C HAPTER
12
NAT
12.1 NAT Overview
NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in
a packet. For example, the source address of an outgoing packet, used within one network is
changed to a different IP address known within another network. Use Network Address Translation
(NAT) to make computers on a private network behind the USG available outside the private
network. If the USG has only one public IP address, you can make the computers in the private
network available by using ports to forward packets to the appropriate private IP address.
Suppose you want to assign ports 21-25 to one FTP, Telnet and SMTP server (A in the example),
port 80 to another (B in the example) and assign a default server IP address of 192.168.1.35 to a
third (C in the example). You assign the LAN IP addresses and the ISP assigns the WAN IP address.
The NAT network appears as a single host on the Internet.
Figure 167 Multiple Servers Behind NAT Example
12.1.1 What You Can Do in this Chapter
Use the NAT screens (see Section 12.2 on page 255) to view and manage the list of NAT rules and
see their configuration details. You can also create new NAT rules and edit or delete existing ones.
12.1.2 What You Need to Know
NAT is also known as virtual server, port forwarding, or port translation.
12.2 The NAT Screen
The NAT summary screen provides a summary of all NAT rules and their configuration. In addition,
this screen allows you to create new NAT rules and edit and delete existing NAT rules. To access this
USG20(W)-VPN Series User’s Guide
255
Chapter 12 NAT
screen, login to the Web Configurator and click Configuration > Network > NAT. The following
screen appears, providing a summary of the existing NAT rules.
Click on the icons to go to the OneSecurity.com website where there is guidance on configuration
walkthroughs, troubleshooting, and other information.
Figure 168 Configuration > Network > NAT
The following table describes the labels in this screen.
Table 104 Configuration > Network > NAT
LABEL
DESCRIPTION
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify
the entry’s settings.
Remove
To remove an entry, select it and click Remove. The USG confirms you want to remove
it before doing so.
Activate
To turn on an entry, select it and click Activate.
Inactivate
To turn off an entry, select it and click Inactivate.
This field is a sequential value, and it is not associated with a specific entry.
Status
This icon is lit when the entry is active and dimmed when the entry is inactive.
Name
This field displays the name of the entry.
Mapping Type
This field displays what kind of NAT this entry performs: Virtual Server, 1:1 NAT, or
Many 1:1 NAT.
Interface
This field displays the interface on which packets for the NAT entry are received.
Original IP
This field displays the original destination IP address (or address object) of traffic that
matches this NAT entry. It displays any if there is no restriction on the original
destination IP address.
Mapped IP
This field displays the new destination IP address for the packet.
Protocol
This field displays the service used by the packets for this NAT entry. It displays any if
there is no restriction on the services.
Original Port
This field displays the original destination port(s) of packets for the NAT entry. This
field is blank if there is no restriction on the original destination port.
Mapped Port
This field displays the new destination port(s) for the packet. This field is blank if there
is no restriction on the original destination port.
USG20(W)-VPN Series User’s Guide
256
Chapter 12 NAT
Table 104 Configuration > Network > NAT (continued)
LABEL
DESCRIPTION
Apply
Click this button to save your changes to the USG.
Reset
Click this button to return the screen to its last-saved settings.
12.2.1 The NAT Add/Edit Screen
The NAT Add/Edit screen lets you create new NAT rules and edit existing ones. To open this
window, open the NAT summary screen. (See Section 12.2 on page 255.) Then, click on an Add
icon or Edit icon to open the following screen.
Figure 169 Configuration > Network > NAT > Add
The following table describes the labels in this screen.
Table 105 Configuration > Network > NAT > Add
LABEL
DESCRIPTION
Create new Object
Use to configure any new settings objects that you need to use in this screen.
Enable Rule
Use this option to turn the NAT rule on or off.
Rule Name
Type in the name of the NAT rule. The name is used to refer to the NAT rule. You may
use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first
character cannot be a number. This value is case-sensitive.
USG20(W)-VPN Series User’s Guide
257
Chapter 12 NAT
Table 105 Configuration > Network > NAT > Add (continued)
LABEL
DESCRIPTION
Classification
Select what kind of NAT this rule is to perform.
Virtual Server - This makes computers on a private network behind the USG
available to a public network outside the USG (like the Internet).
1:1 NAT - If the private network server will initiate sessions to the outside clients,
select this to have the USG translate the source IP address of the server’s outgoing
traffic to the same public IP address that the outside clients use to access the server.
Many 1:1 NAT - If you have a range of private network servers that will initiate
sessions to the outside clients and a range of public IP addresses, select this to have
the USG translate the source IP address of each server’s outgoing traffic to the same
one of the public IP addresses that the outside clients use to access the server. The
private and public ranges must have the same number of IP addresses.
One many 1:1 NAT rule works like multiple 1:1 NAT rules, but it eases configuration
effort since you only create one rule.
Incoming Interface
Select the interface on which packets for the NAT rule must be received. It can be an
Ethernet, VLAN, bridge, or PPPoE/PPTP interface.
Original IP
Specify the destination IP address of the packets received by this NAT rule’s specified
incoming interface.
any - Select this to use all of the incoming interface’s IP addresses including dynamic
addresses or those of any virtual interfaces built upon the selected incoming interface.
User Defined - Select this to manually enter an IP address in the User Defined field.
For example, you could enter a static public IP assigned by the ISP without having to
create a virtual interface for it.
Host address - select a host address object to use the IP address it specifies. The list
also includes address objects based on interface IPs. So for example you could select
an address object based on a WAN interface even if it has a dynamic IP address.
User Defined
Original IP
This field is available if Original IP is User Defined. Type the destination IP address
that this NAT rule supports.
Original IP Subnet/
Range
This field displays for Many 1:1 NAT. Select the destination IP address subnet or IP
address range that this NAT rule supports. The original and mapped IP address
subnets or ranges must have the same number of IP addresses.
Mapped IP
Select to which translated destination IP address this NAT rule forwards packets.
User Defined - this NAT rule supports a specific IP address, specified in the User
Defined field.
HOST address - the drop-down box lists all the HOST address objects in the USG. If
you select one of them, this NAT rule supports the IP address specified by the address
object.
User Defined
Original IP
This field is available if Mapped IP is User Defined. Type the translated destination
IP address that this NAT rule supports.
Mapped IP Subnet/
Range
This field displays for Many 1:1 NAT. Select to which translated destination IP address
subnet or IP address range this NAT rule forwards packets. The original and mapped IP
address subnets or ranges must have the same number of IP addresses.
USG20(W)-VPN Series User’s Guide
258
Chapter 12 NAT
Table 105 Configuration > Network > NAT > Add (continued)
LABEL
DESCRIPTION
Port Mapping Type
Use the drop-down list box to select how many original destination ports this NAT rule
supports for the selected destination IP address (Original IP). Choices are:
Any - this NAT rule supports all the destination ports.
Port - this NAT rule supports one destination port.
Ports - this NAT rule supports a range of destination ports. You might use a range of
destination ports for unknown services or when one server supports more than one
service.
Service - this NAT rule supports a service such as FTP (see Object > Service >
Service)
Service-Group - this NAT rule supports a group of services such as all service objects
related to DNS (see Object > Service > Service Group)
Protocol Type
This field is available if Mapping Type is Port or Ports. Select the protocol (TCP,
UDP, or Any) used by the service requesting the connection.
Original Port
This field is available if Mapping Type is Port. Enter the original destination port this
NAT rule supports.
Mapped Port
This field is available if Mapping Type is Port. Enter the translated destination port if
this NAT rule forwards the packet.
Original Start Port
This field is available if Mapping Type is Ports. Enter the beginning of the range of
original destination ports this NAT rule supports.
Original End Port
This field is available if Mapping Type is Ports. Enter the end of the range of original
destination ports this NAT rule supports.
Mapped Start Port
This field is available if Mapping Type is Ports. Enter the beginning of the range of
translated destination ports if this NAT rule forwards the packet.
Mapped End Port
This field is available if Mapping Type is Ports. Enter the end of the range of
translated destination ports if this NAT rule forwards the packet. The original port
range and the mapped port range must be the same size.
Enable NAT
Loopback
Enable NAT loopback to allow users connected to any interface (instead of just the
specified Incoming Interface) to use the NAT rule’s specified Original IP address to
access the Mapped IP device. For users connected to the same interface as the
Mapped IP device, the USG uses that interface’s IP address as the source address for
the traffic it sends from the users to the Mapped IP device.
For example, if you configure a NAT rule to forward traffic from the WAN to a LAN
server, enabling NAT loopback allows users connected to other interfaces to also
access the server. For LAN users, the USG uses the LAN interface’s IP address as the
source address for the traffic it sends to the LAN server. See NAT Loopback on page
260 for more details.
If you do not enable NAT loopback, this NAT rule only applies to packets received on
the rule’s specified incoming interface.
Security Policy
By default the security policy blocks incoming connections from external addresses.
After you configure your NAT rule settings, click the Security Policy link to configure
a security policy to allow the NAT rule’s traffic to come in.
The USG checks NAT rules before it applies To-USG security policies, so To-USG
security policies, do not apply to traffic that is forwarded by NAT rules. The USG still
checks other security policies, according to the source IP address and mapped IP
address.
OK
Click OK to save your changes back to the USG.
Cancel
Click Cancel to return to the NAT summary screen without creating the NAT rule (if it
is new) or saving any changes (if it already exists).
USG20(W)-VPN Series User’s Guide
259
Chapter 12 NAT
12.3 NAT Technical Reference
Here is more detailed information about NAT on the USG.
NAT Loopback
Suppose an NAT 1:1 rule maps a public IP address to the private IP address of a LAN SMTP e-mail
server to give WAN users access. NAT loopback allows other users to also use the rule’s original IP
to access the mail server.
For example, a LAN user’s computer at IP address 192.168.1.89 queries a public DNS server to
resolve the SMTP server’s domain name (xxx.LAN-SMTP.com in this example) and gets the SMTP
server’s mapped public IP address of 1.1.1.1.
Figure 170 LAN Computer Queries a Public DNS Server
DNS
xxx.LAN-SMTP.com = 1.1.1.1
xxx.LAN-SMTP.com = ?
1.1.1.1
LAN
192.168.1.21
192.168.1.89
The LAN user’s computer then sends traffic to IP address 1.1.1.1. NAT loopback uses the IP address
of the USG’s LAN interface (192.168.1.1) as the source address of the traffic going from the LAN
users to the LAN SMTP server.
USG20(W)-VPN Series User’s Guide
260
Chapter 12 NAT
Figure 171 LAN to LAN Traffic
NAT
Source 192.168.1.1
Source 192.168.1.89
SMTP
SMTP
LAN
192.168.1.21
192.168.1.89
The LAN SMTP server replies to the USG’s LAN IP address and the USG changes the source address
to 1.1.1.1 before sending it to the LAN user. The return traffic’s source matches the original
destination address (1.1.1.1). If the SMTP server replied directly to the LAN user without the traffic
going through NAT, the source would not match the original destination address which would cause
the LAN user’s computer to shut down the session.
Figure 172 LAN to LAN Return Traffic
NAT
Source 192.168.1.21
Source 1.1.1.1
SMTP
SMTP
LAN
192.168.1.21
192.168.1.89
USG20(W)-VPN Series User’s Guide
261
C HAPTER
13
HTTP Redirect
13.1 Overview
HTTP redirect forwards the client’s HTTP request (except HTTP traffic destined for the USG) to a web
proxy server. In the following example, proxy server A is connected to the DMZ interface. When a
client connected to the LAN1 zone wants to open a web page, its HTTP request is redirected to
proxy server A first. If proxy server A cannot find the web page in its cache, a policy route allows it
to access the Internet to get them from a server. Proxy server A then forwards the response to the
client.
Figure 173 HTTP Redirect Example
LAN1
13.1.1 What You Can Do in this Chapter
Use the HTTP Redirect screens (see Section 13.2 on page 263) to display and edit the HTTP
redirect rules.
13.1.2 What You Need to Know
Web Proxy Server
A proxy server helps client devices make indirect requests to access the Internet or outside network
resources/services. A proxy server can act as a security policy or an ALG (application layer
gateway) between the private network and the Internet or other networks. It also keeps hackers
from knowing internal IP addresses.
USG20(W)-VPN Series User’s Guide
262
Chapter 13 HTTP Redirect
A client connects to a web proxy server each time he/she wants to access the Internet. The web
proxy provides caching service to allow quick access and reduce network usage. The proxy checks
its local cache for the requested web resource first. If it is not found, the proxy gets it from the
specified server and forwards the response to the client.
HTTP Redirect, Security Policy and Policy Route
With HTTP redirect, the relevant packet flow for HTTP traffic is:
Security Policy
HTTP Redirect
Policy Route
Even if you set a policy route to the same incoming interface and service as a HTTP redirect rule,
the USG checks the HTTP redirect rules first and forwards HTTP traffic to a proxy server if matched.
You need to make sure there is no security policy(s) blocking the HTTP requests from the client to
the proxy server.
You also need to manually configure a policy route to forward the HTTP traffic from the proxy server
to the Internet. To make the example in Figure 173 on page 262 work, make sure you have the
following settings.
For HTTP traffic between lan1 and dmz:
• a from LAN1 to DMZ security policy (default) to allow HTTP requests from lan1 to dmz.
Responses to this request are allowed automatically.
• a HTTP redirect rule to forward HTTP traffic from lan1 to proxy server A.
For HTTP traffic between dmz and wan1:
• a from DMZ to WAN security policy (default) to allow HTTP requests from dmz to wan1.
Responses to these requests are allowed automatically.
• a policy route to forward HTTP traffic from proxy server A to the Internet.
13.2 The HTTP Redirect Screen
To configure redirection of a HTTP request to a proxy server, click Configuration > Network >
HTTP Redirect. This screen displays the summary of the HTTP redirect rules.
Note: You can configure up to one HTTP redirect rule for each (incoming) interface.
USG20(W)-VPN Series User’s Guide
263
Chapter 13 HTTP Redirect
Figure 174 Configuration > Network > HTTP Redirect
The following table describes the labels in this screen.
Table 106 Configuration > Network > HTTP Redirect
LABEL
DESCRIPTION
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify
the entry’s settings.
Remove
To remove an entry, select it and click Remove. The USG confirms you want to remove
it before doing so.
Activate
To turn on an entry, select it and click Activate.
Inactivate
To turn off an entry, select it and click Inactivate.
This field is a sequential value, and it is not associated with a specific entry.
Status
This icon is lit when the entry is active and dimmed when the entry is inactive.
Name
This is the descriptive name of a rule.
Interface
This is the interface on which the request must be received.
Proxy Server
This is the IP address of the proxy server.
Port
This is the service port number used by the proxy server.
Apply
Click Apply to save your changes back to the USG.
Reset
Click Reset to return the screen to its last-saved settings.
13.2.1 The HTTP Redirect Edit Screen
Click Network > HTTP Redirect to open the HTTP Redirect screen. Then click the Add or Edit
icon to open the HTTP Redirect Edit screen where you can configure the rule.
Figure 175 Network > HTTP Redirect > Edit
USG20(W)-VPN Series User’s Guide
264
Chapter 13 HTTP Redirect
The following table describes the labels in this screen.
Table 107 Network > HTTP Redirect > Edit
LABEL
DESCRIPTION
Enable
Use this option to turn the HTTP redirect rule on or off.
Name
Enter a name to identify this rule. You may use 1-31 alphanumeric characters,
underscores(_), or dashes (-), but the first character cannot be a number. This
value is case-sensitive.
Interface
Select the interface on which the HTTP request must be received for the USG to
forward it to the specified proxy server.
Proxy Server
Enter the IP address of the proxy server.
Port
Enter the port number that the proxy server uses.
OK
Click OK to save your changes back to the USG.
Cancel
Click Cancel to exit this screen without saving.
USG20(W)-VPN Series User’s Guide
265
C HAPTER
14
ALG
14.1 ALG Overview
Application Layer Gateway (ALG) allows the following applications to operate properly through the
USG’s NAT.
• SIP - Session Initiation Protocol (SIP) - An application-layer protocol that can be used to create
voice and multimedia sessions over Internet.
• H.323 - A teleconferencing protocol suite that provides audio, data and video conferencing.
• FTP - File Transfer Protocol - an Internet file transfer service.
The following example shows SIP signaling (1) and audio (2) sessions between SIP clients A and B
and the SIP server.
Figure 176 SIP ALG Example
The ALG feature is only needed for traffic that goes through the USG’s NAT.
14.1.1 What You Need to Know
Application Layer Gateway (ALG), NAT and Security Policy
The USG can function as an Application Layer Gateway (ALG) to allow certain NAT un-friendly
applications (such as SIP) to operate properly through the USG’s NAT and security policy. The USG
dynamically creates an implicit NAT session and security policy session for the application’s traffic
from the WAN to the LAN. The ALG on the USG supports all of the USG’s NAT mapping types.
FTP ALG
The FTP ALG allows TCP packets with a specified port destination to pass through. If the FTP server
is located on the LAN, you must also configure NAT (port forwarding) and security policies if you
USG20(W)-VPN Series User’s Guide
266
Chapter 14 ALG
want to allow access to the server from the WAN. Bandwidth management can be applied to FTP
ALG traffic.
H.323 ALG
• The H.323 ALG supports peer-to-peer H.323 calls.
• The H.323 ALG handles H.323 calls that go through NAT or that the USG routes. You can also
make other H.323 calls that do not go through NAT or routing. Examples would be calls between
LAN IP addresses that are on the same subnet.
• The H.323 ALG allows calls to go out through NAT. For example, you could make a call from a
private IP address on the LAN to a peer device on the WAN.
• The H.323 ALG operates on TCP packets with a specified port destination.
• Bandwidth management can be applied to H.323 ALG traffic.
• The USG allows H.323 audio connections.
• The USG can also apply bandwidth management to traffic that goes through the H.323 ALG.
The following example shows H.323 signaling (1) and audio (2) sessions between H.323 devices A
and B.
Figure 177 H.323 ALG Example
SIP ALG
• SIP phones can be in any zone (including LAN, DMZ, WAN), and the SIP server and SIP clients
can be in the same network or different networks. The SIP server cannot be on the LAN. It must
be on the WAN or the DMZ.
• There should be only one SIP server (total) on the USG’s private networks. Any other SIP servers
must be on the WAN. So for example you could have a Back-to-Back User Agent such as the
IPPBX x6004 or an asterisk PBX on the DMZ or on the LAN but not on both.
• Using the SIP ALG allows you to use bandwidth management on SIP traffic. Bandwidth
management can be applied to FTP ALG traffic. Use the option in the Configuration > BWM
screen to configure the highest bandwidth available for SIP traffic.
• The SIP ALG handles SIP calls that go through NAT or that the USG routes. You can also make
other SIP calls that do not go through NAT or routing. Examples would be calls between LAN IP
addresses that are on the same subnet.
• The SIP ALG supports peer-to-peer SIP calls. The security policy (by default) allows peer to peer
calls from the LAN zone to go to the WAN zone and blocks peer to peer calls from the WAN zone
to the LAN zone.
• The SIP ALG allows UDP packets with a specified port destination to pass through.
• The USG allows SIP audio connections.
• You do not need to use TURN (Traversal Using Relay NAT) for VoIP devices behind the USG when
you enable the SIP ALG.
USG20(W)-VPN Series User’s Guide
267
Chapter 14 ALG
Peer-to-Peer Calls and the USG
The USG ALG can allow peer-to-peer VoIP calls for both H.323 and SIP. You must configure the
security policy and NAT (port forwarding) to allow incoming (peer-to-peer) calls from the WAN to a
private IP address on the LAN (or DMZ).
VoIP Calls from the WAN with Multiple Outgoing Calls
When you configure the security policy and NAT (port forwarding) to allow calls from the WAN to a
specific IP address on the LAN, you can also use policy routing to have H.323 (or SIP) calls from
other LAN or DMZ IP addresses go out through a different WAN IP address. The policy routing lets
the USG correctly forward the return traffic for the calls initiated from the LAN IP addresses.
For example, you configure the security policy and NAT to allow LAN IP address A to receive calls
from the Internet through WAN IP address 1. You also use a policy route to have LAN IP address A
make calls out through WAN IP address 1. Configure another policy route to have H.323 (or SIP)
calls from LAN IP addresses B and C go out through WAN IP address 2. Even though only LAN IP
address A can receive incoming calls from the Internet, LAN IP addresses B and C can still make
calls out to the Internet.
Figure 178 VoIP Calls from the WAN with Multiple Outgoing Calls
VoIP with Multiple WAN IP Addresses
With multiple WAN IP addresses on the USG, you can configure different security policy and NAT
(port forwarding) rules to allow incoming calls from each WAN IP address to go to a specific IP
address on the LAN (or DMZ). Use policy routing to have the H.323 (or SIP) calls from each of those
LAN or DMZ IP addresses go out through the same WAN IP address that calls come in on. The policy
routing lets the USG correctly forward the return traffic for the calls initiated from the LAN IP
addresses.
For example, you configure security policy and NAT rules to allow LAN IP address A to receive calls
through public WAN IP address 1. You configure different security policy and port forwarding rules
to allow LAN IP address B to receive calls through public WAN IP address 2. You configure
corresponding policy routes to have calls from LAN IP address A go out through WAN IP address 1
and calls from LAN IP address B go out through WAN IP address 2.
USG20(W)-VPN Series User’s Guide
268
Chapter 14 ALG
Figure 179 VoIP with Multiple WAN IP Addresses
14.1.2 Before You Begin
You must also configure the security policy and enable NAT in the USG to allow sessions initiated
from the WAN.
14.2 The ALG Screen
Click Configuration > Network > ALG to open the ALG screen. Use this screen to turn ALGs off
or on, configure the port numbers to which they apply, and configure SIP ALG time outs.
Figure 180 Configuration > Network > ALG
USG20(W)-VPN Series User’s Guide
269
Chapter 14 ALG
The following table describes the labels in this screen.
Table 108 Configuration > Network > ALG
LABEL
DESCRIPTION
Enable SIP ALG
Turn on the SIP ALG to detect SIP traffic and help build SIP sessions through the
USG’s NAT.
Enable SIP
Transformations
Select this to have the USG modify IP addresses and port numbers embedded in
the SIP data payload.
You do not need to use this if you have a SIP device or server that will modify IP
addresses and port numbers embedded in the SIP data payload.
Enable Configure SIP
Inactivity Timeout
Select this option to have the USG apply SIP media and signaling inactivity time out
limits.
SIP Media Inactivity
Timeout
Use this field to set how many seconds (1~86400) the USG will allow a SIP session
to remain idle (without voice traffic) before dropping it.
If no voice packets go through the SIP ALG before the timeout period expires, the
USG deletes the audio session. You cannot hear anything and you will need to make
a new call to continue your conversation.
SIP Signaling Inactivity
Timeout
Most SIP clients have an “expire” mechanism indicating the lifetime of signaling
sessions. The SIP user agent sends registration packets to the SIP server
periodically and keeps the session alive in the USG.
If the SIP client does not have this mechanism and makes no calls during the USG
SIP timeout, the USG deletes the signaling session after the timeout period. Enter
the SIP signaling session timeout value (1~86400).
Restrict Peer to Peer
Signaling Connection
A signaling connection is used to set up the SIP connection.
Restrict Peer to Peer
Media Connection
A media connection is the audio transfer in a SIP connection.
SIP Signaling Port
If you are using a custom UDP port number (not 5060) for SIP traffic, enter it here.
Use the Add icon to add fields if you are also using SIP on additional UDP port
numbers.
Additional SIP Signaling
Port (UDP) for
Transformations
If you are also using SIP on an additional UDP port number, enter it here.
Enable H.323 ALG
Turn on the H.323 ALG to detect H.323 traffic (used for audio communications) and
help build H.323 sessions through the USG’s NAT.
Enable H.323
Transformations
Select this to have the USG modify IP addresses and port numbers embedded in
the H.323 data payload.
Enable this if you want signaling connections to only arrive from the IP address(es)
you registered with. Signaling connections from other IP addresses will be dropped.
Enable this if you want media connections to only arrive from the IP address(es)
you registered with. Media connections from other IP addresses will be dropped.
You do not need to use this if you have a H.323 device or server that will modify IP
addresses and port numbers embedded in the H.323 data payload.
H.323 Signaling Port
If you are using a custom TCP port number (not 1720) for H.323 traffic, enter it
here.
Additional H.323
Signaling Port for
Transformations
If you are also using H.323 on an additional TCP port number, enter it here.
Enable FTP ALG
Turn on the FTP ALG to detect FTP (File Transfer Program) traffic and help build FTP
sessions through the USG’s NAT.
USG20(W)-VPN Series User’s Guide
270
Chapter 14 ALG
Table 108 Configuration > Network > ALG (continued)
LABEL
DESCRIPTION
Enable FTP
Transformations
Select this option to have the USG modify IP addresses and port numbers
embedded in the FTP data payload to match the USG’s NAT environment.
Clear this option if you have an FTP device or server that will modify IP addresses
and port numbers embedded in the FTP data payload to match the USG’s NAT
environment.
FTP Signaling Port
If you are using a custom TCP port number (not 21) for FTP traffic, enter it here.
Additional FTP Signaling
Port for
Transformations
If you are also using FTP on an additional TCP port number, enter it here.
Apply
Click Apply to save your changes back to the USG.
Reset
Click Reset to return the screen to its last-saved settings.
14.3 ALG Technical Reference
Here is more detailed information about the Application Layer Gateway.
ALG
Some applications cannot operate through NAT (are NAT un-friendly) because they embed IP
addresses and port numbers in their packets’ data payload. The USG examines and uses IP address
and port number information embedded in the VoIP traffic’s data stream. When a device behind the
USG uses an application for which the USG has VoIP pass through enabled, the USG translates the
device’s private IP address inside the data stream to a public IP address. It also records session
port numbers and allows the related sessions to go through the security policy so the application’s
traffic can come in from the WAN to the LAN.
ALG and Trunks
If you send your ALG-managed traffic through an interface trunk and all of the interfaces are set to
active, you can configure routing policies to specify which interface the ALG-managed traffic uses.
You could also have a trunk with one interface set to active and a second interface set to passive.
The USG does not automatically change ALG-managed connections to the second (passive)
interface when the active interface’s connection goes down. When the active interface’s connection
fails, the client needs to re-initialize the connection through the second interface (that was set to
passive) in order to have the connection go through the second interface. VoIP clients usually reregister automatically at set intervals or the users can manually force them to re-register.
FTP
File Transfer Protocol (FTP) is an Internet file transfer service that operates on the Internet and over
TCP/IP networks. A system running the FTP server accepts commands from a system running an
FTP client. The service allows users to send commands to the server for uploading and downloading
files.
USG20(W)-VPN Series User’s Guide
271
Chapter 14 ALG
H.323
H.323 is a standard teleconferencing protocol suite that provides audio, data and video
conferencing. It allows for real-time point-to-point and multipoint communication between client
computers over a packet-based network that does not provide a guaranteed quality of service.
NetMeeting uses H.323.
SIP
The Session Initiation Protocol (SIP) is an application-layer control (signaling) protocol that handles
the setting up, altering and tearing down of voice and multimedia sessions over the Internet. SIP is
used in VoIP (Voice over IP), the sending of voice signals over the Internet Protocol.
SIP signaling is separate from the media for which it handles sessions. The media that is exchanged
during the session can use a different path from that of the signaling. SIP handles telephone calls
and can interface with traditional circuit-switched telephone networks.
RTP
When you make a VoIP call using H.323 or SIP, the RTP (Real time Transport Protocol) is used to
handle voice data transfer. See RFC 1889 for details on RTP.
USG20(W)-VPN Series User’s Guide
272
C HAPTER
15
UPnP
15.1 UPnP and NAT-PMP Overview
The USG supports both UPnP and NAT-PMP to permit networking devices to discover each other and
connect seamlessly.
Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for
simple peer-to-peer network connectivity between devices. A UPnP device can dynamically join a
network, obtain an IP address, convey its capabilities and learn about other devices on the network.
In turn, a device can leave a network smoothly and automatically when it is no longer in use. A
gateway that supports UPnP is called Internet Gateway Device (IGD). The standardized Device
Control Protocol (DCP) is defined by the UPnP Forum for IGDs to configure port mapping
automatically.
NAT Port Mapping Protocol (NAT-PMP), introduced by Apple and implemented in current Apple
products, is used as an alternative NAT traversal solution to the UPnP IGD protocol. NAT-PMP runs
over UDP port 5351. NAT-PMP is much simpler than UPnP IGD and mainly designed for small home
networks. It allows a client behind a NAT router to retrieve the router’s public IP address and port
number and make them known to the peer device with which it wants to communicate. The client
can automatically configure the NAT router to create a port mapping to allow the peer to contact it.
15.2 What You Need to Know
UPnP hardware is identified as an icon in the Network Connections folder (Windows XP). Each UPnP
compatible device installed on your network will appear as a separate icon. Selecting the icon of a
UPnP device will allow you to access the information and properties of that device.
15.2.1 NAT Traversal
UPnP NAT traversal automates the process of allowing an application to operate through NAT. UPnP
network devices can automatically configure network addressing, announce their presence in the
network to other UPnP devices and enable exchange of simple product and service descriptions.
NAT traversal allows the following:
• Dynamic port mapping
• Learning public IP addresses
• Assigning lease times to mappings
Windows Messenger is an example of an application that supports NAT traversal and UPnP.
See the NAT chapter for more information on NAT.
USG20(W)-VPN Series User’s Guide
273
Chapter 15 UPnP
15.2.2 Cautions with UPnP and NAT-PMP
The automated nature of NAT traversal applications in establishing their own services and opening
security policy ports may present network security issues. Network information and configuration
may also be obtained and modified by users in some network environments.
When a UPnP or NAT-PMP device joins a network, it announces its presence with a multicast
message. For security reasons, the USG allows multicast messages on the LAN only.
All UPnP-enabled or NAT-PMP-enabled devices may communicate freely with each other without
additional configuration. Disable UPnP or NAT-PMP if this is not your intention.
15.3 UPnP Screen
Use this screen to enable UPnP and NAT-PMP on your USG.
Click Configuration > Network > UPnP to display the screen shown next.
Figure 181 Configuration > Network > UPnP
USG20(W)-VPN Series User’s Guide
274
Chapter 15 UPnP
The following table describes the fields in this screen.
Table 109 Configuration > Network > UPnP
LABEL
DESCRIPTION
Enable UPnP
Select this check box to activate UPnP on the USG. Be aware that anyone could use a
UPnP application to open the web configurator's login screen without entering the USG's
IP address (although you must still enter the password to access the web configurator).
Enable NAT-PMP
NAT Port Mapping Protocol (NAT-PMP) automates port forwarding to allow a computer in
a private network (behind the USG) to automatically configure the USG to allow
computers outside the private network to contact it.
Select this check box to activate NAT-PMP on the USG. Be aware that anyone could use
a NAT-PMP application to open the web configurator's login screen without entering the
USG's IP address (although you must still enter the password to access the web
configurator).
Allow UPnP or
NAT-PMP to
pass through
Firewall
Select this check box to allow traffic from UPnP-enabled or NAT-PMP-enabled
applications to bypass the security policy.
Clear this check box to have the security policy block all UPnP or NAT-PMP application
packets (for example, MSN packets).
Outgoing WAN
Interface
Select through which WAN interface(s) you want to send out traffic from UPnP-enabled
or NAT-PMP-enabled applications. If the WAN interface you select loses its connection,
the USG attempts to use the other WAN interface. If the other WAN interface also does
not work, the USG drops outgoing packets from UPnP-enabled or NAT-PMP-enabled
applications.
Support LAN List
The Available list displays the name(s) of the internal interface(s) on which the USG
supports UPnP and/or NAT-PMP.
To enable UPnP and/or NAT-PMP on an interface, you can double-click a single entry to
move it or use the [Shift] or [Ctrl] key to select multiple entriess and click the right
arrow button to add to the Member list. To remove an interface, select the name(s) in
the Member list and click the left arrow button.
Apply
Click Apply to save your changes back to the USG.
Reset
Click Reset to return the screen to its last-saved settings.
15.4 Technical Reference
The sections show examples of using UPnP.
15.4.1 Turning on UPnP in Windows 7 Example
This section shows you how to use the UPnP feature in Windows 7. UPnP server is installed in
Windows 7. Activate UPnP on the USG.
Make sure the computer is connected to a LAN port of the USG. Turn on your computer and the
USG.
Click the start icon, Control Panel and then the Network and Sharing Center.
USG20(W)-VPN Series User’s Guide
275
Chapter 15 UPnP
Click Change Advanced Sharing Settings.
Select Turn on network discovery and click Save Changes. Network discovery allows your
computer to find other computers and devices on the network and other computers on the network
to find your computer. This makes it easier to share files and printers.
USG20(W)-VPN Series User’s Guide
276
Chapter 15 UPnP
15.4.2 Using UPnP in Windows XP Example
This section shows you how to use the UPnP feature in Windows XP. You must already have UPnP
installed in Windows XP and UPnP activated on the USG.
Make sure the computer is connected to a LAN port of the USG. Turn on your computer and the
USG.
15.4.2.1 Auto-discover Your UPnP-enabled Network Device
Click start and Control Panel. Double-click Network Connections. An icon displays under
Internet Gateway.
Right-click the icon and select Properties.
Figure 182 Network Connections
In the Internet Connection Properties window, click Settings to see the port mappings there
were automatically created.
Figure 183 Internet Connection Properties
You may edit or delete the port mappings or click Add to manually add port mappings.
USG20(W)-VPN Series User’s Guide
277
Chapter 15 UPnP
Figure 184 Internet Connection Properties: Advanced Settings
Figure 185 Internet Connection Properties: Advanced Settings: Add
Note: When the UPnP-enabled device is disconnected from your computer, all port
mappings will be deleted automatically.
Select Show icon in notification area when connected option and click OK. An icon displays in
the system tray.
Figure 186 System Tray Icon
Double-click on the icon to display your current Internet connection status.
USG20(W)-VPN Series User’s Guide
278
Chapter 15 UPnP
Figure 187 Internet Connection Status
15.4.3 Web Configurator Easy Access
With UPnP, you can access the web-based configurator on the USG without finding out the IP
address of the USG first. This comes helpful if you do not know the IP address of the USG.
Follow the steps below to access the web configurator.
Click Start and then Control Panel.
Double-click Network Connections.
Select My Network Places under Other Places.
USG20(W)-VPN Series User’s Guide
279
Chapter 15 UPnP
Figure 188 Network Connections
An icon with the description for each UPnP-enabled device displays under Local Network.
Right-click on the icon for your USG and select Invoke. The web configurator login screen displays.
Figure 189 Network Connections: My Network Places
Right-click on the icon for your USG and select Properties. A properties window displays with basic
information about the USG.
USG20(W)-VPN Series User’s Guide
280
Chapter 15 UPnP
Figure 190 Network Connections: My Network Places: Properties: Example
USG20(W)-VPN Series User’s Guide
281
C HAPTER
16
IP/MAC Binding
16.1 IP/MAC Binding Overview
IP address to MAC address binding helps ensure that only the intended devices get to use privileged
IP addresses. The USG uses DHCP to assign IP addresses and records the MAC address it assigned
to each IP address. The USG then checks incoming connection attempts against this list. A user
cannot manually assign another IP to his computer and use it to connect to the USG.
Suppose you configure access privileges for IP address 192.168.1.27 and use static DHCP to assign
it to Tim’s computer’s MAC address of 12:34:56:78:90:AB. IP/MAC binding drops traffic from any
computer trying to use IP address 192.168.1.27 with another MAC address.
Figure 191 IP/MAC Binding Example
MAC: 12:34:56:78:90:AB
Tim
Jim
IP: 192.168.1.27
MAC: AB:CD:EF:12:34:56
IP: 192.168.1.27
16.1.1 What You Can Do in this Chapter
• Use the Summary and Edit screens (Section 16.2 on page 283) to bind IP addresses to MAC
addresses.
• Use the Exempt List screen (Section 16.3 on page 285) to configure ranges of IP addresses to
which the USG does not apply IP/MAC binding.
16.1.2 What You Need to Know
DHCP
IP/MAC address bindings are based on the USG’s dynamic and static DHCP entries.
USG20(W)-VPN Series User’s Guide
282
Chapter 16 IP/MAC Binding
Interfaces Used With IP/MAC Binding
IP/MAC address bindings are grouped by interface. You can use IP/MAC binding with Ethernet,
bridge, VLAN, and WLAN interfaces. You can also enable or disable IP/MAC binding and logging in
an interface’s configuration screen.
16.2 IP/MAC Binding Summary
Click Configuration > Network > IP/MAC Binding to open the IP/MAC Binding Summary
screen. This screen lists the total number of IP to MAC address bindings for devices connected to
each supported interface.
Figure 192 Configuration > Network > IP/MAC Binding > Summary
The following table describes the labels in this screen.
Table 110 Configuration > Network > IP/MAC Binding > Summary
LABEL
DESCRIPTION
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the
entry’s settings.
Activate
To turn on an entry, select it and click Activate.
Inactivate
To turn off an entry, select it and click Inactivate.
This field is a sequential value, and it is not associated with a specific entry.
Status
This icon is lit when the entry is active and dimmed when the entry is inactive.
Interface
This is the name of an interface that supports IP/MAC binding.
Number of
Binding
This field displays the interface’s total number of IP/MAC bindings and IP addresses that the
interface has assigned by DHCP.
Apply
Click Apply to save your changes back to the USG.
16.2.1 IP/MAC Binding Edit
Click Configuration > Network > IP/MAC Binding > Edit to open the IP/MAC Binding Edit
screen. Use this screen to configure an interface’s IP to MAC address binding settings.
USG20(W)-VPN Series User’s Guide
283
Chapter 16 IP/MAC Binding
Figure 193 Configuration > Network > IP/MAC Binding > Edit
The following table describes the labels in this screen.
Table 111 Configuration > Network > IP/MAC Binding > Edit
LABEL
DESCRIPTION
IP/MAC Binding Settings
Interface Name
This field displays the name of the interface within the USG and the interface’s IP
address and subnet mask.
Enable IP/MAC
Binding
Select this option to have this interface enforce links between specific IP
addresses and specific MAC addresses. This stops anyone else from manually
using a bound IP address on another device connected to this interface. Use this
to make use only the intended users get to use specific IP addresses.
Enable Logs for IP/
MAC Binding Violation
Select this option to have the USG generate a log if a device connected to this
interface attempts to use an IP address not assigned by the USG.
Static DHCP Bindings
This table lists the bound IP and MAC addresses. The USG checks this table when
it assigns IP addresses. If the computer’s MAC address is in the table, the USG
assigns the corresponding IP address. You can also access this table from the
interface’s edit screen.
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to open a screen where you can
modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The USG confirms you want to
remove it before doing so.
This is the index number of the static DHCP entry.
IP Address
This is the IP address that the USG assigns to a device with the entry’s MAC
address.
MAC Address
This is the MAC address of the device to which the USG assigns the entry’s IP
address.
Description
This helps identify the entry.
OK
Click OK to save your changes back to the USG.
Cancel
Click Cancel to exit this screen without saving.
16.2.2 Static DHCP Edit
Click Configuration > Network > IP/MAC Binding > Edit to open the IP/MAC Binding Edit
screen. Click the Add or Edit icon to open the following screen. Use this screen to configure an
interface’s IP to MAC address binding settings.
USG20(W)-VPN Series User’s Guide
284
Chapter 16 IP/MAC Binding
Figure 194 Configuration > Network > IP/MAC Binding > Edit > Add
The following table describes the labels in this screen.
Table 112 Configuration > Network > IP/MAC Binding > Edit > Add
LABEL
DESCRIPTION
Interface Name
This field displays the name of the interface within the USG and the interface’s IP
address and subnet mask.
IP Address
Enter the IP address that the USG is to assign to a device with the entry’s MAC address.
MAC Address
Enter the MAC address of the device to which the USG assigns the entry’s IP address.
Description
Enter up to 64 printable ASCII characters to help identify the entry. For example, you
may want to list the computer’s owner.
OK
Click OK to save your changes back to the USG.
Cancel
Click Cancel to exit this screen without saving.
16.3 IP/MAC Binding Exempt List
Click Configuration > Network > IP/MAC Binding > Exempt List to open the IP/MAC
Binding Exempt List screen. Use this screen to configure ranges of IP addresses to which the USG
does not apply IP/MAC binding.
Figure 195 Configuration > Network > IP/MAC Binding > Exempt List
The following table describes the labels in this screen.
Table 113 Configuration > Network > IP/MAC Binding > Exempt List
LABEL
DESCRIPTION
Add
Click this to create a new entry.
Edit
Click an entry or select it and click Edit to modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The USG confirms you want to remove it
before doing so.
USG20(W)-VPN Series User’s Guide
285
Chapter 16 IP/MAC Binding
Table 113 Configuration > Network > IP/MAC Binding > Exempt List (continued)
LABEL
DESCRIPTION
This is the index number of the IP/MAC binding list entry.
Name
Enter a name to help identify this entry.
Start IP
Enter the first IP address in a range of IP addresses for which the USG does not apply IP/
MAC binding.
End IP
Enter the last IP address in a range of IP addresses for which the USG does not apply IP/MAC
binding.
Add icon
Click the Add icon to add a new entry.
Click the Remove icon to delete an entry. A window displays asking you to confirm that you
want to delete it.
Apply
Click Apply to save your changes back to the USG.
USG20(W)-VPN Series User’s Guide
286
C HAPTER
17
Layer 2 Isolation
17.1 Overview
Layer-2 isolation is used to prevent connected devices from communicating with each other in the
USG’s local network(s), except for the devices in the white list, when layer-2 isolation is enabled on
the USG and the local interface(s).
Note: The security policy control must be enabled before you can use layer-2 isolation.
In the following example, layer-2 isolation is enabled on the USG’s interface Vlan1. A printer, PC
and AP are in the Vlan1. The IP address of network printer (C) is added to the white list. With this
setting, the connected AP then cannot communicate with the PC (D), but can access the network
printer (C), server (B), wireless client (A) and the Internet.
Figure 196 Layer-2 Isolation Application
17.1.1 What You Can Do in this Chapter
• Use the General screen (Section 17.2 on page 288) to enable layer-2 isolation on the USG and
the internal interface(s).
• Use the White List screen (Section 17.3 on page 288) to enable and configures the white list.
USG20(W)-VPN Series User’s Guide
287
Chapter 17 Layer 2 Isolation
17.2 Layer-2 Isolation General Screen
This screen allows you to enable Layer-2 isolation on the USG and specific internal interface(s). To
access this screen click Configuration > Network > Layer 2 Isolation.
Figure 197 Configuration > Network > Layer 2 Isolation
The following table describes the labels in this screen.
Table 114 Configuration > Network > Layer 2 Isolation
LABEL
DESCRIPTION
Enable Layer2
Isolation
Select this option to turn on the layer-2 isolation feature on the USG.
Note: You can enable this feature only when the security policy is enabled.
Member List
The Available list displays the name(s) of the internal interface(s) on which you can
enable layer-2 isolation.
To enable layer-2 isolation on an interface, you can double-click a single entry to move it
or use the [Shift] or [Ctrl] key to select multiple entriess and click the right arrow button to
add to the Member list. To remove an interface, select the name(s) in the Member list
and click the left arrow button.
Apply
Click Apply to save your changes back to the USG.
Reset
Click Reset to return the screen to its last-saved settings.
17.3 White List Screen
IP addresses that are not listed in the white list are blocked from communicating with other devices
in the layer-2-isolation-enabled internal interface(s) except for broadcast packets.
To access this screen click Configuration > Network > Layer 2 Isolation > White List.
USG20(W)-VPN Series User’s Guide
288
Chapter 17 Layer 2 Isolation
Figure 198 Configuration > Network > Layer 2 Isolation > White List
The following table describes the labels in this screen.
Table 115 Configuration > Network > Layer 2 Isolation > White List
LABEL
DESCRIPTION
Enable White List Select this option to turn on the white list on the USG.
Note: You can enable this feature only when the security policy is enabled.
Add
Click this to add a new rule.
Edit
Click this to edit the selected rule.
Remove
Click this to remove the selected rule.
Activate
To turn on an entry, select it and click Activate.
Inactivate
To turn off an entry, select it and click Inactivate.
This field is a sequential value, and it is not associated with a specific rule.
Status
This icon is lit when the rule is active and dimmed when the rule is inactive.
IP Address
This field displays the IP address of device that can be accessed by the devices connected
to an internal interface on which layer-2 isolation is enabled.
Description
This field displays the description for the IP address in this rule.
Apply
Click Apply to save your changes back to the USG.
Reset
Click Reset to return the screen to its last-saved settings.
17.3.1 Add/Edit White List Rule
This screen allows you to create a new rule in the white list or edit an existing one. To access this
screen, click the Add button or select an entry from the list and click the Edit button.
Note: You can configure up to 100 white list rules on the USG.
Note: You need to know the IP address of each connected device that you want to allow
to be accessed by other devices when layer-2 isolation is enabled.
USG20(W)-VPN Series User’s Guide
289
Chapter 17 Layer 2 Isolation
Figure 199 Configuration > Network > Layer 2 Isolation > White List > Add/Edit
The following table describes the labels in this screen.
Table 116 Configuration > Network > Layer 2 Isolation > White List > Add/Edit
LABEL
DESCRIPTION
Enable
Select this option to turn on the rule.
Host IP Address
Enter an IPv4 address associated with this rule.
Description
Specify a description for the IP address associated with this rule. Enter up to 60 characters,
spaces and underscores allowed.
OK
Click OK to save your changes back to the USG.
Cancel
Click Cancel to exit this screen without saving your changes.
USG20(W)-VPN Series User’s Guide
290
C HAPTER
18
Inbound Load Balancing
18.1 Inbound Load Balancing Overview
Inbound load balancing enables the USG to respond to a DNS query message!with a different IP
address for DNS name resolution. The USG checks which member interface has the least load and
responds to the DNS query message with the interface’s IP address.
In the following figure, an Internet host (A) sends a DNS query message to the DNS server (D) in
order to resolve a domain name of www.example.com. DNS server D redirects it to the USG (Z)’s
WAN1 with an IP address of 1.1.1.1. The USG receives the DNS query message and responds to it
with the WAN2’s IP address, 2.2.2.2, because the WAN2 has the least load at that moment.
Another Internet host (B) also sends a DNS query message to ask where www.example.com is. The
USG responds to it with the WAN1’s IP address, 1.1.1.1, since WAN1 has the least load this time.
Figure 200 DNS Load Balancing Example
A: Where is
www.example.com?
A: Where is
www.example.com?
Z: It’s 2.2.2.2.
1.1.1.1
D: Ask 1.1.1.1.
Internet
2.2.2.2
B: Where is
B: Where is
www.example.com?
www.example.com?
Z: It’s 1.1.1.1
1.1.1.1
D: Ask 1.1.1.1.
Internet
2.2.2.2
18.1.1 What You Can Do in this Chapter
• Use the Inbound LB screen (see Section 18.2 on page 292) to view a list of the configured DNS
load balancing rules.
• Use the Inbound LB Add/Edit screen (see Section 18.2.1 on page 293) to add or edit a DNS
load balancing rule.
USG20(W)-VPN Series User’s Guide
291
Chapter 18 Inbound Load Balancing
18.2 The Inbound LB Screen
The Inbound LB screen provides a summary of all DNS load balancing rules and the details. You
can also use this screen to add, edit, or remove the rules. Click Configuration > Network >
Inbound LB to open the following screen.
Note: After you finish the inbound load balancing settings, go to security policy and NAT
screens to configure the corresponding rule and virtual server to allow the Internet
users to access your internal servers.
Figure 201 Configuration > Network > DNS Inbound LB
The following table describes the labels in this screen.
Table 117 Configuration > Network > Inbound LB
LABEL
DESCRIPTION
Global Setting
Enable DNS Load
Balancing
Select this to enable DNS load balancing.
Configuration
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to open a screen where you can
modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The USG confirms you want to
remove it before doing so.
Activate
To turn on an entry, select it and click Activate.
Inactivate
To turn off an entry, select it and click Inactivate.
Move
To move an entry to a different number in the list, click the Move icon. In the field
that appears, specify the number to which you want to move the entry.
Status
This icon is lit when the entry is active and dimmed when the entry is inactive.
Priority
This field displays the order in which the USG checks the member interfaces of this
DNS load balancing rule.
Query Domain Name
This field displays the domain name for which the USG manages load balancing
between the specified interfaces.
Query From Address
This field displays the source IP address of the DNS query messages to which the
USG applies the DNS load balancing rule.
Query From Zone
The USG applies the DNS load balancing rule to the query messages received from
this zone.
USG20(W)-VPN Series User’s Guide
292
Chapter 18 Inbound Load Balancing
Table 117 Configuration > Network > Inbound LB (continued)
LABEL
DESCRIPTION
Load Balancing Member This field displays the member interfaces which the USG manages for load
balancing.
Algorithm
This field displays the load balancing method the USG uses for this DNS load
balancing rule.
Weighted Round Robin - Each member interface is assigned a weight. An
interface with a larger weight gets more chances to transmit traffic than an interface
with a smaller weight. For example, if the weight ratio of wan1 and wan2 interfaces
is 2:1, the USG chooses wan1 for 2 sessions’ traffic and wan2 for 1 session’s traffic
in each round of 3 new sessions.
Least Connection - The USG chooses choose a member interface which is handling
the least number of sessions.
Least Load - Outbound - The USG chooses a member interface which is handling
the least amount of outgoing traffic.
Least Load - Inbound - The USG chooses a member interface which is handling
the least amount of incoming traffic.
Least Load - Total - The USG chooses a member interface which is handling the
least amount of outgoing and incoming traffic.
Apply
Click this button to save your changes to the USG.
Reset
Click this button to return the screen to its last-saved settings.
18.2.1 The Inbound LB Add/Edit Screen
The Add DNS Load Balancing screen allows you to add a domain name for which the USG
manages load balancing between the specified interfaces. You can configure the USG to apply DNS
load balancing to some specific hosts only by configuring the Query From settings. Click
Configuration > Network > Inbound LB and then the Add or Edit icon to open this screen.
Figure 202 Configuration > Network > Inbound LB > Add
USG20(W)-VPN Series User’s Guide
293
Chapter 18 Inbound Load Balancing
The following table describes the labels in this screen.
Table 118 Configuration > Network > Inbound LB > Add/Edit
LABEL
DESCRIPTION
Create New Object
Use this to configure any new setting objects that you need to use in this screen.
General Settings
Enable
Select this to enable this DNS load balancing rule.
DNS Setting
Query Domain Name
Type up to 255 characters for a domain name for which you want the USG to manage
DNS load balancing. You can use a wildcard (*) to let multiple domains match the
name. For example, use *.example.com to specify any domain name that ends with
“example.com” would match.
Time to Live
Enter the number of seconds the USG recommends DNS request hosts to keep the
DNS entry in their caches before removing it. Enter 0 to have the USG not
recommend this so the DNS request hosts will follow their DNS server’s TTL setting.
Query From Setting
IP Address
Enter the IP address of a computer or a DNS server which makes the DNS queries
upon which to apply this rule.
DNS servers process client queries using recursion or iteration:
•
•
Zone
In recursion, DNS servers make recursive queries on behalf of clients. So you
have to configure this field to the DNS server’s IP address when recursion is
used.
In iteration, a client asks the DNS server and expects the best and immediate
answer without the DNS server contacting other DNS servers. If the primary DNS
server cannot provide the best answer, the client makes iteration queries to other
configured DNS servers to resolve the name. You have to configure this field to
the client’s IP address when iteration is used.
Select the zone of DNS query messages upon which to apply this rule.
Load Balancing
Member
Load Balancing
Algorithm
Select a load balancing method to use from the drop-down list box.
Select Weighted Round Robin to balance the traffic load between
interfaces based on their respective weights. An interface with a larger
weight gets more chances to transmit traffic than an interface with a
smaller weight. For example, if the weight ratio of wan1 and wan2
interfaces is 2:1, the USG chooses wan1 for 2 sessions’ traffic and wan2 for
every session’s traffic in each round of 3 new sessions.
Select Least Connection to have the USG choose the member interface which is
handling the least number of sessions.
Select Least Load - Outbound to have the USG choose the member interface which
is handling the least amount of outgoing traffic.
Select Least Load - Inbound to have the USG choose the member interface which
is handling the least amount of incoming traffic.
Select Least Load - Total to have the USG choose the member interface which is
handling the least amount of outgoing and incoming traffic.
Failover IP Address
Enter an alternate IP address with which the USG will respond to a DNS query
message when the load balancing algorithm cannot find any available interface.
Add
Click this to create a new member interface for this rule.
Edit
Double-click an entry or select it and click Edit to open a screen where you can
modify the entry’s settings.
USG20(W)-VPN Series User’s Guide
294
Chapter 18 Inbound Load Balancing
Table 118 Configuration > Network > Inbound LB > Add/Edit (continued)
LABEL
DESCRIPTION
Remove
To remove an entry, select it and click Remove. The USG confirms you want to
remove it before doing so.
This field displays the order in which the USG checks this rule’s member interfaces.
IP Address
This field displays the IP address of the member interface.
Monitor Interface
This field displays the name of the member interface. The USG manages load
balancing between the member interfaces.
Weight
This field is available if you selected Weighted Round Robin as the load balancing
algorithm. This field displays the weight of the member interface. An interface with a
larger weight gets more chances to transmit traffic than an interface with a smaller
weight.
OK
Click OK to save your changes back to the USG.
Cancel
Click Cancel to exit this screen without saving.
18.2.2 The Inbound LB Member Add/Edit Screen
The Add Load Balancing Member screen allows you to add a member interface for the DNS load
balancing rule. Click Configuration > Network > Inbound LB > Add or Edit and then an Add or
Edit icon to open this screen.
Figure 203 Configuration > Network > Inbound LB > Add/Edit > Add
The following table describes the labels in this screen.
Table 119 Configuration > Network > Inbound LB > Add/Edit > Add/Edit
LABEL
DESCRIPTION
Member
The USG checks each member interface’s loading in the order displayed here.
Monitor Interface
Select an interface to associate it with the DNS load balancing rule. This field also
displays whether the IP address is a static IP address (Static), dynamically assigned
(Dynamic) or obtained from a DHCP server (DHCP Client), as well as the IP address
and subnet mask.
Weight
This field is available if you selected Weighted Round Robin for the load balancing
algorithm.
Specify the weight of the member interface. An interface with a larger weight gets
more chances to transmit traffic than an interface with a smaller weight.
IP Address
USG20(W)-VPN Series User’s Guide
295
Chapter 18 Inbound Load Balancing
Table 119 Configuration > Network > Inbound LB > Add/Edit > Add/Edit (continued)
LABEL
DESCRIPTION
Same as Monitor
Interface
Select this to send the IP address displayed in the Monitor Interface field to the
DNS query senders.
Custom
Select this and enter another IP address to send to the DNS query senders.
OK
Click OK to save your changes back to the USG.
Cancel
Click Cancel to exit this screen without saving.
USG20(W)-VPN Series User’s Guide
296
C HAPTER
19
Web Authentication
19.1 Web Auth Overview
Web authentication can intercept network traffic, according to the authentication policies, until the
user authenticates his or her connection, usually through a specifically designated login web page.
This means all web page requests can initially be redirected to a special web page that requires
users to authenticate their sessions. Once authentication is successful, they can then connect to the
rest of the network or Internet.
As soon as a user attempt to open a web page, the USG reroutes his/her browser to a web portal
page that prompts him/her to log in.
Figure 204 Web Authentication Example
The web authentication page only appears once per authentication session. Unless a user session
times out or he/she closes the connection, he or she generally will not see it again during the same
session.
19.1.1 What You Can Do in this Chapter
• Use the Configuration > Web Authentication screens (Section 19.2 on page 298) to create
and manage web authentication policies.
• Use the Configuration > Web Authentication > SSO screen (Section 19.3 on page 302) to
configure how the USG communictates with a Single Sign-On agent.
USG20(W)-VPN Series User’s Guide
297
Chapter 19 Web Authentication
19.1.2 What You Need to Know
Single Sign-On
A SSO (Single Sign On) agent integrates Domain Controller and USG authentication mechanisms,
so that users just need to log in once (single) to get access to permitted resources.
Forced User Authentication
Instead of making users for which user-aware policies have been configured go to the USG Login
screen manually, you can configure the USG to display the Login screen automatically whenever it
routes HTTP traffic for anyone who has not logged in yet.
Note: This works with HTTP traffic only. The USG does not display the Login screen when
users attempt to send other kinds of traffic.
The USG does not automatically route the request that prompted the login, however, so users have
to make this request again.
19.2 Web Authentication Screen
The Web Authentication screen displays the web portal settings and web authentication policies
you have configured on the USG. The screen differs depending on what you select in the
Authentication field.
Click Configuration > Web Authentication to display the screen.
USG20(W)-VPN Series User’s Guide
298
Chapter 19 Web Authentication
Figure 205 Configuration > Web Authentication (Web Portal)
The following table gives an overview of the objects you can configure.
Table 120 Configuration > Web Authentication
LABEL
DESCRIPTION
Enable Web
Authentication
Select Enable Web Authentication to turn on the web authentication feature.
Internal Web
Portal
Once enabled, all network traffic is blocked until a client authenticates with the USG
through the specifically designated web portal.
Select this to use the default login page built into the USG. If you later assign a custom
login page, you can still return to the USG’s default page as it is saved indefinitely.
The login page appears whenever the web portal intercepts network traffic, preventing
unauthorized users from gaining access to the network.
You can customize the login page built into the USG in the System > WWW > Login
Page screen.
External Web
Portal
Login URL
Select this to use a custom login page from an external web portal instead of the default
one built into the USG. You can configure the look and feel of the web portal page.
Specify the login page’s URL; for example, http://IIS server IP Address/login.html.
The Internet Information Server (IIS) is the web server on which the web portal files are
installed.
Logout URL
Specify the logout page’s URL; for example, http://IIS server IP Address/logout.html.
The Internet Information Server (IIS) is the web server on which the web portal files are
installed.
Welcome URL
Specify the welcome page’s URL; for example, http://IIS server IP Address/welcome.html.
The Internet Information Server (IIS) is the web server on which the web portal files are
installed.
USG20(W)-VPN Series User’s Guide
299
Chapter 19 Web Authentication
Table 120 Configuration > Web Authentication (continued)
LABEL
Session URL
DESCRIPTION
Specify the session page’s URL; for example, http://IIS server IP Address/session.html.
The Internet Information Server (IIS) is the web server on which the web portal files are
installed.
Error URL
Specify the error page’s URL; for example, http://IIS server IP Address/error.html.
The Internet Information Server (IIS) is the web server on which the web portal files are
installed.
Download
Click this to download an example web portal file for your reference.
Exceptional
Services
Use this table to list services that users can access without logging in. In the list, select
one or more entries and click Remove to delete it or them. Keeping DNS as a member
allows users’ computers to resolve domain names into IP addresses. Click Add to add new
services that users can access without logging in.
Web
Authentication
Policy Summary
Use this table to manage the USG’s list of web authentication policies.
Add
Click this to create a new entry. Select an entry and click Add to create a new entry after
the selected entry.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the
entry’s settings.
Remove
To remove an entry, select it and click Remove. The USG confirms you want to remove it
before doing so.
Activate
To turn on an entry, select it and click Activate.
Inactivate
To turn off an entry, select it and click Inactivate.
Move
To move an entry to a different number in the list, click the Move icon. In the field that
appears, specify the number to which you want to move the interface.
Status
This icon is lit when the entry is active and dimmed when the entry is inactive.
Priority
This is the position of the authentication policy in the list. The priority is important as the
policies are applied in order of priority. Default displays for the default authentication
policy that the USG uses on traffic that does not match any exceptional service or other
authentication policy. You can edit the default rule but not delete it.
Source
This displays the source address object to which this policy applies.
Destination
This displays the destination address object to which this policy applies.
Schedule
This field displays the schedule object that dictates when the policy applies. none means
the policy is active at all times if enabled.
Authentication
This field displays the authentication requirement for users when their traffic matches this
policy.
unnecessary - Users do not need to be authenticated.
required - Users need to be authenticated. They must manually go to the login screen.
The USG will not redirect them to the login screen.
force - Users need to be authenticated. The USG automatically displays the login screen
whenever it routes HTTP traffic for users who have not logged in yet.
Description
If the entry has a description configured, it displays here. This is n/a for the default policy.
Apply
Click this button to save your changes to the USG.
Reset
Click this button to return the screen to its last-saved settings.
USG20(W)-VPN Series User’s Guide
300
Chapter 19 Web Authentication
19.2.1 Creating Exceptional Services
This screen lists services that users can access without logging in. Click Add under Exceptional
Services in the previous screen to display this screen. You can change the list’s membership here.
Available services appear on the left. Select any services you want users to be able to access
without logging in and click the right arrow button -> to add them. The member services are on the
right. Select any service that you want to remove from the member list, and click the left arrow
Source Exif Data:
File Type : PDF
File Type Extension : pdf
MIME Type : application/pdf
PDF Version : 1.6
Linearized : Yes
Encryption : Standard V2.3 (128-bit)
User Access : Print, Copy, Extract
XMP Toolkit : Adobe XMP Core 4.0-c316 44.253921, Sun Oct 01 2006 17:14:39
Modify Date : 2016:02:02 11:57:43+08:00
Create Date : 2016:02:01 17:39:32+08:00
Metadata Date : 2016:02:02 11:57:43+08:00
Creator Tool : FrameMaker 9.0
Format : application/pdf
Title : Book.book
Creator : ZT01650
Document ID : uuid:29818a4b-71f3-43b3-8d47-47956a771b05
Instance ID : uuid:506ad295-9395-4f97-a19e-240517f9de1b
Producer : Acrobat Distiller 8.1.0 (Windows)
Page Count : 136
Author : ZT01650