User Guide
Page 37
...configure load balancing between two sites over the Internet or any insecure network that uses TCP/IP for communication. Virtual Private Networks (VPN) Use IPSec, SSL to zones. You can add interfaces and VPN tunnels to provide secure ...ZyWALL USG 20/20W User's Guide 37 CHAPTER 2 Features and Applications This chapter introduces the main features and applications of the ZyWALL. High Availability To ensure the ZyWALL provides reliable, secure Internet access, set up one or more information about the features of the ZyWALL. 2.1 Features The ZyWALL's security features include VPN...
User Guide
Page 77
... Wizard: Step 2 Rule Name: Type the name used to identify this to connect to -site with Dynamic Peer - Only the clients can initiate the VPN tunnel. Choose this VPN connection (and VPN gateway). ZyWALL USG 20/20W User's Guide 77 You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. Chapter...
User Guide
Page 81
... device can initiate the VPN tunnel. ZyWALL USG 20/20W User's Guide 81 This value is case-sensitive. Choose this if the remote IPSec device has a dynamic IP address. Only the clients can initiate the VPN tunnel. • Remote Access (Server Role) - This ZyWALL can initiate the VPN tunnel. • Site-to -site - Chapter 5 Quick Setup 5.5.4 VPN Advanced Wizard - Select...
User Guide
Page 84
A short SA life time increases security, but renegotiation temporarily disconnects the VPN tunnel. • Perfect Forward Secrecy (PFS): Disabling PFS allows faster IPSec setup, but is more secure, yet slower). • Local Policy (IP/Mask): Type the ... refers to -site and remote access client role scenarios. SHA-1 gives higher security. DH5 is slower. • SA Life Time: Set how often the ZyWALL renegotiates the IKE SA. Select DH1, DH2 or DH5 to have the ZyWALL automatically renegotiate the IPSec SA when the SA life time expires. 84 ZyWALL USG 20/20W User's Guide...
User Guide
Page 101
ZyWALL USG 20/20W User's Guide 101 Chapter 6 Configuration Basics 1 Create a VoIP service object for UDP port ... Example: See Chapter 7 on page 107. 6.5.15 SSL VPN Use SSL VPN to -ZyWALL firewall, firewall WHERE USED Policy routes, zones Example: See Chapter 7 on page 107. MENU ITEM(S) Configuration > VPN > IPSec VPN; you have configured. • You don't need to specify...; Leave the Access field set to Allow and the Log field set to provide secure communication between two sites over the Internet or any insecure network that uses TCP/IP for assigning to clients, DNS and WINS ...
User Guide
Page 119
... or click Configuration > VPN > IPSec VPN > VPN Connection and use the VPN connection screen's Connect icon. 7.4.3 Configure Security Policies for the remote. ZyWALL USG 20/20W User's Guide 119 Chapter 7 Tutorials 4 Enable the VPN connection and name it ("VPN_CONN_EXAMPLE"). Click OK. The new VPN connection was assigned to -site and the VPN gateway (VPN_GW_EXAMPLE). To trigger the VPN, either try to the...
User Guide
Page 391
... the IP layer. ZyWALL USG 20/20W User's Guide 391 Internet Protocol Security (IPSec) is used to -site lines. Figure 238 IPSec VPN Example The VPN tunnel connects the ZyWALL (X) and the remote (peer) IPSec router (Y). CHAPTER 23 IPSec VPN 23.1 IPSec VPN Overview A virtual private network (VPN) provides secure communications between sites without the expense of leased site-to transport traffic...
User Guide
Page 393
... it . Table 113 IPSec VPN Application Scenarios SITE-TO-SITE SITE-TO-SITE WITH REMOTE ACCESS DYNAMIC PEER (SERVER ROLE) REMOTE ACCESS (CLIENT ROLE) Choose this ZyWALL can also initiate the VPN tunnel if this if the remote IPSec router has a dynamic IP address. This ZyWALL must have a static IP address or a domain name. ZyWALL USG 20/20W User's Guide 393...
User Guide
Page 398
... character cannot be necessary to allow incoming connections from IPSec VPN clients. This ZyWALL can initiate the VPN tunnel. Connection Name Type the name used to identify this to connect to an IPSec server. Site-to display a greater or lesser number of -Service attacks... IPSec VPN Each field is to use or select Create Object to add another VPN gateway for this VPN connection to use. 398 ZyWALL USG 20/20W User's Guide Table 115 Configuration > VPN > IPSec VPN > VPN Connection > Edit LABEL DESCRIPTION Show Advance Settings / Hide Advance Settings Click this button to -site -
User Guide
Page 428
...Addresses Address VPN Network Address DESCRIPTION Configure a user account or user group to which network segment users are not removed. Finding Out More • See Section 6.5.15 on page 101 for related information on these screens. • See Section 24.4 on SSL application objects. 428 ZyWALL USG 20/20W User... for details on page 435 for how to establish an SSL VPN connection to changes, the ZyWALL automatically propagates the changes through the SSL policies that defines a range of the local computer, server, or web site SSL users are to be able to user computers so they can...
User Guide
Page 437
..., you can access intranet sites, web-based applications, or web-based e-mails using Microsoft Outlook Web Access (OWA). Figure 258 Network Example WWW Internet A 25.1.1 What You Need to Know The ZyWALL can use SSL VPN to provide secure connections to your computer. ZyWALL USG 20/20W User's Guide 437 Network Resource Access Methods As a remote...
User Guide
Page 439
...Password field. 4 Click SSL VPN to log in a Web Browser 2 Click OK or Yes if a security screen displays. Chapter 25 SSL User Screens 1 Open a web browser and enter the web site address or IP address of your login account. Figure 261 Login Screen ZyWALL USG 20/20W User's Guide 439 ...Enter the user name and password of the ZyWALL. Figure 260 Login Security Screen 3 A login screen displays. For example, ...
User Guide
Page 447
...VPN connection. The Type field displays whether the application supports Virtual Network Computing (VNC) or Remote Desktop Protocol (RDP). Figure 272 Application ZyWALL USG 20/20W User's Guide 447 CHAPTER 26 SSL User Application Screens 26.1 SSL User Application Screens Overview Use the Application screen to access web-based applications (such as web sites... and e-mail) on the ZyWALL's...
User Guide
Page 615
...able to access. Depending on the application type, remote users can configure the following SSL application on the ZyWALL. • Web-based A web-based application allows remote users to access an intranet site using a standard web browser (Section 41.2.1 on page 618). • You can also use SSL ... or follow the steps in SSL VPN. CHAPTER 41 SSL Application 41.1 Overview You use the SSL Application Edit screen to specify the name of the local computer, server, or web site SSL users are displayed as links in remote user screens. ZyWALL USG 20/20W User's Guide 615 Configure an...
User Guide
Page 616
...Remote Desktop Connections Use SSL VPN to allow remote users to access web sites. 41.1.3 Example: Specifying a Web Site for an internal web site. The remote user's computer does not use VNC or RDP client software. The address of the web site is useful for troubleshooting, ...support, administration, and remote access to files and programs. The LAN computer to manage LAN computers. This is http://info with the following remote desktop connection software: RDP • Windows Remote Desktop (supported in the navigation panel. 616 ZyWALL USG 20...
User Guide
Page 619
...: You must enter the "http://" or "https://" prefix. Select VNC to allow users to 31 characters ("0-9", "a-z", "A-Z", "-" and "_"). ZyWALL USG 20/20W User's Guide 619 Object Type Web Application Select Web Application from the drop-down list box. Server Type Specify the type of your SSL...to identify this screen. Click Advanced to access the URL you expect the SSL VPN users to Web Server, OWA, or Weblink. Select Weblink to create a link to a web site that have Virtual Network Computing remote desktop server software installed. Chapter 41 SSL Application...
User Guide
Page 733
...so, ensure that are being sent and received by the ZyWALL and remote IPSec router (for NAT traversal. ZyWALL USG 20/20W User's Guide 733 The old route may be routed. You must use the same SPI. • If the sites are some general suggestions. See also Chapter 23 on page...IPSec SAs in the routing table. Check the configuration for each VPN tunnel. If you assign the VPN tunnel and the zone from the network before the ZyWALL encrypts them and check packets the ZyWALL receives after the ZyWALL decrypts them. Chapter 50 Troubleshooting Here are /were previously connected using...
User Guide
Page 947
...DHCP clients 285 Ethernet, see also virtual interfaces. types 218 virtual, see also Ethernet interfaces. PPPoE/PPTP, see also VPN site-to-site with dynamic peer 398 static site-to-site 398 ZyWALL USG 20/20W User's Guide 947 where used 96 WLAN 218 Internet access troubleshooting 728, 734 Internet Control Message Protocol, see ... redirect 350 and layer-3 virtualization 218 and NAT 341 and physical ports 88, 218 and policy routes 305 and static routes 309 and VPN gateways 394 and zones 88, 218 as DHCP relays 286 as DHCP servers 286, 630 backup, see trunks bandwidth management 285, 295 bridge...
User Guide
Page 958
...251 VoIP pass through 358 and firewall 354 and NAT 354 and policy routes 353, 354 see also ALG 352 VPN 391 active protocol 421 and NAT 419 and the firewall 376 basic troubleshooting 732 IKE SA, see IKE SA IPSec ... ActiveX 510 cookies 510 Java 510 web proxy servers 510 web proxy servers 348, 510 see also HTTP redirect web site ZyXEL 4 web-based SSL application 615 configuration example 616 create 618 weblink 616 webroot-directory-traversal attack 485 weighted round robin... balancing) 290 white list (anti-spam) 521, 527, 529, 531 Wi-Fi Protected Access 812 958 ZyWALL USG 20/20W User's Guide
User Guide
Page 959
... wireless security 249, 808 Wizard Setup 59, 69 WLAN 146, 248 interfaces 218 interference 805 security parameters 816 see also HTTP, HTTPS 130, 646 www.zyxel.com 4 Z zones 88, 327 and firewall 374, 384 and FTP 670 and interfaces 88, 327 and SNMP 674 and SSH 665 and Telnet 668... and VPN 88, 327 and WWW 650 block intra-zone traffic 330, 382 configuration overview 98 default 90 extra-zone traffic 328 inter-zone traffic 328 intra-zone traffic 328 prerequisites 98 types of traffic 328 where used 98 ZyWALL terminology differences 91 ZyXEL web site 4 ZyWALL USG 20/20W User's Guide 959...