LCOS reference manual.
- Reset-or-boot (standard setting): Press the button briefly to restart the device. Pressing the button for 5 seconds or longer restarts the device and resets the configuration to its factory settings. All LEDs on the device light up continuously. Once the switch is released the device will restart with the restored factory settings.

  After resetting, the device starts completely unconfigured and all settings are lost. If possible be sure to back up the current device configuration before resetting.

2.4 Hardware installation

The installation of the LANCOM Router base station takes place in the following steps:

LAN – connect the LANCOM Router to your LAN or to an individual PC. For that purpose, plug the included network cable (green plugs) into the LAN connector of the device and the other end into a free network connecting socket of your local network, into a free socket of a hub/switch or into the network socket of an individual PC.

The LAN connector automatically identifies the transfer rate (10/100 Mbps) of the connected network device (autosensing). A parallel connection of devices with different speeds and types is possible.

You should never have more than one unconfigured LANCOM Router in a network segment at any given time. All unconfigured LANCOM Router devices use the same IP address (with the final digits '254'), which would result in an address conflict. To avoid problems, always configure multiple LANCOM Router devices one at a time, immediately assigning each device a unique IP address (one that does not end with '254').

ADSL (821+/1721 only) – connect the ADSL interface to the splitter using the supplied ADSL connector cable (transparent plugs).

DSL (1711+ only) – connect the WAN interface to the DSL modem socket using the supplied DSL connector cable (dark blue plugs).
ISDN – to connect the LANCOM Router to the ISDN, plug one end of the supplied ISDN connector cable (light blue plugs) in the ISDN/S0 port (LANCOM 821+ and LANCOM 1721+ VPN) or (LANCOM 1711+ VPN) of the router and the other end into an ISDN/S0 multi-device mode or point-to-point mode connection.

Configuration port – you may optionally connect the router directly to the serial port (RS-232, V.24) of a PC. Use the cable supplied for this purpose. Connect the configuration port of the LANCOM (LANCOM 821+ and LANCOM 1721+ VPN) or (LANCOM 1711+ VPN) with a free serial port of the PC.

Alternatively you may connect an external modem (analogue or GSM) to the serial port using the LANCOM modem adapter kit, if you would like to make use of an additional WAN line for remote maintenance, backup connections or dynamic VPN.

Connect to power – connect the socket of the unit to a power supply using the included power adapter.

Use the supplied power supply unit only! Using an unsuitable power supply unit may cause damage or injury.

Operational? – After a short device self-test the Power LED will be permanently lit. Green LAN LEDs indicate the LAN sockets that have functioning connections.

Devices with an integrated ADSL modem can become quite warm during operation. For these models, please pay attention to the ambient air temperature range of max. 35°C. Make sure that the ventilation is sufficient. Do not stack the devices and do not expose them to direct sunlight!

2.5 Software installation

The following section describes the installation of the Windows-compatible system software LANtools, as supplied.

You may skip this section if you use your LANCOM VPN Router exclusively with computers running operating systems other than Windows.

2.5.1 Starting the software setup

Place the product CD into your drive.
The setup program will start automatically.

If the setup does not start automatically, run AUTORUN.EXE in the root directory of the LANCOM CD.

In Setup, select Install software. The following selection menus will appear on screen:

2.5.2 Which software should I install?

- LANconfig is the Windows configuration program for all LANCOM routers and LANCOM access points. WEBconfig can be used alternatively or in addition via a web browser.
- With LANmonitor you can use a Windows computer to monitor all of your LANCOM routers and LANCOM access points.
- With Documentation you copy the documentation files onto your PC.

Select the appropriate software options and confirm your choice with Next. The software is installed automatically.

3 Basic configuration

First of all, this chapter presents the information that has to be entered for the basic configuration. This first section will help you to gather all of the necessary data before you start the Wizard.

You subsequently enter this information into the Setup Wizard. Starting the program and the following procedure are described step by step. LANconfig and WEBconfig each have their own description. With all of the necessary information collected in advance, this basic configuration can now take place quickly and with ease.

At the end of this chapter we show you the necessary settings for the workplace computers in the LAN so that they can access the device without problems.

3.1 What details are necessary?

The Basic Settings Wizard is used to set the LANCOM VPN Router's basic TCP/IP parameters and to protect the device with a configuration password.
The following description of the information required by the wizard is divided into the following configuration sections: 3.1.1 TCP/IP settings Protecting the configuration Wireless LAN details DSL connection details DSL connection details Configuring toll protection Security settings TCP/IP settings TCP/IP configuration can be performed in two different ways: Either fully automatically or manually. No user input is required if TCP/IP configuration is performed automatically. All parameters are set by the Setup Wizard on its own. When manual TCP/IP configuration is performed the wizard prompts for the usual TCP/IP parameters: IP address, network mask etc. (more on this later) 25 EN The basic configuration is conducted with a convenient Setup Wizard that provides step-by-step guidance through the configuration and that requests any necessary information. LANCOM 821+ – LANCOM 1711+ VPN – LANCOM 1721+ VPN Chapter 3: Basic configuration The fully automatic TCP/IP configuration is only possible in certain network environments. For this reason the Setup Wwizard analyses the connected LAN to see whether fully automatic configuration is possible or not. New LAN – fully automatic configuration possible EN The setup wizard offers to configure TCP/IP fully automatically if no network devices connected have yet been configured. This usually happens in the following situations: Only a single PC is going to be attached to the LANCOM VPN Router Setting up a new network Fully automatic TCP/IP configuration will not be offered if you are integrating the LANCOM VPN Router into an existing TCP/IP LAN. In this case please continue with the section 'Required information for manual TCP/IP configuration'. The result of fully automatic TCP/IP configuration is as follows: The LANCOM VPN Router is assigned the IP address '172.23.56.254' (network mask '255.255.255.0'). 
The integrated DHCP server is also activated so that the LANCOM VPN Router can assign the devices in the LAN IP addresses automatically.

Should you still configure manually?

Fully automatic TCP/IP configuration is optional. Instead of this you can select manual configuration. Make this selection after considering the following:

- Select automatic configuration if you are not familiar with networks and IP addresses.
- Select manual TCP/IP configuration if you are familiar with networks and IP addresses and one of the following statements is true:
  - You have not yet used any IP addresses in your network but would like to now; you would like to specify the IP address for the router yourself and would like to assign it a user-defined address from one of the address ranges reserved for private use, for example '10.0.0.1' with a network mask of '255.255.255.0'. If you do this you simultaneously specify the address range that the DHCP server will subsequently use for the other devices in the network (provided the DHCP server is activated).
  - You have so far also used IP addresses on the computers in the LAN.

Required information for manual TCP/IP configuration

When performing manual TCP/IP configuration the Setup Wizard prompts you for the following information:

- DHCP mode of operation
  - Off: The IP addresses required must be entered manually.
  - Server: The LANCOM VPN Router operates as DHCP server in the network; as a minimum its own IP address and the network mask must be assigned.
  - Client: The LANCOM VPN Router obtains its address information from another DHCP server; no address information is required.
- IP address and network mask for the LANCOM VPN Router: Assign the LANCOM VPN Router a free IP address from your LAN's address range and enter the network mask.
- Gateway address: Enter the gateway's IP address if you have selected 'Off' as the DHCP mode of operation or if another network device is assuming the role of gateway in the 'Server' mode of operation.
- DNS server: Enter the IP address of a DNS server to resolve domain names if you have selected 'Off' as the DHCP mode of operation or if another network device is assuming the role of DNS server in the 'Server' mode of operation.

3.1.2 Configuration protection

Using a password secures access to the LANCOM VPN Router's configuration and thus prevents unauthorized modification. The device's configuration contains a great deal of sensitive data such as data for Internet access and should be protected by a password in all cases.

Multiple administrators can be set up in the configuration of the LANCOM, each with differing access rights. Up to 16 different administrators can be set up for a LANCOM VPN Router. Further information can be found in the LCOS reference manual under “Managing rights for different administrators”.

In the managed mode the LANCOM Wireless Routers and LANCOM Access Points automatically receive the same root password as the WLAN-Controller, assuming that no root password has been set in the device itself.

3.1.3 Settings for the wireless LAN

Network name (SSID)

The Basic Settings Wizard prompts for the access point's network name (frequently referred to as SSID – Service Set Identifier). The name is of your own choice. Several access points with the same name form a common wireless LAN.

Open or closed wireless LAN?

Mobile wireless devices select the desired wireless LAN by specifying the network name. Two methods serve to facilitate the specification of the network name:

- Mobile wireless devices can search ("scan") the vicinity for wireless LANs and offer the wireless LANs they find in a list for selection.
- By using the network name 'ANY' the mobile wireless device registers with the nearest available wireless LAN.
The wireless LAN can be "closed" in order to prevent this procedure. In this case it will not accept any devices attempting to register with the network name 'ANY'.

Selecting a radio channel

The access point operates in a specific radio channel. The radio channel is selected from a list of up to 13 channels in the 2.4 GHz frequency band or up to 19 channels in the 5 GHz frequency band (individual radio channels are blocked in some countries; please refer to the appendix for more details).

The channel and frequency range used determine the operation of the common wireless standard, with the 5 GHz frequency range corresponding to the IEEE 802.11a/h standard and the 2.4 GHz frequency range determining operation in the IEEE 802.11g and IEEE 802.11b standards.

If no other access points are operating within the access point's range, any radio channel can be set. Otherwise the channels in the 2.4 GHz band must be selected in such a way that they do not overlap and are as far apart as possible. In the 5 GHz band the automatic setting, where the LANCOM Access Point uses TPC and DFS to select the best channel, is normally sufficient.

Please refer to the LCOS reference manual for more information on TPC and DFS.

3.1.4 Settings for the DSL connection

It may be necessary to enter the transmission protocol used for the DSL connection. The wizard will enter the correct setting for the most important DSL providers on its own. Only when the wizard does not list your provider must the transmission protocol used by your DSL provider be entered.

The wizard will offer you a universal 'multimode' protocol that works with all common types of DSL connection.

3.1.5 Settings for the ISDN Connection

If you wish to use the ISDN connection you can make the following settings:

- One or more ISDN MSNs on which the router should answer calls. MSNs are ISDN call numbers that your telephone company allocates to you. They are usually specified without a prefix. The numbers specified are only important for router functions (LAN-LAN coupling, RAS), but not for the remote configuration and LANCOM VPN Option.
- A prefix to access the public telephone network. It is normally only required when connecting via an ISDN PBX. Usually this is a '0'. This prefix is used for all outgoing calls.

Finally you should know whether the telephone company transmits an ISDN metering pulse. This can be evaluated by the LANCOM Router for cost budgets and the accounting function.

3.1.6 Charge protection

Charge protection prevents DSL connections being established above and beyond a predefined amount and therefore protects you from unexpectedly high connection charges.

If you operate the LANCOM Router on a DSL link that is charged on a time basis you can set the maximum connection time in minutes. The budget can be completely deactivated by entering a value of '0'.

In the basic settings, charge protection is set to a maximum value of 600 minutes in any seven day period. Please adjust this parameter to match your own requirements, or deactivate charge protection if you have agreed a tariff for unlimited traffic with your provider.

3.2 Instructions for LANconfig

Start LANconfig with Start > Programs > LANCOM > LANconfig. LANconfig automatically detects new LANCOM devices in the TCP/IP network.

As standard, LANCOM Wireless Routers and LANCOM Access Points in managed mode are not displayed when LANconfig carries out its device search. To display these devices, activate the option 'Search for managed APs'.

If the search detects an unconfigured device, the Setup Wizard launches to help you with its basic settings, or indeed to handle the entire process on your behalf (assuming that the appropriate networking environment exists).
If the Setup Wizard does not start automatically, you can manually search for new devices at all interfaces (if the LANCOM VPN Router is connected via the serial configuration interface) or in the network (File > Find devices).

If you cannot access an unconfigured LANCOM VPN Router, the problem may be the LAN netmask: In case there are fewer than 254 potential hosts available (netmask >'255.255.255.0'), you must ensure that the IP address 'x.x.x.254' is available in your subnet.

If you choose automatic TCP/IP configuration, you can continue with step .

Give the LANCOM an address from the applicable IP address range. Confirm with Next.

In the window that follows, you first set the password to the configuration. Entries are case sensitive and should be at least 6 characters long. You also define whether the device can be configured from the local network only, or if remote configuration via WAN (i.e. from a remote network) is to be permitted.

Be aware that releasing this option also allows remote configuration over the Internet. Whichever option you select, make sure that configuration access is password protected.

Charge protection is a function which can place a limit on the costs from WAN connections. Accept your entries with Next.

Close the configuration with Finish.

See the section 'TCP/IP settings for PC workstations' for information on the settings that are required for computers in the LAN.

3.3 Instructions for WEBconfig

Device settings can be configured from any Web browser. WEBconfig configuration software is an integral component of the LANCOM. A Web browser is all that is required to access WEBconfig. WEBconfig offers similar Setup Wizards to LANconfig and hence provides the perfect conditions for easy configuration of the LANCOM – although, unlike LANconfig, it runs under any operating system with a Web browser.

Secure with HTTPS

WEBconfig offers secure (remote) configuration by encrypting the configuration data with HTTPS.

https://

Always use the latest version of your browser to ensure maximum security. For Windows, LANCOM Systems GmbH recommends the latest version of the Internet Explorer.

Accessing the device with WEBconfig

To carry out a configuration with WEBconfig, you need to know how to contact the device. Device behavior and accessibility for configuration via a Web browser depend on whether the DHCP server and DNS server are active in the LAN already, and whether these two server processes share the assignment in the LAN of IP addresses to symbolic names. WEBconfig accesses the LANCOM either via its IP address, the device name (if configured), or by means of any name if the device has not yet been configured.

Following power-on, unconfigured LANCOM devices first check whether a DHCP server is already active in the LAN. Depending on the situation, the device can either enable its own DHCP server or enable DHCP client mode. In the second operating mode, the device can retrieve an IP address for itself from a DHCP server in the LAN.

If a LANCOM Wireless Router or LANCOM Access Point is centrally managed from a LANCOM WLAN Controller, the DHCP mode is switched from auto-mode to client mode upon provision of the WLAN configuration.

Network without a DHCP server

Not for centrally managed LANCOM Wireless Routers or LANCOM Access Points

In a network without a DHCP server, unconfigured LANCOM devices enable their own DHCP server service when switched on and assign IP addresses, information on gateways, etc. to other computers in the LAN (provided they are set to automatic retrieval of IP addresses – auto DHCP). In this constellation, the device can be accessed by every computer with the auto DHCP function enabled with a Web browser under IP address 172.23.56.254.
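The netmask caveat above (an unconfigured device answers on 'x.x.x.254', which must lie inside the configuration computer's subnet) can be checked before troubleshooting further. The following Python sketch is an added example, not LANCOM software; the function name and the sample addresses are constructed for illustration, and only 172.23.56.254 and the 'x.x.x.254' rule come from the manual.

```python
import ipaddress

# Factory address assigned by fully automatic TCP/IP configuration (from the manual).
FACTORY_ADDRESS = ipaddress.IPv4Address("172.23.56.254")


def expected_device_address(pc_ip, pc_netmask):
    """Return (address, reachable, reason) for an unconfigured device.

    Rule from the manual: the device is reached at x.x.x.254, where the x's are
    the first three blocks of the configuration computer's IP address.
    The function name and return shape are hypothetical.
    """
    iface = ipaddress.IPv4Interface(f"{pc_ip}/{pc_netmask}")
    candidate = ipaddress.IPv4Address(iface.ip.packed[:3] + bytes([254]))
    net = iface.network

    if candidate == iface.ip:
        return candidate, False, "the configuration computer already uses this address"
    if candidate not in net:
        # Netmask longer than 255.255.255.0 and .254 falls into a neighbouring subnet.
        return candidate, False, f"{candidate} lies outside the computer's subnet {net}"
    if net.prefixlen < 31 and candidate in (net.network_address, net.broadcast_address):
        return candidate, False, f"{candidate} is the network or broadcast address of {net}"
    return candidate, True, f"{candidate} is a usable host address in {net}"


if __name__ == "__main__":
    # Constructed sample inputs: (IP address, netmask) of the configuration computer.
    samples = [
        ("172.23.56.1", "255.255.255.0"),     # PC served by the device's own DHCP server
        ("192.168.1.10", "255.255.255.0"),    # ordinary /24 LAN
        ("192.168.1.10", "255.255.255.128"),  # .254 is in the other half of the /24
        ("192.168.1.200", "255.255.255.128"), # .254 is the last host of this /25
    ]
    for ip, mask in samples:
        address, ok, reason = expected_device_address(ip, mask)
        print(f"{ip}/{mask}: {'reachable' if ok else 'NOT reachable'} - {reason}")
```
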
With the factory settings and an activated DHCP server, the device forwards all incoming DNS requests to the internal Web server. This means that a connection can easily be made to set up an unconfigured LANCOM by entering any name into a Web browser.

If the configuration computer does not retrieve its IP address from the LANCOM DHCP server, determine the current IP address of the computer (with Start > Run > cmd and command ipconfig at the prompt under Windows 2000 or Windows XP or Windows Vista, with Start > Run > cmd and command winipcfg at the prompt under Windows Me or Windows 9x, or with command ifconfig in the console under Linux). In this case, the LANCOM can be accessed with address x.x.x.254 (the “x”s stand for the first three blocks in the IP address of the configuration computer).

Network with DHCP server

If a DHCP server for the assignment of IP addresses is active in the LAN, an unconfigured LANCOM device disables its own DHCP server, switches to DHCP client mode and retrieves an IP address from the DHCP server in the LAN. However, this IP address is initially unknown and accessing the device depends on the name resolution:

If the LAN also has a DNS server for name resolution and this communicates the IP address/name assignment to the DHCP server, the device can be reached under name "- ", e.g. “-00a057xxxxxx”.

http://-00a05700094A

The MAC address on a sticker on the base of the device.

If there is no DNS server in the LAN, or if it is not coupled to the DHCP server, the device cannot be reached via the name. In this case the following options remain:

- Under LANconfig use the function "Find devices", or under WEBconfig use the "search for other devices" option from any other networked LANCOM.
- Use suitable tools to find out the IP address assigned to the LANCOM by DHCP and access the device directly using this IP address.
- Use the serial configuration interface to connect a computer running a terminal program to the device.

Login

When prompted for user name and password when accessing the device, enter your personal data in the appropriate fields. Observe the use of upper and lower case.

If you used the general configuration access, only enter the corresponding password. The user name field remains blank in this case.

As an alternative, the login dialog provides a link for an encrypted connection over HTTPS. Always use the HTTPS connection for increased security whenever possible.

Setup Wizards

The Setup Wizards allow quick and easy configuration of the most common device settings. Select the Wizard and enter the appropriate data on the following screens.

The settings are not stored in the device until inputs are confirmed on the last screen of the Wizard.

3.4 TCP/IP settings for PC workstations

It is extremely important to assign the correct addresses to all of the devices in the LAN. Also, all of these computers must know the IP addresses of two central stations in the LAN:

- Standard gateway – receives all packets which are not addressed to computers in the local network
- DNS server – translates network and computer names into their actual IP addresses.

The LANCOM VPN Router can fulfill the functions of a standard gateway and also of a DNS server. It can also operate as a DHCP server, which automatically assigns IP addresses to all of the computers in the LAN.
The correct TCP/IP configuration of a PC in the LAN depends essentially on the method used for assigning IP addresses in the LAN:

IP address allocation by a LANCOM

In this operating mode, a LANCOM uses DHCP to allocate not only an IP address to each PC in the LAN and WLAN (for devices with a radio module), but it also communicates its own IP address as the standard gateway and DNS server. For this reason, the PCs have to be set up to automatically retrieve their own IP address and those of the standard gateway and DNS server via DHCP.

IP address allocation by a separate DHCP server

In this case, the workstation PCs have to be set up to automatically retrieve their own IP address and those of the standard gateway and DNS server via DHCP. The DHCP server is to be programmed such that the IP address of the LANCOM is communicated to the PCs in the LAN as the standard gateway. The DHCP server should also communicate that the LANCOM is the DNS server.

Manual IP address assignment

If IP addresses in a network are statically assigned, then the IP address of the LANCOM is to be set as the standard gateway and DNS server in the TCP/IP configuration of each PC in the LAN.

Further information and help on the TCP/IP settings for your LANCOM VPN Router is available in the Reference Manual. For information on the network configuration of workstation PCs, refer to the documentation for the installed operating system.

4 Setting up Internet access

The LANCOM provides a central point of Internet access for all of the computers in the LAN.

The connection to the Internet provider can be established via the WAN connection which is connected to an ADSL or cable modem.

For models not equipped with a WAN connector, a LAN interface is configured as a DSLoL connector and is connected to a compatible ADSL modem.

The connection to the Internet provider can be established via any WAN connector, i.e. via ADSL, UMTS or ISDN (where available). Internet access via UMTS or ISDN can be used to back up an ADSL connection. When setting up Internet access via UMTS, please also take note of the information under the section → 'Setting up the UMTS profile'.

The connection to the Internet provider can be established via any WAN connector, i.e. via DSL or ISDN (where available). Internet access via ISDN can be used to back up a DSL connection.

Which WAN interface?

Setting up the Internet access is carried out with the help of a convenient Wizard. In the first step you select the WAN interface that is to be used for establishing the Internet connection.

To establish an Internet connection via the DSL interface, an external ADSL modem first has to be connected to one of the device's ETH ports. When setting up the Internet access, you define which ETH port the ADSL modem has been connected to.

Does the Setup Wizard know your Internet provider?

The Wizard is preset with access data for the principal Internet providers in your country and offers you a selection list. If you find your Internet provider in this list, then you generally do not have to enter any additional parameters to set up your Internet access. All that is required is the authentication data as supplied to you by your Internet provider.

Internet provider unknown

If the list in the Setup Wizard does not contain your provider, you will be asked step-by-step for all of the necessary data. This access data will have been supplied to you by your Internet provider.
Other connection options

In addition you can use the Wizard to activate or deactivate additional options (if supported by your Internet provider):

- Billing by time or flatrate – select the method by which you are billed by your Internet provider.
  - In case of billing by time, you can set the LANCOM to cut connections automatically if no data flows for a certain time (the hold time). You can also set up line polling that detects inactive remote sites very quickly and, in such cases, can close the connection before the hold time expires.
  - In case of flatrate billing you can also set up line polling to monitor the function of the remote site. Apart from that you can opt to keep flatrate connections permanently active ("keep-alive"). In case a connection should fail, it is re-established automatically.

Creating a backup connection to the Internet

The most common utilization of the backup solution is to provide an auxiliary Internet connection. When setting up an Internet connection, an additional option is to create a second connection to the Internet via an alternative WAN interface. If the primary Internet access is set up to operate via the ADSL interface, you can set up your backup connection to operate via UMTS or ISDN.

When configuring the backup connection you can set up an alternative provider, if available. This allows you not only to overcome problems with the physical line, but also problems in your provider's own network as well.

4.1 The Internet Connection Wizard

4.1.1 Instructions for LANconfig

Mark your device in the selection window. From the command line, select Extras > Setup Wizard.

In the selection menu, select the Setup Wizard, Set up Internet connection and confirm the selection with Next.

In the following windows you select your country, your Internet provider if possible, and you enter your access data.
Depending on availability the Wizard provides further options for your Internet connection.

After entering all of the necessary data the Wizard then offers you the option of setting up a backup connection. Select the corresponding WAN interface to be used for the backup connection and enter the relevant access data for the Internet connection. The Wizard then sets up the alternative Internet access and at the same time creates the necessary entries into the backup table and also in the PPP table for checking the Internet connection.

Please be aware that in the case of backup via UMTS, some of the services provided over the main Internet connection may not be available. Some UMTS service providers either prevent the use of VPN tunnels or VoIP applications or only allow them after payment of additional fees. Other providers assign IP addresses from an internal address range, so preventing applications that rely on public IP addresses from working. Please ask your UMTS provider for information on limitations that may apply.

The Wizard will inform you as soon as the entries are complete. Close the configuration with Finish.

LANconfig: Fast starting of the Setup Wizards

The fastest way of starting the Setup Wizards under LANconfig is to use the command button in the button bar.

4.1.2 Instructions for WEBconfig

Select the entry Set up Internet connection from the main menu.

In the following windows you select your country, your Internet provider if possible, and you enter your access data.

Depending on availability the Wizard provides further options for your Internet connection.

The wizard will inform you as soon as the entries are complete. Close the configuration with Finish.
5 Connecting two networks

Network connectivity, also known as LAN-LAN connectivity, with the LANCOM Router is used for interconnecting two local area networks. LAN-LAN connectivity can be implemented in two basic ways:

- VPN: Connecting LANs over VPN ensures that the Internet-based connection between the two LANs has high-security protection. Each LAN must be equipped with a VPN-capable router.
- ISDN: Connectivity based on ISDN uses a direct connection between the two LANs via an ISDN connection. Each LAN must be equipped with a router with an ISDN interface.

Setting up LAN-LAN connectivity is carried out with the familiar convenience of a Setup Wizard.

Always configure both ends

Both of the routers for LAN-LAN connectivity must be configured. Note that the configuration information at both ends must match.

The following instructions assume that LANCOM Routers are being operated at both ends. It is possible to set up network connectivity between routers from other manufacturers. However, this mixed configuration frequently requires far-reaching modifications to both devices. In cases like this refer to the Reference Manual.

Security aspects

Of course your LAN has to be protected from unauthorized access. For this reason, a LANCOM provides a range of security mechanisms that offer an outstanding level of protection.

- VPN: VPN-based connectivity relies on IPsec for transferring data. The encryption methods employed are 3-DES, AES or Blowfish.
- ISDN: Security for ISDN-based connectivity relies on password protection, a check of the ISDN number, and the call-back function.

The ISDN call-back function cannot be set up by Wizard, but in the Expert Configuration only. Refer to the reference manual for information on this.

5.1 Which details are necessary?
The Wizard asks you for all of the necessary details step by step. If possible, you should have all of this information to hand before you start the Wizard.

The significance of the information required by the Wizard can be explained by an example: Connectivity between a branch office and your main office. The two routers are named 'MAIN OFFICE' and 'BRANCH OFFICE'.

The following tables indicate which entries are to be made for each of the two routers. Paths show how the entries relate to one another.

5.1.1 General information

The following information is required for setting up LAN-LAN connectivity. The first column shows whether the information for network connectivity is required via VPN (simple method with pre-shared keys) and/or via ISDN.

For further information on VPN-based network connectivity by other methods, refer to the LANCOM Reference Manual.

| Connectivity | Entry | Gateway 1 | Gateway 2 |
|---|---|---|---|
| VPN | Does the remote site have an ISDN connection? | Yes/No | Yes/No |
| VPN | Type of local IP address | Static/dynamic | Static/dynamic |
| VPN | Type of remote IP address | Static/dynamic | Static/dynamic |
| VPN + ISDN | Name of the local device | 'MAIN OFFICE' | 'BRANCH OFFICE' |
| VPN + ISDN | Name of the remote site | 'BRANCH OFFICE' | 'MAIN OFFICE' |
| VPN + ISDN | ISDN-calling number of the remote device | (0123) 123456 | (0789) 654321 |
| VPN + ISDN | ISDN calling line ID of the remote device | (0789) 654321 | (0123) 123456 |
| VPN | Password for the secure transmission of the IP address | 'Secret' | 'Secret' |
| VPN | Shared Secret for encryption | 'Secret' | 'Secret' |
| VPN | IP address of remote device | '10.0.2.100' | '10.0.1.100' |
| VPN + ISDN | IP-network address of the remote network | '10.0.2.0' | '10.0.1.0' |
| VPN + ISDN | Netmask of the remote network | '255.255.255.0' | '255.255.255.0' |
| VPN + ISDN | Domain descriptor in the remote network | 'branch.company' | 'headquarter.company' |
| VPN | Hide own stations when accessing remote network (extranet VPN)? | Yes/No | Yes/No |
| ISDN | TCP/IP routing for accessing the remote network? | Yes/No | Yes/No |
| ISDN | IPX routing for accessing the remote network? | Yes/No | Yes/No |
| VPN + ISDN | NetBIOS routing for accessing the remote network? | Yes/No | Yes/No |
| VPN + ISDN | Name of a local workgroup (for NetBIOS only) | 'workgroup1' | 'workgroup2' |
| ISDN | Data compression | On/off | On/off |
| ISDN | Channel bundling | On/off | On/off |

Notes on the different settings:

- If your own device features an ISDN connection, the Wizard will ask you whether the remote site also has one.
- For VPN connections over the Internet, the type of IP address at each end must be specified. There are two types of IP address: static and dynamic. The differences between these two IP address types are explained in the Reference Manual.
- The Dynamic VPN function makes it possible to establish VPN connections between gateways with dynamic IP addresses, and not only between gateways with static (fixed) IP addresses. An ISDN connection is required to actively establish VPN connections to remote sites that use dynamic IP addresses.
- If you have not yet given a name to your LANCOM, the Wizard will ask you to enter a new name for your device. Entering a name will cause your LANCOM to be renamed. Ensure that you give different names to the two remote devices.
- The name of the remote site is required for identifying the devices.
- In the field ISDN number the telephone number of the remote ISDN site is specified. Enter the full telephone number for the remote site, including all necessary prefixes (e.g. area codes).
- The ISDN calling line ID specified is used to identify and authenticate the caller. If a LANCOM Router is called, it compares the ISDN calling line ID entered for the remote site to the ID that is actually received over the D channel from the caller. An ISDN ID generally consists of the country code and an MSN.
- The password for the ISDN connection is an alternative to the ISDN calling line ID. This is used to authenticate the caller if no ISDN calling line ID is received. The password must be entered identically at both ends. It is used for calls in both directions.
- The shared secret is the central password for the VPN connection's security. It must be entered identically at both ends.
- Data compression improves transmission speeds without incurring extra costs. This is completely different from the bundling of two ISDN channels by MLPPP (MultiLink-PPP): bundling doubles the bandwidth, although this generally doubles the connection costs as well.

5.1.2 Settings for the TCP/IP router

In the TCP/IP network, correct addressing is of extreme importance. For network connectivity, it should be observed that both networks are logically separated. For this reason they require their own network number (e.g. '10.0.1.x' and '10.0.2.x'). The two network numbers must be different.

[Figure: LAN at the main office (IP: 10.0.1.0, netmask: 255.255.255.0; addresses shown: 10.0.1.2, 10.0.1.100; ISDN number (0123) 123456; label 'server.main_office.com') linked by a VPN or ISDN connection to the branch office LAN (IP: 10.0.2.0, netmask: 255.255.255.0; addresses shown: 10.0.2.10, 10.0.2.100; ISDN number (0789) 654321; domain: 'branch_office.com')]

Unlike with Internet access, network connectivity makes all of the IP addresses visible in all participating networks, including those in the remote LAN, and not just that of the router. The computer with the IP address 10.0.2.10 in the branch-office LAN sees the server 10.0.1.2 at the main office and, with the appropriate rights, has access to it. The same applies in the other direction.

DNS access to the remote LAN

Remote computers in a TCP/IP network can be accessed not only with their IP addresses, but also by freely definable names with the aid of DNS.

For example, the computer named 'pc1.branch_office.company' (IP 10.0.2.10) can access the server at the main office by using its IP address or the name 'server.main_office.company'. There is just one requirement: The domain of the remote network must be entered into the Wizard.

The domain can only be specified in the LANconfig Wizard. With WEBconfig, the necessary changes are made later in the Expert Configuration. Refer to the LANCOM Router reference manual for more detailed information.

VPN extranet

In the case of LAN-LAN connectivity via VPN, you can mask the individual computers behind another IP address. The operating mode referred to as 'extranet VPN' enables computers to be made visible from the remote LAN not with their own IP address, but with a freely definable address such as that of the VPN gateway. This avoids giving stations in a remote LAN direct access to the computers in your own LAN.

For example, if extranet VPN mode is set up to provide access from the branch-office LAN to the main office from the IP address '10.10.2.100', and computer '10.10.2.10' then accesses the server '10.10.1.2', the server receives a request from the IP '10.10.2.100'. The actual address of the computer is masked.

If LAN connectivity uses the extranet mode, the remote site does not receive the actual (masked) LAN addresses, but the IP address published by the LAN ('10.10.2.100' in the above example). The netmask in this case is '255.255.255.255'.

5.1.3 Settings for the IPX router

VPN-based IPX-network connectivity cannot be set up in the Wizard. The Expert Configuration has to be used instead. Refer to the reference manual for information on this.
Only LANCOM 821+

For connectivity between two typical IPX networks via a WAN, three IPX network numbers are necessary:

- For the LAN at the main office
- For the LAN at the branch office
- For the superordinate WAN

The IPX network numbers for the main and branch office are each entered at their respective opposite sites.

[Figure: IPX internal net: 00020002; WAN IPX network no.: 00000009 (VPN or ISDN connection); LAN at the main office, (0123) 123456, IPX network no.: 00000001, binding: Ethernet_II; LAN at the branch office, (0789) 654321, IPX network no.: 00000002, binding: Ethernet_II.]

According to IPX convention, the three necessary network numbers are referred to as "external network numbers". Similar to IP network addresses, they apply for an entire LAN segment. Conversely, the IPX internal network numbers are for addressing a particular Novell server in the LAN. All three of these network numbers must differ not only from one another but also from all IPX internal network numbers being used.

Furthermore, it may be necessary to specify the frame type (binding) used in the remote LAN.

If a Novell server is operated in the remote network, it is not necessary to specify the remote IPX network number or the binding. In this case, the only requirement is the manual entry of the network number for the WAN.

5.1.4 Settings for NetBIOS routing

NetBIOS routing is quick to set up: in addition to specifying the TCP/IP protocol being used, the only other information required is the name of a Windows workgroup in the LAN used by the router.

Remote Windows workgroups do not appear in the Windows network environment, but they can be contacted directly (e.g. by searching for a computer of known name).

5.2 Instructions for LANconfig

Carry out the configuration on both routers, one after the other.

- Launch the Wizard 'Connect two local area networks'. Follow the Wizard’s instructions and enter the necessary data.
- The Wizard will inform you when the required information is complete. You can then close the Wizard with Finish.
- Once you have completed the set-up of both routers, you can start testing the network connection. Try to communicate with a computer in the remote LAN (e.g. with ping). The LANCOM Router should automatically connect to the remote site and make contact with the requested computer.

Ping – the quick test of a TCP/IP connection

To test a TCP/IP connection, simply send a ping from your computer to a computer in the remote network. Details on the ping command are available from the documentation for your operating system. IPX connections can be tested by searching for a remote Novell server. NetBIOS connections can be tested by searching for a computer in the remote Windows workgroup.

5.3 1-Click-VPN for networks (site-to-site)

The site-to-site connectivity of networks is now very simple with the help of the 1-Click-VPN wizard. It is even possible to simultaneously couple multiple routers to a central network.

- In LANconfig, mark the routers at branch offices which are to be coupled to a central router via VPN.
- Use drag&drop by mouse to place the devices onto the entry for the central router.
- The 1-Click-VPN Site-to-Site Wizard will be started. Enter a name for this access and select the address under which the router is accessible from the Internet.
- Select whether connection establishment is to take place via the name or IP address of the central router, or via an ISDN connection. Enter the address or name of the central router, or its ISDN number.
- The final step is to define how the networks are to intercommunicate:
  - The INTRANET at headquarters only is to be provided to the branch offices.
  - All private networks at the branch offices can also be connected to one another via headquarters.

All entries for the central device are made just once and are then stored to the device properties.

5.4 Instructions for WEBconfig

In WEBconfig, VPN-based network connectivity cannot be set up in the Wizard. The Expert Configuration has to be used instead. Refer to the reference manual for information on this.

Carry out the configuration on both routers, one after the other.

- In the main menu, launch the Wizard 'Connect two local area networks'. Follow the Wizard’s instructions and enter the necessary data.
- The Wizard will inform you when the required information is complete. You can then close the Wizard with Next.
- Once you have completed the set-up of both routers, you can start testing the network connection. Try to communicate with a computer in the remote LAN (e.g. with ping). The LANCOM Router should automatically connect to the remote site and make contact with the requested computer.

6 Providing dial-in access

Your LANCOM can be set up with dial-in access accounts enabling individual computers to dial in to your LAN and fully participate in the network for the duration of the connection. This service is called RAS (Remote Access Service). RAS access can be implemented in two basic ways:

- VPN: RAS access via VPN provides a highly secure Internet-based connection between the LAN and the dial-in computer. The router in the LAN must support VPN; the dial-in computer needs any form of Internet access and a VPN client.
- ISDN: RAS access via ISDN provides a direct connection between the LAN and the dial-in computer over an ISDN phone line. The router in the LAN needs an ISDN interface. The dial-in computer needs an ISDN adapter or an ISDN modem.

The protocol used for data transfer is PPP. This ensures that all normal devices and operating systems are supported.

Setting up dial-in access is carried out with the familiar convenience of a Setup Wizard.

Security aspects

Of course your LAN has to be protected from unauthorized access. For this reason, a LANCOM provides a range of security mechanisms that offer an outstanding level of protection.

- VPN: VPN-based connectivity relies on IPsec for transferring data. The encryption methods employed are 3-DES, AES or Blowfish.
- ISDN: Security for ISDN-based connectivity relies on password protection, a check of the ISDN number, and the call-back function.

The ISDN call-back function cannot be set up by Wizard, but in the Expert Configuration only. Refer to the reference manual for information on this.

6.1 Which details are necessary?

The Wizard sets up an access account for just one user. For additional users, launch the Wizard again.

6.1.1 General information

The following information is required for setting up RAS access. The first column shows whether the information for RAS access is required via VPN (simple method with pre-shared keys) and/or via ISDN. For further information on RAS access by other methods, refer to the LANCOM Reference Manual.

Connectivity | Entry
VPN + ISDN | User name
VPN + ISDN | Password
VPN | Shared Secret for encryption
VPN | Hide own stations when accessing remote network (extranet VPN)?
ISDN | Incoming caller ID number of the dial-in computer
ISDN | TCP/IP routing for accessing the remote network?
ISDN | IPX routing for accessing the remote network?
VPN + ISDN | IP address(es) for one or more dial-in computer(s): Fixed or dynamic from the IP address pool
VPN + ISDN | NetBIOS routing for accessing the remote network?
VPN + ISDN | Name of a local workgroup (for NetBIOS only)

Notes on the different settings:

- User name and password: This access data serves to identify the user when dialing in.
- Incoming number: The optional ISDN calling line ID is used by the LANCOM Router for additional user authentication. This security function should not be employed if the user will be dialing in from various ISDN connections.

You will find information on the other parameters required for RAS access in the chapter 'Connecting two networks'.

The ISDN calling line ID (CLI)

The CLI is ideal for authentication for two reasons:

- It is difficult to manipulate.
- It is transmitted free of charge via the ISDN D-channel.

6.1.2 Settings for TCP/IP

TCP/IP requires that every active RAS user is assigned an IP address.

[Figure: LAN at the main office (IP: 10.0.1.0; 10.0.1.100, (0123) 123456) linked by a VPN or ISDN connection to the remote computer (IP: 10.0.1.101; ISDN adapter, (0123) 777888; user: 'SMITH').]

This IP address can be manually set to a fixed value when the user is created. A simpler option is to allow the LANCOM Router to assign the user a free IP address when dialing in. In this case, all you have to do is set the range of IP addresses which are to be available for assignment to the RAS users by the LANCOM Router.

For both manual and automatic IP address assignment, ensure that the addresses are freely available in your local network. In our example, the PC is assigned the IP address '10.0.1.101' when it dials in.

This IP address allows the PC to fully participate in the LAN: with the appropriate rights, it can access any other device in the LAN. This relationship also applies in the other direction: the remote PC can be accessed from the LAN.
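The two addressing rules stated above (the coupled LANs need different network numbers, and RAS addresses must be free in the local network) can be checked before the Wizard is run. The following Python script is an added example, not LANCOM code: the pool range 10.0.1.101 to 10.0.1.110 and the inventory of addresses in use are assumptions built around the manual's sample values, and the overlap test goes slightly beyond "different network numbers" by also catching netmasks that make one LAN contain the other.

```python
import ipaddress
from itertools import combinations

# Networks from the manual's example (network number / netmask).
SITES = {
    "main_office": "10.0.1.0/255.255.255.0",
    "branch_office": "10.0.2.0/255.255.255.0",
}
# Constructed inventory of the main-office LAN (assumed roles).
IN_USE_MAIN = {
    "10.0.1.2": "server",
    "10.0.1.100": "LANCOM Router",
}
# Assumed pool for dial-in users; the manual only shows 10.0.1.101 being assigned.
RAS_POOL = ("10.0.1.101", "10.0.1.110")


def overlapping_sites(sites):
    """Return name pairs whose LANs overlap and so cannot be told apart by routing."""
    nets = {name: ipaddress.ip_network(spec) for name, spec in sites.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]


def ras_pool_problems(lan, first, last, in_use):
    """List every address in first..last that must not be given to a dial-in user."""
    net = ipaddress.ip_network(lan)
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if lo > hi:
        return [f"pool start {lo} is above pool end {hi}"]
    taken = {ipaddress.ip_address(a): owner for a, owner in in_use.items()}
    problems = []
    for value in range(int(lo), int(hi) + 1):
        addr = ipaddress.ip_address(value)
        if addr not in net:
            problems.append(f"{addr} is outside {net}")
        elif addr in (net.network_address, net.broadcast_address):
            problems.append(f"{addr} is the network or broadcast address of {net}")
        elif addr in taken:
            problems.append(f"{addr} is already used by {taken[addr]}")
    return problems


def check_plan(sites, lan, pool, in_use):
    """Combine both checks into one list of findings (empty means consistent)."""
    findings = [f"{a} and {b} overlap" for a, b in overlapping_sites(sites)]
    findings += ras_pool_problems(lan, pool[0], pool[1], in_use)
    return findings


if __name__ == "__main__":
    report = check_plan(SITES, SITES["main_office"], RAS_POOL, IN_USE_MAIN)
    for line in report or ["address plan is consistent"]:
        print(line)
```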
The ISDN Calling Line Identity (CLI) is the phone number of the calling party as transmitted to the called party. This is a number generally made up of the national dial code and an MSN.

6.1.3 Settings for IPX

Only LANCOM 821+

For RAS dial-in to an IPX network, two IPX network numbers have to be specified:

- The IPX network number of the main office
- An additional IPX network number for the superordinate WAN

[Figure: IPX internal net: 00020002; WAN IPX network no.: 00000009 (VPN or ISDN connection); LAN at the main office, (0123) 123456, IPX network no.: 00000001, binding: Ethernet_II; remote computer with ISDN adapter, (0123) 777888, user: 'SMITH'.]

According to IPX convention, the necessary network numbers are referred to as "external network numbers". Similar to IP network addresses, they apply for an entire LAN segment. Conversely, the IPX internal network numbers are for addressing Novell servers in the LAN. All three of these network numbers must differ not only from one another but also from all IPX internal network numbers being used.

Furthermore, it may be necessary to specify the frame type (binding) used in the remote LAN.

If a Novell server is operated in the remote network, it is not necessary to specify the remote IPX network number or the binding. In this case, too, a network number for the WAN must be specified manually.

6.1.4 Settings for NetBIOS routing

When working with NetBIOS, the only information required is the name of a Windows workgroup in the LAN used by the router.

The connection is not established automatically. The RAS user first has to manually establish a connection to the LANCOM Router with the help of Dial-Up Networking. Once the connection has been established, the computer can access and search the other network (click on Search Computer, do not use the Network Neighborhood).
6.2 Settings on the dial-in computer

6.2.1 Dialing-in via VPN

For dialing in to a network via VPN, a computer needs:

- Internet access
- A VPN client

LANCOM Systems offers you a 30-day test version of the LANCOM Advanced VPN Client on the CD supplied. A precise description of the VPN client and notes on its setup are also to be found on the CD. The Wizard then requests the parameters that were specified when setting up the RAS access in the LANCOM Router.

6.2.2 Dialing-in via ISDN

A number of settings are required by the dial-in computer. This example is based on a Windows computer.

- Dial-Up Networking (or any other PPP client) installed correctly
- Network protocol (TCP/IP, IPX) installed and associated with the dial-up adapter
- New connection in Dial-Up Networking with the phone number of the router
- Terminal adapter or ISDN card set up for PPPHDLC
- PPP selected as the dial-up server type, 'Activate compression in software' and 'Request encrypted password' switched off
- Select the required network protocols (TCP/IP, IPX)
- Additional TCP/IP settings:
  - Assignment of IP address and name server address activated
  - 'IP header compression' deactivated

With these settings, a PC can dial in to the remote LAN and access the network resources in the usual manner.

6.3 Instructions for LANconfig

- Launch the 'Provide Remote Access (RAS, VPN, IPsec over WLAN)' Wizard. Follow the Wizard’s instructions and enter the necessary data.
- The Wizard will inform you when the required information is complete. You can then close the Wizard with Finish.
- Configure the access account on the dial-in PC as described. Subsequently test the connection (see box 'Ping – the quick test of a TCP/IP connection').

6.4 1-Click-VPN for LANCOM Advanced VPN Client

VPN accesses for employees who dial into the network with the LANCOM Advanced VPN Client are very easy to set up with the Setup Wizard and can be exported to a file. This file can then be imported as a profile by the LANCOM Advanced VPN Client. All of the information about the LANCOM VPN Router's configuration is also included, and then supplemented with randomly generated values (e.g. for the preshared key).

- Use LANconfig to start the 'Set up a RAS Account' wizard and select the 'VPN connection'.
- Activate the options 'LANCOM Advanced VPN Client' and 'Speed up configuration with 1-Click-VPN'.
- Enter a name for this access and select the address under which the router is accessible from the Internet.
- In the final step you can select how the access data is to be entered:
  - Save profile as an import file for the LANCOM Advanced VPN Client
  - Send profile via e-mail
  - Print out profile

Sending a profile via e-mail could be a security risk should the e-mail be intercepted en route!

To send the profile via e-mail, the device configuration must be set up with an SMTP account with the necessary access data. Further, the configuration computer requires an e-mail program that is set up as the standard e-mail application and that can be used by other applications to send e-mails.

When setting up the VPN access, certain settings are made to optimize operations with the LANCOM Advanced VPN Client, including:

- Gateway: If defined in the LANCOM VPN Router, a DynDNS name is used here, or alternatively the IP address.
- FQDN: Combination of the name of the connection, a sequential number and the internal domain in the LANCOM VPN Router.
- Domain: If defined in the LANCOM VPN Router, the internal domain is used here, or alternatively a DynDNS name or IP address.
- VPN IP networks: All IP networks defined in the device as type 'Intranet'.
- Preshared key: Randomly generated key 16 ASCII characters long.
- Connection medium: The LAN is used to establish connections.
- VoIP prioritization: VoIP prioritization is activated as standard.
- Exchange mode: The exchange mode to be used is 'Aggressive Mode'.
- IKE config mode: The IKE config mode is activated; the IP address information for the LANCOM Advanced VPN Client is automatically assigned by the LANCOM VPN Router.

6.5 Instructions for WEBconfig

- In the main menu, launch the Wizard 'Provide remote access (RAS)'. Follow the Wizard’s instructions and enter the necessary data.
- Configure the access account on the dial-in PC as described. Subsequently test the connection (see box 'Ping – the quick test of a TCP/IP connection').

7 Fax transmission with LANCAPI

LANCAPI from LANCOM Systems is a specialized version of the widespread ISDN CAPI interface. CAPI stands for Common ISDN Application Programming Interface and it links ISDN adapters and communications software. This software in turn provides the computer with office-communications functions such as a fax or answering machine.

The chief benefit of using LANCAPI is economic. LANCAPI provides all of the Windows workstations in a LAN with unlimited access to ISDN office-communication functions such as fax, answering machine, online banking, and Eurofile transfer. Without any additional hardware, every workstation can make use of the full range of ISDN functions provided via the network. This completely dispenses with the need to equip workstations with expensive equipment such as ISDN adapters or modems. The sole requirement is to install the office-communication software on each workstation.

[Figure labels: PCs with fax software; Fax; ISDN; ISDN adapter.]

LANCAPI from LANCOM equips workstation PCs with a convenient fax transmission facility without having a fax machine connected to them. A number of components must be installed on the computer to support this:

- The LANCAPI client. This sets up the connection between your workstation PC and the LANCAPI server.
- The LANCOM CAPI Faxmodem. This tool simulates a fax machine on your computer.
- The MS Windows Fax Service. This is the interface between the fax applications and the virtual fax.

[Figure labels: PCs with fax software, LANCAPI client, CAPI Faxmodem and MS Windows Fax Service; LAN; LANCOM with LANCAPI server; ISDN; Fax.]

Installing the LANCAPI client is described in the Reference Manual. This chapter deals with installing and configuring the LANCOM CAPI Faxmodem and MS Windows Fax Service.

7.1 Installing the LANCOM CAPI Faxmodem

- From the setup program on your LANCOM CD, select the entry LANCOM software installation.
- Select the option CAPI Faxmodem, click on Next and follow the instructions of the installation routine.

After successful installation, the LANCOM CAPI Fax Modem is entered into the Control Panel under Phone and modem options.

7.2 Installing the MS Windows Fax Service

- Go to the Control Panel and select the option Printers and faxes.
- In the Printers and faxes window select the option Install a local fax printer. Then follow the instructions provided by the installation tool. In the current window, an icon for the new fax printer appears.
- To check the installation, click with the right-hand mouse key on the fax icon and select Properties. The LANCOM CAPI Faxmodem should be entered on the 'Devices' tab.

7.3 Sending a fax

After installing the necessary components, there are a number of ways to send a fax from your computer. If you have a file ready to send, you can send this straight from its application. On the other hand, if you just want to send a short note, you can use the MS Windows Fax Service itself. Alternatively you can use any fax program.

7.3.1 Sending faxes from an office application

- Open your document in the usual manner with your office application and select the menu item File/Print.
- Define the fax device as the printer.
- Click on “OK”. A Wizard is displayed that guides you through the rest of the procedure.

7.3.2 Sending faxes with the Windows Fax Service

- Go to the Control Panel and open the Printers and faxes dialog.
- Double-click with the left-hand mouse key on the fax-device icon. The fax client console opens up.
- Select the menu item Send file/fax. A Wizard guides you through the remaining procedure.

8 Security settings

Your LANCOM features numerous security functions. This chapter provides you with all of the information you need to optimally protect your device.

You can carry out the configuration of security settings very quickly and conveniently with the Security Wizards in LANconfig and WEBconfig.

8.1 Security settings Wizard

Access to the configuration of a device allows access to more than just critical information (e.g. Internet password). Far more critical is that settings for security functions (e.g. the firewall) can be altered. Unauthorized access is not just a risk for the device itself, but for the entire network.

Your LANCOM offers password-protected access to its configuration. This is activated during the initial basic configuration simply by entering a password.

If the wrong password is entered a certain number of times, the device automatically blocks access to the configuration for a fixed period. You can modify the critical number of attempts and also the duration of the lock. By default, the device locks for five minutes after five incorrect entries of the password.
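How the two lock parameters bound password guessing can be worked out before changing them. The Python model below is an added example, not LANCOM firmware code: the class and function names are hypothetical, and it assumes that the failure counter resets on a successful login and when a lock starts, and that a correct password is also refused while the lock is active.

```python
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class LockPolicy:
    max_failures: int = 5     # manual's default: five incorrect entries
    lock_seconds: int = 300   # manual's default: five minutes


class ConfigLogin:
    """Hypothetical model of a configuration login protected by a lock-out."""

    def __init__(self, password, policy=LockPolicy()):
        self._password = password.encode()
        self.policy = policy
        self.failures = 0
        self.locked_until = 0

    def attempt(self, now, candidate):
        """Return 'locked', 'ok' or 'wrong' for a login at time `now` (seconds)."""
        if now < self.locked_until:
            return "locked"  # assumption: even the right password is refused
        if hmac.compare_digest(candidate.encode(), self._password):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.policy.max_failures:
            self.locked_until = now + self.policy.lock_seconds
            self.failures = 0
        return "wrong"


def replay(policy, attempts, password="constructed-Passw0rd"):
    """Run (time, candidate) pairs through a fresh login and return the outcomes."""
    login = ConfigLogin(password, policy)
    return [login.attempt(now, candidate) for now, candidate in attempts]


def guesses_per_day(policy):
    """Ceiling on evaluated guesses in 24 h: one burst of max_failures per lock period."""
    if policy.lock_seconds <= 0:
        return float("inf")  # no lock, so no ceiling
    bursts = -(-86400 // policy.lock_seconds)  # ceiling division
    return bursts * policy.max_failures


def days_to_try(policy, candidates):
    """Days needed to submit `candidates` guesses at the ceiling rate."""
    return candidates / guesses_per_day(policy)


# Constructed sample: one wrong guess per second for ten minutes.
FLOOD = [(second, f"guess{second}") for second in range(600)]

if __name__ == "__main__":
    for policy in (LockPolicy(), LockPolicy(max_failures=3, lock_seconds=900)):
        outcomes = replay(policy, FLOOD)
        print(policy, "evaluated:", outcomes.count("wrong"),
              "refused:", outcomes.count("locked"),
              "days for 10000 candidates:", round(days_to_try(policy, 10000), 2))
```

The lock slows guessing to a fixed ceiling but does not stop it, so the password itself still has to be outside any list an attacker can work through at that rate.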
Along with these basic settings, you can use the Security settings Wizard to check the settings of your wireless network (if so equipped).

8.1.1 LANconfig Wizard

- Mark your LANCOM in the selection window. From the command line, select Extras > Setup Wizard.
- In the selection menu, select the Setup Wizard 'Check security settings' and confirm the selection with Next.
- In the dialogs that follow you can set the password and select the protocols to be available for accessing the configuration from local and remote networks.
- In a subsequent step, you can set parameters for locking the configuration such as the number of incorrect password entries and the duration of the lock.
- For the firewall, you can activate stateful inspection, ping blocking, and the stealth mode.
- The Wizard will inform you as soon as the entries are complete. Close the configuration with Finish.

8.1.2 WEBconfig Wizard

With WEBconfig you have the option to launch the 'Check security settings' Wizard to check and change any settings. The following values are edited:

- Device password
- The protocols to be available for accessing the configuration from local and remote networks
- The parameters for locking the configuration (the number of incorrect password entries and the duration of the lock)

8.2 The security checklist

The following checklists provide an overview of all security settings that are important to professionals. Most of the points in this checklist are uncritical for simple configurations. In these cases, the security settings in the basic configuration or those set with the Security Wizard are sufficient.

Detailed information about the security settings mentioned here is to be found in the reference manual.

Have you protected the configuration with a password?

The simplest way of protecting the configuration is to agree upon a password. If no password has been agreed for the device, the configuration is open to be changed by anybody. The field for entering the password is to be found in LANconfig in the 'Management' configuration area on the 'Security' tab. It is absolutely imperative to assign a password to the configuration if you want to enable remote configuration!

Have you permitted remote configuration?

If you do not require remote configuration, please ensure that it is switched off. If you need to make use of remote configuration, ensure that you do not fail to password-protect the configuration (see the section above). The field for disabling remote configuration is to be found in LANconfig in the 'Management' configuration area on the 'Security' tab. Under ‘Access rights – From remote networks’ select the option ‘denied’ for all methods of configuration.

Have you password-protected the SNMP configuration?

Protect the SNMP configuration with a password too. The field for password-protecting the SNMP configuration is also to be found in LANconfig in the 'Management' configuration area on the 'Security' tab.

Have you activated the firewall?

The stateful inspection firewall of LANCOM devices ensures that your local network cannot be attacked from the outside. Activate the firewall in LANconfig under 'Firewall/QoS' on the 'General' tab.

Note that firewall security mechanisms (incl. IP masquerading, port filters, access lists) are active only for data connections that are transmitted via the IP router. Direct data connections via the bridge are not protected by the firewall!

Are you using a 'deny all' firewall strategy?

Maximum security and control is initially achieved by denying all data traffic from passing the firewall. The only connections to be accepted by the firewall are those that are to be explicitly permitted. This ensures that Trojan horses and certain types of e-mail virus are denied communication to the outside.
Activate the firewall rules in LANconfig under 'Firewall/QoS' on the 'Rules' tab. Instructions on this are to be found in the reference manual.

Have you activated IP masquerading?

IP masquerading refers to the concealment of local computers while they access the Internet. All that is revealed to the Internet is the IP number of the router module of the device. The IP address can be fixed or dynamically assigned by the provider. The computers in the LAN then use the router as a gateway and are not visible themselves. The router separates the Internet from the intranet like a wall. The application of IP masquerading is set in the routing table for every route individually. The routing table can be found in LANconfig in the configuration area 'IP router' on the 'Routing' tab.

Have you used filters to close critical ports?

The firewall filters in LANCOM devices offer filter functions for individual computers or entire networks. It is possible to set up source and destination filters for individual ports or port ranges. Furthermore, filters can be set for individual protocols or any combination of protocols (TCP/UDP/ICMP). It is especially convenient to set up the filters with the aid of LANconfig. Under 'Firewall/QoS', the 'Rules' tab contains the functions for defining and editing filter rules.

Have you excluded certain stations from accessing the device?

A special filter list can be used to limit access to the device's internal functions via TCP/IP. The phrase "internal functions" refers to configuration sessions via LANconfig, WEBconfig, Telnet or TFTP. As standard this table contains no entries, meaning that computers with any IP address can use TCP/IP and Telnet or TFTP to commence accessing the device.
The first time an IP address is entered with its associated netmask, the filter is activated and only the IP addresses contained in this entry are entitled to make use of internal functions. Further entries can be used to extend the circle of authorized parties. The filter entries can describe individual computers or even entire networks. The access list can be found in LANconfig in the configuration area 'TCP/IP' on the 'General' tab.

Do you store your saved LANCOM configuration in a safe location?

Protect your saved configurations in a location that is safe from unauthorized access. Otherwise, by way of example, an unauthorized person may load your stored configuration file into another device and access the Internet at your expense.

Have you activated the protection of your WAN access in case the device is stolen?

After being stolen, the device can theoretically be operated at another location by unauthorized persons. Password-protected device configurations do not stop third parties from operating RAS access, LAN connectivity or VPN connections that are set up in the device: a thief could gain access to a protected network.

The device’s operation can be protected by various means; for example, it will cease to function if there is an interruption to the power supply, or if the device is switched on in another location.

- The scripting function can store the entire configuration in RAM only so that restarting the device will cause the configuration to be deleted. The configuration is not written to the non-volatile flash memory. A loss of power because the device has been relocated will cause the entire configuration to be deleted (for further information see the reference manual).
- With the ISDN location verification, the device can only be operated at one particular ISDN connection. After being switched on, the device calls itself at the corresponding telephone number to check that it is still connected to the “correct” ISDN connection (for further information see the reference manual).

Have you ensured that the reset button is safe from accidental configuration resets?

Some devices simply cannot be installed under lock and key. There is consequently a risk that the configuration will be deleted by mistake if a co-worker presses the reset button too long. The behavior of the reset button can be set so that a press is either ignored or causes a restart, depending on the time for which it is held pressed.

9 Advice & assistance

See this chapter for first-aid assistance if some of the typical problems should occur.

9.1 No WAN connection can be established

After starting, the router attempts automatically to connect to the Internet provider. During this phase, the Internet-connection status LED blinks green. If successful, this LED switches to constant green. If contact cannot be made, the Online LED illuminates red. This is generally due to one of the following causes:

Problems with the cabling?

For the DSL connection, use only the connector cable supplied. This cable must be connected to the Ethernet connector of the DSL modem or the network connector. The LED for the WAN connection must illuminate in green to show that it is physically connected.

Is the correct transmission protocol selected?

The transmission protocol is defined with the basic settings. The Basic Settings Wizard actually sets the correct protocol for a wide variety of DSL providers. If your DSL provider is unknown to the Wizard you have to set the protocol yourself. The protocol specified by your DSL provider should work without problem.
You can check and adjust your protocol settings under:

Configuration tool   Call
LANconfig            Communication > General > Communication layers
WEBconfig            Expert configuration > Setup > WAN module > Layer list

9.2 DSL data transfer is slow

The data transfer rate of a broadband (Internet) DSL connection is dependent upon numerous factors, most of which are outside of one's own sphere of influence. Important factors aside from the bandwidth of one's own Internet connection are the Internet connection and current load of the desired target. Numerous other factors involving the Internet itself can also influence the transfer rate.

If the actual transfer rate of a DSL connection is significantly below the fastest rate listed by the provider, there are only a few possible causes (apart from the above-mentioned external factors) which may involve one's own equipment.

Increasing the TCP/IP window size under Windows

One common problem occurs when large amounts of data are sent and received simultaneously with a Windows PC using an asynchronous connection. This can cause a severe decrease in download speed. The cause of this problem is what is known as the TCP/IP receive window size of the Windows operating system, which is set to a value too small for asynchronous connections.

Instructions on how to increase the window size can be found in the Knowledge Base of the support section of the LANCOM web site (www.lancom.eu).

9.3 Unwanted connections under Windows XP

Windows XP computers attempt to compare their clocks with a timeserver on the Internet at start-up. This is why, when a Windows XP computer in the WLAN is started, a connection to the Internet is established by the LANCOM.

To resolve this issue, you can turn off the automatic time synchronization on the Windows XP computers under Right mouse click on the time of day > Properties > Internet time.

9.4 Cable testing

A cabling defect might have occurred if no data is transmitted over a LAN or WAN connection although the configuration of the devices does not show any discernible errors. You can test the cabling with the built-in cable tester of your LANCOM.

In WEBconfig, change to the menu item Expert configuration > Status > LAN statistics > Cable test. Enter here the name of the interface to be tested (e.g. "DSL1" or "LAN-1"). Pay attention to the correct spelling of the interfaces. Start the test for the specified interface by clicking on Execute.

Then change to the menu item Expert configuration > Status > LAN statistics > Cable test results. The results of the cable test for the individual interfaces are shown in a list. The following results can occur:

OK: Cable plugged in correctly, line ok.
open with distance "0m": No cable plugged in or interruption within less than 10 meters distance.
open with indication of distance: Cable is plugged in, but defective (short-circuited) at the indicated distance.
Impedance error: The pair of cables is not terminated with the correct impedance at the other end.

10 Appendix

10.1 Performance data and specifications

Models: LANCOM 821+, LANCOM 1721+ VPN, LANCOM 1711+ VPN

Connections
  Ethernet LAN: 4x 10/100Base-TX, auto sensing, switch with node/hub auto sensing
  WAN/ADSL:
    ADSL over ISDN as per ITU G.992.1 Annex B (compatible to U-R2 connections of the Deutsche Telekom) or ADSL over POTS as per ITU G.992.1 Annex A
    ADSL over ISDN as per ITU G.992.3, ITU G.992.5 Annex B (ADSL2+) or ADSL over POTS as per ITU G.992.3 and ITU G.992.5 Annex A
    10/100Base-TX, auto sensing
  ISDN: ISDN S0 bus
  Outband: serial V.24/V.28 port (8 pol. mini DIN), in combination with LANCOM modem adapter kit suited for connection of external analogue or GSM modems

Power supply: 12V DC via external power supply. Permitted power supplies: NEST 12V/1A DC/S Hohlstkr 2.1/5.5mm (RoHS), LANCOM item no. 110524, type identification on the power supply "Type: 15.2230S"

Housing: 210 x 143 x 45 mm (W x H x D), rugged plastic case, connectors on the rear side, stackable, provision for wall mounting

Standards: EU (CE certification: EN 55022, EN 55024, EN 60950)

Environment / temperature range:
    Temperature range 0°C to +40°C at 80% max. humidity (non condensing)
    Temperature range 0°C to +55°C at 80% max. humidity (non condensing)

Options / Accessories:
    LANCOM VPN Option 25 channels (hardware accelerated, max. 25 simultaneous connections, 50 connections configurable) for VPN in WAN (Art. no. 60083)
    LANCOM Modem Adapter Kit for connecting modems (analogue or GSM) to the serial configuration interface (Art. no. 110288)
    LANCOM Rack Mount Option (Art. no. 61501)
    LANCOM Advanced VPN Client (Art. no. 61600)
    LANCOM Advanced VPN Client (10 bulk) (Art. no. 61601)
    LANCOM Advanced VPN Client (25 bulk) (Art. no. 61602)

10.2 Connector wiring

10.2.1 WAN interface

LANCOM 1711+ VPN only

8-pin RJ45 socket

Pin  IAE
1    T+
2    T-
3    R+
4    –
5    –
6    R-
7    –
8    –

10.2.2 ADSL interface

LANCOM 821+ and LANCOM 1721+ VPN only

6-pin RJ11 socket

Pin  IAE
1    –
2    –
3    a
4    b
5    –
6    –

10.2.3 ISDN-S0 interface

8-pin RJ45 socket (ISO 8877, EN 60603-7)

Pin  Line  IAE
1    –     –
2    –     –
3    T+    2a
4    R+    1a
5    R-    1b
6    T-    2b
7    –     –
8    –     –

10.2.4 Ethernet interface 10/100Base-T

8-pin RJ45 sockets (ISO 8877, EN 60603-7)

Pin  Line
1    T+
2    T-
3    R+
4    –
5    –
6    R-
7    –
8    –

10.2.5 Configuration interface (outband)

8-pin Mini DIN socket

Pin  Line
1    CTS
2    RTS
3    RxD
4    RI
5    TxD
6    DSR
7    DCD
8    DTR
U    GND

10.3 Declaration of conformity

LANCOM Systems herewith declares that the devices of the type described in this documentation are in agreement with the basic requirements and other relevant regulations of the 1995/5/EC directive.

The CE declarations of conformity for your device are available in the appropriate product area on the LANCOM Systems web site (www.lancom.eu).
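The access list described in the security checklist (the first IP address and netmask entry activates the filter, after which only listed addresses may use internal functions) can be checked on paper before it is entered into the device. The Python below is an added example, not part of the LANCOM manual or of LCOS: the function names, the 256-address threshold and the sample addresses are assumptions, and it models the filter only as far as the checklist describes it.

```python
import ipaddress

def parse_entries(entries):
    """Convert (ip, netmask) pairs into (network, host_bits_set) tuples."""
    parsed = []
    for ip, mask in entries:
        iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
        # Host bits outside the mask usually indicate a typo in address or mask.
        # Assumption: this model treats such an entry as the enclosing network.
        parsed.append((iface.network, iface.ip != iface.network.network_address))
    return parsed

def is_allowed(source_ip, entries):
    """Model of the filter: an empty list is inactive, otherwise allow-list only."""
    nets = [net for net, _ in parse_entries(entries)]
    if not nets:
        return True
    return any(ipaddress.IPv4Address(source_ip) in net for net in nets)

def audit(entries, admin_hosts, max_addresses=256):
    """Return findings for a proposed access list before it is applied."""
    findings = []
    if not entries:
        findings.append("inactive: no entry, every source may use internal functions")
    for host in admin_hosts:
        # The first entry activates the filter, so an uncovered admin host is locked out.
        if not is_allowed(host, entries):
            findings.append(f"lock-out: {host} is not covered by any entry")
    for net, host_bits in parse_entries(entries):
        if host_bits:
            findings.append(f"host-bits: entry was widened to {net}")
        if net.num_addresses > max_addresses:
            findings.append(f"broad: {net} admits {net.num_addresses} addresses")
    return findings

# Constructed sample data (not taken from the manual).
PROPOSED = [("192.168.1.10", "255.255.255.255"),  # an individual computer
            ("10.0.0.0", "255.255.0.0")]          # an entire network
ADMINS = ["192.168.1.10", "192.168.1.20"]

if __name__ == "__main__":
    for finding in audit(PROPOSED, ADMINS):
        print(finding)
```

Running the audit with the workstation that will perform the configuration in `ADMINS` shows whether the first entry would cut that workstation off from the device.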