ZyXEL Communications MAX200HW2 WiMAX Router User Manual UserMan I88MAX200HW2 revised

ZyXEL Communications Corporation WiMAX Router UserMan I88MAX200HW2 revised

UserManual.wiki >

ZyXEL Communications >

MAX200HW2 User Manual >

User manual revised 2

Chapter 12SIPMAX-200HW2 Series User s Guide 15312.1.7.2 Use NATIf you know the NAT router!s public IP address and SIP port number, you can use the Use NAT feature to manually configure the ZyXEL Device to use a them in the SIP messages. This eliminates the need for STUN or a SIP ALG.You must also configure the NAT router to forward traffic with this port number to the ZyXEL Device. 12.1.7.3 STUNSTUN (Simple Traversal of User Datagram Protocol (UDP) through Network Address Translators) allows the ZyXEL Device to find the presence and types of NAT routers and/or firewalls between it and the public Internet. STUN also allows the ZyXEL Device to find the public IP address that NAT assigned, so the ZyXEL Device can embed it in the SIP data stream. STUN does not work with symmetric NAT routers or firewalls. See RFC 3489 for details on STUN.The following figure shows how STUN works. 1The ZyXEL Device (A) sends SIP packets to the STUN server (B).2The STUN server (B) finds the public IP address and port number that the NAT router used on the ZyXEL Device!s SIP packets and sends them to the ZyXEL Device.3The ZyXEL Device uses the public IP address and port number in the SIP packets that it sends to the SIP server (C).Figure 102 STUN12.1.7.4 Outbound ProxyYour VoIP service provider may host a SIP outbound proxy server to handle all of the ZyXEL Device!s VoIP traffic. This allows the ZyXEL Device to work with any type of NAT router and eliminates the need for STUN or a SIP ALG. Turn off a SIP ALG on a NAT router in front of the ZyXEL Device to keep it from retranslating the IP address (since this is already handled by the outbound proxy server).12.1.8 Voice CodingA codec (coder/decoder) codes analog voice signals into digital signals and decodes the digital signals back into voice signals. The ZyXEL Device supports the following codecs. G.711 is a Pulse Code Modulation (PCM) waveform codec. PCM measures analog signal amplitudes at regular time intervals (sampling) and converts them into digital bits (quantization). Quantization "reads# the analog signal and then "writes# it to the nearest digital value. For this reason, a digital sample is usually slightly different from its analog original (this difference is known as "quantization noise#).

Chapter 12SIPMAX-200HW2 Series User s Guide154G.711 provides excellent sound quality but requires 64kbps of bandwidth. G.723 is an Adaptive Differential Pulse Code Modulation (ADPCM) waveform codec. Differential (or Delta) PCM is similar to PCM, but encodes the audio signal based on the difference between one sample and a prediction based on previous samples, rather than encoding the sample!s actual quantized value. Many thousands of samples are taken each second, and the differences between consecutive samples are usually quite small, so this saves space and reduces the bandwidth necessary. However, DPCM produces a high quality signal (high signal-to-noise ratio or SNR) for high difference signals (where the actual signal is very different from what was predicted) but a poor quality signal (low SNR) for low difference signals (where the actual signal is very similar to what was predicted). This is because the level of quantization noise is the same at all signal levels. Adaptive DPCM solves this problem by adapting the difference signal!s level of quantization according to the audio signal!s strength. A low difference signal is given a higher quantization level, increasing its signal-to-noise ratio. This provides a similar sound quality at all signal levels.G.723 provides high quality sound and requires 20 or 40 kbps. G.729 is an Analysis-by-Synthesis (AbS) hybrid waveform codec. It uses a filter based on information about how the human vocal tract produces sounds. The codec analyzes the incoming voice signal and attempts to synthesize it using its list of voice elements. It tests the synthesized signal against the original and, if it is acceptable, transmits details of the voice elements it used to make the synthesis. Because the codec at the receiving end has the same list, it can exactly recreate the synthesized audio signal.G.729 provides good sound quality and reduces the required bandwidth to 8kbps.12.1.9 PSTN Call Setup SignalingPSTNs (Public Switched Telephone Networks) use DTMF or pulse dialing to set up telephone calls.Dual-Tone Multi-Frequency (DTMF) signaling uses pairs of frequencies (one lower frequency and one higher frequency) to set up calls. It is also known as Touch Tone? Each of the keys on a DTMF telephone corresponds to a different pair of frequencies.Pulse dialing sends a series of clicks to the local phone office in order to dial numbers.312.1.10 MWI (Message Waiting Indication)Enable Message Waiting Indication (MWI) enables your phone to give you a message%waiting (beeping) dial tone when you have one or more voice messages. Your VoIP service provider must have a messaging system that sends message-waiting-status SIP packets as defined in RFC 3842.3.The ZyXEL Device supports DTMF at the time of writing.

Chapter 12SIPMAX-200HW2 Series User s Guide 15512.1.11 Custom Tones (IVR)IVR (Interactive Voice Response) is a feature that allows you to use your telephone to interact with the ZyXEL Device. The ZyXEL Device allows you to record custom tones for the CallerRinging Tone and On Hold Tone functions. The same recordings apply to both the caller ringing and on hold tones. 12.1.11.1 Recording Custom TonesUse the following steps if you would like to create new tones or change your tones: 1Pick up the phone and press **** on your phone!s keypad and wait for the message that says you are in the configuration menu. 2Press a number from 1101~1108 on your phone followed by the # key.3Play your desired music or voice recording into the receiver!s mouthpiece. Press the #key.4You can continue to add, listen to, or delete tones, or you can hang up the receiver when you are done.12.1.11.2 Listening to Custom TonesDo the following to listen to a custom tone:1Pick up the phone and press **** on your phone!s keypad and wait for the message that says you are in the configuration menu.2Press a number from 1201~1208 followed by the # key to listen to the tone.3You can continue to add, listen to, or delete tones, or you can hang up the receiver when you are done.12.1.11.3 Deleting Custom TonesDo the following to delete a custom tone:1Pick up the phone and press **** on your phone!s keypad and wait for the message that says you are in the configuration menu.2Press a number from 1301~1308 followed by the # key to delete the tone of your choice. Press 14 followed by the # key if you wish to clear all your custom tones.3You can continue to add, listen to, or delete tones, or you can hang up the receiver when you are done.12.1.12 Quality of Service (QoS)Quality of Service (QoS) refers to both a network's ability to deliver data with minimum delay and the networking methods used to provide bandwidth for real-time multimedia applications. Table 58 Custom Tones DetailsLABEL DESCRIPTIONTotal Time for All Tones128 seconds for all custom tones combinedMaximum Time per Individual Tone 20 secondsTotal Number of Tones Recordable8You can record up to eight different custom tones but the total time must be 128 seconds or less.

Chapter 12SIPMAX-200HW2 Series User s Guide15612.1.12.1 Type Of Service (ToS)Network traffic can be classified by setting the ToS (Type Of Service) values at the data source (for example, at the ZyXEL Device) so a server can decide the best method of delivery, that is the least cost, fastest route and so on. 12.1.12.2 DiffServDiffServ is a class of service (CoS) model that marks packets so that they receive specific per-hop treatment at DiffServ-compliant network devices along the route based on the application types and traffic flow. Packets are marked with DiffServ Code Points (DSCPs) indicating the level of service desired. This allows the intermediary DiffServ-compliant network devices to handle the packets differently depending on the code points without the need to negotiate paths or remember state information for every flow. In addition, applications do not have to request a particular service or give advanced notice of where the traffic is going.412.1.12.3 DSCP and Per-Hop Behavior DiffServ defines a new DS (Differentiated Services) field to replace the Type of Service (TOS) field in the IP header. The DS field contains a 2-bit unused field and a 6-bit DSCP field which can define up to 64 service levels. The following figure illustrates the DS field. Figure 103 DiffServ: Differentiated Service FieldDSCP is backward compatible with the three precedence bits in the ToS octet so that non-DiffServ compliant, ToS-enabled network device will not conflict with the DSCP mapping. The DSCP value determines the forwarding behavior, the PHB (Per-Hop Behavior), that each packet gets across the DiffServ network. Based on the marking rule, different kinds of traffic can be marked for different priorities of forwarding. Resources can then be allocated according to the DSCP values and the configured policies.12.1.12.4 VLANVirtual Local Area Network (VLAN) allows a physical network to be partitioned into multiple logical networks. Only stations within the same group can communicate with each other. Your ZyXEL Device can add IEEE 802.1Q VLAN ID tags to voice frames that it sends to the network. This allows the ZyXEL Device to communicate with a SIP server that is a member of the same VLAN group. Some ISPs use the VLAN tag to identify voice traffic and give it priority over other traffic.4.The ZyXEL Device does not support DiffServ at the time of writing.DSCP(6-bit)Unused(2-bit)

Chapter 12SIPMAX-200HW2 Series User s Guide 15712.2 SIP Screens12.2.1 SIP Settings ScreenUse this screen to maintain basic information about each SIP account. Your VoIP service provider (the company that lets you make phone calls over the Internet) should provide this. You can also enable and disable each SIP account. To access this screen, click VoIP > SIP > SIP Settings.Figure 104 VoIP > SIP > SIP SettingsEach field is described in the following table.Table 59 VoIP > SIP > SIP SettingsLABEL DESCRIPTIONSIP Account Select the SIP account you want to see in this screen. If you change this field, the screen automatically refreshes.SIP SettingsActive SIP AccountSelect this if you want the ZyXEL Device to use this account. Clear it if you do not want the ZyXEL Device to use this account.NumberEnter your SIP number. In the full SIP URI, this is the part before the @ symbol. You can use up to 127 printable ASCII characters.SIP Local PortEnter the ZyXEL Device s listening port number, if your VoIP service provider gave you one. Otherwise, keep the default value.SIP Server AddressEnter the IP address or domain name of the SIP server provided by your VoIP service provider. You can use up to 95 printable ASCII characters. It does not matter whether the SIP server is a proxy, redirect or register server.SIP Server PortEnter the SIP server s listening port number, if your VoIP service provider gave you one. Otherwise, keep the default value.

Chapter 12SIPMAX-200HW2 Series User s Guide15812.2.2 Advanced SIP Setup ScreenUse this screen to maintain advanced settings for each SIP account. To access this screen, click Advanced Setup in VoIP > SIP > SIP Settings.REGISTERServer AddressEnter the IP address or domain name of the SIP register server, if your VoIP service provider gave you one. Otherwise, enter the same address you entered in the SIP Server Address field. You can use up to 95 printable ASCII characters.REGISTERServer PortEnter the SIP register server s listening port number, if your VoIP service provider gave you one. Otherwise, enter the same port number you entered in the SIPServer Port field.SIP Service DomainEnter the SIP service domain name. In the full SIP URI, this is the part after the @ symbol. You can use up to 127 printable ASCII Extended set characters.Send Caller IDSelect this if you want to send identification when you make VoIP phone calls. Clear this if you do not want to send identification.AuthenticationUser NameEnter the user name for registering this SIP account, exactly as it was given to you. You can use up to 95 printable ASCII characters.PasswordEnter the user name for registering this SIP account, exactly as it was given to you. You can use up to 95 printable ASCII Extended set characters.Apply Click this to save your changes.Reset Click this to set every field in this screen to its last-saved value.Advanced Setup Click this to edit the advanced settings for this SIP account. The Advanced SIP Setup screen appears.Table 59 VoIP > SIP > SIP SettingsLABEL DESCRIPTION

Chapter 12SIPMAX-200HW2 Series User s Guide 159Figure 105 VoIP > SIP > SIP Settings > Advanced

Chapter 12SIPMAX-200HW2 Series User s Guide160Each field is described in the following table.Table 60 VoIP > SIP > SIP Settings > AdvancedLABEL DESCRIPTIONSIP AccountThis field displays the SIP account you see in this screen.SIP Server SettingsURL TypeSelect whether or not to include the SIP service domain name when the ZyXEL Device sends the SIP number.SIP - include the SIP service domain nameTEL - do not include the SIP service domain nameExpiration DurationEnter the number of seconds your SIP account is registered with the SIP register server before it is deleted. The ZyXEL Device automatically tries to re-register your SIP account when one-half of this time has passed. (The SIP register server might have a different expiration.)Register Re-send timerEnter the number of seconds the ZyXEL Device waits before it tries again to register the SIP account, if the first try failed or if there is no response.Session ExpiresEnter the number of seconds the conversation can last before the call is automatically disconnected. Usually, when one-half of this time has passed, the ZyXEL Device or the other party updates this timer to prevent this from happening.Min-SEEnter the minimum number of seconds the ZyXEL Device accepts for a session expiration time when it receives a request to start a SIP session. If the request has a shorter time, the ZyXEL Device rejects it.RTP Port RangeStart PortEnd PortEnter the listening port number(s) for RTP traffic, if your VoIP service provider gave you this information. Otherwise, keep the default values.To enter one port number, enter the port number in the Start Port and End Portfields.To enter a range of ports,#enter the port number at the beginning of the range in the Start Port field#enter the port number at the end of the range in the End Port field.Voice CompressionSelect the type of voice coder/decoder (codec) that you want the ZyXEL Device to use.G.711 provides high voice quality but requires more bandwidth (64 kbps).#G.711A is typically used in Europe.#G.711u is typically used in North America and Japan.G.723 provides good voice quality, and requires 20 or 40 kbps.In contrast, G.729 requires only 8 kbps.The ZyXEL Device must use the same codec as the peer. When two SIP devices start a SIP session, they must agree on a codec.Primary CompressionTypeSelect the ZyXEL Device s first choice for voice coder/decoder.Secondary CompressionTypeSelect the ZyXEL Device s second choice for voice coder/decoder. Select None if you only want the ZyXEL Device to accept the first choice.Third CompressionTypeThis field is disabled if Secondary Compression Type is None.Select the ZyXEL Device s third choice for voice coder/decoder. Select None if you only want the ZyXEL Device to accept the first or second choice.

Chapter 12SIPMAX-200HW2 Series User s Guide 161DTMF Mode Control how the ZyXEL Device handles the tones that your telephone makes when you push its buttons. You should use the same mode your VoIP service provider uses.RFC 2833 - send the DTMF tones in RTP packetsPCM - send the DTMF tones in the voice data stream. This method works best when you are using a codec that does not use compression (like G.711). Codecs that use compression (like G.729) can distort the tones.SIP INFO - send the DTMF tones in SIP messagesSTUNActiveSelect this if all of the following conditions are satisfied.#There is a NAT router between the ZyXEL Device and the SIP server.#The NAT router is not a SIP ALG.#Your VoIP service provider gave you an IP address or domain name for a STUN server.Otherwise, clear this field.Server AddressEnter the IP address or domain name of the STUN server provided by your VoIP service provider.Server PortEnter the STUN server s listening port, if your VoIP service provider gave you one. Otherwise, keep the default value.Use NATActiveSelect this if you want the ZyXEL Device to send SIP traffic to a specific NAT router. You must also configure the NAT router to forward traffic with the specified port to the ZyXEL Device. This eliminates the need for STUN or a SIP ALG.Server AddressEnter the public IP address or domain name of the NAT router.Server PortEnter the port number that your SIP sessions use with the public IP address of the NAT router.Outbound ProxyActiveSelect this if your VoIP service provider has a SIP outbound server to handle voice calls. This allows the ZyXEL Device to work with any type of NAT router and eliminates the need for STUN or a SIP ALG. Turn off any SIP ALG on a NAT router in front of the ZyXEL Device to keep it from retranslating the IP address (since this is already handled by the outbound proxy server).Server AddressEnter the IP address or domain name of the SIP outbound proxy server. Server PortEnter the SIP outbound proxy server s listening port, if your VoIP service provider gave you one. Otherwise, keep the default value.NAT Keep AliveActiveSelect this to stop NAT routers between the ZyXEL Device and SIP server (a SIP proxy server or outbound proxy server) from dropping the SIP session. The ZyXEL Device does this by sending SIP notify messages to the SIP server based on the specified interval.Keep Alive with SIP ProxySelect this if the SIP server is a SIP proxy server.Keep Alive with Outbound ProxySelect this if the SIP server is an outbound proxy server. You must enable Outbound Proxy to use this.Keep Alive IntervalEnter how often (in seconds) the ZyXEL Device should send SIP notify messages to the SIP server.MWI (Message Waiting Indication)Table 60 VoIP > SIP > SIP Settings > AdvancedLABEL DESCRIPTION

Chapter 12SIPMAX-200HW2 Series User s Guide 163Figure 106 VoIP > SIP > QoSEach field is described in the following table.Table 61 VoIP > SIP > QoSLABEL DESCRIPTIONSIP TOS Priority SettingEnter the priority for SIP voice transmissions. The ZyXEL Device creates Type of Service priority tags with this priority to voice traffic that it transmits.RTP TOS Priority SettingEnter the priority for RTP voice transmissions. The ZyXEL Device creates Type of Service priority tags with this priority to RTP traffic that it transmits.Voice VLAN IDSelect this if the ZyXEL Device has to be a member of a VLAN to communicate with the SIP server. Ask your network administrator, if you are not sure. Enter the VLAN ID provided by your network administrator in the field on the right. Your LAN and gateway must be configured to use VLAN tags.Otherwise, clear this field.Apply Click this to save your changes.Reset Click this to set every field in this screen to its last-saved value.

Chapter 12SIPMAX-200HW2 Series User s Guide164

MAX-200HW2 Series User s Guide 165CHAPTER 13PhoneUse these screens to configure the phone you use to make phone calls with the ZyXEL Device.13.1 Phone OverviewYou can configure the volume, echo cancellation, VAD settings and custom tones for the phone port on the ZyXEL Device. You can also select which SIP account to use for making outgoing calls.13.1.1 Voice Activity Detection/Silence Suppression/Comfort NoiseVoice Activity Detection (VAD) detects whether or not speech is present. This lets the ZyXEL Device reduce the bandwidth that a call uses by not transmitting "silent packets# when you are not speaking.When using VAD, the ZyXEL Device generates comfort noise when the other party is not speaking. The comfort noise lets you know that the line is still connected as total silence could easily be mistaken for a lost connection.13.1.2 Echo Cancellation G.168 is an ITU-T standard for eliminating the echo caused by the sound of your voice reverberating in the telephone receiver while you talk.13.1.3 Supplementary Phone Services OverviewSupplementary services such as call hold, call waiting, call transfer, etc. are generally available from your VoIP service provider. The ZyXEL Device supports the following services: Call Hold Call Waiting Making a Second Call Call Transfer Call Forwarding Three-Way Conference Internal Calls Caller ID CLIP (Calling Line Identification Presentation)

Chapter 13PhoneMAX-200HW2 Series User s Guide 167Press the flash key and then "1# to disconnect the current call and resume the call on hold.If you hang up the phone but a caller is still on hold, there will be a remind ring.13.1.3.2.2 European Call Waiting This allows you to place a call on hold while you answer another incoming call on the same telephone (directory) number. If there is a second call to a telephone number, you will hear a call waiting tone. Take one of the following actions. Reject the second call.Press the flash key and then press "0#. Disconnect the first call and answer the second call.Either press the flash key and press "1#, or just hang up the phone and then answer the phone after it rings. Put the first call on hold and answer the second call.Press the flash key and then "2#.13.1.3.2.3 European Call TransferDo the following to transfer an incoming call (that you have answered) to another phone.1Press the flash key to put the caller on hold.2When you hear the dial tone, dial "*98## followed by the number to which you want to transfer the call. to operate the Intercom.3After you hear the ring signal or the second party answers it, hang up the phone.13.1.3.2.4 European Three-Way ConferenceUse the following steps to make three-way conference calls.1When you are on the phone talking to someone, place the flash key to put the caller on hold and get a dial tone. 2Dial a phone number directly to make another call.3When the second call is answered, press the flash key and press "3# to create a three-way conversation.4Hang up the phone to drop the connection.5If you want to separate the activated three-way conference into two individual connections (one is on-line, the other is on hold), press the flash key and press "2#.13.1.3.3 USA Type Supplementary ServicesThis section describes how to use supplementary phone services with the USA TypeCallService Mode. Commands for supplementary services are listed in the table below.

Chapter 13PhoneMAX-200HW2 Series User s Guide168After pressing the flash key, if you do not issue the sub-command before the default sub-command timeout (2 seconds) expires or issue an invalid sub-command, the current operation will be aborted.13.1.3.3.1 USA Call HoldCall hold allows you to put a call (A) on hold by pressing the flash key. If you have another call, press the flash key to switch back and forth between caller A and Bby putting either one on hold.If you hang up the phone but a caller is still on hold, there will be a remind ring.13.1.3.3.2 USA Call Waiting This allows you to place a call on hold while you answer another incoming call on the same telephone (directory) number. If there is a second call to your telephone number, you will hear a call waiting tone. Press the flash key to put the first call on hold and answer the second call.13.1.3.3.3 USA Call TransferDo the following to transfer an incoming call (that you have answered) to another phone.1Press the flash key to put the caller on hold.2When you hear the dial tone, dial "*98## followed by the number to which you want to transfer the call. to operate the Intercom.3After you hear the ring signal or the second party answers it, hang up the phone.13.1.3.3.4 USA Three-Way ConferenceUse the following steps to make three-way conference calls.1When you are on the phone talking to someone, place the flash key to put the caller on hold and get a dial tone. 2Dial a phone number directly to make another call.3When the second call is answered, press the flash key, wait for the sub-command tone and press "3# to create a three-way conversation.4Hang up the phone to drop the connection.5If you want to separate the activated three-way conference into two individual connections (one is on-line, the other is on hold), press the flash key, wait for the sub-command tone and press "2#.Table 63 USA Type Flash Key CommandsCOMMAND SUB-COMMAND DESCRIPTIONFlash Put a current call on hold to place a second call. After the second call is successful, press the flash key again to have a three-way conference call.Put a current call on hold to answer an incoming call.Flash *98#Transfer the call to another phone.

Chapter 13PhoneMAX-200HW2 Series User s Guide 16913.2 Phone Screens13.2.1 Analog Phone ScreenUse this screen to control which SIP accounts and PSTN line each phone uses. To access this screen, click VoIP > Phone > Analog Phone.Figure 107 VoIP > Phone > Analog PhoneEach field is described in the following table.Table 64 VoIP > Phone > Analog PhoneLABEL DESCRIPTIONPhone Port SettingsSelect the phone port you want to see in this screen. If you change this field, the screen automatically refreshes.Outgoing Call UseSIP1Select this if you want this phone port to use the SIP1 account when it makes calls. If you select both SIP accounts, the ZyXEL Device tries to use SIP2 first.SIP2Select this if you want this phone port to use the SIP2 account when it makes calls. If you select both SIP accounts, the ZyXEL Device tries to use SIP2 first.Incoming Call apply toSIP1Select this if you want to receive phone calls for the SIP1 account on this phone port. If you select more than one source for incoming calls, there is no way to distinguish between them when you receive phone calls.SIP2Select this if you want to receive phone calls for the SIP2 account on this phone port. If you select more than one source for incoming calls, there is no way to distinguish between them when you receive phone calls.Apply Click this to save your changes.Reset Click this to set every field in this screen to its last-saved value.Advanced Setup Click this to edit the advanced settings for this phone port. The Advanced Analog Phone Setup screen appears.

Chapter 13PhoneMAX-200HW2 Series User s Guide17013.2.2 Advanced Analog Phone Setup ScreenUse this screen to edit advanced settings for each phone port. To access this screen, click Advanced Setup in VoIP > Phone > Analog Phone.Figure 108 VoIP > Phone > Analog Phone > AdvancedEach field is described in the following table.Table 65 VoIP > Phone > Analog Phone > AdvancedLABEL DESCRIPTIONAnalog Phone This field displays the phone port you see in this screen.Voice Volume ControlSpeaking VolumeEnter the loudness that the ZyXEL Device uses for speech that it sends to the peer device. -1 is the quietest, and 1 is the loudest.Listening VolumeEnter the loudness that the ZyXEL Device uses for speech that it receives from the peer device. -1 is the quietest, and 1 is the loudest.Echo CancellationG.168 ActiveSelect this if you want to eliminate the echo caused by the sound of your voice reverberating in the telephone receiver while you talk.Dialing Interval SelectDialing Interval SelectEnter the number of seconds the ZyXEL Device should wait after you stop dialing numbers before it makes the phone call. The value depends on how quickly you dial phone numbers.If you select Active Immediate Dial in VoIP > Phone > Common, you can press the pound key (#) to tell the ZyXEL Device to make the phone call immediately, regardless of this setting.VAD SupportSelect this if the ZyXEL Device should stop transmitting when you are not speaking. This reduces the bandwidth the ZyXEL Device uses.<BackClick this to return to the Analog Phone screen without saving your changes.Apply Click this to save your changes and to apply them to the ZyXEL Device.Reset Click this to set every field in this screen to its last-saved value.

Chapter 13PhoneMAX-200HW2 Series User s Guide172Apply Click this to save your changes and to apply them to the ZyXEL Device.Reset Click this to set every field in this screen to its last-saved value.Table 67 VoIP > Phone > RegionLABEL DESCRIPTION

MAX-200HW2 Series User s Guide 173CHAPTER 14Phone BookUse these screens to maintain call-forwarding rules and speed-dial settings.14.1 Phone Book OverviewSpeed dial provides shortcuts for dialing frequently used (VoIP) phone numbers. It is also required if you want to make peer-to-peer calls. In peer-to-peer calls, you call another VoIP device directly without going through a SIP server. In the ZyXEL Device, you must set up a speed dial entry in the phone book in order to do this. Select Non-Proxy (Use IP or URL) inthe Type column and enter the callee!s IP address or domain name. The ZyXEL Device sends SIP INVITE requests to the peer VoIP device when you use the speed dial entry.You do not need to configure a SIP account in order to make a peer-to-peer VoIP call.14.2 Phone Book Screens14.2.1 Incoming Call Policy ScreenUse this screen to maintain rules for handling incoming calls. You can block, redirect, or accept them. To access this screen, click VoIP > Phone Book > Incoming Call Policy.

Chapter 14Phone BookMAX-200HW2 Series User s Guide174Figure 111 VoIP > Phone Book > Incoming Call PolicyYou can create two sets of call-forwarding rules. Each one is stored in a call-forwarding table. Each field is described in the following table.Table 68 VoIP > Phone Book > Incoming Call PolicyLABEL DESCRIPTIONTable Number Select the call-forwarding table you want to see in this screen. If you change this field, the screen automatically refreshes.Forward to Number SetupThe ZyXEL Device checks these rules, in the order in which they appear, after it checks the rules in the Advanced Setup section.Unconditional Forward to NumberSelect this if you want the ZyXEL Device to forward all incoming calls to the specified phone number, regardless of other rules in the Forward to Numbersection. Specify the phone number in the field on the right.Busy Forward to NumberSelect this if you want the ZyXEL Device to forward incoming calls to the specified phone number if the phone port is busy. Specify the phone number in the field on the right. If you have call waiting, the incoming call is forwarded to the specified phone number if you reject or ignore the second incoming call.No Answer Forward to NumberSelect this if you want the ZyXEL Device to forward incoming calls to the specified phone number if the call is unanswered. (See No Answer Waiting Time.) Specify the phone number in the field on the right.No Answer Waiting TimeThis field is used by the No Answer Forward to Number feature and No Answerconditions below.Enter the number of seconds the ZyXEL Device should wait for you to answer an incoming call before it considers the call is unanswered.Advanced SetupThe ZyXEL Device checks these rules before it checks the rules in the Forward to Number section.

Chapter 14Phone BookMAX-200HW2 Series User s Guide 17514.2.2 Speed Dial ScreenYou have to create speed-dial entries if you want to make peer-to-peer calls or call SIP numbers that use letters. You can also create speed-dial entries for frequently-used SIP phone numbers. Use this screen to add, edit, or remove speed-dial entries. To access this screen, click VoIP > Phone Book > Speed Dial.#This field is a sequential value, and it is not associated with a specific rule. The sequence is important, however. The ZyXEL Device checks each rule in order, and it only follows the first one that applies.ActivateSelect this to enable this rule. Clear this to disable this rule.Incoming Call NumberEnter the phone number to which this rule applies.Forward to NumberEnter the phone number to which you want to forward incoming calls from the Incoming Call Number. You may leave this field blank, depending on the Condition.ConditionSelect the situations in which you want to forward incoming calls from the Incoming Call Number, or select an alternative action.Unconditional - The ZyXEL Device immediately forwards any calls from the Incoming Call Number to the Forward to Number.Busy - The ZyXEL Device forwards any calls from the Incoming Call Number to the Forward to Number when your SIP account already has a call connected.No Answer - The ZyXEL Device forwards any calls from the Incoming Call Number to the Forward to Number when the call is unanswered. (See NoAnswer Waiting Time.)Block - The ZyXEL Device rejects calls from the Incoming Call Number.Accept - The ZyXEL Device allows calls from the Incoming Call Number. You might create a rule with this condition if you do not want incoming calls from someone to be forwarded by rules in the Forward to Number section.Apply Click this to save your changes and to apply them to the ZyXEL Device.Reset Click this to set every field in this screen to its last-saved value.Table 68 VoIP > Phone Book > Incoming Call PolicyLABEL DESCRIPTION

Chapter 14Phone BookMAX-200HW2 Series User s Guide176Figure 112 VoIP > Phone Book > Speed DialEach field is described in the following table.Table 69 VoIP > Phone Book > Speed DialLABEL DESCRIPTIONSpeed Dial Use this section to create or edit speed-dial entries.Speed Dial Select the speed-dial number you want to use for this phone number.NumberEnter the SIP number you want the ZyXEL Device to call when you dial the speed-dial number.NameEnter a name to identify the party you call when you dial the speed-dial number. You can use up to 127 printable ASCII characters.TypeSelect Use Proxy if you want to use one of your SIP accounts to call this phone number.Select Non-Proxy (Use IP or URL) if you want to use a different SIP server or if you want to make a peer-to-peer call. In this case, enter the IP address or domain name of the SIP server or the other party in the field below.AddClick this to use the information in the Speed Dial section to update the Speed Dial Phone Book section.Speed Dial Phone BookUse this section to look at all the speed-dial entries and to erase them.Speed DialThis field displays the speed-dial number you should dial to use this entry. You should dial the numbers the way they appear in the screen.NumberThis field displays the SIP number the ZyXEL Device calls when you dial the speed-dial number.NameThis field displays the name of the party you call when you dial the speed-dial number.DestinationThis field is blank, if the speed-dial entry uses one of your SIP accounts. Otherwise, this field shows the IP address or domain name of the SIP server or other party. (This field corresponds with the Type field in the Speed Dial section.)

Chapter 14Phone BookMAX-200HW2 Series User s Guide 177ModifyUse this field to edit or erase the speed-dial entry.Click the Edit icon to copy the information for this speed-dial entry into the Speed Dial section, where you can change it.Click the Remove icon to erase this speed-dial entry.Clear Click this to erase all the speed-dial entries.Reset Click this to set every field in this screen to its last-saved value.Table 69 VoIP > Phone Book > Speed DialLABEL DESCRIPTION

Chapter 14Phone BookMAX-200HW2 Series User s Guide178

MAX-200HW2 Series User s Guide 179CHAPTER 15FirewallUse these screens to enable, configure and disable the firewall that protects your ZyXEL Device and your LAN from unwanted or malicious traffic.15.1 Firewall OverviewOriginally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another. The networking term "firewall" is a system or group of systems that enforces an access-control policy between two networks. It may also be defined as a mechanism used to protect a trusted network from an untrusted network. Of course, firewalls cannot solve every security problem. A firewall is one of the mechanisms used to establish a network security perimeter in support of a network security policy. It should never be the only mechanism or method employed. For a firewall to guard effectively, you must design and deploy it appropriately. This requires integrating the firewall into a broad information-security policy. In addition, specific policies must be implemented within the firewall itself.15.1.1 Stateful Inspection Firewall. Stateful inspection firewalls restrict access by screening data packets against defined access rules. They make access control decisions based on IP address and protocol. They also "inspect" the session data to assure the integrity of the connection and to adapt to dynamic protocols. These firewalls generally provide the best speed and transparency; however, they may lack the granular application level access control or caching that some proxies support. Firewalls, of one type or another, have become an integral part of standard security solutions for enterprises.15.1.2 About the ZyXEL Device FirewallThe ZyXEL Device firewall is a stateful inspection firewall and is designed to protect against Denial of Service attacks when activated. The ZyXEL Device's purpose is to allow a private Local Area Network (LAN) to be securely connected to the Internet. The ZyXEL Device can be used to prevent theft, destruction and modification of data, as well as log events, which may be important to the security of your network. The ZyXEL Device is installed between the LAN and a WiMAX base station connecting to the Internet. This allows it to act as a secure gateway for all data passing between the Internet and the LAN.

Chapter 15FirewallMAX-200HW2 Series User s Guide180The ZyXEL Device has one Ethernet (LAN) port. The LAN (Local Area Network) port attaches to a network of computers, which needs security from the outside world. These computers will have access to Internet services such as e-mail, FTP and the World Wide Web. However, "inbound access# is not allowed (by default) unless the remote host is authorized to use a specific service.15.1.3 Guidelines For Enhancing Security With Your Firewall1Change the default password via web configurator.2Think about access control before you connect to the network in any way.3Limit who can access your router.4Don't enable any local service (such as telnet or FTP) that you don't use. Any enabled service could present a potential security risk. A determined hacker might be able to find creative ways to misuse the enabled services to access the firewall or the network.5For local services that are enabled, protect against misuse. Protect by configuring the services to communicate only with specific peers, and protect by configuring rules to block packets for the services at specific interfaces.6Protect against IP spoofing by making sure the firewall is active.7Keep the firewall in a secured (locked) room.15.1.4 The Firewall, NAT and Remote ManagementFigure 113 Firewall Rule Directions15.1.4.1 LAN-to-WAN rules LAN-to-WAN rules are local network to Internet firewall rules. The default is to forward all traffic from your local network to the Internet. You can block certain LAN-to-WAN traffic in the Services screen (click the Services tab). All services displayed in the Blocked Services list box are LAN-to-WAN firewall rules that block those services originating from the LAN. Blocked LAN-to-WAN packets are considered alerts. Alerts are "higher priority logs# that include system errors, attacks and attempted access to blocked web sites. Alerts appear in red in the View Log screen. You may choose to have alerts e-mailed immediately in the Log Settings screen.

Chapter 15FirewallMAX-200HW2 Series User s Guide 181LAN-to-LAN/ZyXEL Device means the LAN to the ZyXEL Device LAN interface. This is always allowed, as this is how you manage the ZyXEL Device from your local computer.15.1.4.2 WAN-to-LAN rulesWAN-to-LAN rules are Internet to your local network firewall rules. The default is to block all traffic from the Internet to your local network. How can you forward certain WAN to LAN traffic? You may allow traffic originating from the WAN to be forwarded to the LAN by: Configuring NAT port forwarding rules. Configuring One-to-One and Many-One-to-One NAT mapping rules in the SMT NAT menus. Configuring WAN or LAN & WAN access for services in the Remote Managementscreens or SMT menus. When you allow remote management from the WAN, you are actually configuring WAN-to-WAN/ZyXEL Device firewall rules. WAN-to-WAN/ZyXEL Device firewall rules are Internet to the ZyXEL Device WAN interface firewall rules. The default is to block all such traffic. When you decide what WAN-to-LAN packets to log, you are in fact deciding what WAN-to-LAN and WAN-to-WAN/ZyXEL Device packets to log. Forwarded WAN-to-LAN packets are not considered alerts.15.2 Triangle RouteWhen the firewall is on, your ZyXEL Device acts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the ZyXEL Device to protect your LAN against attacks.Figure 114 Ideal Firewall Setup15.2.1 The "Triangle Route# ProblemA traffic route is a path for sending or receiving data packets between two Ethernet devices. You may have more than one connection to the Internet (through one or more ISPs). If an alternate gateway is on the LAN (and its IP address is in the same subnet as the ZyXEL Device!s LAN IP address), the "triangle route# (also called asymmetrical route) problem may occur. The steps below describe the "triangle route# problem. 1A computer on the LAN initiates a connection by sending out a SYN packet to a receiving server on the WAN.2The ZyXEL Device reroutes the SYN packet through Gateway Aon the LAN to the WAN.

Chapter 15FirewallMAX-200HW2 Series User s Guide1823The reply from the WAN goes directly to the computer on the LAN without going through the ZyXEL Device. As a result, the ZyXEL Device resets the connection, as the connection has not been acknowledged.Figure 115 !Triangle Route" Problem15.2.2 Solving the "Triangle Route# ProblemIf you have the ZyXEL Device allow triangle route sessions, traffic from the WAN can go directly to a LAN computer without passing through the ZyXEL Device and its firewall protection. Another solution is to use IP alias. IP alias allows you to partition your network into logical sections over the same Ethernet interface. Your ZyXEL Device supports up to three logical LAN interfaces with the ZyXEL Device being the gateway for each logical network. It!s like having multiple LAN networks that actually use the same physical cables and ports. By putting your LAN and Gateway A in different subnets, all returning network traffic must pass through the ZyXEL Device to your LAN. The following steps describe such a scenario.1A computer on the LAN initiates a connection by sending a SYN packet to a receiving server on the WAN. 2The ZyXEL Devicereroutes the packet to Gateway A, which is in Subnet 2. 3The reply from the WAN goes to the ZyXEL Device. 4The ZyXEL Device then sends it to the computer on the LAN in Subnet 1.Figure 116 IP Alias

Chapter 15FirewallMAX-200HW2 Series User s Guide 18315.3 Firewall Screens15.3.1 General Firewall ScreenUse this screen to configure the basic settings for your firewall. To access this screen, click Security > Firewall > General.Figure 117 Security > Firewall > GeneralEach field is described in the following table.15.3.2 Firewall Services ScreenUse this screen to enable service blocking, to set up the date and time service blocking is effective, and to maintain the list of services you want to block. To access this screen, click Security > Firewall > Services.Table 70 Security > Firewall > GeneralLABEL DESCRIPTIONEnable Firewall Select this to activate the firewall. The ZyXEL Device controls access and protects against Denial of Service (DoS) attacks when the firewall is activated.Bypass Triangle RouteSelect this if you want to let some traffic from the WAN go directly to a computer in the LAN without passing through the ZyXEL Device. See the appendices for more information about triangle route topology.Max NAT/Firewall Session Per UserSelect the maximum number of NAT rules and firewall rules the ZyXEL Device enforces at one time. The ZyXEL Device automatically allocates memory for the maximum number of rules, regardless of whether or not there is a rule to enforce. This is the same number you enter in Network > NAT > General.Packet Direction This field displays each direction that packets pass through the ZyXEL Device.Log Select the situations in which you want to create log entries for firewall events.No Log - do not create any log entriesLog Blocked - (LAN to WAN only) create log entries when packets are blockedLog Forwarded - (WAN to LAN only) create log entries when packets are forwardedLog All - create log entries for every packetApply Click this to save your changes.Reset Click this to set every field in this screen to its last-saved value.

Chapter 15FirewallMAX-200HW2 Series User s Guide184Figure 118 Security > Firewall > ServicesEach field is described in the following table.Table 71 Security > Firewall > ServicesLABEL DESCRIPTIONService SetupEnable Services BlockingSelect this to activate service blocking. The Schedule to Block section controls what days and what times service blocking is actually effective, however.Available ServicesThis is a list of pre-defined services (destination ports) you may prohibit your LAN computers from using. Select the port you want to block, and click Add to add the port to the Blocked Services field.A custom port is a service that is not available in the pre-defined Available Services list. You must define it using the Type and Port Number fields. See Appendix F on page 333 for some examples of services.Blocked Services This is a list of services (ports) that are inaccessible to computers on your LAN when service blocking is effective. To remove a service from this list, select the service, and click Delete.Type Select TCP or UDP, based on which one the custom port uses.Port Number Enter the range of port numbers that defines the service. For example, suppose you want to define the Gnutella service. Select TCP type and enter a port range of 6345-6349.Add Click this to add the selected service in Available Services to the Blocked Services list.Delete Select a service in the Blocked Services, and click this to remove the service from the list.Clear All Click this to remove all the services in the Blocked Services list.Schedule to Block

Chapter 15FirewallMAX-200HW2 Series User s Guide 185Day to Block Select which days of the week you want the service blocking to be effective.Time of Day to BlockSelect what time each day you want service blocking to be effective. Enter times in 24-hour format; for example, 3:00pm should be entered as 15:00.Apply Click this to save your changes.Reset Click this to set every field in this screen to its last-saved value.Table 71 Security > Firewall > ServicesLABEL DESCRIPTION

Chapter 15FirewallMAX-200HW2 Series User s Guide186

MAX-200HW2 Series User s Guide 187CHAPTER 16CertificatesThis chapter gives background information about public-key certificates and explains how to use the Certificates screens. 16.1 Certificates OverviewThe ZyXEL Device can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner!s identity and public key. Certificates provide a way to exchange public keys for use in authentication.A Certification Authority (CA) issues certificates and guarantees the identity of each certificate owner. There are commercial certification authorities like CyberTrust or VeriSign and government certification authorities. You can use the ZyXEL Device to generate certification requests that contain identifying information and public keys and then send the certification requests to a certification authority. When using public-key cryptology for authentication, each host has two keys. One key is public and can be made openly available. The other key is private and must be kept secure. These keys work like a handwritten signature (in fact, certificates are often referred to as "digital signatures#). Only you can write your signature exactly as it ought to look. When people know what your signature ought to look like, they can verify whether something was signed by you, or by someone else. In the same way, your private key "writes# your digital signature and your public key allows people to verify whether data was signed by you, or by someone else. This process works as follows.1Tim wants to send a message to Jenny. He needs her to be sure that it comes from him, and that the message content has not been altered by anyone else along the way. Tim generates a public key pair (one public key and one private key). 2Tim keeps the private key and makes the public key openly available. This means that anyone who receives a message seeming to come from Tim can read it and verify whether it is really from him or not. 3Tim uses his private key to sign the message and sends it to Jenny.4Jenny receives the message and uses Tim!s public key to verify it. Jenny knows that the message is from Tim, and she knows that although other people may have been able to read the message, no-one can have altered it (because they cannot re-sign the message with Tim!s private key).5Additionally, Jenny uses her own private key to sign a message and Tim uses Jenny!s public key to verify the message.

Chapter 16CertificatesMAX-200HW2 Series User s Guide188The ZyXEL Device uses certificates based on public-key cryptology to authenticate users attempting to establish a connection, not to encrypt the data that you send after establishing a connection. The method used to secure the data that you send through an established connection depends on the type of connection. For example, a VPN tunnel might use the triple DES encryption algorithm.The certification authority uses its private key to sign certificates. Anyone can then use the certification authority!s public key to verify the certificates.A certification path is the hierarchy of certification authority certificates that validate a certificate. The ZyXEL Device does not trust a certificate if any certificate on its path has expired or been revoked. Certification authorities maintain directory servers with databases of valid and revoked certificates. A directory of certificates that have been revoked before the scheduled expiration is called a CRL (Certificate Revocation List). The ZyXEL Device can check a peer!s certificate against a directory server!s list of revoked certificates. The framework of servers, software, procedures and policies that handles keys is called PKI (public-key infrastructure).16.1.1 Advantages of CertificatesCertificates offer the following benefits. The ZyXEL Device only has to store the certificates of the certification authorities that you decide to trust, no matter how many devices you need to authenticate. Key distribution is simple and very secure since you can freely distribute public keys and you never need to transmit private keys.16.2 Self-signed CertificatesYou can have the ZyXEL Device act as a certification authority and sign its own certificates.16.3 Factory Default CertificateThe ZyXEL Device generates its own unique self-signed certificate when you first turn it on. This certificate is referred to in the GUI as the factory default certificate. 16.3.1 Certificate File FormatsAny certificate that you want to import has to be in one of these file formats: Binary X.509: This is an ITU-T recommendation that defines the formats for X.509 certificates. PEM (Base-64) encoded X.509: This Privacy Enhanced Mail format uses lowercase letters, uppercase letters and numerals to convert a binary X.509 certificate into a printable form.

Chapter 16CertificatesMAX-200HW2 Series User s Guide 189 Binary PKCS#7: This is a standard that defines the general syntax for data (including digital signatures) that may be encrypted. A PKCS #7 file is used to transfer a public key certificate. The private key is not included. The ZyXEL Device currently allows the importation of a PKS#7 file that contains a single certificate. PEM (Base-64) encoded PKCS#7: This Privacy Enhanced Mail (PEM) format uses lowercase letters, uppercase letters and numerals to convert a binary PKCS#7 certificate into a printable form.Be careful to not convert a binary file to text during the transfer process. It is easy for this to occur since many programs use text files by default. 16.4 Certificate Configuration Screens SummaryThis section summarizes how to manage certificates on the ZyXEL Device.Use the My Certificate screens to generate and export self-signed certificates or certification requests and import the ZyXEL Device!s CA-signed certificates.Use the Trusted CAs screens to save CA certificates and trusted remote host certificates to the ZyXEL Device. The ZyXEL Device will trust any valid certificate that you have imported as a trusted certificate. It will also trust any valid certificate signed by any of the certificates that you have imported as a trusted certificate.16.5 Verifying a CertificateBefore you import a certificate into the ZyXEL Device, you should verify that you have the correct certificate. This is especially true of trusted certificates since the ZyXEL Device also trusts any valid certificate signed by any of the imported trusted certificates.16.5.1 Checking the Fingerprint of a Certificate on Your ComputerA certificate!s fingerprints are message digests calculated using the MD5 or SHA1 algorithms. The following procedure describes how to check a certificate!s fingerprint to verify that you have the actual certificate. 1Browse to where you have the certificate saved on your computer. 2Make sure that the certificate has a ".cer# or ".crt# file name extension.Figure 119 Remote Host Certificates

Chapter 16CertificatesMAX-200HW2 Series User s Guide1903Double-click the certificate!s icon to open the Certificate window. Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields.Figure 120 Certificate Details 4Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may very based on your situation. Possible examples would be over the telephone or through an HTTPS connection.16.6 My Certificates Screen Click Security > Certificates > My Certificates to open the My Certificates screen. This is the ZyXEL Device!s summary list of certificates and certification requests.

Chapter 16CertificatesMAX-200HW2 Series User s Guide 191Figure 121 Security > Certificates > My Certificates The following table describes the labels in this screen. Table 72 Security > Certificates > My CertificatesLABEL DESCRIPTIONPKI Storage Space in UseThis bar displays the percentage of the ZyXEL Device s PKI storage space that is currently in use. When the storage space is almost full, you should consider deleting expired or unnecessary certificates before adding more certificates.#This field displays the certificate index number. The certificates are listed in alphabetical order. NameThis field displays the name used to identify this certificate. It is recommended that you give each certificate a unique name. TypeThis field displays what kind of certificate this is. REQ represents a certification request and is not yet a valid certificate. Send a certification request to a certification authority, which then issues a certificate. Use the My Certificate Import screen to import the certificate and replace the request.SELF represents a self-signed certificate. *SELF represents the default self-signed certificate which signs the imported remote host certificates.CERT represents a certificate issued by a certification authority.SubjectThis field displays identifying information about the certificate s owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information. IssuerThis field displays identifying information about the certificate s issuing certification authority, such as a common name, organizational unit or department, organization or company and country. With self-signed certificates, this is the same information as in the Subject field.Valid FromThis field displays the date that the certificate becomes applicable. Valid ToThis field displays the date that the certificate expires. The text displays in red and includes an Expired! message if the certificate has expired.

Chapter 16CertificatesMAX-200HW2 Series User s Guide19216.6.1 My Certificates Create ScreenClick Security > Certificates > My Certificates and then the Create icon to open the MyCertificates Create screen. Use this screen to have the ZyXEL Device create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request.ModifyClick the Details icon to open a screen with an in-depth list of information about the certificate.Click the Export icon to save a copy of the certificate without its private key. Browse to the location you want to use and click Save.Click the Remove icon to delete a certificate. A window displays asking you to confirm that you want to delete the certificate. Subsequent certificates move up by one when you take this action.The ZyXEL Device keeps all of your certificates unless you specifically delete them. Uploading new firmware or default configuration file does not delete your certificates.You cannot delete certificates that any of the ZyXEL Device s features are configured to use.ImportClick Import to open a screen where you can save a certificate to the ZyXEL Device.CreateClick Create to go to the screen where you can have the ZyXEL Device generate a certificate or a certification request.RefreshClick Refresh to display the current validity status of the certificates.Table 72 Security > Certificates > My Certificates (continued)LABEL DESCRIPTION

$Chapter 16CertificatesMAX-200HW2 Series User s Guide 193Figure 122 Security > Certificates > My Certificates > CreateThe following table describes the labels in this screen. Table 73 Security > Certificates > My Certificates > CreateLABEL DESCRIPTIONCertificate NameType a name to identify this certificate. You can use up to 31 alphanumeric and ;$~!@#$%^&()_+[]{} ,.=- characters.Subject InformationUse these fields to record information that identifies the owner of the certificate. You do not have to fill in every field, although the Common Nameis mandatory. The certification authority may add fields (such as a serial number) to the subject information when it issues a certificate. It is recommended that each certificate have unique subject information.Common Name Select a radio button to identify the certificate s owner by IP address, domain name or e-mail address. Type the IP address (in dotted decimal notation), domain name or e-mail address in the field provided. The domain name or e-mail address is for identification purposes only and can be any string.A domain name can be up to 255 characters. You can use alphanumeric characters, the hyphen and periods.An e-mail address can be up to 63 characters. You can use alphanumeric characters, the hyphen, the @ symbol, periods and the underscore.Organizational UnitIdentify the organizational unit or department to which the certificate owner belongs. You can use up to 63 characters. You can use alphanumeric characters, the hyphen and the underscore.OrganizationIdentify the company or group to which the certificate owner belongs. You can use up to 63 characters. You can use alphanumeric characters, the hyphen and the underscore.$

Chapter 16CertificatesMAX-200HW2 Series User s Guide194CountryIdentify the state in which the certificate owner is located. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.Key LengthSelect a number from the drop-down list box to determine how many bits the key should use (512 to 2048). The longer the key, the more secure it is. A longer key also uses more PKI storage space.Enrollment OptionsThese radio buttons deal with how and when the certificate is to be generated.Create a self-signed certificateSelect Create a self-signed certificate to have the ZyXEL Device generate the certificate and act as the Certification Authority (CA) itself. This way you do not need to apply to a certification authority for certificates.Create a certification request and save it locally for later manual enrollmentSelect Create a certification request and save it locally for later manual enrollment to have the ZyXEL Device generate and store a request for a certificate. Use the My Certificate Details screen to view the certification request and copy it to send to the certification authority.Copy the certification request from the My Certificate Details screen (see Section 16.6.2 on page 195) and then send it to the certification authority.Create a certification request and enroll for a certificate immediately onlineSelect Create a certification request and enroll for a certificate immediately online to have the ZyXEL Device generate a request for a certificate and apply to a certification authority for a certificate. You must have the certification authority s certificate already imported in the Trusted CAs screen.When you select this option, you must select the certification authority s enrollment protocol and the certification authority s certificate from the drop-down list boxes and enter the certification authority s server address. You also need to fill in the Reference Number and Key if the certification authority requires them. Enrollment ProtocolThis field applies when you select Create a certification request and enroll for a certificate immediately online. Select the certification authority s enrollment protocol from the drop-down list box.Simple Certificate Enrollment Protocol (SCEP) is a TCP-based enrollment protocol that was developed by VeriSign and Cisco.Certificate Management Protocol (CMP) is a TCP-based enrollment protocol that was developed by the Public Key Infrastructure X.509 working group of the Internet Engineering Task Force (IETF) and is specified in RFC 2510.CA Server Address This field applies when you select Create a certification request and enroll for a certificate immediately online. Enter the IP address (or URL) of the certification authority server.For a URL, you can use up to 511 of the following characters. a-zA-Z0-9'()+,/:.=?;!*#@$_%-CA CertificateThis field applies when you select Create a certification request and enroll for a certificate immediately online. Select the certification authority s certificate from the CA Certificate drop-down list box.You must have the certification authority s certificate already imported in the Trusted CAs screen. Click Trusted CAs to go to the Trusted CAs screen where you can view (and manage) the ZyXEL Device's list of certificates of trusted certification authorities.Table 73 Security > Certificates > My Certificates > CreateLABEL DESCRIPTION

$Chapter 16CertificatesMAX-200HW2 Series User s Guide 195If you configured the My Certificate Create screen to have the ZyXEL Device enroll a certificate and the certificate enrollment is not successful, you see a screen with a Returnbutton that takes you back to the My Certificate Create screen. Click Return and check your information in the My Certificate Create screen. Make sure that the certification authority information is correct and that your Internet connection is working properly if you want the ZyXEL Device to enroll a certificate online.16.6.2 My Certificate Details Screen Click Security > Certificates > My Certificates and then the Details iconto open the MyCertificate Details screen. You can use this screen to view in-depth certificate information and change the certificate!s name. Request AuthenticationWhen you select Create a certification request and enroll for a certificate immediately online, the certification authority may want you to include a reference number and key to identify you when you send a certification request. Fill in both the Reference Number and the Key fields if your certification authority uses CMP enrollment protocol. Just the Key field displays if your certification authority uses the SCEP enrollment protocol. For the reference number, use 0 to 99999999.For the key, use up to 31 of the following characters. a-zA-Z0-9;|`~!@#$%^&*()_+\{}':,./<>=-ApplyClick Apply to begin certificate or certification request generation.CancelClick Cancel to quit and return to the My Certificates screen.Table 73 Security > Certificates > My Certificates > CreateLABEL DESCRIPTION$

$Chapter 16CertificatesMAX-200HW2 Series User s Guide196Figure 123 Security > Certificates > My Certificates > Details The following table describes the labels in this screen. Table 74 Security > Certificates > My Certificates > DetailsLABEL DESCRIPTIONNameThis field displays the identifying name of this certificate. You can use up to 31 alphanumeric and ;$~!@#$%^&()_+[]{} ,.=- characters.PropertySelect Default self-signed certificate which signs the imported remote host certificates to use this certificate to sign the remote host certificates you upload in the Security > Certificates > Trusted CAs screen.Certification PathThis field displays for a certificate, not a certification request.Click the Refresh button to have this read-only text box display the hierarchy of certification authorities that validate the certificate (and the certificate itself).If the issuing certification authority is one that you have imported as a trusted certification authority, it may be the only certification authority in the list (along with the certificate itself). If the certificate is a self-signed certificate, the certificate itself is the only one in the list. The ZyXEL Device does not trust the certificate and displays !Not trusted" in this field if any certificate on the path has expired or been revoked.RefreshClick Refresh to display the certification path.Certificate InformationThese read-only fields display detailed information about the certificate.$