DSA-3600 User Guide

Contents

1. [Screenshot: On-demand Account List] 2.2 Find the username and password for a specific customer. a. To find the username, please log in to PayPal > Click History > Locate the specific payment listing in the activity history log > Click Details of the payment listing > Username can be found in the Item Title field. b. To find the password associated with a specific username, please log in to the DSA-3600 > Users > Authentication > Click the Option On-demand User > On-demand Account List > Click View > On-demand Account List. Search for the specific username. Password can be found in the same record. [Screenshot: On-demand Account List] [Screenshot: User Account Details, with fields Username, Plan Type, Quota, Remaining Quota, Creation Time, Last Login, Last Logout, Logout Type, Total Price, Note] Appen
2. [Screenshot: Authentication Option with Authentication Database set to NT Domain; Domain Controller fields Server IP Address and Transparent Login (Windows 2000/2003 or above)] • Server: The IP address of the external NT Domain Server. • Transparent Login: Transparent Login means Windows NT Domain single sign-on. When Transparent Login is enabled, clients will log in to the system automatically after they have logged in to the NT domain. Thus, clients only need to log in once. [Page header: Chapter 4 Web Interface Configuration] 4.2.1.6 Authentication Database: ONDEMAND. There are some deployment scenarios, for example at venues such as coffee shops, hotels, restaurants, etc., where retail customers or casual visitors want to get wireless Internet access. To offer the Wi-Fi access either for commercial use or for free, user accounts should be able to be created upon request and account tickets/receipts should also be provided. Therefore, On-demand User is designed as the authentication option for this type of deployment scenario. [Screenshot: On-demand User menu with General Settings, Ticket Customization, Billing Plans, External Payment Gateway, On-demand Account Creation, On-demand Account List] 1. General Settings: The common setting is for the On-demand User authentication option. The generated on-demand users and all accounts related information such post
3. [Screenshot: Internet Explorer window] Second: Inside the Internet Options menu, click on the Advanced tab, scroll down and look for the printing option and tick the box for Print background colors and images, then click OK. [Screenshot: Internet Explorer Internet Options, Advanced tab] Last: Print out the ticket and it will show the ticket together with the background.
4. [Screenshot: Access Control by MAC Address, Status Disabled, Access Control List] Subnet Mask: The default is 255.255.255.0. All devices in the network must share the same subnet mask. Default Gateway: The default is 192.168.1.1. Enter the gateway IP address for the network (typically a router). SNMP > Public Community: When SNMP is enabled, modify the public community string. > Private Community: When SNMP is enabled, modify the private community string. > User Status Notification: Select Enable or Disable the notification. SYSLOG > System Activity: Select Enable to allow the logging of system actions such as logging a firmware upgrade. > Wireless Activity: Select Enable to allow the logging of any wireless clients that connect to the AP. > Notice: Select Enable to allow all other information to be logged. > Remote SYSLOG Server: If you require more space to hold your logs, please provide the IP address of the Server. The embedded memory can only have up to 300 logs. Properties > SSID Broadcast: Select this option to enable the SSID to broadcast in your network. When configuring the network, it is suggested to enable this function but disable it when the configuration is complete. With this enabled, someone could easily obtain the SSID information with the site survey software and get unauthorized access to a private network. With this disabled, netw
5. Appendix I DHCP Relay. The DSA-3600 supports DHCP Relay defined according to RFC 3046. For scaling reasons, it is advantageous to set up an external DHCP server apart from using the internal DHCP server implemented in the DSA-3600 for assigning IP. When client-originated DHCP packets are forwarded to a DHCP server, a new option called the Relay Agent Information option is inserted by the DHCP relay agent. External DHCP servers that recognize the Relay Agent Information option may use this information to implement IP address or other parameter assignment policies. The external DHCP server will echo the option back to the relay agent in server-to-client replies, and the relay agent strips off the option before forwarding the reply to the client. A graphic example of connecting 2 gateways with an external DHCP server: [Figure: two gateways and a router connected to an external DHCP server] Please note that the Router and Gateway 1 connected to the DHCP Server have to be under the same network segment as the DHCP Server. When a client requests an IP address from Gateway 1 (Public LAN) through the built-in DHCP relay agent of the DSA-3600, the DHCP server will receive a DHCP REQUEST packet with Option 82 (a code defined in RFC 3046). A Circuit ID will be sent by the DSA-3600 when the DHCP relay is enabled to define where the packet is sent from, and this Circuit ID will have a format of MAC_IP, such as 00
6. transaction will also be automatically sent to the merchant owner/administrator via PayPal. [Page header: Appendix K Accepting Payments via PayPal] 3. Reporting: During normal operation, the following steps will be necessary to generate transaction reports. 3.1 Transaction activity during a period: Please log in to PayPal > Click History > Choose activity type from the Show field as the search criteria > Specify the dates (From and To fields) for the period > Click Search. [Screenshot: PayPal History page] 3.2 Search for the transaction details for a specific customer: Please log in to PayPal > Click History > Click Advanced Search > Enter the name for a specific customer as criteria in the Search For field and choose Last Name or Last Name, First Name in the In field > Specify the time period > Click Submit > Click Details to view the transaction details. [Screenshot: PayPal History, Advanced Search page]
7. [Screenshot: External Payment Gateway configuration page with fields Business Account, Payment Gateway URL, Identity Token, Verify SSL Certificate, Currency and Service Disclaimer Content] Three fields are required: • Business Account ID: This is the Login ID (email address) that is associated with the PayPal Business Account. • Payment Gateway URL: https://www.paypal.com/cgi-bin/webscr (default URL for PayPal). • Identity Token: Please log in to PayPal after saving the above settings > Click Profile > Click Website Payment Preferences in the Selling Preferences section. Scroll down to the section Payment Data Transfer (optional). [Screenshot: Payment Data Transfer (optional)] Payment Data Transfer allows you to receive notification of successful payments as they are made. The use of Payment Data Transfer depends on your system configuration a
8. Authentication Protocol: The configurations of the system must match the configurations of the remote RADIUS server. PAP (Password Authentication Protocol) transmits password in plain text without encryption. CHAP (Challenge Handshake Authentication Protocol) is a more secured authentication protocol with hash encryption. Notice: If the RADIUS Server does not assign idle timeout value, the DSA-3600 will use the local idle timeout. 4.2.1.4 Authentication Database: LDAP. The system supports authentication by an external LDAP authentication database. There are two sets of LDAP server provided by the system, primary and secondary, which are for fault tolerance. Click the hyperlink Configure for further configuration. Enter the related information for the primary server and/or the secondary server (the secondary server is not required). Information is required for fields with red asterisks. These settings will be effective immediately after clicking the Apply button. [Screenshot: Authentication Option for Server 4 (LDAP) with Primary and Secondary LDAP Server fields Server, Port, Base DN and Account Attribute, and LDAP Policy Mapping]
9. [Screenshot: Service Zone list showing SSID, encryption, policy and authentication option for each service zone] [Page header: Appendix E Service Zones Deployment Examples] Step 3: Configure the service zone accordingly. [Screenshot: Basic Settings with Service Zone Name Employee, Operation Mode NAT, Network Interface IP Address 192.168.2.1, Subnet Mask 255.255.255.0] > Configure the SSID. [Screenshot: Wireless Settings with SSID, Authentication Open System, Encryption None] > Choose the authentication option and configure the login page. [Screenshot: Authentication Settings with Authentication Options (Local DB, POP3, RADIUS, LDAP, On-demand User) and Custom Pages (Login Page, Logout Page, Login Success Page, Login Success Page for On-demand User, Logout Success Page)] > Choose the appropriate policy for this servi
10. Configuring: It is displayed as Configuring when the newly discovered AP is being added to the list and being configured, or new setting is being applied to the AP. 4. Upgrading: The AP is undergoing firmware upgrade. 5. Lost/Unknown: After the DSA-3600 reboots and before it tries to probe the AP and determine the exact status, the status will be displayed as Lost or Unknown temporarily. Enter the hyperlink of AP Name. [Screenshot: AP summary with General Settings, LAN Interface Settings, Wireless Interface Settings and Access Control Settings] > General Setting: Click Setting to enter the General Setting interface. Revise the AP Name, Admin Password and Remark here if desired. Firmware information can also be viewed here. [Screenshot: General Settings with Name, Admin Password, Time Zone, SNTP, SNMP, Syslog, Firmware and Remark] > LAN: Click LAN to enter the LAN interface. Input the data of LAN including IP Address, S
11. Dynamic and PPPoE. [Screenshot: WAN2 Interface Setting with options None, Static, Dynamic and PPPoE] • None: The WAN2 Port is disabled. • Static: Select the option to specify a static IP address for WAN2 interface manually when a static IP address is available for the system. Specify the IP Address, Subnet Mask, Default Gateway, Preferred DNS Server and Alternate DNS Server of WAN2 Port, which should be applicable for the network environment. [Screenshot: WAN2 Interface Setting, Static] • Dynamic (IP settings assigned automatically): Select the option when a DHCP server is available in the network implementation above the WAN2 port of the system. When Dynamic is selected, the system works as a DHCP client and gets an IP address for its WAN2 port automatically from the DHCP server. [Screenshot: WAN2 Interface Setting, Dynamic] • PPPoE: Select the option when PPPoE is the connection protocol provided by the network service providers. When Dial on Demand is enabled, there is a Maximum Idle Time available. The system will disconnect itself from the Internet automatically when the Maximu
12. [Screenshot: Windows Control Panel] 2. Click the right button of the mouse on the Local Area Connection icon and select Properties. [Screenshot: Network Connections window] 3. Select the General label and choose Internet Protocol (TCP/IP) and then click Properties. Now you can choose to use DHCP or specific IP address; please proceed to the following steps. [Screenshot: Local Area Connection Properties]
13. On-demand Account List: All created On-demand accounts are listed and related information is also provided. [Screenshot: On-demand Account List with columns Username, Password, Remaining Quota, Status, Remark and Delete All] • Search: A keyword can be used to search for the matching accounts that have been created; the contents of Username and Remark fields will be searched. • Username: The login name of the account. • Password: The login password of the account. • Remaining Quota: The remaining time or volume for which the user can continue to access the network, or the cut-off time until which the user is allowed to access the network. • Status: The status of the account. > Normal: the account is not currently in use and also does not exceed the quota limit. > Online: the account is currently in use. > Expired: the account is not valid any more, even when there is remaining quota to be used. > Out of Quota: the account has exceeded the quota limit. > Redeemed: the quota of the account has been fully added to another account. • Remark: Additional information for operator's reference. • Delete All: This will delete all the accounts at once. [Page header: 4.2.1.7, Chapter 4.2 Users] • Delete: This will delete the account individuall
14. Press and hold the Reset button about five seconds (status LED on front panel starts to blink) before restarting the DSA-3600. • Press and hold the Reset button for more than ten seconds (status LED on the front panel starts to speed up blinking) before resetting the DSA-3600 to default configuration. 3. WAN1, WAN2: The two WAN ports connected to an external network not managed by the DSA-3600. These ports may be used to connect to the ATU Router of an ADSL, or the port of a Cable Modem, or a Switch or Hub on the LAN of an organization. 4. LAN1-LAN4: The four LAN ports connect to networks managed by DSA-3600, such as to clients, networking devices or APs. There are two modes for service zone supported by DSA-3600: Port-Based and Tag-Based. By default, all LAN ports are in Tag-Based service zone. Under Tag-Based mode, service zones will be distinguished by VLAN tagging instead of physical LAN ports. 5. Console: The serial RS-232 DB9 cable attaches here. [Page header: Chapter 3 Hardware Installation] 3.2 Package Contents: The standard package of the DSA-3600 includes: DSA-3600 x 1, Quick Install Guide x 1, CD-ROM x 1, Console Cable x 1, Straight-through Ethernet Cable x 1, Power Cord x 1, Power Adapter x 1. 3.3 System Requirement: Standard 10/100BaseT including network cables with RJ-45 connectors. All PCs need to install the TCP/IP network protocol. 3.4 Installation Steps: Please follow the steps mentioned below to insta
15. 4. Login Success Page for On-demand User: The users can apply their own Login Success page for On-demand Users in the menu. As the process is similar to that of the Login Page, please refer to the instructions on Login Page for more details. • Login Success Page for On-demand User > Default Page: Choose Default Page to use the default login success page for On-demand User. [Screenshot: Login Success Page Selection for On-demand Users, Default Page selected; "This is the default login success page for on-demand users. You could click Preview to preview the default login success page."] • Login Success Page for On-demand User > Template Page: Choose Template to make a customized login success page for On-demand User. Click Select to pick up a color and then fill in all of the blanks. Click Preview to see the result. [Screenshot: Login Success Page Selection for On-demand Users, Template Page selected, with Color for Title Background, Color for Title Text, Color for Page Background, Color for Page Text (RGB values in hex mode) and Title fields]
16. (Range: 1-10, Default: 1) Reminder Time and Cut off: Enable / Disable, minutes (Range: 1-20, Default: 5). MAC ACL: Enter the MAC address of the network device. When MAC ACL is enabled, only the clients with their MAC addresses listed in this list can log into the system. [Screenshot: Access Control List with Enable / Disable options] 4.3 Access Points: This section provides information on the following functions: List, Discovery, Adding, Templates, Firmware and Upgrade. It displays the information of the Access Points, such as the number of Total Managed AP, the number of Down AP and the number of Associated Clients. [Screenshot: Access Points menu with List, Discovery, Adding, Templates, Firmware and Upgrade] • List: A list to show the information of each managed AP including Type, Name, IP Address, MAC Address and online Status. Functions in this section also include the operations such as reboot, enable, disable, delete, apply a new template and other configuration. • Discovery: This Discovery function is to manually or automatically detect the supported types of APs when connected to the LAN ports and automatically assign a unique IP address to each AP discovered. • Adding: The Adding function is used to manually set up an AP via filling in the required
17. [Screenshot: authentication options list with Server 2 POP3 (pop3), Server 3 RADIUS (radius), Server 4 LDAP (ldap), On-demand User ONDEMAND (ondemand) and SIP (N/A)] Link 7: AP Management. AP Management provides information from the AP List, a shortcut to 4.3.1 List in Access Points. It lets the administrator add supported APs from Discovery or from the Adding menu tab, reboot, enable, disable, delete the managed APs, apply template or apply service zone. Please refer to the section on AP List for details. [Screenshot: AP List] Link 8: Firmware Management. Firmware Management provides information from the System Firmware Upgrade, a shortcut to 4.6.5 System Upgrade in Tools. It lets the administrator download the latest firmware from the website and upgrade the system. Please refer to the section on System Upgrade for details. [Screenshot: System Firmware Upgrade, Current Version 3.00.00] Note: For better maintenance, we strongly recommend you backup system settings before upgrading firmware. 4.7 Help: The Help button is at the upper right corner of the DSA-3600 display screen. Click Help for the Online Help window, then click the hyperlink of the relevant information required. [Screenshot: Online Help window]
18. Service zone 4: <img src="images4/xx.jpg">. Click the Browse button to select the file to upload. Then click Submit to complete the upload process. Next, enter or browse the filename of the images to be uploaded in the Upload Images field on the Upload Images Files page and then click Submit. The system will show the used space and the maximum size of the image file of 512K. If the administrator wishes to restore the factory default of the login page, click the Use Default Page button to restore it to default. After the image file is uploaded, the file name will show on the Existing Image Files field. Check the file and click Delete to delete the file. After the upload process is completed and applied, the new login page can be previewed by clicking Preview button at the bottom. • Login Pages > External Page [Page header: Chapter 4.1 System] [Screenshot: Login Page Selection for Users, External Page selected, with External URL field] Choose the External Page selection and get the login page from the specific website. In the External Page Setting, enter the URL of the external login page and then click Apply. After applying the setting, the new login page can be previewed by clicking Preview button at the bottom of this page. The user-defined login page must include the following HTML codes to provide the necessary fields for user
19. Time Zone: Select your time zone from the drop-down menu. > SNTP/NTP Server IP: Enter the IP address of a SNTP/NTP server. > Daylight Saving Time: Check the box to enable daylight saving time. SNMP > Public Community: When enabled, change the Public Community Name here. > Private Community: When enabled, change the Private Community Name here. SYSLOG > System Activity: Select Enable to allow the logging of system actions such as logging a firmware upgrade. > Wireless Activity: Select Enable to allow the logging of any wireless clients that connect to the AP. > Notice: Select Enable to allow all other information to be logged. > Remote SYSLOG Server: If you require more space to hold your logs, please provide the IP address of the Server. The embedded memory can only have up to 300 logs. SMTP > SMTP Server IP: IP address of SMTP Server. > SMTP Sender: The sender's Email address. > SMTP Recipient: The receiver's Email address. Properties > SSID Broadcast: Select this option to enable the SSID to broadcast in your network. When configuring the network, it is suggested to enable this function but disable it when the configuration is complete. With this enabled, someone could easily obtain the SSID information with the site survey software and get unauthorized access to a private network. With this disabled, network security is enhanced and can prevent the SSID from being seen on networked
20. To properly configure PPPoE connection type, the Username, Password, MTU and Clamp MSS fields are required. The Dial on Demand function is used to guard the idle time out of the connection. The Maximum Idle Time field is required to enable this function. When the idle time is reached, the connection will be automatically disconnected. [Screenshot: WAN1 Interface Setting, PPPoE, with MTU, Clamp MSS, Dial on Demand and Maximum Idle Time fields] • PPTP: Select the option when PPTP (Point-to-Point Tunneling Protocol) is the connection protocol provided by the network service providers. When Dial on Demand is enabled, there is a Maximum Idle Time available. The system will disconnect itself from the Internet automatically when the Maximum Idle Time is reached. [Screenshot: WAN1 Interface Setting, PPTP, with Type (Static / DHCP), PPTP Server IP Address, Username, Password, PPTP Connection ID/Name and Dial on Demand fields] 4.1.3 WAN2: WAN2 can be disabled when selecting None. When WAN2 Port is enabled, it supports 3 connection types: Static
21. information for that AP. The system provides 3 templates that can be used to simplify the AP configuration. 3 AP setting templates can be defined. These templates can be edited, saved and used in Adding and Discovery sections. The Firmware function provides the tools to see the AP firmware version and upload new AP firmware into the system. The system stores up to three versions of AP firmware. The Upgrade function allows administrators to upgrade the AP firmware using the firmware files stored in the system. Multiple AP firmware upgrade can be done at the same time. [Page header: Chapter 4.3 Access Points] 4.3.1 List: All of the supported managed APs, such as DWL-2100AP (F/W version v2.2, v2.3), under management of the system will be shown in the list. The list is empty during first setup. The administrator can add supported APs from Discovery or the Adding tabs. After the APs are added, this list will show the current managed APs including AP type, AP name, IP Address, MAC Address, Service Zone and Status. The administrator can reboot, enable, disable, delete the managed APs, or apply template or apply service zone to them by checking the check box in front of each individual AP or selecting all the APs together by checking the top check box. Please Note: The supported managed AP may vary for different DSA-3600 firmware versions. [Screenshot: AP List]
22. [Screenshot: PayPal search form] Note: For more information about PayPal, please see http://www.paypal.com. 4. An Example of Making Payments via PayPal. Step 1: Click the link below the login window to pay for the service via PayPal. [Screenshot: login window with the link "Click here to purchase by PayPal account or Credit Card Online"] Step 2: Choose agree to accept the terms of use and click Next. [Screenshot: Service Disclaimer: "We may collect and store the following personal information: email address, physical contact information, credit card numbers and transactional information based on your activities on the Internet service provided by us. If the information you provide cannot be verified, we may ask you to send us additional information (such as your driver license, credit card statement, and/or a recent utility bill or other information confirming your address), or to answer additional questions to help verify your information." with agree / disagree options] Step 3: Please fill out the form and click Buy Now to send out this transaction. There will be a confirm dialog box. [Screenshot: Rate Plan: 1 hr(s) EUR 4; 4 hr(s) EUR 6; 500 Mbyte(s) EUR 5] Note: Payment is accepted via PayPal. PayPal enables you to send payments securely online using PayPal account, a credit card
23. DHCP Server, Enable DHCP server and Enable DHCP relay. Each service zone can have its own DHCP setting. Select the radio button of Disable DHCP Server to disable the built-in DHCP server when clients are assigned static IP addresses. Select the radio button of Enable DHCP Server to enable the built-in DHCP server. When the Enable DHCP server is chosen, the system will act as a DHCP server and assign IP addresses to its clients. Select the radio button of Enable DHCP Relay when a service zone is connected to an external DHCP server. When Enable DHCP Relay is chosen, the IP addresses of clients will be assigned by the external DHCP server. The system will only relay DHCP information from the external DHCP server to downstream clients of this service zone. [Screenshot: Basic Settings for the Default service zone with Service Zone Status, Service Zone Name, Operation Mode, Network Interface, and DHCP Server options Disable DHCP Server, Enable DHCP Server (Start IP Address, End IP Address, Preferred DNS Server, Alternate DNS Server, Domain Name, WINS Server, Lease Time, Reserved IP Address List) and Enable DHCP Relay] > Service Zone Status: Each service zone can be enabled or disabled except the default service zo
24. Data Rate: The default is Auto. Available range is from 1 to 54Mbps. The rate of data transmission should be set depending on the speed of the wireless network. Select from a range of transmission speeds or keep the default setting, Auto, to make the Access Point automatically use the fastest rate possible. > Fragment Length: The fragmentation threshold determines whether packets will be fragmented. Enter a value between 256 and 2346. > RTS Length: Enter a value between 256 and 2346. When a wireless client would like to send a packet which is larger than this value, it transmits an RTS and waits for a reply. > Beacon Interval (ms): Enter a value between 20 and 1000 msec. The default value is 100 milliseconds. The entered time determines how often the beacon signal is transmitted between the access point and the wireless network. > DTIM (Delivery Traffic Indication Message): Enter a value between 1 and 255. > Preamble: Select Long Only or Short and Long. A short preamble is recommended for high-traffic networks. > Transmit Power: Select either Full, Half (-3dB), Quarter (-6dB), Eighth (-9dB) or Minimum (minimum power). This tool can be helpful for security purposes if you wish to limit the transmission range. > Antenna Diversity: Radio is connected to each antenna and supports auto diversity mode by default. The access point will auto switch to the antenna with better RSSI value. o Diversity: The AP will auto switch to t
25. [Table of contents residue, largely unreadable. Recoverable entries: 4.6.3 Backup & Restore; 4.6.4 System Upgrade; 4.6.5 Restart; Appendix B Console Interface Configuration; Appendix C Proxy Configuration; Appendix D Certificate Settings for IE6 and IE7; Appendix E Service Zones Deployment Examples; Appendix G Network Configuration on PC; Appendix I DHCP Relay; Appendix J Session Limit and Session Log; Appendix K Accepting Payments]
Chapter 1 Before You Start
1.1 Audience: This manual is intended for use by system integrators, field engineers and network administrators to help them set up DSA-3600
26. E0 22 DF AC DF_192 168 1 254. When the external DHCP server gets the request packet, it will therefore know where to reply to and which IP to assign.
Here is an example of the configuration file of the DHCP server:
[The configuration listing is garbled in this copy. What remains legible: four class declarations for public and private LANs, each of the form "match if option agent circuit id" followed by a MAC-address-and-IP value; then a "subnet 0.0.0.0 netmask 0.0.0.0" block containing "option domain name servers" and pools with "allow members of", a range, "option routers" and "option subnet mask".]
Based on the above example, the client that connects to the DSA-3600 sends out a DHCP request. The DHCP relay function, being enabled in the DSA-3600, sends a Circuit ID 00 90 0B 07 60 91_192.168.1.254 to the external DHCP server. When the DHCP server gets the Circuit ID, it recognizes that the request is sent from g1_public_lan and thus assigns the client a DNS server of 169.95.1.1, an IP that is in the range of 192.168.1.30 to 192.168.1.50, a default gateway of 192.168.1.254 and a subnet mask of 255.255.255.0.
Appendix J Session Limit and Session Log
Session Limit: To prevent ill behaved clients or malici
27. [Screenshot residue: system overview table listing the items described below, with sample values]
The following table describes the items found in the Overview menu.
- Homepage Redirect URL: The page to which the users are directed after initial login success.
- SYSLOG server, System Log: The IP address and port number of the external SYSLOG server. N/A means that it is not configured.
- SYSLOG server, On-demand User log: The IP address and port number of the external SYSLOG server. N/A means that it is not configured.
- Proxy Server: Enabled/Disabled indicates whether or not the system is currently using the proxy server.
- Warning of Internet Disconnection: Enabled/Disabled indicates whether the connection at WAN is normal or abnormal and whether all online users are allowed or disallowed to log in to the network.
- WAN Failover: Shows the connection status of WAN1 and WAN2. Enabled Disabl
28. Please see more explanation above in the section for Roaming Out and the section for 802.1X Authentication.
[Screenshot: Roaming Out & 802.1X Client Device Settings table with columns No., Type, IP Address, Subnet Mask and Secret Key]
Click the hyperlink Roaming Out & 802.1X Client Device Settings to enter the Roaming Out & 802.1X Client Device Settings interface. Choose the desired type (Disable, Roaming Out or 802.1X), key in the 802.1X client's IP address and network mask, and then click Apply to complete the settings.
- 802.1X Authentication: When 802.1X Authentication is enabled, the Local authentication database will be used as a RADIUS database for connection with 802.1X-enabled devices such as APs or switches.
- Account Roaming Out: The system's local user database can also be an external RADIUS database to another system. When Account Roaming Out is enabled, local users can log in from other domains with their original local user accounts. The authentication database with their original local user accounts acts as a RADIUS server, and roaming-out local users act as RADIUS clients.
4.2.1.2 Authentication Database: POP3
Clients may log in to the system with their POP3 accounts. There are two sets of POP3 server provided by the system, primary and secondary, which are for fault toleran
29. Route and Schedule. User Name: manager; Password: manager.
Operator: The operator can only access the configuration page of Create On-demand User to create and print out the new on-demand user accounts. User Name: operator; Password: operator.
[Screenshot: password change form for the admin, manager and operator accounts]
The administrator can change the passwords here. Please enter the current password and then enter the new password twice to verify. Click Apply to activate the new password.
Caution: If the administrator's password is lost, it can still be changed through the text-mode management interface on the serial port (console/printer port).
4.6.3 Backup & Restore
This function is used to back up and restore the DSA-3600 settings. The DSA-3600 can also be restored to the factory default settings using this function.
[Screenshot: Backup System Settings, Restore System Settings, Reset to the Factory Default]
- Backup System Settings: Click the Backup button to save the current system configuration to a backup file on a local disk of the management console. The backup file keeps the current system settings as well as the local user accounts information.
[Screenshot: browser File Download dialog for the backup file (Name: 20071206.db, Type: Data Base File, From: 10.29.2.197)]
30. [Screenshot residue: New Connection Wizard option "Connect using a broadband connection that requires a user name and password", described as a high-speed connection using either a DSL or cable modem]
7. Finally, click Finish to exit the New Connection Wizard. Now you have completed the setup.
[Screenshot: Completing the New Connection Wizard]
TCP/IP Network Setup
In the default configuration, the DSA-3600 will assign an appropriate IP address to a client PC which uses DHCP to obtain an IP address automatically. Windows 95/98/2000/XP configures IP setup to "Obtain an IP address automatically" in its default settings. To check the TCP/IP setup or use a static IP to connect to the DSA-3600 LAN port, please follow these steps.
Check the TCP/IP Setup of Windows XP
1. Select Start > Control Panel > Network
[Screenshot: Windows Control Panel window]
31. System Status: The table shows the AP Name, AP Status and Last Reporting Time.
[Screenshot: System table with AP Name, AP Status and Last Report Time]
- Last Reporting Time: The time when this summary was last updated.
LAN Interface Status: The table shows the IP Address, Subnet Mask and Gateway.
[Screenshot: LAN Interface table]
Wireless LAN Status: The table shows all of the related wireless information.
[Screenshot: Wireless Interface table listing each SSID with its Service Zone, Authentication and Encryption, plus Beacon Interval, RTS Length, Channel, Data Rate and Preamble]
Access Control Status: The table shows the list of MAC addresses of clients under the control of the AP.
[Screenshot: Access Control Status table with the Accept Control List]
Associated Client Status: The table shows the clients connecting to the AP and the related information of each client.
[Screenshot: Associated Clients List with columns No., SSID, MAC Address, Username, Band, Authentication, Signal and Power Save Mode]
32. VLAN for separating networks.
Log in to the web management interface and enter admin for both the default username and password in the Username and Password fields of the Administrator Login Page. After logging in to the web management interface, click System from the Menu Tree and then Service Zones to enter the Service Zone Settings page. Click Configure for the desired service zone to enter its Basic Settings page, and then enable the service zone used for port-based service zone deployment.
[Screenshot: Service Zone Settings page listing the Default service zone and four others, with columns Service Zone Name, LAN Port Mapping, SSID, WLAN Encryption, Applied Policy, Default Authen Option, Status and Details]
Click System from the Menu Tree and then click LAN Port Mapping. Select Port-Based mode for service zone.
LAN Ports and Service Zone Mapping: Select the mode for Servi
33. [Screenshot residue: Windows Control Panel and the Connections tab of Internet Properties, showing the Setup button, Dial-up and Virtual Private Network settings, and Local Area Network (LAN) settings]
3. Click Next when the Welcome to the New Connection Wizard screen appears.
[Screenshot: Welcome to the New Connection Wizard. This wizard helps you: Connect to the Internet; Connect to a private network such as your w
34. billing plans, all user databases and any configuration to its initial state.
4.6.4 System Upgrade
To upgrade the system firmware, click the Browse button to choose the new firmware file and then click Apply to execute the process. A confirmation message will appear, notifying the administrator to restart the system upon successful firmware upgrade.
[Screenshot: System Firmware Upgrade, Current Version 3.00.00]
Note: For better maintenance, we strongly recommend that you back up system settings before upgrading firmware.
Warning:
1. Firmware upgrade may sometimes result in loss of some data. Please ensure you read the release notes to understand the limitations before upgrading the firmware.
2. Please restart the system after upgrading the firmware. Do not interrupt the upgrade process, for example by powering the system on or off during the upgrade or the restart process, as it may damage the system and cause it to malfunction.
4.6.5 Restart
This function allows the administrator to safely restart the DSA-3600. The process should take about three minutes. Click YES to restart the DSA-3600; click NO to go back to the previous screen. If turning off the power is necessary, restart the DSA-3600 and wait for it to complete the restart process before turning it off.
Click Restart to restart the system. Please wait for the blinking timer to finish before accessing the system we
35. certificates.
3. Click Certification Path.
[Screenshot: Certificate dialog, General tab, stating that the CA Root certificate is not trusted and that trust is enabled by installing the certificate in the Trusted Root Certification Authorities store]
4. Select the root certification, then click View Certificate.
[Screenshot: Certificate dialog, Certification Path tab]
5. Click Install Certificate.
[Screenshot: Certificate dialog, Certificate Information]
6. Click Next.
[Screenshot: Welcome to the Certificate Import Wizard]
7. Select Automatically select the certificate store based on
36. experience for audio and video applications over a Wi-Fi network.
- Load Balance: When enabled, several APs can balance wireless network traffic and wireless clients among the APs in the network. Assign each access point a different non-overlapping channel.
  - User Limit: Enter the limit on the number of load-balancing users, from 0 to 64.
- Link Integrate: Enable or disable the feature.
- Internal Station Connection: Select either Enabled or Disabled. When enabled, the connection allows clients to communicate with each other. If this is disabled, wireless stations of the selected band are not allowed to exchange data through the access point.
- Access Control by MAC Address: This function controls which client devices are allowed to associate with the APs to which the desired template setting is applied. Choose Disabled or Enabled in the Status column and enter the desired clients' MAC addresses in the MAC Address List. When this function is enabled, please make sure the MAC Address List is not empty.
[Screenshot: Access Control by MAC Address, with Status and MAC Address List]
DWL-3200AP v2.2
DWL-3200AP version 2.2 Templates settings allow users to configure General, Wireless, Properties, Access Control and wireless 802.11b/g mode settings. Compatible with the 802.11b standard to provide a wireless data rate up to 11 Mbps, users can migrate the syste
37. four simple steps to provide easy setup of the DSA-3600:
- General
- WAN1 Interface
- Local User Account (Optional)
- Confirm and Restart
The Setup Wizard provides express setup procedures for the DSA-3600. Follow the instructions given at each step to change the system admin password, select the time zone, configure the WAN1 interface and create a local user account. Upon completing the Setup Wizard procedures, the system has to be restarted for the settings to take effect. The system is ready for operation after the restart. Please refer to the Quick Install Guide of the DSA-3600 if step-by-step screen images would help the process.
Running the Wizard: Click Tools and then Setup Wizard in the top-left menu, and the Setup Wizard page will appear. Please read the recommendation of each step.
[Screenshot: Setup Wizard, recommending that the administrator's password be changed and an appropriate time zone selected for the system, with New Password, Verify Password and Time Zone fields]
Step 1: General
Change Password: Enter the administrator's new password in the New Password field and retype it in the Verify Password field. (Note: The maximum length of the password is twenty characters and no space is allowed.) To secure the system, changing the administration account password is recommended. Next, select a proper time zone from the Time Zone drop-down menu to set the system time. Click Next to continue.
Setup
38. from the On-demand Account Configuration, a shortcut to 4.2.1 Authentication in the Users section and 4.1.6 Service Zone > On-demand User. It lets customers in a retail environment use wireless Internet access with a username and password. Please refer to the section on On-demand Account Configuration for details.
[Screenshot: Authentication Server, On-demand User, with General Settings, Ticket Customization, Billing Plans, External Payment Gateway, On-demand Account Creation and On-demand Account List]
Link 5: Policy Management
Policy provides information from the Policy Configuration, a shortcut to 4.2.3 Policy in the Users section. It lets the administrator select one of the defined policies to apply to a specific authentication option. Please refer to the section on Policy Configuration for details.
[Screenshot: Policy Configuration, with Global Policy, Select Policy, Global Firewall Profile, Specific Route Profile and Privilege Profile]
Link 6: Authentication Configuration
Authentication Configuration provides information from the Authentication Settings, a shortcut to 4.2.1 Authentication in the Users section and 4.1.6 Service Zone > Authentication Settings. It lets the administrator configure a list of authentication options which can be enabled or disabled within each service zone's management. Please refer to the section on Authentication for details.
[Screenshot: Authentication Settings table with columns Auth Option, Auth Database and Postfix]
39. how On-demand users are allowed to access the network.
- Price: The unit price of each plan.
- Status: Shows whether the plan is enabled or disabled.
- Function: To create an On-demand user account, press the Create button for the desired plan; a pop-up window will appear for the operator's confirmation and additional input. Operators can also click the Printout button to print out the ticket as a copy of the receipt for customers.
[Screenshot: Creating an On-demand Account form (Plan Type, Cut-off Quota, Grace Period, Unit Price, Quantity, Operator's Remark) and the resulting account ticket (Username, Password, Plan Type, Quota, Total Price, Remark, ESSID, Wireless Key, validity)]
Note: In order to print out the ticket with the background picture, the web browser should be configured as shown below.
- First, open Internet Explorer and select Tools from the drop-down menu, then click Internet Options.
[Screenshot: Internet Explorer window]
40. information to be logged.
- Remote SYSLOG Server: If you require more space to hold your logs, please provide the IP address of the server. The embedded memory can only hold up to 300 logs.
SMTP
- SMTP Server IP: IP address of the SMTP server.
- SMTP Sender: The sender's email address.
- SMTP Recipient: The receiver's email address.
Properties: Global Settings
- SSID Broadcast: Select this option to enable the SSID to broadcast in your network. When configuring the network, it is suggested to enable this function, but disable it when the configuration is complete. With this enabled, someone could easily obtain the SSID information with site survey software and get unauthorized access to a private network. With this disabled, network security is enhanced and the SSID can be prevented from being seen on the network.
- Internal Station Connection between 802.11a & 802.11g: Enabling this feature allows devices on the 802.11a network to exchange data with devices on the 802.11g network through the access point. If disabled, a partition is created between the networks within the access point. This feature is only available when both 11a and 11g are in Access Point mode.
- Antenna Diversity: When enabled, each radio will automatically switch to the antenna with the greatest RSSI value. When disabled, each radio will use its main antenna.
- Load Balance: When enabled, you allow several APs to balance wireless network traffic and wireless clients
41. more quotas for the original account; in this case we add an additional quota of 2 days.
[Screenshot: login success page showing the logged-in on-demand account, the Logout button, the login time and the expiration time]
Appendix B Console Interface Configuration
Upon completing this process, the console interface configuration will be accessible via the console port to handle problems and situations occurring during operation.
1. To connect to the console port of the DSA-3600, a console/modem cable and a terminal simulation program such as HyperTerminal will be required.
2. Set the parameters as 9600, 8, n, 1 for HyperTerminal.
[Screenshot: Port Settings dialog with Bits per second, Data bits, Parity, Stop bits and Flow control]
Caution: The main console is a menu-driven text interface with dialog boxes. Please use the arrow keys on the keyboard to browse the menu and press the Enter key to make a selection or confirm what you enter.
3. Once the console port of the DSA-3600 is connected properly, the console main screen will appear automatically. If the screen does not appear in the terminal simulation program automatically, press the arrow keys on the keyboard so that the terminal simulation program sends out some messages. The welcome screen or the main menu should then app
42. networks.
- Transmit Power: Select either Full, Half (3dB), Quarter (6dB), Eighth (9dB) or Minimum (minimum power). This setting can be helpful for security purposes if you wish to limit the transmission range.
- WMM (Wi-Fi Multimedia): Improves the user experience for audio, video and voice applications over a Wi-Fi network. WMM is based on a subset of the IEEE 802.11e WLAN QoS draft standard.
- Internal Station Connection: Select either Enabled or Disabled. When enabled, the connection allows clients to communicate with each other. If this is disabled, wireless stations of the selected band are not allowed to exchange data through the access point.
- Access Control by MAC Address: This function controls which client devices are allowed to associate with the APs to which the desired template setting is applied. Choose Disabled or Enabled in the Status column and enter the desired clients' MAC addresses in the MAC Address List. When this function is enabled, please make sure the MAC Address List is not empty.
[Screenshot: Access Control by MAC Address, with Status and MAC Address List]
4.3.5 Firmware
This is where the AP's firmware can be uploaded. The current firmware can also be downloaded to local storage if required. The system supports the firmware management of APs to upload new firmware, delete the existi
43. option, your customers will be asked to include a Contact Telephone Number with their payment information.
[Screenshot residue: PayPal Contact Telephone setting with the options On (Optional Field), On (Required Field) and Off (PayPal recommends this option), and a note that selecting On (Required Field) could have a negative effect on buyer conversion]
1.2 Configure DSA-3600 with a PayPal Business Account
Please log in to the DSA-3600 > Users > Authentication > click the Option On-demand User > External Payment Gateway > click Configure > External Payment Gateway > select PayPal.
[Screenshots: Authentication Settings table, and the Authentication Server On-demand User page with the External Payment Gateway entry]
44. or bank account. Clicking on the Buy Now button, you will be redirected to PayPal's site to make payment.
B. Please don't manually close the browser when you reach PayPal's payment confirmation page. It takes about 30 seconds or more before you are automatically redirected back to our website with a set of Login ID and Password.
[Screenshot: browser dialog asking "Do you want to purchase the internet service through PayPal's website?"]
Note: You don't necessarily need a PayPal account to do a credit card payment on PayPal's website.
Step 4: You will be redirected to the PayPal website to complete the payment process.
[Screenshots: PayPal login and Review Your Payment pages for "YK Cafe Wireless Internet Access, 1 hrs 0 mins, Total 4.00 EUR"]
45. provides the login and logout activities of roaming-in users.
[Screenshot: Roaming In User Log with columns Date, Type, Name, NASID, NASIP, NASPort, UserMAC, UserIP, SessionID, SessionTime, Bytes In, Bytes Out, Pkts In, Pkts Out and Message]
- Type: The authentication and accounting type of the external RADIUS server. There is a type called Accept for authentication. There are three types of accounting: Start, Interim-update and Stop.
- Name: The user name of the roaming-in user.
- NASID: The System ID of the system. Usually NASID is the MAC address of the WAN port of the system.
- NASIP: The IP address of the WAN port of the system.
- NASPort: The port of the WAN port of the system.
- UserMAC: The MAC address of the user.
- UserIP: The IP address of the user.
- SessionID: The system will give a unique Session ID to an authenticated user when he/she starts a new session.
- SessionTime: The time in seconds of this session.
- Bytes In/Out: The amount of inbound/outbound traffic, in bytes.
- Pkts In/Out: The amount of inbound/outbound traffic, in packets.
- Message: The system response of why the client stops this session.
SIP Call Usage Log
The SIP Call Usage Log provides the login and logout activities of SIP users, such as Start Time, Caller, Callee (Receiver) and Duration (seconds). A user may register with a SIP Registrar after authentication. Their calls will be logged in the SIP call history.
[Screenshot: SIP Call Usage Log table]
46. that have been integrated with the system. Check the APs which need to be upgraded, select the firmware version to upgrade to, and click Apply to upgrade the firmware.
[Screenshot: list with columns Name, Type, Version, Last Upgraded Time, Next Version and Selection]
- Last Upgraded Time: The time when the AP was last upgraded.
- Next Version: The firmware version the AP is to be upgraded to.
4.4 Network
This section provides information on NAT, Privilege, Monitor IP, Walled Garden, Proxy Server, DDNS, Client Mobility and VPN. It displays the information of the interfaces. For WAN1 and WAN2, it shows the IP Address and the connection Status. For LAN Ports, it shows the IP Address, SSID and Status of each Service Zone.
[Screenshot: Network Configuration page, with the following descriptions]
- NAT: The NAT function supports 3 types of network address translation: DMZ (Demilitarized Zone), Public Accessible Server and IP/Port Redirect.
- Privilege: The Privilege function supports two types of privilege list, based on IP address and MAC address. Devices specified in the list require NO authentication to access the network.
- Monitor IP: Up to 40 IP addresses can be defined in the Monitor IP function. System can monitor these IP-based network devices and periodically report online status via ema
47. the successful login of a client, a VPN tunnel will be established between a client's device and the system. The data passing through the VPN tunnel are encrypted. The system's Local VPN supports end users' devices under Windows 2000 and Windows XP SP1/SP2.
- Server: The IP address of the external POP3 server.
- Port: The authentication port of the external POP3 server.
- SSL Setting: The system supports POP3. Check the SSL Connection check box to enable POP3.
4.2.1.3 Authentication Database: RADIUS
The system supports authentication by an external RADIUS authentication database. The system allows each RADIUS domain to have a pair of RADIUS servers, primary and secondary, for backing up each other. The system functions as a RADIUS authenticator for external RADIUS servers.
Click the hyperlink Configure for further configuration. The RADIUS server sets the external authentication for clients. Enter the related information for the primary RADIUS server and/or the secondary RADIUS server (the secondary server is not required). Information must be entered for fields with red asterisks. These settings will be effective immediately after clicking the Apply button.
[Screenshot: Authentication Option, Server 3 form with fields including Name, Postfix, Black List, Authentication Database, Enable Local VPN, 802.1X Authentication, Username Format, NAS Identifier, Class-Policy Mapping, Server and Authentication Port]
48. the DSA-3600.
Appendix C Proxy Configuration
Basically, a proxy server can help clients access network resources more quickly. This section presents basic examples for configuring the proxy server settings of the DSA-3600.
Using Internet Proxy Server
The first scenario is that a proxy server is placed outside the LAN environment or in the Internet. For example, the following diagram shows that a proxy server of an ISP will be used.
[Diagram: DSA-3600 with WAN1, Public LAN and managed APs]
Follow these steps to complete the proxy configuration.
Step 1: Log in to the DSA-3600 using the admin account.
Step 2: Go to the Network > Proxy Server > External Proxy Servers page. Add the IP address (leaving it blank means any IP address) and port number of the proxy servers to the External Proxy Servers setting. Enable the Built-in Proxy Server. Click Apply to save the settings.
[Screenshot: External Proxy Servers table (No., IP Address, Port), Redirect Outgoing Proxy Traffic to Built-in Proxy Server, and Built-in Proxy Server Enable / Disable]
Step 3: Make sure that the proxy server settings match at least one of the proxy server settings of the DSA-3600; for example, in this case 203.125.142.1:3128 matches (blank):3128.
[Screenshot: Local Area Network (LAN) Settings and Proxy Settings dialogs]
49. the type of certificate, then click Next.
[Screenshot: Certificate Import Wizard, Certificate Store]
8. Click Finish.
[Screenshot: Certificate Import Wizard, Completing the Certificate Import Wizard]
Appendix D Certificate Settings for IE6 and IE7
9. Click Yes.
[Screenshot: Security Warning]
10. Click OK.
[Screenshot: Certificate, Certificate Information; Valid from 10/25/2006 to 10/23/2016]
17. Launch a new IE7 browser. The certificate is now trusted via IE7 according to the key symbol shown at top next to the address field.
Login, Windows Internet Explorer (screen): https Jow privateflogi
50. this service zone and enable the On-demand Users authentication options only.
[Screenshot: Authentication Settings. Authentication Required For the Zone: Enabled / Disabled. Authentication Options (Auth Option, Auth Database, Postfix, Default, Enabled): Server 1, LOCAL, local; Server 2, POP3, pop3; Server 3, RADIUS, radius; Server 4, LDAP, ldap; On-demand User, ONDEMAND, ondemand; SIP]
Click Apply to activate the changes for the second service zone. Now is the time to restart the system. After the restart, the system will be configured according to Figure 4.1.5a.
Chapter 4.1 System
[Figure 4.1.5a: An example using Tag-Based service zones. Diagram labels: ISP, Internet, DSA-3600, SSID 1, SSID 2, ssid staff, ssid guest, Service Zone (VLAN) for staff, Service Zone (VLAN) for guests]
Port-Based
For port-based service zones, each LAN port can be assigned to a service zone since a LAN port can be mapped to a VLAN tag. The mapping between the ports and the service zones is many-to-one. With the factory default setting, all ports belong to the Default service zone and the other 4 service zones are grayed out. The other 4 service zones will appear after the specific service zone is configured as enabled in System > Service Zones.
Port-Based Service Zones Configuration Example
After running through Setup Wizard on a factory default system, the DSA-3600 is ready to use the default tag based
51. webpages from working correctly.
[Screenshot: Internet Explorer Manage Add-ons dialog, showing add-ons that have been used by Internet Explorer (columns: Name, Publisher, Status, Type, File). The list includes VPNClient ipsec, D-Link Corporation, Enabled, ActiveX Control.]
From Windows Internet Explorer, click the Manage add-ons button inside the Programs page under Tools to show the add-ons programs list. You can see VPN
52. 200AP v2.20 and v2.30 as two different AP types, and names DWL-3200AP v2.20 as DWL-3200AP v2.2 and DWL-3200AP v2.30 as DWL-3200AP v2.3. Moreover, firmware upgrade from DWL-3200AP v2.20 to v2.3 is NOT supported by the system.
[Screenshot: template settings. General: Subnet Mask, Default Gateway, Time Zone, SNTP/NTP Server IP, Daylight Saving Time, SNMP. SYSLOG: System Activity, Wireless Activity, Notice, Remote SYSLOG Server, SMTP. Wireless Properties: SSID Broadcast, Data Rate, Fragment Length, RTS Length, Beacon Interval (ms), DTIM, Preamble, Transmit Power, Antenna Diversity, WMM, Load Balance, Link Integrate, Internal Station Connection. Access Control by MAC Address: Status, Access Control List]
• Subnet Mask: The default is 255.255.255.0. All devices in the network must share the same subnet mask.
• Default Gateway: The default is 192.168.1.1. Enter the gateway IP address for the network, typically a router.
• SNTP/NTP: The time server IP address, time zone and the local time will be displayed.
53.
Chapter 4.2 Users
[Screenshot: Local User Database Settings. Local User List. Account Roaming Out (Enable / Disable): Local user database will be used as authentication database for roaming out users. 802.1X Authentication (Enable / Disable): Local user database will be used as internal RADIUS database for 802.1X-enabled LAN devices, such as AP and switch. Roaming Out & 802.1X Client Device Settings]
• Name: Set a name for the authentication option by using numbers (0-9), alphabets (a-z or A-Z), dash (-), underline (_), space and dot (.) only. The length of this field is up to 40 characters. This name is used for the administrator to identify the authentication options easily, such as HQ RADIUS.
• Postfix: A postfix is used to inform the system which authentication option is to be used for authenticating an account (e.g. bob@BostonLdap or tim@TaipeiRadius) when multiple options are concurrently in use. One of the authentication options can be assigned as default. For the authentication option assigned as default, the postfix can be omitted. For example, if BostonLdap is the postfix of the default option, Bob can log in as bob without having to type in bob@BostonLdap. Set a postfix that is easy to distinguish (e.g. Local), using numbers (0-9), alphabets (a-z or A-Z), dash (-), underline (_) and dot (.) within a maximum of 40 characters. All other characters are not allowed.
• Black List: There are 5 sets of black lists provided by the system. A u
54. 5. Open a URL from the other application (e.g. e-mail of Outlook) that occupies this existing Internet Explorer.
[Screenshot: "Hello, sddtest. You have successfully logged in. The connection is secured by IPSec VPN." with a Windows Internet Explorer dialog: "Are you sure you want to logout?"]
All these will cause the termination of IPSec VPN tunneling if the user chooses to click Yes. The user has to log in again to regain the network access.
Suggestion: Click Cancel if you do not intend to stop the IPSec VPN connection yet.
6. Non-supported OS and Browser
Currently, Windows Internet Explorer is the only browser supported by DSA-3600. Windows XP and Windows 2000 are the only two supported OS along with this release.
Appendix H IPsec VPN
7. FAQ
a. How to clean IPSec client?
ANS: Open a command prompt window and type the commands as follows.
    C:\> cd %windir%\system32
    C:\> Clean_IPSEC.bat
Or
    C:\> cd %windir%\system32
    C:\> ipsec2k.exe stop
b. How to remove ActiveX component in client's computer?
ANS:
1. Uninstall and delete ActiveX component.
2. Close all Internet Explorer windows.
3. Open a command prompt window and type the commands as follows.
    C:\> cd %windir%\system32
    C:\> regsvr32 /u VPNClient_1_5.ocx
    C:\> del VPNClient_1_5.ocx
c. What can be done if unable to establish IPSec connection for Windows XP SP1?
ANS: Disable Windows XP firewall.
Appendix K Accepting Payment via PayPal
55. AP
• MAC Address: The Media Access Control (MAC) address of the AP.
• Remark: The administrator can add some extra information for the AP in this field if desired.
• Service Zone: When the system's Service Zone is set to Tag-based mode, an additional Service Zone field will be here for assigning service zones to the AP.
• Template Applied: The template which will be applied to the AP.
• Channel: The Channel of the AP.
4.3.4 Templates
A template is a model that can be copied to every AP without having to configure each AP individually. The administrator can configure the settings together in the template instead of logging into the AP management interface to set the configurations one by one. Click Edit to go to configuration. Select the AP type (if available) and one of the three available templates, and then click Edit to have the Template Editing page.
[Screenshot: Template Selection. AP Type: DWL-2100AP (Supported F/W: v2.20eu, v2.20na, v2.30eu, v2.30na and v2.30jp); Edit Template; Name: TEMPLATE]
Besides configuring all the template settings manually, copying the configuration of an AP to the template by selecting a Copy Settings From and revising some settings is also acceptable. Please select None if configuring the whole template from the draft is desired. Enter the Name and Remark (optional) and click Configure to have further configuration. After clicking Edit to enter the Details page, revise
56. An invoice number may be provided as additional information with a transaction. The number will be incremented automatically for each following transaction. Click the Change the Number checkbox to change it.
• Description (Item Name): This is the item information to describe the product, for example, Internet Access.
• Title for Message to Seller: Administrators can edit the header title of the message note used in the PayPal payment page.
> PayPal Payment Page Remark Content: The message content will be displayed as a special notice to end customers in the page of Rate Plan. For example, it can describe the cautions for making a payment via PayPal.
5. On-demand Account Creation
After one or more billing plans are configured and enabled in the Billing Plans page, administrators, including manager and operator accounts, are able to create On-demand user accounts in this page.
On-demand Account Creation
Plan   Type      Quota            Price   Status     Function
1      Cut-off   Until 12:30      2.99    Enabled
2      Time      12 hr(s)         3.99    Enabled
3      Volume    500 Mbyte(s)     5       Enabled
4      Cut-off   Until 13:00      3.5     Enabled
5      Time      18 hr(s)         6       Enabled
6      Volume    1000 Mbyte(s)    8       Enabled
7      N/A       N/A              N/A     Disabled
8      N/A       N/A              N/A     Disabled
9      N/A       N/A              N/A     Disabled
0      N/A       N/A              N/A     Disabled
• Plan: The number of the specific plan.
• Type: This is the type (Time, Volume or Cut-off) of the plan, based on which it defines how the account can be used.
• Quota: The limit on
57. Client ipsec is enabled.
During the first login to the DSA-3600, Internet Explorer will ask the user to download the ActiveX component of IPSec VPN. This ActiveX component, once downloaded, will be running parallel with the Login Success page. The ActiveX component helps to set up the IPSec VPN tunnel between the client's device and the DSA-3600. It also helps to check the validity of the IPSec VPN tunnel between them. If the connection is down, the ActiveX component will detect the broken link and recompose the IPSec tunnel. Once the IPSec VPN tunnel is built, any packet sent will be encrypted. Without connecting to the original IPSec VPN tunnel, the user or client device has no alternative to gain network connection beyond this. The DSA-3600's IPSec VPN feature is designed to solve possible data security leaks between the client and the controller via either wireless or wired connection, without extra hardware or client software installed.
[Screenshot: "Hello, sddtest. You have successfully logged in. The connection is secured by IPSec VPN."]
Limitations
The limitations on the client side due to ActiveX and Windows OS include:
a. Internet Connection Firewall of Windows XP or Windows XP SP1 is not compatible with the IPSec protocol; hence it shall be turned off to allow IPSec packets to pass through.
b. Without patch, ICMP (Ping) and the PORT command of FTP cannot work in Windows XP SP2.
c. The Forced termination (through CTRL+ALT+DEL, Task Man
58. D-Link: Building Networks for People
DSA-3600 User Guide
Version: DSA-3600 3.00
Copyright 2007 D-Link Corporation. All rights reserved. Printed in Taiwan. D-Link Corporation reserves the right to change, modify, and revise this publication without notice.
Trademarks
Copyright 2007 D-Link Corporation. All rights reserved. D-Link, the D-Link logo, and DSA-3600 are trademarks of D-Link Corporation. All other brand and product names are registered trademarks or trademarks of their respective holders.
Statement of Conditions
In the interest of improving internal design, operational function, and/or reliability, D-Link Corporation reserves the right to make any changes to products described in this document without notice. D-Link Corporation shall be indemnified against any liability that may occur due to the use or application of the product(s) described herein.
Table of Contents
Chapter 2 Overview
2.1 Introduction of DSA-3600
Hardware Installation
Panel Function Descriptions
Installation Steps
Chapter 4 Web Interface Configuration
59.
• General: Configure general settings for the entire system, such as System Name, Internal Domain Name, SNMP, Time, etc.
• WAN1: Set up the WAN1 interface using the connection types Static, Dynamic, PPTP or PPPoE.
• WAN2: Set up the WAN2 interface using the connection types None, Static, Dynamic or PPPoE.
• WAN Traffic: Overall traffic control features of the WAN interface, such as Load Balancing, WAN Failover, bandwidth management and connection detection, etc.
• LAN Port Mapping: A Service Zone in the system by default contains wired and wireless coverage areas in the organization. When Port-Based mode is enabled, each physical LAN port can be set individually to map to a specific Service Zone for later use. By contrast, under Tag-Based mode, Service Zones will be distinguished by VLAN tagging instead of physical LAN ports.
• Service Zones: A table to display the Service Zones and related settings.
4.1.1 General
The system and network related parameters, such as System Name, Homepage Redirect URL, Management IP Address List, and HTTPS Protected Login, can be configured from the menu shown as below.
General Settings for the Entire System (screen): System Name: DSA-3600. Internal Domain Name: Use the name on the security certificate (FQDN) of this device for internal use. Enable / Disable Homepage Redi
60. Interface Configuration
4.3.2 Discovery
Use this function to detect and manage all the supported APs in the network segment.
[Screenshot: Discovery Settings. AP Type: DWL-2100AP (Supported F/W: v2.20eu, v2.20na, v2.30eu, v2.30na and v2.30jp); Interface: Default; Admin Settings Used to Discover: Factory Default (IP Address: 192.168.0.50, Login ID: admin, Password: Empty) or Manual; IP Addresses of APs after Discovery: Start IP Address 192.168.1.2; Background AP Discovery Status: Disabled. Discovery Results (columns: IP Address, AP Name, Template, AP Type, Service Zone, MAC Address, Password, Channel)]
• Discovery Settings: When the administrator tries to discover a new AP, select the AP Type and select the Interface (Service Zone) first. If the system is set to Tag-Based mode, only the Default Service Zone is available for AP Discovery. Second, select Manual in the Admin Settings Used to Discover field. If the AP is reset to default setting, please select Factory Default. Enter the current IP range of the APs, Login ID and Password. The IP of an AP with factory default setting is 192.168.0.50. Then click the Scan Now button. If the new AP has been discovered, it will appear in the following Discovery Results list. If there is a warning message showing below the Discovery Settings, follow the instructions to change configurations.
Note: Please refer to the datasheet for the supported APs and the firmware
61. Local VPN is disabled.
• User Log Access IP Address: An external billing system may access the system's user logs by specifying a desired IP address of the external billing system in this field. Only the billing system with this IP address may directly access the system's user logs in text format via browsers. For example, if the access interface of DSA-3600 is 10.30.1.23, the user log can be found in the following URLs:
User Log is located in the URL https://10.30.1.23/status/history/2006-11-01
On-demand User Log is located in the URL https://10.30.1.23/status/odhistory/2006-11-01
• Management IP Address List: Set the IP addresses within a range which the administrator can use to connect to the web management interface of DSA-3600 via its WAN and/or LAN ports. The administrator can grant access to the web management interface by specifying a list of specific IP addresses or ranges of IP addresses, no matter whether the access is from the WAN or LAN port. For example, entering 192.168.3.1 and 192.168.1.0/24 means the computer at 192.168.3.1 and the computers in the range of 192.168.1.0 to 192.168.1.255 are able to reach the web management interface.
[Screenshot: Management IP Address List (columns: No., IP Address / Segment)]
Please Note: While the default IP address of Network Interface is changed at System > Service Zones > Basic Settings > DHCP Server > Enable DHCP Server, the management IP address has to be set up again
62. Mbytes up to which On-demand users are allowed to transfer data.
[Screenshot: Editing Billing Plan. Plan: 3; Type: Volume; Quota: 500 Mbyte(s) (Range: 1-2000); Account Activation: First-time login must be done within 2 day(s) 9 hour(s) (Range of hours: 0-23; they cannot both be zero); Valid Period: After activation, account will be expired in 3 day(s) (must be larger than 0); Price: 5 (Range: 0-100000, including two digits after decimal point, e.g. 1.99)]
o Cut-off: The time of day at which the on-demand account is cut off (made expired) by the system on that day. Please note that the Grace Period is an additional short period of time after the account is cut off, during which a user is allowed to continue to use the on-demand account to access the Internet without paying additional fee.
[Screenshot: Editing Billing Plan. Plan: 1; Type: Cut-off; Cut-off Time: 12:30 (HH:MM, range 00:00-23:59); Grace Period: Account remains usable for 1 hour(s) after cut-off; Unit Price: 2.99 per day (Range: 0-100000, including two digits after decimal point, e.g. 1.99)]
• Price: The unit price of each plan.
• Enable: Click the check box to activate the plan.
• Function: Click the Edit button to add or edit the specific billing plan.
4. External Payment Gateway
This section is for merchants to set up an external payment gateway to accept payments in order to provide wireless access s
63. Multi-Service Business Gateway in their network environments. It contains step-by-step procedures and pictures to guide users with basic network system knowledge to complete the installation.
1.2 Document Conventions
The following information provides the details of conventions used in this manual.
For cautionary statements or warnings requiring special attention by readers, a text box with italic font will be used.
Warning: For security purposes, you should immediately change the administrator's password.
When any of the button symbols shown below is selected, the following action will be executed accordingly:
• Logout: Log out the system.
• Access Online Help interface.
• Apply all settings configured.
• Clear all settings configured prior to applying.
The red asterisk indicates information in this field is compulsory.
Please Note: Screen captures and pictures used in this manual may be displayed in part or in whole, and may vary or differ slightly from the actual product, depending on versioning and menu accessed.
Chapter 2 Overview
2.1 Introduction of DSA-3600
DSA-3600 is a Multi-Service Business Gateway specially designed for small and medium business and branch office operational environments. The major functional areas include user management, access control, AP management, security management and VLAN. The major features of DSA-3600 can be grouped into four functional blocks: A
64. P and destination IP. If SYSLOG is enabled, Session Log will be sent to the SYSLOG server automatically during every defined interval in Session Log email notification. Session Log allows uploading the log file to an FTP server periodically. The maximum log file size is 256K. The log file will be sent to the FTP server once the file size reaches its max size or periodical time interval.
4.6 Tools
This section provides information on utilities used for customizing and maintaining the system, including Setup Wizard, Password Change, Backup & Restore, System Upgrade, Restart, Utilities and Quick Links.
[Screenshot: DSA-3600 Multi-Service Business Gateway web interface, Tools menu (Setup Wizard, Password Change, Backup & Restore, System Upgrade, Quick Links). Setup Wizard, Step 2, General: "It is recommended to change administrator's password and select an appropriate time zone for the system." Fields: New Password; Time Zone: (GMT+08:00) Taipei]
4.6.1 Setup Wizard
The administrator can configure the DSA-3600 via its web management interface as specified. In order to connect to the Internet, the TCP/IP related information such as IP address, subnet mask and gateway address must first be obtained from the ISP. The Configuration Wizard uses
65. Points
IV. DWL-8200AP
DWL-8200AP Templates settings allow users to configure 802.11a and 802.11b and g mode settings. The connection can be selected to enable 802.11a, 802.11b/g, or be disabled.
Compatible with 802.11a, 802.11b and 802.11g Devices: Fully compatible with the IEEE 802.11a, 802.11b and 802.11g standards, the DWL-8200AP can connect with existing 802.11b, 802.11g or 802.11a compliant wireless network adapter cards. It is compatible with the 802.11b standard to provide a wireless data rate of up to 11Mbps.
Template settings (screen). General: Subnet Mask, Default Gateway, Time Zone, SNTP/NTP Server IP, Daylight Saving Time, SNMP. SYSLOG: System Activity, Wireless Activity, Notice, Remote SYSLOG Server, SMTP. Wireless Global Settings: SSID Broadcast, Internal station connection between 802.11a & 802.11g, Antenna Diversity, Load Balance. 802.11a Mode Settings, Properties: Data Rate, Fragment Length (Default: 2346, Range: 256-2346), RTS Length (Default: 2346, Range: 256-2346), Beacon Interval (ms) (Default: 100, Range: 20-1000 msec), DTIM (Default: 1, Range: from 1 to 255), Transmit Power, WMM, Internal St
66. [Screenshot: user list]
• Add User: Click this button to enter into the Adding User(s) to the List interface. Fill in the necessary information such as Username, Password, MAC and Remark. Select a desired Policy and choose whether to enable Local VPN. Only Username and Password are required information. Check the desired service zone(s) in the Service Zones area; it means that the client is able to log in to the system via the checked service zone(s). The rest are optional. For the Policy configuration, please check the section on Policy Configuration. Click Apply to complete adding the user or users.
[Screenshot: Adding User(s) to the List. Per-user fields: Username, Password, MAC Address, Policy, Remark, Service Zones (Default, SZ1, SZ2, SZ3, SZ4), Enable Local VPN]
• Upload User: Click this to enter the Upload User from File interface. Click the Browse button to select the text file for uploading user accounts, then click Upload to execute the upload process. The file for uploading should be a text file containing in each line the following information: Username, Password, MAC Address, Applied Policy, Remark, Local VPN enabled. There must be no spaces between the fields and commas. The MAC field can be omitted but the trailing comma mu
67. RL https
5. Logout Success Page
The administrator can apply their own Logout Success Page. As the process is similar to that of the Login Page, please refer to the instructions on Login Page for more details.
• Logout Success Page > Default Page: Choose Default Page to use the default logout success page.
[Screenshot: Logout Success Page Selection for Users, Service Zone: Default (Default Page, Template Page, Uploaded Page, External Page). Default Page Setting, Service Zone: Default: "This is the default logout success page for users. You could click Preview to preview the default logout success page." Preview]
• Logout Success Page > Template Page: Choose Template Page to make a customized Logout Success Page. Click Select to pick up a color and then fill in all of the blanks. Click Preview to see the result first.
[Screenshot: Logout Success Page Selection for Users, Service Zone: Default. Template Page Setting: Color for Title Background, Color for Title Text, Color for Page Background, Color for Page Text (Select; RGB values in hex mode); Title: Logout Success Page; Information: Logout Successfully]
• Logout Success Page > Uploaded Page: Choose Uploaded Page to get the logout success page for upload. Click the Browse button to select th
68. [Screenshot: Authentication Settings. Authentication Required For the Zone: Enabled / Disabled. Authentication Options (Auth Option, Auth Database, Postfix, Default, Enabled): Server 1, LOCAL, local; Server 2, POP3, pop3; Server 3, RADIUS, radius; Server 4, LDAP, ldap; On-demand User, ONDEMAND, ondemand; SIP]
Click the Apply button to activate the changes for the default service zone. We can restart the system later, since we want to continue to configure a second service zone for the on-demand users. Following similar procedures, click on the Service Zones menu item on the Menu Tree again; this time is to configure another service zone, such as SZ1. Enter its Basic Settings page. Enable the service zone, enter the IP address of the Preferred DNS server, and set its SSID for On-demand users, such as ssid guest.
[Screenshot: Basic Settings. Service Zone Status; Service Zone Name; Network Interface: Operation Mode, IP Address, Subnet Mask; DHCP Server: Disable DHCP Server, Enable DHCP Server (Start IP Address, End IP Address, Preferred DNS Server, Alternate DNS Server, Domain Name, WINS Server, Lease Time, Reserved IP Address List), Enable DHCP Relay]
Remember to enable Authentication requirement for
69. SID must be the same for all devices in the wireless network. It is case sensitive and has a maximum length of 32 bytes.
• Channel: Select the appropriate channel from the list to correspond with the network settings; for example, 1 to 11 channels are suitable for the North America area.
• Data Rate: The default is Auto. Available range is from 1 to 54Mbps. The rate of data transmission should be set depending on the speed of the wireless network. Select from a range of transmission speeds or keep the default setting Auto to make the Access Point automatically use the fastest rate possible.
• Fragment Length: The fragmentation threshold determines whether packets will be fragmented. Enter a value between 256 and 2346.
• RTS Length: Enter a value between 256 and 2346. When a wireless client would like to send a packet which is larger than this value, it transmits an RTS and waits for a reply.
• Beacon Interval (ms): Enter a value between 20 and 1000 msec. The default value is 100 milliseconds. The entered time means how often the beacon signal is transmitted between the access point and the wireless network.
• DTIM Interval (Delivery Traffic Indication Message): Enter a value between 1 and 255.
• Preamble: Select Long Only or Short and Long. A short preamble is recommended for high-traffic networks.
• Transmit Power: Select either Full, Half (-3dB), Quarter (-6dB), Eighth (-9dB), or Minimum (minimum power).
• Internal Stat
70. [Screenshot: System Overview page. System: System Time, Up Time, F/W Version. Access Points: Total Managed, Down, Associated Clients]
[Screenshot: Help window in Microsoft Internet Explorer. Online Help Interface: Introduction; Tools (Setup Wizard, Password Change, Backup & Restore, System Upgrade, Restart, Utilities, Quick Links); System Overview; System]
Appendix A External Network Access
Appendix A An Example of User Login
Normally, users will be authenticated before they get network access through DSA-3600. This section presents the basic authentication flow for end users. Please make sure that the DSA-3600 is configured properly and network related settings are finished.
1. Open an Internet browser and try to connect to any website. The default user login page will appear in the browser. Enter the username and password (for example, we use a local user account test@local here) and then click the Login button. If you want the computer to remember your Username and Password the next time you log in, tick Remember me before clicking Login.
Note: If you see the Certificate Error, please press Continu
71. [Figure 4.1.5b: An example using Port-Based service zones. Diagram labels: WAN1, DSA-3600, SSID 2, ssid staff, ssid guest, Service Zone (VLAN) for staff, Service Zone (VLAN) for guests]
4.1.6 Service Zones
A Service Zone is a logical network area to cover certain wired and wireless networks in an organization, such as SMB or branch offices. By associating a unique VLAN Tag and SSID with a Service Zone, administrators can separate the wired network and wireless network into different logical zones. Users attempting to access the resources within the Service Zone will be controlled based on the access control profile of the Service Zone, such as authentication, security feature, wireless encryption method, traffic control, etc. There are up to five Service Zones to be utilized; by default they are named Default, SZ1, SZ2, SZ3 and SZ4, as shown in the table below. For more details about Service Zones, please refer to Appendix E and F.
[Screenshot: Service Zone Settings (columns: Service Zone Name, LAN Port Mapping, SSID, WLAN Encryption, Applied Policy, Default Authen Option, Status, Details). Default: SSID dlink, WLAN Encryption None, Applied Policy None, Default Authen Option Server 1, Status Enabled. SZ1, SZ2, SZ3, SZ4: WLAN Encryption None, Applied Policy None, Default Authen Option Server 1, Status Disabled]
Service Zone Settings (screen, columns): Service Zone Name, VLAN Tag, SSID, WLAN Encryption, Applied Policy, Default Authen Option, Details
72. UAM user (User Authentication Management). While monitoring online SIP users, the page should show registered SIP clients through SIP authentication.
4.5.5 User Logs
This function is used to check the history of DSA-3600. There are several types of log provided by the system. The log will be saved separately by day in the DRAM, and the system supports up to 3 days. These logs are stored in volatile memory and will be lost when the system is turned off.
[Screenshot: log lists by date. Users Log, On-demand Users Log, Roaming Out User Log and Roaming In User Log (columns: Date, Size (Byte)); SIP Call Usage Log (columns: Date, Call Count); Monthly Network Usage of Local User (columns: Month, No. of Entries, Usage Data: Download)]
Caution: Since the history is saved in the DRAM, if you need to restart the system and also keep the history, then please manually copy and save the information before restarting.
If the Receiver E-mail Address for System Log has been entered under the E-mail & SYSLOG page, then the system will automatically send out the history information to that e-mail address.
• Users Log: The Users Log provides users' login and logout activities, excep
73. User Access Control; B. Network Security (examples: Firewall, VLAN and VPN); C. Web-based administration and centralized AP management; D. General networking features. 2.2 System Concept. Small and Midsize Business (SMB) Network Environment: Networking devices such as switches, hubs and access points are usually included in SMB environments. The Internet connection of an SMB is usually via ADSL or cable modem. Figure 2.2a shows a typical network deployment example, which includes switches, access points and connections to the Internet via ADSL/cable modem. The DSA-3600 provides user authentication, authorization and management. The user account information is stored in the local database or in specified external database servers. User authentication is processed via the SSL-encrypted web interface. This interface is compatible with most desktop devices and palm computers. The appended figures are typical examples of the DSA-3600 deployed in an SMB environment. Figure 2.2b shows the DSA-3600 authenticating the users of its built-in database as well as the users of an external authentication database. Both LAN and WLAN can be secured by IPSec VPN. PPTP VPN is supported for remote users to increase security at remote sites. The DSA-3600 also supports Site-to-site VPN, WAN Failover and DMZ. The DSA-3600 can be used to control access to the company's intranet. In a managed network that includes cable and wireless network users, users located at the managed network c
74. WAN Failover & Connection Detection. The DSA-3600 supports the WAN Failover / Load Balancing feature and the ability to detect the WAN connection. • Target for detecting Internet connection: To verify the connection to the Internet, the system keeps up to three targets (IP or Domain Name). The system uses these targets as the detection targets for Enable Load Balancing and Warning of Internet Disconnection. To enable WAN Failover, at least one target must be configured. • Enable Load Balancing: Check this option to activate the system's load balancing function. The system will allot all traffic to WAN1 and WAN2 by the weight ratio. The weight ratio between WAN1 and WAN2 can be based on Sessions, Packets or Bytes. > WAN1 Weight: Enter a value in the range 1-99. The default is 50. > Base: Three bases of the Load Balancing ratio are supported: session, packet and byte. Packet and Byte are based on historic downlink data. New connection sessions will be distributed between WAN1 and WAN2 by a weight ratio using a random number. Limitation: o DMZ hosts will be excluded from WAN Load Balancing. o SIP authentication is excluded from WAN Load Balancing. Chapter 4 Web Interface Configuration. [Screenshot: Target for detecting Internet connection (two IP/Domain Name entries), Connection Detection, Enable Load Balancing, WAN1 Weight 50 (Range: 1-99), Base: Sessions, Warning of Internet Disconnection] When I
75. [Screenshot: Setup Wizard step 1. It is recommended to change the administrator's password and select an appropriate time zone for the system. Fields: New Password, Verify Password, Time Zone.] Step 2: WAN1 Interface. Select the Connection Type for the WAN1 Port. Select an Internet connection type for the WAN1 interface. Contact your ISP or the network administrator to make sure of the connection type for WAN1. There are three connection types provided by the DSA-3600: Static, Dynamic and PPPoE. Enter the Username and Password provided by the ISP. Click Next to continue, or click Back to change configurations in the previous step. Dynamic IP Address: If this option is selected, an appropriate IP address and related information will be assigned automatically. Click Next to continue. [Screenshot: Setup Wizard, WAN1 Interface, Step 2, with options Static (use the following IP settings), Dynamic (IP settings assigned automatically) and PPPoE] Chapter 4.6 Tools. Static IP Address: Set WAN1 Port's Static IP Address. Enter the IP Address, Subnet Mask and Default Gateway provided by the ISP. Click Next to continue. PPPoE: Set PPPoE Client's Information. Enter the Username and Password provided by the ISP. Click Next to continue. Chapter 4 Web Interface Configuration. Step 3: Local User Account (Optional). Local User: Add User. New local accounts can be added into the loc
76. ager of the Internet Explorer will stop the running of ActiveX, which may result in the IPSec tunnel not being able to work properly at the client's device. A reboot of the client's device is needed to clear the IPSec tunnel. d. The crash of Windows Internet Explorer may cause the same result. Appendix H IPSec VPN. 3. Internet Connection Firewall: In Windows XP and Windows XP SP1, the Internet Connection Firewall is not compatible with IPSec. Internet Connection Firewall will drop packets from tunneling of IPSec VPN. [Screenshot: Windows Ethernet Status and Ethernet Properties dialogs, Advanced tab, showing the Internet Connection Firewall and Internet Connection Sharing options] Suggestion: Please TURN OFF the Internet Connection Firewall feature or upgrade the Windows OS to Windows XP SP2. 4. ICMP and Active Mode FTP: On Windows XP SP2 without patch KB889527, ICMP packets will be dropped from the IPSec tunnel. This issue can be fixed by applying patch KB889527. Before enabling IPSec VPN function on client device please acc
77. al user database. Enter the Username (e.g. testuser) and Password (e.g. testuser) of the desired new account to add a new local account into the system. Click Skip to exit step 3, or click Next to validate the added local accounts and continue. [Screenshot: Setup Wizard, Local User Account (Optional), with Username and Password fields. You can choose to add local user accounts for a quick configuration.] Step 4: Confirm and Restart. Click the Finish button to save the current settings and restart the DSA-3600. A confirmation message will appear after clicking Finish. Click OK to continue. The Setup Wizard is now completed. [Screenshot: Setup Wizard, Confirm and Restart. Press Finish button to confirm the settings and restart the system.] Chapter 4.6 Tools. [Screenshot: Microsoft Internet Explorer dialog asking "Are you sure you want to restart the system now?"] While the DSA-3600 is restarting, a Confirm and Restart page will appear on the screen. Please do not interrupt the DSA-3600 until the DSA-3600 Administrator Login Page reappears. This indicates that the restart process has been completed. [Screenshot: Setup Wizard, Confirm and Restart]
78. amic. These settings will become effective immediately after clicking Apply. [Screenshot: Dynamic DNS form with DDNS (Enable/Disable), Provider (DynDNS.org), Host name, Username/E-mail and Password/Key fields] • DDNS (Dynamic DNS): Choose to enable or disable this function. • Provider: Select the DNS provider. • Host name: The IP address/domain name of the WAN port. • Username/E-mail: The register ID (username or e-mail) for the DNS provider. • Password/Key: The register password for the DNS provider. Note: The fields with red asterisks are required to be filled in. Chapter 4.4 Network. 4.4.7 Client Mobility. The DSA-3600 supports the IP PNP function. When enabled, this function allows clients with a fixed or assigned IP address to authenticate through the DSA-3600 to access the network. By enabling IP PNP, a PC with a static IP address will be able to access the network even if the system enables the built-in DHCP server. No TCP/IP reconfiguration is needed. [Screenshot: Client Mobility, IP PNP (Enable/Disable)] • IP PNP: When IP PNP is enabled, a PC with a static IP address can still access the network even if the system enables the built-in DHCP server. No TCP/IP reconfiguration is needed. Chapter 4 Web Interface Configuration. 4.4.8 VPN. Virtual Private Network (VPN) is designed to increase the security of information transferred over the Internet. VPN can work with wired or wireless networks and dial up connecti
79. an be set to be unable to access the network resource without permission. In the event that access right to the network beyond the managed area is required, an Internet browser such as Internet Explorer may be opened to connect to any website. When the browser attempts to connect to a website, the DSA-3600 will force the browser to redirect to the user login webpage. The user must then enter the username and password; upon successful identification and authentication, the user will be granted the proper access right as defined in the DSA-3600. Chapter 2 Overview. Figure 2.2a: An example deployment using DSA-3600 (diagram labels: Internet, Built-in Account Database, External Auth Server, DSA-3600, VLAN 1 Tag 1111, VLAN 2 Tag 2222, Managed APs, SSID SZ1 Employee, SSID SZ2 Guest, Service Zone 1 for Employees, Service Zone 2 for Guests). Figure 2.2b: An example of SMB environment using DSA-3600 (diagram labels: Internet, Built-in Account Database, NT Domain Server, Radius Server, DSA-3600, Private LAN Switch, Intranet, VLAN 1 Tag 1111, VLAN 2 Tag 2222, Managed APs, SSID SZ1 Employee, SSID SZ2 Guest, Service Zone 1 for Employees, Service Zone 2 for Guests). Chapter 3 Hardware Installation Chapt
80. [Screenshot: access point wireless settings: Data Rate Auto; Fragment Length 2346 (Default: 2346, Range: 256-2346); RTS Length 2346 (Default: 2346, Range: 256-2346); Beacon Interval 100 ms (Default: 100, Range: 20-1000 msec); DTIM 1 (Default: 1, Range: 1 to 255); Preamble Short and Long; Transmit Power Full; WMM Enabled; Internal Station Connection Enabled; Access Control by MAC Address: Status Disabled, Access Control List] Subnet Mask: The default is 255.255.255.0. All devices in the network must share the same subnet mask. Default Gateway: The default is 192.168.1.1. Enter the gateway IP address for the network (typically a router). SNTP/NTP: The time server IP address, time zone and the local time will be displayed. Chapter 4 Web Interface Configuration. > Time Zone: Select your time zone from the drop-down menu. > SNTP/NTP Server IP: Enter the IP address of an SNTP/NTP server. > Daylight Saving Time: Check the box to enable daylight saving time. SNMP: > Public Community: When enabled, change the Public Community Name here. > Private Community: When enabled, change the Private Community Name here. SYSLOG: > System Activity: Select Enable to allow the logging of system actions, such as logging a firmware upgrade. > Wireless Activity: Select Enable to allow the logging of any wireless clients that connect to the AP. > Notice: Select Enable to allow all other
81. [Screenshot: interface status table showing the MAC address, IP address and subnet mask of WAN1, WAN2 and the service zone, with DHCP server fields Status, WINS IP Address, Start IP Address, End IP Address and Lease Time] Chapter 4 Web Interface Configuration. The description of the table is as follows. WAN1: MAC Address: The MAC address of the WAN1 port. IP Address: The IP address of the WAN1 port. Subnet Mask: The Subnet Mask of the WAN1 port. WAN2: MAC Address: The MAC address of the WAN2 port. IP Address: The IP address of the WAN2 port. Subnet Mask: The Subnet Mask of the WAN2 port. Packets In/Out: Accumulated traffic counts, in packets, of WAN1 and WAN2 since system boot-up are displayed; the delta counts (current, last) are also displayed, and they are counted and displayed only during the period when the page is being refreshed. Bytes In/Out: Accumulated traffic counts, in bytes, of WAN1 and WAN2 are displayed; the delta counts (current, last) are also displayed, and they are counted and displayed only during the period when the page is being refreshed. Service Zone - Default: Mode: The mode address of the default service zone. MAC Address: The MAC Address of the default service zone. IP Address: The IP address of the default service zone. Subnet Mask: The Subnet Mask of the default service zone. Enable/Disable stands for the status of the built-in DHCP server on the service zone. Servic
82. ays, Recurring and One Time. Recurring is set with the hours within a week. Action for Matched Packets: There are two options: Block and Pass. Block prevents packets from passing, and Pass permits packets to pass. B. Specific Route Profile: Click the Setting button for Specific Route Profile, and the Specific Route Profile list will appear. The Default Gateway of WAN1, WAN2 or a desired IP address can be defined in a policy. When Default Gateway is enabled, all clients to which this policy is applied will access the Internet through this default gateway. [Screenshot: Policy 1, Specific Default Route (Enable; Default Gateway: WAN1 Default Gateway, WAN2 Default Gateway or IP Address) and Specific Routes table with columns Route No., Destination IP Address, Destination Subnet Netmask and Gateway IP Address] > Enable: Check this option to apply the Default Gateway. Chapter 4 Web Interface Configuration. > Default Gateway: Select the default gateway as WAN1, WAN2 or an assigned IP Address. > IP Address (Destination): The destination IP address of the host or the network. > Subnet Netmask: Select a destination subnet netmask of the host or the network. > IP Address (Gateway): The IP address of the next router to the destination. C. Schedule Profile: Click the Setting button for Schedule Profile to enter the Schedule Profile list. Select Enable to show the list. This function is used to restrict the h
83. [Screenshot: system summary listing User Logs, Receiver E-mail Address, NTP Server, System Time, Idle Time Out (10 Min(s)), User Session Control (Multiple Login: Disabled) and DNS (Preferred DNS Server, Alternate DNS Server)] Link 2: Online User List. The Online Users List provides information from the Users List, a shortcut to 4.5.3 Online Users in the Status section. This list shows the administrator at a glance all the users online, for easy termination of any user session. Please refer to the section on Online Users for details. [Screenshot: Online Users List with columns Username, IP Address, MAC Address, Pkts In, Bytes In, Pkts Out, Bytes Out, Idle, Access From and Kick Out] Link 3: Local User Management. Local User Management provides information from the Local User List, a shortcut to 4.3.1 List in Access Points sections and 4.1.6 Service Zone > Authentication Settings, as well as Authentication database > Local in System. It lets the administrator add supported APs from Discovery or from the Adding menu tab, reboot, disable and delete managed APs, and apply template. Please refer to the section on Local User List for details. Chapter 4 Web Interface Configuration. [Screenshot: Local User List with columns Username, Password, MAC Address, Applied Policy, Service Zones, Local VPN Enabled and Remark] Link 4: On-demand Account Management. On-demand Account Management provides information
84. b management interface again. [Screenshot: confirmation prompt "Do you want to RESTART the system?"] Note: The connection of all online users on the system will be disconnected when the system is in the process of restarting. 4.6.6 Utilities. Chapter 4.6 Tools. The Utilities allow the administrators to manage functions including Wake on LAN, Ping, Trace Route and showing the ARP Table by entering an IP or Domain Name. [Screenshot: Network Utilities page with Wake on LAN, Ping, Trace Route and ARP Table controls, and a Result pane showing the output of a ping to 192.168.1.1 with 4 packets transmitted, 4 received, 0% packet loss] Wake on LAN: It supports booting up a powered-down computer with the Wake on LAN feature, connected on the LAN side, remotely from the system. Enter the MAC Address of the desired device and click the Wake Up button to execute this function. or Host domain name that it will show all the nodes between gateway and destination together from each interface that stored in gateway Ping: The Ping function lets the administrator detect a device with IP or Host domain name t
85. ber from the drop-down box. SMTP Setting Test: Test if the settings are correct or not. > Sender E-mail Address: The e-mail address of the sender in charge of the monitoring. > SMTP Server: The IP address of the SMTP server. > SMTP Auth Method: The system provides four authentication methods, Plain, Login, CRAM-MD5 and NTLMv1, or None to use none of the above. Depending on which authentication method you select, you have to enter the Account Name, Password and Domain. o NTLMv1 is not currently available for general use. Chapter 4.6 Tools. o Plain and CRAM-MD5 are standardized authentication mechanisms, while Login and NTLMv1 are Microsoft proprietary mechanisms. Only Plain and Login can use the UNIX login password. Netscape uses Plain. Outlook and Outlook Express use Login as default, although they can be set to use NTLMv1. o Pegasus uses CRAM-MD5 or Login, but which method to use cannot be configured. SYSLOG Server Settings: There are 2 types of SYSLOG supported: System Log and On-demand Users Log. Enter the IP address and Port number to specify which and from where the report should be sent to. Note: When the number of a user's sessions (TCP and UDP) reaches the session limit specified in the policy, a record will be logged to this SYSLOG server. For more information about Session Limit, please refer to Appendix K. FTP Server Settings: > Session Log: Log each connection created by users and tracking the source I
86. can add extra information here about each On-demand User. Roaming Out User Log: The Roaming Out User Log provides the login and logout activities of roaming out users, such as Date, Type, Name, NASID, NASIP, NASPort, UserMAC, SessionID, SessionTime, Packets In and Packets Out, Bytes In, Bytes Out, and Message. [Screenshot: Roaming Out User Log 2007-08-13 with columns Date, Type, Name, NASID, NASIP, NASPort, UserMAC, SessionID, SessionTime, Bytes In, Bytes Out, Pkts In, Pkts Out and Message] > Type: The authentication and accounting type of the external RADIUS server. There is a type called Accept for authentication. There are three types of accounting: Start, Interim update and Stop. > Name: The user name of the roaming out user. > NASID: The System ID of the system. Usually NASID is the MAC address of the WAN port of the system. > NASIP: The IP address of the WAN port of the system. > NASPort: The port of the WAN port of the system. > UserMAC: The MAC address of the user. > SessionID: The system will give a unique Session ID to an authenticated user when he/she starts a new session. > SessionTime: The time in seconds of this session. > Bytes In/Out: The traffic amount of inbound/outbound traffic based on byte. > Pkts In/Out: The traffic amount of inbound/outbound traffic based on packet. > Message: The system response of why the client stops this session. Chapter 4 Web Interface Configuration. Roaming In User Log: The Roaming In User Log
87. ce. When POP3 Server is enabled, at least one POP3 server will be required. The Local VPN function can be enabled for clients authenticated by the POP3 authentication method. [Screenshot: Authentication Option, Server 2, with Name (Server 2), Postfix (pop3), Black List (None), Authentication Database (POP3) and Enable Local VPN; Primary POP3 Server and Secondary POP3 Server, each with Server (Domain Name/IP Address), Port (Default: 110) and SSL Connection (Enable)] Name: Set a name for the server using numbers (0-9), alphabets (a-z or A-Z), dash (-), underline (_) and dot (.) within a maximum of 40 characters. All other characters are not allowed. Postfix: Set a postfix that is easy to distinguish (e.g. Local) for the server using numbers (0-9), alphabets (a-z or A-Z), dash (-), underline (_) and dot (.) within a maximum of 40 characters. All other characters are not allowed. Black List: There are five sets of the black lists. Select one of them or choose None. For details, please refer to 4.2.2 Black List. Authentication Database: There are five authentication methods to configure from: Local, POP3, RADIUS, LDAP and NT Domain. Select the desired method and then click the link beside the pull-down menu for more advanced configuration. Local authentication method can be chosen for one Auth Option. Enable Local VPN: When Local VPN function is enabled for the authentication option upon
88. [Screenshot: Client's Purchasing Record (Invoice Number, Change the Number, Description (Item Name): Internet Access, Title for Message to Seller: Special Note to Seller) and PayPal Payment Page Remark Content] > PayPal Payment Page Configuration: Business Account: This is the Login ID (email address) that is associated with the PayPal Business Account. Payment Gateway URL: This is the default website address to post all transaction data. Identity Token: This is the key used by PayPal to validate all the transactions. Verify SSL Certificate: This is to help protect the system from accessing a website other than PayPal. Currency: It is the currency to be used for the payment transactions. > Service Disclaimer Content: View service agreements and fees for the standard payment gateway services here, as well as adding new or editing services disclaimer. > Choose Billing Plan for PayPal Payment Page: These 10 plans are the plans configured in the Billing Plans page, and all previously enabled plans can be further enabled or disabled here as needed. Enable/Disable: Choose to enable or cancel the plan. Quota: The usage time or condition of each plan. Price: The price charged for this plan. > Client's Purchasing Record: Starting Invoice Number
89. [Screenshot: LAN Ports and Service Zone Mapping page, with mode selection Port-Based / Tag-Based and a Service Zone drop-down for each of LAN1 to LAN4] Assume LAN1, LAN2 and LAN3 will be used by the Default service zone for internal staff, while LAN4 is to be assigned to another service zone for external users only. In the above-mentioned page, click LAN4's drop-down menu to select the desired second zone, such as SZ1, for LAN4 (select only enabled service zones). Click Apply and reboot the system. [Screenshot: LAN Ports and Service Zone Mapping. Select the mode for Service Zone: Port-Based / Tag-Based. Specify a desired Service Zone for each LAN Port.] In tag-based mode, each LAN port can serve traffic from any service zone, because VLAN tags carried in the message frame will not be modified. In port-based mode, each LAN port can only service traffic of one service zone, where all messages through the LAN port will be re-tagged with the tag assigned to the port. Compare Figure 4.1.5a and Figure 4.1.5b to see the differences. Figure 4.1.5a: An example using Tag-Based service zones (diagram labels: ISP, Internet, WAN1, DSA-3600, SSID 1, SSID 2, ssid: staff, ssid: guest, Service Zone/VLAN for staff, Service Zone/VLAN for guests). Chapter 4.1 System. For single zone deployment, use the Default service zone with port-based mode. [Diagram labels: ISP, Internet]
90. ce Zones Deployment Examples. Typical Application Scenario: Employees vs. Guests. Typical service zone settings will separate user groups into Employee and Guests for the purpose of different authentication levels. [Screenshot: D-Link DSA-3600 Multi-Service Business Gateway web interface, System > Service Zones, showing the Service Zone Settings table with columns Service Zone Name, VLAN Tag, SSID, WLAN Encryption, Applied Policy and Default Authen Option] > Application Network Diagram: As shown in the diagram, assign service zone 1 to Employees and service zone 2 to Guest. [Diagram labels: DSA-3600, VLAN 1 Tag 1111, VLAN 2 Tag 2222, Managed APs, SSID SZ1 Employee, SSID SZ2 Guest, Service Zone 1 for Employees, Service Zone 2 for Guests] Appendix E Service Zones Deployment Examples. > Requirements for the Application Scenario: 1. Regardless of the location in the office, all users should be divided into two groups, Employee and Guest, for the purpose of authentication diff
91. ce zone. [Screenshot: Default Policy in this Service Zone: Policy 1 (Edit System Policies); Email Message for Login Reminding (Edit Mail Message)] Appendix E Service Zones Deployment Examples. Finished Configuration: Service Zone Settings. Once the settings of the two service zones are completed, the configured result will be displayed on screen in the Service Zone Settings. The name of the service zone and the enabled status should appear in the display. [Screenshot: Service Zone Settings table showing the Default, Employee (VLAN Tag 1111) and Ondemand (VLAN Tag 2222) zones as Enabled, and SZ3 and SZ4 as Disabled] Appendix F Deploying DSA-3600 Using DWL-2100AP. Wireless Features of DWL-2100AP: Wireless security can be addressed using the DWL-2100AP access point with WPA (Wi-Fi Protected Access) and 802.1X authentication to provide a higher level of security for data communication among wireless clients. The DWL-2100AP is fully compatible with industry standards such as WEP and can support Multiple SSIDs, each of which can be mapped to a specific Service Zone (see Section 4.1.6 Service Zone) defined in the DSA-3600. Using the Service Zo
92. [Screenshot: Internet Explorer Local Area Network (LAN) Settings and Proxy Settings dialogs, showing the automatic configuration options, the "Use a proxy server for your LAN" option and the proxy address and port fields] Note: 1. It is required that the proxy server setting of the clients match at least one of the proxy server settings of the DSA-3600. Otherwise, users will not be able to get the Login page for authentication via browsers, and the browser will show an error page. 2. When the Built-in Proxy Server is enabled, all the outgoing proxy requests will be processed by the built-in proxy server. This will be useful when the specific proxy servers of clients are not listed in the External Proxy Servers setting. Appendix C Proxy Configuration. Using Extranet Proxy Server: The second scenario is that a proxy server is placed in the Extranet, such as DMZ, which all users from the Intranet or the Internet are able to access. For example the f
93. d the system allows the VPN tunnel between a remote client and the system to encrypt the data transmission via PPTP. The system's VPN supports end users' devices under Windows 2000, Windows XP SP1/SP2 and Windows Vista. The Start IP field must be entered when enabled. The Client Policy, Supported Authentication Servers and the Remote VPN login page can also be customized here. Check the Enable or Disable radio button in the Active column to activate or deactivate this function. If the Remote VPN function is enabled, enter the Start IP in the Client IP Address Range column. Note: Vista users have to check enable in the Active column. Chapter 4.4 Network. SIP transparent proxy will help the SIP traffic of authenticated Remote VPN users when the SIP service is enabled in the last service zone. Remote users can use SIP when SIP Configuration here is enabled. [Screenshot: Remote VPN For The Entire System, with Active (Enable/Disable), IP Address Range Assignment (Start IP Address 192.168.5.2, support up to 10 PPTP connections), SIP Configuration (Enable, WAN Interface: WAN1), Authentication Options (Server 1 LOCAL, Server 2 POP3, Server 3 RADIUS, Server 4 LDAP), Client Policy and Client Login Page] Site-to-Site VPN: When the setting is enabled, the system will enable the IPSec VPN tunnel between two remote networks/sites
94. [Screenshot: Windows Local Area Connection Properties dialog listing File and Printer Sharing for Microsoft Networks and Internet Protocol (TCP/IP), with Install, Uninstall and Properties buttons] Appendix G Network Configuration on PC. 4. Using DHCP: To use DHCP, choose "Obtain an IP address automatically" and click OK. This is the default setting of Windows. Reboot the PC to make sure an IP address is obtained from the DSA-3600. [Screenshot: Internet Protocol (TCP/IP) Properties dialog, General tab] 5. Using Specific IP Address: To use a specific IP address, please request from your network administrator the following information of the DSA-3600: IP address, Subnet Mask, New gateway and DNS server address. Choose "Use the following IP address" and enter the information given from the ne
95. dix K Accepting Payments via PayPal. [Screenshot: on-demand account record] As stated by PayPal, you can issue a full or partial refund for any reason and for 60 days after the original payment was sent. To find the on-demand account name for a specific payment, click Details of the payment listing in the activity history log > Username can be found in the Item Title field. 2.3 Send an email receipt to a customer: If a valid email address is provided, an email receipt with payment details for each successful transaction will be automatically sent to the customer via PayPal. To change the information on the receipt for the customer, please log in to the DSA-3600: Users > Authentication > Click the Option On-demand User > On-demand User Server Configuration > External Payment Gateway > Click Configure > Select PayPal > Go to Client's Purchasing Record section > Type in information in the text boxes Starting Invoice Number and Description (Item Name) > Confirm and click Apply. [Screenshot: Client's Purchasing Record with Starting Invoice Number, Change the Number, Description (Item Name) and Title for Message to Seller fields] 2.4 Send an email receipt for each transaction to the merchant: A copy of the email receipt with payment details (including available message/note from buyer) for each successful
96. After the upload is completed, the customized logout page can be previewed by clicking Preview at the bottom of this page. If restoring the factory default setting is needed for the logout interface, click the Use Default Page button. 3. Login Success Page: The administrators can apply their own Login Success page. As the process is similar to that of the Login Page, please refer to the Login Page instructions for more details. • Login Success Page > Default Page: Choose Default Page to use the default login success page. [Screenshot: Login Success Page Selection for Users, Service Zone: Default, with options Default Page, Template Page, Uploaded Page and External Page; Default Page Setting with a Preview button] • Login Success Page > Template Page: Choose Template Page to make a customized login success page. Click Select to pick a color and then fill in all of the blanks. Click Preview to see the result first. [Screenshot: Template Page Setting with Color for Title Background, Color for Title Text and Color for Page Background, each selected as RGB values in hex mode] Chapter 4.1 S
97. e Destination Subnet Mask: Select the source and destination subnet masks.
- Source MAC Address: The MAC address of the source IP address. This is for specific MAC address filter.
- Source/Destination IPSec Encrypted: Check the box for only filtering on the encrypted traffic.
- Service Protocol: There are defined protocols in the service protocols list to be selected.
- Schedule: When schedule is selected, clients assigned with this policy are applied the firewall rule only within the time checked. There are three options: Always, Recurring and One Time. Recurring is set with the hours within a week.
- Action for Matched Packets: There are two options, Block and Pass. Block is to prevent packets from passing and Pass is to permit packets passing.

B. Specific Route Profile
Click the button of Setting for Specific Route Profile; the Specific Route Profile list will appear.

[Screenshot: Global Policy, Specific Routes table with columns Route No., Destination (IP Address, Subnet Netmask) and Gateway (IP Address)]

- Route No.: The number of route.
- IP Address (Destination): The destination IP address of the host or the network.
- Subnet Netmask: Select a destination subnet netmask of the host or the network.
- IP Address (Gateway): The IP address of the next router to the destination.

C. Privilege Profile
Click the button of Setting for Privilege Profile to enter the Pri
98. e Duration (seconds)

[Screenshot: call log table with columns Start Time, Caller, Callee and Duration (seconds)]

- Start Time: The starting time (date, year) of the call.
- Caller: The caller's address.
- Callee: The receiver's address.
- Duration (seconds): The time in seconds of the duration.

Monthly Network Usage of Local User
The Monthly Network Usage provides the monthly activities of local users, such as Username, Connection Time Usage, Packets In, Bytes In, Packets Out and Bytes Out. The system will record the network usage of local users every month. In addition, the data will be stored locally for up to two months and can be exported as a text file in CSV format.

[Screenshot: Monthly Report 2007-11, a table with columns Username, Connection Time Usage, Packets In, Bytes In, Packets Out and Bytes Out]

- Username: Username of the local user account.
- Connection Time Usage: The total time used by the user.
- Pkts In / Pkts Out: The total number of packets received and sent by the user.
- Bytes In / Bytes Out: The total number of bytes received and sent by the user.

4.5.6 E-mail & SYSLOG
The system supports sending notification e-mails of Monitor IP Report, Users Log, On-demand Users Log, Sess
99. e No. 1 has the highest priority, Rule No. 2 has the second priority, and so on. Each firewall rule is defined by Source, Destination and Pass/Block action. Optionally, a Firewall Rule Schedule can be set to specify when the firewall rule is enforced. It can be set to Always, Recurring or One Time.

[Screenshot: Global Policy, Firewall Rules table with columns No., Active, Action, Rule Name, Source, Destination, IPSec Encrypted, Service and Schedule]

Selecting the Filter Rule Number 1 as the example:

[Screenshot: Global Policy, Edit Filter Rule form with Rule Number, Rule Name, Source and Destination (Interface/Zone, IP Address, Subnet Mask, IPSec Encrypted, MAC Address), Service Protocol, Schedule (Always, Recurring, One Time) and Action for Matched Packets (Block, Pass)]

- Rule Number: This is the rule selected (1). Rule No. 1 has the highest priority, rule No. 2 has the second priority, and so on.
- Rule Name: The rule name can be changed here.
- Source/Destination Interface/Zone: There are choices of ALL, WAN1, WAN2, Default and the named Service Zones to be applied for the traffic interface.
- Source/Destination IP Address/Domain Name: Enter the source and destination IP addresses. Domain Host filtering is supported but Domain name filtering is not.
- Sourc
100. e Zone

Service Zone Default DHCP Server:
- WINS IP Address: The WINS server IP.
- Start IP Address: The start IP address of the DHCP IP range.
- End IP Address: The end IP address of the DHCP IP range.
- Minutes of the lease time of the service zone.

Service Zone SZ1~SZ4: Enable/Disable stands for status of the SZ1~SZ4 on the service zone.

4.5.3 Routing Table
All the Policy Route rules and Global Policy Route rules will be listed here. Also, it will show the System Route rules specified by each interface.

[Screenshot: routing table listing Destination, Subnet Mask and Gateway for Policy 1 to Policy 12, Global Policy and System]

- Policy 1~8: Shows the information of the individual Policy from 1 to 8.
- Global P
101. [Table of contents residue. Legible entries: 4.2.1.2 Authentication Database POP; 4.2.1.4 Authentication Database LDAP; 4.2.1.5 Authentication Database NT Domain; 4.2.1.6 Authentication Database ONDEMAND]
102. e are 5 lists supported by DSA-3600 for selections.
- Name: Set the name of the black list and it will show in the pull-down menu above.
- Adding User(s): After clicking Adding User(s), the Adding Users to Blacklist page will appear for adding users to the selected black list.

[Screenshot: Adding User(s) to Blacklist1, with columns No., Username and Remark]

After entering the usernames in the Username field and the related information in the Remark field, click Apply to save the settings and the following page will appear.

[Screenshot: Black List Settings, with Select Black List, Name, and a user list with Remark column and Add User(s) button]

If the administrator wants to remove a user from the black list, just select the user's Delete check box and then click the Delete button to remove that user from the black list.

4.2.3 Policy
There are twelve sets of Policy provided by the system and one Global policy. Global is the system's universal policy, including Firewall Profile, Specific Routes Profile and Privilege Profile. Each Policy consists of Firewall Profile, Specific Route Profile, Schedule Profile, QoS Profile and Privilege Profile. Policy1 to Policy12 will be used and shared with the Service Zone default policy settings and Authentication Databases settings. Once a policy is configured, you may assign it to the default policy of a service zone. Two service zones may share th
103. e fastest rate possible.
- Fragment Length: The fragmentation threshold determines whether packets will be fragmented. Enter a value between 256 and 2346.
- RTS Length: Enter a value between 256 and 2346. When a wireless client would like to send a packet which is larger than this value, it transmits an RTS and waits for a reply.
- Beacon Interval (ms): Enter a value between 20 and 1000 msec. The default value is 100 milliseconds. The entered time means how often the beacon signal is transmitted between the access point and the wireless network. Beacons are packets sent by an access point to synchronize a network. Specify a beacon interval value.
- DTIM (Delivery Traffic Indication Message): Enter a value between 1 and 255. DTIM is a countdown informing clients of the next window for listening to broadcast and multicast messages.
- Preamble: Select Long Only or Short and Long. A short preamble is recommended for high traffic networks.
- Transmit Power: Select either Full, Half (-3dB), Quarter (-6dB), Eighth (-9dB) or Minimum (minimum power). This tool can be helpful for security purposes if you wish to limit the transmission range.
- Antenna Diversity: Radio is connected to each antenna and supports auto diversity mode by default. The access point will auto switch to the antenna with better RSSI value.
  o Diversity: The AP will auto switch to the antenna with better RSSI value.
  o Left Antenna: The AP
104. e file for the logout success page upload. Next, click Submit to complete the upload process. After the upload process is completed and applied, the new logout success page can be previewed by clicking Preview button at the bottom.

[Screenshot: Logout Success Page Selection for Users (Service Zone: Default), Uploaded Page selected. Upload Logout Success Page: File Name. Existing Image Files: Total Capacity 512 K, Now Used 0 K. Upload Image Files.]

- Logout Success Page > External Page: Choose the External Page selection and get the logout success page from the specific website. Enter the website address in the External Page Setting field and then click Apply. After applying the setting, the new logout success page can be previewed by clicking Preview button at the bottom of this page.

[Screenshot: Logout Success Page Selection for Users (Service Zone: Default), External Page selected. External Page Setting: External URL http://]

Wireless Settings

[Screenshot: Wireless Settings, with SSID dlink, Security Open System, Enable 802.1X Authentication, RADIUS Server Settings (IP Address, Port, Secret Key) and Encryption None]

- SSID: Each service zone must set up its own SSID. Each SSID is a unique name and cannot be repeated.
- Security: Each service zone can set
105. e same policy. Policies can be selected in the Policy tab. The administrator can select one of the defined policies to have policy-based user management supported by the DSA-3600. All user clients' access to this service zone will be bound to this policy.

[Screenshot: Policy Configuration, Policy 1, with Select Policy, Firewall Profile, Specific Route Profile, Schedule Profile, QoS Profile and Privilege Profile]

4.2.3.1 Global Policy
Global is the system's universal policy, including Firewall Rules, Specific Routes and Privilege, which will be applied to all users unless the user has been regulated and applied to another policy.

[Screenshot: Policy Configuration, Global Policy, with Select Policy, Firewall Profile, Specific Route Profile and Privilege Profile]

- Select Policy: Select Global to set the Firewall Profile, Specific Route Profile and Privilege Profile.
- Firewall Profile: Global policy and each policy have a firewall service list and a set of firewall profile which is composed of firewall rules.
- Specific Route Profile: The default gateway of WAN1, WAN2 or a desired IP address can be defined in a policy. When Specific Default Route is enabled, all clients applied this policy will access the Internet through this default gateway.
- Privilege Profile: Include Maximum Concurrent Session for User, from 10 to Unlimited.

A. Firewall Profile
Click Setting for Firewall Profile. The Firewall C
106. e to this website to continue, or reference Appendix D, Certificate Settings for IE6 and IE7, for more information.

2. Successful! Now you can start using the network. The Start Browsing button will take you to the website where you originally want to visit or the home page that is configured in the system.

[Screenshot: "Hello, you are logged in via test@local. To log out, please click the Logout button. Login time: 2007/12/5 17:42:38"]

Appendix A. An Example of User Login

Note: When On-demand accounts are used (for example, we use v8ch@ondemand here), the system will display additional information and function.

1. Remaining usage / Expiration time: The remaining quota of this On-demand account that the user can surf the Internet. In this example, it is an account of Cut-off type that will be expired by 2007/12/07 12:30.

[Screenshot: login success page for the on-demand account, showing Login time 2007/12/5 19:4:17 and Expiration time 2007/12/07 12:30]

2. Redeem: When the remaining quota is insufficient, the user can add up the quota by purchasing an additional account. Please enter the new username (for example, we use 23eh@ondemand here) and password in the Redeem Page and click Enter button to merge the two accounts. As a result, there will be
107. [Screenshot residue: netmask selector showing 255.255.255.255 (/32)]

Click the hyperlink Roaming Out & 802.1X Client Device Settings to enter the Roaming Out & 802.1X Client Device Settings interface. Choose the desired type, Disable, Roaming Out or 802.1X, and key in the 802.1X client's IP address and network mask, and then click Apply to complete the settings.

- Username Format: When Complete option is checked, both the username and postfix will be transferred to the RADIUS server for authentication. On the other hand, when Only ID option is checked, only the username will be transferred to the external RADIUS server for authentication.
- NAS Identifier: The Network Access Server (NAS) Identifier of the system for the external RADIUS server.
- Class-Policy Mapping: This function applies the selected policy to specific clients grouped by the RADIUS class attribute. The clients will be applied with the assigned policy while logging on to the system.

[Screenshot: External RADIUS Class Mapping To Policy (Server 3), Enable/Disable, with columns No., Class Attribute Value, Policy and Remark; three sample rows map class attribute values 1, 2 and 3 to Policy1]

- Server: The IP address of the external RADIUS server.
- Authentication Port: Enter the authentication port of the RADIUS server.
- Accounting Port: The accounting port of the external RADIUS server.
- Secret Key: The Secret Key for RADIUS authentication.
- Accounting Service: The system supports RADIUS accounting that can be enabled or disabled
108. ear. If the welcome screen or the main menu of the console still does not appear, please check the connection of the cables and the settings of the terminal simulation program.

[Screenshot: DSA-3600 Basic Configuration main menu, with entries for Utilities, Change admin password, Reload factory default and Restart DSA-3600]

Appendix B. Console Interface Configuration

1. Utilities for network debugging
The console interface provides several utilities to assist the administrator to check the system conditions and perform debugging. The utilities are described as following.

[Screenshot: DSA-3600 Configuration Utility menu, with entries Trace routing path, Display interface settings, Display routing table, Display ARP table, Display system up time, Check service status, Set device into safe mode, Synchronize clock with NTP server, Print the kernel ring buffer and Main menu]

- Ping host (IP): By sending ICMP echo request to a specified host and wait for the response to test the network status.
- Trace routing path: Trace and inquire the routing path to a specific target.
- Display interface settings: Displays the information of each network interface setting, including the MAC address, IP address and netmask.
- Display the routing table: The internal routing table of the system is displayed, which may help to confirm the Static Route settings.
- Display ARP table: The internal ARP table of the system is disp
109. ease press Finish to confirm the settings and restart the system.

[Screenshot: Administrator Login Page, "Please Enter Your Username and Password To Sign In", with ENTER and CLEAR buttons]

Back and Exit: During every step of the wizard, if you wish to go back to modify the settings, please click the Back button to go back to the previous step. Click Exit to leave the Wizard.

[Screenshot: Setup Wizard, Local User Account (Optional), with Username and Password fields]

Please Note: Log in to the web management interface again by using username admin and the selected password.

After logging in to the web management interface, click System and then click Service Zones to enter the Basic Settings page. Next, click the Server 1 hyperlink. The DSA-3600 uses Virtual LAN (VLAN) along with a SSID to separate service zones. At this stage the system is ready for use in minimum configuration. The factory default configuration uses tag-based VLAN. The Default service zone with SSID dlink is enabled and requires no user authentication at this initial stage.

[Screenshot: DSA-3600 web management interface, System > Service Zones, Service Zone Settings table]
110. ect to pick up a color for the title text and the background in the center area, and change the wording of each item as needed. In addition, a logo and a background image can be used to create a customized page for branding or other purpose. Click Preview to see the result first.

[Screenshot: Template Page Setting, with Color for Title Background (select RGB values in hex mode), Title "User Login Page" and Welcome "Welcome To User Login Page"; an example of Template Login Page]

Login Page > Uploaded Page: Choose Uploaded Page and upload a login page. The user-defined login page must include the following HTML codes to provide the necessary fields for username and password:

    <form action="userlogin.shtml" method="post" name="Enter">
    <input type="text" name="myusername">
    <input type="password" name="mypassword">
    <input type="submit" name="submit" value="Enter">
    <input type="reset" name="clear" value="Clear">
    </form>

If the user-defined login page includes an image file, the image file path in the HTML code must be as follows:

    Remote VPN:            <img src="images/xx.jpg">
    Default Service zone:  <img src="images0/xx.jpg">
    Service zone 1:        <img src="images1/xx.jpg">
    Service zone 2:        <img src="images2/xx.jpg">
    Service zone 3:        <img src="images3/xx.jpg">
111. ed stands for the current status of the SNMP management function.

User Logs:
- Retained Days: The maximum number of days for the system to retain the users' information.
- Receiver E-mail Address(es): The e-mail address that the traffic history information will be sent to.

System Time:
- NTP Server: The network time server that the system is set to align.
- Time: The system time is shown as the local time.

User Session Control:
- Idle Time Out: The number of minutes allowed for the users to be inactive.
- Multiple Login: Enabled/Disabled stands for the current setting to allow/not allow multiple logins from the same account.

- Preferred DNS Server: IP address of the preferred DNS Server.
- Alternate DNS Server: IP address of the alternate DNS Server.

4.5.2 Interface
This section provides an overview of all the interfaces for the administrator, such as WAN1, WAN2, Service Zone Default and Service Zone Default DHCP Server. Each service zone represents a virtual system. Therefore, the information of the system's network interface is grouped by service zone.

[Screenshot: Network Interface status for WAN1, WAN2, Service Zone Default, Service Zone Default DHCP Server and Service Zone SZ1, showing Mode, MAC Address, IP Address, Subnet Mask, Packets In, Packets Out, Bytes In and Bytes Out]
112. elated modes, such as WPA-EAP, WPA2-EAP, WPA-Auto-EAP, WPA-PSK, WPA2-PSK and WPA-Auto-PSK, it will disable the availability of WEP Key2 and Key3 for another SSID which is set in Shared Key modes (Shared Key, or Open System or Shared Key) in the same DWL-2100AP.

[Diagram: one DWL-2100AP with SSID1 (Service Zone 1, set in WPA related modes), SSID2 (Service Zone 2, set in Shared Key related modes) and SSID3 (Service Zone 3, set in Shared Key related modes). WEP Setting: Only Key1 and Key4 Available]

Caution: If two or more SSIDs belong to the same DWL-2100AP and the wireless security of one associated Service Zone is set in the modes of WPA, WPA2 or WPA Mixed, those SSIDs that are in the modes of Shared Key and "Open System or Shared Key" cannot use WEP Key2 and Key3 in the DSA-3600.

Appendix F. Deploying DSA-3600 Using DWL-2100AP

- Availability of 802.1x Authentication: When an SSID (Primary type) of the DWL-2100AP is set in the mode of Open System, Shared Key, or "Open System or Shared Key", it will not support 802.1x authentication.

Caution: 802.1x Authentication should NOT be enabled in DSA-3600 if any DWL-2100AP exists in the Service Zone and the associated SSID is in the mode of Open System, Shared Key, or "Open System or Shared Key".

[Screenshot: Wireless Settings, SSID dlink SZ1, Security Open System, Enable 802.1X Authentication, RADIUS Serv
113. empt from Load Balancing and WAN Failover. A fixed WAN port is chosen for SIP traffic.

4.1.5 LAN Port Mapping
DSA-3600 supports multiple service zones in either of the two VLAN modes, Port-Based or Tag-Based, but not concurrently. In the wireless environment, a service zone of the DSA-3600 is mapped to the VLAN with an associated SSID. When the DSA-3600 is set for tag-based VLAN, a managed Access Point with multiple SSIDs turned on can service multiple service zones. It is recommended that the administrator decides a mode before the system configuration when considering which mode is better for a multiple service zone deployment.

In LAN Port Mapping, the service zones can be configured by modes: Port-Based, which will be distinguished by physical LAN ports, or Tag-Based, which will be distinguished by VLAN tagging. Each LAN port of Port-Based mode can be selected among Default to SZ1~SZ4. Supporting multiple service zones, one D-Link DSA-3600 system can behave virtually like multiple systems. Each service zone is one-to-one mapped to a VLAN. Messages to or from each service zone are sorted by the VLAN tag in the message frame.

[Screenshot: LAN Ports and Service Zone Mapping. Select the mode for Service Zone: Port-Based or Tag-Based. Specify a desired Service Zone for each LAN Port: LAN1, LAN2, LAN3, LAN4]

- Tag-Based: For Tag-Based service zone, each LAN port is Hybrid port, which supports both tagged and untagged
114. enabling this feature. It will improve the user experience for audio and video applications over a Wi-Fi network.
- Internal Station Connection: Select either Enabled or Disabled. The connection allows clients to communicate with each other when enabled.

802.11g Mode Settings
- Data Rate: The default is Auto. Available range is from 1 to 54Mbps. The rate of data transmission should be set depending on the speed of the wireless network. Select from a range of transmission speed or keep the default setting Auto to make the Access Point automatically use the fastest rate possible.
- Fragment Length: The fragmentation threshold determines whether packets will be fragmented. Enter a value between 256 and 2346.
- RTS Length: Enter a value between 256 and 2346. When a wireless client would like to send a packet which is larger than this value, it transmits an RTS and waits for a reply.
- Beacon Interval (ms): Enter a value between 20 and 1000 msec. The default value is 100 milliseconds. The entered time means how often the beacon signal is transmitted between the access point and the wireless network. Beacons are packets sent by an access point to synchronize a network. Specify a beacon interval value.
- DTIM (Delivery Traffic Indication Message): Enter a value between 1 and 255. DTIM is a countdown informing clients of the next window for listening to broadcast and multicast messages.
- Preamble: Select Long Only or Short and Long. A short preamble is recommended for high traffic
115. er
- Daylight Saving Time: Check the box to enable daylight saving time.

SNMP
- Public Community: When enabled, change the Public Community Name here.
- Private Community: When enabled, change the Private Community Name here.

SYSLOG
- System Activity: Select Enable to allow the logging of system actions, such as logging a firmware upgrade.
- Wireless Activity: Select Enable to allow the logging of any wireless clients that connect to the AP.
- Notice: Select Enable to allow all other information to be logged.
- Remote SYSLOG Server: If you require more space to hold your logs, please provide the IP address of the Server. The embedded memory can only have up to 300 logs.

Properties
- SSID Broadcast: Select this option to enable the SSID to broadcast in your network. When configuring the network, it is suggested to enable this function, but disable it when the configuration is complete. With this enabled, someone could easily obtain the SSID information with the site survey software and get unauthorized access to a private network. With this disabled, network security is enhanced and can prevent the SSID from being seen on networked
- Data Rate: The default is Auto. Available range is from 1 to 54Mbps. The rate of data transmission should be set depending on the speed of the wireless network. Select from a range of transmission speed or keep the default setting Auto to make the Access Point automatically use th
116. er 3 Hardware Installation

3.1 Panel Function Descriptions
The DSA-3600 is implemented on an embedded platform with mini-desktop form factor. On the front panel of the product, there are eight LEDs that are used to indicate the system power, system status and the link status of the six fast Ethernet ports. The interface ports are installed on the rear panel. Six fast Ethernet 100Mbps ports are provided by DSA-3600. Two are configured as WAN Ports and the other four are configured as LAN Ports. Located on the rear panel are a serial console port, a reset button and the power socket.

Front Panel

[Figure: DSA-3600 front panel]

1. Power: ON indicates that power is on and OFF indicates that power is off.
2. Status: While system power is on, status OFF indicates BIOS is running, BLINKING indicates the OS is running and ON indicates system is ready.
3. WAN1/WAN2 LEDs: OFF indicates no connection, ON indicates connection and BLINKING indicates transmitting data.
4. LAN1~LAN4 LEDs: OFF indicates no connection, ON indicates connection and BLINKING indicates transmitting data.
5. Link Sign: Sign to indicate the LED of WAN1/WAN2 and LAN1~LAN4 in the status of connection.
6. Act Sign: Sign to indicate the LED of WAN1/WAN2 and LAN1~LAN4 in the status of transmitting data.

Rear Panel

[Figure: DSA-3600 rear panel]

1. Power Socket: The power adapter is attached here.
2. Reset Button
117. [Screenshot residue: RADIUS Server Settings, with 802.1X Authentication Security, IP Address, Port, Secret Key and Encryption None]

- Availability of WPA Pre-Shared Keys: When an SSID of the DWL-2100AP is set in the mode of WPA, WPA2 and WPA/WPA2 Mixed in DWL-2100AP, Passphrase is the only available Key type for Pre-Shared keys (PSK). In addition, the length of Passphrase for the SSID of Guest type is 8 to 34 characters.

Caution: HEX, the other Key type, should NOT be enabled in DSA-3600 if any DWL-2100AP exists in the Service Zone and the associated SSID is in the mode of WPA, WPA2 or WPA/WPA2 Mixed. Also, administrators will have to ensure the length of Passphrase does not exceed 34 characters and is not shorter than 8 characters in DSA-3600.

[Screenshot: Wireless Settings, SSID dlink SZ1, Authentication WPA, WPA-PSK, Security Encryption TKIP, with Passphrase and Hex as PSK key types]

Appendix G. Network Configuration on PC

After the DSA-3600 is installed, the following configurations must be set up on the PC: Internet Connection Setup and TCP/IP Network Setup.

Internet Connection Setup
If the Internet Connection of this client PC has been configured as use local area network already, you can skip this setup.

- Windows XP
1. Choose Start > Control Panel > Internet Option.
2. Choose the Connections label and then click Setup.

[Screenshot: Windows Control Panel]
118. erences.
2. Each service zone must set up its own SSID to let users access the wireless network using the specific ID. The system will give a unique Session ID to authenticated users when they start new sessions.
3. Both groups, Employees and Guests, will be redirected to different login portal pages and will be authenticated against different authentication databases.
4. Apply different access control policies to separated groups, Employees and Guests.

Solution and Configuration in DSA-3600
- Configure two service zones to map to the two groups.

Step 1: Select Tag-Based mode for all service zones.

[Screenshot: System > LAN Port Mapping, LAN Ports and Service Zone Mapping, with Tag-Based selected as the mode for Service Zone. Notice: Under Tag-Based mode, Service Zones will be distinguished by VLAN tagging instead of physical LAN ports.]

Step 2: Choose and configure the desired service zone for the specific group, e.g. choose and configure SZ1 for Employees.

[Screenshot: System > Service Zones, Service Zone Settings table]
119. ervice to end customers who wish to pay for the service on-line. Before setting up PayPal, it is required that the merchant owners have a valid PayPal Business Account. Please see Appendix K, Accepting Payments via PayPal. After opening a PayPal Business Account, the merchant should find the Identity Token of this PayPal account to continue PayPal Payment Page Configuration.

[Screenshot: External Payment Gateway, PayPal selected. PayPal Payment Page Configuration fields: Business Account, Payment Gateway URL (https://www.paypal.com/cgi-bin/webscr), Identity Token, Verify SSL Certificate (Enable/Disable), Currency (USD, U.S. Dollar). Service Disclaimer Content text box. Choose Billing Plan for PayPal Payment Page: a table of plans 1 to 10 with Enable/Disable, Quota and Price. Client's Purchasing Record section]
120. ess the patch from Microsoft's web at http://support.microsoft.com/default.aspx?scid=kb;en-us;889527. This patch also fixes issues of supporting active mode FTP inside IPSec VPN tunnel of Windows XP SP2.

Suggestion: Please UPDATE client's Windows XP SP2 with patch KB889527.

Appendix H. IPSec VPN

5. The Termination of ActiveX
The ActiveX component for IPSec VPN is running parallel with the Login Success web page. Unless the user decides to close the session and to disconnect from the DSA-3600, the following conditions or behaviors of the user's browser should be avoided in order to keep the built IPSec VPN tunnel always alive.

[Screenshot: "Hello, sddtest. You have successfully logged in. The connection is secured by IPSec VPN."]

Reasons why Internet Explorer may cause ActiveX to stop unexpectedly are as follows:

a. The crash of Internet Explorer on running ActiveX.
Suggestion: Please reboot client's computer. Once Windows service is resumed, go through the login process again.

b. Terminate the Internet Explorer Task from Windows Task Manager.
Suggestion: Do not terminate this VPN task of Internet Explorer.

c. There are some cases of Windows messages by which DSA-3600 will hint current user to:
1. Close the Windows Internet Explorer.
2. Click logout button on login success page.
3. Click back or refresh of the same Internet Explorer.
4. Enter new URL in the same Internet Explorer.
121. ey security mode. Caution: If an existing SSID is already using Guest type, the wireless security of a Service Zone which is associated with this SSID cannot be set in the Open System or Shared Key mode in the DSA-3600. Single Set of WEP Keys: All SSIDs which belong to the same DWL-2100AP share the same set of WEP Keys (Key1 to Key4). (Diagram: SSID1, SSID2 and SSID3 of one DWL-2100AP, with a single WEP Setting, mapped to Service Zones 1, 2 and 3.) Caution: If two or more SSIDs belong to the same DWL-2100AP and the wireless security of the associated Service Zones is set in the Shared Key mode in the DSA-3600, those SSIDs cannot be mapped to Service Zones that have different sets of WEP Keys in the DSA-3600. Single Set of RADIUS Server Setting: Only one set of RADIUS Server settings is provided in the DWL-2100AP. (Diagram: SSID1, SSID2 and SSID3 of one DWL-2100AP, with a single RADIUS Server Setting (IP Address, Port, Secret Key), mapped to Service Zones 1, 2 and 3.) Caution: If two or more SSIDs belong to the same DWL-2100AP and the wireless security of the associated Service Zones is set in modes which use RADIUS, those SSIDs cannot be mapped to Service Zones that have different sets of RADIUS Server settings in the DSA-3600. Availability of WEP Keys: When an SSID of the DWL-2100AP is set in WPA r
122. fix and unit will be shown in this list. (Screenshot: General Settings, with the fields Postfix, Monetary Unit, WLAN ESSID, Wireless Key, Remaining Volume Sync Internal and Number of Tickets.) Postfix: Postfix is used to inform the system which type of authentication database is to be used for authentication when multiple databases are concurrently in use. Enter the postfix used for on-demand users. Monetary Unit: Select the desired monetary unit or specify the unit yourself. WLAN ESSID: The administrator can enter the defined wireless ESSID in this field and it will be printed on the receipt for on-demand users' reference when accessing the Internet via wireless LAN service. The ESSIDs given here should be those of the service zones enabled for On-demand Users. Wireless Key: The administrator can enter the defined wireless key, such as WEP or WPA, in the field. The Wireless Key will be printed on the receipt for the on-demand users' reference when accessing the Internet via wireless LAN service. Remaining Volume Sync Internal: While the on-demand user is still logged in, the system will update the billing notice of the login successful page at the time interval defined here. Number of Tickets: Print one or duplicate receipts when pressing the print button of the ticket printer w
123. frames. Each port can join any VLAN, up to 4 groups. The system supports five service zones, one default and 4 other service zones; each can be enabled or disabled except the default one. The five service zones are mapped to 4 VLANs and 1 untagged subnet. Each service zone functions like a virtual system; each has an independent set of settings such as SSID, Wireless Security, Network setting, DHCP setting, Customized Pages, Default Policy, Authentication Servers setting and Default Authentication Server. Tag-based Service Zones Configuration Example, Enabling Two Service Zones: Log in to the web management interface and enter admin for both the default username and password in the Username and Password fields of the Administrator Login Page. After logging in to the web management interface, from the Menu Tree click System and then click LAN Port Mapping to verify that Tag-Based service zone mode is selected. (Screenshot: LAN Ports and Service Zone Mapping, with the mode selection Port-Based or Tag-Based. Notice: Under Tag-Based mode, Service Zones will be distinguished by VLAN tagging instead of physical LAN ports.) Click System and then click Service Zones to enter the Service Zone Settings page as shown below. (Screenshot: Service Zone Settings table.)
124. from default IP address to the new IP as the format x x x x x. SNMP: The DSA-3600 supports SNMPv2. When the function is enabled, an implemented SNMP server is able to access the system's management information base. (Screenshot: SNMP Enable/Disable, SNMP Manager IP Address, Community.) HTTPS Protected Login: The system supports HTTPS (encrypted) and HTTP (non-encrypted) when clients log into the system. When this function is enabled, the Secure Sockets Layer (SSL) will be activated and applied to the web-based user login page. Time: The system time can be set up manually or synchronized with remote NTP (Network Time Protocol) servers. It supports up to five NTP servers. When NTP is enabled, at least one NTP server has to be configured and the system time will be adjusted automatically according to the remote NTP servers. When Manually set up is selected, the administrator needs to configure the system time manually. Please enter the date and time into the respective fields. (Screenshot: System Time, Time Zone, and Time with the options NTP and Manually set up.) 4.1.2 WAN1: There are four connection types supported on the WAN1 Port: Static, Dynamic, PPPoE and PPTP. (Screenshot: WAN1 Interface Setting.)
125. hat it is alive or not. Trace Route: It lets the administrator find out the real path of packets from our gateway to a destination with IP. ARP Table: It lets the administrator view all the IP addresses and MAC addresses the device has already matched. 4.6.7 Quick Links: The Quick Links provide shortcuts to eight links for administrators to directly access frequently used functions of the web management interface. The eight functional links are System Status, Local User Management, Policy Management, AP Management, Online User List, On-demand Account Management, Authentication Configuration and Firmware Management. (Screenshot: Quick Links.) Link 1, System Status: The System Status quick link provides at a glance the System Setting Overview, a shortcut to 4.5.1 System in the Status section. It provides a summary of system information to the administrator in a single page. Please refer to the section on System for details. (Screenshot: System Setting Overview, with the fields Firmware Version, System Name, Homepage Redirect URL, SYSLOG Server (System Log), SYSLOG Server (On-demand Users Log), Proxy Server, Warning of Internet Disconnection, WAN Failover, Load Balancing, SNMP and Retained Days.)
126. he antenna with better RSSI value. Left Antenna: The AP will not switch antenna and the radio will use the left antenna to transmit and receive packets. Right Antenna: The AP will not switch antenna and the radio will use the right antenna to transmit and receive packets. WMM: WMM stands for Wi-Fi Multimedia. Enabling this feature will improve the user experience for audio and video applications over a Wi-Fi network. Load Balance: When enabled, you allow several APs to balance wireless network traffic and wireless clients among APs in the network. Assign each access point a different non-overlapping channel. User Limit: Enter the limit on the number of load balancing users, from 0 to 64. Link Integrate: Enable or disable the feature. Internal Station Connection: Select either Enabled or Disabled. The connection allows clients to communicate with each other when enabled. If this is disabled, wireless stations of the selected band are not allowed to exchange data through the access point. Access Control by MAC Address: This function controls which client devices are allowed to associate with the APs to which the desired template setting is applied. Choose Disabled or Enabled in the Status column and enter the desired clients' MAC addresses in the MAC Address List. When this function is enabled, please make sure the MAC Address List is not empty.
127. hich is connected to the serial port. 2. Ticket Customization: The On-demand account ticket can be customized here and previewed on the screen. (Screenshot: Ticket Customization, with the fields Receipt Header 1, Receipt Header 2, Receipt Footer and Background Image (None, Default Image, Uploaded Image).) Receipt Header 1/2: The entered content will be printed in the header area. These headers are optional. Receipt Footer: The entered content will be printed in the footer area. This footer is optional. Background Image: Set the background image of the ticket here. None: No picture. Default Image: The default picture is shown below. (Sample ticket: Welcome; Username; Password; Plan Type; Quota; Total Price; Remark; ESSID; Wireless Key; first-time login deadline; validity period after first login; Thank You.) Note: To get a better ticket print-out, you may need to configure the browser settings (for example, Page Setup) as well as the printer settings (for example, Preferences) before printing out the page. Uploaded Image: Click on the edit button to upload the picture in the popup. (Screenshot: "Please Upload an image file", with Image File, Browse and Upload.) Note: The Background file size limit is 100 Kbytes. No limit for the d
128. ice Port (screenshot residue: Public Accessible Server table with the columns Local Server IP Address, Local Server Port, Type (TCP/UDP) and Enable). When users attempt to connect to the port of a Destination IP Address listed here, the connection packet will be converted and redirected to the port of the Translated to Destination IP Address. Enter the IP Address and Port of Destination, and the IP Address and Port of Translated to Destination accordingly. Depending on the different services selected, choose the TCP protocol or UDP protocol. These settings will become effective immediately after clicking Apply. (Screenshot: Port and IP Redirect table with the columns No., Destination IP Address and Port, Translated to Destination IP Address and Port, and Type (TCP/UDP).) 4.4.2 Privilege: The DSA-3600 provides two Privilege Lists: IP Address List and MAC Address List. The administrator can add desired IP addresses and MAC addresses to these lists using the Privilege List function. The IP addresses and MAC addresses in these lists are allowed to access the network without authentication. IP Address List: Clients in the IP Address List are allowed to access the Internet d
129. ice Qty ota (screenshot residue: PayPal payment page for the item Wireless Internet Access with the generated username, the first-time login deadline, the usage quota and validity period, the payment total, and the payment completion page redirecting back to the merchant). Step 5: Click Start Internet Access to use the Internet access service. (Screenshot: account details with Login ID, Password, Price, Usage, ESSID and validity time, the note "Before closing this window, please write down your username and password", and the Start Internet Access button.) Note 1: Payment is accepted via PayPal. PayPal enables you to send payments securely online using a PayPal account, a credit card or bank account. Clicking on the Buy Now button, you will be redirected to PayPal's site to make payment. Please do not manually close the browser when you reach PayPal's payment confirmation page. It takes about 30 seconds or more before you are automatically redirected back to our website with a set of Login ID and Password.
130. ients will be redirected back to the desired proxy servers. (Screenshot: External Proxy Servers table with the columns No., IP Address and Port; Redirect Outgoing Proxy Traffic to Built-in Proxy Server, Enable/Disable.) External Proxy Servers: The system will match the proxy setting of the External Proxy Servers list to the clients' proxy setting, if the setting is found in their browsers. If no match is found, the clients will not be able to get the login page nor access the network. If a match is found, the clients will first be directed to the system for authentication and, upon successful authentication, redirected back to the desired proxy servers. Redirect Outgoing Proxy Traffic To Built-in Proxy Server: The DSA-3600 has a built-in proxy server. If this function is enabled, the clients will be forced to treat the DSA-3600 as the proxy server regardless of the clients' original proxy settings, and all traffic will be redirected through the built-in proxy server. Note: For more information about setting up the proxy servers, please refer to Appendix C, Proxy Configuration. 4.4.6 DDNS: The system provides a convenient dynamic DNS function to translate the IP address of the WAN port to a domain name, which helps the administrator memorize and connect to the WAN1 port. When DDNS is enabled, the system will update the newest IP address regularly to the DNS server if the WAN1 interface is set to Dyn
131. (Screenshot residue: Service Zone Settings table and the Authentication Settings of a zone, listing the Auth Options Server 1 LOCAL (postfix local), Server 2 POP3 (pop3), Server 3 RADIUS (radius), Server 4 LDAP (ldap), On-demand User ONDEMAND (ondemand) and SIP.) Figure 4.6.1a: An example using Tag-Based service zones. 4.6.2 Password Change: The DSA-3600 supports three accounts with different access privileges. Choose to log in as admin, manager or operator. The default password and access privilege for each account are as follows. Admin: The administrator can access all configuration pages of the DSA-3600. User Name: admin. Password: admin. Manager: The manager can only access the configuration pages under User Authentication to manage the user accounts, but has no permission to change the settings of the profiles for Firewall Specific
132. il based 1 a Monitor IP on a configurable interval. These monitored devices can be accessed via HTTP or HTTPS connection. The management interface of the monitored device can be accessed via a hyperlink of the device's IP address when the system is operated under NAT mode. Walled Garden: Up to 20 domain names/IP addresses can be defined in the list. Authentication is NOT required for users to access these domains and/or URLs. Proxy Server: The system supports up to 10 external proxy servers. DDNS: The system supports the dynamic DNS (DDNS) feature. Client Mobility: The system supports IP plug and play (PNP). VPN: There are 3 types of VPN connection supported in the system, including Local VPN, Remote VPN and Site-to-Site VPN. For the Local VPN, an IPSec tunnel can be established between the system and the client located at the LAN side. For the Remote VPN, a PPTP tunnel can be established between the system and the remote user over the Internet. For the Site-to-Site VPN, an IPSec tunnel can be constructed to connect to another IPSec-capable device over the Internet. 4.4.1 NAT: There are three functions that need to be set here: DMZ (Demilitarized Zone), Public Accessible Server, and Port and IP Redirect. DMZ (Demilitarized Zone): The administrator can define mandatory external to internal IP mapping us
133. imensions of the image, but a 460x480 image is recommended. Preview: Click the Preview button to see the ticket with the items that are customized above. Please Note: A 460x480 image is recommended. 3. Billing Plans: With the billing plans configured and enabled, administrators are able to control and charge the network usage of On-demand users. Billing Plans (Plan, Type, Quota, Price): Plan 1, Cutoff, Until 12:30, 2.99; Plan 2, Time, 12 hr(s), 3.99; Plan 3, Volume, 500 Mbyte(s), 5; Plan 4, Cutoff, Until 13:00, 3.5; Plan 5, Time, 18 hr(s), 6; Plan 6, Volume, 1000 Mbyte(s), 8; Plans 7 to 10, N/A. Plan: The number of the specific plan. Type: This is the type (Time, Volume or Cut-off) of the plan, which defines how the account can be used. Quota: The limit on how On-demand users are allowed to access the network. Time: Total period of time (xx hrs yy mins) during which On-demand users are allowed to access the network. (Screenshot: Editing Billing Plan, Type Time. Quota: hr(s) and min(s), range of minutes 0 to 59, they cannot both be zero. Account Activation: first-time login must be done within a set number of day(s) and hour(s), range of hours 0 to 23, they cannot both be zero. Valid Period: after activation the account will expire in a set number of day(s), which must be larger than 0. Price: range 0 to 100000, including two digits after the decimal point, e.g. 1.99.) Volume: Total traffic volume xx
134. ing these IP addresses to downstream clients. The administrator can reserve some specific IP addresses for special devices by MAC address. Enable DHCP Relay: Select this option when a service zone is connected to an external DHCP server. When Enable DHCP Relay is chosen, the IP addresses of clients will be assigned by an external DHCP server. The system will only relay DHCP information from the external DHCP server to downstream clients of this service zone. SIP Interface Configuration: The system provides SIP proxy functionality, which allows SIP clients to pass through NAT. When enabled, all SIP traffic can pass through NAT via a fixed WAN interface. The policy route setting of SIP Authentication must be configured carefully because it must cooperate with the fixed WAN interface for SIP authentication. SIP Transparent Proxy can be activated in both NAT and Router mode. SIP Authentication must be supported in either mode. For users logging in through SIP authentication, a policy can be chosen to govern SIP traffic. The policy's login schedule profile will be ignored for SIP authentication. Specific route and firewall rules of the chosen policy will be applied to SIP traffic. (Screenshot: SIP Interface Configuration, Enabled, WAN Interface.) Authentication Settings: The system supports several authentication databases, namely Local, POP3, RADIUS, LDAP and NT Domain, and provides up to four authentication options, Server 1 to 4 o
135. ing this function so that a client on the WAN side network can access the private machine by accessing the external IP. Choose to enable Automatic WAN IP Assignment by checking the Enable check box, and enter the Internal IP address. When the Automatic WAN IP Assignment function is enabled, accessing WAN1 will be mapped to accessing the Internal IP Address. For Static Assignments, enter Internal and External IP Addresses as a set and choose to use WAN1 or WAN2 for the External Interface from the drop-down menu. These settings will become effective immediately after clicking the Apply button. (Screenshot: Automatic WAN IP Assignment and Static Assignments tables with the columns External IP Address, External Interface and Internal IP Address.) Public Accessible Server: The administrator can set up virtual servers using this function so that computers not belonging to the managed network can access the servers in the managed network via the WAN port IP of the DSA-3600. Enter the External Service Port, Local Server IP Address and Local Server Port accordingly. Depending on the different services selected, the network service will be able to use the TCP protocol or the UDP protocol. In the Enable column, check the desired server to be enabled. These settings will be effective immediately after clicking the Apply button. (Screenshot: Public Accessible Server table.)
136. ion Log and AP Status Change up to 3 email accounts automatically. The notification of AP Status Change is triggered by an event, when a managed AP becomes unreachable, while the other three types of e-mails are sent periodically at given intervals such as one hour. A trial e-mail is provided by the system for validation. In addition, the system supports recording SYSLOG of User Log, On-demand User Log and Session Log via external SYSLOG servers. Furthermore, the Session Log can be sent to a specified FTP server. (Screenshot: Notification page with Notification E-mail Settings (report types Monitor IP, System Log, On-demand Users Log, Session Log and AP Status Change; SMTP Setting Test; Sender E-mail Address; SMTP Auth Method; Receiver E-mail Address), SYSLOG Server Settings (IP Address and Port for System Log, On-demand Users Log and Session Log) and FTP Server Settings (IP Address, Port, Send Log every N Hours, noted as the same as the Interval of Session Log in the Notification E-mail Settings, Anonymous Yes/No, FTP Setting Test).) Notification E-mail Settings: Receiver E-mail Address(es): The e-mail address of the person whom the history e-mail is for. This will be the receiver's e-mail. Check which type of report is to be sent: Monitor IP Report, System Log, On-demand Users Log and AP Status Change. Interval: The time interval to send the e-mail report. Choose a proper num
137. ion Connection: Select either Enabled or Disabled. The connection allows clients to communicate with each other when enabled. Status: After clicking the hyperlink in the Status column, there are two areas of information shown: AP Status Summary and AP Status Details. AP Status Summary includes AP Name, AP Type, LAN Interface MAC address, Wireless Interface MAC address, Report Time, SSID, Number of Associated Clients and Remark. AP Status Details include System Status, LAN Status, Wireless LAN Status, Access Control Status and Associated Client Status. (Screenshot: AP Status Summary and AP Status Details, with tabs System, LAN Interface, Wireless Interface, Access Control and Associated Clients.) AP Name: Mnemonic name of the specified AP. AP Type: This is the supported type of APs for centralized management. LAN Interface MAC Address: The LAN's Media Access Control address. Wireless Interface MAC Address: The wireless LAN's Media Access Control address. SSID: The SSID is the unique name shared among all devices in a wireless network.
138. ion about the template, please refer to 4.3.4 Templates. Background AP Discovery: The system supports discovering APs periodically in the background. The New IP Address Assignment and Access to the AP Admin Interface configuration in the Background Auto Discovery page are the same as in the Discovery Settings. Click Configure and then select Enable to set the configuration. When Auto Adding AP to the list is enabled, the system will add the discovered APs into the List table automatically and apply the template selected in the Template Applied option to the AP. When the configurations are set as required, the system will discover new APs periodically and automatically in the background. Click Configure to enter the Background AP Discovery page for further configuration. (Screenshots: Discovery Settings and Background AP Discovery pages, with the fields AP Type, Interface, Factory Default IP Address, Admin Settings Used to Discover (Login ID, Password), Manual IP Addresses of APs after Discovery (Start IP Address) and Background AP Discovery Status.)
139. irectly without authentication. Remark is optional but useful for tracking purposes. These settings will be effective immediately after clicking Apply. (Screenshot: Granted Access by IP Address table with the columns No., IP Address and Remark.) Warning: Permitting specific IP addresses to have network access rights without going through the standard authentication process may result in security problems. MAC Address List: Clients in the MAC Address List are allowed to access the Internet directly without authentication. Enter the MAC address in the format xx:xx:xx:xx:xx:xx and the remark (optional) accordingly. These settings will be effective immediately after clicking Apply. Warning: Permitting specific MAC addresses to have network access rights without going through the standard authentication process may result in security problems. 4.4.3 Monitor IP: The DSA-3600 will send out a packet periodically to monitor the connection status of the IP addresses on the list. If the monitored IP address does not respond, the system will send an e-mail to notify the administrator that such destination is not reachable. After entering the related information, click Apply and these settings will become effective immediately. The Monitor IP function can monitor the devices in this list by pinging them periodically. The administrator can use this function to monit
140. ise the following IP settings (screenshot residue: WAN1 Interface Setting with the options Static, Dynamic, PPPoE and PPTP). Static (Use the following IP Settings): Select Static to specify a static IP address for the WAN1 port manually when a static IP address is available for the DSA-3600. Fields with red asterisks are required to be filled in. (Screenshot: WAN1 Interface Setting, Static, with the fields IP Address, Subnet Mask, Default Gateway, Preferred DNS Server and Alternate DNS Server.) IP Address: The IP address of the WAN1 port. Subnet Mask: The subnet mask of the WAN1 port. Default Gateway: The gateway of the WAN1 port. Preferred DNS Server: The primary DNS Server of the WAN1 port. Alternate DNS Server: The substitute DNS Server of the WAN1 port. This is optional. Dynamic (IP settings assigned automatically): Select the option when a DHCP server is available in the network implementation above the WAN1 port of the system. When Dynamic is selected, the system works as a DHCP client and gets an IP address for its WAN1 port automatically from the DHCP server. PPPoE: Select the option when PPPoE is the connection protocol provided by the network service providers. When Dial on Demand is enabled, there is a Maximum Idle Time available. The system will disconnect itself from the Internet automatically when the Maximum Idle Time is reached
141. layed. Display system up time: The system live time (the time the system has been turned on) is displayed. Check service status: Check and display the status of the system. Set device into safe mode: Used when the administrator is unable to access the Web Management Interface via the browser or when it fails inexplicably. The administrator can choose this utility and set the DSA-3600 into safe mode to manage the device using a browser. Synchronize clock with NTP server: Immediately synchronize the clock through the NTP protocol and the specified network time server. Since this interface does not support manual setup of its internal clock, a reset of the internal clock can only be performed through NTP. DMESG: Display the kernel ring buffer on the screen. The dmesg program helps users print out their boot-up messages. 2. Change admin password: The username and the default password are both admin, the same as for the web management interface. The administrator's password can be changed. If the password cannot be remembered and the management interface cannot be accessed from the web or the remote end of the SSH, the console cable can still be used to connect to the console management interface, where the administrator can then reset the password. 3. Reload factory default: Choose this option to reset the system configuration to the factory default settings. 4. Restart
142. lcome (template page residue: editable text fields Welcome, Information, Information2, Remaining Usage, Day, Hour, Min, Sec and Login Time). Login Success Page for On-demand User > Uploaded Page: Choose Uploaded Page and get the login success page for On-demand User by uploading. Click the Browse button to select the Login Success Page file for instant upload. Then click Submit to complete the upload process. (Screenshot: Login Success Page Selection for On-demand Users, Service Zone Default, with the options Default Page, Template Page, Uploaded Page and External Page; Upload Login Success Page for on-demand, File Name; Existing Image Files, Total Capacity 512 K, Now Used 0 K; Upload Image Files; Preview.) Login Success Page for On-demand User > External Page: Choose the External Page selection to get the Login Success Page for On-demand User from the specific website. In the External Page Setting, enter the URL of the external Login Success Page and then click Apply. After applying the setting, the new Login Success Page for On-demand User can be previewed by clicking the Preview button at the bottom of this page. (Screenshot: Login Success Page Selection for On-demand Users, External Page Setting.)
143. licy Mapping function will be available to let the administrator assign a policy for an LDAP Attribute. When the type of database is SIP, the Policy selection function will be available to let the administrator assign a policy for all SIP users. (Screenshot: Policy Configuration, Policy 1, with Select Policy, Firewall Profile, Specific Route Profile, Schedule Profile, QoS Profile and Privilege Profile.) Select Policy: Select a desired individual policy for configuration. Firewall Profile: The Global policy and each policy have a firewall service list and a firewall profile, which is composed of firewall rules. Specific Route Profile: The default gateway of WAN1, WAN2 or a desired IP address can be defined in a policy. When Specific Default Route is enabled, all clients to which this policy is applied will access the Internet through this default gateway. Schedule Profile: The Schedule table, in a 7x24 format, is used to control the clients' login time. When Schedule is enabled, clients to which the policy is applied are only allowed to log in to the system at the times checked in the applied policy. QoS Profile: Set up the information of Traffic Configuration, including Traffic Class, Total Downlink, Individual Maximum Downlink, Individual Request Downlink, Total Uplink, Individual Maximum Uplink and Individual Request Uplink. Privilege Profile: Includes Maximum Concurrent Session for User and Change Password Privilege.
144. ll the hardware of DSA-3600. 1. Connect the power adapter to the power socket on the rear panel. The Power LED on the front panel should be ON to indicate a proper connection. Warning: Using a non-certified power adapter may damage this product. 2. Connect an Ethernet cable to the WAN1 Port on the rear panel. Connect the other end of the Ethernet cable to a networking device such as an ADSL modem, a cable modem, a switch or a hub. The LED of the WAN1 port should light up to indicate a proper connection. 3. Connect an Ethernet cable to any LAN Port on the rear panel. Connect the other end of the cable to a networking device such as the administrator's PC. The LED of the LAN port should be ON to indicate a proper connection. After the hardware of the DSA-3600 is installed completely, the system is ready to be configured in the following sections. This manual will guide you step by step to set up the system using a single DSA-3600 to manage the network. Chapter 4, Web Interface Configuration: This chapter provides further detailed information on setting up the DSA-3600. The following table shows all the functions of the DSA-3600. In the web management interface, there are three main interface areas: Tools Menu, Main Menu Tree and Working Area. The Working Area occupies the largest area of the web interface, on the center right. It is also referred to as the current management page. The current
145. m, for example Microsoft Outlook, before they are authenticated. Click Enabled and Edit Mail Message to edit the message in HTML format. Each service zone can have its own message.
Custom Pages: There are five user login and logout pages that can be customized by administrators for each service zone. Click the Configure button and the Login/Logout page will appear with configuration options for Login Page, Logout Page, Login Success Page, Login Success Page for On-demand User and Logout Success Page. Click the button of the respective page selection to make further configuration.
[Screenshot: Custom Pages, with Login Page, Logout Page, Login Success Page, Login Success Page for On-demand User and Logout Success Page]
1. Login Page
The administrator can use the default login page or get a customized login page by setting the template page, uploading the page or downloading it from a specific website. After finishing the setting, click Preview to see the login page.
  Login Page > Default Page: Choose Default Page to use the default login page.
  [Screenshot: Login Page Selection for Users, Service Zone Default, with the options Default Page, Template Page, Uploaded Page and External Page, and a Preview button for the default login page]
  Login Page > Template Page: Choose Template Page to make a customized login page. All customizable items are shown here. Click Sel
146. m Idle Time is reached. This is the common connection type for ADSL. To properly configure the PPPoE connection type, the Username, Password, MTU and Clamp MSS fields are required. The Dial on Demand function is used to guard the idle time-out of the connection. The Maximum Idle Time field is required to enable this function. When the idle time is reached, the connection will be automatically disconnected.
4.1.4 WAN Traffic
The DSA-3600 supports uplink/downlink bandwidth management and WAN Failover features, including WAN Failover, Load Balancing and Connection Detection.
[Screenshot: WAN Traffic Settings, with Available Bandwidth on WAN Interface (Uplink and Downlink, in Kbps), Target for detecting Internet connection (IP/Domain Name), Enable Load Balancing, Enable WAN Failover, Fall back to WAN1 when WAN1 is available again, and Warning of Internet Disconnection]
Available Bandwidth on WAN Interface:
  Uplink: Defines the maximum uplink bandwidth that clients are allowed to share on the WAN interface.
  Downlink: Defines the maximum downlink bandwidth that clients are allowed to share on the WAN interface.
147. m to the 802.11g standard on their own schedule without sacrificing connectivity.
[Screenshot: AP settings page, with General (Subnet Mask, Default Gateway, Time Zone, SNTP/NTP Server IP, Daylight Saving Time), SNMP (Public Community, Private Community), SYSLOG (System Activity, Wireless Activity, Notice, Remote SYSLOG Server), Wireless (SSID Broadcast, Data Rate, Fragment Length, RTS Length, Beacon Interval, DTIM, Preamble, Transmit Power, Antenna Diversity, WMM, Internal Station Connection) and Access Control by MAC Address (Status, Access Control List)]
  Subnet Mask: The default is 255.255.255.0. All devices in the network must share the same subnet mask.
  Default Gateway: The default is 192.168.1.1. Enter the gateway IP address for the network, typically a router.
  SNTP/NTP: The time server IP address, time zone and the local time will be displayed.
    Time Zone: Select your time zone from the drop-down menu.
    SNTP/NTP Server IP: Enter the IP address of a SNTP/NTP serv
148. management page is where status is displayed, controls are issued or parameters are configured.
Tools Menu, near the upper left corner, provides access to system utilities including Setup Wizard, Password Change, Backup & Restore, System Upgrade, Restart, Wake on LAN and Quick Links.
Menu Tree, on the left side of the web interface, allows administrators to traverse to the various management functions of this system. The management functions are grouped into five branches: System (System Settings), Users (User Management), Access Points (AP Management), Network (Network Settings) and Status (Status and Report).
[Table: OPTION and FUNCTION columns listing the functions of the DSA-3600; surviving entries include General, Service Zones, List, Additional Control, Discovery, Adding, Templates, Firmware, Upgrade, Privilege, Monitor IP, Walled Garden, VPN, Routing Table, Tools, Setup Wizard and Quick Links]
Caution: After finishing the configuration, please click Apply and check whether a restart message appears at the bottom of the screen. If the message appears, the system must be restarted for the configuration to take effect. All online users will be disconnected during the restart.
Web Management Interface
The DSA-3600 provides a web management interface for configuration. After completing the hardware installation, the administrator can configure
149. ministrator can click the Add button to register the APs to the List for management. When the system's Service Zone is set to Tag-based mode, service zones can also be assigned here. After clicking Add, the current management page is directed to the AP List, where the newly added APs will show up with a status of "configuring". It may take a couple of minutes for the status of a newly added AP to change from "configuring" to "online" or "offline".
4.3.3 Adding
The administrator can add supported APs into the List table manually here. Enter the related information of the AP and select a Template Applied. Click ADD and the AP will be added to the List. Similar to an AP added after discovery, a manually added AP will initially show up with a status of "configuring" in the AP List. The system will attempt to configure the AP with the values specified. A couple of minutes later, the AP's status will become "online" or "offline" on the AP List.
[Screenshot: Adding an AP to the List form, with fields AP Type, Admin Password, IP Address, Service Zone, Template Applied and Channel]
  AP Type: The type of supported AP.
  AP Name: The mnemonic name of the specific AP.
  Admin Password: The password of the AP, used by the system to access it.
  IP Address: The IP address of the
150. A. Firewall Profile
Click the Setting button for Firewall Profile and the Firewall Configuration will appear. Click Predefined and Custom Service Protocols to edit the protocol list. Click Firewall Rules to edit the rules. Please refer to Global Policy, section A, for the same operations.
[Screenshot: Policy 1 Firewall Configuration, with Predefined and Custom Service Protocols and Firewall Rules]
a. Predefined and Custom Service Protocols
There are predefined service protocols available for firewall rule editing. The administrator is able to add new custom service protocols by clicking Add, and to delete the added protocols with the Select All and Delete operations.
[Screenshot: Policy 1 Service Protocols List, with columns No., Name and Description, and entries including ALL, ALL TCP, ALL UDP, ALL ICMP, FTP, HTTP, HTTPS, POP3, SMTP and DHCP]
b. Firewall Rules
Click the number in Filter Rule No. to edit individual rules and click Apply to save the settings. The rule status will show on the list. Check the Active box and click Apply to enable that rule.
[Screenshot: Policy 1 Firewall Rules list]
151. name and password:
    <form action="userlogin.shtml" method="post" name="Enter">
    <input type="text" name="myusername">
    <input type="password" name="mypassword">
    <input type="submit" name="submit" value="Enter">
    <input type="reset" name="clear" value="Clear">
    </form>
For example, if the device name of one DSA-3600 is abc.3322.org, then the first line of the HTML code would be https://abc.3322.org/loginpages/userlogin.shtml
2. Logout Page
The administrator can apply their own logout page in the menu. As the process is similar to that of the Login Page, please refer to the instructions on Login Page > Uploaded Page for details.
[Screenshot: Upload Logout Page for Service Zone Default, with File Name, Use Default Page, Existing Image Files (Total Capacity, Now Used), Upload Image Files and Preview]
Please note: While this process is similar to that of the Login Page, the HTML code for the user-defined logout interface is different. The following HTML code must be added in order for the user to enter the username and password:
    <form action="userlogout.shtml" method="post" name="Enter">
    <input type="text" name="myusername">
    <input type="password" name="mypassword">
    <input type="submit" name="submit" value="Logout">
    <input type="reset" name="clear" valu
152. [Screenshot: firewall rules list, with columns including Rule Name, Service, Schedule, Destination and IPSec Encrypted]
Selecting Filter Rule Number 1 as the example:
[Screenshot: Policy 1 Edit Filter Rule, Rule Number 1, with Rule Name, Source and Destination (Interface/Zone, IP Address/Domain Name, Subnet Mask, IPSec Encrypted), MAC Address, Service Protocol, Schedule (Always, Recurring, One Time) and Action for Matched Packets (Block, Pass)]
  Rule Number: This is the rule selected ("1"). Rule No. 1 has the highest priority, Rule No. 2 has the second priority, and so on.
  Rule Name: The rule name can be changed here.
  Source/Destination Interface/Zone: There are choices of ALL, WAN1, WAN2, Default and the named Service Zones to be applied for the traffic interface.
  Source/Destination IP Address/Domain Name: Select the source and destination IP addresses.
  Source/Destination Subnet Mask: Enter the source and destination subnet masks.
  Source MAC Address: The MAC address of the source IP address. This is for filtering on a specific MAC address.
  Source/Destination IPSec Encrypted: Check the box to filter only on the encrypted traffic.
  Service Protocol: Select one of the defined protocols from the service protocols list.
  Schedule: When a schedule is selected, the firewall rule is applied to clients assigned this policy only within the time checked. There are three options: Alw
153. nd your Return URL. Please note that in order to use Payment Data Transfer, you must turn on Auto Return.
[Screenshot: PayPal Payment Data Transfer setting (On/Off), with the Identity Token displayed]
Copy the Identity Token in the above page to the section PayPal Payment Page Configuration of the DSA-3600.
[Screenshot: PayPal Payment Page Configuration, with Business Account, Payment Gateway URL, Identity Token, Verify SSL Certificate (Enable/Disable) and Currency]
1.3 Requirements for Building a Secure PayPal-based E-Commerce Site
To deploy the PayPal function properly, it is required that the merchant register an Internet domain name (for example, www.StoreName.com) for this subscriber gateway device.
[Screenshot: DSA-3600 General Settings for the Entire System, with System Name, Internal Domain Name (Use the name on the security certificate) and Homepage Redirect URL]
154. ndix J Session Limit and Session Log
Appendix K. Accepting Payments via PayPal
This section shows independent Hotspot owners how to configure the related settings in order to accept payments via PayPal, making the Hotspot an e-commerce environment where end users can pay for and obtain Internet access using their PayPal accounts or credit cards.
[Flowchart: Offers instant on-demand guest access to Internet. Needs to charge for Internet access and accept payments via PayPal? No: disable External Payment Gateway. Yes: make sure a PayPal Business Account is opened and ready; obtain from PayPal.com 1. Business Account ID, 2. Payment Gateway URL, 3. Identity Token; enable and configure the PayPal related settings; check and retry, or ask for technical support; payment function via PayPal up and running]
1. Setting Up
The following are the basic steps to open and configure a Business Account on PayPal.
1.1 Open an Account
Step 1: Sign up for a PayPal Business Account and log in. Here is a link: https://www.paypal.com/cgi-bin/webscr?cmd=_registration-run
[Screenshot: PayPal "Sign Up for a PayPal Account" page]
155. ne
  Service Zone Name: The name of the service zone can be entered here. The service name can accept space, <, > and double quote, etc.
  Network Interface:
    Operation Mode: The system supports NAT mode and Router mode. When NAT mode is chosen, the service zone runs in NAT mode. When Router mode is chosen, this service zone runs in Router mode.
    IP Address: The IP address of this service zone.
    Subnet Mask: The subnet mask of this service zone.
  DHCP Server: The system supports three types of DHCP modes: Disable DHCP Server, Enable DHCP Server or Enable DHCP Relay.
    Enable DHCP Server: This enables the built-in DHCP server.
      Start IP / End IP: Set the range of IP addresses that the built-in DHCP server will assign to clients. After the default IP address of the Network Interface is changed, please change the Management IP Address List accordingly (at System > General > Management IP Address List) so that the administrator can still log in to the DSA-3600 admin page.
      Domain Name: Enter the Windows domain name for this service zone.
      WINS Server IP: The IP address of the WINS (Windows Internet Naming Service) server, if a WINS server is applicable to this service zone.
      Lease Time: The time period during which the IP addresses issued by the DHCP server are valid and available.
      Reserved IP Address List: Each service zone can reserve some IP addresses from the predefined DHCP range to prevent the system from issu
156. ne On-demand Users authentication option and one SIP authentication. The administrator needs to activate and configure at least one of these authentication databases for an enabled service zone. The postfix is used to inform the system which type of authentication database is to be used for authentication when multiple databases are concurrently in use. Each authentication option is distinguished by the postfix in the client's username, such as user1@Local. One of the authentication databases, except SIP Authentication, can be assigned as Default for a service zone. For the authentication option assigned as default, the postfix can be omitted when entering the username.
[Screenshot: Authentication Settings, with Authentication Required for the Zone (Enabled/Disabled); Authentication Options listing Auth Option, Auth Database, Postfix, Default and Enabled for Server 1 (LOCAL, local), Server 2 (POP3, pop3), Server 3 (RADIUS, radius), Server 4 (LDAP, ldap), On-demand User (ONDEMAND, ondemand) and SIP (SIP, N/A); Custom Pages; and Default Policy in this Service Zone]
  Authentication Required for the Zone: Enable or disable this feature.
  Authentication Options: Click the hyperlink of an Auth Option and the Authentication Option page will appear. Options include Server 1 to Server 4, On-demand Users and SIP.
    Authe
157. ne based architecture, administrators can assign wireless security settings to different SSIDs according to the Service Zone profiles.
[Diagram: SSIDs of a DWL-2100AP mapped to the Service Zone 1, Service Zone 2 and Service Zone 3 profiles, each with its own Wireless Security Setting (WEP, WPA, 802.1X, etc.)]
The DWL-2100AP can be deployed in the Service Zones and centrally managed via the DSA-3600. The Service Zone and Centralized AP Management provide an ideal solution, using the DSA-3600 together with the DWL-2100AP, for quick creation and extension of a wireless local area network (WLAN) in offices and other workplaces, including hotspots.
Best Practice for Wireless Settings of DWL-2100AP
To use multiple SSIDs in the DWL-2100AP, different Service Zones need to be created and configured.
  Two Types of SSIDs: The DWL-2100AP has two types of SSIDs.
    I. Primary: Only one for each DWL-2100AP. Supports every security mode: Open System, Shared Key, Open System/Shared Key, WPA-EAP, WPA2-EAP, WPA-Auto-EAP, WPA-PSK, WPA2-PSK and WPA-Auto-PSK.
    II. Guest: Up to 7 for each DWL-2100AP. Does not support Open System/Shared Key mode for security. Supports
[Diagram: DWL-2100AP with one SSID mapped to Service Zone 1, and SSID2 and SSID3 (Guest type, no Open System/Shared Key security mode) mapped to Service Zone 2 and Service Zone 3]
158. [Screenshot: PayPal Profile menu, with entries including Customer Service Message, Close Account, Seller Eligibility for PayPal Buyer Protection, Encrypted Payment Settings, Custom Payment Pages, Invoice Templates and Language Encoding]
Administrators should scroll down to edit each setting as shown in the table below. To activate all the changes, please click Save at the end of the page.
  Auto Return: On
  Return URL (Redirect Webpage): Type http://www.www.com or other URL
  Payment Data Transfer: On
  Block Non-encrypted Website Payment: Off
  PayPal Account Optional: Off
  Contact Telephone Number: Off
  Click Save.
[Screenshot: PayPal Website Payment Preferences page, with Auto Return for Website Payments (On/Off), Return URL and Return URL Requirements]
159. ng firmware and download the firmware to managed APs. Note that the AP's firmware version must be one that has been integrated.
[Screenshot: Firmware page, with Firmware Upload and a List with columns File Name, AP Type, Version, Size, Checksum and Actions]
  Firmware Upload
    File Name: The name of the AP firmware to be uploaded. Click Browse to select an AP firmware file to upload.
    Upload: Click the Upload button to upload the file from a local disk to the system.
  List: All uploaded firmware will be listed here.
    File Name: The name of the AP firmware that has been uploaded.
    Checksum: The automatically detected security identification of the firmware.
    AP Type: The AP type of the firmware.
    Version: The version of the firmware.
    Size: The file size of the firmware.
    Download: Click Download to save the selected firmware to a local disk.
    [Screenshot: browser File Download dialog asking whether to save the firmware file]
    Delete: Click Delete to delete the selected firmware from the system.
4.3.6 Upgrade
The administrator can upgrade the firmware of selected APs individually or at the same time by checking the check boxes of the APs in the Selection column. Note that both the version before upgrade and the next version must be ones
160. [Screenshot: browser window showing the login page]
Certificate Setting for Internet Explorer 6
For issues relating to an IE6 certificate error, the following information provides the steps to take when the certificate publisher is not trusted by IE6.
  1. Open an IE6 browser. The Security Alert message will appear if the certificate is not trusted. Click Yes to proceed.
     [Screenshot: IE6 Security Alert dialog, reporting that the security certificate was issued by a company you have not chosen to trust, that the security certificate date is valid, and that the name on the security certificate is invalid or does not match the name of the site, with the question "Do you want to proceed?" and a View Certificate button]
  2. The User Login Page will appear.
     [Screenshot: DSA-3600 login page in Internet Explorer, with a Certificate Error indicator in the address bar and Username and Password fields]
  3. The user can now log in normally.
Appendix E. Service Zones Deployment Examples
161. 4.4.4 Walled Garden
This function allows clients to access specified addresses or domain names on the Internet before login and authentication. Users without the network access right can make use of the actual network service in this list free of charge. Enter the IP Address or Domain Name of the websites in the list. The settings will be effective immediately after clicking Apply.
The Walled Garden supported by the system provides free surfing areas for clients to access before they are authenticated by the system. For example, on-demand users without the network access right in hotels can still have a chance to experience the actual network service free of charge.
[Screenshot: Walled Garden List, with columns No. and Domain Name/IP Address]
Caution: To use domain names in the list, a DNS server must first be configured in the network in order for this function to work.
4.4.5 Proxy Server
The system provides a Built-in Proxy Server and an External Proxy Server function. Under its security management, the system will match the proxy settings in the External Proxy Servers list against the clients' proxy settings in their browsers. If there is no match, the clients will not be able to get the login page and thus will be unable to access the network. If there is a match, the clients will be directed to the system first for authentication. After successful authentication, the cl
162. nternet connection is down, the system will display "Sorry! The service is temporarily unavailable."
  Enable WAN Failover: The purpose of WAN Failover is to have a backup link for WAN1 when WAN2 is available. Check the Enable WAN Failover check box to activate the WAN failover function of the DSA-3600. Normally, a service zone uses WAN1 as its primary gateway. When WAN Failover is enabled, WAN1's traffic will be routed to WAN2 when the WAN1 connection is down. On the other hand, a service zone's policy can also use WAN2 as its gateway; in that case, if WAN2 is down, the WAN2 traffic under that policy will also be routed to WAN1.
    Fall back to WAN1 when WAN1 is available again: If WAN Failover is enabled, the traffic will be routed to WAN2 automatically when the WAN1 connection fails. The "Fall back to WAN1 when WAN1 is available again" option appears when the Enable WAN Failover check box is checked. If this option is enabled, the routed traffic will go back to WAN1 when the WAN1 connection is recovered.
  Warning of Internet Disconnection: An Internet disconnection detection feature is supported by the system. Checking the Warning of Internet Disconnection check box enables this function. A text box is available for the administrator to enter a reminder message. This message will appear on clients' screens when the Internet connection is down.
Note: SIP authentication is ex
163. ntication Database: The system supports several types of authentication database (Local, POP3, RADIUS, LDAP and NT Domain) and provides up to four authentication options, plus one On-demand Users authentication option and SIP authentication. Select the desired method and then click the link beside the pull-down menu for more advanced configuration. For more information on Authentication Methods, please refer to the next section, 4.2.1 Authentication.
  Default Policy in this Service Zone: Multiple sets of policy are provided by the system. Each policy consists of a Firewall Profile, Specific Route Profile, Schedule Profile, QoS Profile and Privilege Profile. Policies can be defined in the Policy tab. The administrator can select one of the defined policies to apply to the specific service zone. All clients belonging to this service zone will be bound by this policy. However, when RADIUS is the selected Authentication Database, the Class Policy Mapping function will be available to let the administrator assign a policy for a RADIUS Class. Also, when LDAP is the selected Authentication Database, the Attribute Policy Mapping function will be available to let the administrator assign a policy for an LDAP Attribute. Please refer to 4.2.3 Policy > Policy1~12.
  Email Message for Login Reminding: When enabled, the system will automatically send an email to users if they attempt to send or receive their emails using a POP3 email progra
164. [Screenshot: RADIUS authentication option for Server 3 (postfix "radius"), with 802.1X Authentication (Enable/Disable), 802.1X Client Device Settings, username format (Complete, e.g. user1@companyname.com, or Only ID, e.g. user1), Edit Class Policy Mapping, and Primary and Secondary RADIUS Server fields: Server (Domain Name/IP Address), Authentication Port (default 1812), Accounting Port (default 1813), Secret Key, Accounting Service and Authentication Protocol]
  802.1X Authentication: The system supports 802.1X. When the option is enabled, an extra link will become available for going to the Roaming Out and 802.1X Client Device Settings page, where the administrator can further set up the 802.1X-capable devices that are allowed to authenticate against the local user database. Select 802.1X Authentication from the hyperlink. Enter the IP Address, Subnet Mask and shared Secret Key of the authorized devices. An example would be downstream Access Points with the 802.1X option turned on and the shared Secret Key set accordingly.
[Screenshot: Roaming Out & 802.1X Client Device Settings table, with columns No., Type, IP Address, Subnet Mask and Secret Key]
165. [Screenshot: DSA-3600 General Settings, with User Log Access IP Address, Management IP Address List, SNMP (Enable/Disable) and HTTPS Protected Login (Enable/Disable)]
In addition, it is necessary to sign up for an SSL certificate licensed from a Certificate Authority (for example, VeriSign) for this registered Internet domain name. Meeting these two requirements allows end customers or subscribers to pay for Internet access in a more secure and convenient way.
2. Basic Maintenance
In order to maintain the operation, the merchant owner will have to manage the accounts and payment transactions on the PayPal website as well as on the DSA-3600.
2.1 Refund a completed payment and remove the on-demand account generated on DSA-3600
  a. To refund a payment, please log in to PayPal > Click History > Locate the specific payment listing in the activity history log > Click Details of the payment listing > Click Refund Payment at the end of the details page > Type in the information (Gross Refund Amount and/or Optional Note to Buyer) > Click Submit > Confirm the details and click Process Refund.
  b. To remove the specific account from the DSA-3600, please log in to the DSA-3600: Users > Authentication > Click the Option On-demand User > On-demand Account List > Click View > Click Delete on the record with the account ID. Click Delete All to delete all users at once.
166. of the system is also provided here for the administrator's reference.
[Screenshot: DSA-3600 web management interface, Status section]
  System: Display current settings of the system.
  Interface: Display the current settings of all network interfaces, such as WAN and service zone.
  Routing Table: List all Policy Route rules and Global Policy Route rules. The System Route rules are shown here as well. The Policy Route rule has higher priority than the Global Policy Route rule. The System Route rule has the lowest priority.
  Online Users: Display the information of the online users. The information includes Username, IP Address, MAC Address, Packet Count (In/Out), Byte Count (In/Out) and idle time. The administrator can remove an online user by clicking the Logout button in each record.
  User Logs: Display detailed user access records on a daily basis. History records of up to 3 days are kept in the system's volatile memory.
  E-mail & SYSLOG: The system can send various reports via up to 3 email accounts, such as the Monitor IP report, Users log and Session Log. The external SYSLOG server and FTP server are configured here.
4.5.1 System
This section provides an overview of the system administration.
[Screenshot: System Setting Overview]
167. olicy: Shows the information of the Global Policy.
  System: Shows the information of the system administration.
[Screenshot: routing table listing, with an Interface column including Default, WAN1 and WAN2]
    Destination: The destination IP address of the device.
    Subnet Mask: The Subnet Mask IP address of the port.
    Gateway: The Gateway IP address of the port.
    Interface: The choice of interface network, including WAN1, WAN2, Default or the named Service Zones to be applied for the traffic interface.
4.5.4 Online Users
Each online user's information can be obtained using this function. This includes Username, IP Address, MAC Address, Pkts In, Bytes In, Pkts Out, Bytes Out, Idle, Access From and Kick Out. All online users will be listed here. The administrator can use this function to force a specific online user to log out, or terminate any user session, by clicking the hyperlink of the Logout button.
[Screenshot: Online Users List, with columns No., Username, IP Address, MAC Address, Pkts In, Bytes In, Pkts Out, Bytes Out, Idle, Access From and Kick Out]
Click Refresh to renew the current users list. A user may register with SIP Register after authentication. In the Online User List, this user is shown as a
168. ollowing diagram shows that a proxy server of an organization in the DMZ will be used.
[Diagram: Core Switch, Firewall/Router, DSA-3600, L2 Switch, Public LAN, Desktop, Managed APs and Proxy Server]
Note: A special scenario is that a proxy server is placed in a zone like the Intranet, where users can reach each other without going through the DSA-3600. In this case, whenever any one of the users in the Intranet has been authenticated and connects to the network via the proxy server, other users using the same proxy setting in their browsers will be able to access the network without any authentication. Therefore, to avoid this risk, it is strongly recommended to put all proxy servers outside the Intranet.
Follow these steps to complete the proxy configuration:
  Step 1: Log in to the DSA-3600 using the admin account.
  Step 2: Go to the Network > Proxy Server > External Proxy Servers page. Add the IP address and port number of the proxy server to the External Proxy Servers setting. Click Apply to save the settings.
  [Screenshot: External Proxy Servers list, with columns No., IP Address and Port, and the Built-in Proxy Server option "Redirect Outgoing Proxy Traffic to Built-in Proxy Server" (Enable/Disable)]
  Step 3: Make sure that clients use the same proxy server settings. Please also configure appropriate exceptions if there is any traffic which is not needed
169. on in the page of Service Zone Settings. Concurrently, up to four options can be selected and pre-configured here by administrators from the five types of authentication databases (LOCAL, POP3, RADIUS, LDAP and NTDOMAIN). In addition, there are two options, On-demand User and SIP, that are selected by the system. For the Authentication Settings of each Service Zone, please see 4.1.6 Service Zones.

Authentication Settings

Auth Option | Auth Database | Postfix
Server 1 | LOCAL | local
Server 2 | POP3 | pop3
Server 3 | RADIUS | radius
Server 4 | LDAP | ldap
On-demand User | ONDEMAND | ondemand
SIP | SIP | N/A

- Authentication Option: There are several authentication options supported by the DSA-3600: Server 1 to Server 4, On-demand Users and SIP. Click the hyperlink of the respective Authentication Option to configure the authentication option.
- Authentication Database: There are different authentication databases supported in the DSA-3600: LOCAL, POP3, RADIUS, LDAP, NTDOMAIN, ONDEMAND and SIP.
- Postfix: A postfix represents the authentication server in a complete username. For example, user1@local means that this user (user1) will be authenticated against the LOCAL authentication database.

Note: Concurrently, only one server is allowed to be set as the LOCAL or NTDOMAIN authentication database.

4.2.1.1 Authentication Database: Local

[Screenshot: Authentication Option, Server 1: Name, Postfix, Black List, Authentication Database]
170. [Screenshot: Service Zone Settings list]

Click the Configure button of the Default Service Zone to enter its Basic Settings page. While in this Basic Settings page, enter an IP address for Preferred DNS Server in the DHCP Server area. An empty Preferred DNS Server will result in problems when using the Internet.

Chapter 4.1 System

[Screenshot: DHCP Server settings: Disable DHCP Server, Enable DHCP Server (Start IP Address, End IP Address, Preferred DNS Server, Alternate DNS Server, Domain Name, WINS Server, Lease Time, Reserved IP Address List), Enable DHCP Relay]

Scroll down to near the bottom of the page and, in the Wireless Settings area, enter the SSID (e.g. ssid staff) for connecting to this service zone.

Scroll up to the middle of the page, where the Authentication Settings are, and check the Enabled box for the Authentication Required for the Zone option. The users will now need to be authenticated to connect to the service zone. Make sure only Server 1 is checked Enabled for this service zone.

[Screenshot: Authentication Settings]
171. onfiguration will appear. Click Predefined and Custom Service Protocols to edit the protocol list. Click Firewall Rules to edit the rules.

[Screenshot: Global Policy, Firewall Configuration: Predefined and Custom Service Protocols, Firewall Rules]

a. Predefined and Custom Service Protocols: There are predefined service protocols available for firewall rules editing. The administrator is able to add new custom service protocols by clicking Add, and delete the added protocols with the Select All and Delete operations. This link leads to a Service Protocols List where the administrator can define a list of services by protocol (TCP/UDP/ICMP/IP).

[Screenshot: Global Policy, Service Protocols List (Name, Description), Total 27]

Chapter 4.2 Users

b. Firewall Rules: Click the number of Filter Rule No. to edit individual rules and click Apply to save the settings. The rule status will show on the list. Check the Active box and click Apply to enable that rule. This link leads to the Firewall Rules page. Rul
172. ons over POPS. It can create a private encrypted tunnel from the end user's computer, through the local wireless network and the Internet, to corporate servers and databases. There are 3 types of VPN connection supported by this system: Local, Remote and Site-to-Site. Windows Vista clients are able to use VPN from local and remote. Windows Vista's local VPN is implemented via PPTP in this release and named Local PPTP VPN, because Windows Vista's IPSec tunnel mode behaves differently from Windows XP and 2000. Local PPTP VPN uses the configuration of Remote VPN. When Remote VPN is disabled, Windows Vista clients can only use non-IPSec login, even though this user is configured as Local VPN required.

[Screenshot: VPN Settings: Local VPN, Remote VPN, Site-to-Site VPN]

- Local VPN: Local VPN allows a user to create the VPN tunnel between the user's device and the DSA-3600 to encrypt the data transmission. In addition, only when this function is enabled (Active) here are users of the entire system able to use Local VPN. Local VPN users can also be isolated from each other when VPN Client Isolation is enabled. For more information on Local VPN, please refer to Appendix H Local VPN.

[Screenshot: Local VPN For The Entire System: Active (Enable/Disable), VPN Client Isolation (Enable/Disable), IPSec Parameters: Encryption (DES, 3DES), Integrity (options include SHA-1), Diffie-Hellman (Group 1, Group 2)]

- Remote VPN: When the setting is enable
173. open a new browser again.

2. After successfully logging into the DSA-3600, the System Overview page of the web management interface will appear. To log out, simply click the Logout icon on the upper right corner of the interface to return to the Administrator Login Page.

[Screenshot: System Overview page showing System (System Time, Up Time, FW Version), Access Points, Network Interfaces, Service Zones (IP Address, SSID, Status), Users and VPN Sessions]

4.1 System

This section provides information on the following functions: General, WAN1, WAN2, WAN Traffic, LAN Port Mapping and Service Zones. It displays information such as System Time, Up Time and Firmware version.

[Screenshot: DSA-3600 web management interface]
174. or a public SSL certificate from the website and check if it is valid. The public SSL certificate consists of the public key and identity information, which can be signed by any established certificate authority, e.g. VeriSign. The certificate authority guarantees that the public key belongs to the named entity. Usually, a website's security certificate may encounter a problem only if the security certificate presented to the browser has not been signed by any certificate authority which can be trusted. As long as the SSL function is enabled in the DSA-3600, there must be a public SSL certificate signed by an established certificate authority. To avoid the error message in the browser, a company should have its own Certificate Authority (CA). The IT department must therefore install the SSL certificate for each normal user when deploying the DSA-3600.

- Secure Certificate setting for both IE6 and IE7

For the company with its own Certificate Authority (CA), the certificate of the company should be trusted by all its employees' computers, and the certificate should be delivered through a trusted medium. For example, the MIS staff should install the CA certificate in each computer. The company CA will issue a certificate for the DSA-3600 and export it to the DSA-3600.

Note: If the DSA-3600 is installed in a company, the administrator can create a certificate using software instead of purchasing a public trusted certificate.

Certificate setting f
175. or the company without Certificate Authority

For a company that does not have its own Certificate Authority (CA), the administrators should first apply for a trusted certificate or create one by using certificate software. Second, the administrators should use some trusted media to install this certificate as a trusted CA in each employee's computer and, in the meantime, export this certificate to the DSA-3600. In some circumstances, the company without a Certificate Authority may follow the steps stated below to avoid the error message. When in the LAN environment of the office instead of a wireless environment, administrators may already have recognized certificates in the system, for which the CA must be verified as secure.

Certificate setting for Internet Explorer 7

For IE7 certificate issues caused by the certificate publisher not being trusted by IE7, the following steps may be taken to provide a workaround or to bypass the issue.

1. Open the IE7 browser and you will be redirected to the default login page. If the certificate is not trusted, the following page will appear. Click Continue to this website.

[Screenshot: Internet Explorer "Certificate Error: Navigation Blocked" page] There is a problem with this website's security certificate. The security certificate presented by this website was n
176. or third-party APs or any other IP devices. Enter the IP addresses of the devices that the administrator wants to monitor and click the Apply button. When the administrator logs in to the system, click the Monitor Now button to execute the monitor action manually, and a new page with the status of monitored devices will appear. The red dots mean the devices are unreachable and the green dots mean the devices are reachable and alive. A notification e-mail of the monitored status can be set to notify the administrator at a set interval. For more information, please refer to E-mail & SYSLOG in the Status category. For monitored devices on the LAN, such as third-party APs or web cameras with a built-in web-based administrative interface, hyperlinks can be created for the administrator to access the administrative interface of the devices by clicking the Create button in the Hyperlink column. This hyperlink function enables the administrator to manage the devices from WAN easily.

[Screenshot: Monitor IP List (No., Protocol, IP Address, Hyperlink), Total 40, with the Monitor Now button]

Chapter 4.4 Network

When the Monitor Now button is clicked, the Monitor IP Results page will appear. If the entered IP address is unreachable, a red dot under the Result field will appear. A green dot indicates that the IP address is reachable and alive.

[Screenshot: Monitor IP Results (No., IP Address, Result)]
177. ork security is enhanced and can prevent the SSID from being seen on networked

- Data Rate: The default is Auto. Available range is from 1 to 54 Mbps. The rate of data transmission should be set depending on the speed of the wireless network. Select from a range of transmission speeds, or keep the default setting, Auto, to make the Access Point automatically use the fastest rate possible.
- Fragment Length: The fragmentation threshold determines whether packets will be fragmented. Enter a value between 256 and 2346.
- RTS Length: Enter a value between 256 and 2346. When a wireless client would like to send a packet which is larger than this value, it transmits an RTS and waits for a reply.
- Beacon Interval (ms): Enter a value between 20 and 1000 msec. The default value is 100 milliseconds. The entered time determines how often the beacon signal is transmitted between the access point and the wireless network. Beacons are packets sent by an access point to synchronize a network. Specify a beacon interval value.
- DTIM (Delivery Traffic Indication Message): Enter a value between 1 and 255. DTIM is a countdown informing clients of the next window for listening to broadcast and multicast messages.
- Preamble: Select Long Only or Short and Long. A short preamble is recommended for high-traffic networks.
- Transmit Power: Choose full, half (3dB), quarter (6dB), eighth (9dB) or minimum power.
- WMM: WMM stands for Wi-Fi Multimedia. Enabling this feature will improve the user
178. orkplace network. Set up a home or small office network. To continue, click Next.

4. Choose Connect to the Internet and then click Next.

[Screenshot: New Connection Wizard, Network Connection Type. What do you want to do? Connect to the Internet; Connect to the network at my workplace; Set up a home or small office network; Set up an advanced connection]

5. Choose Set up my connection manually and then click Next.

[Screenshot: New Connection Wizard, Getting Ready. How do you want to connect to the Internet? Choose from a list of Internet service providers (ISPs); Set up my connection manually; Use the CD I got from an ISP]

Appendix G Network Configuration on PC

6. Choose Connect using a broadband connection that is always on and then click Next.

[Screenshot: New Connection Wizard, Internet Connection. How do you want to connect to the Internet?] Connect using a dial-up modem: This type of connection uses a modem and a regular or
179. ot issued by a trusted certificate authority. The security certificate presented by this website was issued for a different website's address. Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server. We recommend that you close this webpage and do not continue to this website.

2. The default User Login Page will appear and the users can then log in normally.

[Screenshot: D-Link DSA-3600 login page (Username, Password) in Internet Explorer, with Certificate Error shown next to the address bar]

To install a trusted certificate to solve the IE7 certificate issue, please follow the instructions stated below.

1. When the User Login page appears, click Certificate Error at the top.

[Screenshot: D-Link DSA-3600 login page in Internet Explorer]

2. Click View Certificate.

[Screenshot: Certificate Invalid pop-up] The security certificate presented by this website has errors. This problem may indicate an attempt to fool you or intercept any data you send to the server. We recommend that you close this webpage. About certificate errors. View
180. ours the users can log in. Please check the desired time slot and click Apply to save and enable the settings. The screen below is shown only for 00:00 to 02:59, but the system can be configured based on 24 hours (00:00 to 23:59). These settings will become effective immediately after clicking the Apply button. The Login Hours, in a 7x24 format, are used to control the clients' login time. When Schedule is enabled, clients with applied policies are only allowed to log in to the system at the times checked in the applied policies.

[Screenshot: Policy 1 Permitted Login Hours (Enable/Disable), with HOUR rows 00:00 to 00:59, 01:00 to 01:59, 02:00 to 02:59 and day columns SUN, MON, TUE, WED, THU, FRI, SAT]

- QoS Profile: Click the Setting button for QoS Profile to enter the Traffic Configuration.

[Screenshot: Policy 1 Traffic Configuration: Traffic Class, Total Downlink, Individual Request Downlink, Total Uplink, Individual Maximum Uplink, Individual Request Uplink]

- Traffic Class: Each login user will be categorized into a policy. Each policy can choose its own traffic class. There are four traffic classes: Voice, Video, Best Effort and Background. Voice and Video will be put into the high-priority queue. When Best Effort or Background is selected, the Downlink and Uplink Bandwidth can also be configured.
- Total Downlink: The Total Downlink defines the maximum band
181. ous software from using up the system's connection resources, administrators will have to restrict the number of concurrent sessions that a user can establish.

- The maximum number of concurrent sessions (TCP and UDP) for each user can be specified in the Global policy, which applies to authenticated users, users on a non-authenticated port, privileged users, and clients in DMZ zones.
- When the number of a user's sessions reaches the session limit (a choice of Unlimited, 10, 25, 50, 100, 200, 350 and 500), the user will be implicitly suspended upon receipt of any new connection request. In this case, a record will be logged to the Syslog server specified in the Email & SYSLOG.
- Since this basic protection mechanism may not be able to protect the system from all malicious DoS attacks, it is strongly recommended to build some immune capabilities, such as IDS or IPS solutions, in the network deployment to protect the network in daily operation.

Session Log

The system can record connection details of each user accessing the Internet. In addition, the log data can be sent out to a specified Syslog Server, Email Box or FTP Server based on a pre-defined interval time.

- The following table shows the fields of a session log record.

Field | Description
Date and Time | The date and time that the session is established.
Session Type | New: This is the newly established session. Blocked: This session is blocked by a Firewall rule.
U
182. ptional

Payment Data Transfer allows you to receive notification of successful payments as they are made. The use of Payment Data Transfer depends on your system configuration and your Return URL. Please note that in order to use Payment Data Transfer, you must turn on Auto Return.

Payment Data Transfer: On / Off

Encrypted Website Payments

Using encryption enhances the security of website payments by decreasing the possibility that a 3rd party could manipulate the data in your button code. If you plan on only using encrypted buttons, you can block payments from non-encrypted ones. Learn more about Encrypted Website Payments.

Note: If you enable Encrypted Website Payments, all of your Buy Now, Donations and Subscriptions buttons must be encrypted via one of the following methods:

- Using the Button Factory with the security settings enabled.
- Using your own code, you encrypt all website payments before sending them to PayPal.

By enabling this feature, any Buy Now, Donation or Subscription button that is not encrypted will be rejected by PayPal.

Block Non-encrypted Website Payment: On / Off

PayPal Account Optional

When this feature is turned on, your customers will go through an optimized checkout experience. This feature is available for Buy Now, Donations and Shopping Cart buttons, but not for Subscription buttons. Learn More.

PayPal Account Optional: On / Off

Contact Telephone Number

When you activate this
183. r account information and then save it on disk.

- Search: Enter a keyword of a username to be searched in the text field and click this button to perform the search. All usernames matching the keyword will be listed.
- Del All: Click on this button to delete all the users at once, and click on Delete to delete a user individually.

[Screenshot: Local User List with Add User, Upload User, Download User and Search controls; columns Username, Password, MAC Address, Applied Policy, Service Zones, Local VPN Enabled, Remark, Del All]

- Edit User: If editing the content of an individual user account is needed, click the username of the desired user account to enter the Editing Existing User Data interface for that particular user, and then modify or add any desired information such as Username, Password, MAC, Policy and Remark (optional). Then click Apply to complete the modification.

[Screenshot: Editing Existing User Data: Username, Password, MAC Address, Applied Policy, Enable Local VPN, Service Zones, Remark]

- Roaming Out & 802.1X Authentication: When Account Roaming Out is enabled, the link of this function will be available to define the authorized device with IP address, Subnet Mask and Secret Key
184. re concurrently in use. One of the authentication options can be set as default so that end users can choose NOT to type the complete account name (id@postfix) when logging in. 5 sets of black list profiles can be defined. Each active authentication option may be configured with one of these 5 black list profiles. 12 sets of policy profiles can be defined and used to enforce the access control for different policies of users. Additional configurations are in this section. They are User Session Control, Built-in RADIUS Server Settings, Customization, Remaining Time Reminder and MAC ACL. The administrator can control user sessions, such as idle timeout, in User Session Control. Three functions are provided in Built-in RADIUS Server Settings, such as session timeout. In Customization, the administrator can upload a certificate to the system. Remaining Time Reminder provides remaining time information to clients on the screen. The administrator can manage access control to the system via clients' MAC addresses in the MAC ACL (Access Control List).

4.2.1 Authentication

This section is for administrators to pre-configure authentication options for the entire system's Service Zones. For a particular Service Zone, administrators can enable all the authentication options which will be used and also specify a default authentication opti
185. [Screenshot: General settings: Homepage Redirect URL, Management IP Address List, SNMP (Enable/Disable), HTTPS Protected Login (Enable/Disable), System Time, Time Zone, NTP Server 1 to NTP Server 5 or manual setup]

- System Name: Set the name of the system or use the default.
- Internet Domain Name: A fully qualified domain name (FQDN) of the system. When the administrator enters a desired domain name in the Internal Domain Name field, the entered Internal Domain Name will be shown in the top left of the Login Success page instead of a LAN IP address. In addition, when HTTPS is enabled, entering the domain name of the uploaded certificate will increase login speed, and the URL in the User Login page will be changed. For example, if the Internal Domain Name is configured as ashop.com, the URL in the User Login page will be https://ashop.com/loginpages/login.shtml.
- Homepage Redirect URL: Enter a URL in this field. When the clients are logged in to the DSA-3600 successfully, their browsers will be directed to this URL regardless of the original homepage setting in their browsers when
186. ser account listed in the black list is not allowed to log into the system; the client's access will be denied. The administrator may select one black list from the drop-down menu, and this black list will be applied to this specific authentication option.

- Authentication Database: The system supports five types of authentication database, that are Local, POP3, RADIUS, LDAP, NT Domain and SIP authentication. For a specific authentication option, the administrator can select the desired database type from the drop-down menu. Click the hyperlink Configure to enter the Local User Database Settings and then click the hyperlink Local User List.
- Local User List: It lets the administrator view, add and delete local user accounts. The Upload User button is for importing a list of user accounts from a text file. The Download User button is for exporting all local user accounts into a text file. Clicking on each user account leads to a page for configuring the individual local account. A local user account can be assigned a policy and have Local VPN applied individually. Check the check box of an individual local user account in the Enable Local VPN column to enable it individually. The MAC address of a networking device can be bound to a local user as well.

[Screenshot: Local User List with columns Username, Password, MAC Address, Applied Policy, Service Zones, Local VPN Enabled, Remark, Del All]
187. sername | The account name (with postfix) of the user. It shows N/A if the user or device does not need to log in with a username. For example, the user or device is on a non-authenticated port or on the privileged MAC/IP list. Note: Only 31 characters are available for the combination of Session Type plus Username. Please change the account name accordingly if the name is not identifiable in the record.
DIP | The destination IP address of the user's computer or device.

Appendix J Session Limit and Session Log

- The following table shows an example of the session log data.

Jul 20 12:35:05 2007 | New user1@local TCP MAC 00:09:6b:cd:83:8c SIP 10.1.1.37 SPort 1626 DIP 203.125.164.132 DPort 80
Jul 20 12:35:05 2007 | New user1@local TCP MAC 00:09:6b:cd:83:8c SIP 10.1.1.37 SPort 1627 DIP 203.125.164.132 DPort 80
Jul 20 12:35:06 2007 | New user1@local TCP MAC 00:09:6b:cd:83:8c SIP 10.1.1.37 SPort 1628 DIP 203.125.164.142 DPort 80
Jul 20 12:35:06 2007 | New user1@local TCP MAC 00:09:6b:cd:83:8c SIP 10.1.1.37 SPort 1629 DIP 203.125.164.142 DPort 80
Jul 20 12:35:07 2007 | New user1@local TCP MAC 00:09:6b:cd:83:8c SIP 10.1.1.37 SPort 1630 DIP 67.18.163.154 DPort 80
Jul 20 12:35:09 2007 | New user1@local TCP MAC 00:09:6b:cd:83:8c SIP 10.1.1.37 SPort 1631 DIP 202.43.195.52 DPort 80
Jul 20 12:35:10 2007 | New user1@local TCP MAC 00:09:6b:cd:83:8c SIP 10.1.1.37 SPort 1632 DIP 203.84.196.242 DPort 80
188. st be retained. When adding user accounts by uploading a file, the existing accounts in the embedded database will not be replaced by the new

- Download User: Use this function to create a .txt file with all built-in use
189. t

Personal Account: Ideal for shopping online. It's a free, secure and fast way to send payments. You can also accept bank account or PayPal balance funded payments for free, and a limited number of credit or debit card payments per year for a low fee. Learn more.

Premier Account: Perfect for buying and selling on eBay or merchant websites. Accept all payment types for low fees. Do business under your own name.

Business Account: The right choice for your online business. Accept all payment types for low fees. Do business under a company or group name. Learn more.

Step 2: Edit necessary settings in Website Payment Preferences. Click Profile > Click Website Payment Preferences in the Selling Preferences section.

[Screenshot: PayPal Profile Summary page with the Account Information, Financial Information and Selling Preferences columns]
190. [Screenshot: Service Zone Settings list]

- Service Zone Name: Mnemonic name of the Service Zone.
- LAN Port Mapping: When the system is set to Port-based mode for Service Zones, it shows the physical LAN ports that belong to the specific Service Zone.
- VLAN Tag: When the system is set to Tag-based mode for Service Zones, it shows the VLAN tag number that is mapped to the specific Service Zone.
- SSID: The SSID that is associated with the Service Zone.
- WLAN Encryption: Data encryption method for wireless networks within the Service Zone.
- Applied Policy: The policy that is applied to the Service Zone.
- Default Authentication Option: Default authentication database server that is used within the Service Zone.
- Status: Each service zone can be enabled or disabled.
- Details: Configurable detailed settings for each Service Zone.

Click the Configure button to configure each Service Zone: Basic Settings, SIP Interface Configuration, Authentication Settings and Wireless Settings. The managed APs in the specific service zone will be shown in this page as well, if there are APs set in this service zone.

- Basic Settings: The system supports three types of DHCP modes: Disable
191. t Sessions: The maximum number of concurrent sessions which is allowed to be established by each user. Use the drop-down list to select this maximum. A session limit can be specified in each policy for service zones for authenticated users. Note: For more information, please refer to Appendix J Session Limit and Session Log.

- Change Password Privilege: When Change Password Privilege is enabled, the authenticated Local users are allowed to change their password via the Login Success Page.

4.2.4 Additional Control

In this section, additional settings are provided for the administrator for user management.

[Screenshot: Additional Control: User Session Control (Idle Timeout, Multiple Login; authentication options using On-demand and RADIUS databases will not support this function), Built-in RADIUS Server Settings (Session Timeout, Idle Timeout, Interim Update), Customization (Certificate), Remaining Time Reminder (Enable/Disable), MAC ACL (edit the control list to manage which client devices are allowed to access the login page)]

- User Session Control: Functions under this section apply to all general users. Idle Timeout: Define the time that the s
192. t on-demand users and RADIUS roaming in/out users, such as Date, Type, Name, IP address, MAC address, Packets In, Packets Out, Bytes In and Bytes Out.

Users Log 2007-08-13

Date | Type | Name | IP | MAC | Pkts In | Bytes In | Pkts Out | Bytes Out
2007-08-13 14:46:51 | LOGIN | user7@local | 192.168.6.2 | Remote | 0 | 0 | 0 | 0
2007-08-13 14:52:56 | LOGOUT | user7@local | 192.168.6.2 | Remote | 499 | 350468 | 532 | 46643
2007-08-13 14:57:35 | LOGIN | user7@local | 192.168.6.2 | Remote | 0 | 0 | 0 | 0
2007-08-13 15:01:50 | LOGOUT | user7@local | 192.168.6.2 | Remote | 2934 | 1103641 | 2383 | 394180
2007-08-13 15:06:29 | LOGIN | 1@local | 192.168.2.55 | 00:06:1B:DD:90:3C | 0 | 0 | 0 | 0
2007-08-13 15:12:36 | Force logout | 1@local | 192.168.2.55 | 00:06:1B:DD:90:3C | 740 | 48180 | 780 | 103791

On-demand User Log

The On-demand User Log provides the login and logout activities of on-demand users, such as Date, System Name, IP address, MAC address, Packets In, Packets Out, Bytes In, Bytes Out, 1st Login Expiration Time and Account Valid Through.

[Screenshot: On-demand Users Log 2007-11-03, with columns Date, System Name, Type, Name, IP, MAC, Pkts In, Bytes In, Pkts Out, Bytes Out, 1st Login Expiration Time, Account Valid Through, Remark]

- System Name: The system name defined in the General tab of the System category.
- Type: The authentication status of the user.
- 1st Login Expiration Time: This is a constant value of one day.
- Account Valid Through: This is the Expired information setting in Plan Configuration of On-demand User.
- Remark: The administrator
193. tatus MAC Address [Screenshot: AP List row for a DWL-2100AP, with Reboot, Enable, Disable, Delete and Apply Template buttons.] After adding an AP, check any AP and click the buttons below the list to Reboot, Enable, Disable, Delete, or Apply Template to the checked AP. AP Name: The AP name is shown as a hyperlink. Click the hyperlink of the AP Name to configure that specific AP. There are four kinds of settings available: General, LAN, Wireless LAN, and Access Control. Click the hyperlink of each individual setting for further configuration. Service Zone: After the AP is added into the AP List, the managed AP can be assigned to one or multiple service zones. Status: Each AP's status is shown in this column. Click the hyperlink of the shown status of a managed AP to see detailed status information about that AP, such as System Status, Service Zone Status, Wireless Status, Access Control Status, and Associated Client Status. The status includes: 1. Online: The hyperlink Online Enabled indicates that the AP is currently online and in service; Online Disabled indicates that the AP is currently online but not ready for service. 2. Offline: The AP is currently offline; for example, it is displayed as Offline when the power of the AP is off or the network connection between the AP and the DSA-3600 is down. 3
194. tatus: Enable / Disable. New IP Address Assignment: Service Zone is the service zone where APs are connected. Start IP Address is the start IP address that will be assigned to the discovered APs, and it must be in the same segment as the selected LAN interface. Admin Settings Used to Discover: Select Manual and enter the current IP range of the APs in the IP Address field if they are in default value. The IP of an AP with factory default settings is 192.168.0.50. If the AP was discovered before, the IP address of the AP should have been changed. Please enter the right IP address of the AP or reset the AP to default values. Login ID is the admin ID of the AP. Password is the password of the AP. If the AP is in default value, just select Factory Default and the system can discover the APs. The Interface, Admin Settings Used to Discover, and IP Addresses of APs after Discovery configurations are the same as the settings mentioned above. Check Enable for more configuration. Select the Interval setting from the drop-down menu to set the system to scan periodically according to this setting; the default value is 10 minutes. If Auto Adding AP to the list is enabled, a newly detected AP will be assigned an available IP address from the IP address range set in IP Addresses of APs after Discovery and will have the selected template applied automatically. Discovery Results: The discovered new APs will be listed here. The ad
195. the DSA-3600 via web browsers with JavaScript enabled, such as Internet Explorer version 6.0 or above. After the basic installation has been completed according to the instructions of the previous chapter, the DSA-3600 can be further configured with the following steps. 1. First, set a PC in the network as a DHCP client, with its TCP/IP setting configured to get an IP address from the DHCP server automatically. Next, connect the PC to the DSA-3600 via any LAN port. An IP address will be assigned to the PC automatically by the DSA-3600 built-in DHCP server. Launch a web browser to access the web management interface of the DSA-3600 by entering https://192.168.1.1 in the URL field. Note: https is used for a secured connection. [Screenshot: Internet Explorer window titled D-Link DSA-3600.] Once the DSA-3600 has been connected, the Administrator Login Page will appear. Enter admin for both the default username and password in the Username and Password fields. Select the Enter button to log in. [Screenshot: Administrator Login Page with Username and Password fields.] Caution: If you are unable to get to the login screen, please check the IP address used. The IP address should be in the same subnet as the default gateway. To use a static IP in the TCP/IP setting, set a static IP address such as 192.168.1.x for your network interface and then
196. the configuration on demand, such as SSID or Channel. For other functions of the Wireless part, please refer to 4.3.1 List. [Screenshot: Template Editing page with Name, Copy Settings From and Remark fields.] Template Editing: The administrator can set the template configuration manually or copy the configuration from a specific existing managed AP with the Copy Settings From option. Click the Configure button for detailed configuration. I. DWL-2100AP: DWL-2100AP includes all standards, 802.11b/g only. The connection could be selected to enable or disable 802.11b/g. The DWL-2100AP is fully compatible with the IEEE 802.11b and 802.11g standards. [Screenshot: DWL-2100AP template settings. General: Subnet Mask 255.255.255.0; Default Gateway 192.168.1.1; SNMP Enabled; Public Community public; Private Community private; User Status Notification Disable; System Activity Enabled; Wireless Activity Enabled; SYSLOG Notice Enabled; Remote SYSLOG Server Disabled. Wireless: SSID Broadcast Enabled; Data Rate Auto; Fragment Length 2346 (default 2346, range 256 to 2346); RTS Length 2346 (default 2346, range 256 to 2346); Beacon Interval 100 ms (default 100, range 20 to 1000 msec); DTIM 1 (default 1, range 1 to 255); Preamble Short and Long; Transmit Power Full; 802.11g Only Disabled; WMM Enabled; Load Balance Disabled; Link Integrate Disabled; Internal Station Connection Enabled.]
197. to encrypt the data transmission. Click the Add a Remote Site button to configure remote VPN-capable devices, such as a VPN gateway. Click the Add a Local Site button to configure the local site. An IPSec tunnel can be constructed and used to connect to other IPSec-capable devices on the Internet. [Screenshot: Remote Site Configuration list (Name, IP Address, Pre-shared Key, Edit, Delete, Add A Remote Site) and Local Site Configuration list (Local Subnet, Local Interface, Remote VPN Gateway, Remote Subnet, Edit, Delete).] Click Add a Remote Site to enter the Remote VPN Gateway page for further configuration. Click Add a Local Site to enter the Local Site Information page for further configuration. Click Add a New Host to enter the screen of Remote VPN Gateway. 4.5 Status: This section covers the description of system status information and online user status, which include System, Interface, Online Users, User Logs, and E-mail & SYSLOG. An overview
198. to go through proxy server; for example, there is no need to use a proxy server for the Default Gateway 192.168.1.254. [Screenshot: Internet Explorer Local Area Network (LAN) Settings dialog, showing Automatic configuration, Proxy server, and the Exceptions list of addresses that bypass the proxy.] Note: The proxy server setting of the clients must match the proxy server setting of the DSA-3600. Otherwise, users will not be able to get the Login page for authentication via browsers, and the browser will show an error page. Appendix D: Certificate Settings for IE6 and IE7. Certificate setting for the company with Certificate Authority. Background information: Any website or high value Web Applications will require a client to access their websites via Secure Sockets Layer (SSL). The browser will automatically ask f
199. trust the source, do not open or save this file. What's the risk? Restore System Settings: Click Browse to search for a .db database backup file created by the DSA-3600 and click Restore to restore the settings as they were at the time the backup file was created. [Screenshot: Restore System Settings with 20071130_Backup.db selected and the message: You have just uploaded the database of 20071130_Backup.db. You should RESTART the system to activate the change.] Caution: Due to the limitation on database compatibility, the backup database file from a major release of a previous firmware version cannot be restored to a later major release of current firmware; for example, a backup of v2.00 cannot be restored to v3.00. An alert will appear when the backup database file is not compatible with current firmware, as shown below: The backup db is not compatible with current firmware. Please check the db file and try again. Reset to the Factory Default: Click Reset to load the factory default settings of the DSA-3600. Note that a Reset action will wipe out the existing local user accounts. To back up the local user accounts, please export the local user accounts to a text file first. Please refer to the section on Local User List for more details. [Dialog: Are you sure you wish to load factory default setting and RESTART DSA-3600?] Caution: Resetting to factory default settings will clear all settings such as policies
200. ts among APs in the networks. Assign each access point a different non-overlapping channel. User Limit: Enter the limit on the number of load balancing users, from 0 to 64. 802.11a Mode Settings. Data Rate: The default is Auto. The available range is from 1 to 54 Mbps. The rate of data transmission should be set depending on the speed of the wireless network. Select from a range of transmission speeds or keep the default setting, Auto, to make the Access Point automatically use the fastest rate possible. Fragment Length: The fragmentation threshold determines whether packets will be fragmented. Enter a value between 256 and 2346. RTS Length: Enter a value between 256 and 2346. When a wireless client would like to send a packet that is larger than this value, it transmits an RTS and waits for a reply. Beacon Interval (ms): Enter a value between 20 and 1000 msec. The default value is 100 milliseconds. The entered value sets how often the beacon signal is transmitted between the access point and the wireless network. DTIM (Delivery Traffic Indication Message): Enter a value between 1 and 255. DTIM is a countdown informing clients of the next window for listening to broadcast and multicast messages. Transmit Power: Select either Full, Half (-3dB), Quarter (-6dB), Eighth (-9dB), or Minimum (minimum power). This tool can be helpful for security purposes if you wish to limit the transmission range. WMM: WMM stands for Wi-Fi Multimedia; by
201. twork 6 administrator in IP address, Subnet mask, and the DNS address(es), and then click OK. [Screenshot: Windows TCP/IP settings dialog with Use the following DNS server addresses, Preferred DNS server, and Alternate DNS server fields.] Appendix H: Local VPN. The DSA-3600 is equipped with an IPSec VPN feature starting from release v1.00. To utilize the IPSec VPN supported by Microsoft Windows XP SP2 (with patch) and Windows 2000 operating systems, the DSA-3600 implements IPSec VPN tunneling technology between the client's Windows devices and the DSA-3600 itself, regardless of wired or wireless network. Because the DSA-3600 pushes an ActiveX component down to the client's Windows device, no extra client software needs to be installed except ActiveX, through which a so-called clientless IPSec VPN setting is then configured automatically. At the end of this setup, a built-in IPSec VPN feature will be enabled and ready to serve once it is launched for setup. The goal of this design is to eliminate the configuration difficulty for IPSec VPN users. At the client side, the IPSec VPN implementation of the DSA-3600 is based on ActiveX and the built-in IPSec VPN client of Windows OS. ActiveX component: ActiveX is a software component running inside Internet Explorer. The ActiveX component can be checked in the following window. [Screenshot: Internet Explorer Manage Add-ons dialog: View and manage add-ons that are installed on your computer. Disabling or deleting add-ons might prevent some]
202. ubnet Mask and Default Gateway of AP. [Screenshot: LAN settings with IP Address, Subnet Mask 255.255.255.0 and Default Gateway 192.168.1.1.] Wireless LAN: Click Wireless LAN to enter the Wireless interface. The data of Properties and Security need to be filled in. [Screenshot: Wireless Properties page with SSID Broadcast, Channel, Data Rate, Super G Mode, Fragment Length, RTS Length, Beacon Interval, DTIM, Preamble, Transmit Power, Wireless B/G Mode, Antenna Diversity, WMM, Load Balance, Link Integrate and Internal Station Connection fields.] Properties. SSID Broadcast: Select this option to enable the SSID to broadcast in your network. When configuring the network, it is suggested to enable this function, but disable it when the configuration is complete. With this enabled, someone could easily obtain the SSID information with site survey software and get unauthorized access to a private network. With this disabled, network security is enhanced and the SSID can be prevented from being seen on networked SSID: The SSID is the unique name shared among all devices in a wireless network. The S
203. up its own Authentication and Encryption support for the AP security setting. Authentication supports WPA, WPA2, WPA/WPA2 Mixed, Open System, Shared Key, and Open System/Shared Key, and encryption supports WEP. Managed AP in this Service Zone: Lists all APs belonging to this service zone. [Screenshot: Managed AP(s) in this Service Zone table with columns IP Address, AP Type, AP Name, Status, MAC Address.] 4.2 Users: This section provides information on the following functions: Authentication, Black List, Policy, and Additional Control. It displays the information of the User, such as the number of Total Online users and the number of On-demand Users. [Screenshot: DSA-3600 web interface navigation for the Users section.] The internal or external account databases include Local, POP3, RADIUS, LDAP, NT Domain, On-demand, and SIP. The administrator needs to activate and configure at least one of these authentication databases. Postfix is used for the system to identify which authentication option will be used for the specific user account when multiple options a
204. utes to Policy. Server: The IP address of the external LDAP Server. Port: The authentication port of the external LDAP Server. Base DN: The Distinguished Name for the navigation path of the LDAP account. Account Attribute: The attribute of LDAP accounts. LDAP Policy Mapping: This function applies the selected policy to certain clients grouped by LDAP attribute. The clients will have the assigned policy applied when logging on to the system. To show the attribute name and value, enter Username and Password and press Show Attribute. The table of attributes will be displayed. Enter the selected Attribute Name and Attribute Value from the attribute table, and the Policy, in the LDAP Attributes Mapping page. [Screenshot: attribute table with Attribute Name and Attribute Value columns, and the LDAP Attributes Mapping To Policy page with columns No., LDAP Attribute Name, LDAP Attribute Value, Policy, Remark, plus Username and Password fields and a Show Attributes button.] 4.2.1.5 Authentication Database: NT Domain. The system supports authentication by an external NT Domain authentication database. [Screenshot: Authentication Option, Server 1.]
205. version as well as the hardware version. Please fill in the required data. Interface: Select the default service zone of the interface where APs are connected and are to be scanned. Admin Settings Used to Discover: Select Manual and enter the current IP range of the APs in the IP Address field if they are not in default value. The IP of an AP with factory default settings is 192.168.0.50. If the AP was discovered before, the IP address of the AP should have been changed. Please enter the right IP address of the AP or reset the AP to default values. Login ID is the admin ID of the AP. Password is the admin password of the AP. If the AP is in default value, just select Factory Default and the system can discover the APs. IP Addresses of APs after Discovery: This is the start IP address that will be assigned to the discovered APs, and it must be in the same segment as the selected LAN interface (Service Zone). Scan Now: Click the Scan Now button, and the APs that match the given settings will be shown in the Discovered Results below. If any IP address in the IP range assigned for a specific AP is already used, a warning message will be shown. Please change the IP Addresses of APs after Discovery and then click Scan Now again. For the desired AP, input the desired AP name and admin password, select one template to apply, select the check box, and click Add to add the discovered AP to the List. For more informat
206. vilege Configuration for configuring the item of Maximum Concurrent Session for User, from Unlimited to 10. [Screenshot: Global Policy Privilege Configuration with Maximum Concurrent Session for User set to 500.] Maximum Concurrent Session for User: Include Maximum Concurrent Session for User from 10 to Unlimited. The concurrent sessions for each user can be restricted by the administrator. Note: For more information, please refer to Appendix J, Session Limit and Session Log. 4.2.3.2 Policy 1 to Policy 12: Policies can be defined in the Policy tab. The administrator can select one of the defined policies to apply to a specific authentication option. All clients that belong to this authentication option will be bound by this policy. A policy can be applied at zone level, at group level, or at user level. User-level policy overrides group-level policy. Group-level policy overrides zone-level policy. Zone-level policy overrides the global policy. When the type of authentication database is Local, a policy is applied on a per-user basis. When the type of database is NTDOMAIN or ONDEMAND, a policy is applied to the whole user database. When the type of database is RADIUS, a policy is mapped to a user group of a RADIUS class. The Class Policy Mapping function will be available to let the administrator assign a policy for a RADIUS Class attribute. When the type of database is LDAP, a policy is applied to a user group defined by an attribute-value pair. The Attribute Po
207. width allowed to share by clients within the same policy. Individual Maximum Downlink: The Individual Maximum Downlink defines the maximum bandwidth allowed for an individual client; the Individual Maximum Bandwidth cannot exceed the value of Total Bandwidth. Individual Request Downlink: The Individual Request Downlink defines the guaranteed minimum bandwidth allowed for an individual client; the Individual Request Bandwidth cannot exceed the value of Total Downlink and Individual Maximum Downlink. Total Uplink: The Total Uplink defines the maximum bandwidth allowed to share by clients within the same policy. Individual Maximum Uplink: The Individual Maximum Uplink defines the maximum bandwidth allowed for an individual client; the Individual Maximum Uplink cannot exceed the value of Total Uplink. Individual Request Uplink: The Individual Request Uplink Bandwidth defines the guaranteed minimum bandwidth allowed for an individual client; the Individual Request Uplink cannot exceed the value of Total Uplink and Individual Maximum Uplink. Privilege Profile: Click the Setting button for Privilege Profile to enter the Privilege Configuration, including Maximum Concurrent Session and Change Password Privilege. [Screenshot: Policy 1 Privilege Configuration with Maximum Concurrent sessions per user set to 500 and Change Password Privilege Enable/Disable.] Maximum Concurren
208. will not switch antenna and the radio will use the left antenna to transmit and receive packets. Right Antenna: The AP will not switch antenna and the radio will use the right antenna to transmit and receive packets. WMM: WMM stands for Wi-Fi Multimedia. Enabling this feature will improve the user experience for audio and video applications over a Wi-Fi network. Internal Station Connection: Select either Enabled or Disabled. When enabled, the connection allows clients to communicate with each other. Access Control by MAC Address: This function controls which client devices are allowed to associate with the APs that have the desired template setting applied. Choose Disabled or Enabled in the Status column and enter the desired clients' MAC addresses in the MAC Address List. When this function is enabled, please make sure the MAC Address List is not empty. [Screenshot: Access Control by MAC Address with Status set to Accept and a MAC Address List.] III. DWL-3200AP v2.3: DWL-3200AP version 2.3 Templates settings allow users to configure wireless 802.11b/g mode settings. Compared with DWL-3200 v2.2, DWL-3200AP 2.3 enables users to configure SNMP in General settings and adds the properties of Load Balance and Link Integrate. Due to firmware upgrade issues between DWL-3200AP v2.20 and v2.30 itself, the system treats DWL 3
209. y Authentication Database: SIP. The system provides SIP proxy functionality, which allows SIP clients to pass through NAT. When enabled, all SIP traffic can pass through NAT via a fixed WAN interface. Administrators are able to add up to four trusted SIP Registrars in order to authenticate SIP clients. Also, a policy can be chosen to govern the SIP traffic. [Screenshot: SIP Authentication Configuration with Trusted Registrar IP Address and Remark fields and a Policy selection applied to clients that log in with SIP authentication.] SIP: SIP authentication supports 4 Trusted SIP Registrars. IP Address: The IP address of the Trusted SIP Registrar. Remark: The administrator can enter extra information in this field as a remark. Policy: The Policy applied to the clients that log in with SIP Authentication. 4.2.2 Black List: The administrator can add or delete users in the black list for user access control. There are 5 sets of black lists provided by the system. A user account listed in the black list is not allowed to log into the system; the client's access will be denied. The administrator may select one black list from the drop-down menu, and this black list can be applied to a specific authentication option. [Screenshot: Black List Settings with Select Black List, Name, User, Remark columns and an Add User(s) button.] Select Black List: Ther
210. ystem [Screenshot: template page settings, including Color for Page Text (select RGB values in hex mode), Title, Welcome, Information, Information2 and Login Time fields.] Login Success Page, Uploaded Page: Choose Uploaded Page to upload the login success page. Click the Browse button to select the file for the login success page upload. Next, click Submit to complete the upload process. After the upload process is completed and applied, the new Login Success Page can be previewed by clicking the Preview button at the bottom. [Screenshot: Login Success Page Selection for Users (Service Zone: Default) with Default Page, Template Page, Uploaded Page and External Page options; Uploaded Page Setting with File Name, Existing Image Files, Total Capacity 512 K, Now Used 0 K, Upload Image Files and Preview.] Login Success Page, External Page: Choose the External Page selection to get the Login Success Page from a specific website. In the External Page Setting, enter the URL of the external login page and then click Apply. After applying the setting, the new Login Success Page can be previewed by clicking the Preview button at the bottom of this page. [Screenshot: Login Success Page Selection for Users (Service Zone: Default) with External Page Setting, External URL http]
211. ystem will log out users when users have been inactive for the time period set in this field. This setting will be applied to all users. Multiple Login: When Multiple Login is enabled, the same account can be logged in by different clients at the same time. This function is not valid for On-demand User accounts and RADIUS accounts. Built-in RADIUS Server Settings. Session Timeout: Define how long users who are authenticated by the built-in RADIUS server can access the Internet after they have logged in. The system will log out users after Session Timeout is reached. Idle Timeout: Define the time after which the system will log out users when users have been inactive for the time period set in this field. This setting will be applied to users who are authenticated by the built-in RADIUS server. Interim Update: The system supports constantly updating the records of users who are authenticated by the built-in RADIUS server, based on the time interval set in this field. Customization: The system supports uploading a customized certificate to the system. Options: Upload Private Key, Upload Certificate, Use Default Certificate. Remaining Time Reminder: The system supports a Remaining Time Reminder to remind users that their accounts are about to be cut off within the set time. When Remaining Time Reminder is enabled, a message will appear on the user's screen to remind them. Volume Enable Disable Remaining Time Mbyte
