3Com BETA Скачать руководство пользователя | Manualshive

Страница: 67 / 70

background image

Chapter 7. Firewall and Client Configuration

The Firewall

The firewall to which the Telecommuting Module is connected should have the following
configuration:

SIP over UDP

•

Let through UDP traffic between the Internet (all high ports) and the Telecommuting
Module (port 5060). You must allow traffic in both directions.

•

Let through UDP traffic between the Internet (all high ports) and the Telecommuting
Module (the port interval for media streams which was set on the

Basic Settings

page).

You must allow traffic in both directions.

•

Let through UDP traffic between the Telecommuting Module (all high ports) and the In-
ternet (port 53). You must allow traffic in both directions. This enables the Telecommuting
Module to make DNS queries to DNS servers on the Internet. If the DNS server is located
on the same network as the Telecommuting Module, you don’t have to do this step.

•

NAT between the Telecommuting Module and the Internet must not be used.

SIP over TCP/TLS

•

Let through TCP traffic between the Internet (all high ports) and the Telecommuting Mod-
ule (ports 1024-32767). You must allow traffic in both directions.

•

Let through UDP traffic between the Internet (all high ports) and the Telecommuting
Module (the port interval for media streams which was set on the

Basic Settings

page).

You must allow traffic in both directions.

•

Let through UDP traffic between the Telecommuting Module (all high ports) and the In-
ternet (port 53). You must allow traffic in both directions. This enables the Telecommuting
Module to make DNS queries to DNS servers on the Internet. If the DNS server is located
on the same network as the Telecommuting Module, you don’t have to do this step.

•

NAT between the Telecommuting Module and the Internet must not be used.

SIP clients

The SIP clients on the internal network should have the Telecommuting Module’s IP address
on that network as their outgoing SIP proxy and registrar.

Other

The DNS server used must have a record for the SIP domain, which states that the Telecom-
muting Module handles the domain, or many SIP clients won’t be able to use it (if you don’t
use plain IP addresses as domains).

The Standalone type

Using the Standalone type, the network configuration should look like this:

59

«
...
65
66
67
68
69
...
»

Содержание BETA

Страница 1: ...3Com VCX IP Telecommuting Module Getting started Guide ...

Страница 2: ......

Страница 3: ... please contact 3Com and a copy will be provided to you UNITED STATES GOVERNMENT LEGEND If you are a United States government agency then this documentation and the software described herein are provided to you subject to the following All technical data and computer software are commercial in nature and developed solely at private expense Software is delivered as Commercial Computer Software as d...

Страница 4: ......

Страница 5: ...tion 1 2 Overview of the Installation 3 3 Installing 3Com VCX IP Telecommuting Module 5 Part II Configuring 3Com VCX IP Telecommuting Module 15 4 Network Configuration 17 5 SIP Configuration 35 6 Administration of the Telecommuting Module 47 7 Firewall and Client Configuration 57 Index 61 i ...

Страница 6: ...ii ...

Страница 7: ...ns the necessary information to configure your Telecommuting Module Additional information about managing your 3Com VCX IP Telecommuting Module can be found in the Reference Guide These chapters contain an introduction to the 3Com VCX IP Telecommuting Module de scriptions of the various models and information about how to install your Telecommuting Module ...

Страница 8: ......

Страница 9: ...cted to your network in three different ways depending on your needs Note that if the Standalone type is used the interface which should receive traffic from the outside must have a public IP address no NAT For a DMZ or DMZ LAN type which uses a private IP address on the interface connected to the DMZ of the firewall its corresponding public IP address must be entered on the Interoperability page ...

Страница 10: ...even if they are hidden behind routers This configuration is used to enhance the data throughput since the traffic only needs to pass your firewall once Fig 2 Telecommuting Module in DMZ LAN configuration Standalone Configuration Using this configuration the Telecommuting Module is connected to the outside on one interface and your internal networks on the others Use this configuration only if you...

Страница 11: ...e firewall connected to the Telecommuting Module or for the Standalone type per interface of the Telecommuting Module Some computers should be handled separately and they therefore need their own networks See also the Networks and Com puters section Go to the Surroundings page for the DMZ Telecommuting Module Type and state the networks connected to the firewall See also the Surroundings section i...

Страница 12: ...om VCX IP Telecommuting Module displays serious errors in red e g if mandatory information is not entered Blank fields are shown in red Fields that you correct remain red until you select Save Add new rows or update the page in some other way If you have a web connection with the Telecommuting Module that is inactive for 10 min utes it will ask for a password again Always log out from the Telecomm...

Страница 13: ...he Telecommuting Module printed on the Telecommuting Module label This is the MAC address of Network Interface 1 Add a static entry in your local ARP table consisting of the Telecommuting Module s MAC address and the IP address it should have on eth0 This is how to add a static ARP entry if you use a Windows computer Run the command command or cmd In the Command window enter the command arp s ipad...

Страница 14: ...ond Use the default configuration for all other settings Click OK and wait for a login prompt In some cases you have to press Return to get the login prompt If you use a Linux workstation connect like this Make sure that there is a symbolic link named dev modem which points to the serial port you connected the Telecommuting Module to Connect using minicom with the bit rate 19200 bits s and wait fo...

Страница 15: ... con figured the configuration computers Then enter a password for the Telecommuting Module This is the password you use in your web browser to access and change the Telecommuting Module s configuration Finally you can reset all other configuration if you want to Following is a sample run of the installation program 3Com VCX IP Telecommuting Module Administration 1 Basic configuration 2 Save Load ...

Страница 16: ...swering no to the question Configure from a single computer y n y n The installation program then asks for the network number The configuration computers must be entered as a complete subnet i e a range which can be written as a network number and a netmask like 10 47 2 128 with netmask 255 255 255 128 which means the computers 10 47 2 128 10 47 2 255 All computers on this subnet will be allowed t...

Страница 17: ...minary configuration 3 Revert to the factory configuration and empty all logs and then apply the configuration specified above Both the preliminary and the permanent configurations will be affected Select the update mode which is what you want to remove Update mode 1 3 1 All configuration is now complete The installation program shows the configuration and asks if it is correct yes saves the confi...

Страница 18: ...work interface to which they are connected for example eth0 You must use the physical device name eth0 and eth1 Enter the IP address of the Telecommuting Module on this interface and the network mask for the network A network mask can be written in two ways in 3Com VCX IP Telecommuting Module The first looks just like an IP address for example 255 255 192 0 or 255 255 254 0 The other way is as a n...

Страница 19: ...e network where the Telecommuting Module is connected Now enter the network address and mask of the net work containing the configuring computer Static routing The computer allowed to configure from is not on a network local to this unit You must configure a static route to it Give the IP address of the router on the network the unit is on The IP address of the router 0 0 0 0 10 47 3 1 Network add...

Страница 20: ...t is used if you answer n to the question above Both the preliminary and the permanent configurations will be updated with the configuration specified above 2 Revert to the factory configuration and then apply the configuration specified above This will affect the permanent but not the preliminary configuration 3 Revert to the factory configuration and empty all logs and then apply the configurati...

Страница 21: ...appen You do this on the Save Load Configuration page under Administration Once this is done just turn the computer off The computer that runs 3Com VCX IP Telecommuting Module is specially designed so that you can switch it off without causing any problems in the file structure Remember to lock up the Telecommuting Module The Telecommuting Module is a computer with special software and must be pro...

Страница 22: ...Chapter 3 Installing 3Com VCX IP Telecommuting Module 14 ...

Страница 23: ...IP Telecom muting Module once it has been installed All configuration is made through the web inter face of the Telecommuting Module The configuration described in these chapters is basic for making the Telecommuting Mod ule work For descriptions of more advanced Telecommuting Module functions please refer to the User Manual ...

Страница 24: ......

Страница 25: ...the Telecommuting Module as an outbound proxy on the clients This is the most secure configuration since all traffic goes through both your firewall and your Telecommuting Module It is also the most flexible since all networks connected to any of your firewall s interfaces can be SIP enabled The drawback is that the SIP traffic will pass the firewall twice which can decrease perfor mance On your f...

Страница 26: ...can handle sev eral networks on the internal interface even if they are hidden behind routers No networks on other interfaces on the firewall can be handled Internal users have to configure the Telecommuting Module as outbound proxy or an internal proxy has to use the Telecommuting Module as outbound proxy The Telecommuting Module derives information about your network topology from the in terface...

Страница 27: ...ied on the Save Load Configuration page before it affects the Telecommuting Module functionality Interface Network Interface 1 and 2 There is a page for each network interface Network Interface 1 and 2 on the Telecommuting Module Select a page to make configuration for that interface There is also a page where configuration for all interfaces can be viewed and changed Here you set the interface na...

Страница 28: ...ss is obtained the Telecommuting Module will keep on sending requests until an address lease is received The Telecommuting Module will accept an IP address and a netmask via DHCP It will also accept a default gateway if you configured for that in the Main Default Gateways table on the Default Gateway page If PPPoE client ON is selected the Telecommuting Module will send out a PPPoE request when yo...

Страница 29: ...he DNS Name Or IP Address applies Broadcast address Shows the broadcast address of the network in the Network address field VLAN Id VLANs are used for clustering IP ranges into logical networks A VLAN id is simply a number which identifies the VLAN uniquely within your network Enter a VLAN id for this network You don t need to use a named VLAN defined on the VLAN page VLAN Name If you entered the ...

Страница 30: ...the interface obtains its IP address dynamically no aliases can be defined Name Enter the name of your alias This name is only used internally in the Telecommuting Mod ule DNS Name Or IP Address Enter the IP address of this alias or a name in the DNS If you enter a DNS name instead of an IP address you must enter the IP address of a DNS server on the Basic Configuration page IP address Shows the I...

Страница 31: ...e If the interface obtains its IP address dynamically no other static routes can be defined Routed network Enter the DNS name or IP address of the routed network under DNS Name Or Network Address The IP address of the routed network is shown under Network address In the Netmask Bits field enter the netmask of the network Router The name or IP address of the router that will be used for routing to ...

Страница 32: ...lly the firewall Default gateway must be an IP address from one of the Directly Connected Networks of the Telecommuting Module s interfaces See appendix C of the User Manual for further description of routers gateways The Telecommuting Module must have at least one default gateway to work You can enter more than one default gateway The Telecommuting Module will use one of them until it stops respo...

Страница 33: ...lick on Create new rows Save or Look up all IP addresses again Create Enter the number of new rows you want to add to the table and then click on Create Policy For Packets From Unused Gateways This policy controls how packets from the currently unused gateway s should be treated The packet can be allowed subject to the rest of the configuration or discarded The Discard IP packets selection means t...

Страница 34: ...s in old rows Networks and Computers Here you name groups of computers and networks Sometimes it can be useful to give a group of computers a network name such as Administration If you want to group some computers this can be done here even if they do not have consecutive IP addresses You can also include a subgroup when defining a new network group The names are used when you configure Surroundin...

Страница 35: ...the old group here and leave the fields for DNS name empty Select as Interface If you don t want to use a subgroup select here Lower Limit DNS Name Or IP Address Enter the DNS name or IP address of the network or computer For computers in an IP range that you want to give a network name enter the first IP address in the range DNS Name Or IP Address must not be empty if you are not using a subgroup...

Страница 36: ...hey are connected to By selecting an interface or a VLAN you constrain the group to consist only of the IP addresses in the interval that really are connected to the selected interface VLAN For example if 10 20 0 0 10 20 0 255 are IP addresses behind the interface DMZ 1 and the lower and upper limits are 10 10 10 20 and 255 255 255 255 respectively choosing DMZ 1 as Interface will cause the group ...

Страница 37: ... this is that traffic between two users on different networks or between one of the listed networks and a network not listed here is NAT ed Another effect is that for connections between two users on the same network or on net works where neither is listed in Surroundings no ports for RTP sessions will be opened since the Telecommuting Module assumes that they are both on the same side of the fire...

Страница 38: ...rward traffic with the exception that QoS will be performed if configured for the traffic in question The traffic sent between Data Interfaces will not be logged by the Telecommuting Module The Telecommuting Module will only send SIP traffic between the other interfaces Interface Select a data interface here Delete Row If you select this box the row is deleted when you click on Create new rows or ...

Страница 39: ...m use only axel If no default domain should be used the Default domain field should contain a single dot IP Policy Here you specify what will happen to IP packets which are neither SIP packets SIP session media streams or Telecommuting Module administration traffic Discard IP packets means that the Telecommuting Module ignores the IP packets without replying that the packet did not arrive Reject I...

Страница 40: ...s are renumbered automatically When you click on Save the DNS servers are re sorted Dynamic If an interface will receive its IP address from a DHCP server the Telecommuting Mod ule can also get information about its DNS server from that server In this case select the corresponding IP address here and leave the other fields empty DNS Name Or IP Address The DNS name IP address of the DNS server whic...

Страница 41: ...onfiguration configuration to the preliminary configuration Cancel Reverts all the above fields to their previous configuration Look up all IP addresses again Looks up the IP addresses for all DNS names on this page in the DNS servers you entered above 33 ...

Страница 42: ...Chapter 4 Network Configuration 34 ...

Страница 43: ...n the Routing page Basic Settings Here you make basic settings for the Telecommuting Module SIP management SIP Module Here select whether the SIP module should be enabled or disabled If you select to Disable SIP module no other SIP settings will have any effect Additional SIP Signaling Ports Normally the Telecommuting Module listens for SIP signaling on ports 5060 UDP and TCP and 5061 TLS You can ...

Страница 44: ...mmuting Module can open ports for this traffic Select if the Telecommuting Module should open ports for provisioning traffic or if the phones get their settings in another way SIP Media Port Range State a port interval which the Telecommuting Module should use for SIP media streams You can use any high ports except 4500 reserved for NAT T and 65097 65200 reserved for RADIUS Note A change in the po...

Страница 45: ...he Telecommuting Module If nothing is entered here the Telecommuting Module will use its own IP addresses This setting is not supported for the Standalone configuration SIP Servers To Monitor Your Telecommuting Module can be made to monitor SIP servers to check that they are alive The information is used by the Telecommuting Module when SIP signaling should be passed on to the server in question T...

Страница 46: ...ettings can also be found on the Logging Configuration page under Logging Log class for SIP signaling For each SIP packet the Telecommuting Module generates a message containing the sender and receiver of the packet and what type of packet it is Select a log class for these log messages Log class for SIP packets The Telecommuting Module logs all SIP packets one SIP packet is many lines Select a lo...

Страница 47: ...e Telecommuting Module should be able to forward requests but which for some reason cannot be resolved in DNS Enter an IP address and port to which the requests should be forwarded You can also select to use a specific protocol The Telecommuting Module uses the Request URI of the incoming SIP packet to match for the domains in this table When it matches a domain the packet will be forwarded to the...

Страница 48: ...eld Port Here enter the port on which the SIP server listens for SIP traffic The standard port is 5060 5061 for TLS Transport You can select which transport protocol to use between the Telecommuting Module and the SIP server Under Transport select from UDP TCP and TLS Priority If you entered more than one IP address host name for the same domain you should also assign them Priority and Weight A lo...

Страница 49: ... are handled according to the Default Policy For SIP Requests No The No field determines the order of the rules Rules are used in the order in which they are displayed in the table rule number 1 is first The order is important if you used networks which partly contain the same IP addresses To change order for a rule enter the new number in the field and press Save From Network The network name tha...

Страница 50: ... any requests at all Content Types The SIP packets present information in different ways using content types MIME types Enter here which types the SIP proxy should accept The most common MIME types are predefined and you only have to activate them The content types application sdp used for SIP requests application xpidf xml used for Presence and text x msmsgsinvite used by Messenger are always acc...

Страница 51: ...he encrypted URI in Contact headers passing through the Telecommuting Module Select what to do with Contact headers Always encrypt URIs will make the Telecommuting Module encrypt the entire Contact header URI Use shorter encrypted URIs will make the Telecommuting Module generate a random string for the incoming Contact URI This will then be used as the username part of the outgoing Contact header ...

Страница 52: ...o makes no checks of incoming SIP URIs It becomes possi ble in theory to trick the Telecommuting Module to send SIP packets anywhere so security is drastically reduced Remote SIP Connectivity Remote NAT Traversal If your SIP client is not STUN capable you can use the built in Remote NAT traversal fea ture of the Telecommuting Module The client must register on the Telecommuting Module or through i...

Страница 53: ...mmuting Module should use as the sender IP address when forwarding signaling from remote clients As all other SIP signaling will be forwarded using the IP address entered in the Directly Connected Networks you must select an Alias IP address here NAT keepalive method Clients using this function will have to send SIP packets very often to keep the IP port NAT binding Select which method to use to f...

Страница 54: ...sually media is always sent via the Telecommuting Module when the Remote NAT Traver sal feature is used For clients behind the same NAT media can be made to go directly between the clients to lower the Telecommuting Module and network load 46 ...

Страница 55: ... interface of the Telecommuting Module or connect your ssh client to For each network interface you also specify whether or not the Telecommuting Module can be configured via this network interface You also select what kind of authentication will be performed for the users trying to access the administration interfaces To further increase security the Telecommuting Module can only be configured fr...

Страница 56: ...authentication should be made by help of a RADIUS server you must enter one on the RADIUS page When connecting to the administration interface via SSH you can only log in as admin Configuration Transport Select Telecommuting Module IP addresses for the allowed configuration protocols The Telecommuting Module web server will listen for web traffic on the IP addresses and ports selected under HTTP a...

Страница 57: ...elecommuting Module and not somebody else s computer HTTPS uses an encryption method using two keys one secret and one public The secret key is kept in the Telecommuting Module and the public key is used in the certificate If any of the keys is changed the HTTPS connection won t work All local certificates for the Telecommuting Module are created on the Certificates page under Basic Configuration ...

Страница 58: ...computer on the Internet or other insecure networks or use HTTPS or IPsec to connect to the Telecom muting Module from these insecure networks Network address Shows the network address of the DNS Name Or Network Address you entered in the previous field Netmask Bits Netmask Bits is the mask that will be used to specify the configuration computers See chapter 3 of the User Manual for instructions o...

Страница 59: ...configuration traffic Perhaps you want to configure the Telecommuting Module so that configuration traffic from one specific computer is simply logged while traffic from the rest of that computer s network is both logged and generates alarms The rules are used in the order in which they are listed so if the network is listed first all configuration traffic from that network is both logged and gene...

Страница 60: ...ecommuting Module will test the configura tion before you make it permanent During test the Telecommuting Module waits for you to press one of the three buttons displayed If you never see the three buttons something in your preliminary configuration now tested is wrong which makes it impossible for you to access the configuration web interface Duration of limited test mode Here you enter the time ...

Страница 61: ...age which will inform you that the test run was aborted Restarting the Telecommuting Module by cycling the power also cancels the test Show Message About Unapplied Changes When there are settings which are not yet applied a warning about this will be shown on the web pages Select here where this message should be shown The options are On every page On the Save Load Configuration page this page and...

Страница 62: ... you can search among files and directories Go to the right directory and select the file you want to upload Save Load CLI Command File All configurations can be saved to and loaded from a CLI file see chapter 18 of the Refer ence Guide for more information about the CLI You can also edit the CLI file before it is uploaded again Uploading a CLI file might affect the permanent configuration as the ...

Страница 63: ...ommut ing Module from the factory Abort All Edits Abort all edits copies the permanent configuration to the preliminary configuration All changes made in the preliminary configuration are deleted Reload Factory Configuration The factory configuration is the standard configuration that is delivered with a Telecommut ing Module Click on this button to load this configuration into the preliminary con...

Страница 64: ...Chapter 6 Administration of the Telecommuting Module 56 ...

Страница 65: ...both directions Let through UDP traffic between the Internet all high ports and the Telecommuting Module the port interval for media streams which was set on the Basic Settings page You must allow traffic in both directions Let through UDP traffic between the internal networks all high ports and the Telecom muting Module the port interval for media streams which was set on the Basic Settings page ...

Страница 66: ... all high ports and the In ternet port 53 You must allow traffic in both directions This enables the Telecommuting Module to make DNS queries to DNS servers on the Internet If the DNS server is located on the same network as the Telecommuting Module you don t have to do this step NAT between the Telecommuting Module and the Internet must not be used NAT between the Telecommuting Module and the int...

Страница 67: ...l high ports and the Telecommuting Mod ule ports 1024 32767 You must allow traffic in both directions Let through UDP traffic between the Internet all high ports and the Telecommuting Module the port interval for media streams which was set on the Basic Settings page You must allow traffic in both directions Let through UDP traffic between the Telecommuting Module all high ports and the In ternet ...

Страница 68: ...gured with the domain only If you don t want to use the Telecommuting Module as the registrar you should point the clients to the SIP registrar you want to use Other The DNS server used must have a record for the SIP domain which states that the Telecom muting Module handles the domain or many SIP clients won t be able to use it if you don t use plain IP addresses as domains 60 ...

Страница 69: ...ommuting Module 5 interface 19 interface name 20 IP policy 31 limited test mode 52 logging of configuration 50 SIP 38 magic ping 5 MIME types 42 monitor SIP servers 37 network interface 19 network topology 29 networks and computers 26 permanent configuration 4 physical device name 19 ping policy 31 port interval for media streams 36 preliminary configuration 4 router 23 save configuration 53 SIP 3...

Страница 70: ......

Отзывы:

Нет отзывов

Похожие инструкции для BETA

Бренд: Samson Страницы: 92

Бренд: Jafar Страницы: 10

Бренд: Accel Страницы: 8

Бренд: Danfoss Страницы: 16

Бренд: Danfoss Страницы: 20

Бренд: Daktronics Страницы: 5

Бренд: Daikin Страницы: 12

Бренд: Samson Страницы: 32

Бренд: Quantum Страницы: 15

Бренд: Gardena Страницы: 14

Бренд: Gardena Страницы: 4

Бренд: Oldham Страницы: 32

Бренд: H3C Страницы: 14

Бренд: Jäger Страницы: 50

Бренд: vacuubrand Страницы: 12

Бренд: Vacon Страницы: 47

Бренд: Vacon Страницы: 40

Бренд: L-Acoustics Страницы: 24

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды