User Guide
Page 6
... cannot access either. 6 ZyWALL USG100-PLUS User's Guide Figure 3 Applications: VPN Connectivity ***** OTP PIN SafeWord 2008 Authentication Server File Server Email Server Web-based Application SSL VPN Network Access SSL VPN lets remote users use VPN solution. User C is trying to the ZyWALL's network. A user just browses to the ZyWALL's web address and enters his user name and password to securely connect to access it. Chapter 1 Introduction Password System for strong two-factor authentication for Web Configurator, Web access, SSL VPN, and ZyXEL IPSec VPN client user logins...
User Guide
Page 9
... or disabled security services. If you change the default password, the Login screen appears after you have a OTP (One-Time Password) token generate a number and enter it is using the default user name and password, the Update Admin Info screen appears. You must use the token to http://192.168.1.1. By default, the ZyWALL automatically routes this setting. The Login screen appears. 3 Type the user name (default: "admin") and password (default: "1234"). See the Quick Start Guide. 2 In your ZyWALL hardware is...
User Guide
Page 13
... names. IP/MAC Binding Summary Configure IP to MAC address bindings for devices connected to force user authentication. Static Route Create and manage IP static routing information. HTTP Redirect Set up and manage port forwarding rules. VLAN Create and manage VLAN interfaces and virtual VLAN interfaces. Session Limit Limit the number of IP addresses to configure the ZyWALL's features. Update IDP signatures immediately or by a schedule. Service View the licensed service status and upgrade licensed services. Tunnel Configure tunneling between IPv4 and IPv6 networks...
User Guide
Page 14
... used web, file transfer and email protocols. SSL VPN Access Privilege Configure SSL VPN access rights for content filtering policies. DNSBL Have the ZyWALL check e-mail against DNS Black Lists. Signature Search for signatures by application and see registration and signature information. VPN Gateway Configure IKE tunnels. Object 14 ZyWALL USG100-PLUS User's Guide Concentrator Combine IPSec VPN connections into a single secure network Configuration Provisioning Set who can retrieve VPN rule settings from the ZyWALL using the ZyWALL IPSec VPN Client...
User Guide
Page 15
Method Authentication Method Create and manage ways of addresses. Lease Configure IPv6 DHCP lease type and interface information. USB Storage Settings Configure the settings for the ZyWALL. DNS Configure the DNS server and address records for the connected USB devices. Login Page Configure how the login and access user screens look. TELNET Configure telnet server settings for the ZyWALL. Language Select the Web Configurator language. Address Address Create and manage host, range, and network (subnet) addresses. Schedule Schedule Create one-time and...
User Guide
Page 20
... error or has failed. No device is connected to a 3G network through the connected 3G USB card. Chapter 1 Introduction 1.7 Front Panel This section introduces the ZyWALL's front panel. The ZyWALL is no traffic on this port. There is sending or receiving packets on this port. There is no connection on this port. Connected to the ZyWALL's USB port or the connected device is a hardware component failure. There is no traffic on this port. There is booting...
User Guide
Page 24
... ZyWALL's USB ports. 3 Click Configuration > Network > Interface > Cellular. See www.zyxel.com for cellular WAN (Internet) connections. In this example you connect the 3G USB card before you configure the cellular interfaces but is also possible to reverse the sequence. 1 Make sure the 3G device's SIM card is highly recommended that you can configure firewall rules to apply specific security settings to this example). 24 ZyWALL USG100-PLUS User's Guide Leaving Zone set the Zone to WAN to apply your WAN...
User Guide
Page 26
... when to make the IPv6 settings work. • An Enable IPv6 setting - Although the ZyWALL is "transparent" in the CONFIGURATION > System > IPv6 screen to configure the Ethernet, PPP, VLAN, Bridge screens under Configuration > Network > Interface and Configuration > Network > Routing. Chapter 2 How to Set Up Your Network This way the ZyWALL can automatically balance the traffic load amongst the available WAN connections to configure the DHCPv6 role and the corresponding settings for the interface. 26 ZyWALL USG100-PLUS User's Guide
User Guide
Page 46
... ZyWALL (Configuration > Object > User/Group). 3 Configure an object for the RADIUS server. You cannot have the RADIUS server authenticate the ZyWALL's default admin account. • The authentication attempt will always fail if the ZyWALL tries to allow access for a management service such as AD, LDAP or RADIUS must also enable the service in the service control rules. • The ZyWALL is not applying your firewall rules for specific users or groups of the authentication method setting. Click Configuration...
User Guide
Page 63
...; One-Time Password Version 2 (OTPv2) on page 90 4.1 IPSec VPN Besides using the VPN quick setup wizard to configure settings for the VPN Tunnel You configure security policies based on zones. By default, there are no security restrictions on the peer IPSec router's LAN or click Configuration > VPN > IPSec VPN > VPN Connection and use the Configuration > VPN > IPSec VPN screens to manage the ZyWALL's VPN gateways. You can use the VPN connection screen's Connect icon. 4.1.2 Configure Security Policies for an IPSec VPN tunnel, you should set up security policies that...
User Guide
Page 64
... old route may help to identify a configuration problem. • If you enable NAT traversal, the remote IPSec device must also have NAT traversal enabled. • Both routers must use the same authentication method to establish the IKE SA. • Both routers must use the same negotiation mode, encryption algorithm, authentication algorithm, and DH key group. • When using manual keys, both routers must use certificates to authenticate each VPN tunnel. • Make sure the To-ZyWALL firewall rules allow traffic...
User Guide
Page 65
...; Remote Policy: 192.168.1.0/255.255.255.0 • Disable Policy Enforcement Policy Route ZyWALL USG100-PLUS User's Guide 65 Branch B is up and maintain. This reduces the number of VPN connections to set up but VPN traffic cannot be transmitted through the VPN tunnel, check the routing policies to see if they are sending traffic elsewhere instead of through a secure gateway must have the Configuration > VPN > IPSec VPN > VPN Connection screen's Use Policy Route to control...
User Guide
Page 73
... type of application and the address of the local computer, server, or web site SSL users are to be displayed on which the ZyWALL IPSec VPN Client is selected and that both Enable Configuration Provisioning in Configuration > VPN > IPSec VPN > Configuration Provisioning is installed. Remote users can access resources on the local network using one of the ZyWALL (or a gateway device) on the local network. If there is no reply, check that the correct ZyWALL IP address and HTTPS port (if the default port...
User Guide
Page 75
... a WAN interface with Android, iOS, and Windows L2TP VPN uses the L2TP and IPSec client software included in remote users' Android, iOS, or Windows operating systems for use it. 3 In Configuration > VPN > L2TP VPN enable the connection and set the VPN connection L2TP VPN uses, the L2TP client IP address pool, the authentication method, and the allowed users. 4 Configure a policy route to let remote users access resources on the network behind the ZyWALL. 1 L2TP VPN uses one of 172.16.1.2. • The remote user has a dynamic public IP address and connects...
User Guide
Page 82
Right-click the L2TP VPN connection and select Properties. 2 In Windows 7, click Security and set the Type of VPN to L2TP IPSec VPN and click IPSec Settings. 82 ZyWALL USG100-PLUS User's Guide In Windows Vista, click Networking. Then click Advanced settings. Chapter 4 Create Secure Connections Across the Internet 5 Enter your ZyWALL user name and password and click Create. 6 Click Close. Configure the Connection Object 1 In the Network and Sharing Center screen, click Connect to Layer 2 Tunneling Protocol with IPsec (L2TP/IPSec). Set the Type of VPN to a network.
User Guide
Page 90
... OTPv2 Example ***** OTP PIN SafeWord 2008 Authentication Server File Server Email Server Web-based Application Here is no longer valid. Disconnect any needed matching configuration changes and re-establish the sessions using the new settings. 4.7 One-Time Password Version 2 (OTPv2) Two-factor authentication requires a user to connect from more than one IP address. See the ZyWALL OTPv2 support note for Web Configurator, Web access, SSL VPN, and ZyXEL IPSec VPN client user logins. An attacker cannot reuse an OTP password that was already used for Windows...
User Guide
Page 91
... to log in. ZyWALL USG100-PLUS User's Guide 91 Users can try to re-use a password that they have already used to use the SafeWord 2008 authentication server RADIUS server object. 7 Configure Auth. Chapter 4 Create Secure Connections Across the Internet 1 Install the SafeWord 2008 authentication server software on a computer. 2 Create user accounts on the ZyWALL and in the SafeWord 2008 authentication server. 3 Import each login. • Authentication fails if the SafeWord 2008 authentication server goes down, loses its network connection, or...
User Guide
Page 109
... LAN IP address (called WAN_IP-for-H323 here). Set the Incoming Interface to 1720. Set the Original IP to LAN IP address 192.168.1.56. Click OK. 5.6.1.3 Set Up a Firewall Rule For H.323 Configure a firewall rule to allow H.323 (TCP port 1720) traffic received on the ZyWALL's 10.0.0.8 WAN IP address to LAN IP address 192.168.1.56. 1 Click Configuration > Network > NAT > Add > Create New Object > Address and create an IPv4 host address object for -H323 IP address to go to the WAN address...
User Guide
Page 123
... SSH client and specify the connection information (IP address, port number) for the ZyWALL. 2 Configure the SSH client to accept connection using SSH version 1. 3 A window displays prompting you to store the host key in to continue. ZyWALL USG100-PLUS User's Guide 123 Chapter 6 Maintenance 3 Repeat the steps above if you computer. Enter the password to log in you need to add other user groups. 6.3 How to Use SSH for Secure Telnet Access This section shows two examples using a command interface and a graphical interface SSH client program to remotely access...
User Guide
Page 138
.... ZyXEL shall in part some free software distributed under those Licenses, please contact support@zyxel.com.tw to the device. • Do NOT open the device or unit. Opening or removing covers can download the latest firmware at the discretion of electric shock from lightning. • CAUTION: RISK OF EXPLOSION IF BATTERY (on the power adaptor or cord. • Do NOT use , or service this device during...