
INNGATE 3 ADMINISTRATOR'S MANUAL


Contents

1. Figure 8-12 shows the Date and Time configuration page.
   1. Retrieve time from NTP server: The InnGate supports Network Time Protocol (NTP) to automatically synchronize the internal clock with an external time server.
      a. IP Address: NTP server IP address.
   2. New Date & Time: Specify the updated date and time here.
   3. Time Zone: Specify the time zone that the InnGate is in. You will need to restart the InnGate.
   Connectivity Made Easy, Page 116 of 164
   [Figure 8-12: Date and Time Settings. Note shown in the figure: changing the system time zone requires a system restart.]
   Click to confirm the changes.
   8.7 Syslog Configuration
   System logs can be sent to a remote Syslog server. Syslog is a standard protocol for sending log information over TCP/IP, usually using UDP port 514.
   To configure Syslog:
   1. Click on Settings.
   2. Click on Syslog.
   Figure 8-13 shows the Syslog selection settings.
   1. Mirror system logs: When selected, the following system log information is sent to the Syslog server:
      a. Email information
      b. FTP login/logout information
   2. IP Addre
2. There are three different types of definitions in the Walled Garden:
   1. Define HTTP URLs (See Section 3.4.1)
   2. Define HTTPS Domains (See Section 3.4.2)
   3. Define IP Addresses (See Section 3.4.3)
   3.4.1 Define HTTP URLs
   You can define a whitelist of URLs that the InnGate will allow non-logged-in users to access.
   To define HTTP URLs in the Walled Garden:
   1. Click on LAN.
   2. Click on Walled Garden.
   Select the HTTP URLs tab as shown in Figure 3-20. Any existing entries will be displayed. Click on an entry to modify it or click to create one.
   [Figure 3-20: Whitelist of HTTP URLs, showing an example entry http://www.CreditCardPaymentPortal.com with the description "Credit card payment portal for charged Internet access"]
   Figure 3-21 shows the interface for defining a HTTP URL in the Walled Garden.
   [Figure 3-21: Define HTTP URL in the Walled Garden]
   The fields are described as follows:
   1. HTTP poer a ftp Y http ftp antlabs com x http ftpezxcess com sg http www antlabs com 7 http www antlabs com x http
3. 1. Click on Settings.
   2. Click on License.
   Figure 8-24 shows information regarding the number of devices that the InnGate is licensed to operate.
   Note: The Serial Number pertains to the licensing serial number and is not the same as the hardware serial number found on the equipment.
   [Figure 8-24: License Information]
   8.12 Console Access via Serial Connection
   You can access the InnGate in console mode via a direct serial connection. Once connected and logged in, you will be presented with the command line interface (CLI), just like a Telnet session.
   Note: This list of commands is separately documented in the Command Line Interface Reference.
   Most of the CLI commands accessible via the Console are also accessible via Telnet. However, as a physical security measure, some potentially destructive commands can only be executed via the Console.
   To connect to the InnGate Console:
   1. Connect the serial cable from your PC to the Serial Port of the InnGate.
   2. Use your PC's terminal software to open an SSH session to the InnGate with the following terminal settings
4. The WAN interface has to be properly configured with a routable IP address, valid subnet mask and gateway in order for the InnGate to function correctly in your network.
   To configure the WAN Interface:
   1. Click on WAN.
   A list of WAN profiles will be displayed (see Figure 1-7).
   [Figure 1-7: WAN Profiles]
   The InnGate comes preconfigured with a single default WAN profile. In our example we will go ahead and modify this profile by clicking on the entry. The settings of the selected WAN Profile will be displayed (see Figure 1-8).
   [Figure 1-8: Modify WAN Profile]
   The various fields are described as follows:
   1. IP Address: The host IP address for the InnGate on the upstream network. The factory default IP address setting is 192.168.0.1. Change this to a valid routable IP address on your upstream network.
   2. Subnet Mask: The subnet mask of the upstream network that the InnGate i
5. www antlabs com Sg Y http www antlabs com x http ftpezxcess com sg Y http ftp antlabs com Y http www antlabs com matches the regular See Appendix B expression is the SmartURL
   2. http: Allow access to the URL that matches the condition.
   3. Description: A description for the entry.
   Click to set advanced options for the Walled Garden entry. Figure 3-22 shows the interface for defining advanced options for HTTP URLs in the Walled Garden.
   [Figure 3-22: Advanced options in the HTTP URLs Walled Garden]
   The fields are described as follows:
   1. Redirect to: Redirect the user to the URL defined here if the HTTP URL condition matches.
   2. Add zero config variables to redirect URL: Select any of the variables to be added to the redirected URL query string.
      a. If IP Address is selected, the name in the parenthesis will be added to the redirect URL, e.g. <URL>?client_ip=<IP Address>
   3. Additional redirect URL query string parameters: Set any other variables to be added to the redirected URL query string.
      a. If name=value is input, the redirect URL will become URL
6. Click to retrieve the entries with the search conditions applied. Click to store the filter for future use.
   7.2.4 Account Monitor
   View all unexpired accounts information that have been created.
   To view the Account Monitor:
   1. Click on Monitors.
   2. Click on Account.
   Any unexpired accounts will be listed as shown in Figure 7-9. The following column in the Account Monitor is further explained here:
   1. User ID: The user id of the user.
   2. Access Code: The access code of the user.
   3. Plan: The plan assigned the account.
   4. Valid Until: This will show the expiry date of the account.
   5. Login Limit: To show the login limit of the account.
   6. MAC Address: To show the MAC address of the user when user is having session.
   7. Duration (Mins): To show the remaining duration user can use the account.
   8. Start Time: The time when user starts using the account.
   9. End Time: The time when user ends the session, or to show the account's validity time.
   10. Remaining Volume (MB): To show the remaining volume of the account.
   [Figure 7-9: table with columns Enabled, User ID, Access Code, Plan, Valid Until, Login Limit, MAC Address, Duration (mins), Start Time, End Time, Remaining Volume (MB)]
7. [Figure 9-2: High Availability Configuration]
   Click to confirm the changes.
   9.4 HA Leader Election
   Whenever one of the InnGate in a HA setup boots up, it will attempt to determine whether it should assume the role of Live or Backup InnGate. This process is called the HA Leader Election. To do this, the rebooted InnGate will first attempt to detect its peer over the Control Channel when it starts up. There are 2 possible conditions:
   1. Peer cannot be detected: The InnGate will go into active mode (Live InnGate) by default.
   2. Existing peer is detected: The InnGate with the shorter runtime elapsed since last reboot will switch to passive mode (Backup InnGate), ensuring that the longer serving system will be the Live InnGate.
   Note: It is possible that an existing Live InnGate is already in operation but, because of a faulty or disconnected Control Channel link, both InnGate will end up in active mode, which is problematic for the downstream clients. Should the Control Channel link be reconnected subsequently, the Leader Election process described in condition 2 above applies.
   9.5 HA Failover Behavior
   After the Leader Election process is completed, both InnGate will begin failure event monitoring. Should a failover event be triggered, the HA Failover mechanism applies the STONITH approach to attempt to recover the faulty machine. Failover triggers are different depending on whether it is a Liv
8. [Figure 8-3: List of Admin Groups and Permissions]
   Figure 8-4 shows the list of permissions that can be configured for the selected Admin Group. Select the checkboxes for the permissions you wish to give to the group.
   [Figure 8-4: Admin Group Permissions]
   Click to confirm the changes.
   8.2.3 Creating an Administrator Account
   In this step you will create Admin Accounts that will be given out to the respective personnel.
   To create an administrator account:
   1. Click on Admin Accounts.
   Any existing entries will be displayed (see Figure 8-5). Click on an entry to modify it or click to create one.
   [Figure 8-5: List of Administrator Accounts]
   Figure 8-6 shows the interface for configuring the Admin Account.
   1. Enabled: Select to activate the account.
   2. ID: Login user ID.
   3. Name: The name given to the account.
   4. Password / Re-type Password: Login pass
9. [Figure 1-13: Creating a Plan]
   Click to confirm the changes.
   1.3.6 Firewall Rules
   The InnGate allows you to define firewall-like rules that can be applied to individual User Groups for greater control over network access policies.
   To configure a Firewall rule:
   1. Click on Plans.
   2. Click on Firewall.
   Any existing entries will be displayed (see Figure 1-14). Any account belonging to the Plan will be subject to the rules defined, in the order that the rules appear, when they log in. Click on an entry to modify it or click to create one.
   [Figure 1-14: List of Firewall rules]
   The Firewall rule definition page will be displayed (see Figure 1-15).
   [Figure 1-15: Plan Firewall, with fields Plan, Order, VLAN, Protocol (Any, TCP, UDP, ICMP), Source Network, Destination Network, Action (Accept, Drop), Description]
   The fields are described as follows:
   1. Plan: The Plan that this firewall rule will apply to. You can also configure Firew
10. The two InnGate will communicate directly through their OPT network interfaces (see Section 1.1.1) via a cross cable connection. This link is called the Control Channel and is used by the InnGate to detect the state of its peer (heartbeat) and for regular synchronization of system configurations.
   The two InnGate will be setup with the same WAN IP address (shown as 192.168.10.1 in the diagram) in their WAN profiles (see Section 4.2). In addition, each HA InnGate will automatically use an additional IP address which is derived from numerically adding the HA ID to the WAN IP (see Figure 9-1). This facilitates upstream clients when they need to probe and access each InnGate individually with Ping and Telnet.
   Note: A HA setup will thus require 3 IP addresses.
   The Admin GUI will still be accessible only via the WAN IP if accessing from the upstream, and will always be the Admin GUI of the Live InnGate.
   Some potential problems due to setup errors are also highlighted here:
   If the downstream network is not overlapping (due to configuration errors, switch failure, etc.), the Backup InnGate will think that the Live InnGate is failing to service its downstream clients, triggering a failover event based on the behavior described in Section 9.5. This will keep repeating as the two InnGate continuously switch roles every time the failover occurs.
   If the downstream network is not overlapping and the Control Channel also fails, then both Inn
11. You can then configure the DHCP server to respond with the desired IP address range based on the DHCP Relay Agent IP address it receives.
   The fields are described as follows:
   1. DHCP Relay Agent IP Address: The IP address that the InnGate will use when relaying DHCP requests from downstream clients.
   2. VLAN: The VLAN for which the Relay Agent IP Address is applicable.
   Click to confirm the entry or for modifications.
   3.3 Routed Network Setup
   Using this function you can configure IP addresses that will always be routed on the upstream whenever the InnGate encounters network packets which contain these addresses in either the source or destination IP. There are some circumstances in which this would be useful:
   1. When operating in DHCP Relay mode (see Section 3.2.2), IP addresses are assigned to downstream clients from an external DHCP Server. In this case InnGate must not perform NAPT for these clients, and therefore the DHCP range is defined in the Routed Network.
   2. The InnGate may be required to route packets from downstream clients to resources on the upstream that are within the intranet, such as intranet portals, but perform NAPT for Internet traffic. In this case the intranet resources will be defined in the Routed Network.
   To setup Routed Networks:
   1. Click on LAN.
   2. Click on Routed Network.
   Any existing entries will be displayed (see Figure 3-18). Click on an entry to
12. process restart or server reboot etc. The following are the service event SNMP traps sent by the InnGate: Trap Ref arpdUp ARPD service 1.3.6.1.4.1.12902.1.1.4.2.1.1.1 restored ARPD service down 1.3.6.1.4.1.12902.1.1.4.2.1.1.2 mysqldUp 1.3.6.1.4.1.12902.1.1.4.2.1.2.1 restored mysqldDown 1.3.6.1.4.1.12902.1.1.4.2.1.2.2 down restored down restored dhcpdDown DHCPD service 1.3.6.1.4.1.12902.1.1.4.2.1.4.2 down dhcpdGetPublicIpFail DHCPD public IP 1.3.6.1.4.1.12902.1.1.4.2.1.4.3 assignment failure release failure restored httpdDown restored down restored DNS service down service restored service down All high availability 1.3.6.1.4.1.12902.1.1.4.2.1.8.3 nodes in master mode for too long antHearbeatAllFollower All high availability 1.3.6.1.4.1.12902.1.1.4.2.1.8.4 nodes in slave mode for too long Lone node in slave 1.3.6.1.4.1.12902.1.1.4.2.1.8.5 mode for too long failover SIP Login service 1.3.6.1.4.1.12902.1.1.4.2.1.9.1 restored down service restored service down restored qmailDown Qmail service down All network links restored network link down link down network link down unreachable 1.3.6.1.4.1.12902.1.1.4.2.1.4.4 1.3.6.1.4.1.12902.1.1.4.2.1.5.1 1.3.6.1.4.1.12902.1.1.4.2.1.9.2 1.3.6.1.4.1.12902.1.1.4.2.1.10.1 1.3.6.1.4.1.12902.1.1.4.2.1.10.2 1.3.6.1.4.1.12902.1.1.4.2.1.11.1 1.3.6.1.4.1.12902.1.1.4.2.1.11.2 1 3
13. 1.3.8 Creating VLAN; 1.3.9 Importing and Exporting VLAN Definitions; 1.4 Network Installation; 1.4.1 VLAN-enabled Networks; 1.5 Testing the Configuration; 2.2.1 Local Accounts Maintenance; LAN NETWORK SETTINGS; 3.2.1 Configuring DHCP Server Mode; Setting up the Default Scope; 3.2.1.2 Setting up the User Provision Routed Scope; 3.2.2 Configuring DHCP Relay Mode; 3.2.2.1 Relay Agent Mappings; 3.3 Routed Network Setup; 3.4 Walled Garden Setup; 3.4.1 Define HTTP URLs; 3.4.2 Define HTTPS Domains
14. Baud rate: 115200
   Data bits: 8
   Parity: None
   Stop bits: 1
   Flow Control: None
   The default login ID and password is the same as for Telnet access and was previously discussed in Section 5.5.1.
   8.13 Securing the System for Deployment
   Once the InnGate has been configured and deployed, for security reasons it is recommended that you:
   1. Securing Access to the Admin GUI (See Section 8.13.1)
   2. Change the Default Admin User Account (See Section 8.13.2)
   3. Change the FTP Account Password (See Section 8.13.3)
   4. Change the Telnet and Console Password (See Section 8.13.4)
   8.13.1 Securing Access to the Admin GUI
   You can limit access to the web admin system by IP addresses and also block admin access from the downstream totally.
   Note: Do be extremely careful with this feature as you can potentially lock yourself out of the system. In the event that this happens, you will need to access the InnGate via serial console (see Section 8.12) and use a terminal-based software to shell into the InnGate to clear the lockout with this command: wadacc disable ip control (please refer to Command Line Interface Reference documentation for more information on the wadacc command).
   To configure the admin access:
   1. Click on Admin Accounts.
   2. Click on Admin Access.
15. 1. Connect your PC or laptop to InnGate's USB Serial Console or Serial Console port using USB Serial cable.
   2. Open a HyperTerminal session. Login using console account (see Section 8.12).
   3. Enable supervisor mode by typing enasup. No password is required.
   [Figure 11-1: Enabling supervisor mode]
   4. Run the command by typing save snapshot. There will be a prompt asking you whether you are sure to perform snapshot save. Press y for yes or N for cancel.
   [Figure 11-2: Saving snapshot]
   Upon executing this command, the InnGate will reboot itself.
   11.3 Restore Firmware
   Restoring firmware will restore the InnGate to its factory default state. This action can be done through CLI in supervisor mode or through GRUB.
   To restore firmware through CLI:
   1. Connect your PC or laptop to InnGate's USB port using USB serial cable.
   2. Open a HyperTerminal session. Login using console account (see Section 8.12).
   3. Enable supervisor mode by typing
16. modify it or click to create one.
   [Figure 3-18: List of Routed Networks]
   Figure 3-19 shows the interface for defining a Routed Network.
   1. Network Address: The network within which the IP addresses will be routed.
   2. Subnet Mask: The subnet mask for the Network IP Address.
   Note: To define a specific host IP address, use 255.255.255.255 for the subnet mask.
   [Figure 3-19: Defining a Routed Network]
   In this example the InnGate will route packets originating from or destined for the network identified by the network address 192.168.123.0 and subnet mask 255.255.255.0.
   Click to confirm the entry or for modifications.
   3.4 Walled Garden Setup
   This feature allows you to configure HTTP URLs, HTTPS Domain and IP Addresses that the InnGate will allow downstream clients to access before authentication. A common example of using this feature is in a charged Internet usage environment where you need to allow the user to access a credit card payment portal to complete the purchase transaction before he has logged in. The payment portal will be defined in the Walled Garden so that, even though the user is not logged in and therefore does not have Internet access, he can still access the portal.
17. 1. Login/Logout Success Message: The messages shown to the user.
   2. Display Logout Button: To show the button for logging out of the session. Useful for time duration based plans.
   3. Alert user: A timer will show on the page indicating the amount of time left. Useful for time duration based plans.
   4. Enable link to external URL: To include customized post-login processes, enable this to invoke the following actions to an external page:
      a. display link as: the external page is displayed as a link on the default success page.
      b. redirect to link after: the default success page is first shown for the specified number of seconds before redirecting to the external page.
      c. use link as login success page: the external page is used as the success page.
      d. Add the following to the URL query string: You can also choose to pass the zero configuration variables such as IP address, MAC address, User ID to the external page for advanced integration requirements.
   Click Next to proceed with the next step in the wizard.
   The next step is to define what is shown to the user if the system encounters an error.
   [Figure 1-28: Error Page, showing the error message "Please contact your system administrator for assistance"]
   Click Next to proceed with the next step in the wizard.
   The next step is to define what to name the various labels on the pages shown to the user in the whole a
18. 6.1.4.1.12902.1.1.4.2.1.12.1 1.3.6.1.4.1.12902.1.1.4.2.1.12.2 1.3.6.1.4.1.12902.1.1.4.2.1.12.3 1.3.6.1.4.1.12902.1.1.4.2.1.12.4 1.3.6.1.4.1.12902.1.1.4.2.1.12.5 heartbeatUp Heartbeat service 1.3.6.1.4.1.12902.1.1.4.2.1.13.1 restored heartbeatDown Heartbeat service 1.3.6.1.4.1.12902.1.1.4.2.1.13.2 down heartbeatFailover Heartbeat failover 1.3.6.1.4.1.12902.1.1.4.2.1.13.3 heartbeatFailback Heartbeat failback pfmgrUp PFMGR service 1.3.6.1.4.1.12902.1.1.4.2.1.14.1 restored pfmgrDown 1.3.6.1.4.1.12902.1.1.4.2.1.14.2 down. The following are the system event SNMP traps sent by the InnGate: TrapRef Description OID loadNormal System load returns to normal 1.3.6.1.4.1.12902.1.1.4.2.2.1.1 loadWarning System load reaches critical 1.3.6.1.4.1.12902.1.1.4.2.2.1.2 limit limit to normal critical limit critical limit normal critical limit critical limit. The following are the security event SNMP traps sent by the InnGate: DNS Redirector denial of 1.3.6.1.4.1.12902.1.1.4.2.3.1.1 service arpdIpConflict ARPD IP conflict 1.3.6.1.4.1.12902.1.1.4.2.3.2.1 service denial of service squidHttpDos Web proxy reached 1.3.6.1.4.1.12902.1.1.4.2.3.3.1 maximum concurrent HTTP connection limit squidNonHttpDos Web proxy reached 1.3.6.1.4.1.12902.1.1.4.2.3.3.2 maximum concurrent non-HTTP connection limit qmailDos Qmail reached maxi
19. 7. Description: A description for the entry.
   Click to confirm the entry or for modifications.
   3.5 Network Devices Setup
   Sometimes downstream devices may need to be accessed by clients on the upstream. For example, a network administrator may use an NMS on the upstream to monitor wireless access points on the downstream (see Figure 3-1). Such devices are registered as Network Devices. Subsequently, whenever an upstream device sends packets to a downstream Network Device, the InnGate will perform a proxy ARP on the WAN interface on behalf of the Network Device, receive the packets and then forward to it.
   Note: Network Devices often need to communicate back to the sender. Unlike a downstream user who will initiate a browser session to authenticate themselves, devices such as access points cannot do this to gain network access. As such, the InnGate comes preloaded with a Plan that is applied to registered Remote Devices.
   To setup Remote Devices:
   2. Click on Remote Devices.
   Any existing entries will be displayed (see Figure 3-25). Click on an entry to modify it or click to create one.
   [Figure 3-27: List of Network Devices]
   Figure 3-28 shows the interface for registering a Remote Device.
   1. MAC Address: MAC address
20. 3.4.3 Define IP Addresses; 3.5 Network Devices Setup; 3.6 Device Detection Setup; WAN NETWORK SETTINGS; 4.2 WAN Setup; 4.2.1 Defining a Static Route; NETWORK SERVICES SETTINGS; 5.5.1 Accessing the InnGate via Telnet and FTP; SYSTEM MAINTENANCE AND DIAGNOSTICS; 6.2 Local Accounts Maintenance; 6.3 Reports Maintenance; 6.4 PMS Diagnostics; SYSTEM MONITORING AND REPORTING
21. EXPRESSIONS; CSV FILE RESTRICTIONS; UPLOADING CUSTOM WEBPAGES; CUSTOM SSL LOGIN PAGES; ERROR PAGES
   PREFACE
   AUDIENCE
   This manual is intended for administrators who will be responsible for the installation and configuration of the InnGate 3. This manual will explain how first time installation and configuration should be done, as well as the tasks involved in performing regular maintenance and configuration. Administrators are expected to have a good working knowledge of networks and TCP/IP. Knowledge of the operating environment and characteristics of the systems used in the deployed networks are also useful. Basic knowledge of HTML and HTTP will also allow the administrator to customize the user-facing web pages.
   RELATED DOCUMENTATION
   You may refer to the ANTlabs homepage at http://www.antlabs.com for other related materials and documents released by ANTlab
22. Junior's setting page.
   [Figure G-1: Worldpay Select Junior Setting]
   For details visit http://www.worldpay.com
   2. Paypal Payflow Pro
   Figure G-2 shows the Paypal Payflow Pro's setting page.
   [Figure G-2: Paypal Payflow Pro Setting]
   For details visit https://www.paypal.com/cgi-bin/webscr?cmd=_payflow-pro-overview-outside
   3. Authorize.Net SIM
   Figure G-3 shows the Authorize.Net SIM's setting page.
   [Figure G-3: Authorize.Net SIM Setting]
   For details visit http://www.authorize.net
   4. Paypal Payflow Link
   Figure G-4 shows Paypal Payflow Link's setting page.
   [Figure G-4: Paypal Payflow Link Setting]
   For details visit https://www.paypal.com/cgi-bin/webscr?cmd=_payflow-link-overview-outside
   to the Admin GUI
23. [Figure 7-16: PMS Room Status Log]
   Click CSV to export the existing log entries into a comma-separated values file.
   Click on Guest Status tab to view the log of guest status as shown in Figure 7-17.
   [Figure 7-17: PMS Guest Status Log]
   7.3.4 Account Printer Logs
   View the log of accounts created by account printers.
   To view the Account Printer Logs:
   1. Click on Logs.
   2. Click on Account Printers.
   Figure 7-18 shows the list of accounts created by account printers. The following column in the Account Printers Log is further explained here:
   1. Date & Time: The date and time when the relevant account is created.
   2. Printer IP address: The IP address of the printer.
   3. Button: To indicates which button was pressed to create the account.
   4. User ID
   5. Password
   6. Access Code
   [Figure 7-18: table with columns Date & Time, Printer IP Address, Button, User ID, Password, Access Code]
24. [Figure 8-1: List of Admin Groups]
   Figure 8-2 shows the interface for configuring the Admin Group.
   1. Name: The name given to the Admin Group.
   2. Idle Timeout: Maximum inactivity period before auto log off.
   3. Max Account Logins: Maximum number of accounts in the group that can concurrently login.
   4. Description: A description for this entry.
   [Figure 8-2: Admin Group Configuration]
   Click to confirm the entry or for modifications.
   8.2.2 Defining Admin Group Permissions
   In this step you will define the permissions for the Admin Group created.
   To define administrator group permissions:
   1. Click on Admin Accounts.
   2. Click on Admin Groups.
   Select the Permissions tab as shown in Figure 8-3. All Admin Groups will be listed and you can click to view the permissions for each. Click on the Admin Group's name to modify the permissions for it.
25. Section 8.2.2. Creating an Administrator Account: See Section 8.2.3.
    4. Viewing Audit Log: See Section 8.2.4.
    5. Assigning Admin Access: See Section 8.2.5.
    6. Viewing Sessions: See Section 8.2.6.
    8.2.1 Creating an Administrator Group
    In this step you will define the administrator groups for different sets of administrator accounts. To create an administrator group:
    1. Click on Admin Accounts.
    2. Click on Admin Groups.
    Select the Groups tab as shown in Figure 8-1. Any existing entries will be displayed. Click on an entry to modify it or click to create one.
    Table (Name; Idle Timeout; Max Account Logins; Description):
    System Administrators; [illegible]; Unlimited; The System Administrators is allowed to perform all actions by default.
    Customer Administrators; 15 mins; Unlimited; The Customer Administrators user group is allowed to manage sections in the admin pages pertaining to user accounts and sessions.
    Customer Operators; 15 mins; Unlimited; The Customer Operators user group is allowed to view sections in the admin pages pertaining to user accounts and sessions.
    Network Administrators; 15 mins; Unlimited; The Network Administrators user group is allowed to manage sections in the admin pages pertaining to network information.
    The Network
26. Setup: See Section 4.2.
    2. DNS Setup: This was previously covered in Chapter 1, GETTING STARTED, under Section 1.3.3, Configuring the Domain Name Server.
    4.2 WAN Setup
    Like any other device connecting to a network, the InnGate's network settings, such as its IP address on the upstream, must be configured. The WAN setup interface allows you to do this.
    Configuring the WAN interface was previously covered in Chapter 1, GETTING STARTED, under Section 1.3.2, Configuring the WAN Interface.
    4.2.1 Defining a Static Route
    To set up a Static Route for a Service Provider:
    1. Click on Static Routes.
    Any existing entries will be displayed (see Figure 4-1). Click on an entry to modify it or click to create one.
    [Figure 4-1: List of Static Routes. Columns: Service Provider, Network Address, Subnet Mask, Gateway, Interface, Status]
    [Figure 4-2: Defining Static Routes. Fields: Network Address, Subnet Mask, Route Type (Subnet route or Gateway route)]
    Figure 4-2 shows the interface for defining a static route to a previously defined Service Provider:
    1. Network Address: Specify the Network Address for this Static Route.
    2. Subnet Mask: Subnet Mask for the Network Address.
    3. Route Type: Indicate if this entry is a Subnet or Gateway
27. The host name used for TCP/IP connection.
    Port Number: The port number used for TCP/IP connection.
    4. Baud Rate: Serial baud rate.
    5. Data Bits: It is necessary to set 8 as the number of data bits to be able to transmit multiple character sets.
    6. Parity Bit: To enable single-bit error correction. The default is None.
    7. Stop Bit: The default value is 1.
    8. Log all traffic: This logging option is to enable or disable detailed PMS traffic.
    9. Delimiter: To specify the field separator in the PMS data stream. The default is the bar character.
    10. Calculate message checksum: To include the LRC checksum of the message at the end of the data stream.
    11. Ignore hardware handshake: To turn the hardware handshake on or off.
    12. Sales Outlet: This is sent during posting to identify different types of services or posting. This is only used by TCP/IP-based Micros Fidelio.
    Figure 2-9 shows the PMS Billing Setting.
    [Figure 2-9: PMS Billing Setting. Options: Fixed time posting (Hour, Minute), Repost unacknowledged bill, Repost unsent bill, Post Usage Duration, Ignore room checked in status, Client Email Address]
    1. Fixed time posting: To enable or disable fixed-time bill posting.
    2. Repost unacknowledged bills: To enable or disable reposting of unacknowledged bills.
    3. Repost unsent bills: To enable or disable reposting of un
28. Whitelist of HTTPS Domains
    Figure 3-24 shows the HTTPS Domain Definition page with the following fields:
    1. HTTPS Domain Name: IP address of the HTTPS web server.
    2. Description: A description for this entry.
    [Figure 3-24: HTTPS Domain Definition. On-screen note: "Configure HTTPS Domain Names that can be accessed before authentication. This only applies to network devices configured to use a proxy server for HTTPS access. For non-proxied HTTPS access use the IP Addresses tab."]
    3.4.3 Define IP Addresses
    This feature allows you to filter packets that downstream clients are allowed to send before they are logged in. To define IP addresses in the Walled Garden:
    1. Click on LAN.
    2. Click on Walled Garden.
    Select the IP Addresses tab as shown in Figure 3-25. Any existing entries will be displayed. Click on an entry to modify it or click to create one.
    [Figure 3-25: Whitelist of IP addresses. On-screen note: "Configure IP packets that users can send before authentication."]
    Figure 3-26 shows the interface for defining IP addresses in the Walled Garden.
29. addresses from one of two DHCP scopes:
    1. Default Scope: The pool of IP addresses that are assigned to clients by default. Traffic from these clients can be either routed upstream or sent via Network Address and Port Translation (NAPT). See Section 3.2.1.1.
    2. User Provision Routed Scope: The pool of IP addresses that are assigned to clients on request. Traffic from these clients is always routed upstream. See Section 3.2.1.2.
    To set up the DHCP Server:
    1. Click on LAN.
    2. Click on DHCP.
    Figure 3-2 shows part of the DHCP Settings configuration page. Select the DHCP Server option.
    [Figure 3-2: DHCP Mode. Options: No DHCP, DHCP Server, DHCP Relay]
    Figure 3-3 shows the configuration settings for the Default Scope. The fields are described as follows:
    1. Default Lease: The amount of time before a lease on an IP address expires. It is applied when the client does not specifically request the lease duration.
    2. Max Lease: Specify the maximum lease duration that can be requested by DHCP clients.
    [Figure 3-3: Default Scope Settings. Default Lease 3600 secs, Max Lease 3600 secs]
    Figure 3-4 shows the configuration settings for the User Provision Ro
30. an FTP session
    2. Once logged in, you will be in the default webroot directory. This corresponds to the following webroot URL from the downstream: http://ezxcess.antlabs.com/www/pub
    3. Begin uploading your custom webpages.
    You can only upload files and create new subdirectories in the login and ssl directories. For example, if you create a subdirectory new under the login directory and upload a webpage called test.htm there, the URL from the downstream to access the page will be http://ezxcess.antlabs.com/www/pub/login/new/test.htm
    Appendix E CUSTOM SSL LOGIN PAGES
    The InnGate supports HTTPS-based login using a custom SSL certificate. This section gives step-by-step instructions on how to enable secure HTTPS pages on the InnGate, which is a 4-step process as follows:
    1. Step 1: Generate the Certificate Signing Request
    2. Step 2: Apply for a SSL Server Certificate
    3. Step 3: Install the Signed Certificate and Private Key
    4. Step 4: Configuring the HTTPS Login Page
    The SSL Domain is only applicable on the downstream.
    Step 1: Generate the Certificate Signing Request
    You can generate the Certificate Signing Request (CSR) for the required domain either using the ANTlabs Cert Generator or by other means. Here we will describe how to do it with the ANTlabs Cert Generator. Firstly, obtain a copy of the ANTlabs Cert Generator Windows program from your loc
31. behind the faceplate. The behaviour of the button depends on the power state:
    a. InnGate is powered up: Pressing will shut down the InnGate.
    b. InnGate was shut down normally: Press to power up.
    In the event of a power failure, the InnGate will automatically power up when the supply from the electrical mains is restored. The power button does not need to be pressed.
    The hardware serial number is usually found on the rear panel of the InnGate, and the licensing serial number is accessible via the Admin GUI (see Section 8.11).
    1.1.2 Network Operation
    As shown in Figure 1-1, the InnGate separates the network into the upstream and downstream networks:
    1. Downstream Network: The InnGate manages the Authentication, Authorization and Accounting (AAA) functions and enables the Tru Connect Zero Configuration for client devices on the downstream.
    2. Upstream Network: Only successfully authenticated downstream clients may be authorized to access the upstream network. This is where the server farm, DMZ and also the gateway to the Internet normally reside.
    When in operation, the InnGate performs Network Address and Port Translation (NAPT) on the WAN interface for downstream clients (routing can also be done and is discussed in Section 3.2 and Section 3.3). Thus, when a downstream client wants to send packets to the upstream, the InnGate will do so using its WAN IP address.
    1.2 Recommended Sett
32. enasup No password is required.
    4. Run the command by typing restore snapshot. There will be a prompt asking you whether you are sure to perform snapshot save. Press y for yes or N for cancel.
    [Figure 11-3: Restoring Firmware]
    Upon executing this command, the InnGate will reboot itself to perform firmware restoration.
    Once the firmware restoration has finished, the IP address, subnet mask and default gateway will change to the factory default settings. You need to change them appropriately and reboot the InnGate after you save the changes.
    To restore through GRUB:
    1. Connect your laptop or PC to the InnGate's PMS port using a USB serial cable.
    2. Reboot the InnGate. Open a HyperTerminal session from your laptop or PC. Once the InnGate is up, you should see the output shown in Figure 11-4 below on your HyperTerminal window.
    Figure 11-4 M
33. existing record or create a new one.
    [Figure 1-32: Defining a VLAN]
    The fields are described as follows:
    1. VLAN ID: Unique VLAN identifier. Must correspond to the VLAN setup in the switch connected via the trunk port.
    2. Location: Select the Location that this VLAN belongs to.
    3. Max Logins/Sessions: The maximum number of concurrent users allowed on the VLAN.
    4. Name: The name given to this VLAN definition.
    5. Description: A description for this VLAN.
    Click the button below the Description field to create the VLAN entry, and it will be displayed in a table (see Figure 1-33).
    [Figure 1-33: New VLAN entry created]
    You can add more entries or click on the respective buttons to remove existing entries.
    These VLAN entries are not committed yet. Once you have finalized the list of entries, you can proceed to save the list by clicking on the second button as shown in Figure 1-34.
    [Figure 1-34: Commit the VLAN entries]
    You can also import and export VLAN definitions from a file in comma-separated values format (see Section 1.3.9).
    A default entry treats traffic that is not VLAN tagged No V
34. for future use
    7.2.3 Session Monitor
    View real-time information about users currently logged in. Users who have logged out will be found in the Session Logs. To view the Session Monitor:
    1. Click on Monitors.
    2. Click on Session.
    Any active sessions will be listed as shown in Figure 7-7. The following column in the Session Monitor is further explained here:
    1. Status: Session status.
       a. active: The user has not logged out and the session is still active.
       b. unexpired: The user is physically disconnected from the network but the Usage Duration for the User has not been exceeded.
       c. pending close: The user has logged out and the InnGate has initiated a Stop request to the RADIUS server and is awaiting a response from the RADIUS server.
    Click CSV to export the entries into a comma-separated values file. Click to log out any selected user sessions.
    [Figure 7-7 table. Columns include: Logged In, Logged Out, Authentication Type]
35. further information
    8.5 Applying System Patches
    System patches are released occasionally to fix bugs and correct problems, or in response to security vulnerabilities, as part of ANTlabs' continuous product support commitment. To apply a system patch:
    1. Click on Maintenance.
    2. Click on Patch.
    Figure 8-11 shows the interface for applying a patch. Any existing patches are listed in the Installed Patches table.
    [Figure 8-11: Patch Application Interface. Installed Patches table columns: Installed On, Patch File, Installed From]
    Click to select the patch file. Then click to apply the selected patch file.
    Patches must be applied in the exact sequence of release: earlier patches first, followed by later patches, and no patch should be skipped. Failure to comply may result in system corruption.
    8.6 Setting the Date and Time
    To set the Date and Time:
    1. Click on Settings.
    2. Click on Date & Time.
36. of the device to be registered. The format of the MAC Address is xx xx xx xx xx xx.
    2. IP Address: IP address of the device to be registered.
    3. VLAN: VLAN that the device to be registered is on.
    [Figure 3-28: Network Device Configuration. Fields: MAC Address, IP Address, VLAN, Ignore ARP (ignore ARP requests from this Remote Device)]
    Click to confirm the entry.
    3.5.1 Port Binding
    In a typical deployment, an NMS is used to monitor key network components such as routers and access points. The NMS is normally run from a remote location and may have problems accessing devices that are found on the downstream, such as access points. This is because the downstream network is usually a private network that is not visible to the upstream, because the InnGate performs NAPT. In such cases upstream users will only see the WAN IP of the InnGate and not the individual downstream hosts, so there will be no way for an upstream user to connect to a particular downstream device.
    Port Binding allows you to configure a port forwarding service which allows incoming traffic from the upstream to reach downstream devices. Port Binding allows you to assign a Port Number on the InnGate's WAN interface so that a user connecting to the InnGate's WAN IP and Port Number will actually have their traffic forwarded to the downstream service. The InnGate thus acts as a port forwarding proxy for in
37. options
    3.2.2 Configuring DHCP Relay Mode
    With the DHCP relay feature, the InnGate can relay DHCP requests and responses between the downstream clients and a DHCP server on the upstream. Configuring the InnGate for DHCP Relay is a two-step process:
    1. Configuring the InnGate to interface with the external DHCP server.
    2. Setting up the InnGate so that the IP addresses assigned by the external DHCP server are not subject to Network Address and Port Translation (NAPT) and are therefore defined in the Routed Network (see Section 3.3).
    To set up DHCP Relay:
    1. Click on LAN.
    2. Click on DHCP.
    Figure 3-15 shows part of the DHCP Settings configuration page. Select the DHCP Relay option.
    [Figure 3-15: DHCP Mode. Options: No DHCP, DHCP Server, DHCP Relay]
    Figure 3-16 shows the configuration settings for the DHCP Relay. The fields are described as follows:
    1. Primary Server: The primary DHCP server that the InnGate will relay to.
    2. Secondary Server: Alternate DHCP server.
    The InnGate will forward DHCP requests to both servers but will only acknowledge and use the first response it receives, ignoring the other reply.
38. sg9 o 2F 10 128 0 1 GET 192 168 123 50 80 413 00 11 D8 4C 2A 3B Result shopfront http 127 0 0 1 80 www pub sample login success php url http 6 3A 2F 2Fwww google com sg o 2F amp client mac 00 11 D8 4C 2A 3B
    Fri Jun 10 10 34 14 2005 http ezxcess antlabs com images antlabs logo gif 10 128 0 1 GET 192 168 123 50 80 413 00 11 D8 4C 2A 3B Result shopfront http 127 0 0 1 80 images antlabs logo gif
    These entries indicate a successful login, and the login success page, including the associated images, is sent to the user. Notice that the initial URL that the user tried to access is also appended, which can be used in the success page if desired.
    E 9 Auto redirect
    Thu Jun 10 10 34 22 2005 http www google com sg 10 128 0 1 GET 64 233 189 104 80 413 00 11 D8 4C 2A 3B Result charged internet http www google com sg
    Thu Jun 10 10 34 22 2005 http www google com sg images hpO gif 10 128 0 1 GET 64 233 189 104 80 413 00 11 D8 4C 2A 3B Result charged internet http www google com sg images hpO gif
    Thu Jun 10 10 34 22 2005 http www google com sg images hp1 gif 10 128 0 1 GET 64 233 189 104 80 413 00 11 D8 4C 2A 3B Result charged internet http www google com sg images hp1 gif
    Thu Jun 10 10 34 22 2005 http www google com sg images hp2 gif 10 128 0 1 GET 64 233 189 104 80 413 00 11 D8 4C 2A 3B Result charged internet h
39. the account printer. There is a maximum of six buttons supported. Click on the button you want to configure.
    [Figure 2-13: Account Printers Button Setting. Columns: Printer IP Address, Button, Account Type, Plan, Sharing Type, Header, Footer]
    Choose the account type and account sharing option you want to assign to the respective button. A shared account is only applicable to fixed duration plans and allows a maximum of 100 simultaneous users.
    [Figure 2-14: Account Type. Type: User ID & Password or Access Code. Sharing: Single User Account or Shared Account (fixed duration plans only; simultaneous users max 100)]
    If the account type is User ID & Password, the Credentials setting will be as shown in Figure 2-15.
    [Figure 2-15: User ID & Password's Credentials]
    If the account type is Access Code, the Credentials setting will be as shown in Figure 2-16.
    [Figure 2-16: Access Code's Credentials]
    Configure the plan, account expiry and the login limit to be assi
40. up the selected reports in backup reports FTP directory.
    6. Perform selected task(s) on record: Specify how old records should be before they are deleted, emailed or backed up.
    [Figure 6-3: Maintenance Tasks. Options: Delete selected reports; E-mail selected reports as attachment (From, To); Compress attachment using ZIP; Back up selected reports to backup reports FTP directory; Keep local copies; Perform selected task(s) on record older than ... days (set to 0 for all records)]
    Figure 6-4 shows the interface for specifying the frequency of the tasks to be performed on the selected logs. The selected tasks can be scheduled daily, weekly or monthly.
    [Figure 6-4: Maintenance Schedule]
    Click the button to view the advanced setting as shown in Figure 6-5.
    1. Do not format duration field into human readable format: To change the duration format in the reports into readable format (hrs, mins, secs).
    [Figure 6-5: Maintenance Advanced Setting]
    Click to confirm the changes. Click to perform the maintenance immediately after the schedule is saved.
    If both Delete Selected Reports and E-mail Selected Reports are selected, the reports are mailed to the recipient before they are deleted.
    6.4 PMS Diagnostics
    PMS Diagnostics allows you to do PMS test
41. when configuring or changing system settings. However, if observed for extended periods, you will need to check if the InnGate is experiencing an ARP storm, denial of service attacks, email spamming, etc.
    Disk Space: The disk space used should be less than 80% for optimum performance. A common reason for high disk usage is the presence of large log files. It is recommended that you configure the InnGate's scheduled log maintenance settings (see Section 7.2) to regularly purge backdated log entries.
    4. Memory: It is common for the memory used to be above 90%, as the system maximizes the use of memory to cache commonly used data to improve system performance.
    4. Firmware information: Shows the product version, license information and serial numbers.
    [Figure 7-4: Firmware Information. Fields: Product, Version, License, Hardware Serial Number, Software Serial Number]
    Click the button to refresh the InnGate's status summary.
    7.2.2 Device Monitor
    View real-time information about the devices detected on the downstream. Devices that have disconnected will be found in the Device Logs. To view the Device Monitors:
    1. Click on Monitors.
    2. Click on Device.
    Figure 7-5 shows the device monitor's interface when there are devices connected on t
42. which have been expired for the specified duration. The deletion can be scheduled daily, weekly or monthly.
    2. Email a list of deleted accounts: To email the list of deleted accounts to an email address.
    6.3 Reports Maintenance
    You can schedule the system to auto-delete or email existing reports as part of routine maintenance. To do reports maintenance:
    1. Click on Reports.
    Figure 6-2 shows the available reports to be selected for maintenance.
    [Figure 6-2: Select Reports. Options: Administration System Audit Log, Device Logs, Session Logs, Billing Logs, Credit Card Transaction Log, Account Printer Log]
    Figure 6-3 shows the task options that can be performed on the selected reports:
    1. Delete selected reports: Selected reports will be deleted.
    2. E-mail selected reports as attachment: A copy of the selected reports will be sent to the specified email address. If this option is selected, the following fields must be completed:
       a. From: Specify the sender's email address.
       b. To: Specify the recipient's email address.
       c. Subject: Specify the email subject.
    3. Compress attachment using ZIP: The reports are compressed into a ZIP file before they are sent.
    4. Compress attachment using ZIP: To compress the selected reports using ZIP to be attached in the email.
    5. Back up selected reports to: To back
43. Appendix C CSV FILE RESTRICTIONS
    When importing a CSV file, the following points need to be taken note of:
    1. The comma character is the field separator. Thus, if your text contains a comma, such as in a description, you must enclose that field with double quote characters as follows:
       Text to be imported: Flower garden, Level 1    Field in CSV File: "Flower garden, Level 1"
       Text to be imported: Lounge access             Field in CSV File: Lounge access
    2. Do not use the double quote character except to enclose strings in the manner described in point 1.
    3. Do not use the single quote character.
    4. For multiple-line input fields such as description fields, a new line (carriage return) is denoted by \n as follows:
       Text to be imported: Flower garden (new line) Level 1    Field in CSV File: Flower garden\nLevel 1
    Appendix D UPLOADING CUSTOM WEBPAGES
    To upload custom webpages:
    1. Initiate an FTP session to the InnGate as shown in Figure D-1. See Section 5.5.1 for the default User ID and Password.
    [Screenshot: Windows command prompt running an FTP session to 192.168.123.15]
    Figure D-1: Initiate
45. 34 09 2005 http ezxcess antlabs com www pub sample singleclick http php 10 128 0 1 GET 192 168 123 50 80 413 00 11 D8 4C 2A 3B Result shopfront http 127 0 0 1 80 www pub sample singleclick http php
    The user's browser is instructed to redirect to the singleclick http php page and therefore makes an HTTP GET request for it. The InnGate responds with the page http 127 0 0 1 80 www pub sample singleclick http php. Notice that the IP address of the URL is 127.0.0.1, which indicates that the file resides on the InnGate. The Result description shopfront indicates that the user is surfing the pages prior to authentication.
    Fri Jun 10 10 34 12 2005 http ezxcess antlabs com login now 10 128 0 1 POST 192 168 123 50 80 413 00 11 D8 4C 2A 3B Result shopfront http 127 0 0 1 80 api 2api password admin amp op auth login amp type singleclick amp client mac 00 11 D8 4C 2A 3B amp client ip 10 128 0 1 amp location index 3 amp ppli zethO amp successURL http ezxcess antlabs com www pub sample login success php url requestedURL
    The user clicks the Go button on the SingleClick login page. This action initiates an HTTP POST to login now, which resides on the InnGate (192.168.123.50, port 80). The InnGate matches the Web Access SmartURL, which invokes an API call for SingleClick login.
    Fri Jun 10 10 34 14 2005 http ezxcess antlabs com www pub sample login success php url http 3A 2F 2Fwww google com
46. ANTlabs: Connectivity Made Easy
    INNGATE 3 ADMINISTRATOR'S MANUAL
    DOCUMENT RELEASE 1.01
    InnGate 3 Administrator's Manual
    This manual provides in-depth coverage of the setup, configuration and administration of an InnGate 3 and is intended for system and network administrators who will be performing these tasks.
    Copyright 2002-2009 Advanced Network Technology Laboratories Pte Ltd. All rights reserved.
    TRADEMARKS AND ACKNOWLEDGEMENTS
    The following trademarks and acknowledgments apply: The InnGate system and Tru Connect technology are products and technologies of Advanced Network Technology Laboratories Pte Ltd (ANTlabs). Windows and Microsoft are registered trademarks of Microsoft Corporation. Solaris is a registered trademark of Sun Microsystems. All other products mentioned in this manual are trademarks of their respective owners.
    DISCLAIMER
    No part of this manual may be copied, distributed, transmitted, transcribed, stored in a retrieval system, or translated into any human or computer language, in any form or by any means, electronic or otherwise, without the express written permission of ANTlabs. The software and accompanying written materials, including instructions for use and this document, are provided as is without warranty of any kind. ANTlabs does not warrant, guarantee or make any representati
47. APT for the packets from clients assigned these IP addresses. Instead, the packets are routed upstream.
    While you can configure one IP address pool to be routed and another to be non-routed, it is considered an unusual practice and is not recommended. This is because the LAN client in the Default Scope may or may not get a routed IP address, as the InnGate will assign these addresses in no particular order.
    7. Options: Figure 3-7 shows the interface for configuring the DHCP options that are sent to the client.
    [Figure 3-7: Adding DHCP options]
    Select the DHCP option from the drop-down list and enter the value for that option. Click to add the option to the list, as shown in Figure 3-8.
    [Figure 3-8: DHCP options]
    To delete any option from the list, select the entry and click. To commit the Default Scope entry, click on the button or for modifications.
    3.2.1.2 Setting up the User Provision Routed Scope
    Downstream clients may be allowed to request a routed IP address when logging on to the network (see Section 3.2.1.1) by selecting the Obtain routable IP address option. These IP addresses come from the User Provision Routed Scope.
    It is quite common for t
48. Click to confirm the entry or for modifications.
    1.3.7 Creating a Location
    Now partition your network into service locations and attach the different plans to each location. To configure the Location:
    1. Click on Locations.
    A list of locations will be displayed (see Figure 1-16). Any other locations added later will also be listed here.
    [Figure 1-16: Creating a Location. Columns: Location Name, Description]
    The InnGate comes preconfigured with a default location.
    After making a selection, details about the location are displayed (see Figure 1-17).
    [Figure 1-17: Location Settings. Sections: Location Name, Description, Pre-Login, Welcome Page]
    Creating a location is a multi-step process and the wizard will guide you through the steps.
    [Pre-Login settings: Send user to a pre-login URL before the welcome page; URL; Add the following to the URL query string: IP Address (ip), MAC Address (mac), VLAN name (vlan)]
    Figure 1-18: Pre-Login Page
49. D and Password accounts to be given out to users. Users will then use them to log in. To access the option: 1. Click on Authentication. 2. Click on Local Accounts. Any existing accounts will be shown, as seen in Figure 2.1 (Existing accounts; columns: Login Limit, User ID, Plan, Creator, Valid From, Valid Until, Sharing, Description, Created On). Click an existing record to edit it, or add a new one. When creating a new record, select whether to create a single account or multiple accounts at once (Figure 2.2, Account Creation). The sections are described as follows: 1. Type: Select whether you want to create a User ID and Password based login account, or an Access Code account, which only requires the user to enter the code to log in. 2. Sharing: Select whether more tha
50. Telnet: command telnet ezxcess.antlabs.com, default user ID console, default password admin. FTP: command ftp ezxcess.antlabs.com, default user ID ftponly, default password antlabs. Note: The commands in the table above apply only to clients connecting from the downstream. If you connect from the upstream, you should use the public host domain name or IP address assigned to it. Note: The Telnet and Console (see Section 8.12) services use the same user account and therefore share the same user ID and password to log on. Chapter 6 SYSTEM MAINTENANCE AND DIAGNOSTICS. 6.1 Overview. This chapter explains the system maintenance and diagnostics functions of the InnGate: 1. Local Accounts Maintenance (see Section 6.2). 2. Reports Maintenance (see Section 6.3). 3. PMS Diagnostics (see Section 6.4). 6.2 Local Accounts Maintenance. You can maintain the local accounts you have created by deleting expired accounts and emailing the list to an email address. To do local accounts maintenance: 1. Click on Local Accounts. Figure 6.1 (Local Accounts Maintenance) shows the options for local accounts maintenance. 1. Delete expired accounts after days: This option enables deletion of accounts
51. Gate may become active Live InnGate. If we assume that the upstream network is overlapping, then they will cause a duplicate IP address problem on the network. System Configuration. The steps involved in setting up the HA implementation are as follows: 1. Boot up one of the InnGates. We will call this InnGate Alpha. 2. Make the necessary system configurations to InnGate Alpha. 3. Configure the HA settings (see Section 9.3.1). 4. Perform a system backup (optional). 5. Connect the upstream and downstream interfaces of InnGate Alpha to the network. Do not connect the Control Channel yet. 6. Shut down InnGate Alpha. Changes will take effect when you next boot up. 7. Boot up the other InnGate. We will call this InnGate Omega. 8. Ensure the system configuration is identical to InnGate Alpha (e.g. WAN IP, DHCP, proxy, etc.). 9. Configure the HA settings with a different identifier. 10. Shut down InnGate Omega. Changes will take effect when you next boot up. 11. Boot up InnGate Alpha. 12. Connect the upstream and downstream interfaces of InnGate Alpha to the network, and connect the Control Channel to InnGate Omega. 13. Ensure that InnGate Alpha operates correctly (e.g. downstream clients can log in and access the Internet through the InnGate). 14. Boot up InnGate Omega. In accordance with the HA Leader Election Process (see Section 9.4), InnGate Alpha will become the Live InnGate and InnGate Omega wi
52. [Figure 3.10: User Provision Routed Scope Entries] Figure 3.11 (User Provision Routed Scope) shows the configuration interface to define the User Provision Routed Scope. The fields are described as follows: 1. Network IP Address: The network from which IP host addresses will be assigned to downstream clients. 2. Subnet Mask: Subnet mask for the Network IP Address. 3. Default Gateway: Clients will be configured with the default gateway specified here. 4. VLAN: Restricts this scope to be applied to a particular VLAN only. 5. Options: Figure 3.12 (Adding DHCP options) shows the interface for configuring the DHCP options that are sent to the client. Select the DHCP option from the drop-down list and enter the value for that option. Click the add button to add the option to the list, as shown in Figure 3.13 (DHCP options). To delete any option from the list, select the entry and click the delete button. To commit the User Provision Routed Scope entry, click on the b
53. Monitors 92 7.2.1 Status Monitor 92 7.2.2 Device Monitor 94 7.2.3 Session Monitor 96 7.2.4 Account Monitor 97 7.2.5 Cookies 99 7.2.6 Email Monitor 100 7.3 Logs 101 7.3.1 Device Logs 101 7.3.2 Session Logs 102 7.3.3 PMS Logs 103 7.3.4 Account Printer Logs 105 7.3.5 Credit Card Logs 106 7.4 Maintenance 106 Chapter 8 107 SYSTEM ADMINISTRATION 107 8.1 Overview 107 8.2 Setting up Administrator Accounts 107 8.2.1 Creating an Administrator Group 108 8.2.2 Defining Admin Group Permissions 109 8.2.3 Creating an Administrator Account 110 8.2.4 Viewing Audit Log 112 8.2.5 Assigning Admin Access 112 8.2.6 Viewing Sessions 113 8.3 Poweri
54. LAN to be assigned to the Default VLAN Group. You can change this treatment if required. 1.3.9 Importing and Exporting VLAN Definitions. To import or export VLAN definitions: 1. Click on Locations. 2. Click on VLANs. Figure 1.35 (Import/Export VLAN Definitions) shows the list of VLAN definitions (columns: VLAN ID, Location, Max Logins/Sessions, Name, Description). Click the CSV import button to import VLAN definitions from a comma-separated values (CSV) formatted file. To export VLAN definitions from the system, check the required entries and click the export button. Note: The format of the exported records file may not be compatible with older versions of the InnGate. Figure 1.36 (Upload VLAN definitions) shows the interface for selecting a CSV file to upload. Click to select the file to upload, and click to begin importing the VLAN definitions. Errors will be highlighted by the system. The CSV file must provide these fields, enclosed in double quotes, in the following order, separated by commas, with each entry on a separate line: 1. VLAN ID 2. Location 3. Max Logins/Sessions 4. Name 5. Description. The following is an example of a single
55. PAGES. You can create a customized error page by placing an HTML or PHP file with one of the names below in the messages FTP directory. 1. blocked.ant: This error page is shown when access is blocked by the InnGate. When this file is not available, the InnGate will show the default error page (Figure F.1, Default blocked.ant: "Your access is blocked by InnGate"). 2. location_config.ant: This error page is shown when the location has not been configured yet. When this file is not available, the InnGate will show the default error page (Figure F.2, Default location_config.ant: "This location is not configured in InnGate"). 3. config_error.ant: This error page is shown when there is a configuration error. When this file is not available, the InnGate will show the default error page, as shown in Figure F.3 (Default config_error.ant: "There is a configuration error in InnGate"). 4. svc_failure.ant: This error page is shown when there is a temporary service error. When this file is not available, the InnGate will show the default error page, as shown in Figure F.4 (Default svc_failure.ant: "There is a temporary error in InnGate. Please try again later"). Appendix G CREDIT CARD. Credit card payment gateways used by InnGate are: 1. Worldpay Select Junior. Figure G.1 shows the Worldpay Select
56. The Pre-Login section lets you configure what page is shown to the user instead of the login page. Enable the check box to turn on this feature. 1. URL: This is the URL of the page to send the user to. In addition, you can pass the zero-configuration settings to this webpage and do customized processing. Note: When using a pre-login page, make sure it eventually sends the user to the welcome page to log in. [Figure 1.19: Welcome Page] The Welcome Page section lets you configure how the welcome (login) page will look. 1. Title: The title of the page shown in the browser. 2. Welcome Message: The content shown on the page. Accepts HTML code. 3. Footer/Copyright Statement: The footer or copyright statement shown at the bottom part of the login page. The Look & Feel section is meant for customizing the presentation of the landing page, allowing you to modify it via CSS and even upload your own CSS definitions. This advanced feature is normally used for customized solutions. [Figure: Look & Feel settings]
57. To restore a snapshot through the CLI: 1. Connect your PC or laptop to the InnGate's USB Serial Console or Serial Console port using a USB serial cable. 2. Open a HyperTerminal session. Log in using the console account (see Section 8.12). 3. Enable supervisor mode by typing enasup. No password is required. 4. Run the command by typing restore snapshot. There will be a prompt asking you whether you are sure to perform snapshot save. Press y for yes or N for cancel. [Figure 11.7: Restoring Snapshot] When there is no snapshot found, this action will be aborted. [Figure 11.8: Aborting snapshot restore. The console reports "No snapshot found" and aborts.] Restoring a snapshot through GRUB has the same steps as restoring firmware through GRUB. Refer to Section 11.3. Appendix A REDIRECT LOG. This is a sample of a redirect log showing the typical flow, beginning with the user's first attempt to access the Internet, with accompanying explanations below each entry or set of
58. [Figure 3.5: Default Scope IP Addresses. Columns: Network Address, Subnet Mask, Router, First IP Address, Last IP Address, Routed, Options.] Note: Ensure that there is no overlap of the IP address ranges between the Default Scope and the User Provision Routed Scope. Figure 3.6 (Defining an IP address pool) shows the Default Scope configuration page. The fields are explained as follows: 1. Network Address: The network from which IP host addresses will be assigned to downstream clients. 2. Subnet Mask: Subnet mask for the Network IP Address. 3. Router: The IP address of the router entry to be assigned to downstream clients. This entry will be excluded from the address range that can be assigned, which is defined by the First and Last IP Address fields. 4. First IP Address: The first IP address of the IP range to be assigned. Note: The First and Last IP Addresses must fall within the subnet defined above. 5. Last IP Address: The last IP address of the IP range to be assigned. 6. Routed: When enabled, the InnGate will not perform N
59. Virtual MAC addresses enable a seamless failover, as the rest of the network will always receive packets with the same MAC addresses. 1. The new Live InnGate will use the latest synchronized system configuration settings. 2. The new Live InnGate will assume the latest synchronized downstream client state as its current runtime state so that network operations can continue. Note: The following is a list of items that are not synchronized: 1. Login volume accounting information. This information cannot be recovered in the event of a failover. However, end-user login status, usage time, etc. are recoverable. 2. FTP-accessible system logs (email, web access, login logs). 3. Web patches. System patches must be applied individually to both InnGates in a HA setup. You cannot just apply a patch to the Live InnGate and expect the synchronization process to copy the system image over to the Backup InnGate to produce a patched Backup InnGate. 9.6.1 Manual Synchronization. Note: HA Manual Synchronization can only be performed if the Full HA module is installed in the InnGate. You may also perform a manual synchronization. This is often done as part of the initial HA setup process. To perform a manual sync: 1. Click on Settings. 2. Click on High Availability. Figure 9.3 shows the interface for invoking a manual synchronizat
60. a search of the log entries, as shown in Figure 7.13 (Search Device Log Entries). You can click on the add button to add more search conditions, or the remove button to remove them. Click to retrieve the log entries with the search conditions applied. Click to store the filter for future use. 7.3.2 Session Logs. View the log of past user sessions. Currently active sessions are displayed in Session Monitor instead. To view the Device Logs: 1. Click on Logs. 2. Click on Session. Any existing log entries will be listed, as shown in Figure 7.14 (Session Logs; columns: Logged In, Login Duration, Authentication Type, User ID, MAC Address, IP Address, VLAN, Input Octets, Output Octets, Input Packets, Output Packets). Click the CSV button to export the existing log entries into a comma-separated values file. Click to purge the log. Click to run a search of the log entries, as shown in Figure 7.15. You can click on the add button to add more search conditions, or the remove button to remove them.
61. ail 1120723980 542467 status local 0 10 remote 3 20 [Figure 8.14: Syslog Server Output] Note: Some Syslog servers may require you to specify the sender's IP address as a security measure. In such cases, you should specify the WAN IP address of the InnGate. 8.8 SNMP Setup. The InnGate supports SNMP version 2 and can be configured to operate in an SNMP-enabled managed network environment as a network element. Network managers can then query the Management Information Base (MIB) maintained by the InnGate for remote monitoring. To configure SNMP: 1. Click on Settings. 2. Click on SNMP. Figure 8.15 (SNMP Community String) shows the interface for setting the Community string for authentication purposes. Figure 8.16 (Trap Configuration) shows the interface for configuring SNMP traps. 1. Destination Host: Host IP address of the manager that traps will be sent to. By default it is set to 127.0.0.1, which means that traps will not be sent out. 2. Port: SNMP traps are normally sent on port 162. 3. Community: The community string of the manager for authentication when sending traps to it. Figure 8.17 shows the SNMP Denial of Service trap suppressor configuration.
62. [Figure 7.15: Search Session Log Entries] Click to retrieve the log entries with the search conditions applied. Click to store the filter for future use. 7.3.3 PMS Logs. View the log of PMS billing, room status and guest status. To view the PMS Logs: 1. Click on Logs. 2. Click on PMS. Click on the Billing Log tab to view the past PMS billing log, as shown in Figure 7.13 (PMS Billing Log). The columns in the PMS Billing Log are further explained here: 1. Date: Date of billing. 2. Guest Number. 3. Room Number: Current room number. 4. Original Room Number: Previous room number, if the guest ever changed room. 5. Usage Time. 6. Start Time. 7. Charge Start Time. 8. Amount: Amount of the billing. 9. Status. 10. MAC Address. 11. Description: Description of the billing. Click the CSV button to export the existing log entries into a comma-separated values file. Click on the Room Status tab to view the log of room status, as shown in Figure 7.16.
63. al ANTlabs representative. Next, run the installation program. When prompted to enter the password, key in antlabs, as shown in Figure E.1 (Cert Generator Installation Password). Click on the Next button to continue with the installation. Once the installation has completed, start the ANTlabs Cert Generator application. Fill in the CSR fields in the certificate generator interface, as shown in Figure E.2 (Cert Generator Interface; fields: Country Name, State or Province Name, Locality Name, Organization Name, Organization Unit Name, Common Name, Email Address, Key Length, Validity Period, Self Signed, Configure Output Folder). Compulsory fields are marked with an asterisk and are briefly described as follows: 1. Country Name: The two-letter ISO abbreviation for your country. 2. State or Province Name: The state or province where your organization is legally located. C
64. all rules for the following default groups of devices: Blacklisted Devices: users whose MAC addresses are denied access (Section 2.6). Whitelisted Devices: users whose MAC addresses are allowed access without login (Section 2.6). Throttled: users who are throttled. None: users who are not logged in yet. 2. Order: The position in the list of rules, which determines its priority. 3. VLAN: The firewall rule will be applied to users that connect from the specified VLAN group. Previously defined VLAN Groups will appear here, along with the following additional options: a. Any VLAN: Applies to traffic from any VLAN. b. No VLAN: Applies to traffic that has no VLAN tag. 4. Protocol: This specifies the type of network traffic that the firewall will pick up. 5. Source Network: The firewall will pick up network traffic originating from the specified IP address or network. 6. Source Port: The firewall will pick up network traffic with the specified source port number. 7. Destination Network: The firewall will pick up network traffic heading for the specified IP address or network. 8. Destination Port: The firewall will pick up network traffic with the specified destination port number. 9. Action: This is the action that will be performed for network traffic that is picked up by the firewall based on the criteria specified above. 10. Description: A description for the firewall rule
65. annot be abbreviated. 3. Common Name: This is the FQDN (Fully Qualified Domain Name) for which you plan to use your certificate. For example, a certificate generated for antlabs.com will not be valid for secure.antlabs.com. If the web address to be used for SSL is secure.antlabs.com, ensure that the common name submitted in the CSR is secure.antlabs.com. Click on the Generate button to generate the CSR and private key. If you want to generate a self-signed key, enable the self-signed check box. By default, the CSR and private key will be saved under the same installation directory as the software. You can change the default save folder by selecting the Configure Output Folder button. The CSR filename will be <yourdomain>.csr. The private key filename will be <yourdomain>.key. Step 2: Apply for an SSL Server Certificate. You need to apply for an SSL server certificate from a Certificate Authority (CA) by submitting the CSR you generated to a CA of your choice (e.g. Verisign, Thawte, etc.). Be careful not to submit your private key to the CA. Note: If you generated a self-signed certificate in the first step, you do not need to apply for a CA-signed certificate. However, your self-signed certificate will not be trusted by default. Depending on the CA's certificate application procedure, they may request additional information. Certification Information: 1. Web Server Type: Apache. 2. CSR Format: PEM. Note: You m
66. [Figure 8.17: Denial of Service Trap Suppressor Configuration, listing a suppression interval in seconds for each Denial of Service trap] Figure 8.18 (System Information) shows the SNMP system information configuration (sysName.0, sysLocation.0, sysContact.0). Click to confirm the changes. 8.8.1 Traps Generated. The following are the process information SNMP traps sent by the InnGate (table columns: Process, TrapRef, Description, OID). OIDs of the first rows: 1.3.6.1.4.1.12902.1.1.3.2.1.0, 1.3.6.1.4.1.12902.1.1.3.2.12.0, 1.3.6.1.4.1.12902.1.1.3.2.13.0, 1.3.6.1.4.1.12902.1.1.3.2.14.0, 1.3.6.1.4.1.12902.1.1.3.2.15.0, 1.3.6.1.4.1.12902.1.1.3.2.26.0. ANT_HA PROMOTION TRAP: Server has just been promoted to master in a HA setup (OID 1.3.6.1.4.1.12902.1.1.1.3.1). ANT_HA DEMOTION TRAP: Server has just been demoted to slave in a HA setup (OID 1.3.6.1.4.1.12902.1.1.1.3.2). SNMPv2-MIB coldStart: Sent whenever the SNMP agent starts up due to process restart or server reboot, etc. (OID 1.3.6.1.6.3.1.1.5.1). UCD-SNMP-MIB ucdShutdown: Sent whenever the SNMP agent terminates due to (OID 1.3.6.1.4.1.2021.251.2)
67. ator Accounts 8.13.3 Change the FTP Account Password. You can change the FTP account password through the CLI command passwd_ftp. First, connect to the InnGate via Telnet (see Section 5.5.1) or Console (see Section 8.12). Then type in the command passwd_ftp, as shown in Figure 8.27 (Change of FTP password). You will be prompted to key in your new password twice. If they match, your password will be updated successfully. 8.13.4 Change the Telnet and Console Password. The Telnet and Console user account is the same, and changing the password will affect both Telnet and Console access. To change the password, log on to the InnGate via Telnet or Console and type the CLI command passwd, as shown in Figure 8.28 (Change of Telnet/Console Password).
68. Figure 7 10 List of Cookies 7 2 6 Email Monitor This function shows the
69. by introducing artificial delays, thus slowing down its ability to send. The InnGate can also be configured to send an email to a user if he tries to access his POP3 server before having logged in to gain Internet access. Figure 5.5 (Reminder Email Template) shows the interface for setting up such email reminders. Click to confirm the changes. 5.5 Remote Access. The InnGate provides FTP and Telnet services to allow the administrator to upload custom web pages and images, or for remote administration. Note: Once the InnGate is fully configured, these services may not be necessary and can be disabled as a security measure. To set the Remote Access settings: 1. Click on Services. 2. Click on Remote Access. Select the appropriate services required (Enable FTP, Enable Telnet), as shown in Figure 5.6 (Remote Access Settings). Click to confirm the changes. 5.5.1 Accessing the InnGate via Telnet and FTP. Telnet and FTP services are available on the InnGate and accessible from both the downstream and the upstream. The default user ID and passwords are as follows: Unix Command to Connect to InnGate, Default User I
70. clients have to set their browser's proxy setting. Downstream clients will continue to enjoy Zero Configuration. However, it is important to note that a downstream client that has an existing browser proxy setting (e.g. a company laptop with a corporate web proxy setting) should not change it after logging in. 1.3.5 Creating a Plan. Next, you need to create the different types of service plans required. This depends on your business needs. To configure the Plans: 1. Click on Policies. 2. Click on Plans. Any existing plans will be shown. Select an existing plan or create a new one. [Figure 1.12: Plans. Columns: Plan Name, Price, Duration Limit, Volume Limit, Download Bandwidth, Upload Bandwidth, Routable IP Address, Relogin.]
71. coming upstream traffic. Port Binding can also be used as a means to conserve public IP addresses, as opposed to assigning a public IP for each downstream service host. To access the option: 1. Click on LAN. 2. Click on Network Devices. 3. Click on Port Binding. Figure 3.29 (Port Binding Rules) shows the Port Binding Rules setting page. This GUI is used to set up a port on the InnGate's WAN interface that upstream clients can connect to in order to reach a particular downstream host. The fields are described as follows: 1. Protocol: Specify the protocol that is allowed over the proxied connection. 2. Local Port: This is the port on the InnGate that the upstream client will connect to in order to connect to the downstream device. Note: Do not use ports 61000 to 65096, as these are reserved by the InnGate for IP masquerading. 3. Destination Host: IP address of the downstream host that traffic will be forwarded to. You can use CIDR notation to specify the subnet mask, e.g. 10.2.3.11/24. 4. Destination Port: The IP port of the downstream host that traffic will b
72. [Figure 8.19: API Information] 8.9.1 HTTP Setting. Configure the setting when making API calls via HTTP or HTTPS from downstream. To view or configure the HTTP setting: 1. Click on Settings. 2. Click on API. 3. Click on HTTP. Figure 8.20 (Allowed IP Addresses Setting) shows the settings to allow IP addresses to call the API via HTTP or HTTPS. The IP addresses in this list are allowed to make API calls via HTTP or HTTPS. Click to confirm the changes. Figure 8.21 (Change API Password Setting) shows the settings to change the API's password, which is required when the API is called via HTTP or HTTPS. When calling the API via HTTP or HTTPS, the API password input argument must be provided. Click to confirm the changes. 8.9.2 Browser Setting. Configure the matching user agent strings for PDA and phone browsers. This is used by the BrowserType PHP API function and the browser API module to detect and return the browser type. To view or configure the Browser setting: 1. Click on Settings. 2. Click on API. 3. Click on Browser. Figure 8.22 shows the existing configuration for the browser setting. Configure the matching user agent
73. Figure 2-20: Credit Card Payment Gateway. Payment Gateway. Transaction Type: Choose Test Mode if you are testing. Merchant ID. Transaction Key. Currency: Currency to be used in the transaction. Depending on the selected payment gateway, the fields will change accordingly, and that depends on what functions are made available by the service provider. Details of credit card are explained in Appendix G. 2.6 MAC Filter. Use this as a MAC-based firewall to block or allow devices. To access the option: 1. Click on Authentication. 2. Click on MAC Filter. You can now select the Blocked MAC Addresses tab to add devices that you want to block. Error pages are explained in detail in Appendix F. Figure 2-21: Blocked MAC. Conversely, select the Allowed MAC Addresses tab to add devices that are allowed access to the network without login. 2.7 Global Settings. Here you can configure the global settings that will apply to all accounts. To access the option: 1. Click on Authentication. 2. Click on Settings. The following sections are available: 1. Auto Logout: This tells the system to lo
74. Figure 1-23: PMS Authentication. a. Display Label. b. Authentication: When this option is checked, guest-based authentication is enabled. The guest is required to specify the room number, guest name or reservation number. If it is unchecked, room-based authentication is enabled. c. Posting: VLAN ID, VLAN Name and Description can be used as the room number for posting. Allow only guests with ALLOW POST ...: If it is checked, only guests with Allow Post status can do posting. Prevent users with the same ...: Checked to prevent double billing. d. Plans: To configure which plans are selectable in the login page. e. Currency does not have decimal: The billing amount is sent in cents. If it is checked, the billing amount will not be multiplied by 100. f. Display an access code to ...: This option displays an access code so the user can use it to log in manually if automatic relogin fails. g. Account Expiry: To specify the validity of the accounts created. The value must be between 1 and 90 days. All expired accounts will b
75. departs from the network, after which the account cannot be used for login anymore. There is a default Throttled Plan that is pre-configured in the Gateway. The user's bandwidth will be automatically adjusted to the values specified in this plan if the user's plan is a volume plan with the throttled option enabled and the volume limit is exceeded. The default bandwidth for this plan is unlimited. You will need to change it to your desired throttled value if you want to use this feature. 4. Upload/Download Bandwidth: Set the bandwidth limits here. 5. Routable IP Address: Select if you want to allow users to request a public IP address. Useful if the user has some applications that need it or cannot work in a NAT environment. 6. Attempt to reconnect users: Select this if you want to enable cookie-based relogin so that users need not keep going through the welcome login page for separate sessions of usage.
76. Chapter 9 HIGH AVAILABILITY E-Series. 9.1 Overview. The InnGate features high availability (HA) failover support capabilities to ensure continued operations in the event of a system failure. The high availability feature couples two InnGates together, with one operating in active (Live InnGate) mode and the other in passive (Backup InnGate) mode. When a failover event occurs, the Backup InnGate will take over the network management responsibilities while the original Live InnGate attempts to recover. This chapter describes the network setup requirements and GUI configurations, and discusses the failover process. 9.2 Network Configuration. The network diagram in Figure 9-1 illustrates the basic network connections for a typical HA setup. Figure 9-1: High Availability Setup. The key points to note when setting up the network for HA operations are summarized as follows: 1. Both the Live and Backup InnGate must be connected to the same upstream and downstream networks (overlapping) via their individual WAN and LAN interfaces respectively, as shown in the diagram
77. e deleted by system maintenance. 5. Access Code Authentication: Instead of a User ID and Password system, this only requires an access code to be entered for access. Figure 1-24: Access Code Authentication. 6. Authentication Display: Define the order in the drop-down list of authentication options that is shown to the user. Figure 1-25: Authentication Display. Click Next to proceed with the next step in the wizard. The next step in the wizard will let you define the content that is shown under the terms and conditions. Figure 1-26: Authentication Display. Click Next to proceed with the next step in the wizard. The next step is to define what is shown to the user when he successfully authenticates. Figure 1-27: Success Pages. These are the fields
78. e forwarded to. 5. Network Interface: Specify if the traffic should be forwarded to a specific VLAN on the downstream where the host resides. Click to confirm the entry. After configuring the proxy rule, you can further restrict access by creating access control rules that determine the action to take when incoming traffic that matches certain criteria is detected. Figure 3-30 shows the Port Binding Access Control page. Figure 3-30: Port Binding Access Control. The fields are described as follows: 1. Limit port binding to these addresses: Restricts the use of port binding to the allowed addresses only. 2. Source Network: Matches the value of the source IP address field in the incoming network packet. 3. Subnet Mask. Click to confirm the entry. After you have configured the port forwarding and access control rules, you can also specify the settings that determine the general behavior of the Port Binding system, as shown in Figure 3-31. Figure 3-31: Port Binding Setting. The fields are described as follows: 1. TCP Connection Timeout: Timeout for TCP c
79. e or Backup InnGate. The failover triggers for the Live InnGate are described as follows: 1. LAN or WAN link of the Live InnGate is down: The Live InnGate will check if the Backup InnGate's LAN and WAN links are functioning. If so, a failover is triggered. 2. Failure of internal system components of the Live InnGate: The Live InnGate will attempt to restart the malfunctioning system service. If this fails to restore the component, a failover is triggered. The failover triggers for the Backup InnGate are described as follows: 1. Backup InnGate detects failure of the Live InnGate to respond to downstream clients. 2. Failure to detect the HA Leader heartbeat over the control channel. The behavior of the Backup InnGate is the same for these two triggers. The Backup InnGate will simulate a downstream client and probe the Live InnGate to elicit a response. If the Live InnGate fails to respond, the Backup InnGate will request HA Leadership from the Live InnGate over the Control Channel and attempt to reboot (STONITH) the Live InnGate. During this process, the Backup InnGate will beep continuously. When leadership is no longer held by the Live InnGate, the Backup InnGate will switch to active mode and assume the role of the new Live InnGate. Three audio beeps will be sounded. The new Live InnGate will also assume the virtual MAC addresses of the downstream and upstream network interfaces of
80. Figure 7-9: List of Accounts. The values shown in the Accounts Monitor are not updated in real time. The MAC address is updated when the user is using the account. The start time, end time and duration are updated only when the user is not in the system. 7.2.5 Cookies Monitor. View cookie information of all valid sessions. To view the Cookies Monitor: 1. Click on Monitors. 2. Click on Cookies. Any valid session's cookies will be listed, as shown in Figure 7-10. The following columns in the Cookies Monitor are further explained here: 1. Cookie ID: The ID of the cookie. 2. User ID: The ID of the user to whom the cookie belongs. 3. Last Used MAC Address: The last used MAC address of the relevant cookie. 4. Cookie Expiry Date: The validity time of the session if it is set, or 1 year after the cookie's creation time if there is no session expiry time.
81. [illegible] 133; 9.3 System Configuration 134; 9.3.1 HA Identifier 136; 9.4 HA Leader Election 137; 9.5 HA Failover Behaviors 137; 9.6 HA Synchronization 138; 9.6.1 Manual Synchronization 139; Chapter 10 141; HIGH AVAILABILITY M-Series 141; 10.1 Overview 141; 10.2 Network Configuration 141; 10.3 System Configuration 142; 10.4 Billing Configuration 144; 10.5 Failover Behavior 145; Chapter 11 146; System Save & Restoration 146; 11.1 Overview 146; 11.2 [illegible] 146; 11.3 Restore Firmware 147; 11.4 Restore Snapshot 149; [illegible] 151; [illegible] 151; [illegible] 154; PERL REGULAR
82. emory Test. 3. After you see the system verify the DMI Pool Data on your screen, press any key to continue to the GRUB selection menu. Figure 11-5: System verifies DMI Pool Data. 4. You should see the GRUB selection menu as shown in Figure 11-6. Choose InnGate3.00 Factory Firmware to do the firmware restoration. Figure 11-6: GRUB Selection Menu. 11.4 Restore Snapshot. Restoring a snapshot will restore the InnGate to the latest saved state. This action can be done through the CLI in supervisor mode.
83. entries. The redirect log is useful when diagnosing web access problems. Each log entry consists of essentially 2 lines and follows the following format: Date/Time of entry, URL accessed, User's IP address, HTTP Request type, Destination IP address, Interface number, MAC address, Result, Description, HTTP Response type, URL response sent to user. Fri Jun 10 10:34:09 2005 http://www.google.com.sg 10.128.0.1 GET 64.233.189.104 80 413 00:11:D8:4C:2A:3B Result need reg defaulturl 302 http ezxcess antlabs com www pub sample singleclick http php. This is the user's first attempt at accessing the Internet. The user has just connected to the LAN and launched the Internet browser to access the URL http://www.google.com.sg. The user's IP address is 10.128.0.1 and his browser has initiated an HTTP GET request to the destination IP address of 64.233.189.104 on port 80 (this is the DNS-resolved IP address for http://www.google.com.sg). Other information, such as the user's interface number (413) and MAC address (00:0E:35:7B:6D:D9), is also available. Since the user has not logged in yet, the user is classified as unregistered and is to be sent to the default URL (need reg defaulturl). The redirect is done with an HTTP 302 to the default URL http ezxcess antlabs com www pub sample singleclick http php. The singleclick http php is in fact the SingleClick login page. Fri Jun 10 10
84. er hosts will only be addressable via their IP addresses. If you have your own DNS within your network for name resolution, you can likewise configure the InnGate to use it. This DNS should be able to resolve both internal and external domains. Alternatively, you can configure the InnGate to use your ISP's DNS for name resolution. The InnGate also allows more than one DNS entry to be specified. To configure the DNS settings: 1. Click on WAN. 2. Click on DNS. A list of DNS entries will be displayed (see Figure 1-9), sorted in order of priority. Figure 1-9: DNS Settings. The InnGate comes with a default entry, which we will modify according to your network DNS defined. Click on the entry to proceed. The DNS configuration page will be displayed (see Figure 1-10). Figure 1-10: DNS Configuration Page. The fields are described here: Parent DNS Server: IP address of the Domain Name Server that can be contacted for name resolution. Click to add more entries. Click to confirm the changes. The InnGate will switch to another DNS server in the list for subsequent name resolution attempts if a previous attempt was unanswered. 1.3.4 Configuring the Web Proxy. The InnGate can be configured to forward HTTP reques
85. ess to the client, packets sent by the client through the InnGate will not be subject to NAPT but instead routed on the upstream, and therefore VPN friendly. 2. Video Conferencing and Other Applications: Another common use of public IP is when a client on the downstream sets up a video conferencing server to conduct a video conference. The participants of the conference could be connecting from a remote location on the upstream and will therefore need to configure their video conferencing software to connect to a public IP address of the server. Other similar applications that also require a public IP may include multiplayer game servers, FTP servers, etc. In all these scenarios, the downstream user will need to select public IP upon login in order to be assigned a valid routable IP address that allows clients from the WAN to connect to it. To set up the User Provision Routed Scope: 1. Click on LAN. 2. Click on DHCP. Select the User Provision Routed Scope tab as shown in Figure 3-10. Any existing entries will be displayed. Click on an entry to modify it or click to create one.
86. Figure 1-13 shows the plan creation page. These are the fields: 1. Plan Name: Name of the plan. Best to give a meaningful name. 2. Price: The units to charge for usage. The definition of a unit depends on what is defined in your PMS system. 3. Duration & Volume Limit: Select if you want to charge by duration or data volume usage. The user will need to repurchase once the plan is used up. The 4 different types of duration and volume plans supported are: a. Unlimited duration and volume. b. Fixed Duration (Single Duration): single fixed usage period, valid from the first time of use for the duration specified. c. Stored Duration: multiple usage periods, valid as long as there is balanced time left. You need to purchase the Stored Volume Prepaid module in order for this option to be enabled. d. Stored Volume: multiple usage periods, valid as long as there is balanced volume left. i. Change users to Throttled plan after volume is exceeded: If this option is unchecked, then the user is immediately logged out from the system when the volume limit is exceeded. If this option is checked, then the user's bandwidth will be changed to that specified in the Throttled plan once the volume limit is exceeded. The user can continue to use the system until he logs out or
87. Figure 1-20: Look & Feel Page. Click Next to proceed with the next step in the wizard. The next step in the wizard allows you to select the different access options available to users in this location you are creating. 1. Complimentary Access: This means the user will not be charged and there is no need to enter a User ID and Password. Select from the list of plans created previously. The name given for the Display Label will be what is shown in the plan selection drop-down box. Only Fixed Duration plans with the relogin option enabled can be selected as a Complimentary Access plan. Figure 1-21: Complimentary Access. 2. Local Authentication: This is the standard User ID and Password login access method. Figure 1-22: Local Authentication. 3. Radius Authentication: This is currently not available. 4. PMS Authentication: This integrates with the PMS system so that charges will be sent to the PMS and will show up on the final bill as services charged to his room.
88. gned to the accounts created by the respective button. Figure 2-17: Account configuration. Enter the header and footer text to be printed by the account printer. Figure 2-18: Header and Footer. Click the button to save the configuration. Use the Audit Log to view the accounts created. Figure 2-19: Audit Log. 2.5 Credit Card. Use this to allow users to pay for service via credit card. To access the option: 1. Click on Authentication. 2. Click on Credit Card. Select the correct payment gateway service provider from the drop-down list.
89. gout users that have been detected to be inactive for a period of time. Figure 2-22: Auto Logout. Chapter 3 LAN NETWORK SETTINGS. 3.1 Overview. Figure 3-1: Example Network Setup. This chapter covers the basic LAN network settings that allow you to configure how the InnGate will manage the downstream network: 1. DHCP Setup (see Section 3.2). 2. Routed Network Setup (see Section 3.3). 3. Walled Garden Setup (see Section 3.4). 4. Network Devices Setup (see Section 3.5). 5. Device Detection Setup (see Section 3.6). 6. ARP Setup (see Section 3.7). 3.2 DHCP Setup. The InnGate can be configured as either a DHCP server or a DHCP relay, or to operate without any DHCP services enabled. Each of these modes is described in the following sections: 1. Configuring DHCP Server Mode (see Section 3.2.1). 2. Configuring DHCP Relay Mode (see Section 3.2.2). 3.2.1 Configuring DHCP Server Mode. When the InnGate is set up in DHCP Server mode, downstream clients will be assigned IP
90. gs. Figure 8-25 shows the interface for configuring the admin access settings. 1. Deny users from accessing this Admin system via LAN: If enabled, access to the Admin GUI from the downstream is prohibited. 2. Limit users accessing this admin system to these IP Address/Subnet Mask pairs: If enabled, only client machines whose IP addresses are listed here will be allowed to access the Admin GUI from the upstream. Use the add and remove buttons to add and remove the IP address and subnet mask entries defined. Figure 8-25: Admin Access Settings. Click to confirm the changes. 8.13.2 Change the Default Admin User Account. To modify the default admin user account: 1. Click on Admin Accounts. Any existing entries will be displayed (see Figure 8-5). The default admin account goes by the name of System Administrator. Click on the entry to proceed and change the User ID and Password. Figure 8-26: List of Administr
91. hanges. 2.2.1 Local Accounts Maintenance. Local Accounts Maintenance is explained in detail in Section 6.2. 2.3 PMS. Use this to interface with a PMS system. To access the option: 1. Click on Authentication. 2. Click on PMS. The InnGate comes with various pre-built interfaces for common PMS. Select the correct one. Figure 2-7: PMS Type. When you change the PMS type, you need to re-save the Location's PMS Authentication setting to associate the new PMS configuration. Next, configure the interface parameters according to the setup of the PMS so that the InnGate can communicate with the PMS for authentication and accounting of usage. Figure 2-8: PMS Communication Setting. Use TCP/IP connection: To enable TCP/IP-based PMS. Host Name
92. he User Provision Routed Scope to be configured as a set of public IP addresses, although private addresses are also accepted. Section 3.2.1.2 discusses the common scenarios where public IP addresses may be needed by the LAN clients. For clients without DHCP enabled, or configured with a static IP, the InnGate will not be able to assign a routed IP. Figure 3-9: Routed IP addresses. Some applications, such as VPN and video conferencing, require that the clients be assigned a public IP address, and the User Provision Routed Scope with a set of public IP addresses can be used to accommodate such scenarios. 1. Connecting to Virtual Private Networks: Often clients on the LAN may need to connect to a VPN server, for example to access a corporate enterprise network securely from a remote location. This is a common requirement of business travelers or telecommuters. Although quite uncommon, some VPN applications do not always work with devices performing NAPT between the VPN server and the connecting client. This is because the process of network address translation modifies the IP header and the TCP port, thus violating the IPSec checksum integrity used by some VPNs, and the resulting packets will be dropped by the VPN server. As such, clients that need access to VPN services will need to select the public IP option. Once the InnGate assigns a public IP addr
93. he downstream. Figure 7-5: List of device detected. The following columns in the Device Monitors are further explained here: 1. MAC Address. 2. IP Address. 3. Gateway Address. 4. VLAN: The name of the VLAN on which this device is detected. 5. VLAN Used: The VLAN ID. 6. Connected. 7. Reconnected. 8. Last URL Requested. 9. Internet Access: This indicates whether the user can access the internet. 10. Charged Access: This indicates whether the user needs to log in in order to get internet access. 11. Logged In: The start of the login session upon user login. 12. Login Duration: This indicates the duration of the login session. Click CSV to export the entries into a comma-separated values file. Click New Search to run a search of the entries, as shown in Figure 7-6. You can click on the add button to add more search conditions or the remove button to remove them. Figure 7-6: Search Device Log Entries. Click to retrieve the entries with the search conditions applied. Click to store the filter
94. ing. The recommended settings for InnGate 3 are shown in the table below: User Accounts Total number of accounts MAC 1 000 10 000 20 000 filter entries Log Entries Total number of log entries in 5 000 50 000 50 000 database User Licenses 1 000 1 000 VLANs 1 000 2 000 Port Binding Rules PE 1 000 10 000 20 000 otal number of undelivered mails Locations Plans. 1.3 System Setup. This section explains the basic configuration for a new InnGate to operate in our network example. These configuration tasks are performed through the web-based admin GUI (see Section 1.3.1): 1. Configuring the WAN Interface (see Section 1.3.2). 2. Configuring the Domain Name Server (see Section 1.3.3). 3. Configuring the Web Proxy, optional (see Section 1.3.4). 4. Configuring the Plans (see Section 1.3.5). 5. Configuring the Locations (see Section 1.3.7). 6. Configuring the VLANs (see Section 1.3.8). Some of these tasks can also be performed through the Command Line Interface (CLI) and are discussed separately in the InnGate Command Line Reference. 1.3.1 Accessing the Web-based Admin GUI. This section explains how to access the Web-based Admin GUI to configure the system settings. Power up the InnGate and connect to either the WAN or LAN port using a cross cable. Then follow the instructions to access the Admin GUI. If ever you are unable to access the InnGate from one of the interfaces due to p
95. ion. Click to begin the synchronization. As the synchronization process may take a while, you can click to check on the progress. Figure 9-3: Manual Synchronization. Once completed, you will be presented with a log report of the synchronization process. Chapter 10 HIGH AVAILABILITY M-Series. 10.1 Overview. InnGate features high availability (HA) failover support to allow a secondary InnGate to be installed along with an existing primary InnGate to ensure that services continue to be provisioned in the event of a single system failure. When a failover occurs, the secondary InnGate will change from standby mode to active mode and take over the network management responsibilities from the primary InnGate while the primary InnGate is recovered. This chapter describes the network setup requirements, admin configuration and the failover process. 10.2 Network Configuration. The network diagram in Figure 10-1 shows the network connections needed for a typical HA setup. Figure 10-1: High Availability Setup.
96. ion 8.13.1. 8.2.6 Viewing Sessions. To access the option: 1. Click on Admin Accounts. 2. Click on Sessions. Figure 8-8 shows the existing admin account sessions: 1. ID. 2. Name. 3. Admin Group. 4. Login Time. 5. Current Session. Figure 8-8: Admin Account Sessions. 8.3 Powering up and shutting down the system. To access the power options: 1. Click on Maintenance. Figure 8-9 shows the power options interface. Click to reboot the InnGate. Click to power down the InnGate. Figure 8-9: Power Options. 8.4 System Configuration Backup or Restore. To access the Backup/Restore options: 1. Click on Maintenance. Figure 8-10 shows the interface for performing a backup or restore of the system configuration. 1. System Configuration Backup: Choose the Download option to save a copy of the system's configuration into a binary format file. Or you can also choose Save to local system to save the configuration file in the local drive. Click the button to back up. This process normally takes less than a minute, as the InnGate gathers the system configuration into a binary file. The file will be named configuration yyyymmdd ezxconf
97. ll be the Backup InnGate. 15. Now when you log in to the Admin GUI via the WAN IP address, you will be accessing the current Live InnGate, i.e. InnGate Alpha. 16. Perform a manual synchronization (see Section 9.6.1). Note: In a HA setup, attempting to log in to the InnGate will always access the current Live InnGate. You can tell which physical machine this is by checking the HA identifier (see Section 9.3.1). 9.3.1 HA Identifier Each InnGate in a HA setup is identified by a unique HA identifier, which is used to differentiate the two gateways. This setting is configured in the Admin GUI. Note: The ID configured for each machine must be different, otherwise the GUI synchronization, peer detection and HA failover will not function properly. To set up the HA identifier: 1. Click on Settings. 2. Click on High Availability. Figure 9.2 shows the interface for configuring the HA identifier. 1. Slave Connected: Indicates if a slave machine is connected to the machine. 2. ID for This Unit: The HA ID for this machine; permissible values are either 1 or 2. Note: The ID is only used to uniquely distinguish the machines and does not represent whether the InnGate is the Live or Backup machine.
98. mum 1.3.6.1.4.1.12902.1.1.4.2.3.4.1 concurrent SMTP connection limit. 8.8.2 Supported MIBs The MIBs supported by the InnGate are as follows: 1. MIB2 (RFC 1213) 2. HOST Resources (RFC 1514) 3. MIB for SNMPv2 (RFC 1450) 4. UCD Davis MIBs (OID 1.3.6.1.4.1, iso.org.dod.internet.private.enterprises) 5. ANTlabs private MIBs: a. Number of detected clients, OID 1.3.6.1.4.1.12902.1.1.2.1.1.1.0: iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).antlabs(12902).ezxcess(1).ezxcessModules(1).clientInfoMIB(2).clientInfoObjects(1).clientInfo(1).detectedClientNum(1).0 b. Number of logged in clients, OID 1.3.6.1.4.1.12902.1.1.2.1.1.2.0: iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).antlabs(12902).ezxcess(1).ezxcessModules(1).clientInfoMIB(2).clientInfoObjects(1).clientInfo(1).internetClientNum(2).0 c. Number of clients with Full Access, OID 1.3.6.1.4.1.12902.1.1.2.1.1.3.0: iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).antlabs(12902).ezxcess(1).ezxcessModules(1).clientInfoMIB(2).clientInfoObjects(1).clientInfo(1).payingClientNum(3).0 8.9 View API Information To view the API information: 1. Click on Settings. 2. Click on API. Figure 8.19 shows version information of the API and its modules installed in the InnGate. API version 2 40 Module Version account add account delete account up
99. n one device can log in and use the service at the same time with the same account. [Figure 2.3: Account Type, with the options User ID & Password, Access Code, Single User Account, Shared Account (fixed duration plans only) and Allow simultaneous users (max 100)] 3. Credentials: The User ID and Password. [Figure 2.4: Account Credentials] 4. Plan: Select the type of Plan that the account is being created for. The Plans should already have been created at the start when configuring the service offerings. [Figure 2.5: Plan Type] 5. Advanced Subsection: Under the advanced subsection there are additional account control options. a. Account can be used: You can set the time when the account will start being usable. Useful for accounts created ahead of time for a future event. b. Expire the account after: You can also set the validity period here. c. Limit logins to: Here you can further restrict how many logins are allowed before the account is no longer valid. [Figure 2.6: Advanced Subsection] Click to commit the c
100. name=value b. Click to add additional URL query string parameters. If there is more than 1 parameter added, the redirect URL will become URL?name=value&name2=value2. c. Click to remove any unwanted parameters. Click to confirm the entry or for modifications. 3.4.2 Define HTTPS Domains Some clients may be configured to use a web proxy server, and when the client accesses a HTTPS website the proxy protocol will require that the HTTPS Domain Name be defined in the Walled Garden. Note: If the client is not using a proxy server, define the domain under IP Addresses instead. However, if client proxy settings are not deterministic, then you will need to create both entries. To define HTTPS Domains in the Walled Garden: 1. Click on LAN. 2. Click on Walled Garden. Select the HTTPS Domains tab as shown in Figure 3.23. Any existing entries will be displayed. Click on an entry to modify it or click to create one. The tab reads: Configure HTTPS Domain Names that can be accessed before authentication. This only applies to network devices configured to use a proxy server for HTTPS access. For non-proxied HTTPS access, use the IP Addresses tab. Figure 3.23
101. ng up and shutting down the system; 8.4 System Configuration Backup or Restore; 8.5 Applying System Patches; 8.6 Setting the Date and Time; 8.7 Syslog Configuration; 8.8; 8.8.1; 8.8.2 Supported MIBs; 8.9 View API Information; 8.9.1; 8.9.2 Browser Setting; 8.10 High Availability; 8.11 View License Information; 8.12 Console Access via Serial Connection; 8.13 Securing the System for Deployment; 8.13.1 Securing Access to the Admin GUI; 8.13.2 Change the Default Admin User Account; 8.13.3 Change the FTP Account Password; 8.13.4 Change the Telnet and Console Password; Chapter 9 HIGH AVAILABILITY (E Series); 9.1; 9.2 Network Configuration
102. Both the primary and secondary InnGates require: 1. An Internet-accessible IP address each, assigned to the WAN interface. The WAN network and default gateways for both InnGates can be through the same link or separate links for improved redundancy. If it is through the same link, be careful not to assign the same IP address to both InnGates, as this will cause a duplicate IP address problem on the network. 2. An Ethernet cross cable or dedicated switch connected to the OPT network interface to allow both gateways to communicate via a control channel link. This link is used by the primary and secondary InnGates to detect the state of their peer and trigger a failover when necessary. 3. A connection to the same downstream network and trunk VLANs via the LAN interface so that both InnGates can serve the same clients on the network. Note: The web admin of each InnGate can be accessed by the IP configured for the respective WAN port. 10.3 System Configuration InnGates are factory configured as primary gateways. They can be configured as the primary or secondary gateway in the admin GUI as shown in Figure 10.2. To configure HA: 1. Click on Settings. 2. Click on High Availability. Figure 10.2 High Availabilit
103. number of undelivered emails as well as the amount of disk space used to store emails that have yet to be sent out. To view the Email Monitor: 1. Click on Monitors. 2. Click on Email. The email monitor status shows the number of undeliverable emails and the size of disk space used. [Figure 7.11: Email Monitor Status] 7.3 Logs Logs show past activity of downstream devices, sessions, PMS (when available), account printer and credit card (when available). 7.3.1 Device Logs View past activity of downstream devices that are now disconnected. Devices that are still detected on the downstream will be found in Device Monitor. To view the Device Logs: 1. Click on Logs. 2. Click on Device. Any existing log entries will be listed as shown in Figure 7.12. Click the CSV button to export the existing log entries into a comma-separated values file. Click Delete All Entries to purge the log. [Figure 7.12: Device Logs, with the columns MAC Address, IP Address, VLAN, Connected, Disconnected, Logged In, Logged Out and Login Duration] Click to run
104. [Figure 3.16: DHCP Relay Settings] Click to commit the changes. Note: You will need to configure the DHCP range in the Routed Network so that the InnGate does not perform Network Address and Port Translation (NAPT) for the externally assigned IP addresses. See Section 3.3. 3.2.2.1 Relay Agent Mappings After saving the Settings for DHCP Relay mode (see Section 3.2.2), an additional option tab called Agent Mapping will be available as shown in Figure 3.17. [Figure 3.17: DHCP Relay Agent Mapping] This feature allows different IP address pools to be allocated to clients belonging to different VLANs when in DHCP Relay mode. For example, an administrator may wish to allocate the IP addresses in the subnet 192.168.123.0/28 to the clients on the Office VLAN, while the clients on the Meeting Room VLAN will get addresses from the 192.168.123.128/28 subnet. This is done by configuring the InnGate to use a different DHCP Relay Agent IP address for each VLAN when it sends a DHCP request on behalf of the downstream client. In the case of the above example, the InnGate can be configured to use the IP address 10.10.10.1 when sending DHCP requests for any of the clients on the office VLAN
105. onnection attempts. 2. UDP Session Timeout: Timeout for UDP connection attempts. 3. Max TCP Session: Maximum number of TCP sessions allowed. 4. Max UDP Session: Maximum number of UDP sessions allowed. Click to commit the changes. 3.6 Device Detection Setup The InnGate sends ARP requests (ARP probe) on the downstream to determine whether a remote device is still on the LAN or has physically disconnected. The device detection feature is activated by default and you may make changes to the respective fields to suit your network environment. To configure the Device Detection settings: 1. Click on LAN. 2. Click on Device Detection. Figure 3.32 shows the Device Detection settings page. [Figure 3.32: Device Detection Settings] The fields are described as follows: 1. Probe each user's presence: Interval between probes. 2. Disconnect user after: Specify the number of unacknowledged probes before the user is disconnected. 3. Probe a maximum of: Select a value between 0 and 45 depending on the network requirements. Click to confirm the changes. 3.7 ARP Setup You can configure how the InnGate will manage ARP requests and responses.
106. ons regarding the use or the results of the use of the software or written materials in terms of correctness, accuracy, reliability, trend or otherwise. ANTlabs reserves the right to make changes without further notice to any products described herein to improve reliability, function or design. This documentation is copyrighted and may not be altered without written consent from ANTlabs. ANTlabs reserves the right to prosecute companies or individuals who make, distribute or use illegal copies of this software system and its accompanying documentation. Release Date: 10 July 2009. Document Reference No: G3 ADM. CONTENTS Chapter 1 GETTING STARTED; 1.1 Overview; 1.1.1 Hardware; 1.1.2 Network; 1.2 Recommended Setting; 1.3; 1.3.1 Accessing the Web-based Admin GUI; 1.3.2 Configuring the WAN Interface; 1.3.3 Configuring the Domain Name Server; 1.3.4 Configuring the Web Proxy; 1.3.5 Creating a Plan; 1.3.6; 1.3.7
107. or outgoing emails without a domain name: If selected, you can specify the domain name that the InnGate will append to the sender's email address if it finds the domain (e.g. alvin@antlabs.com) missing. [Figure 5.3: SMTP Settings] Figure 5.4 shows the interface for configuring the thresholds and checks performed on SMTP traffic. [Figure 5.4: SMTP Traffic Filters, with the options Verify domain name of sender's email address, Limit the total number of concurrent SMTP connections, Limit users' concurrent SMTP connections, Limit the size of each outgoing email, Limit the number of recipients for each outgoing email, and Add delay for each email address in one email] The fields are described as follows: 1. Verify domain name of sender's email address: When enabled, the InnGate will ensure that the sender's email address contains a valid domain name before sending
108. ossible incorrect configuration settings, you can always attempt to reconnect via the other interface. In addition, the Admin GUI can only be accessed via secure HTTP (HTTPS), and the forward slash after admin should be included. 1. Connecting from the WAN Interface: The URL to access the Admin GUI is https://<WAN IP Address>/admin/ Note: The factory default WAN IP address is 192.168.0.1 with a subnet mask of 255.255.255.0. When connecting directly, ensure that the subnet mask setting on your client device matches the default value. The URL of the Admin GUI for a new InnGate will therefore be https://192.168.0.1/admin/ 2. Connecting from the LAN Interface: The URL to access the Admin GUI is https://ezxcess.antlabs.com/admin/ Note: The ezxcess.antlabs.com domain is only valid on the LAN network (assuming that LAN access to the Admin GUI is not blocked) and is not a valid domain on the public Internet. Figure 1.4 shows the SSL warning message you will see when connecting via HTTPS. Click the Yes button to continue. You will need a version 4.0 or better MS IE/Netscape web browser to access the Admin GUI. The web browser should also have cookies and JavaScript enabled and must support frames. Security Alert: Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site's security certificate. The securi
109. posting. To do PMS diagnostics: 1. Click on PMS. In order to do PMS test posting, you need to fill the compulsory fields (room number, guest number and amount) into the form as shown in Figure 6.6. Click button. [Figure 6.6: PMS Diagnostics] The information of the posting you have done will be shown below the form, as shown in Figure 6.7. [Figure 6.7: Test Posting Log] Click button to clear the log. Chapter 7 SYSTEM MONITORING AND REPORTING 7.1 Overview This chapter explains the system monitoring and reporting functions of the InnGate. These logs and reports can be used for troubleshooting and also for analysis purposes. You can also configure the presentation of the logs and reports. 1. Monitors (see Section 7.2) 2. Logs (see Section 7.3) 3. Maintenance (see Section 7.4) 7.2 Monitors You can perform status, device, session, account, cookies and email monitoring. 7.2.1 Status Monitor To monitor system status: 1. Click on Monitors. 2. Click on Status. The System Status report incl
110. record from a CSV file. [Figure: CSV fields VLAN ID, Location, Max Logins Sessions, Name, Description] Note: The CSV must contain a header row, which will not be imported. 1.4 Network Installation The following steps describe how to install the InnGate in the desired network. 1. Connect the respective network cables to the InnGate. a. LAN interface: Connect to the downstream network. b. WAN interface: Connect to the upstream network. 2. Power up the InnGate. a. Connect the InnGate to the electrical mains using the power cable. b. Turn on the power supply from the mains. c. Press the power button to start up the InnGate. Warning: Connecting the wrong interface to the network can result in downtime to your existing network. 1.4.1 VLAN-enabled Networks When incorporating the InnGate in a VLAN-enabled network, the LAN interface must connect to an 802.1Q-enabled trunk port on the switch. This trunk port should receive all tagged VLAN traffic from downstream clients that are to be managed by the InnGate. The InnGate will then be able to apply location-specific policy settings based on the VLAN information for each client. In addition, the InnGate must be configured to recognize the VLAN setup, and this is covered in Section 1.3.8. 1.5 Testing the Configuration The InnGate is now configured and ready to accept client connections on the LAN interface. Follow the s
111. ress [Figure 5.2: Email Services Admin Contact] Figure 5.3 shows the SMTP settings configuration interface. 1. Enable/Bypass/Disable SMTP Services: Enable, bypass or disable SMTP services. a. Enable: By selecting this option, all email will be sent using the defined SMTP server in the InnGate. b. Bypass: This option allows users to use their own SMTP server. However, if the user's SMTP server is not resolvable, the defined SMTP server in the InnGate will be used. c. Disable: Selecting this option will disable the InnGate's SMTP setting, and all email will be sent using the SMTP server defined in the user's mail settings. 2. SMTP Host Name: The InnGate can function as an SMTP server and this is the host name you must assign to it. 3. Forward outgoing emails to another SMTP server: If you need to use an external SMTP server (e.g. your ISP's SMTP) to send out emails, then the InnGate will need to be configured to forward all emails to it. If left unselected, the InnGate will use its own SMTP process for sending emails. a. IP Address/Name: IP address or host name of the SMTP server to forward outgoing emails to. b. Port: IP port of the SMTP service. Note: The SMTP server itself may have to be configured to allow relays from the InnGate (i.e. the WAN IP address of the InnGate). 4. Delete undeliverable emails after hrs: Duration before purging emails that could not be delivered. 5. Set a domain name f
112. [Figure 7.18: Account Printers Log] Click button to delete selected entries or click button to delete all the logs. Click button to download selected entries in comma-separated values format or click button to download all the logs in comma-separated values format. 7.3.5 Credit Card Logs View the log of past credit card activities. To view the Credit Card Logs: 3. Click on Logs. 4. Click on Account Printers. Figure 7.19 shows the log of credit card. [Screenshot of the credit card log; columns include Transaction Status, Transaction ID, IP Address, Date, MAC Address, VLAN, Plan, Price, Payment Gateway and Transaction Details]
113. ring the InnGate are still applicable. The setup covered in this chapter is suitable for quick demonstrations and small scale setups. Later chapters will cover details for more complex deployment scenarios. 1.1.1 Hardware [Figure 1.2: InnGate E Series Front & Back Panels] [Figure 1.3: InnGate M Series Front & Back Panels] Some of the switches and connectors shown in Figure 1.2 and Figure 1.3 are described here. 1. USB Serial Console: The left USB port allows direct console access to the InnGate. Use the provided USB-to-serial converter to connect a PC with a terminal program to access the console (see Section 8.12). 2. Serial Console: The M Series serial console allows direct console access to the InnGate. 3. LAN: All clients to be managed by the InnGate are placed on the network which is connected to this port. 4. WAN: This port connects the InnGate to the rest of the network for client traffic to pass through. 5. OPT1: Used to connect two InnGates in a High Availability (HA) setup. Both OPT1 have to be connected to the same HA VLAN. This will be used for the HA heartbeat signals between the gateways. 6. Power button (for E Series only): The power button is located to the left of the front panel
114. route. Chapter 5 NETWORK SERVICES SETTINGS 5.1 Overview You can configure the following under the Services option: 1. Web Server (see Section 5.2) 2. Web Proxy (see Section 5.3) 3. Email Server (see Section 5.4) 4. Remote Access (see Section 5.5) 5.2 Web Server This email address is displayed to users in the Web Server error pages. To set the Web Server admin email: 1. Click on Services. 2. Click on Web Server. Enter the email address in the Display Email field as shown in Figure 5.1. Click to confirm the changes. [Figure 5.1: Web Server Admin Contact] 5.3 Web Proxy To configure the SMTP settings: 1. Click on Services. 2. Click on Web Proxy. 5.4 Email Server You can configure how the InnGate will treat SMTP traffic from downstream clients. To configure the SMTP settings: 1. Click on Services. 2. Click on Email Server. Figure 5.2 shows the first part of the configuration interface. 1. Display Email: Any bounced or undelivered email will be forwarded to this email address.
115. s FEEDBACK AND COMMENTS ANTlabs welcomes all comments and suggestions on the quality and usefulness of this document. Our users' feedback is an important component of the information used for improvement of this document. Please include in your feedback: Name; Postal Address; Title; Telephone Number; Company; Document Title & Release No; Department; Document Reference No; E-Mail; Comments/Feedback. Also, please include the chapter, section and/or page number when referring to specific portions of the document. Send your comments via email to documentation@antlabs.com Chapter 1 GETTING STARTED 1.1 Overview This chapter will illustrate a simple network deployment of the InnGate 3 involving the following 3 steps: 1. System Setup: Configuring the InnGate to operate in the network. 2. Network Installation: Connecting the InnGate to the network. 3. Testing the Configuration: Ensuring that the InnGate operates as expected. Figure 1.1 shows a simple network setup which will be used to illustrate the deployment steps in this chapter. [Figure 1.1: Example Network Diagram] Although your own network will likely differ from this, the general principles for installing and configu
116. s connected to. The factory default subnet mask setting is 255.255.255.0. Change this to the mask used on your upstream network segment. Gateway: The address of the router or gateway for the InnGate to send network traffic to for the next hop. Bandwidth: Bandwidth options are available with an optional module, which may be purchased separately. a. Download Limit: The maximum bandwidth allocated for the WAN interface for incoming packets. b. Upload Limit: The maximum bandwidth allocated for the WAN interface for outgoing packets. 5. Source NAT Address Range: The InnGate will use the pool of IP addresses defined here when performing network address and port translation (NAPT) on the WAN interface for its downstream clients. Note: The WAN IP address must be in the same subnet as the source NAT address range. 6. Description: A description of this profile. Click to confirm the changes. The system will then display a summary of the WAN profile. Note: If you are accessing the Admin GUI via the WAN interface and your web browser appears to have stalled, it is because the browser is trying to access the InnGate using the previous IP address. If that happens, close ALL currently opened browser sessions, start a new browser session and log in to the admin page again. 1.3.3 Configuring the Domain Name Server A DNS is required by the InnGate to resolve domain names. If you do not configure this paramet
117. sent bills. 4. Post Usage Duration: To configure the duration value when overflow usage happens. Click to commit the changes. Once configured, you can also trigger operational events and perform diagnostics via the PMS interface. To access the option: 1. Click on Authentication. 2. Click on PMS. 3. Click on Operations. This allows you to generate a check-in or check-out event. [Figure 2.10: PMS Operation, with the fields Guest Name, Guest Number and Room Number] You can also use the diagnostic tool to post PMS events. To access the option: 1. Click on Authentication. 2. Click on PMS. 3. Click on Diagnostics. Enter the PMS post event details and you can use it to test if the PMS posting from the InnGate works correctly. The details can be found in Section 6.4. [Figure 2.11: PMS Diagnostics] 2.4 Account Printers Use this to configure account printer based authentication. To access the option: 1. Click on Authentication. 2. Click on Account Printers. Enter the printer's IP address and click button. [Figure 2.12: Account Printers Authentication] Next step is to configure each button of
118. ss: The IP address of the Syslog server to send to. [Figure 8.13: Syslog Settings, with the option Mirror system logs to a remote Syslog server] Click to confirm the changes. Figure 8.14 shows the sample output on a typical Syslog daemon server. [Sample Syslog output with the columns Date, Time, Priority, Hostname and Message]
119. strings for PDA and phone browsers. This is used by the BrowserType PHP SFI function and the browser API module to detect and return the browser type. Browsers not configured here (usually standard browsers like IE) will be reported as an other browser type. [Figure 8.22: API Browser Setting, a table with the columns Condition, String, Browser and Ignore Capitalization] Click button to add a new configuration record. [Figure 8.23: Adding New API Browser Setting] Click button to add the configuration. 8.10 High Availability High Availability is explained in detail in Chapter 9 and Chapter 10. 8.11 View License Information To view the license information
120. t they can see one another. This will prevent the secondary InnGate from becoming active after it boots up. 10.4 Billing Configuration Additional care should be taken when configuring an InnGate that has billing enabled. This is to prevent situations where a failover occurs and users are billed again by the newly active InnGate because it does not know that billing was already done previously. Primary InnGate: Configured with billing plans. Secondary InnGate: No billing policies, to prevent duplicate billing in the event of a failover. It is important that backups of the policies and web pages on the primary InnGate are made whenever they are changed. If the primary InnGate has a downtime which exceeds the maximum billing duration of your billed usage plans, it is recommended to swap the primary and secondary roles of the InnGates such that the secondary InnGate will continue to serve the network as the primary gateway. To do this: 1. Back up the policies and web pages of the secondary InnGate. 2. Restore the primary InnGate's earlier backup to the secondary InnGate. 3. Configure the secondary InnGate as the primary gateway. Once the primary InnGate is working again, it can be configured to work as the secondary gateway: 1. Restore the secondary InnGate's backup to the primary InnGate. 2. Configure the primary InnGate as the secondary gateway. Note: When policies are exchanged between both InnGates, it is important that the same patches ha
121. teps below to connect a client on the downstream to the Internet via the InnGate:
    1. Connect a PC/Laptop on the downstream. One way to do this is to connect directly to the LAN interface (you must use a cross cable for a direct client-to-InnGate connection), which may be useful for quick demonstrations.
    2. Startup the Internet browser on the connected computer.
    3. Attempt to access the URL of a valid website with the browser. Up to this point, you have basically simulated a typical user connecting to your downstream LAN to connect to the Internet through the InnGate.
    4. If the configuration is done correctly, you will be able to access the website and see the configured login page as shown in Figure 1-37.
    [Figure 1-37: Login Page. The ANTlabs Login page reads "Welcome to ANTlabs. You are required to login before you can access the internet."]
    If you are unable to surf to the website, check that the instructions in the previous sections were implemented correctly.
    Chapter 2 Authentication
    2.1 Overview
    This chapter explains how to configure the different authentication methods that you can use for the range of services you want to provide.
    2.2 Local Accounts
    Use this to create local User I
122. the previous Live InnGate and continue servicing the downstream clients. Once the previous Live InnGate boots up again, it will assume the role of new Backup InnGate in accordance with the HA Leader Election process described in Section 9.4.
    The state of the Control Channel link alone is not a trigger for failover, so if the Control Channel link goes down (e.g. network interface or cable failure) a failover is not triggered, although other services dependent on the link, such as GUI and client state synchronization, may cease to function.
    9.6 HA Synchronization
    HA Synchronization can only be performed if the Full HA module is installed in the InnGate.
    The HA system supports automated periodic synchronization of some of the InnGate configuration settings and client state information from the Live InnGate to the Backup InnGate via the Control Channel. Whenever the Backup InnGate boots up, it will download the current system configuration from the Live InnGate and subsequently synchronize these settings, along with the downstream client states, from the Live InnGate at two-minute intervals.
    In the event of a failover, the Backup InnGate will switch to active mode and assume the role of new Live InnGate as described in Section 9.5. When this happens, the following process is carried out:
    Virtual MAC addresses are part of the HA feature. The Live SG always uses the Virtual MAC addresses while the Backup SG uses its own actual MAC addresses
123. the email. Spam is often sent using fake email addresses.
    2. Limit the total number of concurrent SMTP connections: This setting limits the total number of concurrent SMTP connections from all downstream clients. Software or viruses that spam usually send out high volumes of email concurrently, causing heavy bandwidth utilization and putting a strain on the resources of the InnGate.
    3. Limit the users concurrent SMTP connections: When enabled, the InnGate will allow the specified number of concurrent SMTP connections per downstream client. This limits the effectiveness of malicious software, which often attempts to send out high volumes of email through multiple concurrent SMTP connections.
    4. Limit the size of each outgoing email: This setting limits the size of each email that can be sent out. Some malicious software attempts to overload the network resources, such as by sending large emails, usually concurrently and to multiple recipients.
    5. Limit the number of recipients for each outgoing email: When enabled, the InnGate will not send out emails that exceed the number of recipients specified here. Spam is often characterized by emails each addressed to a large number of recipients.
    6. Add delay for each email address in one email: Spam is often sent in quick succession, continuously, to many recipients, resulting in high system loads. This setting reduces the effectiveness of automated spam systems
124. [Figure 7-7: List of Active Sessions. A table of sessions showing, for each entry, the plan type (Stored Volume or Fixed Duration), Status (active), User ID, MAC Address, IP Address and VLAN.]
    Click to run a search of the entries, as shown in Figure 7-8. You can click on the button to add more search conditions, or to remove them.
    [Figure 7-8: Search Session Entries]
125. ts to a web proxy server if necessary. This is optional, depending on whether your network allows direct connections to the Internet or requires the use of a proxy.
    To configure the Web Proxy settings:
    1. Click on Services.
    2. Click on Web Proxy.
    The Web Proxy configuration page will be displayed (see Figure 1-11).
    [Figure 1-11: Web Proxy Configuration. The page offers Direct Connection or Use Proxy, a list of proxy entries (IP Address/Name and Port, 1-65535) and a Display Email field.]
    The various fields are described as follows:
    - Direct Connection: Select this if your network allows direct connections to the Internet.
    - Use Proxy: Select this if your network requires the use of a web proxy for browsing.
    - IP Address/Name: A proxy server entry that the InnGate can use for downstream web traffic.
    - Port: The port number for accessing the proxy server.
    - Display Email: This is the email address that is displayed in error pages generated when users attempt to access an invalid or inaccessible URL.
    You may add and remove proxy server entries by clicking the corresponding buttons. Click to confirm the entries.
    Configuring the web proxy for the InnGate does not mean that the downstream
126. ttp://www.google.com.sg/images/hp2.gif
    Thu Jun 10 10:34:22 2005 http://www.google.com.sg/images/hp3.gif 10.128.0.1 GET 64.233.189.104 80 413 00:11:D8:4C:2A:3B Result charged internet http://www.google.com.sg/images/hp3.gif
    Thu Jun 10 10:34:22 2005 http://www.google.com.sg/favicon.ico 10.128.0.1 GET 64.233.189.104 80 413 00:11:D8:4C:2A:3B Result charged internet http://www.google.com.sg/favicon.ico
    These entries indicate that the user has clicked on the link to re-attempt access to http://www.google.com.sg. The domain name is resolved to 64.233.189.104 and the page is sent, along with the associated images, to the user's browser for display.
    Appendix B PERL REGULAR EXPRESSIONS
    Some features in the InnGate allow you to specify regular expressions for input matching. Here is an illustration of the application of regular expressions, where you can use the "^" character to match the start of the URL.
    Regular Expression: http www ezxcess com
    http www ezxcess com mod id 123
    http www ezxcess com index html
    http www redirectaway com url http WWw ezxcess com
    The InnGate recognizes Perl Regular Expressions and it is beyond the scope of this manual to discuss its full syntax. Instead, some references are provided:
    1. http://www.perl.com/doc/manual/html/pod/perlre.html
    2. http://www.perldoc.com/perl5.8.0/pod/perlre.html
127. ty certificate is from a trusted certifying authority.
    - The security certificate date is valid.
    - The name on the security certificate is invalid or does not match the name of the site.
    Do you want to proceed?
    [Figure 1-4: SSL Warning Message]
    The administrator's login page is presented next (see Figure 1-5).
    [Figure 1-5: Login Prompt]
    Login with the default User ID root and default password admin.
    It is recommended that you change the default password (see Section 8.3.2) to prevent unauthorized access.
    Upon successful login, the main Admin Page will be displayed. Figure 1-6 shows a portion of the actual page, which is a status summary.
    [Figure 1-6: Admin Page. The status summary shows the devices connected and logged in, and LAN packet statistics (packets received and sent, dropped, overruns, frame, carrier and collisions).]
    The various menu options are displayed on the left side of the page, and you may return to the main Admin page at any time by clicking on the InnGate logo at the top left corner of the browser window.
    1.3.2 Configuring the WAN Interface
128. udes information about:
    1. Downstream information: Shows information about downstream devices.
    [Figure 7-1: Downstream Devices]
    2. Network information: Shows LAN and WAN packet statistics.
    [Figure 7-2: Network Information]
    3. Appliance information: Shows the system uptime, load, memory usage, etc.
    [Figure 7-3: Appliance Information. The panel shows Uptime, System Load (past 1, 5 and 15 minutes), Memory, and Disk Space for Logs and Email, Database and Web Pages.]
    Under normal operating conditions, the Appliance status should reflect the following:
    1. Users Connected: This value should not exceed the user licenses for your InnGate.
    2. System Load: This value should be less than 25 for the past 1, 5 or 15 minutes. Temporary high system loads may be observed
129. ust own the domain for which you are applying the certificate.
    Step 3: Install the Signed Certificate and Private Key
    Initiate an FTP session to the InnGate. See Section 5.5.1 for the default User ID and Password.
    1. Change to the ssl directory and upload the signed certificate and private key.
       The signed certificate filename extension must be .crt (not .csr) and the private key filename extension must be .key. There must be only one .crt and one matching .key file in the ssl directory.
    2. Reboot the InnGate.
    To test that the new certificate is working, make sure your web browser is configured not to use a web proxy (direct connection to the Internet) and, from the service gateway downstream, access the new HTTPS URL of the Admin GUI, e.g. https://yourdomain/admin. You should see the Admin GUI login page.
    Step 4: Configuring the HTTPS Login Page
    This is only required if you want to display your login page via HTTPS. It is not necessary if you only want to secure the login User ID and Password information via HTTPS.
    1. Ensure that the URL for the login page specified in your active Authentication Policy reflects <yourdomain> rather than the default ezxcess.antlabs.com.
    2. Modify the HTML code in the login page to post the login form to the new domain, i.e. ezxcess.antlabs.com to yourdomain. Example: <form method="post" action="https://<yourdomain>
    Appendix F ERROR
130. uted Scope. The fields are the same as for the Default Scope.
    [Figure 3-4: User Provision Routed Scope Settings]
    Click to commit the changes.
    After saving the Settings for DHCP Server mode, additional option tabs called Default Scope and User Provision Routed Scope will be available.
    Next, we proceed to define the IP addresses for the different scopes:
    1. Setting up the Default Scope (See Section 3.2.1.1)
    2. Setting up the User Provision Routed Scope (See Section 3.2.1.2)
    When the client first connects on the downstream LAN, the InnGate will initially assign an IP address from the Default Scope to the client via DHCP. The client may be allowed to request a routed IP address from the User Provision Routed Scope.
    The propagation of this new routable IP will only occur when the client seeks to renew the DHCP lease, which is half of the lease expiry time. Alternatively, the client can force an immediate change in IP by releasing and renewing its IP address.
    3.2.1.1 Setting up the Default Scope
    To setup the Default Scope:
    1. Click on LAN.
    2. Click on DHCP.
    Select the Default Scope tab as shown in Figure 3-5. A list of IP address ranges will be presented. Click on an entry to modify it, or click to create one.
    Settings Default Scope
131. uthentication process.
    [Figure 1-29: Customizing Labels. The page lists form labels (such as Authentication Type, Plan Selection, Routable IP Prompt, User ID Field, Password Field, Room Number Field, PMS Password Field, Credit Card Number Field, Credit Card Expiry Field and Access Code) and error messages (such as No JavaScript Support).]
    Click to proceed with the next step in the wizard. The next step allows you to preview the Welcome/Login page that you have just configured.
    [Figure 1-30: Error Page]
    At any step in the wizard, you can always click to confirm the changes.
    1.3.8 Creating VLANs
    Within each location, you will now assign VLANs to it so that under each VLAN you can have network-specific controls.
    To configure the VLAN:
    1. Click on Locations.
    2. Click on VLANs.
    [Figure 1-31: VLANs. A table with columns VLAN ID, Location, Max Logins/sessions, Name and Description.]
    Figure 1-31 shows the list of existing VLANs. Select an
132. utton or for A Options modifications.
    The InnGate will perform a proxy ARP on the upstream when it encounters user provisioned routed IP addresses that have been assigned to its downstream devices. The InnGate will not proxy ARP for addresses that have not been assigned. Thus, when defining the routing table of the router on the WAN segment, traffic destined for the IP addresses in the User Provisioned Routed Scope should be sent to the WAN subnet rather than directly to the InnGate's WAN IP address.
    There are two additional configuration options which are accessible when you select an existing entry from the list shown in Figure 3-14 to modify. The additional interface options are shown in Figure 3-14.
    1. Disabled IP Addresses: IP addresses that will not be assigned to the DHCP clients. This feature is commonly used to exclude the IP addresses of statically configured permanent network devices such as routers, printers, etc.
    2. Reserved IP Addresses: Used to map an IP address to a particular MAC address. When the system detects that a DHCP client's MAC address is in this list, it will assign the corresponding IP address to it.
    [Figure 3-14: Additional DHCP configuration. Disabled IP Addresses can be entered as a single IP address or an IP address range; Reserved IP Addresses are entered as an IP address and MAC address pair.]
133. ve been applied to both gateways.
    10.5 Failover Behavior
    The primary InnGate will always be the active gateway unless one of the following occurs to trigger a failover to the secondary InnGate:
    - WAN gateway is not responding to ARP pings
    - InnGate is rebooting or shutting down
    The secondary InnGate will failover and become active if any of the following occurs:
    - Primary InnGate is not detected
    - Control channel (OPT) link to the primary InnGate is down
    - Received indication from the primary InnGate that it is rebooting or shutting down
    A failback from the secondary InnGate to the primary InnGate will occur when the primary InnGate is:
    - Turned on
    - Detected again after an OPT link disconnection
    - Able to contact its LAN and WAN networks again
    If a valid email address is configured in System > Security > Admin Account, the secondary InnGate will send email notifications with the subject "High Availability Event Notification" whenever a failover or failback occurs.
    Chapter 11 System Save & Restoration
    11.1 Overview
    InnGate 3 allows you to do 3 types of system save and restoration:
    1. Save Snapshot
    2. Restore Firmware
    3. Restore Snapshot
    11.2 Save Snapshot
    Saving a snapshot will save your current state configuration of the InnGate. This action can be performed through the CLI in supervisor mode.
    To save a snapshot through the CLI: 1
134. where yyyymmdd is the current date in year-month-date format. E.g. 2 Jun 2006: 20060602
    2. System Configuration Restore: Click to select the system configuration backup (binary) file to use and then click to restore it.
    Reboot the InnGate after performing a system restore.
    [Figure 8-10: Backup and Restore functions]
    After you have made a backup of the system configuration, you should also make a backup of the directories containing any customized web pages, such as login scripts:
    1. Access the InnGate via FTP (see Section 5.5.1).
    2. Browse the directories using ls -l and identify those files/directories you wish to make a backup of.
    3. Change to the temporary directory on the local host using the lcd command so that whatever you download will end up in that directory. EQ ied os backup
    4. Copy out the files/directories you wish to make a backup copy of using the mget command. E.g. mget sample
    In addition to backing up and restoring the configuration of an InnGate, the Command Line Interface (CLI) provides additional features to make a snapshot of the current state of the gateway and perform a subsequent on-demand restore. You can also invoke a factory restore from the CLI to revert the InnGate back to its original state. Please refer to the InnGate Command Line Interface Reference for
135. word
    5. Admin Group: Select the admin group.
    6. Email: The email address for the user account.
    7. Max Logins: Maximum number of concurrent sessions allowed for this account. Earlier sessions will be terminated when the limit is exceeded.
    8. Description: A description for this entry.
    [Figure 8-6: Administrator Account Details]
    Click to confirm the entry or for modifications.
    8.2.4 Viewing Audit Log
    To access the option:
    1. Click on Admin Accounts.
    2. Click on Audit Log.
    Figure 8-7 shows the existing list of audit log entries:
    1. Date & Time: The date and time when the admin account logged in.
    2. ID: The admin account used for login.
    3. Status: The status of login.
    4. Module: The module accessed by admin.
    5. Operation: The activity done by admin.
    6. Details: Additional information of activity.
    [Figure 8-7: Audit Log. The sample entries show successful Admin Login and Logout operations.]
    8.2.5 Assigning Admin Access
    Assigning Admin Access is explained in Sect
136. work
    To configure the ARP settings:
    1. Click on LAN.
    2. Click on ARP.
    Figure 3-33 shows the ARP Settings configuration page.
    [Figure 3-33: ARP Settings]
    The fields are described as follows:
    1. Source IP Address of ARP Probe
       a. Use Default Gateway: Uses the IP address of the Default Gateway defined under the WAN profile (see Section 4.2) as the source address of the ARP probes that it sends out.
       b. IP Address: Depending on the network setup, the downstream subnet may not be the same as the subnet of the Default Gateway, and some devices are known to ignore ARP requests that are not from their own subnet. If you encounter such cases, you can configure the Source IP Address of the ARP probe here.
    2. Manage ARP traffic for users in the same VLAN: This is normally unselected to allow users within the same VLAN to communicate directly with each other. If the checkbox is selected, the InnGate will respond to clients' ARP requests in an attempt to manage their communications.
    Click to confirm the changes.
    Chapter 4 WAN NETWORK SETTINGS
    4.1 Overview
    You can configure the following under the WAN Settings:
    1. WAN
137. y Configuration
    Set the gateway as primary or secondary and click to commit the changes. Reboot the gateway for the setting to take effect.
    After changing the InnGate from primary to secondary, do not connect to the LAN network until it is rebooted.
    The configuration, policies and patches applied to both InnGates should be the same so that when a failover occurs, network services are similarly provisioned.
    The recommended steps to set up a HA deployment are as follows:
    1. Start up the primary InnGate.
    2. Make the necessary system configuration changes.
    3. Set it as a primary InnGate.
    4. Reboot the primary InnGate for the HA settings to take effect.
    5. Connect the primary InnGate's WAN and LAN interfaces to the upstream and downstream networks.
    6. Start up the secondary InnGate.
    7. Configure the secondary InnGate with the same policies as the primary InnGate to ensure that it is correctly set up to take over in the event of a HA failover.
    8. Set it as a secondary InnGate.
    9. Shut down the secondary InnGate.
    10. Connect the secondary InnGate's WAN and LAN interfaces to the upstream and downstream networks.
    11. Connect the primary and secondary InnGates via the OPT interface for the control channel link.
    12. Power on the secondary InnGate. The secondary InnGate will start up, discover the primary InnGate and set itself to standby.
    The primary and secondary InnGates must be connected via the OPT interface so tha
138. [Figure 3-26: Define IP packets allowed before login. The form has fields for VLAN, Protocol (Any, TCP, UDP, ICMP), Source Network, Destination Network, Destination Port and Description; the example entry uses destination network address 202.157.140.103 with the description "Access to the ANTlabs website".]
    The fields are described as follows:
    1. VLAN: Packets from this VLAN are allowed.
    2. Protocol: Specify the protocol allowed.
    3. Source Network: Packets whose source field matches the criteria here are allowed.
    4. Source Port: Packets whose source port field matches the entry here are allowed.
    5. Destination Network: Packets whose destination field matches the criteria here are allowed.
       If you are creating this IP Address Walled Garden entry as part of the HTTPS Domain requirements (see Section 3.4.2), this will be the IP of the web server that will handle the HTTPS traffic.
    6. Destination Port: Packets whose destination port field matches the entry here are allowed.
       If you are creating this IP Address Walled Garden entry as part of the HTTPS Domain requirements (see Section 3.4.2), then the port number here should be 443. This is the standard port for HTTPS traffic.
139. [Figure 7-19: Credit Card Log]
    7.4 Maintenance
    Reports maintenance has been explained in Section 6.3.
    Chapter 8 SYSTEM ADMINISTRATION
    8.1 Overview
    This chapter covers some of the common system configuration options and maintenance tasks:
    1. Setting up Administrator Accounts (See Section 8.2)
    2. Powering up and shutting down the system (See Section 8.3)
    3. System Configuration Backup or Restore (See Section 8.4)
    4. Applying System Patches (See Section 8.5)
    5. Setting the Date and Time (See Section 8.6)
    6. Syslog Configuration (See Section 8.7)
    7. SNMP Setup (See Section 8.8)
    8. View API Information (See Section 8.9)
    9. High Availability (See Section 8.10)
    10. View License Information (See Section 8.11)
    11. Console Access via Serial Connection (See Section 8.12)
    12. Securing the System for Deployment (See Section 8.13)
    8.2 Setting up Administrator Accounts
    Administrator accounts with different access privileges can be created for personnel with different responsibilities. A few processes in setting up admin accounts are:
    1. Creating an Administrator Group (See Section 8.2.1)
    2. Defining Admin Group Permissions (See
