ZyXEL Communications MAX200HW2 WiMAX Router User Manual UserMan I88MAX200HW2 revised

User manual revised 2

MAX-200HW2 Series User's Guide
Chapter 12 SIP

12.1.7.2  Use NAT

If you know the NAT router's public IP address and SIP port number, you can use the Use NAT feature to manually configure the ZyXEL Device to use them in the SIP messages. This eliminates the need for STUN or a SIP ALG.

You must also configure the NAT router to forward traffic with this port number to the ZyXEL Device.

12.1.7.3  STUN

STUN (Simple Traversal of User Datagram Protocol (UDP) through Network Address Translators) allows the ZyXEL Device to find the presence and types of NAT routers and/or firewalls between it and the public Internet. STUN also allows the ZyXEL Device to find the public IP address that NAT assigned, so the ZyXEL Device can embed it in the SIP data stream. STUN does not work with symmetric NAT routers or firewalls. See RFC 3489 for details on STUN.

The following figure shows how STUN works.

1. The ZyXEL Device (A) sends SIP packets to the STUN server (B).
2. The STUN server (B) finds the public IP address and port number that the NAT router used on the ZyXEL Device's SIP packets and sends them to the ZyXEL Device.
3. The ZyXEL Device uses the public IP address and port number in the SIP packets that it sends to the SIP server (C).

Figure 102   STUN

12.1.7.4  Outbound Proxy

Your VoIP service provider may host a SIP outbound proxy server to handle all of the ZyXEL Device's VoIP traffic. This allows the ZyXEL Device to work with any type of NAT router and eliminates the need for STUN or a SIP ALG. Turn off any SIP ALG on a NAT router in front of the ZyXEL Device to keep it from retranslating the IP address (since this is already handled by the outbound proxy server).

12.1.8  Voice Coding

A codec (coder/decoder) codes analog voice signals into digital signals and decodes the digital signals back into voice signals. The ZyXEL Device supports the following codecs.

G.711 is a Pulse Code Modulation (PCM) waveform codec.
PCM measures analog signal amplitudes at regular time intervals (sampling) and converts them into digital bits (quantization). Quantization "reads" the analog signal and then "writes" it to the nearest digital value. For this reason, a digital sample is usually slightly different from its analog original (this difference is known as "quantization noise").
G.711 provides excellent sound quality but requires 64 kbps of bandwidth.

G.723 is an Adaptive Differential Pulse Code Modulation (ADPCM) waveform codec.

Differential (or Delta) PCM is similar to PCM, but encodes the audio signal based on the difference between one sample and a prediction based on previous samples, rather than encoding the sample's actual quantized value. Many thousands of samples are taken each second, and the differences between consecutive samples are usually quite small, so this saves space and reduces the bandwidth necessary.

However, DPCM produces a high quality signal (high signal-to-noise ratio or SNR) for high difference signals (where the actual signal is very different from what was predicted) but a poor quality signal (low SNR) for low difference signals (where the actual signal is very similar to what was predicted). This is because the level of quantization noise is the same at all signal levels.

Adaptive DPCM solves this problem by adapting the difference signal's level of quantization according to the audio signal's strength. A low difference signal is given a higher quantization level, increasing its signal-to-noise ratio. This provides a similar sound quality at all signal levels.

G.723 provides high quality sound and requires 20 or 40 kbps.

G.729 is an Analysis-by-Synthesis (AbS) hybrid waveform codec. It uses a filter based on information about how the human vocal tract produces sounds. The codec analyzes the incoming voice signal and attempts to synthesize it using its list of voice elements. It tests the synthesized signal against the original and, if it is acceptable, transmits details of the voice elements it used to make the synthesis.
Because the codec at the receiving end has the same list, it can exactly recreate the synthesized audio signal.

G.729 provides good sound quality and reduces the required bandwidth to 8 kbps.

12.1.9  PSTN Call Setup Signaling

PSTNs (Public Switched Telephone Networks) use DTMF or pulse dialing to set up telephone calls.

Dual-Tone Multi-Frequency (DTMF) signaling uses pairs of frequencies (one lower frequency and one higher frequency) to set up calls. It is also known as Touch Tone®. Each of the keys on a DTMF telephone corresponds to a different pair of frequencies.

Pulse dialing sends a series of clicks to the local phone office in order to dial numbers.[3]

12.1.10  MWI (Message Waiting Indication)

Enabling Message Waiting Indication (MWI) lets your phone give you a message-waiting (beeping) dial tone when you have one or more voice messages. Your VoIP service provider must have a messaging system that sends message-waiting-status SIP packets as defined in RFC 3842.

3. The ZyXEL Device supports DTMF at the time of writing.
12.1.11  Custom Tones (IVR)

IVR (Interactive Voice Response) is a feature that allows you to use your telephone to interact with the ZyXEL Device. The ZyXEL Device allows you to record custom tones for the Caller Ringing Tone and On Hold Tone functions. The same recordings apply to both the caller ringing and on hold tones.

Table 58   Custom Tones Details
LABEL | DESCRIPTION
Total Time for All Tones | 128 seconds for all custom tones combined
Maximum Time per Individual Tone | 20 seconds
Total Number of Tones Recordable | 8. You can record up to eight different custom tones but the total time must be 128 seconds or less.

12.1.11.1  Recording Custom Tones

Use the following steps if you would like to create new tones or change your tones:

1. Pick up the phone and press **** on your phone's keypad and wait for the message that says you are in the configuration menu.
2. Press a number from 1101~1108 on your phone followed by the # key.
3. Play your desired music or voice recording into the receiver's mouthpiece. Press the # key.
4. You can continue to add, listen to, or delete tones, or you can hang up the receiver when you are done.

12.1.11.2  Listening to Custom Tones

Do the following to listen to a custom tone:

1. Pick up the phone and press **** on your phone's keypad and wait for the message that says you are in the configuration menu.
2. Press a number from 1201~1208 followed by the # key to listen to the tone.
3. You can continue to add, listen to, or delete tones, or you can hang up the receiver when you are done.

12.1.11.3  Deleting Custom Tones

Do the following to delete a custom tone:

1. Pick up the phone and press **** on your phone's keypad and wait for the message that says you are in the configuration menu.
2. Press a number from 1301~1308 followed by the # key to delete the tone of your choice. Press 14 followed by the # key if you wish to clear all your custom tones.
3. You can continue to add, listen to, or delete tones, or you can hang up the receiver when you are done.

12.1.12  Quality of Service (QoS)

Quality of Service (QoS) refers to both a network's ability to deliver data with minimum delay and the networking methods used to provide bandwidth for real-time multimedia applications.
12.1.12.1  Type Of Service (ToS)

Network traffic can be classified by setting the ToS (Type Of Service) values at the data source (for example, at the ZyXEL Device) so a server can decide the best method of delivery, that is the least cost, fastest route and so on.

12.1.12.2  DiffServ

DiffServ is a class of service (CoS) model that marks packets so that they receive specific per-hop treatment at DiffServ-compliant network devices along the route based on the application types and traffic flow. Packets are marked with DiffServ Code Points (DSCPs) indicating the level of service desired. This allows the intermediary DiffServ-compliant network devices to handle the packets differently depending on the code points without the need to negotiate paths or remember state information for every flow. In addition, applications do not have to request a particular service or give advance notice of where the traffic is going.[4]

12.1.12.3  DSCP and Per-Hop Behavior

DiffServ defines a new DS (Differentiated Services) field to replace the Type of Service (TOS) field in the IP header. The DS field contains a 2-bit unused field and a 6-bit DSCP field which can define up to 64 service levels. The following figure illustrates the DS field.

Figure 103   DiffServ: Differentiated Service Field
DSCP (6-bit) | Unused (2-bit)

DSCP is backward compatible with the three precedence bits in the ToS octet so that non-DiffServ compliant, ToS-enabled network devices will not conflict with the DSCP mapping.

The DSCP value determines the forwarding behavior, the PHB (Per-Hop Behavior), that each packet gets across the DiffServ network. Based on the marking rule, different kinds of traffic can be marked for different priorities of forwarding. Resources can then be allocated according to the DSCP values and the configured policies.

12.1.12.4  VLAN

Virtual Local Area Network (VLAN) allows a physical network to be partitioned into multiple logical networks. Only stations within the same group can communicate with each other. Your ZyXEL Device can add IEEE 802.1Q VLAN ID tags to voice frames that it sends to the network. This allows the ZyXEL Device to communicate with a SIP server that is a member of the same VLAN group. Some ISPs use the VLAN tag to identify voice traffic and give it priority over other traffic.

4. The ZyXEL Device does not support DiffServ at the time of writing.
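The DS field layout from section 12.1.12.3, as an added Python example that is not part of the ZyXEL manual: it splits the ToS/DS octet into the 6-bit DSCP and the 2-bit unused field, exposes the three precedence bits that ToS-only devices read, and lists captured IPv4 headers whose marking differs from an expected DSCP. The function names and the sample headers are constructed for illustration.

```python
import socket
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class DsField:
    raw: int              # the whole octet (old ToS octet / new DS field)
    dscp: int             # upper 6 bits: DiffServ Code Point, 0..63
    unused: int           # lower 2 bits: the "unused" field in Figure 103
    precedence: int       # upper 3 bits: what a ToS-only device reads
    class_selector: bool  # True when DSCP == precedence << 3 exactly


def decode_ds_field(octet: int) -> DsField:
    """Split one ToS/DS octet into the fields of section 12.1.12.3."""
    if not 0 <= octet <= 0xFF:
        raise ValueError("the DS field is a single octet (0..255)")
    dscp = octet >> 2
    return DsField(
        raw=octet,
        dscp=dscp,
        unused=octet & 0x03,
        precedence=octet >> 5,
        # Low three DSCP bits clear: a ToS-only device and a DiffServ
        # device agree on the priority, which is the backward compatibility
        # the manual describes.
        class_selector=(dscp & 0x07) == 0,
    )


def encode_ds_field(dscp: int, unused: int = 0) -> int:
    """Build the octet to write into the IP header for a given DSCP."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is 6 bits (0..63)")
    if not 0 <= unused <= 3:
        raise ValueError("the unused field is 2 bits (0..3)")
    return (dscp << 2) | unused


def ds_octet_from_ipv4(header: bytes) -> int:
    """Return the second octet of an IPv4 header after basic sanity checks."""
    if len(header) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = header[0] >> 4, header[0] & 0x0F
    if version != 4 or ihl < 5:
        raise ValueError("not a valid IPv4 header")
    return header[1]


def audit_marking(headers, expected_dscp: int):
    """Return (index, DsField) for each header not marked with expected_dscp."""
    findings = []
    for index, header in enumerate(headers):
        field = decode_ds_field(ds_octet_from_ipv4(header))
        if field.dscp != expected_dscp:
            findings.append((index, field))
    return findings


def build_sample_header(ds_octet: int) -> bytes:
    """Constructed 20-byte IPv4 header carrying UDP; checksum left at zero."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, ds_octet, 28, 0, 0, 64, 17, 0,
        socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.20"),
    )


# Constructed sample capture: DSCP 46, DSCP 40 and an unmarked packet.
SAMPLE_HEADERS = [build_sample_header(o) for o in (0xB8, 0xA0, 0x00)]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(decode_ds_field(ds_octet_from_ipv4(header)))
    for index, field in audit_marking(SAMPLE_HEADERS, expected_dscp=46):
        print(f"packet {index}: DSCP {field.dscp}, precedence {field.precedence}")
```

Octets 0xB8 and 0xA0 both read as precedence 5 on a ToS-only device, yet only 0xA0 is an exact precedence-compatible code point, which is why an audit should compare the full 6-bit DSCP rather than the top three bits.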
12.2  SIP Screens

12.2.1  SIP Settings Screen

Use this screen to maintain basic information about each SIP account. Your VoIP service provider (the company that lets you make phone calls over the Internet) should provide this. You can also enable and disable each SIP account. To access this screen, click VoIP > SIP > SIP Settings.

Figure 104   VoIP > SIP > SIP Settings

Each field is described in the following table.

Table 59   VoIP > SIP > SIP Settings
LABEL | DESCRIPTION
SIP Account | Select the SIP account you want to see in this screen. If you change this field, the screen automatically refreshes.
SIP Settings
Active SIP Account | Select this if you want the ZyXEL Device to use this account. Clear it if you do not want the ZyXEL Device to use this account.
Number | Enter your SIP number. In the full SIP URI, this is the part before the @ symbol. You can use up to 127 printable ASCII characters.
SIP Local Port | Enter the ZyXEL Device's listening port number, if your VoIP service provider gave you one. Otherwise, keep the default value.
SIP Server Address | Enter the IP address or domain name of the SIP server provided by your VoIP service provider. You can use up to 95 printable ASCII characters. It does not matter whether the SIP server is a proxy, redirect or register server.
SIP Server Port | Enter the SIP server's listening port number, if your VoIP service provider gave you one. Otherwise, keep the default value.
REGISTER Server Address | Enter the IP address or domain name of the SIP register server, if your VoIP service provider gave you one. Otherwise, enter the same address you entered in the SIP Server Address field. You can use up to 95 printable ASCII characters.
REGISTER Server Port | Enter the SIP register server's listening port number, if your VoIP service provider gave you one. Otherwise, enter the same port number you entered in the SIP Server Port field.
SIP Service Domain | Enter the SIP service domain name. In the full SIP URI, this is the part after the @ symbol. You can use up to 127 printable ASCII Extended set characters.
Send Caller ID | Select this if you want to send identification when you make VoIP phone calls. Clear this if you do not want to send identification.
Authentication
User Name | Enter the user name for registering this SIP account, exactly as it was given to you. You can use up to 95 printable ASCII characters.
Password | Enter the password for registering this SIP account, exactly as it was given to you. You can use up to 95 printable ASCII Extended set characters.
Apply | Click this to save your changes.
Reset | Click this to set every field in this screen to its last-saved value.
Advanced Setup | Click this to edit the advanced settings for this SIP account. The Advanced SIP Setup screen appears.

12.2.2  Advanced SIP Setup Screen

Use this screen to maintain advanced settings for each SIP account. To access this screen, click Advanced Setup in VoIP > SIP > SIP Settings.
Figure 105   VoIP > SIP > SIP Settings > Advanced
Each field is described in the following table.

Table 60   VoIP > SIP > SIP Settings > Advanced
LABEL | DESCRIPTION
SIP Account | This field displays the SIP account you see in this screen.
SIP Server Settings
URL Type | Select whether or not to include the SIP service domain name when the ZyXEL Device sends the SIP number. SIP - include the SIP service domain name. TEL - do not include the SIP service domain name.
Expiration Duration | Enter the number of seconds your SIP account is registered with the SIP register server before it is deleted. The ZyXEL Device automatically tries to re-register your SIP account when one-half of this time has passed. (The SIP register server might have a different expiration.)
Register Re-send timer | Enter the number of seconds the ZyXEL Device waits before it tries again to register the SIP account, if the first try failed or if there is no response.
Session Expires | Enter the number of seconds the conversation can last before the call is automatically disconnected. Usually, when one-half of this time has passed, the ZyXEL Device or the other party updates this timer to prevent this from happening.
Min-SE | Enter the minimum number of seconds the ZyXEL Device accepts for a session expiration time when it receives a request to start a SIP session. If the request has a shorter time, the ZyXEL Device rejects it.
RTP Port Range
Start Port, End Port | Enter the listening port number(s) for RTP traffic, if your VoIP service provider gave you this information. Otherwise, keep the default values. To enter one port number, enter the port number in the Start Port and End Port fields. To enter a range of ports, enter the port number at the beginning of the range in the Start Port field and enter the port number at the end of the range in the End Port field.
Voice Compression | Select the type of voice coder/decoder (codec) that you want the ZyXEL Device to use. G.711 provides high voice quality but requires more bandwidth (64 kbps). G.711A is typically used in Europe. G.711u is typically used in North America and Japan. G.723 provides good voice quality, and requires 20 or 40 kbps. In contrast, G.729 requires only 8 kbps. The ZyXEL Device must use the same codec as the peer. When two SIP devices start a SIP session, they must agree on a codec.
Primary Compression Type | Select the ZyXEL Device's first choice for voice coder/decoder.
Secondary Compression Type | Select the ZyXEL Device's second choice for voice coder/decoder. Select None if you only want the ZyXEL Device to accept the first choice.
Third Compression Type | This field is disabled if Secondary Compression Type is None. Select the ZyXEL Device's third choice for voice coder/decoder. Select None if you only want the ZyXEL Device to accept the first or second choice.
DTMF Mode | Control how the ZyXEL Device handles the tones that your telephone makes when you push its buttons. You should use the same mode your VoIP service provider uses. RFC 2833 - send the DTMF tones in RTP packets. PCM - send the DTMF tones in the voice data stream. This method works best when you are using a codec that does not use compression (like G.711). Codecs that use compression (like G.729) can distort the tones. SIP INFO - send the DTMF tones in SIP messages.
STUN
Active | Select this if all of the following conditions are satisfied. There is a NAT router between the ZyXEL Device and the SIP server. The NAT router is not a SIP ALG. Your VoIP service provider gave you an IP address or domain name for a STUN server. Otherwise, clear this field.
Server Address | Enter the IP address or domain name of the STUN server provided by your VoIP service provider.
Server Port | Enter the STUN server's listening port, if your VoIP service provider gave you one. Otherwise, keep the default value.
Use NAT
Active | Select this if you want the ZyXEL Device to send SIP traffic to a specific NAT router. You must also configure the NAT router to forward traffic with the specified port to the ZyXEL Device. This eliminates the need for STUN or a SIP ALG.
Server Address | Enter the public IP address or domain name of the NAT router.
Server Port | Enter the port number that your SIP sessions use with the public IP address of the NAT router.
Outbound Proxy
Active | Select this if your VoIP service provider has a SIP outbound server to handle voice calls. This allows the ZyXEL Device to work with any type of NAT router and eliminates the need for STUN or a SIP ALG. Turn off any SIP ALG on a NAT router in front of the ZyXEL Device to keep it from retranslating the IP address (since this is already handled by the outbound proxy server).
Server Address | Enter the IP address or domain name of the SIP outbound proxy server.
Server Port | Enter the SIP outbound proxy server's listening port, if your VoIP service provider gave you one. Otherwise, keep the default value.
NAT Keep Alive
Active | Select this to stop NAT routers between the ZyXEL Device and SIP server (a SIP proxy server or outbound proxy server) from dropping the SIP session. The ZyXEL Device does this by sending SIP notify messages to the SIP server based on the specified interval.
Keep Alive with SIP Proxy | Select this if the SIP server is a SIP proxy server.
Keep Alive with Outbound Proxy | Select this if the SIP server is an outbound proxy server. You must enable Outbound Proxy to use this.
Keep Alive Interval | Enter how often (in seconds) the ZyXEL Device should send SIP notify messages to the SIP server.
MWI (Message Waiting Indication)
Enable | Select this if you want to hear a waiting (beeping) dial tone on your phone when you have at least one voice message. Your VoIP service provider must support this feature.
Expiration Time | Keep the default value, unless your VoIP service provider tells you to change it. Enter the number of seconds the SIP server should provide the message waiting service each time the ZyXEL Device subscribes to the service. Before this time passes, the ZyXEL Device automatically subscribes again.
Fax Option | This field controls how the ZyXEL Device handles fax messages.
G.711 Fax Passthrough | Select this if the ZyXEL Device should use G.711 to send fax messages. The peer devices must also use G.711.
T.38 Fax Relay | Select this if the ZyXEL Device should send fax messages as UDP or TCP/IP packets through IP networks. This provides better quality, but it may have inter-operability problems. The peer devices must also use T.38.
Call Forward
Call Forward Table | Select which call forwarding table you want the ZyXEL Device to use for incoming calls. You set up these tables in VoIP > Phone Book > Incoming Call Policy.
Caller Ringing
Enable | Check this box if you want people to hear a customized recording when they call you.
Caller Ringing Tone | Select the tone you want people to hear when they call you. See Section 12.1.11 for information on how to record these tones.
On Hold
Enable | Check this box if you want people to hear a customized recording when you put them on hold.
On Hold Tone | Select the tone you want people to hear when you put them on hold. See Section 12.1.11 for information on how to record these tones.
<Back | Click this to return to the SIP Settings screen without saving your changes.
Apply | Click this to save your changes.
Reset | Click this to set every field in this screen to its last-saved value.

12.2.3  SIP QoS Screen

Use this screen to maintain ToS and VLAN settings for the ZyXEL Device. To access this screen, click VoIP > SIP > QoS.
Figure 106   VoIP > SIP > QoS

Each field is described in the following table.

Table 61   VoIP > SIP > QoS
LABEL | DESCRIPTION
SIP TOS Priority Setting | Enter the priority for SIP voice transmissions. The ZyXEL Device applies Type of Service priority tags with this priority to voice traffic that it transmits.
RTP TOS Priority Setting | Enter the priority for RTP voice transmissions. The ZyXEL Device applies Type of Service priority tags with this priority to RTP traffic that it transmits.
Voice VLAN ID | Select this if the ZyXEL Device has to be a member of a VLAN to communicate with the SIP server. Ask your network administrator, if you are not sure. Enter the VLAN ID provided by your network administrator in the field on the right. Your LAN and gateway must be configured to use VLAN tags. Otherwise, clear this field.
Apply | Click this to save your changes.
Reset | Click this to set every field in this screen to its last-saved value.
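The STUN exchange from section 12.1.7.3, which the STUN fields in Table 60 turn on, as an added Python example that is not part of the ZyXEL manual or its firmware: it builds an RFC 3489 Binding Request and extracts MAPPED-ADDRESS from a reply, rejecting replies with the wrong transaction ID or inconsistent lengths. The reply is constructed in the code in place of a live server, and the addresses, the SIP number and the function names are assumptions.

```python
import os
import socket
import struct

BINDING_REQUEST = 0x0001
BINDING_RESPONSE = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001
ATTR_SOURCE_ADDRESS = 0x0004
HEADER_LEN = 20  # message type (2) + length (2) + transaction ID (16)


class StunError(ValueError):
    """Raised when a reply cannot be trusted or parsed."""


def build_binding_request(transaction_id=None):
    """Step 1: the request the client sends. Returns (datagram, transaction_id)."""
    tid = os.urandom(16) if transaction_id is None else transaction_id
    if len(tid) != 16:
        raise StunError("transaction ID must be 16 bytes")
    return struct.pack("!HH", BINDING_REQUEST, 0) + tid, tid


def _address_attr(attr_type, ip, port):
    # Address attributes: one ignored byte, family 0x01 (IPv4), port, address.
    value = struct.pack("!BBH4s", 0, 0x01, port, socket.inet_aton(ip))
    return struct.pack("!HH", attr_type, len(value)) + value


def build_binding_response(tid, mapped_ip, mapped_port):
    """Step 2, constructed locally: what a STUN server would send back."""
    attrs = _address_attr(ATTR_SOURCE_ADDRESS, "203.0.113.5", 3478)
    attrs += _address_attr(ATTR_MAPPED_ADDRESS, mapped_ip, mapped_port)
    return struct.pack("!HH", BINDING_RESPONSE, len(attrs)) + tid + attrs


def parse_mapped_address(message, expected_tid):
    """Validate a Binding Response and return the (public_ip, public_port) pair."""
    if len(message) < HEADER_LEN:
        raise StunError("truncated header")
    msg_type, length = struct.unpack("!HH", message[:4])
    if msg_type != BINDING_RESPONSE:
        raise StunError("not a Binding Response")
    if message[4:HEADER_LEN] != expected_tid:
        # A reply that does not echo our transaction ID was not solicited by us.
        raise StunError("transaction ID mismatch")
    if length != len(message) - HEADER_LEN:
        raise StunError("length field does not match datagram size")
    pos = HEADER_LEN
    while pos < len(message):
        if pos + 4 > len(message):
            raise StunError("truncated attribute header")
        attr_type, attr_len = struct.unpack("!HH", message[pos:pos + 4])
        value = message[pos + 4:pos + 4 + attr_len]
        if len(value) != attr_len:
            raise StunError("truncated attribute value")
        if attr_type == ATTR_MAPPED_ADDRESS:
            if attr_len != 8 or value[1] != 0x01:
                raise StunError("unsupported MAPPED-ADDRESS encoding")
            (port,) = struct.unpack("!H", value[2:4])
            return socket.inet_ntoa(value[4:8]), port
        pos += 4 + attr_len  # skip attributes this client does not need
    raise StunError("no MAPPED-ADDRESS attribute")


def sip_contact(number, mapped):
    """Step 3: the public address as it would appear in a SIP Contact URI."""
    ip, port = mapped
    return f"<sip:{number}@{ip}:{port}>"


if __name__ == "__main__":
    request, tid = build_binding_request()
    # Constructed reply: the NAT router rewrote the source to 198.51.100.7:50600.
    reply = build_binding_response(tid, "198.51.100.7", 50600)
    mapped = parse_mapped_address(reply, tid)
    print(mapped, sip_contact("5551234", mapped))
    # With a symmetric NAT the mapping toward the SIP server differs from the
    # one learned here, which is why the manual says STUN does not work there.
```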
CHAPTER 13  Phone

Use these screens to configure the phone you use to make phone calls with the ZyXEL Device.

13.1  Phone Overview

You can configure the volume, echo cancellation, VAD settings and custom tones for the phone port on the ZyXEL Device. You can also select which SIP account to use for making outgoing calls.

13.1.1  Voice Activity Detection/Silence Suppression/Comfort Noise

Voice Activity Detection (VAD) detects whether or not speech is present. This lets the ZyXEL Device reduce the bandwidth that a call uses by not transmitting "silent packets" when you are not speaking.

When using VAD, the ZyXEL Device generates comfort noise when the other party is not speaking. The comfort noise lets you know that the line is still connected as total silence could easily be mistaken for a lost connection.

13.1.2  Echo Cancellation

G.168 is an ITU-T standard for eliminating the echo caused by the sound of your voice reverberating in the telephone receiver while you talk.

13.1.3  Supplementary Phone Services Overview

Supplementary services such as call hold, call waiting, call transfer, etc. are generally available from your VoIP service provider. The ZyXEL Device supports the following services:

- Call Hold
- Call Waiting
- Making a Second Call
- Call Transfer
- Call Forwarding
- Three-Way Conference
- Internal Calls
- Caller ID
- CLIP (Calling Line Identification Presentation)
- CLIR (Calling Line Identification Restriction)

To take full advantage of the supplementary phone services available through the ZyXEL Device's phone port, you may need to subscribe to the services from your VoIP service provider.

13.1.3.1  The Flash Key

Flashing means to press the hook for a short period of time (a few hundred milliseconds) before releasing it. On newer telephones, there should be a "flash" key (button) that generates the signal electronically. If the flash key is not available, you can tap (press and immediately release) the hook by hand to achieve the same effect. However, using the flash key is preferred since the timing is much more precise. The ZyXEL Device may interpret manual tapping as hanging up if the duration is too long.

You can invoke all the supplementary services by using the flash key.

13.1.3.2  Europe Type Supplementary Phone Services

This section describes how to use supplementary phone services with the Europe Type Call Service Mode. Commands for supplementary services are listed in the table below.

Table 62   European Type Flash Key Commands
COMMAND | SUB-COMMAND | DESCRIPTION
Flash | | Put a current call on hold to place a second call. Switch back to the call (if there is no second call).
Flash | 0 | Drop the call presently on hold or reject an incoming call which is waiting for answer.
Flash | 1 | Disconnect the current phone connection and answer the incoming call or resume with caller presently on hold.
Flash | 2 | 1. Switch back and forth between two calls. 2. Put a current call on hold to answer an incoming call. 3. Separate the current three-way conference call into two individual calls (one is on-line, the other is on hold).
Flash | 3 | Create three-way conference connection.
Flash | *98# | Transfer the call to another phone.

After pressing the flash key, if you do not issue the sub-command before the default sub-command timeout (2 seconds) expires or issue an invalid sub-command, the current operation will be aborted.

13.1.3.2.1  European Call Hold

Call hold allows you to put a call (A) on hold by pressing the flash key.

If you have another call, press the flash key and then "2" to switch back and forth between caller A and B by putting either one on hold.

Press the flash key and then "0" to disconnect the call presently on hold and keep the current call on line.
Press the flash key and then "1" to disconnect the current call and resume the call on hold.

If you hang up the phone but a caller is still on hold, there will be a remind ring.

13.1.3.2.2  European Call Waiting

This allows you to place a call on hold while you answer another incoming call on the same telephone (directory) number.

If there is a second call to a telephone number, you will hear a call waiting tone. Take one of the following actions.

- Reject the second call. Press the flash key and then press "0".
- Disconnect the first call and answer the second call. Either press the flash key and press "1", or just hang up the phone and then answer the phone after it rings.
- Put the first call on hold and answer the second call. Press the flash key and then "2".

13.1.3.2.3  European Call Transfer

Do the following to transfer an incoming call (that you have answered) to another phone.

1. Press the flash key to put the caller on hold.
2. When you hear the dial tone, dial "*98#" followed by the number to which you want to transfer the call. to operate the Intercom.
3. After you hear the ring signal or the second party answers it, hang up the phone.

13.1.3.2.4  European Three-Way Conference

Use the following steps to make three-way conference calls.

1. When you are on the phone talking to someone, press the flash key to put the caller on hold and get a dial tone.
2. Dial a phone number directly to make another call.
3. When the second call is answered, press the flash key and press "3" to create a three-way conversation.
4. Hang up the phone to drop the connection.
5. If you want to separate the activated three-way conference into two individual connections (one is on-line, the other is on hold), press the flash key and press "2".

13.1.3.3  USA Type Supplementary Services

This section describes how to use supplementary phone services with the USA Type Call Service Mode. Commands for supplementary services are listed in the table below.
Table 63   USA Type Flash Key Commands
COMMAND | SUB-COMMAND | DESCRIPTION
Flash | | Put a current call on hold to place a second call. After the second call is successful, press the flash key again to have a three-way conference call. Put a current call on hold to answer an incoming call.
Flash | *98# | Transfer the call to another phone.

After pressing the flash key, if you do not issue the sub-command before the default sub-command timeout (2 seconds) expires or issue an invalid sub-command, the current operation will be aborted.

13.1.3.3.1  USA Call Hold

Call hold allows you to put a call (A) on hold by pressing the flash key.

If you have another call, press the flash key to switch back and forth between caller A and B by putting either one on hold.

If you hang up the phone but a caller is still on hold, there will be a remind ring.

13.1.3.3.2  USA Call Waiting

This allows you to place a call on hold while you answer another incoming call on the same telephone (directory) number.

If there is a second call to your telephone number, you will hear a call waiting tone.

Press the flash key to put the first call on hold and answer the second call.

13.1.3.3.3  USA Call Transfer

Do the following to transfer an incoming call (that you have answered) to another phone.

1. Press the flash key to put the caller on hold.
2. When you hear the dial tone, dial "*98#" followed by the number to which you want to transfer the call. to operate the Intercom.
3. After you hear the ring signal or the second party answers it, hang up the phone.

13.1.3.3.4  USA Three-Way Conference

Use the following steps to make three-way conference calls.

1. When you are on the phone talking to someone, press the flash key to put the caller on hold and get a dial tone.
2. Dial a phone number directly to make another call.
3. When the second call is answered, press the flash key, wait for the sub-command tone and press "3" to create a three-way conversation.
4. Hang up the phone to drop the connection.
5. If you want to separate the activated three-way conference into two individual connections (one is on-line, the other is on hold), press the flash key, wait for the sub-command tone and press "2".
13.2  Phone Screens

13.2.1  Analog Phone Screen

Use this screen to control which SIP accounts and PSTN line each phone uses. To access this screen, click VoIP > Phone > Analog Phone.

Figure 107   VoIP > Phone > Analog Phone

Each field is described in the following table.

Table 64   VoIP > Phone > Analog Phone
LABEL | DESCRIPTION
Phone Port Settings | Select the phone port you want to see in this screen. If you change this field, the screen automatically refreshes.
Outgoing Call Use
SIP1 | Select this if you want this phone port to use the SIP1 account when it makes calls. If you select both SIP accounts, the ZyXEL Device tries to use SIP2 first.
SIP2 | Select this if you want this phone port to use the SIP2 account when it makes calls. If you select both SIP accounts, the ZyXEL Device tries to use SIP2 first.
Incoming Call apply to
SIP1 | Select this if you want to receive phone calls for the SIP1 account on this phone port. If you select more than one source for incoming calls, there is no way to distinguish between them when you receive phone calls.
SIP2 | Select this if you want to receive phone calls for the SIP2 account on this phone port. If you select more than one source for incoming calls, there is no way to distinguish between them when you receive phone calls.
Apply | Click this to save your changes.
Reset | Click this to set every field in this screen to its last-saved value.
Advanced Setup | Click this to edit the advanced settings for this phone port. The Advanced Analog Phone Setup screen appears.
13.2.2  Advanced Analog Phone Setup Screen

Use this screen to edit advanced settings for each phone port. To access this screen, click Advanced Setup in VoIP > Phone > Analog Phone.

Figure 108   VoIP > Phone > Analog Phone > Advanced

Each field is described in the following table.

Table 65   VoIP > Phone > Analog Phone > Advanced
LABEL | DESCRIPTION
Analog Phone | This field displays the phone port you see in this screen.
Voice Volume Control
Speaking Volume | Enter the loudness that the ZyXEL Device uses for speech that it sends to the peer device. -1 is the quietest, and 1 is the loudest.
Listening Volume | Enter the loudness that the ZyXEL Device uses for speech that it receives from the peer device. -1 is the quietest, and 1 is the loudest.
Echo Cancellation
G.168 Active | Select this if you want to eliminate the echo caused by the sound of your voice reverberating in the telephone receiver while you talk.
Dialing Interval Select
Dialing Interval Select | Enter the number of seconds the ZyXEL Device should wait after you stop dialing numbers before it makes the phone call. The value depends on how quickly you dial phone numbers. If you select Active Immediate Dial in VoIP > Phone > Common, you can press the pound key (#) to tell the ZyXEL Device to make the phone call immediately, regardless of this setting.
VAD Support | Select this if the ZyXEL Device should stop transmitting when you are not speaking. This reduces the bandwidth the ZyXEL Device uses.
<Back | Click this to return to the Analog Phone screen without saving your changes.
Apply | Click this to save your changes and to apply them to the ZyXEL Device.
Reset | Click this to set every field in this screen to its last-saved value.
13.2.3  Common Phone Settings Screen

Use this screen to activate and deactivate immediate dialing. To access this screen, click VoIP > Phone > Common.

Figure 109   VoIP > Phone > Common

Each field is described in the following table.

Table 66   VoIP > Phone > Common
LABEL: DESCRIPTION
Active Immediate Dial: Select this if you want to use the pound key (#) to tell the ZyXEL Device to make the phone call immediately, instead of waiting the number of seconds you selected in the Dialing Interval Select in VoIP > Phone > Analog Phone. If you select this, dial the phone number, and then press the pound key if you do not want to wait. The ZyXEL Device makes the call immediately.
Apply: Click this to save your changes.
Reset: Click this to set every field in this screen to its last-saved value.

13.2.4  Phone Region Screen

Use this screen to maintain settings that often depend on which region of the world the ZyXEL Device is in. To access this screen, click VoIP > Phone > Region.

Figure 110   VoIP > Phone > Region

Each field is described in the following table.

Table 67   VoIP > Phone > Region
LABEL: DESCRIPTION
Region Settings: Select the place in which the ZyXEL Device is located. Do not select Default.
Call Service Mode: Select the mode for supplementary phone services (call hold, call waiting, call transfer and three-way conference calls) that your VoIP service provider supports.
  Europe Type - use supplementary phone services in European mode
  USA Type - use supplementary phone services in American mode
  You might have to subscribe to these services to use them. Contact your VoIP service provider.
Apply: Click this to save your changes and to apply them to the ZyXEL Device.
Reset: Click this to set every field in this screen to its last-saved value.
CHAPTER 14  Phone Book

Use these screens to maintain call-forwarding rules and speed-dial settings.

14.1  Phone Book Overview

Speed dial provides shortcuts for dialing frequently used (VoIP) phone numbers. It is also required if you want to make peer-to-peer calls. In peer-to-peer calls, you call another VoIP device directly without going through a SIP server. In the ZyXEL Device, you must set up a speed dial entry in the phone book in order to do this. Select Non-Proxy (Use IP or URL) in the Type column and enter the callee's IP address or domain name. The ZyXEL Device sends SIP INVITE requests to the peer VoIP device when you use the speed dial entry.

You do not need to configure a SIP account in order to make a peer-to-peer VoIP call.

14.2  Phone Book Screens

14.2.1  Incoming Call Policy Screen

Use this screen to maintain rules for handling incoming calls. You can block, redirect, or accept them. To access this screen, click VoIP > Phone Book > Incoming Call Policy.
Figure 111   VoIP > Phone Book > Incoming Call Policy

You can create two sets of call-forwarding rules. Each one is stored in a call-forwarding table. Each field is described in the following table.

Table 68   VoIP > Phone Book > Incoming Call Policy
LABEL: DESCRIPTION
Table Number: Select the call-forwarding table you want to see in this screen. If you change this field, the screen automatically refreshes.
Forward to Number Setup: The ZyXEL Device checks these rules, in the order in which they appear, after it checks the rules in the Advanced Setup section.
  Unconditional Forward to Number: Select this if you want the ZyXEL Device to forward all incoming calls to the specified phone number, regardless of other rules in the Forward to Number section. Specify the phone number in the field on the right.
  Busy Forward to Number: Select this if you want the ZyXEL Device to forward incoming calls to the specified phone number if the phone port is busy. Specify the phone number in the field on the right. If you have call waiting, the incoming call is forwarded to the specified phone number if you reject or ignore the second incoming call.
  No Answer Forward to Number: Select this if you want the ZyXEL Device to forward incoming calls to the specified phone number if the call is unanswered. (See No Answer Waiting Time.) Specify the phone number in the field on the right.
  No Answer Waiting Time: This field is used by the No Answer Forward to Number feature and No Answer conditions below. Enter the number of seconds the ZyXEL Device should wait for you to answer an incoming call before it considers the call is unanswered.
Advanced Setup: The ZyXEL Device checks these rules before it checks the rules in the Forward to Number section.
  #: This field is a sequential value, and it is not associated with a specific rule. The sequence is important, however. The ZyXEL Device checks each rule in order, and it only follows the first one that applies.
  Activate: Select this to enable this rule. Clear this to disable this rule.
  Incoming Call Number: Enter the phone number to which this rule applies.
  Forward to Number: Enter the phone number to which you want to forward incoming calls from the Incoming Call Number. You may leave this field blank, depending on the Condition.
  Condition: Select the situations in which you want to forward incoming calls from the Incoming Call Number, or select an alternative action.
    Unconditional - The ZyXEL Device immediately forwards any calls from the Incoming Call Number to the Forward to Number.
    Busy - The ZyXEL Device forwards any calls from the Incoming Call Number to the Forward to Number when your SIP account already has a call connected.
    No Answer - The ZyXEL Device forwards any calls from the Incoming Call Number to the Forward to Number when the call is unanswered. (See No Answer Waiting Time.)
    Block - The ZyXEL Device rejects calls from the Incoming Call Number.
    Accept - The ZyXEL Device allows calls from the Incoming Call Number. You might create a rule with this condition if you do not want incoming calls from someone to be forwarded by rules in the Forward to Number section.
Apply: Click this to save your changes and to apply them to the ZyXEL Device.
Reset: Click this to set every field in this screen to its last-saved value.

14.2.2  Speed Dial Screen

You have to create speed-dial entries if you want to make peer-to-peer calls or call SIP numbers that use letters. You can also create speed-dial entries for frequently-used SIP phone numbers. Use this screen to add, edit, or remove speed-dial entries. To access this screen, click VoIP > Phone Book > Speed Dial.
Figure 112   VoIP > Phone Book > Speed Dial

Each field is described in the following table.

Table 69   VoIP > Phone Book > Speed Dial
LABEL: DESCRIPTION
Speed Dial: Use this section to create or edit speed-dial entries.
  Speed Dial: Select the speed-dial number you want to use for this phone number.
  Number: Enter the SIP number you want the ZyXEL Device to call when you dial the speed-dial number.
  Name: Enter a name to identify the party you call when you dial the speed-dial number. You can use up to 127 printable ASCII characters.
  Type: Select Use Proxy if you want to use one of your SIP accounts to call this phone number. Select Non-Proxy (Use IP or URL) if you want to use a different SIP server or if you want to make a peer-to-peer call. In this case, enter the IP address or domain name of the SIP server or the other party in the field below.
  Add: Click this to use the information in the Speed Dial section to update the Speed Dial Phone Book section.
Speed Dial Phone Book: Use this section to look at all the speed-dial entries and to erase them.
  Speed Dial: This field displays the speed-dial number you should dial to use this entry. You should dial the numbers the way they appear in the screen.
  Number: This field displays the SIP number the ZyXEL Device calls when you dial the speed-dial number.
  Name: This field displays the name of the party you call when you dial the speed-dial number.
  Destination: This field is blank, if the speed-dial entry uses one of your SIP accounts. Otherwise, this field shows the IP address or domain name of the SIP server or other party. (This field corresponds with the Type field in the Speed Dial section.)
  Modify: Use this field to edit or erase the speed-dial entry. Click the Edit icon to copy the information for this speed-dial entry into the Speed Dial section, where you can change it. Click the Remove icon to erase this speed-dial entry.
Clear: Click this to erase all the speed-dial entries.
Reset: Click this to set every field in this screen to its last-saved value.
CHAPTER 15  Firewall

Use these screens to enable, configure and disable the firewall that protects your ZyXEL Device and your LAN from unwanted or malicious traffic.

15.1  Firewall Overview

Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another. The networking term "firewall" is a system or group of systems that enforces an access-control policy between two networks. It may also be defined as a mechanism used to protect a trusted network from an untrusted network. Of course, firewalls cannot solve every security problem. A firewall is one of the mechanisms used to establish a network security perimeter in support of a network security policy. It should never be the only mechanism or method employed. For a firewall to guard effectively, you must design and deploy it appropriately. This requires integrating the firewall into a broad information-security policy. In addition, specific policies must be implemented within the firewall itself.

15.1.1  Stateful Inspection Firewall

Stateful inspection firewalls restrict access by screening data packets against defined access rules. They make access control decisions based on IP address and protocol. They also "inspect" the session data to assure the integrity of the connection and to adapt to dynamic protocols. These firewalls generally provide the best speed and transparency; however, they may lack the granular application level access control or caching that some proxies support. Firewalls, of one type or another, have become an integral part of standard security solutions for enterprises.

15.1.2  About the ZyXEL Device Firewall

The ZyXEL Device firewall is a stateful inspection firewall and is designed to protect against Denial of Service attacks when activated. The ZyXEL Device's purpose is to allow a private Local Area Network (LAN) to be securely connected to the Internet. The ZyXEL Device can be used to prevent theft, destruction and modification of data, as well as log events, which may be important to the security of your network.

The ZyXEL Device is installed between the LAN and a WiMAX base station connecting to the Internet. This allows it to act as a secure gateway for all data passing between the Internet and the LAN.
The ZyXEL Device has one Ethernet (LAN) port. The LAN (Local Area Network) port attaches to a network of computers, which needs security from the outside world. These computers will have access to Internet services such as e-mail, FTP and the World Wide Web. However, "inbound access" is not allowed (by default) unless the remote host is authorized to use a specific service.

15.1.3  Guidelines For Enhancing Security With Your Firewall

1. Change the default password via web configurator.
2. Think about access control before you connect to the network in any way.
3. Limit who can access your router.
4. Don't enable any local service (such as telnet or FTP) that you don't use. Any enabled service could present a potential security risk. A determined hacker might be able to find creative ways to misuse the enabled services to access the firewall or the network.
5. For local services that are enabled, protect against misuse. Protect by configuring the services to communicate only with specific peers, and protect by configuring rules to block packets for the services at specific interfaces.
6. Protect against IP spoofing by making sure the firewall is active.
7. Keep the firewall in a secured (locked) room.

15.1.4  The Firewall, NAT and Remote Management

Figure 113   Firewall Rule Directions

15.1.4.1  LAN-to-WAN rules

LAN-to-WAN rules are local network to Internet firewall rules. The default is to forward all traffic from your local network to the Internet.

You can block certain LAN-to-WAN traffic in the Services screen (click the Services tab). All services displayed in the Blocked Services list box are LAN-to-WAN firewall rules that block those services originating from the LAN.

Blocked LAN-to-WAN packets are considered alerts. Alerts are "higher priority logs" that include system errors, attacks and attempted access to blocked web sites. Alerts appear in red in the View Log screen. You may choose to have alerts e-mailed immediately in the Log Settings screen.
LAN-to-LAN/ZyXEL Device means the LAN to the ZyXEL Device LAN interface. This is always allowed, as this is how you manage the ZyXEL Device from your local computer.

15.1.4.2  WAN-to-LAN rules

WAN-to-LAN rules are Internet to your local network firewall rules. The default is to block all traffic from the Internet to your local network.

How can you forward certain WAN to LAN traffic? You may allow traffic originating from the WAN to be forwarded to the LAN by:

- Configuring NAT port forwarding rules.
- Configuring One-to-One and Many-One-to-One NAT mapping rules in the SMT NAT menus.
- Configuring WAN or LAN & WAN access for services in the Remote Management screens or SMT menus. When you allow remote management from the WAN, you are actually configuring WAN-to-WAN/ZyXEL Device firewall rules. WAN-to-WAN/ZyXEL Device firewall rules are Internet to the ZyXEL Device WAN interface firewall rules. The default is to block all such traffic. When you decide what WAN-to-LAN packets to log, you are in fact deciding what WAN-to-LAN and WAN-to-WAN/ZyXEL Device packets to log.

Forwarded WAN-to-LAN packets are not considered alerts.

15.2  Triangle Route

When the firewall is on, your ZyXEL Device acts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the ZyXEL Device to protect your LAN against attacks.

Figure 114   Ideal Firewall Setup

15.2.1  The "Triangle Route" Problem

A traffic route is a path for sending or receiving data packets between two Ethernet devices. You may have more than one connection to the Internet (through one or more ISPs). If an alternate gateway is on the LAN (and its IP address is in the same subnet as the ZyXEL Device's LAN IP address), the "triangle route" (also called asymmetrical route) problem may occur. The steps below describe the "triangle route" problem.

1. A computer on the LAN initiates a connection by sending out a SYN packet to a receiving server on the WAN.
2. The ZyXEL Device reroutes the SYN packet through Gateway A on the LAN to the WAN.
3. The reply from the WAN goes directly to the computer on the LAN without going through the ZyXEL Device.

As a result, the ZyXEL Device resets the connection, as the connection has not been acknowledged.

Figure 115   "Triangle Route" Problem

15.2.2  Solving the "Triangle Route" Problem

If you have the ZyXEL Device allow triangle route sessions, traffic from the WAN can go directly to a LAN computer without passing through the ZyXEL Device and its firewall protection.

Another solution is to use IP alias. IP alias allows you to partition your network into logical sections over the same Ethernet interface. Your ZyXEL Device supports up to three logical LAN interfaces with the ZyXEL Device being the gateway for each logical network. It's like having multiple LAN networks that actually use the same physical cables and ports. By putting your LAN and Gateway A in different subnets, all returning network traffic must pass through the ZyXEL Device to your LAN. The following steps describe such a scenario.

1. A computer on the LAN initiates a connection by sending a SYN packet to a receiving server on the WAN.
2. The ZyXEL Device reroutes the packet to Gateway A, which is in Subnet 2.
3. The reply from the WAN goes to the ZyXEL Device.
4. The ZyXEL Device then sends it to the computer on the LAN in Subnet 1.

Figure 116   IP Alias
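The rule directions in Section 15.1.4 and the triangle route behaviour in Section 15.2 can be reproduced with a small state tracker. This is an added example, not ZyXEL code: the class, the state names, the verdict strings and the sample addresses are all assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ingress: str   # interface the device receives it on: "LAN" or "WAN"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # "SYN", "SYN-ACK" or "ACK"


class StatefulFirewall:
    """Toy TCP state tracker (hypothetical model, not the device firmware)."""

    def __init__(self, bypass_triangle_route=False, blocked_tcp_ranges=()):
        self.bypass_triangle_route = bypass_triangle_route
        self.blocked_tcp_ranges = list(blocked_tcp_ranges)  # inclusive (low, high)
        self.sessions = {}   # (lan_ip, lan_port, wan_ip, wan_port) -> state
        self.alerts = []     # blocked LAN-to-WAN packets are logged as alerts

    def handle(self, pkt):
        if pkt.ingress == "LAN":
            return self._from_lan(pkt)
        return self._from_wan(pkt)

    def _from_lan(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        # LAN-to-WAN default is forward, except for blocked services.
        if any(lo <= pkt.dport <= hi for lo, hi in self.blocked_tcp_ranges):
            self.alerts.append(f"blocked {pkt.src} -> {pkt.dst}:{pkt.dport}")
            return "block"
        if pkt.flags == "SYN":
            self.sessions[key] = "SYN_SENT"
            return "forward"
        if self.sessions.get(key) == "ESTABLISHED":
            return "forward"
        # The device never saw the server acknowledge this connection.
        if self.bypass_triangle_route:
            return "forward"          # passed on without state verification
        self.sessions.pop(key, None)
        return "reset"

    def _from_wan(self, pkt):
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        state = self.sessions.get(key)
        if state == "SYN_SENT" and pkt.flags == "SYN-ACK":
            self.sessions[key] = "ESTABLISHED"
            return "forward"
        if state == "ESTABLISHED":
            return "forward"
        return "block"                # WAN-to-LAN default is block


# Constructed sample addresses (private LAN host, documentation-range server).
LAN_PC, SERVER = "192.168.1.33", "203.0.113.10"


def handshake(fw, reply_via_device, dport=80):
    """Run a three-way handshake and return the device's verdict per packet.

    reply_via_device=False models the triangle route: the SYN-ACK reaches the
    LAN computer through Gateway A and the device never sees it.
    reply_via_device=True models the ideal topology and the IP alias fix.
    """
    syn = Packet("LAN", LAN_PC, 40000, SERVER, dport, "SYN")
    syn_ack = Packet("WAN", SERVER, dport, LAN_PC, 40000, "SYN-ACK")
    ack = Packet("LAN", LAN_PC, 40000, SERVER, dport, "ACK")
    verdicts = [fw.handle(syn)]
    if verdicts[0] != "forward":
        return verdicts
    if reply_via_device:
        verdicts.append(fw.handle(syn_ack))
    verdicts.append(fw.handle(ack))
    return verdicts


if __name__ == "__main__":
    print("ideal / IP alias:", handshake(StatefulFirewall(), True))
    print("triangle route:  ", handshake(StatefulFirewall(), False))
    print("bypass enabled:  ",
          handshake(StatefulFirewall(bypass_triangle_route=True), False))
```

With the bypass enabled the handshake completes, but only because the device stops checking connection state for that traffic, which is the loss of protection Section 15.2.2 describes.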
15.3  Firewall Screens

15.3.1  General Firewall Screen

Use this screen to configure the basic settings for your firewall. To access this screen, click Security > Firewall > General.

Figure 117   Security > Firewall > General

Each field is described in the following table.

Table 70   Security > Firewall > General
LABEL: DESCRIPTION
Enable Firewall: Select this to activate the firewall. The ZyXEL Device controls access and protects against Denial of Service (DoS) attacks when the firewall is activated.
Bypass Triangle Route: Select this if you want to let some traffic from the WAN go directly to a computer in the LAN without passing through the ZyXEL Device. See the appendices for more information about triangle route topology.
Max NAT/Firewall Session Per User: Select the maximum number of NAT rules and firewall rules the ZyXEL Device enforces at one time. The ZyXEL Device automatically allocates memory for the maximum number of rules, regardless of whether or not there is a rule to enforce. This is the same number you enter in Network > NAT > General.
Packet Direction: This field displays each direction that packets pass through the ZyXEL Device.
Log: Select the situations in which you want to create log entries for firewall events.
  No Log - do not create any log entries
  Log Blocked - (LAN to WAN only) create log entries when packets are blocked
  Log Forwarded - (WAN to LAN only) create log entries when packets are forwarded
  Log All - create log entries for every packet
Apply: Click this to save your changes.
Reset: Click this to set every field in this screen to its last-saved value.

15.3.2  Firewall Services Screen

Use this screen to enable service blocking, to set up the date and time service blocking is effective, and to maintain the list of services you want to block. To access this screen, click Security > Firewall > Services.
Figure 118   Security > Firewall > Services

Each field is described in the following table.

Table 71   Security > Firewall > Services
LABEL: DESCRIPTION
Service Setup
  Enable Services Blocking: Select this to activate service blocking. The Schedule to Block section controls what days and what times service blocking is actually effective, however.
  Available Services: This is a list of pre-defined services (destination ports) you may prohibit your LAN computers from using. Select the port you want to block, and click Add to add the port to the Blocked Services field. A custom port is a service that is not available in the pre-defined Available Services list. You must define it using the Type and Port Number fields. See Appendix F on page 333 for some examples of services.
  Blocked Services: This is a list of services (ports) that are inaccessible to computers on your LAN when service blocking is effective. To remove a service from this list, select the service, and click Delete.
  Type: Select TCP or UDP, based on which one the custom port uses.
  Port Number: Enter the range of port numbers that defines the service. For example, suppose you want to define the Gnutella service. Select TCP type and enter a port range of 6345-6349.
  Add: Click this to add the selected service in Available Services to the Blocked Services list.
  Delete: Select a service in the Blocked Services, and click this to remove the service from the list.
  Clear All: Click this to remove all the services in the Blocked Services list.
Schedule to Block
  Day to Block: Select which days of the week you want the service blocking to be effective.
  Time of Day to Block: Select what time each day you want service blocking to be effective. Enter times in 24-hour format; for example, 3:00pm should be entered as 15:00.
Apply: Click this to save your changes.
Reset: Click this to set every field in this screen to its last-saved value.
CHAPTER 16  Certificates

This chapter gives background information about public-key certificates and explains how to use the Certificates screens.

16.1  Certificates Overview

The ZyXEL Device can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner's identity and public key. Certificates provide a way to exchange public keys for use in authentication.

A Certification Authority (CA) issues certificates and guarantees the identity of each certificate owner. There are commercial certification authorities like CyberTrust or VeriSign and government certification authorities. You can use the ZyXEL Device to generate certification requests that contain identifying information and public keys and then send the certification requests to a certification authority.

When using public-key cryptology for authentication, each host has two keys. One key is public and can be made openly available. The other key is private and must be kept secure.

These keys work like a handwritten signature (in fact, certificates are often referred to as "digital signatures"). Only you can write your signature exactly as it ought to look. When people know what your signature ought to look like, they can verify whether something was signed by you, or by someone else. In the same way, your private key "writes" your digital signature and your public key allows people to verify whether data was signed by you, or by someone else. This process works as follows.

1. Tim wants to send a message to Jenny. He needs her to be sure that it comes from him, and that the message content has not been altered by anyone else along the way. Tim generates a public key pair (one public key and one private key).
2. Tim keeps the private key and makes the public key openly available. This means that anyone who receives a message seeming to come from Tim can read it and verify whether it is really from him or not.
3. Tim uses his private key to sign the message and sends it to Jenny.
4. Jenny receives the message and uses Tim's public key to verify it. Jenny knows that the message is from Tim, and she knows that although other people may have been able to read the message, no-one can have altered it (because they cannot re-sign the message with Tim's private key).
5. Additionally, Jenny uses her own private key to sign a message and Tim uses Jenny's public key to verify the message.
The ZyXEL Device uses certificates based on public-key cryptology to authenticate users attempting to establish a connection, not to encrypt the data that you send after establishing a connection. The method used to secure the data that you send through an established connection depends on the type of connection. For example, a VPN tunnel might use the triple DES encryption algorithm.

The certification authority uses its private key to sign certificates. Anyone can then use the certification authority's public key to verify the certificates.

A certification path is the hierarchy of certification authority certificates that validate a certificate. The ZyXEL Device does not trust a certificate if any certificate on its path has expired or been revoked.

Certification authorities maintain directory servers with databases of valid and revoked certificates. A directory of certificates that have been revoked before the scheduled expiration is called a CRL (Certificate Revocation List). The ZyXEL Device can check a peer's certificate against a directory server's list of revoked certificates. The framework of servers, software, procedures and policies that handles keys is called PKI (public-key infrastructure).

16.1.1  Advantages of Certificates

Certificates offer the following benefits.

- The ZyXEL Device only has to store the certificates of the certification authorities that you decide to trust, no matter how many devices you need to authenticate.
- Key distribution is simple and very secure since you can freely distribute public keys and you never need to transmit private keys.

16.2  Self-signed Certificates

You can have the ZyXEL Device act as a certification authority and sign its own certificates.

16.3  Factory Default Certificate

The ZyXEL Device generates its own unique self-signed certificate when you first turn it on. This certificate is referred to in the GUI as the factory default certificate.
16.3.1  Certificate File Formats

Any certificate that you want to import has to be in one of these file formats:

- Binary X.509: This is an ITU-T recommendation that defines the formats for X.509 certificates.
- PEM (Base-64) encoded X.509: This Privacy Enhanced Mail format uses lowercase letters, uppercase letters and numerals to convert a binary X.509 certificate into a printable form.
- Binary PKCS#7: This is a standard that defines the general syntax for data (including digital signatures) that may be encrypted. A PKCS#7 file is used to transfer a public key certificate. The private key is not included. The ZyXEL Device currently allows the importation of a PKCS#7 file that contains a single certificate.
- PEM (Base-64) encoded PKCS#7: This Privacy Enhanced Mail (PEM) format uses lowercase letters, uppercase letters and numerals to convert a binary PKCS#7 certificate into a printable form.

Be careful to not convert a binary file to text during the transfer process. It is easy for this to occur since many programs use text files by default.

16.4  Certificate Configuration Screens Summary

This section summarizes how to manage certificates on the ZyXEL Device.

Use the My Certificate screens to generate and export self-signed certificates or certification requests and import the ZyXEL Device's CA-signed certificates.

Use the Trusted CAs screens to save CA certificates and trusted remote host certificates to the ZyXEL Device. The ZyXEL Device will trust any valid certificate that you have imported as a trusted certificate. It will also trust any valid certificate signed by any of the certificates that you have imported as a trusted certificate.

16.5  Verifying a Certificate

Before you import a certificate into the ZyXEL Device, you should verify that you have the correct certificate. This is especially true of trusted certificates since the ZyXEL Device also trusts any valid certificate signed by any of the imported trusted certificates.

16.5.1  Checking the Fingerprint of a Certificate on Your Computer

A certificate's fingerprints are message digests calculated using the MD5 or SHA1 algorithms. The following procedure describes how to check a certificate's fingerprint to verify that you have the actual certificate.

1. Browse to where you have the certificate saved on your computer.
2. Make sure that the certificate has a ".cer" or ".crt" file name extension.

Figure 119   Remote Host Certificates

3. Double-click the certificate's icon to open the Certificate window. Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields.

Figure 120   Certificate Details

4. Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may vary based on your situation. Possible examples would be over the telephone or through an HTTPS connection.

16.6  My Certificates Screen

Click Security > Certificates > My Certificates to open the My Certificates screen. This is the ZyXEL Device's summary list of certificates and certification requests.
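The fingerprint check in Section 16.5.1 can also be done without the Windows certificate viewer. The following is an added example, not part of the manual or of any ZyXEL tool: it accepts either file format from Section 16.3.1 (binary or PEM X.509), rejects a binary file that was damaged by a text-mode transfer, and compares the result with the thumbprint the owner reads out. All function names are hypothetical, and the sample bytes are a constructed placeholder rather than a real certificate.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
ALGORITHMS = ("md5", "sha1")   # the two thumbprint algorithms the manual names


def der_length_ok(der):
    """True if the outer DER SEQUENCE header accounts for every byte."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        header, body = 2, first
    else:                                  # long-form length
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header, body = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + body == len(der)


def load_der(data):
    """Return the binary certificate from PEM or binary input."""
    match = PEM_RE.search(data)
    if match:
        # Whitespace (including CRLF line ends) inside PEM is harmless.
        der = base64.b64decode(b"".join(match.group(1).split()), validate=True)
    else:
        der = data
    if not der_length_ok(der):
        raise ValueError("not a complete binary certificate; "
                         "was the file transferred in text mode?")
    return der


def fingerprint(data, algorithm="sha1"):
    """Digest of the binary certificate as colon-separated upper-case hex."""
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    digest = hashlib.new(algorithm, load_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalize(text):
    """Drop spaces, colons and case so differently formatted values compare."""
    return re.sub(r"[^0-9a-f]", "", text.lower())


def matches(data, claimed, algorithm="sha1"):
    """Compare the computed fingerprint with the one the owner supplied."""
    return hmac.compare_digest(_normalize(fingerprint(data, algorithm)),
                               _normalize(claimed))


def to_pem(der):
    """Wrap binary data in PEM armour (used here to build the sample)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    text = ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")
    return text.encode("ascii")


# Constructed placeholder: a DER SEQUENCE header plus 100 filler bytes.
# It is NOT a real certificate; it only has the outer framing of one.
SAMPLE_DER = b"\x30\x64" + bytes(range(100))

if __name__ == "__main__":
    print("SHA1:", fingerprint(SAMPLE_DER))
    print("MD5: ", fingerprint(to_pem(SAMPLE_DER), "md5"))
    damaged = SAMPLE_DER.replace(b"\n", b"\r\n")   # text-mode transfer
    try:
        fingerprint(damaged)
    except ValueError as exc:
        print("rejected:", exc)
```

The PEM and binary forms of the same certificate give the same fingerprint because the digest is always taken over the decoded binary data.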
Figure 121   Security > Certificates > My Certificates

The following table describes the labels in this screen.

Table 72   Security > Certificates > My Certificates
LABEL: DESCRIPTION
PKI Storage Space in Use: This bar displays the percentage of the ZyXEL Device's PKI storage space that is currently in use. When the storage space is almost full, you should consider deleting expired or unnecessary certificates before adding more certificates.
#: This field displays the certificate index number. The certificates are listed in alphabetical order.
Name: This field displays the name used to identify this certificate. It is recommended that you give each certificate a unique name.
Type: This field displays what kind of certificate this is.
  REQ represents a certification request and is not yet a valid certificate. Send a certification request to a certification authority, which then issues a certificate. Use the My Certificate Import screen to import the certificate and replace the request.
  SELF represents a self-signed certificate.
  *SELF represents the default self-signed certificate which signs the imported remote host certificates.
  CERT represents a certificate issued by a certification authority.
Subject: This field displays identifying information about the certificate's owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information.
Issuer: This field displays identifying information about the certificate's issuing certification authority, such as a common name, organizational unit or department, organization or company and country. With self-signed certificates, this is the same information as in the Subject field.
Valid From: This field displays the date that the certificate becomes applicable.
Valid To: This field displays the date that the certificate expires. The text displays in red and includes an Expired! message if the certificate has expired.
Modify: Click the Details icon to open a screen with an in-depth list of information about the certificate.
  Click the Export icon to save a copy of the certificate without its private key. Browse to the location you want to use and click Save.
  Click the Remove icon to delete a certificate. A window displays asking you to confirm that you want to delete the certificate. Subsequent certificates move up by one when you take this action.
  The ZyXEL Device keeps all of your certificates unless you specifically delete them. Uploading new firmware or default configuration file does not delete your certificates.
  You cannot delete certificates that any of the ZyXEL Device's features are configured to use.
Import: Click Import to open a screen where you can save a certificate to the ZyXEL Device.
Create: Click Create to go to the screen where you can have the ZyXEL Device generate a certificate or a certification request.
Refresh: Click Refresh to display the current validity status of the certificates.

16.6.1  My Certificates Create Screen

Click Security > Certificates > My Certificates and then the Create icon to open the My Certificates Create screen. Use this screen to have the ZyXEL Device create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request.
 Chapter 16CertificatesMAX-200HW2 Series User s Guide 193Figure 122   Security > Certificates > My Certificates > CreateThe following table describes the labels in this screen. Table 73   Security > Certificates > My Certificates > CreateLABEL DESCRIPTIONCertificate NameType a name to identify this certificate. You can use up to 31 alphanumeric and ;$~!@#$%^&()_+[]{} ,.=- characters.Subject InformationUse these fields to record information that identifies the owner of the certificate. You do not have to fill in every field, although the Common Nameis mandatory. The certification authority may add fields (such as a serial number) to the subject information when it issues a certificate. It is recommended that each certificate have unique subject information.Common Name Select a radio button to identify the certificate s owner by IP address, domain name or e-mail address. Type the IP address (in dotted decimal notation), domain name or e-mail address in the field provided. The domain name or e-mail address is for identification purposes only and can be any string.A domain name can be up to 255 characters. You can use alphanumeric characters, the hyphen and periods.An e-mail address can be up to 63 characters. You can use alphanumeric characters, the hyphen, the @ symbol, periods and the underscore.Organizational UnitIdentify the organizational unit or department to which the certificate owner belongs. You can use up to 63 characters. You can use alphanumeric characters, the hyphen and the underscore.OrganizationIdentify the company or group to which the certificate owner belongs. You can use up to 63 characters. You can use alphanumeric characters, the hyphen and the underscore.
Table 73   Security > Certificates > My Certificates > Create (continued)
LABEL: DESCRIPTION
Country: Identify the state in which the certificate owner is located. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.
Key Length: Select a number from the drop-down list box to determine how many bits the key should use (512 to 2048). The longer the key, the more secure it is. A longer key also uses more PKI storage space.
Enrollment Options: These radio buttons deal with how and when the certificate is to be generated.
Create a self-signed certificate: Select Create a self-signed certificate to have the ZyXEL Device generate the certificate and act as the Certification Authority (CA) itself. This way you do not need to apply to a certification authority for certificates.
Create a certification request and save it locally for later manual enrollment: Select Create a certification request and save it locally for later manual enrollment to have the ZyXEL Device generate and store a request for a certificate. Use the My Certificate Details screen to view the certification request and copy it to send to the certification authority. Copy the certification request from the My Certificate Details screen (see Section 16.6.2 on page 195) and then send it to the certification authority.
Create a certification request and enroll for a certificate immediately online: Select Create a certification request and enroll for a certificate immediately online to have the ZyXEL Device generate a request for a certificate and apply to a certification authority for a certificate. You must have the certification authority's certificate already imported in the Trusted CAs screen. When you select this option, you must select the certification authority's enrollment protocol and the certification authority's certificate from the drop-down list boxes and enter the certification authority's server address. You also need to fill in the Reference Number and Key if the certification authority requires them.
Enrollment Protocol: This field applies when you select Create a certification request and enroll for a certificate immediately online. Select the certification authority's enrollment protocol from the drop-down list box. Simple Certificate Enrollment Protocol (SCEP) is a TCP-based enrollment protocol that was developed by VeriSign and Cisco. Certificate Management Protocol (CMP) is a TCP-based enrollment protocol that was developed by the Public Key Infrastructure X.509 working group of the Internet Engineering Task Force (IETF) and is specified in RFC 2510.
CA Server Address: This field applies when you select Create a certification request and enroll for a certificate immediately online. Enter the IP address (or URL) of the certification authority server. For a URL, you can use up to 511 of the following characters. a-zA-Z0-9'()+,/:.=?;!*#@$_%-
CA Certificate: This field applies when you select Create a certification request and enroll for a certificate immediately online. Select the certification authority's certificate from the CA Certificate drop-down list box. You must have the certification authority's certificate already imported in the Trusted CAs screen. Click Trusted CAs to go to the Trusted CAs screen where you can view (and manage) the ZyXEL Device's list of certificates of trusted certification authorities.
Table 73   Security > Certificates > My Certificates > Create (continued)
LABEL: DESCRIPTION
Request Authentication: When you select Create a certification request and enroll for a certificate immediately online, the certification authority may want you to include a reference number and key to identify you when you send a certification request. Fill in both the Reference Number and the Key fields if your certification authority uses CMP enrollment protocol. Just the Key field displays if your certification authority uses the SCEP enrollment protocol. For the reference number, use 0 to 99999999. For the key, use up to 31 of the following characters. a-zA-Z0-9;|`~!@#$%^&*()_+\{}':,./<>=-
Apply: Click Apply to begin certificate or certification request generation.
Cancel: Click Cancel to quit and return to the My Certificates screen.

If you configured the My Certificate Create screen to have the ZyXEL Device enroll a certificate and the certificate enrollment is not successful, you see a screen with a Return button that takes you back to the My Certificate Create screen. Click Return and check your information in the My Certificate Create screen. Make sure that the certification authority information is correct and that your Internet connection is working properly if you want the ZyXEL Device to enroll a certificate online.

16.6.2  My Certificate Details Screen
Click Security > Certificates > My Certificates and then the Details icon to open the My Certificate Details screen. You can use this screen to view in-depth certificate information and change the certificate's name.
Figure 123   Security > Certificates > My Certificates > Details
The following table describes the labels in this screen.
Table 74   Security > Certificates > My Certificates > Details
LABEL: DESCRIPTION
Name: This field displays the identifying name of this certificate. You can use up to 31 alphanumeric and ;$~!@#$%^&()_+[]{} ,.=- characters.
Property: Select Default self-signed certificate which signs the imported remote host certificates to use this certificate to sign the remote host certificates you upload in the Security > Certificates > Trusted CAs screen.
Certification Path: This field displays for a certificate, not a certification request. Click the Refresh button to have this read-only text box display the hierarchy of certification authorities that validate the certificate (and the certificate itself). If the issuing certification authority is one that you have imported as a trusted certification authority, it may be the only certification authority in the list (along with the certificate itself). If the certificate is a self-signed certificate, the certificate itself is the only one in the list. The ZyXEL Device does not trust the certificate and displays "Not trusted" in this field if any certificate on the path has expired or been revoked.
Refresh: Click Refresh to display the certification path.
Certificate Information: These read-only fields display detailed information about the certificate.
Table 74   Security > Certificates > My Certificates > Details (continued)
LABEL: DESCRIPTION
Type: This field displays general information about the certificate. CA-signed means that a Certification Authority signed the certificate. Self-signed means that the certificate's owner signed the certificate (not a certification authority). "X.509" means that this certificate was created and signed according to the ITU-T X.509 recommendation that defines the formats for public-key certificates.
Version: This field displays the X.509 version number.
Serial Number: This field displays the certificate's identification number given by the certification authority or generated by the ZyXEL Device.
Subject: This field displays information that identifies the owner of the certificate, such as Common Name (CN), Organizational Unit (OU), Organization (O) and Country (C).
Issuer: This field displays identifying information about the certificate's issuing certification authority, such as Common Name, Organizational Unit, Organization and Country. With self-signed certificates, this is the same as the Subject Name field. "none" displays for a certification request.
Signature Algorithm: This field displays the type of algorithm that was used to sign the certificate. The ZyXEL Device uses rsa-pkcs1-sha1 (RSA public-private key encryption algorithm and the SHA1 hash algorithm). Some certification authorities may use rsa-pkcs1-md5 (RSA public-private key encryption algorithm and the MD5 hash algorithm).
Valid From: This field displays the date that the certificate becomes applicable. "none" displays for a certification request.
Valid To: This field displays the date that the certificate expires. The text displays in red and includes an Expired! message if the certificate has expired. "none" displays for a certification request.
Key Algorithm: This field displays the type of algorithm that was used to generate the certificate's key pair (the ZyXEL Device uses RSA encryption) and the length of the key set in bits (1024 bits for example).
Subject Alternative Name: This field displays the certificate owner's IP address (IP), domain name (DNS) or e-mail address (EMAIL).
Key Usage: This field displays for what functions the certificate's key can be used. For example, "DigitalSignature" means that the key can be used to sign certificates and "KeyEncipherment" means that the key can be used to encrypt text.
Basic Constraint: This field displays general information about the certificate. For example, "Subject Type=CA" means that this is a certification authority's certificate and "Path Length Constraint=1" means that there can only be one certification authority in the certificate's path. This field does not display for a certification request.
MD5 Fingerprint: This is the certificate's message digest that the ZyXEL Device calculated using the MD5 algorithm.
SHA1 Fingerprint: This is the certificate's message digest that the ZyXEL Device calculated using the SHA1 algorithm.
Table 74   Security > Certificates > My Certificates > Details (continued)
LABEL: DESCRIPTION
Certificate in PEM (Base-64) Encoded Format: This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses lowercase letters, uppercase letters and numerals to convert the binary certificate into a printable form. You can copy and paste a certification request into a certification authority's web page, an e-mail that you send to the certification authority or a text editor and save the file on a management computer for later manual enrollment. You can copy and paste a certificate into an e-mail to send to friends or colleagues or you can copy and paste a certificate into a text editor and save the file on a management computer for later distribution (via floppy disk for example).
Apply: Click Apply to save your changes back to the ZyXEL Device. You can only change the name.
Cancel: Click Cancel to quit and return to the My Certificates screen.

16.6.3  My Certificate Import Screen
Click Security > Certificates > My Certificates > Import to open the My Certificate Import screen. Follow the instructions in this screen to upload an existing certificate to the ZyXEL Device. You can import a certificate that matches a corresponding certification request that was generated by the ZyXEL Device. The certificate you import replaces the corresponding request in the My Certificates screen.
You must remove any spaces from the certificate's filename before you can import it.
Figure 124   Security > Certificates > My Certificates > Import
The following table describes the labels in this screen.
Table 75   Security > Certificates > My Certificates > Import
LABEL: DESCRIPTION
File Path: Type in the location of the file you want to upload in this field or click Browse to find it. You cannot import a certificate with the same name as a certificate that is already in the ZyXEL Device.
Browse: Click Browse to find the certificate file you want to upload.
Apply: Click Apply to save the certificate on the ZyXEL Device.
Cancel: Click Cancel to quit and return to the My Certificates screen.

16.7  Trusted CAs
Click Security > Certificates > Trusted CAs to open the Trusted CAs screen. This screen displays a summary list of certificates of the certification authorities that you have set the ZyXEL Device to accept as trusted. The ZyXEL Device accepts any valid certificate signed by a certification authority on this list as being trustworthy; thus you do not need to import any certificate that is signed by one of these certification authorities.
Figure 125   Security > Certificates > Trusted CAs
The following table describes the labels in this screen.
Table 76   Security > Certificates > Trusted CAs
LABEL: DESCRIPTION
PKI Storage Space in Use: This bar displays the percentage of the ZyXEL Device's PKI storage space that is currently in use. When the storage space is almost full, you should consider deleting expired or unnecessary certificates before adding more certificates.
#: This field displays the certificate index number. The certificates are listed in alphabetical order.
Name: This field displays the name used to identify this certificate.
Subject: This field displays identifying information about the certificate's owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information.
Issuer: This field displays identifying information about the certificate's issuing certification authority, such as a common name, organizational unit or department, organization or company and country. With self-signed certificates, this is the same information as in the Subject field.
Valid From: This field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid! message if the certificate has not yet become applicable.
Valid To: This field displays the date that the certificate expires. The text displays in red and includes an Expiring! or Expired! message if the certificate is about to expire or has already expired.
CRL Issuer: This field displays Yes if the certification authority issues CRL (Certificate Revocation Lists) for the certificates that it has issued and you have selected the Check incoming certificates issued by this CA against a CRL check box in the certificate's details screen to have the ZyXEL Device check the CRL before trusting any certificates issued by the certification authority.
Otherwise the field displays No.
Modify: Click the Details icon to open a screen with an in-depth list of information about the certificate. Use the Export icon to save the certificate to a computer. Click the icon and then Save in the File Download screen. The Save As screen opens, browse to the location that you want to use and click Save. Click the Remove icon to delete the certificate. A window displays asking you to confirm that you want to delete the certificate. Note that subsequent certificates move up by one when you take this action.
Table 76   Security > Certificates > Trusted CAs (continued)
LABEL: DESCRIPTION
Import: Click Import to open a screen where you can save the certificate of a certification authority that you trust, from your computer to the ZyXEL Device.
Refresh: Click this button to display the current validity status of the certificates.

16.8  Trusted CA Details
Click Security > Certificates > Trusted CAs to open the Trusted CAs screen. Click the details icon to open the Trusted CA Details screen. Use this screen to view in-depth information about the certification authority's certificate, change the certificate's name and set whether or not you want the ZyXEL Device to check a certification authority's list of revoked certificates before trusting a certificate issued by the certification authority.
Figure 126   Security > Certificates > Trusted CAs > Details
The following table describes the labels in this screen.
Table 77   Security > Certificates > Trusted CAs > Details
LABEL: DESCRIPTION
Name: This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key certificate. You may use any character (not including spaces).
Property (Check incoming certificates issued by this CA against a CRL): Select this check box to have the ZyXEL Device check incoming certificates that are issued by this certification authority against a Certificate Revocation List (CRL). Clear this check box to have the ZyXEL Device not check incoming certificates that are issued by this certification authority against a Certificate Revocation List (CRL).
Certification Path: Click the Refresh button to have this read-only text box display the end entity's certificate and a list of certification authority certificates that shows the hierarchy of certification authorities that validate the end entity's certificate. If the issuing certification authority is one that you have imported as a trusted certification authority, it may be the only certification authority in the list (along with the end entity's own certificate). The ZyXEL Device does not trust the end entity's certificate and displays "Not trusted" in this field if any certificate on the path has expired or been revoked.
Refresh: Click Refresh to display the certification path.
Certificate Information: These read-only fields display detailed information about the certificate.
Type: This field displays general information about the certificate. CA-signed means that a Certification Authority signed the certificate. Self-signed means that the certificate's owner signed the certificate (not a certification authority).
X.509 means that this certificate was created and signed according to the ITU-T X.509 recommendation that defines the formats for public-key certificates.
Version: This field displays the X.509 version number.
Serial Number: This field displays the certificate's identification number given by the certification authority.
Subject: This field displays information that identifies the owner of the certificate, such as Common Name (CN), Organizational Unit (OU), Organization (O) and Country (C).
Issuer: This field displays identifying information about the certificate's issuing certification authority, such as Common Name, Organizational Unit, Organization and Country. With self-signed certificates, this is the same information as in the Subject Name field.
Signature Algorithm: This field displays the type of algorithm that was used to sign the certificate. Some certification authorities use rsa-pkcs1-sha1 (RSA public-private key encryption algorithm and the SHA1 hash algorithm). Other certification authorities may use rsa-pkcs1-md5 (RSA public-private key encryption algorithm and the MD5 hash algorithm).
Valid From: This field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid! message if the certificate has not yet become applicable.
Valid To: This field displays the date that the certificate expires. The text displays in red and includes an Expiring! or Expired! message if the certificate is about to expire or has already expired.
Key Algorithm: This field displays the type of algorithm that was used to generate the certificate's key pair (the ZyXEL Device uses RSA encryption) and the length of the key set in bits (1024 bits for example).
Table 77   Security > Certificates > Trusted CAs > Details (continued)
LABEL: DESCRIPTION
MD5 Fingerprint: This is the certificate's message digest that the ZyXEL Device calculated using the MD5 algorithm. You can use this value to verify with the certification authority (over the phone for example) that this is actually their certificate.
SHA1 Fingerprint: This is the certificate's message digest that the ZyXEL Device calculated using the SHA1 algorithm. You can use this value to verify with the certification authority (over the phone for example) that this is actually their certificate.
Certificate in PEM (Base-64) Encoded Format: This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses lowercase letters, uppercase letters and numerals to convert the binary certificate into a printable form. You can copy and paste the certificate into an e-mail to send to friends or colleagues or you can copy and paste the certificate into a text editor and save the file on a management computer for later distribution (via floppy disk for example).
Apply: Click Apply to save your changes back to the ZyXEL Device. You can only change the name and/or set whether or not you want the ZyXEL Device to check the CRL that the certification authority issues before trusting a certificate issued by the certification authority.
Cancel: Click Cancel to quit and return to the Trusted CAs screen.

16.9  Trusted CA Import
Click Security > Certificates > Trusted CAs to open the Trusted CAs screen and then click Import to open the Trusted CA Import screen. Follow the instructions in this screen to save a trusted certification authority's certificate from a computer to the ZyXEL Device. The ZyXEL Device trusts any valid certificate signed by any of the imported trusted CA certificates.
You must remove any spaces from the certificate's filename before you can import the certificate.
Figure 127   Security > Certificates > Trusted CAs > Import
The following table describes the labels in this screen.
Table 78   Security > Certificates > Trusted CAs Import
LABEL: DESCRIPTION
File Path: Type in the location of the file you want to upload in this field or click Browse to find it.
Choose...: Click Choose... to find the certificate file you want to upload.
Apply: Click Apply to save the certificate on the ZyXEL Device.
Cancel: Click Cancel to quit and return to the Trusted CAs screen.
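The fingerprint check described for the Trusted CA Details screen can also be done on the management computer before a CA certificate file is imported. The following Python sketch is an added example, not part of the ZyXEL manual or firmware; it assumes the device hashes the DER encoding of the certificate (the common convention), and the sample bytes are a constructed stand-in rather than a real certificate.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)

# Constructed stand-in bytes, NOT a real certificate. A fingerprint is a hash
# over the encoded bytes, so any byte string shows the mechanics offline.
SAMPLE_DER = bytes(range(256)) * 3


def der_to_pem(der, width=64):
    """Wrap DER bytes in PEM armour (Base-64 text in fixed-width lines)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + width] for i in range(0, len(b64), width))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def load_der(file_bytes):
    """Accept a PEM text file or a binary DER file and return the DER bytes."""
    try:
        text = file_bytes.decode("ascii")
    except UnicodeDecodeError:
        return file_bytes  # not ASCII text, so treat it as binary DER
    match = PEM_BLOCK.search(text)
    if match is None:
        raise ValueError("no PEM certificate block found")
    # Line wrapping and CR/LF differences must not change the fingerprint.
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def fingerprints(file_bytes):
    """Compute the two digests the Details screen shows (assumed: over DER)."""
    der = load_der(file_bytes)
    return {
        "MD5": hashlib.md5(der).hexdigest().upper(),
        "SHA1": hashlib.sha1(der).hexdigest().upper(),
    }


def normalise(value):
    """Drop separators so 'ab:cd ef' and 'ABCDEF' compare equal."""
    return re.sub(r"[\s:\-]", "", value).upper()


def same_fingerprint(displayed, computed):
    return normalise(displayed) == normalise(computed)


def verify_before_import(file_bytes, ca_md5, ca_sha1):
    """True only if BOTH values obtained from the CA match the file.

    MD5 on its own is weak against collisions, so do not accept a match on
    the MD5 value alone.
    """
    fp = fingerprints(file_bytes)
    return (same_fingerprint(ca_md5, fp["MD5"])
            and same_fingerprint(ca_sha1, fp["SHA1"]))


if __name__ == "__main__":
    pem_file = der_to_pem(SAMPLE_DER).encode("ascii")
    for name, value in fingerprints(pem_file).items():
        print(f"{name}: {value}")
```

Obtain the reference values from the certification authority through a separate channel, as the manual suggests, not from the same download as the certificate file.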
CHAPTER 17
Content Filter
Use these screens to create and enforce policies that restrict access to the Internet based on content.

17.1  Content Filtering Overview
Internet content filtering allows you to create and enforce Internet access policies tailored to your needs. Content filtering is the ability to block certain web features or specific URL keywords.
The ZyXEL Device can block web features such as ActiveX controls, Java applets and cookies, and can disable web proxies. The ZyXEL Device also allows you to define time periods and days during which the ZyXEL Device performs content filtering.

17.2  Content Filtering Screens
17.2.1  Content Filter Screen
Use this screen to set up a trusted IP address, which web features are restricted, and which keywords are blocked when content filtering is effective. To access this screen, click Security > Content Filter > Filter.
Figure 128   Security > Content Filter > Filter
Each field is described in the following table.
Table 79   Security > Content Filter > Filter
LABEL: DESCRIPTION
Trusted IP Setup
Trusted Computer IP Address: You can allow a specific computer to access all Internet resources without the restrictions you set in these screens. Enter the IP address of the trusted computer.
Restrict Web Features: Select the web features you want to disable. If a user downloads a page with a restricted feature, that part of the web page appears blank or grayed out.
ActiveX - This is a tool for building dynamic and active Web pages and distributed object applications. When you visit an ActiveX Web site, ActiveX controls are downloaded to your browser, where they remain in case you visit the site again.
Java - This is used to build downloadable Web components or Internet and intranet business applications of all kinds.
Cookies - This is used by Web servers to track usage and to provide service based on ID.
Web Proxy - This is a server that acts as an intermediary between a user and the Internet to provide security, administrative control, and caching service. When a proxy server is located on the WAN, it is possible for LAN users to avoid content filtering restrictions.
Keyword Blocking
Enable URL Keyword Blocking: Select this if you want the ZyXEL Device to block Web sites based on words in the web site address. For example, if you block the keyword "bad", http://www.website.com/bad.html is blocked.
Keyword: Type a keyword you want to block in this field. You can use up to 64 printable ASCII characters. There is no wildcard character, however.
Add: Click this to add the specified Keyword to the Keyword List. You can enter up to 64 keywords.
Keyword List: This field displays the keywords that are blocked when Enable URL Keyword Blocking is selected. To delete a keyword, select it, click Delete, and click Apply.
Table 79   Security > Content Filter > Filter (continued)
LABEL: DESCRIPTION
Delete: Click Delete to remove the selected keyword in the Keyword List. The keyword disappears after you click Apply.
Clear All: Click this button to remove all of the keywords in the Keyword List.
Denied Access Message: Enter the message that is displayed when the ZyXEL Device's content filter feature blocks access to a web site.
Apply: Click this to save your changes and to apply them to the ZyXEL Device.
Cancel: Click this to set every field in this screen to its last-saved value.

17.2.2  Content Filter Schedule Screen
Use this screen to set up the schedule when content filtering is effective. To access this screen, click Security > Content Filter > Schedule.
Figure 129   Security > Content Filter > Schedule
Each field is described in the following table.
Table 80   Security > Content Filter > Schedule
LABEL: DESCRIPTION
Day to Block: Select which days of the week you want content filtering to be effective.
Time of Day to Block: Select what time each day you want content filtering to be effective. Enter times in 24-hour format; for example, 3:00pm should be entered as 15:00.
Apply: Click this to save your changes.
Reset: Click this to set every field in this screen to its last-saved value.
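To preview how a keyword list and schedule will behave before applying them, the settings from the two Content Filter screens can be modelled offline. This Python sketch is an added example, not ZyXEL code; the evaluation order (trusted computer, then schedule, then keywords), the case-insensitive match and all sample addresses and URLs other than the manual's bad.html example are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import List, Optional, Set, Tuple

MAX_KEYWORDS = 64      # "You can enter up to 64 keywords."
MAX_KEYWORD_LEN = 64   # "up to 64 printable ASCII characters"


@dataclass
class ContentFilter:
    trusted_ip: Optional[str] = None            # Trusted Computer IP Address
    keyword_blocking: bool = True               # Enable URL Keyword Blocking
    keywords: List[str] = field(default_factory=list)
    block_days: Set[int] = field(default_factory=set)  # 0 = Monday .. 6 = Sunday
    block_from: time = time(0, 0)               # Time of Day to Block (start)
    block_to: time = time(23, 59)               # Time of Day to Block (end)

    def add_keyword(self, keyword: str) -> None:
        """Enforce the limits stated for the Keyword and Add fields."""
        if len(self.keywords) >= MAX_KEYWORDS:
            raise ValueError("keyword list is full (64 entries)")
        if not 1 <= len(keyword) <= MAX_KEYWORD_LEN:
            raise ValueError("keyword must be 1 to 64 characters long")
        if any(not 0x20 <= ord(ch) <= 0x7E for ch in keyword):
            raise ValueError("keyword must be printable ASCII")
        self.keywords.append(keyword)

    def in_schedule(self, when: datetime) -> bool:
        return (when.weekday() in self.block_days
                and self.block_from <= when.time() <= self.block_to)

    def decide(self, client_ip: str, url: str, when: datetime) -> Tuple[str, str]:
        """Return (decision, reason) for one request."""
        if self.trusted_ip is not None and client_ip == self.trusted_ip:
            return "allow", "trusted computer"
        if not self.in_schedule(when):
            return "allow", "outside schedule"
        if self.keyword_blocking:
            lowered = url.lower()  # assumption: matching ignores case
            for kw in self.keywords:
                # Plain substring test: there is no wildcard, so '*' is literal.
                if kw.lower() in lowered:
                    return "block", f"keyword {kw!r}"
        return "allow", "no keyword matched"


def build_sample_filter() -> ContentFilter:
    """Constructed settings: weekdays 08:00-17:00, one trusted computer."""
    cf = ContentFilter(trusted_ip="192.168.1.10",
                       block_days={0, 1, 2, 3, 4},
                       block_from=time(8, 0), block_to=time(17, 0))
    cf.add_keyword("bad")       # the manual's example keyword
    cf.add_keyword("*games*")   # wildcard attempt: never matches a normal URL
    return cf


def preview(cf: ContentFilter, client_ip: str, urls: List[str], when: datetime):
    """Decision per URL, to spot over-blocking before clicking Apply."""
    return {url: cf.decide(client_ip, url, when) for url in urls}


if __name__ == "__main__":
    sample_urls = [                                   # constructed test URLs
        "http://www.website.com/bad.html",
        "http://www.example.com/badminton-club.html",  # blocked by substring
        "http://www.example.com/games/index.html",     # not blocked
    ]
    monday_morning = datetime(2024, 1, 1, 9, 0)
    for url, result in preview(build_sample_filter(), "192.168.1.33",
                               sample_urls, monday_morning).items():
        print(result, url)
```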
CHAPTER 18
Static Route
Use these screens to configure static routes on the ZyXEL Device.

18.1  Static Route Overview
Each remote node specifies only the network to which the gateway is directly connected, and the ZyXEL Device has no knowledge of the networks beyond. For instance, the ZyXEL Device knows about network N2 in the following figure through remote node Router 1. However, the ZyXEL Device is unable to route a packet to network N3 because it doesn't know that there is a route through the same remote node Router 1 (via gateway Router 2). The static routes are for you to tell the ZyXEL Device about the networks beyond the remote nodes.
Figure 130   Example of Static Routing Topology

18.2  Static Route Screens
18.2.1  IP Static Route Screen
Use this screen to look at static routes in the ZyXEL Device. To access this screen, click Management > Static Route > IP Static Route.
The first static route is the default route and cannot be modified or deleted.
Figure 131   Management > Static Route > IP Static Route
Each field is described in the following table.
Table 81   Management > Static Route > IP Static Route
LABEL: DESCRIPTION
#: This field is a sequential value, and it is not associated with a specific rule. The sequence is important, however. The ZyXEL Device checks each rule in order, and it follows only the first one that applies.
Name: This field displays the name that describes the static route.
Active: This field shows whether this static route is active (Yes) or not (No).
Destination: This field displays the destination IP address(es) that this static route affects.
Gateway: This field displays the IP address of the gateway to which the ZyXEL Device should send packets for the specified Destination. The gateway is a router or a switch on the same network segment as the device's LAN or WAN port. The gateway helps forward packets to their destinations.
Modify: Use this field to edit or erase the static route. Click the Edit icon to open the IP Static Route Edit screen for this static route. Click the Remove icon to erase this static route.

18.2.2  IP Static Route Edit Screen
Use this screen to edit a static route in the ZyXEL Device. To access this screen, click an Edit icon in Management > Static Route > IP Static Route.
Figure 132   Management > Static Route > IP Static Route > Edit
Each field is described in the following table.
Table 82   Management > Static Route > IP Static Route > Edit
LABEL: DESCRIPTION
Route Name: Enter the name of the static route.
Active: Select this if you want the static route to be used. Clear this if you do not want the static route to be used.
Private: Select this if you do not want the ZyXEL Device to tell other routers about this static route. For example, you might select this if the static route is in your LAN. Clear this if you want the ZyXEL Device to tell other routers about this static route.
Destination IP Address: Enter one of the destination IP addresses that this static route affects.
IP Subnet Mask: Enter the subnet mask that defines the range of destination IP addresses that this static route affects. If this static route affects only one IP address, enter 255.255.255.255.
Gateway IP Address: Enter the IP address of the gateway to which the ZyXEL Device should send packets for the specified Destination. The gateway is a router or a switch on the same network segment as the device's LAN or WAN port. The gateway helps forward packets to their destinations.
Metric: Usually, you should keep the default value. This field is related to RIP. See Chapter 9 on page 119 for more information. The metric represents the "cost of transmission". A router determines the best route for transmission by choosing a path with the lowest "cost". The smaller the metric, the lower the "cost". RIP uses hop count as the measurement of cost, where 1 is for a directly-connected network. The metric must be 1-15; if you use a value higher than 15, the routers assume the link is down.
Apply: Click this to save your changes and to apply them to the ZyXEL Device.
Cancel: Click this to return to the previous screen without saving your changes.
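Because the table above says the rules are checked in order and only the first one that applies is followed, a broad route entered before a narrower one hides the narrower one. This Python sketch is an added example, not ZyXEL code; it models the Edit screen fields, assumes that a packet matching no listed route falls through to the default route, and uses constructed addresses and route names.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class StaticRoute:
    name: str          # Route Name
    destination: str   # Destination IP Address (any address in the range)
    mask: str          # IP Subnet Mask
    gateway: str       # Gateway IP Address
    metric: int = 2    # constructed value; the page does not state the default
    active: bool = True

    def __post_init__(self):
        if not 1 <= self.metric <= 15:
            raise ValueError("metric must be 1-15")
        ipaddress.IPv4Address(self.gateway)   # raises ValueError if malformed
        self.network                          # raises ValueError on a bad mask

    @property
    def network(self) -> ipaddress.IPv4Network:
        # strict=False: the destination may be any address inside the range,
        # and the mask decides which addresses the route affects.
        return ipaddress.IPv4Network(f"{self.destination}/{self.mask}",
                                     strict=False)


def lookup(routes: List[StaticRoute], dst: str) -> Optional[StaticRoute]:
    """First active route, in list order, whose range contains dst.

    None means no static route applies (assumed: the default route is used).
    """
    addr = ipaddress.IPv4Address(dst)
    for route in routes:
        if route.active and addr in route.network:
            return route
    return None


def shadowed(routes: List[StaticRoute]) -> List[Tuple[str, str]]:
    """(hidden route, earlier route that hides it) pairs under first match."""
    findings = []
    for i, later in enumerate(routes):
        if not later.active:
            continue
        for earlier in routes[:i]:
            if earlier.active and later.network.subnet_of(earlier.network):
                findings.append((later.name, earlier.name))
                break
    return findings


# Constructed topology: N3 sits behind Router 1; one host in N3 is meant to
# be reached through a different gateway.
N3 = StaticRoute("N3-via-Router1", "10.3.0.0", "255.255.0.0", "192.168.1.254")
N3_HOST = StaticRoute("N3-host", "10.3.5.9", "255.255.255.255", "192.168.1.253")
SAMPLE_ROUTES = [N3, N3_HOST]   # broad route first: the host route never fires


if __name__ == "__main__":
    hit = lookup(SAMPLE_ROUTES, "10.3.5.9")
    print("10.3.5.9 ->", hit.name, "via", hit.gateway)
    print("shadowed:", shadowed(SAMPLE_ROUTES))
    fixed = [N3_HOST, N3]
    print("after reordering ->", lookup(fixed, "10.3.5.9").name)
```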
CHAPTER 19
Remote MGMT
Use these screens to control which computers can use which services to access the ZyXEL Device on each interface.

19.1  Remote Management Overview
Remote management allows you to determine which services/protocols can access which ZyXEL Device interface (if any) from which computers.
You may manage your ZyXEL Device from a remote location via:
Table 83
- Internet (WAN only)
- ALL (LAN and WAN)
- LAN only
- Neither (Disable)
To disable remote management of a service, select Disable in the corresponding Server Access field.
You may only have one remote management session running at a time. The ZyXEL Device automatically disconnects a remote management session of lower priority when another remote management session of higher priority starts. The priorities for the different types of remote management sessions are as follows.
1. Telnet
2. HTTP

19.1.1  Remote Management Limitations
Remote management over LAN or WAN will not work when:
1. A filter in SMT menu 3.1 (LAN) or in menu 11.5 (WAN) is applied to block a Telnet, FTP or Web service.
2. You have disabled that service in one of the remote management screens.
3. The IP address in the Secured Client IP field does not match the client IP address. If it does not match, the ZyXEL Device will disconnect the session immediately.
4. There is already another remote management session with an equal or higher priority running. You may only have one remote management session running at one time.

19.1.2  Remote Management and NAT
When NAT is enabled:
- Use the ZyXEL Device's WAN IP address when configuring from the WAN.
- Use the ZyXEL Device's LAN IP address when configuring from the LAN.

19.1.3  System Timeout
There is a default system management idle timeout of five minutes (three hundred seconds). The ZyXEL Device automatically logs you out if the management session remains idle for longer than this timeout period. The management session does not time out when a statistics screen is polling. You can change the timeout period in the Maintenance > System > General screen.

19.2  Remote Management Screens
19.2.1  WWW Screen
Use this screen to control HTTP access to your ZyXEL Device. To access this screen, click Management > Remote MGMT > WWW.
Figure 133   Management > Remote MGMT > WWW
Each field is described in the following table.
Table 84   Management > Remote MGMT > WWW
LABEL: DESCRIPTION
Server Port: Enter the port number this service can use to access the ZyXEL Device. The computer must use the same port number.
Server Access: Select the interface(s) through which a computer may access the ZyXEL Device using this service.
Secured Client IP Address: Select All to allow any computer to access the ZyXEL Device using this service. Select Selected to only allow the computer with the IP address that you specify to access the ZyXEL Device using this service.
Apply: Click this to save your changes.
Reset: Click this to set every field in this screen to its default value.

19.2.2  Telnet Screen
Use this screen to control Telnet access to your ZyXEL Device. To access this screen, click Management > Remote MGMT > Telnet.
Figure 134   Management > Remote MGMT > Telnet

Each field is described in the following table.

Table 85   Management > Remote MGMT > Telnet
LABEL | DESCRIPTION
Server Port | Enter the port number this service can use to access the ZyXEL Device. The computer must use the same port number.
Server Access | Select the interface(s) through which a computer may access the ZyXEL Device using this service.
Secured Client IP Address | Select All to allow any computer to access the ZyXEL Device using this service. Select Selected to only allow the computer with the IP address that you specify to access the ZyXEL Device using this service.
Apply | Click this to save your changes.
Reset | Click this to set every field in this screen to its default value.

19.2.3  FTP Screen

Use this screen to control FTP access to your ZyXEL Device. To access this screen, click Management > Remote MGMT > FTP.

Figure 135   Management > Remote MGMT > FTP

Each field is described in the following table.

Table 86   Management > Remote MGMT > FTP
LABEL | DESCRIPTION
Server Port | Enter the port number this service can use to access the ZyXEL Device. The computer must use the same port number.
Server Access | Select the interface(s) through which a computer may access the ZyXEL Device using this service.
Table 86   Management > Remote MGMT > FTP (continued)
LABEL | DESCRIPTION
Secured Client IP Address | Select All to allow any computer to access the ZyXEL Device using this service. Select Selected to only allow the computer with the IP address that you specify to access the ZyXEL Device using this service.
Apply | Click this to save your changes and to apply them to the ZyXEL Device.
Reset | Click this to set every field in this screen to its default value.

19.3  SNMP

Simple Network Management Protocol (SNMP) is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your ZyXEL Device supports SNMP agent functionality, which allows a manager station to manage and monitor the ZyXEL Device through the network. The ZyXEL Device supports SNMP version one (SNMPv1) and version two (SNMPv2). The next figure illustrates an SNMP management operation.

SNMP is only available if TCP/IP is configured.

Figure 136   SNMP Management Model

An SNMP managed network consists of two main types of component: agents and a manager.

An agent is a management software module that resides in a managed device (the ZyXEL Device). An agent translates the local management information from the managed device into a form compatible with SNMP. The manager is the console through which network administrators perform network management functions. It executes applications that control and monitor managed devices.
The managed devices contain object variables/managed objects that define each piece of information to be collected about a device. Examples of variables include the number of packets received, node port status, etc. A Management Information Base (MIB) is a collection of managed objects. SNMP allows a manager and agents to communicate for the purpose of accessing these objects.

SNMP itself is a simple request/response protocol based on the manager/agent model. The manager issues a request and the agent returns responses using the following protocol operations:

- Get - Allows the manager to retrieve an object variable from the agent.
- GetNext - Allows the manager to retrieve the next object variable from a table or list within an agent. In SNMPv1, when a manager wants to retrieve all elements of a table from an agent, it initiates a Get operation, followed by a series of GetNext operations.
- Set - Allows the manager to set values for object variables within an agent.
- Trap - Used by the agent to inform the manager of some events.

19.3.1  Supported MIBs

The ZyXEL Device supports MIB II that is defined in RFC-1213 and RFC-1215. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance.

19.3.2  SNMP Traps

The ZyXEL Device will send traps to the SNMP manager when any one of the following events occurs:

Table 87   SNMP Traps
TRAP # | TRAP NAME | DESCRIPTION
0 | coldStart (defined in RFC-1215) | A trap is sent after booting (power on).
1 | warmStart (defined in RFC-1215) | A trap is sent after booting (software reboot).
4 | authenticationFailure (defined in RFC-1215) | A trap is sent to the manager when receiving any SNMP get or set requests with the wrong community (password).
6 | whyReboot (defined in ZYXEL-MIB) | A trap is sent with the reason of restart before rebooting when the system is going to restart (warm start).
6a | For intentional reboot: | A trap is sent with the message "System reboot by user!" if reboot is done intentionally (for example, download new files, CI command "sys reboot", etc.).
6b | For fatal error: | A trap is sent with the message of the fatal code if the system reboots because of fatal errors.

19.3.3  Configuring SNMP

To change your ZyXEL Device's SNMP settings, click Advanced > Remote MGMT > SNMP. The screen appears as shown.

Use this screen to control FTP access to your ZyXEL Device. To access this screen, click Management > Remote MGMT > SNMP.
Figure 137   Management > Remote MGMT > SNMP

The following table describes the labels in this screen.

Table 88   Remote Management: SNMP
LABEL | DESCRIPTION
SNMP Configuration |
Get Community | Enter the Get Community, which is the password for the incoming Get and GetNext requests from the management station. The default is public and allows all requests.
Set Community | Enter the Set community, which is the password for incoming Set requests from the management station. The default is public and allows all requests.
Trap Community | Enter the trap community, which is the password sent with each trap to the SNMP manager. The default is public and allows all requests.
Trap Destination | Enter the IP address of the station to send your SNMP traps to.
SNMP |
Port | You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.
Access Status | Select the interface(s) through which a computer may access the ZyXEL Device using this service.
Secured Client IP | A secured client is a "trusted" computer that is allowed to communicate with the ZyXEL Device using this service. Select All to allow any computer to access the ZyXEL Device using this service. Choose Selected to just allow the computer with the IP address that you specify to access the ZyXEL Device using this service.
Apply | Click this button to save your customized settings and exit this screen.
Reset | Click this button to set each field in this screen to its default value.

19.3.4  DNS Screen

Use this screen to control DNS access to your ZyXEL Device. To access this screen, click Management > Remote MGMT > DNS.
Figure 138   Management > Remote MGMT > DNS

Each field is described in the following table.

Table 89   Management > Remote MGMT > DNS
LABEL | DESCRIPTION
Server Port | This field is read-only. This field displays the port number this service uses to access the ZyXEL Device. The computer must use the same port number.
Server Access | Select the interface(s) through which a computer may access the ZyXEL Device using this service.
Secured Client IP Address | Select All to allow any computer to access the ZyXEL Device using this service. Select Selected to only allow the computer with the IP address that you specify to access the ZyXEL Device using this service.
Apply | Click this to save your changes.
Reset | Click this to set every field in this screen to its last-saved value.

19.3.5  Security Screen

Use this screen to control how your ZyXEL Device responds to other types of requests. To access this screen, click Management > Remote MGMT > Security.

Figure 139   Management > Remote MGMT > Security
Each field is described in the following table.

Table 90   Management > Remote MGMT > Security
LABEL | DESCRIPTION
Respond to Ping on | Select the interface(s) on which the ZyXEL Device should respond to incoming ping requests. Disable - the ZyXEL Device does not respond to any ping requests. LAN - the ZyXEL Device only responds to ping requests received from the LAN. WAN - the ZyXEL Device only responds to ping requests received from the WAN. LAN & WAN - the ZyXEL Device responds to ping requests received from the LAN or the WAN.
Do not respond to requests for unauthorized services | Select this to prevent outsiders from discovering your ZyXEL Device by sending requests to unsupported port numbers. If an outside user attempts to probe an unsupported port on your ZyXEL Device, an ICMP response packet is automatically returned. This allows the outside user to know the ZyXEL Device exists. Your ZyXEL Device supports anti-probing, which prevents the ICMP response packet from being sent. This keeps outsiders from discovering your ZyXEL Device when unsupported ports are probed. If you clear this, your ZyXEL Device replies with an ICMP Port Unreachable packet for a port probe on unused UDP ports and with a TCP Reset packet for a port probe on unused TCP ports.
Apply | Click this to save your changes.
Cancel | Click this to set every field in this screen to its default value.
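The Server Access, Secured Client IP, SNMP community and Security screen settings described in this chapter can be reviewed together before a device is deployed. The following is an added example, not ZyXEL code: the `cfg` dictionary layout, the key names and the finding codes are assumptions made for illustration, filled in by hand from the screens, and both sample configurations are constructed.

```python
import ipaddress

# Server Access choices as listed in Table 83 on this page.
WAN_REACHABLE = {"Internet (WAN only)", "ALL (LAN and WAN)"}
DISABLED = "Neither (Disable)"


def audit(cfg):
    """Return a sorted list of finding codes for a remote-management config.

    `cfg` is a hypothetical dict transcribed from the Remote MGMT screens;
    the device itself does not export such a structure.
    """
    findings = []
    for name, svc in cfg["services"].items():
        access = svc["server_access"]
        client = svc["secured_client_ip"]
        if access == DISABLED:
            continue
        if client != "All":
            try:
                ipaddress.ip_address(client)  # the field takes one IP address
            except ValueError:
                findings.append(f"BAD_CLIENT_IP:{name}")
        if access in WAN_REACHABLE:
            # HTTP, Telnet, FTP and SNMPv1/v2 send credentials unencrypted.
            findings.append(f"CLEARTEXT_ON_WAN:{name}")
            if client == "All":
                findings.append(f"ANY_CLIENT_ON_WAN:{name}")
    snmp = cfg["services"].get("SNMP", {})
    if snmp.get("server_access", DISABLED) != DISABLED:
        for field in ("get_community", "set_community", "trap_community"):
            if cfg["snmp"].get(field) == "public":  # documented default
                findings.append(f"DEFAULT_COMMUNITY:{field}")
    sec = cfg["security"]
    if sec["respond_to_ping_on"] in ("WAN", "LAN & WAN"):
        findings.append("PING_REPLY_ON_WAN")
    if not sec["no_reply_unauthorized_services"]:
        findings.append("PORT_PROBE_REPLY")
    return sorted(findings)


def service(access, client="All"):
    return {"server_access": access, "secured_client_ip": client}


# Constructed sample: services left open on both interfaces.
WEAK = {
    "services": {
        "WWW": service("ALL (LAN and WAN)"),
        "Telnet": service("ALL (LAN and WAN)"),
        "FTP": service("LAN only", "192.168.1.300"),  # not a valid address
        "SNMP": service("ALL (LAN and WAN)"),
    },
    "snmp": {"get_community": "public", "set_community": "public",
             "trap_community": "public"},
    "security": {"respond_to_ping_on": "LAN & WAN",
                 "no_reply_unauthorized_services": False},
}

# Constructed sample: web management from one LAN host, everything else off.
HARDENED = {
    "services": {
        "WWW": service("LAN only", "192.168.1.33"),
        "Telnet": service(DISABLED),
        "FTP": service(DISABLED),
        "SNMP": service(DISABLED),
    },
    "snmp": dict(WEAK["snmp"]),  # unused while SNMP is disabled
    "security": {"respond_to_ping_on": "LAN",
                 "no_reply_unauthorized_services": True},
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(cfg))
```
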
CHAPTER 20
UPnP

Use this screen to set up UPnP.

20.1  Introducing Universal Plug and Play

Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices. A UPnP device can dynamically join a network, obtain an IP address, convey its capabilities and learn about other devices on the network. In turn, a device can leave a network smoothly and automatically when it is no longer in use.

20.1.1  How do I know if I'm using UPnP?

UPnP hardware is identified as an icon in the Network Connections folder (Windows XP). Each UPnP compatible device installed on your network will appear as a separate icon. Selecting the icon of a UPnP device will allow you to access the information and properties of that device.

20.1.2  NAT Traversal

UPnP NAT traversal automates the process of allowing an application to operate through NAT. UPnP network devices can automatically configure network addressing, announce their presence in the network to other UPnP devices and enable exchange of simple product and service descriptions. NAT traversal allows the following:

- Dynamic port mapping
- Learning public IP addresses
- Assigning lease times to mappings

Windows Messenger is an example of an application that supports NAT traversal and UPnP.

See Chapter 10 on page 129 for further information about NAT.

20.1.3  Cautions with UPnP

The automated nature of NAT traversal applications in establishing their own services and opening firewall ports may present network security issues. Network information and configuration may also be obtained and modified by users in some network environments.

All UPnP-enabled devices may communicate freely with each other without additional configuration. Disable UPnP if this is not your intention.
20.1.4  UPnP and ZyXEL

ZyXEL has achieved UPnP certification from the Universal Plug and Play Forum Creates UPnP™ Implementors Corp. (UIC). ZyXEL's UPnP implementation supports IGD 1.0 (Internet Gateway Device). At the time of writing ZyXEL's UPnP implementation supports Windows Messenger 4.6 and 4.7 while Windows Messenger 5.0 and Xbox are still being tested.

The ZyXEL Device only sends UPnP multicasts to the LAN.

See later sections for examples of installing UPnP in Windows XP and Windows Me as well as an example of using UPnP in Windows.

20.2  UPnP Examples

20.2.1  Installing UPnP in Windows Example

This section shows how to install UPnP in Windows Me and Windows XP.

20.2.1.1  Installing UPnP in Windows Me

Follow the steps below to install the UPnP in Windows Me.

1. Click Start and Control Panel. Double-click Add/Remove Programs.
2. Click on the Windows Setup tab and select Communication in the Components selection box. Click Details.

Figure 140   Add/Remove Programs: Windows Setup: Communication
3. In the Communications window, select the Universal Plug and Play check box in the Components selection box.

Figure 141   Add/Remove Programs: Windows Setup: Communication Components

4. Click OK to go back to the Add/Remove Programs Properties window and click Next.
5. Restart the computer when prompted.

20.2.1.2  Installing UPnP in Windows XP

Follow the steps below to install the UPnP in Windows XP.

1. Click Start and Control Panel.
2. Double-click Network Connections.
3. In the Network Connections window, click Advanced in the main menu and select Optional Networking Components.

Figure 142   Network Connections

4. The Windows Optional Networking Components Wizard window displays. Select Networking Service in the Components selection box and click Details.
Figure 143   Windows Optional Networking Components Wizard

5. In the Networking Services window, select the Universal Plug and Play check box.

Figure 144   Networking Services

6. Click OK to go back to the Windows Optional Networking Component Wizard window and click Next.
20.2.2  Using UPnP in Windows XP Example

This section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the ZyXEL Device.

Make sure the computer is connected to a LAN port of the ZyXEL Device. Turn on your computer and the ZyXEL Device.

20.2.2.1  Auto-discover Your UPnP-enabled Network Device

1. Click Start and Control Panel. Double-click Network Connections. An icon displays under Internet Gateway.
2. Right-click the icon and select Properties.

Figure 145   Network Connections

3. In the Internet Connection Properties window, click Settings to see the port mappings that were automatically created.
Figure 146   Internet Connection Properties

4. You may edit or delete the port mappings or click Add to manually add port mappings.
Figure 147   Internet Connection Properties: Advanced Settings

Figure 148   Internet Connection Properties: Advanced Settings: Add

5. When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically.
6. Select Show icon in notification area when connected option and click OK. An icon displays in the system tray.
Figure 149   System Tray Icon

7. Double-click on the icon to display your current Internet connection status.

Figure 150   Internet Connection Status

20.2.2.2  Web Configurator Easy Access

With UPnP, you can access the web-based configurator on the ZyXEL Device without finding out the IP address of the ZyXEL Device first. This becomes helpful if you do not know the IP address of the ZyXEL Device.

Follow the steps below to access the web configurator.

1. Click Start and then Control Panel.
2. Double-click Network Connections.
3. Select My Network Places under Other Places.
Figure 151   Network Connections

4. An icon with the description for each UPnP-enabled device displays under Local Network.
5. Right-click on the icon for your ZyXEL Device and select Invoke. The web configurator login screen displays.
Figure 152   Network Connections: My Network Places

6. Right-click on the icon for your ZyXEL Device and select Properties. A properties window displays with basic information about the ZyXEL Device.

Figure 153   Network Connections: My Network Places: Properties: Example
20.3  UPnP Screen

Use this screen to set up UPnP in your ZyXEL Device. To access this screen, click Management > UPnP.

Figure 154   Management > UPnP

Each field is described in the following table.

Table 91   Management > UPnP
LABEL | DESCRIPTION
Device Name | This field identifies your device in UPnP applications.
Enable the Universal Plug and Play (UPnP) Feature | Select this to activate UPnP. Be aware that anyone could use a UPnP application to open the web configurator's login screen without entering the ZyXEL Device's IP address. You still have to enter the password, however.
Allow users to make configuration changes through UPnP | Select this to allow UPnP-enabled applications to automatically configure the ZyXEL Device so that they can communicate through the ZyXEL Device. For example, using NAT traversal, UPnP applications automatically reserve a NAT forwarding port in order to communicate with another UPnP enabled device; this eliminates the need to manually configure port forwarding for the UPnP enabled application.
Allow UPnP to pass through Firewall | Select this to allow traffic from UPnP-enabled applications to bypass the firewall. Clear this if you want the firewall to check UPnP application packets (for example, MSN packets).
Apply | Click this to save your changes and to apply them to the ZyXEL Device.
Cancel | Click this to set every field in this screen to its default value.
CHAPTER 21
System

Use this screen to set up general system settings, change the system mode, change the password, configure the DDNS server settings, and set the current date and time.

21.1  System Features Overview

21.1.1  System Name

System Name is for identification purposes. However, because some ISPs check this name you should enter your computer's "Computer Name".

- In Windows 95/98 click Start, Settings, Control Panel, Network. Click the Identification tab, note the entry for the Computer Name field and enter it as the System Name.
- In Windows 2000, click Start, Settings and Control Panel and then double-click System. Click the Network Identification tab and then the Properties button. Note the entry for the Computer name field and enter it as the System Name.
- In Windows XP, click Start, My Computer, View system information and then click the Computer Name tab. Note the entry in the Full computer name field and enter it as the ZyXEL Device System Name.

21.1.2  Domain Name

The Domain Name entry is what is propagated to the DHCP clients on the LAN. If you leave this blank, the domain name obtained by DHCP from the ISP is used. While you must enter the host name (System Name) on each individual computer, the domain name can be assigned from the ZyXEL Device via DHCP.

21.1.3  DNS Server Address Assignment

Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa, for instance, the IP address of www.zyxel.com is 204.217.0.2. The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it.

The ZyXEL Device can get the DNS server addresses in the following ways.

1. The ISP tells you the DNS server addresses, usually in the form of an information sheet, when you sign up. If your ISP gives you DNS server addresses, enter them in the DNS Server fields in the SYSTEM General screen.
2. If the ISP did not give you DNS server information, leave the DNS Server fields in the SYSTEM General screen set to 0.0.0.0 for the ISP to dynamically assign the DNS server IP addresses.

21.1.4  Dynamic DNS

Dynamic DNS allows you to update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you (in NetMeeting, CU-SeeMe, etc.). You can also access your FTP server or Web site on your own computer using a domain name (for instance myhost.dhs.org, where myhost is a name of your choice) that will never change instead of using an IP address that changes each time you reconnect. Your friends or relatives will always be able to call you even if they don't know your IP address.

First of all, you need to have registered a dynamic DNS account with www.dyndns.org. This is for people with a dynamic IP from their ISP or DHCP server that would still like to have a domain name. The Dynamic DNS service provider will give you a password or key.

Enabling the wildcard feature for your host causes *.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org. This feature is useful if you want to be able to use, for example, www.yourhost.dyndns.org and still reach your hostname.

If you have a private WAN IP address, then you cannot use Dynamic DNS.

21.1.5  Pre-defined NTP Time Servers List

The ZyXEL Device uses the following pre-defined list of NTP time servers if you do not specify a time server or it cannot synchronize with the time server you specified.

The ZyXEL Device can use this pre-defined list of time servers regardless of the Time Protocol you select.

When the ZyXEL Device uses the pre-defined list of NTP time servers, it randomly selects one server and tries to synchronize with it.
If the synchronization fails, then the ZyXEL Device goes through the rest of the list in order from the first one tried until either it is successful or all the pre-defined NTP time servers have been tried.

Table 92   Pre-defined NTP Time Servers
ntp1.cs.wisc.edu
ntp1.gbg.netnod.se
ntp2.cs.wisc.edu
tock.usno.navy.mil
ntp3.cs.wisc.edu
ntp.cs.strath.ac.uk
Table 92   Pre-defined NTP Time Servers (continued)
ntp1.sp.se
time1.stupi.se
tick.stdtime.gov.tw
tock.stdtime.gov.tw
time.stdtime.gov.tw

21.1.6  Resetting the Time

The ZyXEL Device resets the time in the following instances:

- When the ZyXEL Device starts up.
- When you click Apply in the Time Setting Screen.
- 24-hour intervals after starting.

21.2  System Screens

21.2.1  General System Screen

Use this screen to change the ZyXEL Device's mode, set up the ZyXEL Device's system name, domain name, idle timeout, and administrator password. To access this screen, click Maintenance > System > General.

Figure 155   Maintenance > System > General

Each field is described in the following table.

Table 93   Maintenance > System > General
LABEL | DESCRIPTION
System Setup |
System Name | Enter your computer's "Computer Name". This is for identification purposes, but some ISPs also check this field. This name can be up to 30 alphanumeric characters long. Spaces are not allowed, but dashes "-" and underscores "_" are accepted.
Table 93   Maintenance > System > General (continued)
LABEL | DESCRIPTION
Domain Name | Enter the domain name entry that is propagated to DHCP clients on the LAN. If you leave this blank, the domain name obtained from the ISP is used. Use up to 38 alphanumeric characters. Spaces are not allowed, but dashes "-" and periods "." are accepted.
Administrator Inactivity Timer | Enter the number of minutes a management session can be left idle before the session times out. After it times out, you have to log in again. A value of "0" means a management session never times out, no matter how long it has been left idle. This is not recommended. Long idle timeouts may have security risks. The default is five minutes.
Password Setup |
Old Password | Enter the current password you use to access the ZyXEL Device.
New Password | Enter the new password for the ZyXEL Device. You can use up to 30 characters. As you type the password, the screen displays an asterisk (*) for each character you type.
Retype to Confirm | Enter the new password again.
Apply | Click this to save your changes and to apply them to the ZyXEL Device.
Reset | Click this to set every field in this screen to its default value.

21.2.2  Dynamic DNS Screen

Use this screen to set up the ZyXEL Device as a dynamic DNS client. To access this screen, click Maintenance > System > Dynamic DNS.

Figure 156   Maintenance > System > Dynamic DNS
Each field is described in the following table.

Table 94   Maintenance > System > Dynamic DNS
LABEL | DESCRIPTION
Dynamic DNS Setup |
Enable Dynamic DNS | Select this to use dynamic DNS.
Service Provider | Select the name of your Dynamic DNS service provider.
Dynamic DNS Type | Select the type of service that you are registered for from your Dynamic DNS service provider.
Host Name | Enter the host name. You can specify up to two host names, separated by a comma (",").
User Name | Enter your user name.
Password | Enter the password assigned to you.
Enable Wildcard Option | Select this to enable the DynDNS Wildcard feature.
Enable offline option | This field is available when CustomDNS is selected in the DDNS Type field. Select this if your Dynamic DNS service provider redirects traffic to a URL that you can specify while you are off line. Check with your Dynamic DNS service provider.
IP Address Update Policy |
Use WAN IP Address | Select this if you want the ZyXEL Device to update the domain name with the WAN port's IP address.
Dynamic DNS server auto detect IP address | Select this if you want the DDNS server to update the IP address of the host name(s) automatically. Select this option when there are one or more NAT routers between the ZyXEL Device and the DDNS server. Note: The DDNS server may not be able to detect the proper IP address if there is an HTTP proxy server between the ZyXEL Device and the DDNS server.
Use specified IP address | Select this if you want to use the specified IP address with the host name(s). Then, specify the IP address. Use this option if you have a static IP address.
Apply | Click this to save your changes and to apply them to the ZyXEL Device.
Reset | Click this to set every field in this screen to its default value.

21.2.3  Time Setting Screen

Use this screen to set the date, time, and time zone in the ZyXEL Device. To access this screen, click Maintenance > System > Time Setting.
Figure 157   Maintenance > System > Time Setting

Each field is described in the following table.

Table 95   Maintenance > System > Time Setting
LABEL | DESCRIPTION
Current Time and Date | This section displays the current date and time.
Time and Date Setup |
Manual | Select this if you want to specify the current date and time in the fields below.
New Time | Enter the new time in this field, and click Apply.
New Date | Enter the new date in this field, and click Apply.
Get from Time Server | Select this if you want to use a time server to update the current date and time in the ZyXEL Device.
Time Protocol | Select the time service protocol that your time server uses. Check with your ISP or network administrator, or use trial-and-error to find a protocol that works. Daytime (RFC 867) - This format is day/month/year/time zone. Time (RFC 868) - This format displays a 4-byte integer giving the total number of seconds since 1970/1/1 at 0:0:0. NTP (RFC 1305) - This format is similar to Time (RFC 868).
Time Server Address | Enter the IP address or URL of your time server. Check with your ISP or network administrator if you are unsure of this information.
Time Zone Setup |
Time Zone | Select the time zone at your location.
Daylight Savings | Select this if your location uses daylight savings time. Daylight savings is a period from late spring to early fall when many places set their clocks ahead of normal local time by one hour to give more daytime light in the evening.
Table 95   Maintenance > System > Time Setting (continued)
LABEL | DESCRIPTION
Start Date | Enter which hour on which day of which week of which month daylight-savings time starts.
End Date | Enter which hour on which day of which week of which month daylight-savings time ends.
Apply | Click this to save your changes and to apply them to the ZyXEL Device.
Reset | Click this to set every field in this screen to its last-saved value.
CHAPTER 22
Logs

Use these screens to look at log entries and alerts and to configure the ZyXEL Device's log and alert settings.

22.1  Logs Overview

For a list of log messages, see Section 22.3 on page 245.

22.1.1  Alerts

An alert is a type of log that warrants more serious attention. Some categories such as System Errors consist of both logs and alerts.

22.1.2  Syslog Logs

There are two types of syslog: event logs and traffic logs. The device generates an event log when a system event occurs, for example, when a user logs in or the device is under attack. The device generates a traffic log when a "session" is terminated. A traffic log summarizes the session's type, when it started and stopped, the amount of traffic that was sent and received, and so on. An external log analyzer can reconstruct and analyze the traffic flowing through the device after collecting the traffic logs.
Table 96   Syslog Logs
LOG MESSAGE | DESCRIPTION
Event Log: <Facility*8 + Severity>Mon dd hr:mm:ss hostname src="<srcIP:srcPort>" dst="<dstIP:dstPort>" msg="<msg>" note="<note>" devID="<mac address>" cat="<category>" | This message is sent by the system ("RAS" displays as the system name if you haven't configured one) when the router generates a syslog. The facility is defined in the Log Settings screen. The severity is the log's syslog class. The definition of messages and notes are defined in the various log charts throughout this appendix. The "devID" is the MAC address of the router's LAN port. The "cat" is the same as the category in the router's logs.
Traffic Log: <Facility*8 + Severity>Mon dd hr:mm:ss hostname src="<srcIP:srcPort>" dst="<dstIP:dstPort>" msg="Traffic Log" note="Traffic Log" devID="<mac address>" cat="Traffic Log" duration=seconds sent=sentBytes rcvd=receiveBytes dir="<from:to>" protoID=IPProtocolID proto="serviceName" trans="IPSec/Normal" | This message is sent by the device when the connection (session) is closed. The facility is defined in the Log Settings screen. The severity is the traffic log type. The message and note always display "Traffic Log". The "proto" field lists the service name. The "dir" field lists the incoming and outgoing interfaces ("LAN:LAN", "LAN:WAN", "LAN:DEV" for example).

The following table shows RFC-2408 ISAKMP payload types that the log displays. Please refer to the RFC for detailed information on each type.

Table 97   RFC-2408 ISAKMP Payload Types
LOG DISPLAY | PAYLOAD TYPE
SA | Security Association
PROP | Proposal
TRANS | Transform
KE | Key Exchange
ID | Identification
CER | Certificate
CER_REQ | Certificate Request
HASH | Hash
SIG | Signature
NONCE | Nonce
NOTFY | Notification
DEL | Delete
VID | Vendor ID
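A collector that receives these messages has to split the `<Facility*8 + Severity>` prefix and the key="value" fields before it can use them. The following is an added example, not ZyXEL code, that parses the event and traffic layouts of Table 96 and totals traffic per "dir" value; the function names are this example's own, and every sample line (addresses, devID, event message and category) is constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the two Table 96 layouts, plus one bad line.
SAMPLE = [
    '<142>Jan 12 10:15:02 RAS src="192.168.1.33:1025" dst="203.0.113.10:80" '
    'msg="Traffic Log" note="Traffic Log" devID="0013493a2b1c" '
    'cat="Traffic Log" duration=42 sent=1830 rcvd=52211 dir="LAN:WAN" '
    'protoID=6 proto="http" trans="Normal"',
    '<142>Jan 12 10:15:09 RAS src="192.168.1.34:1031" dst="203.0.113.25:53" '
    'msg="Traffic Log" note="Traffic Log" devID="0013493a2b1c" '
    'cat="Traffic Log" duration=1 sent=60 rcvd=124 dir="LAN:WAN" '
    'protoID=17 proto="dns" trans="Normal"',
    '<142>Jan 12 10:16:00 RAS src="192.168.1.33:1040" dst="192.168.1.1:80" '
    'msg="Traffic Log" note="Traffic Log" devID="0013493a2b1c" '
    'cat="Traffic Log" duration=5 sent=900 rcvd=4000 dir="LAN:DEV" '
    'protoID=6 proto="http" trans="Normal"',
    '<140>Jan  2 10:16:40 RAS src="198.51.100.7" dst="192.168.1.1:23" '
    'msg="constructed sample event" note="" devID="0013493a2b1c" '
    'cat="Access Control"',
    'not a syslog line',
]

HEADER = re.compile(
    r'^<(\d{1,3})>(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$')
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare
INT_FIELDS = ("duration", "sent", "rcvd", "protoID")


def split_endpoint(value):
    """Split 'ip:port'; the port (or the whole field) may be missing."""
    if not value:
        return None, None
    ip, sep, port = value.rpartition(":")
    if not sep:
        return value, None
    return ip or None, int(port) if port.isdigit() else None


def parse_line(line):
    """Parse one message into a dict; raise ValueError if it does not fit."""
    m = HEADER.match(line.strip())
    if m is None:
        raise ValueError("line does not match the Table 96 layout")
    pri = int(m.group(1))
    if pri > 191:  # highest valid value is facility 23 * 8 + severity 7
        raise ValueError("priority value out of range")
    rec = {"facility": pri // 8, "severity": pri % 8,
           "time": m.group(2), "host": m.group(3)}
    for key, quoted, bare in PAIR.findall(m.group(4)):
        rec[key] = quoted or bare
    for key in INT_FIELDS:
        if key in rec and rec[key].isdigit():
            rec[key] = int(rec[key])
    rec["src_ip"], rec["src_port"] = split_endpoint(rec.get("src"))
    rec["dst_ip"], rec["dst_port"] = split_endpoint(rec.get("dst"))
    rec["is_traffic"] = rec.get("cat") == "Traffic Log"
    return rec


def traffic_by_direction(lines):
    """Return (per-direction totals, unparseable line count)."""
    totals = defaultdict(lambda: {"sessions": 0, "sent": 0, "rcvd": 0})
    skipped = 0
    for line in lines:
        try:
            rec = parse_line(line)
        except ValueError:
            skipped += 1
            continue
        if rec["is_traffic"]:
            bucket = totals[rec.get("dir", "unknown")]
            bucket["sessions"] += 1
            bucket["sent"] += rec.get("sent", 0)
            bucket["rcvd"] += rec.get("rcvd", 0)
    return dict(totals), skipped


if __name__ == "__main__":
    print(traffic_by_direction(SAMPLE))
```
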
22.2  Logs Screens

22.2.1  Log Viewer Screen

Use this screen to look at log entries and alerts. Alerts are written in red. To access this screen, click Maintenance > Logs > View Log.

Figure 158   Maintenance > Logs > View Log

Click a column header to sort log entries in descending (later-to-earlier) order. Click again to sort in ascending order. The small triangle next to a column header indicates how the table is currently sorted (pointing downward is descending; pointing upward is ascending). Each field is described in the following table.

Table 98   Maintenance > Logs > View Log
LABEL | DESCRIPTION
Display | Select a category whose log entries you want to view. To view all logs, select All Logs. The list of categories depends on what log categories are selected in the Log Settings page.
Email Log Now | Click this to send the log screen to the e-mail address specified in the Log Settings page.
Refresh | Click Refresh to renew the log screen.
Clear Log | Click Clear Log to clear all the log entries, regardless of what is shown on the log screen.
# | This field is a sequential value, and it is not associated with a specific log entry.
Time | This field displays the time the log entry was recorded.
Message | This field displays the reason for the log entry. See Section 22.3 on page 245.
Source | This field displays the source IP address and the port number of the incoming packet. In many cases, some or all of this information may not be available.
Destination | This field lists the destination IP address and the port number of the incoming packet. In many cases, some or all of this information may not be available.
Note | This field displays additional information about the log entry.

22.2.2  Log Settings Screen

Use this screen to configure where the ZyXEL Device sends logs and alerts, the schedule for sending logs, and which logs and alerts are sent or recorded.

To access this screen, click Maintenance > Logs > Log Settings.
Figure 159   Maintenance > Logs > Log Settings

Each field is described in the following table.

Table 99   Maintenance > Logs > Log Settings
LABEL
    DESCRIPTION
E-mail Log Settings
Mail Server
    Enter the server name or the IP address of the mail server the ZyXEL Device should use to e-mail logs and alerts. Leave this field blank if you do not want to send logs or alerts by e-mail.
Mail Subject
    Enter the subject line used in e-mail messages the ZyXEL Device sends.
Send Log to
    Enter the e-mail address to which log entries are sent by e-mail. Leave this field blank if you do not want to send logs by e-mail.
Send Alerts to
    Enter the e-mail address to which alerts are sent by e-mail. Leave this field blank if you do not want to send alerts by e-mail.
Log Schedule
    Select the frequency with which the ZyXEL Device should send log messages by e-mail.
    - Daily
    - Weekly
    - Hourly
    - When Log is Full
    - None.
    If the Weekly or the Daily option is selected, specify a time of day when the E-mail should be sent. If the Weekly option is selected, then also specify which day of the week the E-mail should be sent. If the When Log is Full option is selected, an alert is sent when the log fills up. If you select None, no log messages are sent.
Day for Sending Log
    This field is only available when you select Weekly in the Log Schedule field. Select which day of the week to send the logs.
Time for Sending Log
    This field is only available when you select Daily or Weekly in the Log Schedule field. Enter the time of day in 24-hour format (for example 23:00 equals 11:00 pm) to send the logs.
Clear log after sending mail
    Select this to clear all logs and alert messages after logs are sent by e-mail.
Syslog Logging
    Syslog logging sends a log to an external syslog server used to store logs.
Active
    Select this to enable syslog logging.
Syslog Server IP Address
    Enter the server name or IP address of the syslog server that logs the selected categories of logs.
Log Facility
    Select a location. The log facility allows you to log the messages in different files in the syslog server. See the documentation of your syslog for more details.
Active Log and Alert
Log
    Select the categories of logs that you want to record.
Send immediate alert
    Select the categories of alerts that you want the ZyXEL Device to send immediately.
Apply
    Click this to save your changes and to apply them to the ZyXEL Device.
Cancel
    Click this to set every field in this screen to its last-saved value.

22.3  Log Message Descriptions

The following tables provide descriptions of example log messages.

Table 100   System Error Logs
LOG MESSAGE
    DESCRIPTION
WAN connection is down.
    The WAN connection is down. You cannot access the network through this interface.
%s exceeds the max. number of session per host!
    This attempt to create a NAT session exceeds the maximum number of NAT session table entries allowed to be created per host.

Table 101   System Maintenance Logs
LOG MESSAGE
    DESCRIPTION
Time calibration is successful
    The device has adjusted its time based on information from the time server.
Time calibration failed
    The device failed to get information from the time server.
WAN interface gets IP: %s
    The WAN interface got a new IP address from the DHCP or PPPoE server.
DHCP client gets %s
    A DHCP client got a new IP address from the DHCP server.
DHCP client IP expired
    A DHCP client's IP address has expired.
DHCP server assigns %s
    The DHCP server assigned an IP address to a client.
Successful WEB login
    Someone has logged on to the device's web configurator interface.
WEB login failed
    Someone has failed to log on to the device's web configurator interface.
TELNET Login Successfully
    Someone has logged on to the router via telnet.
TELNET Login Fail
    Someone has failed to log on to the router via telnet.
Successful FTP login
    Someone has logged on to the device via ftp.
FTP login failed
    Someone has failed to log on to the device via ftp.
NAT Session Table is Full!
    The maximum number of NAT session table entries has been exceeded and the table is full.
Time initialized by Daytime Server
    The device got the time and date from the Daytime server.
Time initialized by Time server
    The device got the time and date from the time server.
Time initialized by NTP server
    The device got the time and date from the NTP server.
Connect to Daytime server fail
    The device was not able to connect to the Daytime server.
Connect to Time server fail
    The device was not able to connect to the Time server.
Connect to NTP server fail
    The device was not able to connect to the NTP server.
Too large ICMP packet has been dropped
    The device dropped an ICMP packet that was too large.
Configuration Change: PC = 0x%x, Task ID = 0x%x
    The device is saving configuration changes.

Table 102   Access Control Logs
LOG MESSAGE
    DESCRIPTION
Firewall default policy: [ TCP | UDP | IGMP | ESP | GRE | OSPF ] <Packet Direction>
    Attempted TCP/UDP/IGMP/ESP/GRE/OSPF access matched the default policy and was blocked or forwarded according to the default policy's setting.
Firewall rule [NOT] match:[ TCP | UDP | IGMP | ESP | GRE | OSPF ] <Packet Direction>, <rule:%d>
    Attempted TCP/UDP/IGMP/ESP/GRE/OSPF access matched (or did not match) a configured firewall rule (denoted by its number) and was blocked or forwarded according to the rule.
Triangle route packet forwarded: [ TCP | UDP | IGMP | ESP | GRE | OSPF ]
    The firewall allowed a triangle route session to pass through.
Packet without a NAT table entry blocked: [ TCP | UDP | IGMP | ESP | GRE | OSPF ]
    The router blocked a packet that didn't have a corresponding NAT table entry.
Router sent blocked web site message: TCP
    The router sent a message to notify a user that the router blocked access to a web site that the user requested.
Exceed maximum sessions per host (%d).
    The device blocked a session because the host's connections exceeded the maximum sessions per host.
Firewall allowed a packet that matched a NAT session: [ TCP | UDP ]
    A packet from the WAN (TCP or UDP) matched a cone NAT session and the device forwarded it to the LAN.

Table 103   TCP Reset Logs
LOG MESSAGE
    DESCRIPTION
Under SYN flood attack, sent TCP RST
    The router sent a TCP reset packet when a host was under a SYN flood attack (the TCP incomplete count is per destination host).
Exceed TCP MAX incomplete, sent TCP RST
    The router sent a TCP reset packet when the number of TCP incomplete connections exceeded the user configured threshold (the TCP incomplete count is per destination host).
Peer TCP state out of order, sent TCP RST
    The router sent a TCP reset packet when a TCP connection state was out of order.
    Note: The firewall refers to RFC793 Figure 6 to check the TCP state.
Firewall session time out, sent TCP RST
    The router sent a TCP reset packet when a dynamic firewall session timed out.
    The default timeout values are as follows:
    ICMP idle timeout: 3 minutes
    UDP idle timeout: 3 minutes
    TCP connection (three way handshaking) timeout: 270 seconds
    TCP FIN-wait timeout: 2 MSL (Maximum Segment Lifetime set in the TCP header).
    TCP idle (established) timeout (s): 150 minutes
    TCP reset timeout: 10 seconds
Exceed MAX incomplete, sent TCP RST
    The router sent a TCP reset packet when the number of incomplete connections (TCP and UDP) exceeded the user-configured threshold. (Incomplete count is for all TCP and UDP connections through the firewall.)
    Note: When the number of incomplete connections (TCP + UDP) > "Maximum Incomplete High", the router sends TCP RST packets for TCP connections and destroys TOS (firewall dynamic sessions) until incomplete connections < "Maximum Incomplete Low".
Access block, sent TCP RST
    The router sends a TCP RST packet and generates this log if you turn on the firewall TCP reset mechanism (via CI command: sysfirewall tcprst).

Table 104   Packet Filter Logs
LOG MESSAGE
    DESCRIPTION
[ TCP | UDP | ICMP | IGMP | Generic ] packet filter matched (set: %d, rule: %d)
    Attempted access matched a configured filter rule (denoted by its set and rule number) and was blocked or forwarded according to the rule.

For type and code details, see Table 112 on page 251.

Table 105   ICMP Logs
LOG MESSAGE
    DESCRIPTION
Firewall default policy: ICMP <Packet Direction>, <type:%d>, <code:%d>
    ICMP access matched the default policy and was blocked or forwarded according to the user's setting.
Firewall rule [NOT] match: ICMP <Packet Direction>, <rule:%d>, <type:%d>, <code:%d>
    ICMP access matched (or didn't match) a firewall rule (denoted by its number) and was blocked or forwarded according to the rule.
Triangle route packet forwarded: ICMP
    The firewall allowed a triangle route session to pass through.
Packet without a NAT table entry blocked: ICMP
    The router blocked a packet that didn't have a corresponding NAT table entry.
Unsupported/out-of-order ICMP: ICMP
    The firewall does not support this kind of ICMP packet or the ICMP packets are out of order.
Router reply ICMP packet: ICMP
    The router sent an ICMP reply packet to the sender.

Table 106   CDR Logs
LOG MESSAGE
    DESCRIPTION
board %d line %d channel %d, call %d, %s C01 Outgoing Call dev=%x ch=%x %s
    The router received the setup requirements for a call. "call" is the reference (count) number of the call. "dev" is the device type (3 is for dial-up, 6 is for PPPoE). "channel" or "ch" is the call channel ID.
    For example, "board 0 line 0 channel 0, call 3, C01 Outgoing Call dev=6 ch=0 " means the router has dialed to the PPPoE server 3 times.
board %d line %d channel %d, call %d, %s C02 OutCall Connected %d %s
    The PPPoE or dial-up call is connected.
board %d line %d channel %d, call %d, %s C02 Call Terminated
    The PPPoE or dial-up call was disconnected.

Table 107   PPP Logs
LOG MESSAGE
    DESCRIPTION
ppp:LCP Starting
    The PPP connection's Link Control Protocol stage has started.
ppp:LCP Opening
    The PPP connection's Link Control Protocol stage is opening.
ppp:CHAP Opening
    The PPP connection's Challenge Handshake Authentication Protocol stage is opening.
ppp:IPCP Starting
    The PPP connection's Internet Protocol Control Protocol stage is starting.
ppp:IPCP Opening
    The PPP connection's Internet Protocol Control Protocol stage is opening.
ppp:LCP Closing
    The PPP connection's Link Control Protocol stage is closing.
ppp:IPCP Closing
    The PPP connection's Internet Protocol Control Protocol stage is closing.

Table 108   UPnP Logs
LOG MESSAGE
    DESCRIPTION
UPnP pass through Firewall
    UPnP packets can pass through the firewall.

Table 109   Content Filtering Logs
LOG MESSAGE
    DESCRIPTION
%s: Keyword blocking
    The content of a requested web page matched a user defined keyword.
%s: Not in trusted web list
    The web site is not in a trusted domain, and the router blocks all traffic except trusted domain sites.
%s: Forbidden Web site
    The web site is in the forbidden web site list.
%s: Contains ActiveX
    The web site contains ActiveX.
%s: Contains Java applet
    The web site contains a Java applet.
%s: Contains cookie
    The web site contains a cookie.
%s: Proxy mode detected
    The router detected proxy mode in the packet.
%s: Trusted Web site
    The web site is in a trusted domain.
%s
    When the content filter is not on according to the time schedule.
Waiting content filter server timeout
    The external content filtering server did not respond within the timeout period.
DNS resolving failed
    The ZyXEL Device cannot get the IP address of the external content filtering via DNS query.
Creating socket failed
    The ZyXEL Device cannot issue a query because TCP/IP socket creation failed, port:port number.
Connecting to content filter server fail
    The connection to the external content filtering server failed.
License key is invalid
    The external content filtering license key is invalid.

For type and code details, see Table 112 on page 251.

Table 110   Attack Logs
LOG MESSAGE
    DESCRIPTION
attack [ TCP | UDP | IGMP | ESP | GRE | OSPF ]
    The firewall detected a TCP/UDP/IGMP/ESP/GRE/OSPF attack.
attack ICMP (type:%d, code:%d)
    The firewall detected an ICMP attack.
land [ TCP | UDP | IGMP | ESP | GRE | OSPF ]
    The firewall detected a TCP/UDP/IGMP/ESP/GRE/OSPF land attack.
land ICMP (type:%d, code:%d)
    The firewall detected an ICMP land attack.
ip spoofing - WAN [ TCP | UDP | IGMP | ESP | GRE | OSPF ]
    The firewall detected an IP spoofing attack on the WAN port.
ip spoofing - WAN ICMP (type:%d, code:%d)
    The firewall detected an ICMP IP spoofing attack on the WAN port.
icmp echo : ICMP (type:%d, code:%d)
    The firewall detected an ICMP echo attack.
syn flood TCP
    The firewall detected a TCP syn flood attack.
ports scan TCP
    The firewall detected a TCP port scan attack.
teardrop TCP
    The firewall detected a TCP teardrop attack.
teardrop UDP
    The firewall detected a UDP teardrop attack.
teardrop ICMP (type:%d, code:%d)
    The firewall detected an ICMP teardrop attack.
illegal command TCP
    The firewall detected a TCP illegal command attack.
NetBIOS TCP
    The firewall detected a TCP NetBIOS attack.
ip spoofing - no routing entry [ TCP | UDP | IGMP | ESP | GRE | OSPF ]
    The firewall classified a packet with no source routing entry as an IP spoofing attack.
ip spoofing - no routing entry ICMP (type:%d, code:%d)
    The firewall classified an ICMP packet with no source routing entry as an IP spoofing attack.
vulnerability ICMP (type:%d, code:%d)
    The firewall detected an ICMP vulnerability attack.
traceroute ICMP (type:%d, code:%d)
    The firewall detected an ICMP traceroute attack.
ports scan UDP
    The firewall detected a UDP port scan attack.
Firewall sent TCP packet in response to DoS attack TCP
    The firewall sent a TCP packet in response to a DoS attack.
ICMP Source Quench ICMP
    The firewall detected an ICMP Source Quench attack.
ICMP Time Exceed ICMP
    The firewall detected an ICMP Time Exceed attack.
ICMP Destination Unreachable ICMP
    The firewall detected an ICMP Destination Unreachable attack.
ping of death. ICMP
    The firewall detected an ICMP ping of death attack.
smurf ICMP
    The firewall detected an ICMP smurf attack.

Table 111   Remote Management Logs
LOG MESSAGE
    DESCRIPTION
Remote Management: FTP denied
    Attempted use of FTP service was blocked according to remote management settings.
Remote Management: TELNET denied
    Attempted use of TELNET service was blocked according to remote management settings.
Remote Management: HTTP or UPnP denied
    Attempted use of HTTP or UPnP service was blocked according to remote management settings.
Remote Management: WWW denied
    Attempted use of WWW service was blocked according to remote management settings.
Remote Management: HTTPS denied
    Attempted use of HTTPS service was blocked according to remote management settings.
Remote Management: SSH denied
    Attempted use of SSH service was blocked according to remote management settings.
Remote Management: ICMP Ping response denied
    Attempted use of ICMP service was blocked according to remote management settings.
Remote Management: DNS denied
    Attempted use of DNS service was blocked according to remote management settings.

Table 112   ICMP Notes
TYPE  CODE  DESCRIPTION
0           Echo Reply
      0     Echo reply message
3           Destination Unreachable
      0     Net unreachable
      1     Host unreachable
      2     Protocol unreachable
      3     Port unreachable
      4     A packet that needed fragmentation was dropped because it was set to Don't Fragment (DF)
      5     Source route failed
4           Source Quench
      0     A gateway may discard internet datagrams if it does not have the buffer space needed to queue the datagrams for output to the next network on the route to the destination network.
5           Redirect
      0     Redirect datagrams for the Network
      1     Redirect datagrams for the Host
      2     Redirect datagrams for the Type of Service and Network
      3     Redirect datagrams for the Type of Service and Host
8           Echo
      0     Echo message
11          Time Exceeded
      0     Time to live exceeded in transit
      1     Fragment reassembly time exceeded
12          Parameter Problem
      0     Pointer indicates the error
13          Timestamp
      0     Timestamp request message
14          Timestamp Reply
      0     Timestamp reply message
15          Information Request
      0     Information request message
16          Information Reply
      0     Information reply message

Table 113   SIP Logs
LOG MESSAGE
    DESCRIPTION
SIP Registration Success by SIP:SIP Phone Number
    The listed SIP account was successfully registered with a SIP register server.
SIP Registration Fail by SIP:SIP Phone Number
    An attempt to register the listed SIP account with a SIP register server was not successful.
SIP UnRegistration Success by SIP:SIP Phone Number
    The listed SIP account's registration was deleted from the SIP register server.
SIP UnRegistration Fail by SIP:SIP Phone Number
    An attempt to delete the listed SIP account's registration from the SIP register server failed.

Table 114   RTP Logs
LOG MESSAGE
    DESCRIPTION
Error, RTP init fail
    The initialization of an RTP session failed.
Error, Call fail: RTP connect fail
    A VoIP phone call failed because the RTP session could not be established.
Error, RTP connection cannot close
    The termination of an RTP session failed.

Table 115   FSM Logs: Caller Side
LOG MESSAGE
    DESCRIPTION
VoIP Call Start Ph[Phone Port Number] <- Outgoing Call Number
    Someone used a phone connected to the listed phone port to initiate a VoIP call to the listed destination.
VoIP Call Established Ph[Phone Port] -> Outgoing Call Number
    Someone used a phone connected to the listed phone port to make a VoIP call to the listed destination.
VoIP Call End Phone[Phone Port]
    A VoIP phone call made from a phone connected to the listed phone port has terminated.
