User Guide
Page 9
Contents Overview Contents Overview User's Guide ...27 Introducing the ZyWALL ...29 Features and Applications ...37 Web Configurator ...43 Installation Setup Wizard ...59 Quick Setup ...69 Configuration Basics ...87 Tutorials ...Binding ...359 Authentication Policy ...365 Firewall ...373 IPSec VPN ...391 SSL VPN ...427 SSL User Screens ...437 SSL User Application Screens 447 ZyWALL SecuExtender ...449 Bandwidth Management ...453 ADP ...467 Content Filtering ...487 Content Filter Reports ...513 Anti-Spam ...521 User/Group ...539 Addresses ...555 Services ...561 ZyWALL USG 20/20W User's Guide 9
User Guide
Page 11
... Applications ...37 2.1 Features ...37 2.2 Applications ...39 2.2.1 VPN Connectivity ...39 2.2.2 SSL VPN Network Access 39 2.2.3 User-Aware Access Control 41 Chapter 3 Web Configurator...43 3.1 Web Configurator Requirements 43 3.2 Web Configurator Access ...43 3.3 Web Configurator Screens Overview 45 3.3.1 Title Bar ...46 3.3.2 Navigation Panel ...47 3.3.3 Main Window ...52 3.3.4 Tables and Lists ...54 ZyWALL USG 20/20W User's Guide 11
User Guide
Page 13
...6.5.8 DDNS ...98 6.5.9 NAT ...98 6.5.10 HTTP Redirect ...99 6.5.11 ALG ...100 6.5.12 Auth. Policy ...100 6.5.13 Firewall ...100 6.5.14 IPSec VPN ...101 6.5.15 SSL VPN ...101 6.5.16 Bandwidth Management 102 6.5.17 ADP ...102 6.5.18 Content Filter ...102 6.5.19 Anti-Spam ...103 6.6 Objects ...103 6.6.1 User/Group ...104... on Ethernet Interfaces 113 7.3.2 Configure the WAN Trunk 114 7.4 How to Set Up an IPSec VPN Tunnel 116 7.4.1 Set Up the VPN Gateway 117 7.4.2 Set Up the VPN Connection 118 7.4.3 Configure Security Policies for the VPN Tunnel 119 ZyWALL USG 20/20W User's Guide 13
User Guide
Page 19
... User Login ...438 25.3 The SSL VPN User Screens 443 25.4 Bookmarking the ZyWALL 444 25.5 Logging Out of the SSL VPN User Screens 444 Chapter 26 SSL User Application Screens 447 26.1 SSL User Application Screens Overview 447 26.2... The Application Screen 447 Chapter 27 ZyWALL SecuExtender...449 27.1 The ZyWALL SecuExtender Icon 449 27.2 Statistics ...450 27.3 View Log ...451 27.4 Suspend and Resume the Connection 451 27.5 Stop the Connection ...452 ZyWALL USG 20...
User Guide
Page 39
ZyWALL USG 20/20W User's Guide 39 Chapter 2 Features and Applications 2.2 Applications These are some example applications for configuration tutorial examples. 2.2.1 VPN Connectivity Set up additional connections to the Internet to remote users. You can configure the ZyWALL to provide SSL VPN network access to provide better service. Figure 3 Applications: VPN Connectivity 2.2.2 SSL VPN Network Access You can also set up...
User Guide
Page 49
.... Policy Define rules to each supported interface. Firewall Firewall Create and manage level-3 traffic rules. Global Setting Configure the ZyWALL's SSL VPN settings that apply to which the ZyWALL does not apply IP/MAC binding. ZyWALL USG 20/20W User's Guide 49 Cellular Configure a cellular Internet connection for users and groups. RIP Configure device-level RIP settings...
User Guide
Page 96
... Interface > Ethernet and then the dmz's Edit icon. 6.5.4 Trunks Use trunks to set up load balancing using two or more SSL VPN tunnels, and content filtering. MENU ITEM(S) Configuration > Network > Interface > Trunk PREREQUISITES Interfaces WHERE USED Policy routes Example: See ... triggering, 96 ZyWALL USG 20/20W User's Guide MENU ITEM(S) PREREQUISITES Configuration > Network > Interface (except Network > Interface > Trunk) Port groups (configured in the Interface > Port Grouping screen) WHERE USED Zones, trunks, IPSec VPN, DDNS, policy routes, static routes, HTTP redirect, ...
User Guide
Page 97
...ZyWALL USG 20/20W User's Guide 97 Add a policy route. 3 Name the policy route. 4 Select the interface that the traffic comes in through (P3 in the DMZ zone). If you are listed. MENU ITEM(S) Configuration > Network > Routing > Policy Route Criteria: users, user groups, interfaces (incoming), IPSec VPN... destination), address groups (source, destination), schedules, services, service groups PREREQUISITES Next-hop: addresses (HOST gateway), IPSec VPN, SSL VPN, trunks, interfaces NAT: addresses (translated address), services and service groups (port triggering) Example: You have to set...
User Guide
Page 98
... > Network > Zone PREREQUISITES Interfaces, IPSec VPN, SSL VPN WHERE USED Firewall, remote management, ADP Example: For example, to create the DMZ-2 zone, click Network > Zone and then the Add icon. 6.5.8 DDNS Dynamic DNS maps a domain name to at most one zone. MENU ITEM(S) Configuration > Network > NAT 98 ZyWALL USG 20/20W User's Guide MENU ITEM(S) Configuration...
User Guide
Page 101
... to give remote users secure network access. MENU ITEM(S) Configuration > VPN > IPSec VPN; Make sure each rule is in the correct place in order. The ZyWALL also offers hub-and-spoke VPN. MENU ITEM(S) Configuration > VPN > SSL VPN Interfaces, SSL application, users, user groups, addresses (network PREREQUISITES list, IP pool...any insecure network that uses TCP/IP for assigning to clients, DNS and WINS server addresses), to-ZyWALL firewall, firewall WHERE USED Policy routes, zones Example: See Chapter 7 on page 107. 6.5.15 SSL VPN Use SSL VPN to No. ZyWALL USG 20/20W User's Guide 101
User Guide
Page 104
... ZyWALL applies default settings. The prerequisites are only used in to the ZyWALL before the ZyWALL routes traffic for them, you might have to delete references to force user authentication 104 ZyWALL USG 20/20W User's Guide address VPN connections...force user authentication) AAA server Authentication methods authentication methods VPN gateways (extended authentication), WWW (client authentication) certificates VPN gateways, WWW, SSH, FTP SSL Application SSL VPN Endpoint Security Authentication policies, SSL VPN 6.6.1 User/Group Use these screens to configure prerequisites ...
User Guide
Page 130
... > WWW 3 In the Zone field select LAN1 and click OK. Figure 82 Configuration > System > WWW > Service Control Rule Edit 130 ZyWALL USG 20/20W User's Guide Chapter 7 Tutorials user access (logging into SSL VPN for more on page 629 for example). If you configure service control to allow management or user HTTP or HTTPS access...
User Guide
Page 132
... Rule Configured) Now administrator access to the Web Configurator can still use HTTPS to log into the ZyWALL from the WAN. Chapter 7 Tutorials 6 Click Apply. Here is an example of the ZyWALL's zones (to use SSL VPN for example). 7.9 How to Allow Incoming H.323 Peer-to -peer calls from any of how to configure... a H.323 device on the LAN1 for VoIP calls and you want it to be able to receive peer-to -peer Calls Suppose you have the ZyWALL forward H.323 traffic destined 132 ZyWALL USG 20/20W User's Guide
User Guide
Page 198
... the information in the display. 9.12.1 Regular Expressions in Searching IPSec SAs A question mark (?) lets a single character in front of active SSL VPN connections. • Log out individual users and delete related session information. 198 ZyWALL USG 20/20W User's Guide A VPN connection or policy name named "testacc" for example would still match. Wildcards (*) let multiple...
User Guide
Page 199
... number of bytes transmitted by the ZyWALL on this screen. Access This field displays the name of bytes received by the ZyWALL on this connection was established. ZyWALL USG 20/20W User's Guide 199 Figure 148 Monitor > VPN Monitor > SSL The following table describes the labels... in this connection. Table 39 Monitor > VPN Monitor > SSL LABEL DESCRIPTION Disconnect Select a connection and ...
User Guide
Page 212
... filtering. See the respective User's Guide chapters for more SSL VPN tunnels. You can have the ZyWALL use and content filtering subscription services. Click Configuration > Licensing > Registration in the navigation panel to register your ZyWALL with myZyXEL.com and activate a service, such as shown next. Figure 154 Configuration > Licensing > Registration 212 ZyWALL USG 20/20W User's Guide
User Guide
Page 304
... ZyWALL USG 20/20W User's Guide This field displays when you also need to the interface). Select Gateway to route the matched packets to the next-hop router or switch you enable Auto Destination Address, the ZyWALL uses the local network of 0 which the traffic is connected to select the individual interface, VPN tunnel, or SSL VPN...
User Guide
Page 427
...login (the remote users do not need a VPN router or VPN client software. 24.1.1 What You Can Do in this Chapter • Use the VPN > SSL VPN > Access Privilege screens (see Section 24.2 on page 429) to configure SSL access policies. • Use the Click VPN > SSL VPN > Global Setting screen (see Section 24.3 on... as if they were part of the ZyWALL (or a gateway device) on your network for full tunnel mode access, enter access messages or upload a custom logo to be displayed on the remote user screen. 24.1.2 What You Need to perform the following tasks: ZyWALL USG 20/20W User's Guide 427
User Guide
Page 428
...local computer, server, or web site SSL users are allowed to access through a VPN connection. SSL Access Policy Objects The SSL access policies reference the following objects. Configure address objects for how to establish an SSL VPN connection to the ZyWALL (after you want to apply this information...621 for details on endpoint security objects. • See Chapter 41 on page 615 for details on SSL application objects. 428 ZyWALL USG 20/20W User's Guide Chapter 24 SSL VPN • apply Endpoint Security (EPS) checking to require users' computers to comply with defined corporate ...
User Guide
Page 429
... and click Object References to open a screen that appears, specify the number to which settings use the entry. ZyWALL USG 20/20W User's Guide 429 Table 122 VPN > SSL VPN > Access Privilege LABEL DESCRIPTION Add Edit Remove Activate Inactivate Move Object References Click this policy uses including its name,... entry is active and dimmed when the entry is inactive. Chapter 24 SSL VPN 24.2 The SSL Access Privilege Screen Click VPN > SSL VPN to open a screen where you want to move an entry to an SSL access policy. Double-click an entry or select it and click Inactivate....