ZyXEL Communications USG20W-VPN VPN Firewall User Manual Book

ZyXEL Communications Corporation VPN Firewall Book

USG20(W)-VPN Series User’s Guide391CHAPTER 24USG SecuExtender (Windows)The USG automatically loads the USG SecuExtender for Windows client program to your computer after a successful login to an SSL VPN tunnel with network extension support enabled. Note: For information on using the USG SecuExtender for Mac client program, please see its User’s Guide at the download library on the ZyXEL website.The USG SecuExtender (Windows) lets you:• Access servers, remote desktops and manage files as if you were on the local network. • Use applications like e-mail, file transfer, and remote desktop programs directly without using a browser. For example, you can use Outlook for e-mail instead of the USG’s web-based e-mail. • Use applications, even proprietary applications, for which the USG does not offer SSL application objects. The applications must be installed on your computer. For example, to use the VNC remote desktop program, you must have the VNC client installed on your computer.24.1 The USG SecuExtender IconThe USG SecuExtender icon color indicates the SSL VPN tunnel’s connection status.Figure 271 USG SecuExtender Icon • Green: the SSL VPN tunnel is connected. You can connect to the SSL application and network resources. You can also use another application to access resources behind the USG.• Gray: the SSL VPN tunnel’s connection is suspended. This means the SSL VPN tunnel is connected, but the USG SecuExtender will not send any traffic through it until you right-click the icon and resume the connection.• Red: the SSL VPN tunnel is not connected. You cannot connect to the SSL application and network resources.24.2 StatusRight-click the USG SecuExtender icon in the system tray and select Status to open the Status screen. Use this screen to view the USG SecuExtender’s connection status and activity statistics.

Chapter 24 USG SecuExtender (Windows)USG20(W)-VPN Series User’s Guide392Figure 272 USG SecuExtender Status The following table describes the labels in this screen.24.3 View LogIf you have problems with the USG SecuExtender, customer support may request you to provide information from the log. Right-click the USG SecuExtender icon in the system tray and select Logto open a notepad file of the USG SecuExtender’s log. Table 149 USG SecuExtender StatusLABEL DESCRIPTIONConnection StatusSecuExtender IP AddressThis is the IP address the USG assigned to this remote user computer for an SSL VPN connection.DNS Server 1/2 These are the IP addresses of the DNS server and backup DNS server for the SSL VPN connection.DNS (Domain Name System) maps a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it. Your computer uses the DNS server specified here to resolve domain names for resources you access through the SSL VPN connection.WINS Server 1/2 These are the IP addresses of the WINS (Windows Internet Naming Service) and backup WINS servers for the SSL VPN connection. The WINS server keeps a mapping table of the computer names on your network and the IP addresses that they are currently using. Network 1~8 These are the networks (including netmask) that you can access through the SSL VPN connection.ActivityConnected Time This is how long the computer has been connected to the SSL VPN tunnel.Transmitted This is how many bytes and packets the computer has sent through the SSL VPN connection.Received This is how many bytes and packets the computer has received through the SSL VPN connection.

$Chapter 24 USG SecuExtender (Windows)USG20(W)-VPN Series User’s Guide393Figure 273 USG SecuExtender Log Example 24.4 Suspend and Resume the ConnectionWhen the USG SecuExtender icon in the system tray is green, you can right-click the icon and select Suspend Connection to keep the SSL VPN tunnel connected but not send any traffic through it until you right-click the icon and resume the connection.24.5 Stop the ConnectionRight-click the icon and select Stop Connection to disconnect the SSL VPN tunnel. 24.6 Uninstalling the USG SecuExtenderDo the following if you need to remove the USG SecuExtender.1Click start > All Programs > ZyXEL > USG SecuExtender > Uninstall ZyWALL SecuExtender.2In the confirmation screen, click Yes.################################################################################################[ 2009/03/12 13:35:50 ][SecuExtender Agent][DETAIL] Build Datetime: Feb 24 2009/10:25:07[ 2009/03/12 13:35:50 ][SecuExtender Agent][DEBUG] rasphone.pbk: C:\Documents and Settings\11746\rasphone.pbk[ 2009/03/12 13:35:50 ][SecuExtender Agent][DEBUG] SecuExtender.log: C:\Documents and Settings\11746\SecuExtender.log[ 2009/03/12 13:35:50 ][SecuExtender Agent][DETAIL] Check Parameters[ 2009/03/12 13:35:50 ][SecuExtender Agent][DETAIL] Connect to 172.23.31.19:443/10444[ 2009/03/12 13:35:50 ][SecuExtender Agent][DETAIL] Parameter is OK[ 2009/03/12 13:35:50 ][SecuExtender Agent][DETAIL] Checking System status...[ 2009/03/12 13:35:50 ][SecuExtender Agent][DETAIL] Checking service (first) ...[ 2009/03/12 13:35:50 ][SecuExtender Agent][DETAIL] SecuExtender Helper is running[ 2009/03/12 13:35:50 ][SecuExtender Agent][DETAIL] System is OK[ 2009/03/12 13:35:50 ][SecuExtender Agent][DEBUG] Connect to 2887196435/443[ 2009/03/12 13:35:50 ][SecuExtender Agent][DETAIL] Handshake LoopCounter: 0[ 2009/03/12 13:35:50 ][SecuExtender Agent][DETAIL] 611 bytes of handshake data received$

Chapter 24 USG SecuExtender (Windows)USG20(W)-VPN Series User’s Guide394Figure 274 Uninstalling the USG SecuExtender Confirmation 3Windows uninstalls the USG SecuExtender.Figure 275 USG SecuExtender Uninstallation

USG20(W)-VPN Series User’s Guide395CHAPTER 25L2TP VPN25.1 OverviewL2TP VPN uses the L2TP and IPSec client software included in remote users’ Android, iOS, Windows or Mac OS X operating systems for secure connections to the network behind the USG. The remote users do not need their own IPSec gateways or third-party VPN client software. Figure 276 L2TP VPN Overview25.1.1 What You Can Do in this Chapter•Use the L2TP VPN screen (see Section 25.2 on page 396) to configure the USG’s L2TP VPN settings. •Use the VPN Setup Wizard screen in Quick Setup (Chapter 4 on page 49) to configure the USG’s L2TP VPN settings.25.1.2 What You Need to KnowThe Layer 2 Tunneling Protocol (L2TP) works at layer 2 (the data link layer) to tunnel network traffic between two peers over another network (like the Internet). In L2TP VPN, an IPSec VPN tunnel is established first and then an L2TP tunnel is built inside it. See Chapter 21 on page 332 for information on IPSec VPN.IPSec Configuration Required for L2TP VPNYou must configure an IPSec VPN connection prior to proper L2TP VPN usage (see Chapter 25 on page 395 for details). The IPSec VPN connection must:• Be enabled.• Use transport mode.•Use Pre-Shared Key authentication.• Use a VPN gateway with the Secure Gateway set to 0.0.0.0 if you need to allow L2TP VPN clients to connect from more than one IP address.

Chapter 25 L2TP VPNUSG20(W)-VPN Series User’s Guide396Using the Quick Setup VPN Setup WizardThe VPN Setup Wizard is an easy and convenient way to configure the L2TP VPN settings. Click Configuration > Quick Setup > VPN Setup > VPN Settings for L2TP VPN Settings to get started.Policy RouteThe Policy Route for return traffic (from LAN to L2TP clients) is automatically created when USG adds a new L2TP connection, allowing users access the resources on a network without additional configuration. However, if some of the traffic from the L2TP clients needs to go to the Internet, you will need to create a policy route to send that traffic from the L2TP tunnels out through a WAN trunk. This task can be easily performed by clicking the Allow L2TP traffic through WAN checkbox at Quick Setup > VPN Setup > Allow L2TP traffic through WAN.Figure 277 Policy Route for L2TP VPN 25.2 L2TP VPN ScreenClick Configuration > VPN > L2TP VPN to open the following screen. Use this screen to configure the USG’s L2TP VPN settings. Note: Disconnect any existing L2TP VPN sessions before modifying L2TP VPN settings. The remote users must make any needed matching configuration changes and re-establish the sessions using the new settings.Click on the icons to go to the OneSecurity.com website where there is guidance on configuration walkthroughs, troubleshooting, and other information.LAN_SUBNETL2TP_POOL

Chapter 25 L2TP VPNUSG20(W)-VPN Series User’s Guide397Figure 278 Configuration > VPN > L2TP VPNThe following table describes the fields in this screen. Table 150 Configuration > VPN > L2TP VPNLABEL DESCRIPTIONShow Advanced Settings / Hide Advanced SettingsClick this button to display a greater or lesser number of configuration fields.Create new Object Use to configure any new settings objects that you need to use in this screen.Enable L2TP Over IPSecUse this field to turn the USG’s L2TP VPN function on or off. VPN Connection Select the IPSec VPN connection the USG uses for L2TP VPN. All of the configured VPN connections display here, but the one you use must meet the requirements listed in IPSec Configuration Required for L2TP VPN on page 395.Note: Modifying this VPN connection (or the VPN gateway that it uses) disconnects any existing L2TP VPN sessions.IP Address Pool Select the pool of IP addresses that the USG uses to assign to the L2TP VPN clients. Use Create new Object if you need to configure a new pool of IP addresses. This should not conflict with any WAN, LAN, DMZ or WLAN subnet even if they are not in use.Authentication MethodSelect how the USG authenticates a remote user before allowing access to the L2TP VPN tunnel.The authentication method has the USG check a user’s user name and password against the USG’s local database, a remote LDAP, RADIUS, a Active Directory server, or more than one of these. Authentication Server CertificateSelect the certificate to use to identify the USG for L2TP VPN connections. You must have certificates already configured in the My Certificates screen. The certificate is used with the EAP, PEAP, and MSCHAPv2 authentication protocols.

Chapter 25 L2TP VPNUSG20(W)-VPN Series User’s Guide39825.2.1 Example: L2TP and USG Behind a NAT Router If the USG (Z) is behind a NAT router (N), then do the following for remote clients (C) to access the network behind the USG (Z) using L2TP over IPv4.1Create an address object in Configuration > Object > Address for the WAN IP address of the NAT router.2Go to Configuration > VPN > IPSec VPN > VPN Connection and click Add for IPv4Configuration to create a new VPN connection.3Select Remote Access (Server Role) as the VPN scenario for the remote client. Allowed User The remote user must log into the USG to use the L2TP VPN tunnel.Select a user or user group that can use the L2TP VPN tunnel. Use Create new Object if you need to configure a new user account. Otherwise, select any to allow any user with a valid account and password on the USG to log in.Keep Alive Timer The USG sends a Hello message after waiting this long without receiving any traffic from the remote user. The USG disconnects the VPN tunnel if the remote user does not respond.First DNS Server, Second DNS ServerSpecify the IP addresses of DNS servers to assign to the remote users. You can specify these IP addresses two ways.Custom Defined - enter a static IP address.From ISP - use the IP address of a DNS server that another interface received from its DHCP server.First WINS Server, Second WINS Server The WINS (Windows Internet Naming Service) server keeps a mapping table of the computer names on your network and the IP addresses that they are currently using. Type the IP addresses of up to two WINS servers to assign to the remote users. You can specify these IP addresses two ways.Apply Click Apply to save your changes in the USG.Reset Click Reset to return the screen to its last-saved settings. Table 150 Configuration > VPN > L2TP VPN (continued)LABEL DESCRIPTION

Chapter 25 L2TP VPNUSG20(W)-VPN Series User’s Guide3994Select the NAT router WAN IP address object as the Local Policy.5Go to Configuration > VPN > L2TP VPN and select the VPN Connection just configured.

USG20(W)-VPN Series User’s Guide400CHAPTER 26BWM (Bandwidth Management)26.1 OverviewBandwidth management provides a convenient way to manage the use of various services on the network. It manages general protocols (for example, HTTP and FTP) and applies traffic prioritization to enhance the performance of delay-sensitive applications like voice and video.26.1.1 What You Can Do in this ChapterUse the BWM screens (see Section 26.2 on page 404) to control bandwidth for services passing through the USG, and to identify the conditions that define the bandwidth control.26.1.2 What You Need to KnowWhen you allow a service, you can restrict the bandwidth it uses. It controls TCP and UDP traffic. Use policy routes to manage other types of traffic (like ICMP).Note: Bandwidth management in policy routes has priority over TCP and UDP traffic policies.If you want to use a service, make sure both the security policy allow the service’s packets to go through the USG.Note: The USG checks security policies before it checks bandwidth management rules for traffic going through the USG.Bandwidth management examines every TCP and UDP connection passing through the USG. Then, you can specify, by port, whether or not the USG continues to route the connection.BWM TypeThe USG supports three types of bandwidth management: Shared, Per user and Per-Source-IP.The Shared BWM type is selected by default in a bandwidth management rule. All matched taffic shares the bandwidth configured in the rule. If the BWM type is set to Per user in a rule, each user that matches the rule can use up to the configured bandwidth by his/her own. Select the Per-Source-IP type when you want to set the maximum bandwidth for traffic from an individual source IP address.In the following example, you configure a Per user bandwidth management rule for radius-users to limit outgoing traffic to 300 kbs. Then all radius-users (A, B and C) can send 300 kbps of traffic.

Chapter 26 BWM (Bandwidth Management)USG20(W)-VPN Series User’s Guide401DiffServ and DSCP MarkingQoS is used to prioritize source-to-destination traffic flows. All packets in the same flow are given the same priority. CoS (class of service) is a way of managing traffic in a network by grouping similar types of traffic together and treating each type as a class. You can use CoS to give different priorities to different packet types. DiffServ (Differentiated Services) is a class of service (CoS) model that marks packets so that they receive specific per-hop treatment at DiffServ-compliant network devices along the route based on the application types and traffic flow. Packets are marked with DiffServ Code Points (DSCPs) indicating the level of service desired. This allows the intermediary DiffServ-compliant network devices to handle the packets differently depending on the code points without the need to negotiate paths or remember state information for every flow. In addition, applications do not have to request a particular service or give advanced notice of where the traffic is going.Connection and Packet Directions Bandwidth management looks at the connection direction, that is, from which interface the connection was initiated and to which interface the connection is going. A connection has outbound and inbound packet flows. The USG controls the bandwidth of traffic of each flow as it is going out through an interface or VPN tunnel. • The outbound traffic flows from the connection initiator to the connection responder. • The inbound traffic flows from the connection responder to the connection initiator. For example, a LAN1 to WAN connection is initiated from LAN1 and goes to the WAN.• Outbound traffic goes from a LAN1 device to a WAN device. Bandwidth management is applied before sending the packets out a WAN interface on the USG. • Inbound traffic comes back from the WAN device to the LAN1 device. Bandwidth management is applied before sending the traffic out a LAN1 interface.

Chapter 26 BWM (Bandwidth Management)USG20(W)-VPN Series User’s Guide402Figure 279 LAN1 to WAN Connection and Packet Directions Outbound and Inbound Bandwidth LimitsYou can limit an application’s outbound or inbound bandwidth. This limit keeps the traffic from using up too much of the out-going interface’s bandwidth. This way you can make sure there is bandwidth for other applications. When you apply a bandwidth limit to outbound or inbound traffic, each member of the out-going zone can send up to the limit. Take a LAN1 to WAN policy for example. • Outbound traffic is limited to 200 kbps. The connection initiator is on the LAN1 so outbound means the traffic traveling from the LAN1 to the WAN. Each of the WAN zone’s two interfaces can send the limit of 200 kbps of traffic. • Inbound traffic is limited to 500 kbs. The connection initiator is on the LAN1 so inbound means the traffic traveling from the WAN to the LAN1.Figure 280 LAN1 to WAN, Outbound 200 kbps, Inbound 500 kbps Bandwidth Management Priority• The USG gives bandwidth to higher-priority traffic first, until it reaches its configured bandwidth rate.• Then lower-priority traffic gets bandwidth. • The USG uses a fairness-based (round-robin) scheduler to divide bandwidth among traffic flows with the same priority.• The USG automatically treats traffic with bandwidth management disabled as priority 7 (the lowest priority). ConnectionBWMBWMOutboundInboundLAN1InboundOutbound500 kbps200 kbps

Chapter 26 BWM (Bandwidth Management)USG20(W)-VPN Series User’s Guide403Maximize Bandwidth UsageMaximize bandwidth usage allows applications with maximize bandwidth usage enabled to “borrow” any unused bandwidth on the out-going interface.After each application gets its configured bandwidth rate, the USG uses the fairness- based scheduler to divide any unused bandwidth on the out-going interface amongst applications that need more bandwidth and have maximize bandwidth usage enabled.Unused bandwidth is divided equally. Higher priority traffic does not get a larger portion of the unused bandwidth.Bandwidth Management Behavior The following sections show how bandwidth management behaves with various settings. For example, you configure DMZ to WAN policies for FTP servers A and B. Each server tries to send 1000 kbps, but the WAN is set to a maximum outgoing speed of 1000 kbps. You configure policy A for server A’s traffic and policy B for server B’s traffic.Figure 281 Bandwidth Management BehaviorConfigured Rate EffectIn the following table the configured rates total less than the available bandwidth and maximize bandwidth usage is disabled, both servers get their configured rate. Priority EffectHere the configured rates total more than the available bandwidth. Because server A has higher priority, it gets up to it’s configured rate (800 kbps), leaving only 200 kbps for server B. Table 151 Configured Rate EffectPOLICY CONFIGURED RATE MAX. B. U. PRIORITY ACTUAL RATEA 300 kbps No 1 300 kbpsB 200 kbps No 1 200 kbpsTable 152 Priority EffectPOLICY CONFIGURED RATE MAX. B. U. PRIORITY ACTUAL RATEA 800 kbps Yes 1 800 kbpsB 1000 kbps Yes 2 200 kbps 1000 kbps1000 kbpsBWM1000 kbps

Chapter 26 BWM (Bandwidth Management)USG20(W)-VPN Series User’s Guide404Maximize Bandwidth Usage EffectWith maximize bandwidth usage enabled, after each server gets its configured rate, the rest of the available bandwidth is divided equally between the two. So server A gets its configured rate of 300 kbps and server B gets its configured rate of 200 kbps. Then the USG divides the remaining bandwidth (1000 - 500 = 500) equally between the two (500 / 2 = 250 kbps for each). The priority has no effect on how much of the unused bandwidth each server gets.So server A gets its configured rate of 300 kbps plus 250 kbps for a total of 550 kbps. Server B gets its configured rate of 200 kbps plus 250 kbps for a total of 450 kbps. Priority and Over Allotment of Bandwidth EffectServer A has a configured rate that equals the total amount of available bandwidth and a higher priority. You should regard extreme over allotment of traffic with different priorities (as shown here) as a configuration error. Even though the USG still attempts to let all traffic get through and not be lost, regardless of its priority, server B gets almost no bandwidth with this configuration. 26.2 The Bandwidth Management ScreenThe Bandwidth management screens control the bandwidth allocation for TCP and UDP traffic. You can use source interface, destination interface, destination port, schedule, user, source, destination information, DSCP code and service type as criteria to create a sequence of specific conditions, similar to the sequence of rules used by firewalls, to specify how the USG handles the DSCP value and allocate bandwidth for the matching packets.Click Configuration > BWM to open the following screen. This screen allows you to enable/disable bandwidth management and add, edit, and remove user-defined bandwidth management policies.The default bandwidth management policy is the one with the priority of “default”. It is the last policy the USG checks if traffic does not match any other bandwidth management policies you have configured. You cannot remove, activate, deactivate or move the default bandwidth management policy.Table 153 Maximize Bandwidth Usage EffectPOLICY CONFIGURED RATE MAX. B. U. PRIORITY ACTUAL RATEA 300 kbps Yes 1 550 kbpsB 200 kbps Yes 2 450 kbpsTable 154 Priority and Over Allotment of Bandwidth EffectPOLICY CONFIGURED RATE MAX. B. U. PRIORITY ACTUAL RATEA 1000 kbps Yes 1 999 kbpsB 1000 kbps Yes 2 1 kbps

Chapter 26 BWM (Bandwidth Management)USG20(W)-VPN Series User’s Guide405Figure 282 Configuration > Bandwidth ManagementThe following table describes the labels in this screen. See Section 26.2.1 on page 406 for more information as well. Table 155 Configuration > Bandwidth ManagementLABEL DESCRIPTIONEnable BWM Select this check box to activate management bandwidth. Add Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.Edit Select an entry and click this to be able to modify it. Remove Select an entry and click this to delete it.Activate To turn on an entry, select it and click Activate.Inactivate To turn off an entry, select it and click Inactivate.Move To change an entry’s position in the numbered list, select it and click Move to display a field to type a number for where you want to put that entry and press [ENTER] to move the entry to the number that you typed.Status The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive. The status icon is not available for the default bandwidth management policy.Priority This field displays a sequential value for each bandwidth management policy and it is not associated with a specific setting.This field displays default for the default bandwidth management policy.Description This field displays additional information about this policy.BWM Type This field displays the below types of BWM:•Shared, when the policy is set for all matched traffic•Per User, when the policy is set for an individual user or a user group•Per-Source-IP, when the policy is set for a source IPUser This is the type of user account to which the policy applies. If any displays, the policy applies to all user accounts.Schedule This is the schedule that defines when the policy applies. none means the policy always applies.Incoming Interface This is the source interface of the traffic to which this policy applies.Outgoing Interface This is the destination interface of the traffic to which this policy applies.Source This is the source address or address group for whom this policy applies. If any displays, the policy is effective for every source.Destination This is the destination address or address group for whom this policy applies. If any displays, the policy is effective for every destination.

Chapter 26 BWM (Bandwidth Management)USG20(W)-VPN Series User’s Guide40626.2.1 The Bandwidth Management Add/Edit ScreenThe Configuration > Bandwidth Management Add/Edit screen allows you to create a new condition or edit an existing one. DSCP Code These are the DSCP code point values of incoming and outgoing packets to which this policy applies. The lower the number the higher the priority with the exception of 0 which is usually given only best-effort treatment.any means all DSCP value or no DSCP marker.default means traffic with a DSCP value of 0. This is usually best effort trafficThe “af” options stand for Assured Forwarding. The number following the “af” identifies one of four classes and one of three drop preferences.Service Type App and the service name displays if you selected Application Object for the service type. An Application Object is a pre-defined service. Obj and the service name displays if you selected Service Object for the service type. A Service Object is a customized pre-defined service or another service. Mouse over the service object name to view the corresponding IP protocol number.BWM In/Pri/Out/Pri This field shows the amount of bandwidth the traffic can use.In - This is how much inbound bandwidth, in kilobits per second, this policy allows the matching traffic to use. Inbound refers to the traffic the USG sends to a connection’s initiator. If no displays here, this policy does not apply bandwidth management for the inbound traffic.Out - This is how much outgoing bandwidth, in kilobits per second, this policy allows the matching traffic to use. Outbound refers to the traffic the USG sends out from a connection’s initiator. If no displays here, this policy does not apply bandwidth management for the outbound traffic.Pri - This is the priority for the incoming (the first Pri value) or outgoing (the second Pri value) traffic that matches this policy. The smaller the number, the higher the priority. Traffic with a higher priority is given bandwidth before traffic with a lower priority. The USG ignores this number if the incoming and outgoing limits are both set to 0. In this case the traffic is automatically treated as being set to the lowest priority (7) regardless of this field’s configuration.DSCP Marking This is how the USG handles the DSCP value of the incoming and outgoing packets that match this policy. In - Inbound, the traffic the USG sends to a connection’s initiator.Out - Outbound, the traffic the USG sends out from a connection’s initiator. If this field displays a DSCP value, the USG applies that DSCP value to the route’s outgoing packets.preserve means the USG does not modify the DSCP value of the route’s outgoing packets. default means the USG sets the DSCP value of the route’s outgoing packets to 0.The “af” choices stand for Assured Forwarding. The number following the “af” identifies one of four classes and one of three drop preferences. Apply Click Apply to save your changes back to the USG.Reset Click Reset to return the screen to its last-saved settings. Table 155 Configuration > Bandwidth ManagementLABEL DESCRIPTION

Chapter 26 BWM (Bandwidth Management)USG20(W)-VPN Series User’s Guide407802.1P MarkingUse 802.1P to prioritize outgoing traffic from a VLAN interface. The Priority Code is a 3-bit field within a 802.1Q VLAN tag that’s used to prioritize associated outgoing VLAN traffic. "0" is the lowest priority level and "7" is the highest. The following table is a guide to types of traffic for the priority code. To access this screen, go to the Configuration > Bandwidth Management screen (see Section 26.2 on page 404), and click either the Add icon or an Edit icon.Figure 283 Configuration > Bandwidth Management > Edit (For the Default Policy)Table 156 Single Tagged 802.1Q Frame FormatDA SA TPID Priority VID Len/Etype Data FCS IEEE 802.1Q customer tagged frameTable 157 802.1Q Frame DA Destination Address Priority 802.1p PrioritySA Source Address Len/Etype Length and type of Ethernet frameTPID Tag Protocol IDentifier Data Frame dataVID VLAN ID FCS Frame Check SequenceTable 158 Priority Code and Types of TrafficPRIORITY TRAFFIC TYPES0 (lowest) Background1 Best Effort2 Excellent Effort3 Critical Applications4 Video, less than 100 ms latency and jitter5 Voice, less than 10 ms latency and jitter6 Internetwork Control7 (highest) Network Control

Chapter 26 BWM (Bandwidth Management)USG20(W)-VPN Series User’s Guide408Figure 284 Configuration > Bandwidth Management > Add/EditThe following table describes the labels in this screen. Table 159 Configuration > Bandwidth Management > Add/EditLABEL DESCRIPTIONCreate new Object Use to configure any new settings objects that you need to use in this screen.ConfigurationEnable Select this check box to turn on this policy.Description Enter a description of this policy. It is not used elsewhere. You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.Criteria Use this section to configure the conditions of traffic to which this policy applies.

Chapter 26 BWM (Bandwidth Management)USG20(W)-VPN Series User’s Guide409BWM Type This field displays the below types of BWM rule:• Shared, when the policy is set for all users• Per User, when the policy is set for an individual user or a user group• Per Source IP, when the policy is set for a source IPUser Select a user name or user group to which to apply the policy. Use Create new Object if you need to configure a new user account. Select any to apply the policy for every user.Schedule Select a schedule that defines when the policy applies or select Create Object to configure a new one. Otherwise, select none to make the policy always effective.Incoming Interface Select the source interface of the traffic to which this policy applies.Outgoing Interface Select the destination interface of the traffic to which this policy applies.Source Select a source address or address group for whom this policy applies. Use Create new Object if you need to configure a new one. Select any if the policy is effective for every source.Destination Select a destination address or address group for whom this policy applies. Use Create new Object if you need to configure a new one. Select any if the policy is effective for every destination.DSCP Code Select a DSCP code point value of incoming packets to which this policy route applies or select User Defined to specify another DSCP code point. The lower the number the higher the priority with the exception of 0 which is usually given only best-effort treatment.any means all DSCP value or no DSCP marker.default means traffic with a DSCP value of 0. This is usually best effort trafficThe “af” choices stand for Assured Forwarding. The number following the “af” identifies one of four classes and one of three drop preferences.User-Defined DSCP Code Use this field to specify a custom DSCP code point.Service Type Select Service Object if you want a specific service (defined in a service object) to which the policy applies.Service Object This field is available if you selected Service Object as the service type.Select a service or service group to identify the type of traffic to which this policy applies. any means all services.DSCP Marking Set how the USG handles the DSCP value of the incoming and outgoing packets that match this policy. Inbound refers to the traffic the USG sends to a connection’s initiator. Outbound refers to the traffic the USG sends out from a connection’s initiator. Select one of the pre-defined DSCP values to apply or select User Defined to specify another DSCP value. The “af” choices stand for Assured Forwarding. The number following the “af” identifies one of four classes and one of three drop preferences.Select preserve to have the USG keep the packets’ original DSCP value. Select default to have the USG set the DSCP value of the packets to 0.Bandwidth Shaping Configure these fields to set the amount of bandwidth the matching traffic can use.Table 159 Configuration > Bandwidth Management > Add/EditLABEL DESCRIPTION

Chapter 26 BWM (Bandwidth Management)USG20(W)-VPN Series User’s Guide410Inbound kbps Type how much inbound bandwidth, in kilobits per second, this policy allows the traffic to use. Inbound refers to the traffic the USG sends to a connection’s initiator. If you enter 0 here, this policy does not apply bandwidth management for the matching traffic that the USG sends to the initiator. Traffic with bandwidth management disabled (inbound and outbound are both set to 0) is automatically treated as the lowest priority (7).If the sum of the bandwidths for routes using the same next hop is higher than the actual transmission speed, lower priority traffic may not be sent if higher priority traffic uses all of the actual bandwidth.Outbound kbps Type how much outbound bandwidth, in kilobits per second, this policy allows the traffic to use. Outbound refers to the traffic the USG sends out from a connection’s initiator. If you enter 0 here, this policy does not apply bandwidth management for the matching traffic that the USG sends out from the initiator. Traffic with bandwidth management disabled (inbound and outbound are both set to 0) is automatically treated as the lowest priority (7).If the sum of the bandwidths for routes using the same next hop is higher than the actual transmission speed, lower priority traffic may not be sent if higher priority traffic uses all of the actual bandwidth.Priority This field displays when the inbound or outbound bandwidth management is not set to 0. Enter a number between 1 and 7 to set the priority for traffic that matches this policy. The smaller the number, the higher the priority. Traffic with a higher priority is given bandwidth before traffic with a lower priority. The USG uses a fairness-based (round-robin) scheduler to divide bandwidth between traffic flows with the same priority.The number in this field is ignored if the incoming and outgoing limits are both set to 0. In this case the traffic is automatically treated as being set to the lowest priority (7) regardless of this field’s configuration.Maximize Bandwidth Usage This field displays when the inbound or outbound bandwidth management is not set to 0 and the BWM Type is set to Shared. Enable maximize bandwidth usage to let the traffic matching this policy “borrow” all unused bandwidth on the out-going interface. After each application or type of traffic gets its configured bandwidth rate, the USG uses the fairness-based scheduler to divide any unused bandwidth on the out-going interface among applications and traffic types that need more bandwidth and have maximize bandwidth usage enabled.Maximum If you did not enable Maximize Bandwidth Usage, then type the maximium unused bandwidth that traffic matching this policy is allowed to “borrow” on the out-going interface (in Kbps), here.802.1P Marking Use 802.1P to prioritize outgoing traffic from a VLAN interface.Priority Code This is a 3-bit field within a 802.1Q VLAN tag that’s used to prioritize associated outgoing VLAN traffic. "0" is the lowest priority level and "7" is the highest. See Table 158 on page 407. The setting configured here overwrites existing priority settings.Interface Choose a VLAN interface to which to apply the priority level for matching frames.Related SettingLog Select whether to have the USG generate a log (log), log and alert (log alert) or neither (no) when any traffic matches this policy.OK Click OK to save your changes back to the USG.Cancel Click Cancel to exit this screen without saving your changes.Table 159 Configuration > Bandwidth Management > Add/EditLABEL DESCRIPTION

Chapter 26 BWM (Bandwidth Management)USG20(W)-VPN Series User’s Guide41126.2.1.1 Adding Objects for the BWM PolicyObjects are parameters to which the Policy rules are built upon. There are three kinds of objects you can add/edit for the BWM policy, they are User, Schedule and Address objects. Click Configuration > BWM > Add > Create New Object > Add User to see the following screen. Figure 285 Configuration >BWM > Create New Object > Add UserThe following table describes the fields in the above screen. Table 160 Configuration > BWM > Create New Object > Add UserLABEL DESCRIPTIONUser Name Type a user or user group object name of the rule.User Type Select a user type from the drop down menu. The user types are Admin, Limited admin, User, Guest, Ext-user, Ext-group-user.

$Chapter 26 BWM (Bandwidth Management)USG20(W)-VPN Series User’s Guide412Password Type a password for the user object. The password can consist of alphanumeric characters, the underscore, and some punctuation marks (+-/*= :; .! @$&%#~ ‘ \ () ), and it can be up to eight characters long.Retype Retype the password to confirm.Description Enter a description for this user object. It is not used elsewhere. You can use alphanumeric and ()+/:=?!*#@$_%- characters, and it can be up to 60 characters long.Authentication Timeout SettingsChoose either Use Default setting option, which shows the default Lease Time of 1,440 minutes and Reauthentication Time of 1,440 minutes or you can enter them manually by choosing Use Manual Settings option.Lease Time This shows the Lease Time setting for the user, by default it is 1,440 minutes.Reauthentication Time This shows the Reauthentication Time for the user, by default it is 1,440 minutes.OK Click OK to save the setting.Cancel Click Cancel to abandon this screen.Table 160 Configuration > BWM > Create New Object > Add UserLABEL DESCRIPTION$

Chapter 26 BWM (Bandwidth Management)USG20(W)-VPN Series User’s Guide413Figure 286 Configuration > BWM > Create New Object > Add Schedule The following table describes the fields in the above screen. Table 161 Configuration > BWM > Create New Object > Add ScheduleLABEL DESCRIPTIONName Enter a name for the schedule object of the rule.Type Select an option from the drop down menu for the schedule object. It will show One Time or Recurring.Start Date Click the icon menu on the right to choose a Start Date for the schedule object.Start Time Click the icon menu on the right to choose a Start Time for the schedule object.Stop Date Click the icon menu on the right to choose a Stop Date for schedule object.Stop Time Click the icon menu on the right to choose a Stop Time for the schedule object.

Chapter 26 BWM (Bandwidth Management)USG20(W)-VPN Series User’s Guide414Figure 287 Configuration > BWM > Create New Object > Add AddressThe following table describes the fields in the above screen. Table 162 Configuration > BWM > Create New Object > Add AddressLABEL DESCRIPTIONName Enter a name for the Address object of the rule.Address Type Select an Address Type from the drop down menu on the right. The Address Types are Host, Range, Subnet, Interface IP, Interface Subnet, and Interface Gateway.IP Address Enter an IP address for the Address object.OK Click OK to save the setting.Cancel Click Cancel to abandon the setting.

$Chapter 27 Content FilteringUSG20(W)-VPN Series User’s Guide418Denied Access Message Enter a message to be displayed when content filter blocks access to a web page. Use up to 127 characters (0-9a-zA-Z;/?:@&=+$\.-_!~*'()%,”). For example, “Access to this web page is not allowed. Please contact the network administrator”.It is also possible to leave this field blank if you have a URL specified in the Redirect URL field. In this case if the content filter blocks access to a web page, the USG just opens the web page you specified without showing a denied access message.Redirect URL Enter the URL of the web page to which you want to send users when their web access is blocked by content filter. The web page you specify here opens in a new frame below the denied access message. Use “http://” or “https://” followed by up to 262 characters (0-9a-zA-Z;/?:@&=+$\.-_!~*'()%). For example, http://192.168.1.17/blocked access.Profile ManagementAdd Click Add to create a new content filter rule.Edit Click Edit to make changes to a content filter rule.Remove Click Remove the delete a content filter rule.Object Reference Select an entry and click Object References to open a screen that shows which settings use the entry. Click Refresh to update information on this screen.# This column lists the index numbers of the content filter profile.Name This column lists the names of the content filter profile rule.Description This column lists the description of the content filter profile rule.Reference This displays the number of times an Object Reference is used in a rule.License Status This read-only field displays the status of your content-filtering database service registration.Not Licensed displays if you have not successfully registered and activated the service.Expired displays if your subscription to the service has expired.Licensed displays if you have successfully registered the USG and activated the service.You can view content filter reports after you register the USG and activate the subscription service in the Registration screen. License Type This read-only field displays what kind of service registration you have for the content-filtering database.None displays if you have not successfully registered and activated the service.Standard displays if you have successfully registered the USG and activated the service.Trial displays if you have successfully registered the USG and activated the trial service subscription.Expiration Date This field displays the date your service license expires.Register Now This link appears if you have not registered for the service or the service has expired. Click this link to go to the screen where you can register for the service. Apply Click Apply to save your changes back to the USG.Reset Click Reset to return the screen to its last-saved settings. Table 163 Configuration > UTM Profile > Content Filter > Profile (continued)LABEL DESCRIPTION$

Chapter 27 Content FilteringUSG20(W)-VPN Series User’s Guide424Child Abuse Images Sites that portray or discuss children in sexual or other abusive acts. For example, a.uuzhijia.info.Computers & Technology Sites that contain information about computers, software, hardware, IT, peripheral and computer services, such as product reviews, discussions, and IT news. For example, www.informationsecurity.com.tw, blog.ithome.com.tw.Criminal Activity Sites that offer advice on how to commit illegal or criminal activities, or to avoid detection. These can include how to commit murder, build bombs, pick locks, etc. Also includes sites with information about illegal manipulation of electronic devices, hacking, fraud and illegal distribution of software. For example, www.hackbase.com, jia.hackbase.com, ad.adver.com.tw.Cults Sites relating to non-traditional religious practice typically known as "cults," that is, considered to be false, unorthodox, extremist, or coercive, with members often living under the direction of a charismatic leader. For example, www.churchofsatan.com, www.ccya.org.tw.Dating & Personals Sites that promote networking for interpersonal relationships such as dating and marriage. Includes sites for match-making, online dating, spousal introduction. For example, www.i-part.com.tw, www.imatchi.com.Download Sites Sites that contain downloadable software, whether shareware, freeware, or for a charge. Includes peer-to-peer sites. For example, www.hotdl.com, toget.pchome.com.tw, www.azroo.com.Education Sites sponsored by educational institutions and schools of all types including distance education. Includes general educational and reference materials such as dictionaries, encyclopedias, online courses, teaching aids and discussion guides. For example, www.tfam.museum, www.lksf.org, www.1980.org.tw..Entertainment Sites related to television, movies, music and video (including video on demand), such as program guides, celebrity sites, and entertainment news. For example, www.ctitv.com.tw, www.hboasia.com, www.startv.com.tw.Fashion & Beauty Sites concerning fashion, jewelry, glamour, beauty, modeling, cosmetics or related products or services. Includes product reviews, comparisons, and general consumer information. For example, women.sohu.com, baodian.women.sohu.com.Finance Sites related to banking, finance, payment or investment, including banks, brokerages, online stock trading, stock quotes, fund management, insurance companies, credit unions, credit card companies, and so on. For example, www.concords.com.tw, www.polaris.com.tw, www.bochk.com.Forums & Newsgroups Sites for sharing information in the form of newsgroups, forums, bulletin boards. For example, ck101.com, my.xuite.net, ptt.cc.Gambling Sites that offer or are related to online gambling, lottery, casinos and betting agencies involving chance. For example, www.taiwanlottery.com.tw, www.i-win.com.tw, www.hkjc.com.Games Sites relating to computer or other games, information about game producers, or how to obtain cheat codes. Game-related publication sites. For example, www.gamer.com.tw, www.wowtaiwan.com.tw, tw.lineage.gamania.com.General Sites that do not clearly fall into other categories, for example, blank Web pages. For example, bs.serving-sys.com, simg.sinajs.cn, i0.itc.cn.Government Sites run by governmental organizations, departments, or agencies, including police departments, fire departments, customs bureaus, emergency services, civil defense, counterterrorism organizations, military and hospitals. For example, www.ey.gov.tw, www.whitehouse.gov, www.npa.gov.tw.Greeting cards Sites that allow people to send and receive greeting cards and postcards. For example, www.e-card.com.tw, card.ivy.net.tw.Table 165 Managed Category Descriptions (continued)

Chapter 27 Content FilteringUSG20(W)-VPN Series User’s Guide425Hacking Sites that promote or give advice about how to gain unauthorized access to proprietary computer systems, for the purpose of stealing information, perpetrating fraud, creating viruses, or committing other illegal activity related to theft of digital information. For example, www.hackbase.com, www.chinahacker.com.Hate & Intolerance Sites that promote a supremacist political agenda, encouraging oppression of people or groups of people based on their race, religion, gender, age, disability, sexual orientation or nationality. For example, www.racist-jokes.com, aryan-nations.org, whitepower.com.Health & Medicine Sites containing information pertaining to health, healthcare services, fitness and well-being, including information about medical equipment, hospitals, drugstores, nursing, medicine, procedures, prescription medications, etc. For example, www.lksf.org, www.ohayo.com.tw.Illegal Drug Sites with information on the purchase, manufacture, and use of illegal or recreational drugs and their paraphernalia, and misuse of prescription drugs and other compounds For example, www.cannabis.net, www.amphetamines.com.Illegal Software Sites that illegally distribute software or copyrighted materials such as movies or music, software cracks, illicit serial numbers, illegal license key generators. For example, www.zhaokey.com.cn, www.tiansha.net.Image Sharing Sites that host digital photographs and images, online photo albums and digital photo exchanges. For example, photo.pchome.com.tw, photo.xuite.net, photobucket.com.Information Security Sites that provide legitimate information about data protection, including newly discovered vulnerabilities and how to block them. For example, www.informationsecurity.com.tw, www.itis.tw.Instant Messaging Sites that enable logging in to instant messaging services such as ICQ, AOL Instant Messenger, IRC, MSN, Jabber, Yahoo Messenger, and the like. For example, www.meebo.com, www.aim.com, www. ebuddy.com.Job Search Sites containing job listings, career information, assistance with job searches (such as resume writing, interviewing tips, etc.), employment agencies or head hunters. For example, www.104.com.tw, www.1111.com.tw, www.yes123.com.tw.Leisure & Recreation Sites relating to recreational activities and hobbies including zoos, public recreation centers, pools, amusement parks, and hobbies such as gardening, literature, arts & crafts, home improvement, home d?cor, family, etc. For example, tpbg.tfri.gov.tw, tw.fashion.yahoo.com, www.relaxtimes.com.tw.News Sites covering news and current events such as newspapers, newswire services, personalized news services, broadcasting sites, and magazines. For example, www.tvbs.com.tw?Awww.ebc.net.tw?Awww.iset.com.tw.Non-profits & NGOs Sites devoted to clubs, communities, unions, and non-profit organizations. Many of these groups exist for educational or charitable purposes. For example, www.tzuchi.org.tw, web.redcross.org.tw, www.lksf.org.Nudity Sites that contain full or partial nudity that are not necessarily overtly sexual in intent. Includes sites that advertise or sell lingerie, intimate apparel, or swimwear. For example, www.easyshop.com.tw, www.faster-swim.com.tw, image.baidu.com.Peer-to-Peer Sites that enable direct exchange of files between users without dependence on a central server. For example, www.eyny.com.Personal Sites Sites about or hosted by personal individuals, including those hosted on commercial sites. For example, blog.yam.com, www.wretch.cc, blog.xuite.net.Politics Sites that promote political parties or political advocacy, or provide information about political parties, interest groups, elections, legislation or lobbying. Also includes sites that offer legal information and advice. For example, www.kmt.org.tw, www.dpp.org.tw, cpc.people.com.cn.Table 165 Managed Category Descriptions (continued)

Chapter 27 Content FilteringUSG20(W)-VPN Series User’s Guide426Pornography/Sexually ExplicitSites that contain explicit sexual content. Includes adult products such as sex toys, CD-ROMs, and videos, adult services such as videoconferencing, escort services, and strip clubs, erotic stories and textual descriptions of sexual acts. For example, www.dvd888.com, www.18center.com, blog.sina.com.tw.Private IP Addresses Sites that are private IP addresses as defined in RFC 1918, that is, hosts that do not require access to hosts in other enterprises (or require just limited access) and whose IP address may be ambiguous between enterprises but are well defined within a certain enterprise. For example, 172.21.20.123, 192.168.35.62.Real Estate Sites relating to commercial or residential real estate services, including renting, purchasing, selling or financing homes, offices, etc. For example, www.sinyi.com.tw, www.yungching.com.tw, house.focus.cn.Religion Sites that deal with faith, human spirituality or religious beliefs, including sites of churches, synagogues, mosques and other houses of worship. For example, www.fgs.org.tw, www.twtaoism.net, www.fhl.net.Restaurants & Dining Sites that list, review, promote or advertise food, dining or catering services. Includes sites for recipes, cooking instruction and tips, food products, and wine advisors. For example, www.jogoya.com.tw, www.dintaifung.com.tw, www2.pizzahut.com.tw.School Cheating Sites that promote unethical practices such as cheating or plagiarism by providing test answers, written essays, research papers, or term papers. For example, www.zydk788.com, www.huafengksw.com.Search Engines & Portals Sites enabling the searching of the Web, newsgroups, images, directories, and other online content. Includes portal and directory sites such as white/yellow pages. For example, tw.yahoo.com, www.pchome.com.tw, www.google.com.tw.Sex Education Sites relating to sex education, including subjects such as respect for partner, abortion, gay and lesbian lifestyle, contraceptives, sexually transmitted diseases, and pregnancy. For example, apps.rockyou.com, www.howmama.com.tw, www.mombaby.com.tw.Shopping Sites for online shopping, catalogs, online ordering, auctions, classified ads. Excludes shopping for products and services exclusively covered by another category such as health & medicine. For example, shopping.pchome.com.tw, buy.yahoo.com.tw, www.tkec.com.tw.Social Networking Sites that enable social networking for online communities of various topics, for friendship, dating, or professional reasons. For example, www.facebook.com, www.flickr.com, www.groups.google.com.Sports Sites relating to sports teams, fan clubs, scores and sports news. Relates to all sports, whether professional or recreational. For example, www.yankees.com, www.nba.com, mlb.mlb.com.Streaming Media & DownloadsSites that deliver streaming content, such as Internet radio, Internet TV or MP3 and live or archived media download sites. Includes fan sites, or official sites run by musicians, bands, or record labels. For example, www.youtube.com, pfp.sina.com.cn, my.xunlei.com.Tasteless Sites with offensive or tasteless content such as bathroom humor or profanity. For example, comedycentral.com, dilbert.com.Translators Sites that translate Web pages or phrases from one language to another. These sites may be used to attempt to bypass a filtering system. For example, translate.google.com.tw, www.smartlinkcorp.com, translation.paralink.com.Transportation Sites that provide information about motor vehicles such as cars, motorcycles, boats, trucks, RVs and the like. Includes manufacturer sites, dealerships, review sites, pricing, , online purchase sites, enthusiasts clubs, etc. For example, www.toyota.com.tw, www.ford.com.tw, www.sym.com.tw.Table 165 Managed Category Descriptions (continued)

$Chapter 27 Content FilteringUSG20(W)-VPN Series User’s Guide43027.4 Content Filter Trusted Web Sites Screen Click Configuration > UTM Profile > Content Filter > Trusted Web Sites to open the TrustedWeb Sites screen. You can create a common list of good (allowed) web site addresses. When you configure Filter Profiles, you can select the option to check the Common Trusted Web Sites list. Use this screen to add or remove specific sites from the filter list. Remove Select an entry and click this to delete it. # This displays the index number of the forbidden web sites.Forbidden Web Sites This list displays the forbidden web sites already added.Enter host names such as www.bad-site.com into this text field. Do not enter the complete URL of the site – that is, do not include “http://”. All subdomains are also blocked. For example, entering “*bad-site.com” also blocks “www.bad-site.com”, “partner.bad-site.com”, “press.bad-site.com”, and do on. You can also enter just a top level domain. For example, enter “*.com” to block all .com domains. Use up to 127 characters (0-9a-z-). The casing does not matter. “*” can be used as a wildcard to match any string. The entry must contain at least one “.” or it will be invalid.Blocked URL Keywords This section allows you to block Web sites with URLs that contain certain keywords in the domain name or IP address. Add Click this to create a new entry. Edit Select an entry and click this to be able to modify it. Remove Select an entry and click this to delete it. # This displays the index number of the blocked URL keywords.Blocked URL Keywords This list displays the keywords already added. Enter a keyword or a numerical IP address to block. You can also enter a numerical IP address.Use up to 127 case-insensitive characters (0-9a-zA-Z;/?:@&=+$\.-_!~*()%). “*” can be used as a wildcard to match any string. Use “|*” to indicate a single wildcard character.For example enter *Bad_Site* to block access to any web page that includes the exact phrase Bad_Site. This does not block access to web pages that only include part of the phrase (such as Bad for example). OK Click OK to save your changes back to the USG.Cancel Click Cancel to exit this screen without saving your changes.Table 166 Configuration > UTM Profile > Content Filter > Profile > Custom Service (continued)LABEL DESCRIPTION$

Chapter 28 Anti-SpamUSG20(W)-VPN Series User’s Guide435configured black list helps catch spam e-mail and increases the USG’s anti-spam speed and efficiency. SMTP and POP3Simple Mail Transfer Protocol (SMTP) is the Internet’s message transport standard. It controls the sending of e-mail messages between servers. E-mail clients (also called e-mail applications) then use mail server protocols such as POP (Post Office Protocol) or IMAP (Internet Message Access Protocol) to retrieve e-mail. E-mail clients also generally use SMTP to send messages to a mail server. The older POP2 requires SMTP for sending messages while the newer POP3 can be used with or without it. This is why many e-mail applications require you to specify both the SMTP server and the POP or IMAP server (even though they may actually be the same server). The USG’s anti-spam feature checks SMTP (TCP port 25) and POP3 (TCP port 110) e-mails by default. You can also specify custom SMTP and POP3 ports for the USG to check. E-mail HeadersEvery email has a header and a body. The header is structured into fields and includes the addresses of the recipient and sender, the subject, and other information about the e-mail and its journey. The body is the actual message text and any attachments. You can have the USG check for specific header fields with specific values. E-mail programs usually only show you the To:, From:, Subject:, and Date: header fields but there are others such as Received: and Content-Type:. To see all of an e-mail’s header, you can select an e-mail in your e-mail program and look at its properties or details. For example, in Microsoft’s Outlook Express, select a mail and click File > Properties > Details. This displays the e-mail’s header. Click Message Source to see the source for the entire mail including both the header and the body.E-mail Header Buffer SizeThe USG has a 5 K buffer for an individual e-mail header. If an e-mail’s header is longer than 5 K, the USG only checks up to the first 5 K.DNSBLA DNS Black List (DNSBL) is a server that hosts a list of IP addresses known or suspected of having sent or forwarded spam. A DNSBL is also known as a DNS spam blocking list. The USG can check the routing addresses of e-mail against DNSBLs and classify an e-mail as spam if it was sent or forwarded by a computer with an IP address in the DNSBL.Finding Out MoreSee Section 28.8 on page 448 for more background information on anti-spam.28.2 Before You Begin• Before using the Anti-Spam features (IP Reputation, Mail Content Analysis and Virus Outbreak Detection) you must activate your Anti-Spam Service license.

Chapter 28 Anti-SpamUSG20(W)-VPN Series User’s Guide449Figure 301 DNSBL Spam Detection Example 1The USG receives an e-mail that was sent from IP address a.a.a.a and relayed by an e-mail server at IP address b.b.b.b. The USG sends a separate query to each of its DNSBL domains for IP address a.a.a.a. The USG sends another separate query to each of its DNSBL domains for IP address b.b.b.b.2DNSBL A replies that IP address a.a.a.a does not match any entries in its list (not spam). 3DNSBL C replies that IP address b.b.b.b matches an entry in its list.4The USG immediately classifies the e-mail as spam and takes the action for spam that you defined in the anti-spam policy. In this example it was an SMTP mail and the defined action was to drop the mail. The USG does not wait for any more DNSBL replies.Here is an example of an e-mail classified as legitimate based on DNSBL replies. DNSBL ADNSBL BDNSBL CIPs: a.a.a.a b.b.b.b12a.a.a.a Not spam34a.a.a.a?b.b.b.b?a.a.a.a?b.b.b.b?a.a.a.a?b.b.b.b?b.b.b.b Spam

Chapter 28 Anti-SpamUSG20(W)-VPN Series User’s Guide450Figure 302 DNSBL Legitimate E-mail Detection Example 1The USG receives an e-mail that was sent from IP address c.c.c.c and relayed by an e-mail server at IP address d.d.d.d. The USG sends a separate query to each of its DNSBL domains for IP address c.c.c.c. The USG sends another separate query to each of its DNSBL domains for IP address d.d.d.d.2DNSBL B replies that IP address d.d.d.d does not match any entries in its list (not spam). 3DNSBL C replies that IP address c.c.c.c does not match any entries in its list (not spam).4Now that the USG has received at least one non-spam reply for each of the e-mail’s routing IP addresses, the USG immediately classifies the e-mail as legitimate and forwards it. The USG does not wait for any more DNSBL replies.If the USG receives conflicting DNSBL replies for an e-mail routing IP address, the USG classifies the e-mail as spam. Here is an example.DNSBL ADNSBL BDNSBL CIPs: c.c.c.c d.d.d.d1c.c.c.c Not spam24c.c.c.c?d.d.d.d?c.c.c.c?d.d.d.d?c.c.c.c?d.d.d.d?d.d.d.d Not spam3

Chapter 28 Anti-SpamUSG20(W)-VPN Series User’s Guide451Figure 303 Conflicting DNSBL Replies Example 1The USG receives an e-mail that was sent from IP address a.b.c.d and relayed by an e-mail server at IP address w.x.y.z. The USG sends a separate query to each of its DNSBL domains for IP address a.b.c.d. The USG sends another separate query to each of its DNSBL domains for IP address w.x.y.z.2DNSBL A replies that IP address a.b.c.d does not match any entries in its list (not spam).3While waiting for a DNSBL reply about IP address w.x.y.z, the USG receives a reply from DNSBL B saying IP address a.b.c.d is in its list.4The USG immediately classifies the e-mail as spam and takes the action for spam that you defined in the anti-spam policy. In this example it was an SMTP mail and the defined action was to drop the mail. The USG does not wait for any more DNSBL replies.DNSBL ADNSBL BDNSBL CIPs: a.b.c.d w.x.y.z12a.b.c.d Not spam34a.b.c.d?w.x.y.z?a.b.c.d?w.x.y.z?a.b.c.d?w.x.y.z?a.b.c.d Spam!

Chapter 29 ObjectUSG20(W)-VPN Series User’s Guide453Inter-zone TrafficInter-zone traffic is traffic between interfaces or VPN tunnels in different zones. For example, in Figure 304 on page 452, traffic between VLAN 1 and the Internet is inter-zone traffic. This is the normal case when zone-based security and policy settings apply.Extra-zone Traffic• Extra-zone traffic is traffic to or from any interface or VPN tunnel that is not assigned to a zone. For example, in Figure 304 on page 452, traffic to or from computer C is extra-zone traffic. • Some zone-based security and policy settings may apply to extra-zone traffic, especially if you can set the zone attribute in them to Any or All. See the specific feature for more information.29.1.2 The Zone ScreenThe Zone screen provides a summary of all zones. In addition, this screen allows you to add, edit, and remove zones. To access this screen, click Configuration > Object > Zone.Figure 305 Configuration > Object > Zone The following table describes the labels in this screen. Table 176 Configuration > Object > ZoneLABEL DESCRIPTIONUser Configuration / System DefaultThe USG comes with pre-configured System Default zones that you cannot delete. You can create your own User Configuration zones Add Click this to create a new, user-configured zone.Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. Remove To remove a user-configured trunk, select it and click Remove. The USG confirms you want to remove it before doing so.Object References Select an entry and click Object References to open a screen that shows which settings use the entry. Click Refresh to update information in this screen.# This field is a sequential value, and it is not associated with any interface.Name This field displays the name of the zone.Member This field displays the names of the interfaces that belong to each zone.Reference This field displays the number of times an Object Reference is used in a policy.

Chapter 29 ObjectUSG20(W)-VPN Series User’s Guide45429.1.2.1 Zone EditThe Zone Edit screen allows you to add or edit a zone. To access this screen, go to the Zone screen (see Section 29.7.2 on page 497), and click the Add icon or an Edit icon.Figure 306 Configuration > Object > Zone > Add The following table describes the labels in this screen. 29.2 User/Group OverviewThis section describes how to set up user accounts, user groups, and user settings for the USG. You can also set up rules that control when users have to log in to the USG before the USG routes traffic for them. •The User screen (see Section 29.2.2 on page 457) provides a summary of all user accounts.Table 177 Configuration > Object > Zone > Add/EditLABEL DESCRIPTIONName For a system default zone, the name is read only.For a user-configured zone, type the name used to refer to the zone. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.Member List Available lists the interfaces and VPN tunnels that do not belong to any zone. Select the interfaces and VPN tunnels that you want to add to the zone you are editing, and click the right arrow button to add them. Member lists the interfaces and VPN tunnels that belong to the zone. Select any interfaces that you want to remove from the zone, and click the left arrow button to remove them. OK Click OK to save your customized settings and exit this screen.Cancel Click Cancel to exit this screen without saving.

Chapter 29 ObjectUSG20(W)-VPN Series User’s Guide455•The Group screen (see Section 29.2.3 on page 460) provides a summary of all user groups. In addition, this screen allows you to add, edit, and remove user groups. User groups may consist of access users and other user groups. You cannot put admin users in user groups•The Setting screen (see Section 29.2.4 on page 461) controls default settings, login settings, lockout settings, and other user settings for the USG. You can also use this screen to specify when users must log in to the USG before it routes traffic for them.•The MAC Address screen (see Section 29.2.5 on page 466) allows you to configure the MAC addresses or OUI (Organizationally Unique Identifier) of wireless clients for MAC authentication using the local user database. The OUI is the first three octets in a MAC address and uniquely identifies the manufacturer of a network device.29.2.1 What You Need To KnowUser AccountA user account defines the privileges of a user logged into the USG. User accounts are used in security policies, in addition to controlling access to configuration and services in the USG.User TypesThese are the types of user accounts the USG uses. Note: The default admin account is always authenticated locally, regardless of the authentication method setting. (See Chapter 29 on page 510 for more information about authentication methods.)Ext-User AccountsSet up an ext-user account if the user is authenticated by an external server and you want to set up specific policies for this user in the USG. If you do not want to set up policies for this user, you do not have to set up an ext-user account.All ext-user users should be authenticated by an external server, such as AD, LDAP or RADIUS. If the USG tries to use the local database to authenticate an ext-user, the authentication attempt always fails. (This is related to AAA servers and authentication methods, which are discussed in those chapters in this guide.)Table 178 Types of User AccountsTYPE ABILITIES LOGIN METHOD(S)Admin Usersadmin Change USG configuration (web, CLI) WWW, TELNET, SSH, FTP, Consolelimited-admin Look at USG configuration (web, CLI)Perform basic diagnostics (CLI)WWW, TELNET, SSH, ConsoleAccess Usersuser Access network servicesBrowse user-mode commands (CLI)WWW, TELNET, SSHguest Access network services WWWext-user External user account WWWext-group-user External group user account WWW

Chapter 29 ObjectUSG20(W)-VPN Series User’s Guide456Note: If the USG tries to authenticate an ext-user using the local database, the attempt always fails.Once an ext-user user has been authenticated, the USG tries to get the user type (see Table 178 on page 455) from the external server. If the external server does not have the information, the USG sets the user type for this session to User.For the rest of the user attributes, such as reauthentication time, the USG checks the following places, in order.1User account in the remote server.2User account (Ext-User) in the USG.3Default user account for AD users (ad-users), LDAP users (ldap-users) or RADIUS users (radius-users) in the USG.See Setting up User Attributes in an External Server on page 468 for a list of attributes and how to set up the attributes in an external server.Ext-Group-User AccountsExt-Group-User accounts work are similar to ext-user accounts but allow you to group users by the value of the group membership attribute configured for the AD or LDAP server. See Section 29.8.5.1 on page 505 for more on the group membership attribute.User GroupsUser groups may consist of user accounts or other user groups. Use user groups when you want to create the same rule for several user accounts, instead of creating separate rules for each one.Note: You cannot put access users and admin users in the same user group.Note: You cannot put the default admin account into any user group.The sequence of members in a user group is not important.User AwarenessBy default, users do not have to log into the USG to use the network services it provides. The USG automatically routes packets for everyone. If you want to restrict network services that certain users can use via the USG, you can require them to log in to the USG first. The USG is then ‘aware’ of the user who is logged in and you can create ‘user-aware policies’ that define what services they can use. See Section 29.2.6 on page 467 for a user-aware login example.Finding Out More•See Section 29.2.6 on page 467 for some information on users who use an external authentication server in order to log in.• The USG supports TTLS using PAP so you can use the USG’s local user database to authenticate users with WPA or WPA2 instead of needing an external RADIUS server.

Chapter 29 ObjectUSG20(W)-VPN Series User’s Guide458The user name can only contain the following characters:• Alphanumeric A-z 0-9 (there is no unicode support)• _ [underscores] •- [dashes]The first character must be alphabetical (A-Z a-z), an underscore (_), or a dash (-). Other limitations on user names are:• User names are case-sensitive. If you enter a user 'bob' but use 'BOB' when connecting via CIFS or FTP, it will use the account settings used for 'BOB' not ‘bob’.• User names have to be different than user group names.• Here are the reserved user names:To access this screen, go to the User screen (see Section 29.2.2 on page 457), and click either the Add icon or an Edit icon.Figure 308 Configuration > Object > User/Group > User > Add•adm •admin •any •bin •daemon•debug •devicehaecived•ftp •games •halt•ldap-users •lp •mail •news •nobody•operator •radius-users •root •shutdown •sshd•sync •uucp •zyxel

Chapter 29 ObjectUSG20(W)-VPN Series User’s Guide459The following table describes the labels in this screen. Table 180 Configuration > Object > User/Group > User > AddLABEL DESCRIPTIONUser Name Type the user name for this user account. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. User names have to be different than user group names, and some words are reserved. See Section 29.2.2.2 on page 457.User Type This field displays the types of user accounts the USG uses: •admin - this user can look at and change the configuration of the USG•limited-admin - this user can look at the configuration of the USG but not to change it•user - this user has access to the USG’s services and can also browse user-mode commands (CLI).•guest - this user has access to the USG’s services but cannot look at the configuration.•ext-user - this user account is maintained in a remote server, such as RADIUS or LDAP. See Ext-User Accounts on page 455 for more information about this type.•ext-group-user - this user account is maintained in a remote server, such as RADIUS or LDAP. See Ext-Group-User Accounts on page 456 for more information about this type.Password This field is not available if you select the ext-user or ext-group-user type.Enter the password of this user account. It can consist of 4 - 31 alphanumeric characters.Retype This field is not available if you select the ext-user or ext-group-user type.Group Identifier This field is available for a ext-group-user type user account.Specify the value of the AD or LDAP server’s Group Membership Attribute that identifies the group to which this user belongs. Associated AAA Server ObjectThis field is available for a ext-group-user type user account. Select the AAA server to use to authenticate this account’s users.Description Enter the description of each user, if any. You can use up to 60 printable ASCII characters. Default descriptions are provided. Authentication Timeout SettingsIf you want the system to use default settings, select Use Default Settings. If you want to set authentication timeout to a value other than the default settings, select Use Manual Settings then fill your preferred values in the fields that follow.Lease Time If you select Use Default Settings in the Authentication Timeout Settings field, the default lease time is shown.If you select Use Manual Settings, you need to enter the number of minutes this user has to renew the current session before the user is logged out. You can specify 1 to 1440 minutes. You can enter 0 to make the number of minutes unlimited. Admin users renew the session every time the main screen refreshes in the Web Configurator. Access users can renew the session by clicking the Renew button on their screen. If you allow access users to renew time automatically (see Section 29.2.4 on page 461), the users can select this check box on their screen as well. In this case, the session is automatically renewed before the lease time expires.Reauthentication TimeIf you select Use Default Settings in the Authentication Timeout Settings field, the default lease time is shown.If you select Use Manual Settings, you need to type the number of minutes this user can be logged into the USG in one session before the user has to log in again. You can specify 1 to 1440 minutes. You can enter 0 to make the number of minutes unlimited. Unlike Lease Time, the user has no opportunity to renew the session without logging out.Configuration ValidationUse a user account from the group specified above to test if the configuration is correct. Enter the account’s user name in the User Name field and click Test.

Chapter 29 ObjectUSG20(W)-VPN Series User’s Guide461Figure 310 Configuration > Object > User/Group > Group > AddThe following table describes the labels in this screen. 29.2.4 User/Group Setting Screen The Setting screen controls default settings, login settings, lockout settings, and other user settings for the USG. You can also use this screen to specify when users must log in to the USG before it routes traffic for them.To access this screen, login to the Web Configurator, and click Configuration > Object > User/Group > Setting.Table 182 Configuration > Object > User/Group > Group > AddLABEL DESCRIPTIONName Type the name for this user group. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. User group names have to be different than user names.Description Enter the description of the user group, if any. You can use up to 60 characters, punctuation marks, and spaces.Member List The Member list displays the names of the users and user groups that have been added to the user group. The order of members is not important. Select users and groups from the Available list that you want to be members of this group and move them to the Member list. You can double-click a single entry to move it or use the [Shift] or [Ctrl] key to select multiple entries and use the arrow button to move them. Move any members you do not want included to the Available list. OK Click OK to save your changes back to the USG.Cancel Click Cancel to exit this screen without saving your changes.

Chapter 29 ObjectUSG20(W)-VPN Series User’s Guide462Figure 311 Configuration > Object > User/Group > SettingThe following table describes the labels in this screen. Table 183 Configuration > Object > User/Group > SettingLABEL DESCRIPTIONUser Authentication Timeout SettingsDefault Authentication Timeout SettingsThese authentication timeout settings are used by default when you create a new user account. They also control the settings for any existing user accounts that are set to use the default settings. You can still manually configure any user account’s authentication timeout settings.Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. # This field is a sequential value, and it is not associated with a specific entry.

Chapter 29 ObjectUSG20(W)-VPN Series User’s Guide463User Type These are the kinds of user account the USG supports.•admin - this user can look at and change the configuration of the USG•limited-admin - this user can look at the configuration of the USG but not to change it•user - this user has access to the USG’s services but cannot look at the configuration•guest - this user has access to the USG’s services but cannot look at the configuration•ext-user - this user account is maintained in a remote server, such as RADIUS or LDAP. See Ext-User Accounts on page 455 for more information about this type.•ext-group-user - this user account is maintained in a remote server, such as RADIUS or LDAP. See Ext-Group-User Accounts on page 456 for more information about this type.Lease Time This is the default lease time in minutes for each type of user account. It defines the number of minutes the user has to renew the current session before the user is logged out.Admin users renew the session every time the main screen refreshes in the Web Configurator. Access users can renew the session by clicking the Renew button on their screen. If you allow access users to renew time automatically (see Section 29.2.4 on page 461), the users can select this check box on their screen as well. In this case, the session is automatically renewed before the lease time expires.Reauthentication Time This is the default reauthentication time in minutes for each type of user account. It defines the number of minutes the user can be logged into the USG in one session before having to log in again. Unlike Lease Time, the user has no opportunity to renew the session without logging out.Miscellaneous SettingsAllow renewing lease time automatically Select this check box if access users can renew lease time automatically, as well as manually, simply by selecting the Updating lease time automatically check box on their screen.Enable user idle detection This is applicable for access users.Select this check box if you want the USG to monitor how long each access user is logged in and idle (in other words, there is no traffic for this access user). The USG automatically logs out the access user once the User idle timeout has been reached.User idle timeout This is applicable for access users.This field is effective when Enable user idle detection is checked. Type the number of minutes each access user can be logged in and idle before the USG automatically logs out the access user.User Logon SettingsLimit the number of simultaneous logons for administration accountSelect this check box if you want to set a limit on the number of simultaneous logins by admin users. If you do not select this, admin users can login as many times as they want at the same time using the same or different IP addresses.Maximum number per administration account This field is effective when Limit ... for administration account is checked. Type the maximum number of simultaneous logins by each admin user. Limit the number of simultaneous logons for access accountSelect this check box if you want to set a limit on the number of simultaneous logins by non-admin users. If you do not select this, access users can login as many times as they want as long as they use different IP addresses.Maximum number per access account This field is effective when Limit ... for access account is checked. Type the maximum number of simultaneous logins by each access user. Table 183 Configuration > Object > User/Group > Setting (continued)LABEL DESCRIPTION

Chapter 29 ObjectUSG20(W)-VPN Series User’s Guide46429.2.4.1 Default User Authentication Timeout Settings Edit ScreensThe Default Authentication Timeout Settings Edit screen allows you to set the default authentication timeout settings for the selected type of user account. These default authentication timeout settings also control the settings for any existing user accounts that are set to use the default settings. You can still manually configure any user account’s authentication timeout settings.To access this screen, go to the Configuration > Object > User/Group > Setting screen (see Section 29.2.4 on page 461), and click one of the Default Authentication Timeout Settings section’s Edit icons.Figure 312 Configuration > Object > User/Group > Setting > EditUser Lockout SettingsEnable logon retry limit Select this check box to set a limit on the number of times each user can login unsuccessfully (for example, wrong password) before the IP address is locked out for a specified amount of time.Maximum retry count This field is effective when Enable logon retry limit is checked. Type the maximum number of times each user can login unsuccessfully before the IP address is locked out for the specified lockout period. The number must be between 1 and 99.Lockout period This field is effective when Enable logon retry limit is checked. Type the number of minutes the user must wait to try to login again, if logon retry limit is enabled and the maximum retry count is reached. This number must be between 1 and 65,535 (about 45.5 days).Apply Click Apply to save the changes. Reset Click Reset to return the screen to its last-saved settings. Table 183 Configuration > Object > User/Group > Setting (continued)LABEL DESCRIPTION

Chapter 29 ObjectUSG20(W)-VPN Series User’s Guide465The following table describes the labels in this screen. 29.2.4.2 User Aware Login ExampleAccess users cannot use the Web Configurator to browse the configuration of the USG. Instead, after access users log into the USG, the following screen appears.Figure 313 Web Configurator for Non-Admin UsersTable 184 Configuration > Object > User/Group > Setting > EditLABEL DESCRIPTIONUser Type This read-only field identifies the type of user account for which you are configuring the default settings.•admin - this user can look at and change the configuration of the USG•limited-admin - this user can look at the configuration of the USG but not to change it.•user - this user has access to the USG’s services but cannot look at the configuration.•guest - this user has access to the USG’s services but cannot look at the configuration.•ext-user - this user account is maintained in a remote server, such as RADIUS or LDAP. See Ext-User Accounts on page 455 for more information about this type.•ext-group-user - this user account is maintained in a remote server, such as RADIUS or LDAP. See Ext-Group-User Accounts on page 456 for more information about this type.Lease Time Enter the number of minutes this type of user account has to renew the current session before the user is logged out. You can specify 1 to 1440 minutes. You can enter 0 to make the number of minutes unlimited. Admin users renew the session every time the main screen refreshes in the Web Configurator. Access users can renew the session by clicking the Renew button on their screen. If you allow access users to renew time automatically (see Section 29.2.4 on page 461), the users can select this check box on their screen as well. In this case, the session is automatically renewed before the lease time expires.Reauthentication Time Type the number of minutes this type of user account can be logged into the USG in one session before the user has to log in again. You can specify 1 to 1440 minutes. You can enter 0 to make the number of minutes unlimited. Unlike Lease Time, the user has no opportunity to renew the session without logging out.OK Click OK to save your changes back to the USG.Cancel Click Cancel to exit this screen without saving your changes.

Chapter 29 ObjectUSG20(W)-VPN Series User’s Guide46729.2.5.1 MAC Address Add/Edit Screen This screen allows you to create a new allowed device or edit an existing one. To access this screen, go to the MAC Address screen (see Section 29.2.5 on page 466), and click either the Add icon or an Edit icon.Figure 315 Configuration > Object > User/Group > MAC Address > AddThe following table describes the labels in this screen. 29.2.6 User /Group Technical ReferenceThis section provides some information on users who use an external authentication server in order to log in.Remove To remove an entry, select it and click Remove. The USG confirms you want to remove it before doing so.MAC Address/OUIThis field displays the MAC address or OUI (Organizationally Unique Identifier of computer hardware manufacturers) of wireless clients using MAC authentication with the USG local user database.Description This field displays a description of the device identified by the MAC address or OUI.Table 186 Configuration > Object > User/Group > MAC Address (continued)LABEL DESCRIPTIONTable 187 Configuration > Object > User/Group > MAC Address > AddLABEL DESCRIPTIONMAC Address/OUIType the MAC address (six hexadecimal number pairs separated by colons or hyphens) or OUI (three hexadecimal number pairs separated by colons or hyphens) to identify specific wireless clients for MAC authentication using the USG local user database. The OUI is the first three octets in a MAC address and uniquely identifies the manufacturer of a network device.Description Enter an optional description of the wireless device(s) identified by the MAC or OUI. You can use up to 60 characters, punctuation marks, and spaces.OK Click OK to save your changes back to the USG.Cancel Click Cancel to exit this screen without saving your changes.

Chapter 29 ObjectUSG20(W)-VPN Series User’s Guide489The following table describes the labels in this screen. 29.5.2.2 Address Group Summary ScreenThe Address Group screen provides a summary of all address groups. To access this screen, click Configuration > Object > Address > Address Group. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order.Figure 330 Configuration > Object > Address > Address GroupTable 200 IPv4 Address Configuration > Add/EditLABEL DESCRIPTIONName Type the name used to refer to the address. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.Address Type Select the type of address you want to create. Choices are: HOST, RANGE, SUBNET, INTERFACE IP, INTERFACE SUBNET, and INTERFACE GATEWAY.Note: The USG automatically updates address objects that are based on an interface’s IP address, subnet, or gateway if the interface’s IP address settings change. For example, if you change 1’s IP address, the USG automatically updates the corresponding interface-based, LAN subnet address object.IP Address This field is only available if the Address Type is HOST. This field cannot be blank. Enter the IP address that this address object represents.Starting IP AddressThis field is only available if the Address Type is RANGE. This field cannot be blank. Enter the beginning of the range of IP addresses that this address object represents.Ending IP AddressThis field is only available if the Address Type is RANGE. This field cannot be blank. Enter the end of the range of IP address that this address object represents.Network This field is only available if the Address Type is SUBNET, in which case this field cannot be blank. Enter the IP address of the network that this address object represents.Netmask This field is only available if the Address Type is SUBNET, in which case this field cannot be blank. Enter the subnet mask of the network that this address object represents. Use dotted decimal format.Interface If you selected INTERFACE IP, INTERFACE SUBNET, or INTERFACE GATEWAY as theAddress Type, use this field to select the interface of the network that this address object represents.OK Click OK to save your changes back to the USG.Cancel Click Cancel to exit this screen without saving your changes.

Chapter 29 ObjectUSG20(W)-VPN Series User’s Guide491Figure 331 IPv4/IPv6 Address Group Configuration > Add The following table describes the labels in this screen. 29.6 Service OverviewUse service objects to define TCP applications, UDP applications, and ICMP messages. You can also create service groups to refer to multiple service objects in other features. •Use the Service screens (Section 29.6.2 on page 492) to view and configure the USG’s list of services and their definitions. •Use the Service Group screens (Section 29.6.2 on page 492) to view and configure the USG’s list of service groups. Table 202 IPv4/IPv6 Address Group Configuration > AddLABEL DESCRIPTIONName Enter a name for the address group. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.Description This field displays the description of each address group, if any. You can use up to 60 characters, punctuation marks, and spaces.Member List The Member list displays the names of the address and address group objects that have been added to the address group. The order of members is not important. Select items from the Available list that you want to be members and move them to the Member list. You can double-click a single entry to move it or use the [Shift] or [Ctrl] key to select multiple entries and use the arrow button to move them. Move any members you do not want included to the Available list. OK Click OK to save your changes back to the USG.Cancel Click Cancel to exit this screen without saving your changes.

Chapter 29 ObjectUSG20(W)-VPN Series User’s Guide49229.6.1 What You Need to KnowIP ProtocolsIP protocols are based on the eight-bit protocol field in the IP header. This field represents the next-level protocol that is sent in this packet. This section discusses three of the most common IP protocols.Computers use Transmission Control Protocol (TCP, IP protocol 6) and User Datagram Protocol (UDP, IP protocol 17) to exchange data with each other. TCP guarantees reliable delivery but is slower and more complex. Some uses are FTP, HTTP, SMTP, and TELNET. UDP is simpler and faster but is less reliable. Some uses are DHCP, DNS, RIP, and SNMP.TCP creates connections between computers to exchange data. Once the connection is established, the computers exchange data. If data arrives out of sequence or is missing, TCP puts it in sequence or waits for the data to be re-transmitted. Then, the connection is terminated.In contrast, computers use UDP to send short messages to each other. There is no guarantee that the messages arrive in sequence or that the messages arrive at all.Both TCP and UDP use ports to identify the source and destination. Each port is a 16-bit number. Some port numbers have been standardized and are used by low-level system processes; many others have no particular meaning.Unlike TCP and UDP, Internet Control Message Protocol (ICMP, IP protocol 1) is mainly used to send error messages or to investigate problems. For example, ICMP is used to send the response if a computer cannot be reached. Another use is ping. ICMP does not guarantee delivery, but networks often treat ICMP messages differently, sometimes looking at the message itself to decide where to send it.Service Objects and Service GroupsUse service objects to define IP protocols.• TCP applications• UDP applications• ICMP messages• user-defined services (for other types of IP protocols)These objects are used in policy routes, and security policies.Use service groups when you want to create the same rule for several services, instead of creating separate rules for each service. Service groups may consist of services and other service groups. The sequence of members in the service group is not important.29.6.2 The Service Summary ScreenThe Service summary screen provides a summary of all services and their definitions. In addition, this screen allows you to add, edit, and remove services.

Chapter 29 ObjectUSG20(W)-VPN Series User’s Guide494The following table describes the labels in this screen. 29.6.3 The Service Group Summary Screen The Service Group summary screen provides a summary of all service groups. In addition, this screen allows you to add, edit, and remove service groups.To access this screen, log in to the Web Configurator, and click Configuration > Object > Service > Service Group.Figure 334 Configuration > Object > Service > Service Group Table 204 Configuration > Object > Service > Service > EditLABEL DESCRIPTIONName Type the name used to refer to the service. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.IP Protocol Select the protocol the service uses. Choices are: TCP, UDP, ICMP, ICMPv6, and User Defined.Starting PortEnding PortThis field appears if the IP Protocol is TCP or UDP. Specify the port number(s) used by this service. If you fill in one of these fields, the service uses that port. If you fill in both fields, the service uses the range of ports.ICMP Type This field appears if the IP Protocol is ICMP or ICMPv6.Select the ICMP message used by this service. This field displays the message text, not the message number.IP Protocol NumberThis field appears if the IP Protocol is User Defined.Enter the number of the next-level protocol (IP protocol). Allowed values are 1 - 255.OK Click OK to save your changes back to the USG.Cancel Click Cancel to exit this screen without saving your changes.

Chapter 29 ObjectUSG20(W)-VPN Series User’s Guide496The following table describes the labels in this screen. 29.7 Schedule Overview Use schedules to set up one-time and recurring schedules for policy routes, security policies, and content filtering. The USG supports one-time and recurring schedules. One-time schedules are effective only once, while recurring schedules usually repeat. Both types of schedules are based on the current date and time in the USG. Note: Schedules are based on the USG’s current date and time.•Use the Schedule summary screen (Section 29.7.2 on page 497) to see a list of all schedules in the USG. •Use the One-Time Schedule Add/Edit screen (Section 29.7.2.1 on page 498) to create or edit a one-time schedule.•Use the Recurring Schedule Add/Edit screen (Section 29.7.2.2 on page 499) to create or edit a recurring schedule.• Use the Schedule Group screen (Section 29.7.3 on page 500) to merge individual schedule objects as one object.29.7.1 What You Need to KnowOne-time SchedulesOne-time schedules begin on a specific start date and time and end on a specific stop date and time. One-time schedules are useful for long holidays and vacation periods.Recurring SchedulesRecurring schedules begin at a specific start time and end at a specific stop time on selected days of the week (Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, and Saturday). Recurring Table 206 Configuration > Object > Service > Service Group > EditLABEL DESCRIPTIONName Enter the name of the service group. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.Description Enter a description of the service group, if any. You can use up to 60 printable ASCII characters.Member List The Member list displays the names of the service and service group objects that have been added to the service group. The order of members is not important. Select items from the Available list that you want to be members and move them to the Member list. You can double-click a single entry to move it or use the [Shift] or [Ctrl] key to select multiple entries and use the arrow button to move them. Move any members you do not want included to the Available list. OK Click OK to save your changes back to the USG.Cancel Click Cancel to exit this screen without saving your changes.

Chapter 29 ObjectUSG20(W)-VPN Series User’s Guide49929.7.2.2 The Recurring Schedule Add/Edit ScreenThe Recurring Schedule Add/Edit screen allows you to define a recurring schedule or edit an existing one. To access this screen, go to the Schedule screen (see Section 29.7.2 on page 497), and click either the Add icon or an Edit icon in the Recurring section.Figure 338 Configuration > Object > Schedule > Edit (Recurring)The Year, Month, and Day columns are not used in recurring schedules and are disabled in this screen. The following table describes the remaining labels in this screen. OK Click OK to save your changes back to the USG.Cancel Click Cancel to exit this screen without saving your changes.Table 208 Configuration > Object > Schedule > Edit (One Time) (continued)LABEL DESCRIPTIONTable 209 Configuration > Object > Schedule > Edit (Recurring)LABEL DESCRIPTIONConfigurationName Type the name used to refer to the recurring schedule. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.Date TimeStartTime Specify the hour and minute when the schedule begins each day.•Hour - 0 - 23•Minute - 0 - 59StopTime Specify the hour and minute when the schedule ends each day.•Hour - 0 - 23•Minute - 0 - 59WeeklyWeek Days Select each day of the week the recurring schedule is effective.OK Click OK to save your changes back to the USG.Cancel Click Cancel to exit this screen without saving your changes.

Chapter 29 ObjectUSG20(W)-VPN Series User’s Guide501Figure 340 Configuration > Schedule > Schedule Group > AddThe following table describes the fields in the above screen.29.8 AAA Server Overview You can use a AAA (Authentication, Authorization, Accounting) server to provide access control to your network. The AAA server can be a Active Directory, LDAP, or RADIUS server. Use the AAA Server screens to create and manage objects that contain settings for using AAA servers. You use Table 211 Configuration > Schedule > Schedule Group > AddLABEL DESCRIPTIONGroup MembersName Type the name used to refer to the recurring schedule. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.Description Enter a description of the service group, if any. You can use up to 60 printable ASCII characters.Member List The Member list displays the names of the service and service group objects that have been added to the service group. The order of members is not important. Select items from the Available list that you want to be members and move them to the Member list. You can double-click a single entry to move it or use the [Shift] or [Ctrl] key to select multiple entries and use the arrow button to move them. Move any members you do not want included to the Available list. OK Click OK to save your changes back to the USG.Cancel Click Cancel to exit this screen without saving your changes.

Chapter 29 ObjectUSG20(W)-VPN Series User’s Guide502AAA server objects in configuring ext-group-user user objects and authentication method objects (see Chapter 29 on page 510). 29.8.1 Directory Service (AD/LDAP)LDAP/AD allows a client (the USG) to connect to a server to retrieve information from a directory. A network example is shown next. Figure 341 Example: Directory Service Client and Server The following describes the user authentication procedure via an LDAP/AD server. 1A user logs in with a user name and password pair. 2The USG tries to bind (or log in) to the LDAP/AD server. 3When the binding process is successful, the USG checks the user information in the directory against the user name and password pair. 4If it matches, the user is allowed access. Otherwise, access is blocked. 29.8.2 RADIUS Server RADIUS (Remote Authentication Dial-In User Service) authentication is a popular protocol used to authenticate users by means of an external server instead of (or in addition to) an internal device user database that is limited to the memory capacity of the device. In essence, RADIUS authentication allows you to validate a large number of users from a central location.Figure 342 RADIUS Server Network Example29.8.3 ASASASAS (Authenex Strong Authentication System) is a RADIUS server that works with the One-Time Password (OTP) feature. Purchase a USG OTP package in order to use this feature. The package

Chapter 29 ObjectUSG20(W)-VPN Series User’s Guide504Figure 343 Basic Directory Structure Distinguished Name (DN) A DN uniquely identifies an entry in a directory. A DN consists of attribute-value pairs separated by commas. The leftmost attribute is the Relative Distinguished Name (RDN). This provides a unique name for entries that have the same “parent DN” (“cn=domain1.com, ou=Sales, o=MyCompany” in the following examples). cn=domain1.com, ou = Sales, o=MyCompany, c=UScn=domain1.com, ou = Sales, o=MyCompany, c=JPBase DN A base DN specifies a directory. A base DN usually contains information such as the name of an organization, a domain name and/or country. For example, o=MyCompany, c=UK where o means organization and c means country. Bind DN A bind DN is used to authenticate with an LDAP/AD server. For example a bind DN of cn=zywallAdmin allows the USG to log into the LDAP/AD server using the user name of zywallAdmin. The bind DN is used in conjunction with a bind password. When a bind DN is not specified, the USG will try to log in as an anonymous user. If the bind password is incorrect, the login will fail.29.8.5 Active Directory or LDAP Server SummaryUse the Active Directory or LDAP screen to manage the list of AD or LDAP servers the USG can use in authenticating users. Click Configuration > Object > AAA Server > Active Directory (or LDAP) to display the Active Directory (or LDAP) screen. RootUSJapanSprintUPSNECSalesRD3QACSOSalesRDCountries (c) Organizations Organization Units Unique Common Name (cn)

Chapter 29 ObjectUSG20(W)-VPN Series User’s Guide505Figure 344 Configuration > Object > AAA Server > Active Directory (or LDAP) The following table describes the labels in this screen. 29.8.5.1 Adding an Active Directory or LDAP ServerClick Object > AAA Server > Active Directory (or LDAP) to display the Active Directory (or LDAP) screen. Click the Add icon or an Edit icon to display the following screen. Use this screen to create a new AD or LDAP entry or edit an existing one. Table 212 Configuration > Object > AAA Server > Active Directory (or LDAP) LABEL DESCRIPTIONAdd Click this to create a new entry.Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. Remove To remove an entry, select it and click Remove. The USG confirms you want to remove it before doing so.Object ReferencesSelect an entry and click Object References to open a screen that shows which settings use the entry. # This field is a sequential value, and it is not associated with a specific AD or LDAP server.Name This field displays the name of the Active Directory.Server Address This is the address of the AD or LDAP server.Base DN This specifies a directory. For example, o=ZyXEL, c=US.

Chapter 29 ObjectUSG20(W)-VPN Series User’s Guide506Figure 345 Configuration > Object > AAA Server > Active Directory (or LDAP) > Add

Chapter 29 ObjectUSG20(W)-VPN Series User’s Guide507The following table describes the labels in this screen. Table 213 Configuration > Object > AAA Server > Active Directory (or LDAP) > AddLABEL DESCRIPTIONName Enter a descriptive name (up to 63 alphanumerical characters) for identification purposes. Description Enter the description of each server, if any. You can use up to 60 printable ASCII characters. Server Address Enter the address of the AD or LDAP server.Backup Server AddressIf the AD or LDAP server has a backup server, enter its address here.Port Specify the port number on the AD or LDAP server to which the USG sends authentication requests. Enter a number between 1 and 65535. This port number should be the same on all AD or LDAP server(s) in this group. Base DN Specify the directory (up to 127 alphanumerical characters). For example, o=ZyXEL,c=US. This is only for LDAP.Use SSL Select Use SSL to establish a secure connection to the AD or LDAP server(s). Search time limit Specify the timeout period (between 1 and 300 seconds) before the USG disconnects from the AD or LDAP server. In this case, user authentication fails. Search timeout occurs when either the user information is not in the AD or LDAP server(s) or the AD or LDAP server(s) is down. Case-sensitive User NamesSelect this if the server checks the case of the usernames.Bind DN Specify the bind DN for logging into the AD or LDAP server. Enter up to 127 alphanumerical characters. For example, cn=zywallAdmin specifies zywallAdmin as the user name. Password If required, enter the password (up to 15 alphanumerical characters) for the USG to bind (or log in) to the AD or LDAP server. Retype to Confirm Retype your new password for confirmation.Login Name AttributeEnter the type of identifier the users are to use to log in. For example “name” or “e-mail address”. Alternative Login Name Attribute If there is a second type of identifier that the users can use to log in, enter it here. For example “name” or “e-mail address”. Group Membership AttributeAn AD or LDAP server defines attributes for its accounts. Enter the name of the attribute that the USG is to check to determine to which group a user belongs. The value for this attribute is called a group identifier; it determines to which group a user belongs. You can add ext-group-user user objects to identify groups based on these group identifier values. For example you could have an attribute named “memberOf” with values like “sales”, “RD”, and “management”. Then you could also create a ext-group-user user object for each group. One with “sales” as the group identifier, another for “RD” and a third for “management”.Domain Authentication for MSChapSelect the Enable checkbox to enable domain authentication for MSChap.This is only for Active Directory.User Name Enter the user name for the user who has rights to add a machine to the domain.This is only for Active Directory.User Password Enter the password for the associated user name.This is only for Active Directory.

Chapter 29 ObjectUSG20(W)-VPN Series User’s Guide50829.8.6 RADIUS Server SummaryUse the RADIUS screen to manage the list of RADIUS servers the USG can use in authenticating users. Click Configuration > Object > AAA Server > RADIUS to display the RADIUS screen. Figure 346 Configuration > Object > AAA Server > RADIUS The following table describes the labels in this screen. Retype to Confirm Retype your new password for confirmation.This is only for Active Directory.Realm Enter the realm FQDN.This is only for Active Directory.NetBIOS Name Type the NetBIOS name. This field is optional. NetBIOS packets are TCP or UDP packets that enable a computer to connect to and communicate with a LAN which allows local computers to find computers on the remote network and vice versa.Configuration ValidationUse a user account from the server specified above to test if the configuration is correct. Enter the account’s user name in the Username field and click Test.OK Click OK to save the changes. Cancel Click Cancel to discard the changes. Table 213 Configuration > Object > AAA Server > Active Directory (or LDAP) > Add (continued)LABEL DESCRIPTIONTable 214 Configuration > Object > AAA Server > RADIUSLABEL DESCRIPTIONAdd Click this to create a new entry.Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. Remove To remove an entry, select it and click Remove. The USG confirms you want to remove it before doing so.Object ReferencesSelect an entry and click Object References to open a screen that shows which settings use the entry.# This field displays the index number. Name This is the name of the RADIUS server entry.Server Address This is the address of the AD or LDAP server.

Chapter 29 ObjectUSG20(W)-VPN Series User’s Guide50929.8.6.1 Adding a RADIUS Server Click Configuration > Object > AAA Server > RADIUS to display the RADIUS screen. Click the Add icon or an Edit icon to display the following screen. Use this screen to create a new AD or LDAP entry or edit an existing one. Figure 347 Configuration > Object > AAA Server > RADIUS > Add The following table describes the labels in this screen. Table 215 Configuration > Object > AAA Server > RADIUS > AddLABEL DESCRIPTIONName Enter a descriptive name (up to 63 alphanumerical characters) for identification purposes. Description Enter the description of each server, if any. You can use up to 60 printable ASCII characters.Server Address Enter the address of the RADIUS server.Authentication PortSpecify the port number on the RADIUS server to which the USG sends authentication requests. Enter a number between 1 and 65535. Backup Server AddressIf the RADIUS server has a backup server, enter its address here.Backup Authentication PortSpecify the port number on the RADIUS server to which the USG sends authentication requests. Enter a number between 1 and 65535.

Chapter 29 ObjectUSG20(W)-VPN Series User’s Guide51029.9 Auth. Method Overview Authentication method objects set how the USG authenticates wireless, HTTP/HTTPS clients, and peer IPSec routers (extended authentication) clients. Configure authentication method objects to have the USG use the local user database, and/or the authentication servers and authentication server groups specified by AAA server objects. By default, user accounts created and stored on the USG are authenticated locally.•Use the Configuration > Object > Auth. Method screens (Section 29.9.3 on page 511) to create and manage authentication method objects.29.9.1 Before You Begin Configure AAA server objects before you configure authentication method objects. 29.9.2 Example: Selecting a VPN Authentication MethodAfter you set up an authentication method object in the Auth. Method screens, you can use it in the VPN Gateway screen to authenticate VPN users for establishing a VPN connection. Refer to the chapter on VPN for more information. Follow the steps below to specify the authentication method for a VPN connection. Timeout Specify the timeout period (between 1 and 300 seconds) before the USG disconnects from the RADIUS server. In this case, user authentication fails. Search timeout occurs when either the user information is not in the RADIUS server or the RADIUS server is down. NAS IP Address Type the IP address of the NAS (Network Access Server).Case-sensitive User NamesSelect this if you want configure your username as case-sensitive.Key Enter a password (up to 15 alphanumeric characters) as the key to be shared between the external authentication server and the USG. The key is not sent over the network. This key must be the same on the external authentication server and the USG. Group Membership AttributeA RADIUS server defines attributes for its accounts. Select the name and number of the attribute that the USG is to check to determine to which group a user belongs. If it does not display, select user-defined and specify the attribute’s number. This attribute’s value is called a group identifier; it determines to which group a user belongs. You can add ext-group-user user objects to identify groups based on these group identifier values. For example you could have an attribute named “memberOf” with values like “sales”, “RD”, and “management”. Then you could also create a ext-group-user user object for each group. One with “sales” as the group identifier, another for “RD” and a third for “management”.OK Click OK to save the changes. Cancel Click Cancel to discard the changes. Table 215 Configuration > Object > AAA Server > RADIUS > Add (continued)LABEL DESCRIPTION

Chapter 29 ObjectUSG20(W)-VPN Series User’s Guide5111Access the Configuration > VPN > IPSec VPN > VPN Gateway > Edit screen.2Click Show Advance Setting and select Enable Extended Authentication. 3Select Server Mode and select an authentication method object from the drop-down list box. 4Click OK to save the settings. Figure 348 Example: Using Authentication Method in VPN 29.9.3 Authentication Method ObjectsClick Configuration > Object > Auth. Method to display the screen as shown. Note: You can create up to 16 authentication method objects. Figure 349 Configuration > Object > Auth. Method The following table describes the labels in this screen. Table 216 Configuration > Object > Auth. MethodLABEL DESCRIPTIONAdd Click this to create a new entry.Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings. Remove To remove an entry, select it and click Remove. The USG confirms you want to remove it before doing so.Object ReferencesSelect an entry and click Object References to open a screen that shows which settings use the entry. # This field displays the index number.Method Name This field displays a descriptive name for identification purposes.Method List This field displays the authentication method(s) for this entry.

Chapter 29 ObjectUSG20(W)-VPN Series User’s Guide51229.9.3.1 Creating an Authentication Method Object Follow the steps below to create an authentication method object.1Click Configuration > Object > Auth. Method.2Click Add.3Specify a descriptive name for identification purposes in the Name field. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. For example, “My_Device”. 4Click Add to insert an authentication method in the table.5Select a server object from the Method List drop-down list box.6You can add up to four server objects to the table. The ordering of the Method List column is important. The USG authenticates the users using the databases (in the local user database or the external authentication server) in the order they appear in this screen. If two accounts with the same username exist on two authentication servers you specify, the USG does not continue the search on the second authentication server when you enter the username and password that doesn’t match the one on the first authentication server. Note: You can NOT select two server objects of the same type. 7Click OK to save the settings or click Cancel to discard all changes and return to the previous screen. Figure 350 Configuration > Object > Auth. Method > Add The following table describes the labels in this screen. Table 217 Configuration > Object > Auth. Method > AddLABEL DESCRIPTIONName Specify a descriptive name for identification purposes. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. For example, “My_Device”.Add Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.Edit Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.

Chapter 29 ObjectUSG20(W)-VPN Series User’s Guide51329.10 Certificate OverviewThe USG can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner’s identity and public key. Certificates provide a way to exchange public keys for use in authentication. •Use the My Certificates screens (see Section 29.10.3 on page 516 to Section 29.10.3.3 on page 522) to generate and export self-signed certificates or certification requests and import the CA-signed certificates.•Use the Trusted Certificates screens (see Section 29.10.4 on page 523 to Section 29.10.4.2 on page 527) to save CA certificates and trusted remote host certificates to the USG. The USG trusts any valid certificate that you have imported as a trusted certificate. It also trusts any valid certificate signed by any of the certificates that you have imported as a trusted certificate. 29.10.1 What You Need to KnowWhen using public-key cryptology for authentication, each host has two keys. One key is public and can be made openly available. The other key is private and must be kept secure. These keys work like a handwritten signature (in fact, certificates are often referred to as “digital signatures”). Only you can write your signature exactly as it should look. When people know what your signature looks like, they can verify whether something was signed by you, or by someone else. In the same way, your private key “writes” your digital signature and your public key allows people to verify whether data was signed by you, or by someone else. This process works as follows.Remove To remove an entry, select it and click Remove. The USG confirms you want to remove it before doing so.Move To change a method’s position in the numbered list, select the method and click Move to display a field to type a number for where you want to put it and press [ENTER] to move the rule to the number that you typed.The ordering of your methods is important as USG authenticates the users using the authentication methods in the order they appear in this screen.# This field displays the index number.Method List Select a server object from the drop-down list box. You can create a server object in the AAA Server screen. The USG authenticates the users using the databases (in the local user database or the external authentication server) in the order they appear in this screen. If two accounts with the same username exist on two authentication servers you specify, the USG does not continue the search on the second authentication server when you enter the username and password that doesn’t match the one on the first authentication server. OK Click OK to save the changes. Cancel Click Cancel to discard the changes. Table 217 Configuration > Object > Auth. Method > Add (continued)LABEL DESCRIPTION

Chapter 29 ObjectUSG20(W)-VPN Series User’s Guide5141Tim wants to send a message to Jenny. He needs her to be sure that it comes from him, and that the message content has not been altered by anyone else along the way. Tim generates a public key pair (one public key and one private key). 2Tim keeps the private key and makes the public key openly available. This means that anyone who receives a message seeming to come from Tim can read it and verify whether it is really from him or not. 3Tim uses his private key to sign the message and sends it to Jenny.4Jenny receives the message and uses Tim’s public key to verify it. Jenny knows that the message is from Tim, and that although other people may have been able to read the message, no-one can have altered it (because they cannot re-sign the message with Tim’s private key).5Additionally, Jenny uses her own private key to sign a message and Tim uses Jenny’s public key to verify the message.The USG uses certificates based on public-key cryptology to authenticate users attempting to establish a connection, not to encrypt the data that you send after establishing a connection. The method used to secure the data that you send through an established connection depends on the type of connection. For example, a VPN tunnel might use the triple DES encryption algorithm.The certification authority uses its private key to sign certificates. Anyone can then use the certification authority’s public key to verify the certificates.A certification path is the hierarchy of certification authority certificates that validate a certificate. The USG does not trust a certificate if any certificate on its path has expired or been revoked. Certification authorities maintain directory servers with databases of valid and revoked certificates. A directory of certificates that have been revoked before the scheduled expiration is called a CRL (Certificate Revocation List). The USG can check a peer’s certificate against a directory server’s list of revoked certificates. The framework of servers, software, procedures and policies that handles keys is called PKI (public-key infrastructure).Advantages of CertificatesCertificates offer the following benefits.• The USG only has to store the certificates of the certification authorities that you decide to trust, no matter how many devices you need to authenticate. • Key distribution is simple and very secure since you can freely distribute public keys and you never need to transmit private keys.Self-signed CertificatesYou can have the USG act as a certification authority and sign its own certificates.Factory Default CertificateThe USG generates its own unique self-signed certificate when you first turn it on. This certificate is referred to in the GUI as the factory default certificate.

Chapter 29 ObjectUSG20(W)-VPN Series User’s Guide515Certificate File FormatsAny certificate that you want to import has to be in one of these file formats:• Binary X.509: This is an ITU-T recommendation that defines the formats for X.509 certificates.• PEM (Base-64) encoded X.509: This Privacy Enhanced Mail format uses lowercase letters, uppercase letters and numerals to convert a binary X.509 certificate into a printable form.• Binary PKCS#7: This is a standard that defines the general syntax for data (including digital signatures) that may be encrypted. A PKCS #7 file is used to transfer a public key certificate. The private key is not included. The USG currently allows the importation of a PKS#7 file that contains a single certificate. • PEM (Base-64) encoded PKCS#7: This Privacy Enhanced Mail (PEM) format uses lowercase letters, uppercase letters and numerals to convert a binary PKCS#7 certificate into a printable form.• Binary PKCS#12: This is a format for transferring public key and private key certificates. The private key in a PKCS #12 file is within a password-encrypted envelope. The file’s password is not connected to your certificate’s public or private passwords. Exporting a PKCS #12 file creates this and you must provide it to decrypt the contents when you import the file into the USG. Note: Be careful not to convert a binary file to text during the transfer process. It is easy for this to occur since many programs use text files by default. 29.10.2 Verifying a CertificateBefore you import a trusted certificate into the USG, you should verify that you have the correct certificate. You can do this using the certificate’s fingerprint. A certificate’s fingerprint is a message digest calculated using the MD5 or SHA1 algorithm. The following procedure describes how to check a certificate’s fingerprint to verify that you have the actual certificate. 1Browse to where you have the certificate saved on your computer. 2Make sure that the certificate has a “.cer” or “.crt” file name extension.Figure 351 Remote Host Certificates3Double-click the certificate’s icon to open the Certificate window. Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields.

Chapter 29 ObjectUSG20(W)-VPN Series User’s Guide516Figure 352 Certificate Details 4Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may very based on your situation. Possible examples would be over the telephone or through an HTTPS connection. 29.10.3 The My Certificates Screen Click Configuration > Object > Certificate > My Certificates to open the My Certificates screen. This is the USG’s summary list of certificates and certification requests.Figure 353 Configuration > Object > Certificate > My Certificates

Chapter 29 ObjectUSG20(W)-VPN Series User’s Guide517The following table describes the labels in this screen. 29.10.3.1 The My Certificates Add ScreenClick Configuration > Object > Certificate > My Certificates and then the Add icon to open the My Certificates Add screen. Use this screen to have the USG create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request.Table 218 Configuration > Object > Certificate > My CertificatesLABEL DESCRIPTIONPKI Storage Space in UseThis bar displays the percentage of the USG’s PKI storage space that is currently in use. When the storage space is almost full, you should consider deleting expired or unnecessary certificates before adding more certificates.Add Click this to go to the screen where you can have the USG generate a certificate or a certification request.Edit Double-click an entry or select it and click Edit to open a screen with an in-depth list of information about the certificate.Remove The USG keeps all of your certificates unless you specifically delete them. Uploading a new firmware or default configuration file does not delete your certificates. To remove an entry, select it and click Remove. The USG confirms you want to remove it before doing so. Subsequent certificates move up by one when you take this action.Object References You cannot delete certificates that any of the USG’s features are configured to use. Select an entry and click Object References to open a screen that shows which settings use the entry. # This field displays the certificate index number. The certificates are listed in alphabetical order. Name This field displays the name used to identify this certificate. It is recommended that you give each certificate a unique name. Type This field displays what kind of certificate this is. REQ represents a certification request and is not yet a valid certificate. Send a certification request to a certification authority, which then issues a certificate. Use the My Certificate Import screen to import the certificate and replace the request.SELF represents a self-signed certificate. CERT represents a certificate issued by a certification authority.Subject This field displays identifying information about the certificate’s owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information. Issuer This field displays identifying information about the certificate’s issuing certification authority, such as a common name, organizational unit or department, organization or company and country. With self-signed certificates, this is the same information as in the Subject field.Valid From This field displays the date that the certificate becomes applicable. Valid To This field displays the date that the certificate expires. The text displays in red and includes an Expired! message if the certificate has expired.Import Click Import to open a screen where you can save a certificate to the USG.Refresh Click Refresh to display the current validity status of the certificates.

$Chapter 29 ObjectUSG20(W)-VPN Series User’s Guide518Figure 354 Configuration > Object > Certificate > My Certificates > AddThe following table describes the labels in this screen. Table 219 Configuration > Object > Certificate > My Certificates > AddLABEL DESCRIPTIONName Type a name to identify this certificate. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.=- characters.Subject Information Use these fields to record information that identifies the owner of the certificate. You do not have to fill in every field, although you must specify a Host IP Address, Host IPv6 Address, Host Domain Name, or E-Mail. The certification authority may add fields (such as a serial number) to the subject information when it issues a certificate. It is recommended that each certificate have unique subject information.Select a radio button to identify the certificate’s owner by IP address, domain name or e-mail address. Type the IP address (in dotted decimal notation), domain name or e-mail address in the field provided. The domain name or e-mail address is for identification purposes only and can be any string.A domain name can be up to 255 characters. You can use alphanumeric characters, the hyphen and periods.An e-mail address can be up to 63 characters. You can use alphanumeric characters, the hyphen, the @ symbol, periods and the underscore.Organizational Unit Identify the organizational unit or department to which the certificate owner belongs. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.$

Chapter 29 ObjectUSG20(W)-VPN Series User’s Guide519If you configured the My Certificate Create screen to have the USG enroll a certificate and the certificate enrollment is not successful, you see a screen with a Return button that takes you back to the My Certificate Create screen. Click Return and check your information in the MyCertificate Create screen. Make sure that the certification authority information is correct and that your Internet connection is working properly if you want the USG to enroll a certificate online.Organization Identify the company or group to which the certificate owner belongs. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.Town (City) Identify the town or city where the certificate owner is located. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.State, (Province) Identify the state or province where the certificate owner is located. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.Country Identify the nation where the certificate owner is located. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.Key Type Select RSA to use the Rivest, Shamir and Adleman public-key algorithm.Select DSA to use the Digital Signature Algorithm public-key algorithm.Key Length Select a number from the drop-down list box to determine how many bits the key should use (512 to 2048). The longer the key, the more secure it is. A longer key also uses more PKI storage space.Extended Key UsageServer Authentication Select this to have USG generate and store a request for server authentication certificate.Client Authentication Select this to have USG generate and store a request for client authentication certificate.IKE Intermediate Select this to have USG generate and store a request for IKE Intermediate authentication certificate.Create a self-signed certificateSelect this to have the USG generate the certificate and act as the Certification Authority (CA) itself. This way you do not need to apply to a certification authority for certificates.Create a certification request and save it locally for later manual enrollmentSelect this to have the USG generate and store a request for a certificate. Use the My Certificate Details screen to view the certification request and copy it to send to the certification authority.Copy the certification request from the My Certificate Details screen (see Section 29.10.3.2 on page 520) and then send it to the certification authority.Create a certification request and enroll for a certificate immediately onlineSelect this to have the USG generate a request for a certificate and apply to a certification authority for a certificate. You must have the certification authority’s certificate already imported in the TrustedCertificates screen.When you select this option, you must select the certification authority’s enrollment protocol and the certification authority’s certificate from the drop-down list boxes and enter the certification authority’s server address. You also need to fill in the Reference Number and Key if the certification authority requires them. OK Click OK to begin certificate or certification request generation.Cancel Click Cancel to quit and return to the My Certificates screen.Table 219 Configuration > Object > Certificate > My Certificates > Add (continued)LABEL DESCRIPTION

Chapter 29 ObjectUSG20(W)-VPN Series User’s Guide52029.10.3.2 The My Certificates Edit ScreenClick Configuration > Object > Certificate > My Certificates and then the Edit icon to open the My Certificate Edit screen. You can use this screen to view in-depth certificate information and change the certificate’s name. Figure 355 Configuration > Object > Certificate > My Certificates > Edit

$Chapter 29 ObjectUSG20(W)-VPN Series User’s Guide521The following table describes the labels in this screen. Table 220 Configuration > Object > Certificate > My Certificates > EditLABEL DESCRIPTIONName This field displays the identifying name of this certificate. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.=- characters.Certification Path This field displays for a certificate, not a certification request.Click the Refresh button to have this read-only text box display the hierarchy of certification authorities that validate the certificate (and the certificate itself).If the issuing certification authority is one that you have imported as a trusted certification authority, it may be the only certification authority in the list (along with the certificate itself). If the certificate is a self-signed certificate, the certificate itself is the only one in the list. The USG does not trust the certificate and displays “Not trusted” in this field if any certificate on the path has expired or been revoked.Refresh Click Refresh to display the certification path.Certificate InformationThese read-only fields display detailed information about the certificate. Type This field displays general information about the certificate. CA-signed means that a Certification Authority signed the certificate. Self-signed means that the certificate’s owner signed the certificate (not a certification authority). “X.509” means that this certificate was created and signed according to the ITU-T X.509 recommendation that defines the formats for public-key certificates.Version This field displays the X.509 version number. Serial Number This field displays the certificate’s identification number given by the certification authority or generated by the USG.Subject This field displays information that identifies the owner of the certificate, such as Common Name (CN), Organizational Unit (OU), Organization (O), State (ST), and Country (C).Issuer This field displays identifying information about the certificate’s issuing certification authority, such as Common Name, Organizational Unit, Organization and Country. With self-signed certificates, this is the same as the Subject Name field.“none” displays for a certification request. Signature Algorithm This field displays the type of algorithm that was used to sign the certificate. The USG uses rsa-pkcs1-sha1 (RSA public-private key encryption algorithm and the SHA1 hash algorithm). Some certification authorities may use rsa-pkcs1-md5 (RSA public-private key encryption algorithm and the MD5 hash algorithm).Valid From This field displays the date that the certificate becomes applicable. “none” displays for a certification request. Valid To This field displays the date that the certificate expires. The text displays in red and includes an Expired! message if the certificate has expired. “none” displays for a certification request. Key Algorithm This field displays the type of algorithm that was used to generate the certificate’s key pair (the USG uses RSA encryption) and the length of the key set in bits (1024 bits for example).Subject Alternative NameThis field displays the certificate owner‘s IP address (IP), domain name (DNS) or e-mail address (EMAIL). Key Usage This field displays for what functions the certificate’s key can be used. For example, “DigitalSignature” means that the key can be used to sign certificates and “KeyEncipherment” means that the key can be used to encrypt text.Basic Constraint This field displays general information about the certificate. For example, Subject Type=CA means that this is a certification authority’s certificate and “Path Length Constraint=1” means that there can only be one certification authority in the certificate’s path. This field does not display for a certification request.$

Chapter 29 ObjectUSG20(W)-VPN Series User’s Guide52229.10.3.3 The My Certificates Import Screen Click Configuration > Object > Certificate > My Certificates > Import to open the MyCertificate Import screen. Follow the instructions in this screen to save an existing certificate to the USG. Note: You can import a certificate that matches a corresponding certification request that was generated by the USG. You can also import a certificate in PKCS#12 format, including the certificate’s public and private keys.The certificate you import replaces the corresponding request in the My Certificates screen.You must remove any spaces from the certificate’s filename before you can import it.MD5 Fingerprint This is the certificate’s message digest that the USG calculated using the MD5 algorithm. SHA1 Fingerprint This is the certificate’s message digest that the USG calculated using the SHA1 algorithm. Certificate in PEM (Base-64) Encoded FormatThis read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses lowercase letters, uppercase letters and numerals to convert a binary certificate into a printable form.You can copy and paste a certification request into a certification authority’s web page, an e-mail that you send to the certification authority or a text editor and save the file on a management computer for later manual enrollment.You can copy and paste a certificate into an e-mail to send to friends or colleagues or you can copy and paste a certificate into a text editor and save the file on a management computer for later distribution (via floppy disk for example).Export Certificate OnlyUse this button to save a copy of the certificate without its private key. Click this button and then Save in the File Download screen. The Save As screen opens, browse to the location that you want to use and click Save.Password If you want to export the certificate with its private key, create a password and type it here. Make sure you keep this password in a safe place. You will need to use it if you import the certificate to another device.Export Certificate with Private KeyUse this button to save a copy of the certificate with its private key. Type the certificate’s password and click this button. Click Save in the File Download screen. The Save As screen opens, browse to the location that you want to use and click Save.OK Click OK to save your changes back to the USG. You can only change the name.Cancel Click Cancel to quit and return to the My Certificates screen.Table 220 Configuration > Object > Certificate > My Certificates > Edit (continued)LABEL DESCRIPTION

Chapter 29 ObjectUSG20(W)-VPN Series User’s Guide523Figure 356 Configuration > Object > Certificate > My Certificates > ImportThe following table describes the labels in this screen. 29.10.4 The Trusted Certificates ScreenClick Configuration > Object > Certificate > Trusted Certificates to open the Trusted Certificates screen. This screen displays a summary list of certificates that you have set the USG to accept as trusted. The USG also accepts any valid certificate signed by a certificate on this list as being trustworthy; thus you do not need to import any certificate that is signed by one of these certificates. Figure 357 Configuration > Object > Certificate > Trusted Certificates Table 221 Configuration > Object > Certificate > My Certificates > ImportLABEL DESCRIPTIONFile Path Type in the location of the file you want to upload in this field or click Browse to find it.You cannot import a certificate with the same name as a certificate that is already in the USG.Browse Click Browse to find the certificate file you want to upload. Password This field only applies when you import a binary PKCS#12 format file. Type the file’s password that was created when the PKCS #12 file was exported. OK Click OK to save the certificate on the USG.Cancel Click Cancel to quit and return to the My Certificates screen.

Chapter 29 ObjectUSG20(W)-VPN Series User’s Guide524The following table describes the labels in this screen. 29.10.4.1 The Trusted Certificates Edit Screen Click Configuration > Object > Certificate > Trusted Certificates and then a certificate’s Edit icon to open the Trusted Certificates Edit screen. Use this screen to view in-depth information about the certificate, change the certificate’s name and set whether or not you want the USG to check a certification authority’s list of revoked certificates before trusting a certificate issued by the certification authority.Table 222 Configuration > Object > Certificate > Trusted CertificatesLABEL DESCRIPTIONPKI Storage Space in UseThis bar displays the percentage of the USG’s PKI storage space that is currently in use. When the storage space is almost full, you should consider deleting expired or unnecessary certificates before adding more certificates.Edit Double-click an entry or select it and click Edit to open a screen with an in-depth list of information about the certificate.Remove The USG keeps all of your certificates unless you specifically delete them. Uploading a new firmware or default configuration file does not delete your certificates. To remove an entry, select it and click Remove. The USG confirms you want to remove it before doing so. Subsequent certificates move up by one when you take this action.Object ReferencesYou cannot delete certificates that any of the USG’s features are configured to use. Select an entry and click Object References to open a screen that shows which settings use the entry. # This field displays the certificate index number. The certificates are listed in alphabetical order. Name This field displays the name used to identify this certificate. Subject This field displays identifying information about the certificate’s owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information.Issuer This field displays identifying information about the certificate’s issuing certification authority, such as a common name, organizational unit or department, organization or company and country. With self-signed certificates, this is the same information as in the Subject field.Valid From This field displays the date that the certificate becomes applicable. Valid To This field displays the date that the certificate expires. The text displays in red and includes an Expired! message if the certificate has expired.Import Click Import to open a screen where you can save the certificate of a certification authority that you trust, from your computer to the USG.Refresh Click this button to display the current validity status of the certificates.

Chapter 29 ObjectUSG20(W)-VPN Series User’s Guide525Figure 358 Configuration > Object > Certificate > Trusted Certificates > Edit

$Chapter 29 ObjectUSG20(W)-VPN Series User’s Guide526The following table describes the labels in this screen. Table 223 Configuration > Object > Certificate > Trusted Certificates > EditLABEL DESCRIPTIONName This field displays the identifying name of this certificate. You can change the name. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.=- characters.Certification Path Click the Refresh button to have this read-only text box display the end entity’s certificate and a list of certification authority certificates that shows the hierarchy of certification authorities that validate the end entity’s certificate. If the issuing certification authority is one that you have imported as a trusted certificate, it may be the only certification authority in the list (along with the end entity’s own certificate). The USG does not trust the end entity’s certificate and displays “Not trusted” in this field if any certificate on the path has expired or been revoked.Refresh Click Refresh to display the certification path.Enable X.509v3 CRL Distribution Points and OCSP checking Select this check box to turn on/off certificate revocation. When it is turned on, the USG validates a certificate by getting Certificate Revocation List (CRL) through HTTP or LDAP (can be configured after selecting the LDAP Server check box) and online responder (can be configured after selecting the OCSP Server check box).OCSP Server Select this check box if the directory server uses OCSP (Online Certificate Status Protocol).URL Type the protocol, IP address and path name of the OCSP server. ID The USG may need to authenticate itself in order to assess the OCSP server. Type the login name (up to 31 ASCII characters) from the entity maintaining the server (usually a certification authority).Password Type the password (up to 31 ASCII characters) from the entity maintaining the OCSP server (usually a certification authority).LDAP Server Select this check box if the directory server uses LDAP (Lightweight Directory Access Protocol). LDAP is a protocol over TCP that specifies how clients access directories of certificates and lists of revoked certificates.Address Type the IP address (in dotted decimal notation) of the directory server. Port Use this field to specify the LDAP server port number. You must use the same server port number that the directory server uses. 389 is the default server port number for LDAP.ID The USG may need to authenticate itself in order to assess the CRL directory server. Type the login name (up to 31 ASCII characters) from the entity maintaining the server (usually a certification authority).Password Type the password (up to 31 ASCII characters) from the entity maintaining the CRL directory server (usually a certification authority).Certificate InformationThese read-only fields display detailed information about the certificate. Type This field displays general information about the certificate. CA-signed means that a Certification Authority signed the certificate. Self-signed means that the certificate’s owner signed the certificate (not a certification authority). X.509 means that this certificate was created and signed according to the ITU-T X.509 recommendation that defines the formats for public-key certificates.Version This field displays the X.509 version number. Serial Number This field displays the certificate’s identification number given by the certification authority.Subject This field displays information that identifies the owner of the certificate, such as Common Name (CN), Organizational Unit (OU), Organization (O) and Country (C).$

Chapter 29 ObjectUSG20(W)-VPN Series User’s Guide52729.10.4.2 The Trusted Certificates Import Screen Click Configuration > Object > Certificate > Trusted Certificates > Import to open the Trusted Certificates Import screen. Follow the instructions in this screen to save a trusted certificate to the USG.Note: You must remove any spaces from the certificate’s filename before you can import the certificate.Issuer This field displays identifying information about the certificate’s issuing certification authority, such as Common Name, Organizational Unit, Organization and Country. With self-signed certificates, this is the same information as in the Subject Name field.Signature Algorithm This field displays the type of algorithm that was used to sign the certificate. Some certification authorities use rsa-pkcs1-sha1 (RSA public-private key encryption algorithm and the SHA1 hash algorithm). Other certification authorities may use rsa-pkcs1-md5 (RSA public-private key encryption algorithm and the MD5 hash algorithm).Valid From This field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid! message if the certificate has not yet become applicable.Valid To This field displays the date that the certificate expires. The text displays in red and includes an Expiring! or Expired! message if the certificate is about to expire or has already expired.Key Algorithm This field displays the type of algorithm that was used to generate the certificate’s key pair (the USG uses RSA encryption) and the length of the key set in bits (1024 bits for example).Subject Alternative NameThis field displays the certificate’s owner‘s IP address (IP), domain name (DNS) or e-mail address (EMAIL).Key Usage This field displays for what functions the certificate’s key can be used. For example, “DigitalSignature” means that the key can be used to sign certificates and “KeyEncipherment” means that the key can be used to encrypt text.Basic Constraint This field displays general information about the certificate. For example, Subject Type=CA means that this is a certification authority’s certificate and “Path Length Constraint=1” means that there can only be one certification authority in the certificate’s path.MD5 Fingerprint This is the certificate’s message digest that the USG calculated using the MD5 algorithm. You can use this value to verify with the certification authority (over the phone for example) that this is actually their certificate. SHA1 Fingerprint This is the certificate’s message digest that the USG calculated using the SHA1 algorithm. You can use this value to verify with the certification authority (over the phone for example) that this is actually their certificate.Certificate This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses lowercase letters, uppercase letters and numerals to convert a binary certificate into a printable form.You can copy and paste the certificate into an e-mail to send to friends or colleagues or you can copy and paste the certificate into a text editor and save the file on a management computer for later distribution (via floppy disk for example).Export Certificate Click this button and then Save in the File Download screen. The Save As screen opens, browse to the location that you want to use and click Save.OK Click OK to save your changes back to the USG. You can only change the name.Cancel Click Cancel to quit and return to the Trusted Certificates screen.Table 223 Configuration > Object > Certificate > Trusted Certificates > Edit (continued)LABEL DESCRIPTION

Chapter 29 ObjectUSG20(W)-VPN Series User’s Guide53129.12 SSL Application OverviewYou use SSL application objects in SSL VPN. Configure an SSL application object to specify the type of application and the address of the local computer, server, or web site SSL users are to be able to access. You can apply one or more SSL application objects in the VPN > SSL VPN screen for a user account/user group. •Use the SSL Application screen (Section 29.12.2 on page 533) to view the USG’s configured SSL application objects. •Use the SSL Application Edit screen to create or edit web-based application objects to allow remote users to access an application via standard web browsers (Section 29.12.2.1 on page 533). • You can also use the SSL Application Edit screen to specify the name of a folder on a Linux or Windows file server which remote users can access using a standard web browser (Section 29.12.2.1 on page 533). 29.12.1 What You Need to KnowApplication Types You can configure the following SSL application on the USG. • Web-based A web-based application allows remote users to access an intranet site using standard web browsers. Remote User Screen LinksAvailable SSL application names are displayed as links in remote user screens. Depending on the application type, remote users can simply click the links or follow the steps in the pop-up dialog box to access. Remote Desktop ConnectionsUse SSL VPN to allow remote users to manage LAN computers. Depending on the functions supported by the remote desktop software, they can install or remove software, run programs, change settings, and open, copy, create, and delete files. This is useful for troubleshooting, support, administration, and remote access to files and programs. The LAN computer to be managed must have VNC (Virtual Network Computing) or RDP (Remote Desktop Protocol) server software installed. The remote user’s computer does not use VNC or RDP client software. The USG works with the following remote desktop connection software:RDP• Windows Remote Desktop (supported in Internet Explorer)VNC•RealVNC•TightVNC

Chapter 29 ObjectUSG20(W)-VPN Series User’s Guide532•UltraVNCFor example, user A uses an SSL VPN connection to log into the USG. Then he manages LAN computer B which has RealVNC server software installed. Figure 362 SSL-protected Remote Management WeblinksYou can configure weblink SSL applications to allow remote users to access web sites. 29.12.1.1 Example: Specifying a Web Site for AccessThis example shows you how to create a web-based application for an internal web site. The address of the web site is http://info with web page encryption. 1Click Configuration > Object > SSL Application in the navigation panel. 2Click the Add button and select Web Application in the Type field. In the Server Type field, select Web Server. Enter a descriptive name in the Display Name field. For example, “CompanyIntranet”. In the URLAddress field, enter “http://my-info”. Select Web Page Encryption to prevent users from saving the web content. Click OK to save the settings. The configuration screen should look similar to the following figure. Figure 363 Example: SSL Application: Specifying a Web Site for Access https://ASSLB

Chapter 29 ObjectUSG20(W)-VPN Series User’s Guide53329.12.2 The SSL Application ScreenThe main SSL Application screen displays a list of the configured SSL application objects. ClickConfiguration > Object > SSL Application in the navigation panel. Figure 364 Configuration > Object > SSL Application The following table describes the labels in this screen. 29.12.2.1 Creating/Editing an SSL Application ObjectYou can create a web-based application that allows remote users to access an application via standard web browsers. You can also create a file sharing application that specify the name of a folder on a file server (Linux or Windows) which remote users can access. Remote users can access files using a standard web browser and files are displayed as links on the screen. To configure an SSL application, click the Add or Edit button in the SSL Application screen and select Web Application or File Sharing in the Type field. The screen differs depending on what object type you choose. Note: If you are creating a file sharing SSL application, you must also configure the shared folder on the file server for remote access. Refer to the document that comes with your file server. Table 227 Configuration > Object > SSL Application LABEL DESCRIPTIONAdd Click this to create a new entry.Edit Double-click an entry or select it and click Edit to be able to modify the entry’s settings. Remove To remove an entry, select it and click Remove. The USG confirms you want to remove it before doing so.Object ReferencesSelect an entry and click Object References to open a screen that shows which settings use the entry.# This field displays the index number. Name This field displays the name of the object. Address This field displays the IP address/URL of the application server or the location of a file share. Type This field shows whether the object is a file-sharing, web-server, Outlook Web Access, Virtual Network Computing, or Remote Desktop Protocol SSL application.

Chapter 29 ObjectUSG20(W)-VPN Series User’s Guide534Figure 365 Configuration > Object > SSL Application > Add/Edit: Web Application Figure 366 Configuration > Object > SSL Application > Add/Edit: File Sharing The following table describes the labels in this screen. Table 228 Configuration > Object > SSL Application > Add/Edit: Web Application/File Sharing LABEL DESCRIPTIONCreate new ObjectUse this to configure any new settings objects that you need to use in this screen.ObjectType Select Web Application or File Sharing from the drop-down list box. Web Application

$Chapter 29 ObjectUSG20(W)-VPN Series User’s Guide535Server Type This field only appears when you choose Web Application as the object type.Specify the type of service for this SSL application. Select Web Server to allow access to the specified web site hosted on the local network. Select OWA (Outlook Web Access) to allow users to access e-mails, contacts, calenders via Microsoft Outlook-like interface using supported web browsers. The USG supports one OWA object.Select VNC to allow users to manage LAN computers that have Virtual Network Computing remote desktop server software installed.Select RDP to allow users to manage LAN computers that have Remote Desktop Protocol remote desktop server software installed.Select Weblink to create a link to a web site that you expect the SSL VPN users to commonly use. Name Enter a descriptive name to identify this object. You can enter up to 31 characters (“0-9”, “a-z”, “A-Z”, “-” and “_”). Spaces are not allowed. URL This field only appears when you choose Web Application as the object type.This field displays if the Server Type is set to Web Server, OWA, or Weblink.Enter the Fully-Qualified Domain Name (FQDN) or IP address of the application server. Note: You must enter the “http://” or “https://” prefix. Remote users are restricted to access only files in this directory. For example, if you enter “\remote\” in this field, remote users can only access files in the “remote” directory. If a link contains a file that is not within this domain, then remote users cannot access it. Preview This field only appears when you choose Web Application or File Sharing as the object type.This field displays if the Server Type is set to Web Server, OWA or Weblink.Note: If your Internet Explorer or other browser screen doesn’t show a preview, it may be due to your web browser security settings. You need to add the USG’s IP address in the trusted sites of your web browser. For example, in Internet Explorer, click Tools > Internet Options > Security > Trusted Sites > Sites and type the USG’s IP address, then click Add. For other web browsers, please check the browser help.Click Preview to access the URL you specified in a new web browser screen. Entry Point This field only appears when you choose Web Application as the object type.This field displays if the Server Type is set to Web Server or OWA.This field is optional. You only need to configure this field if you need to specify the name of the directory or file on the local server as the home page or home directory on the user screen. Web Page EncryptionThis field only appears when you choose Web Application as the object type.Select this option to prevent users from saving the web content. Table 228 Configuration > Object > SSL Application > Add/Edit: Web Application/File Sharing LABEL DESCRIPTION$

$Chapter 29 ObjectUSG20(W)-VPN Series User’s Guide536Shared Path This field only appears when you choose File Sharing as the object type.Specify the IP address, domain name or NetBIOS name (computer name) of the file server and the name of the share to which you want to allow user access. Enter the path in one of the following formats. “\\<IP address>\<share name>” “\\<domain name>\<share name>” “\\<computer name>\<share name>” For example, if you enter “\\my-server\Tmp”, this allows remote users to access all files and/or folders in the “\Tmp” share on the “my-server” computer. OK Click OK to save the changes and return to the main SSL Application Configuration screen. Cancel Click Cancel to discard the changes and return to the main SSL Application Configuration screen. Table 228 Configuration > Object > SSL Application > Add/Edit: Web Application/File Sharing LABEL DESCRIPTION$

ZyXEL Communications USG20W-VPN VPN Firewall User Manual Book

ZyXEL Communications Corporation VPN Firewall Book

Contents

Users Manual Part 4

Navigation menu

Namespaces

Views

Navigation