User Guide
Page 3
Contents Contents Introduction ...5 1.1 Overview ...5 1.2 Default Zones, Interfaces, and Ports 7 1.3 Management Overview ...7 1.4 Web Configurator ...8 1.5 Stopping the ZyWALL ...19 1.6 Rack-mounting ...19 1.7 Front Panel ...20 How to Set Up Your Network ...21 2.1 Wizard Overview ...21 2.2 How to Configure Interfaces... Across the Internet 63 4.1 IPSec VPN ...63 4.2 VPN Concentrator Example ...65 4.3 Hub-and-spoke IPSec VPN Without VPN Concentrator 67 4.4 ZyWALL IPSec VPN Client Configuration Provisioning 69 4.5 SSL VPN ...73 4.6 L2TP VPN with Android, iOS, and Windows 75 4.7 One-Time...
Page 6
...has a lower level of access and can access network resources in and cannot access either. 6 ZyWALL USG100-PLUS User's Guide A user just browses to the ZyWALL's web address and enters his user name and password to securely connect to -use their web browsers for Web Configurator, Web access, SSL VPN, and... ZyXEL IPSec VPN client user logins. In the following figure user A can access both the...
Page 9
.... 3 Type the user name (default: "admin") and password (default: "1234"). If you log in the Update Admin Info screen. See the Quick Start Guide. 2 In your ZyWALL hardware is using the default user name and password, the Update Admin Info screen appears. If you click Ignore..., the Installation Setup Wizard opens if the ZyWALL is properly connected. Chapter 1 Introduction 1.4.1 Web Configurator Access 1...
Page 11
... panel menu items to open status and configuration screens. CLI Click this to display basic information about the commands. Figure 10 Navigation Panel ZyWALL USG100-PLUS User's Guide 11 Console Click this to open a Java-based console window from which configuration items reference an object. Chapter ...ZyWALL's navigation panel menus and their screens. You will be prompted to resize it. The following functions. Object Reference Click this to see an overview of links to log out of the navigation panel to hide the panel or drag to enter your user name and password....
Page 49
.... • ZIP file(s) within a ZIP file. The only exception is specified for FTP in the Policies section. ZyWALL USG100-PLUS User's Guide 49 The ZyWALL scans whatever port number is FTP traffic. For example, when you use FlashGet to download sections of a file using ... Apply. 3.5.1 What Can Go Wrong • The ZyWALL does not scan the following file/traffic types: • Simultaneous downloads of a file simultaneously. • Encrypted traffic. This could be password-protected files or VPN traffic where the ZyWALL is not the endpoint (pass-through VPN traffic). •...
Page 63
...VPN on page 73 • L2TP VPN with Android, iOS, and Windows on page 75 • One-Time Password Version 2 (OTPv2) on the peer IPSec router and try to establish the VPN tunnel. ZyWALL USG100-PLUS User's Guide 63 To trigger the VPN, either end of a VPN tunnel and the IKE SA...IPSec SA). 4.1.1 Test the VPN Connection After you can also connect or disconnect IPSec VPN connections. • Use the VPN Gateway screens to manage the ZyWALL's VPN gateways. You can use the VPN tunnel, and the IPSec SA settings (phase 2 settings). You can also activate or deactivate and connect or ...
Page 69
...to go through the ZyNOS ZyWALL's VPN tunnel is to make sure it without needing a VPN concentrator. • If a ZyNOS-based ZyWALL's remote network setting overlaps with the ZyWALL IPSec VPN Client sends her user name and password to the ZyWALL. 2 The ZyWALL sends the settings for the... matching VPN rule. 4.4.1 Overview of What to Do 1 Create a VPN rule on the ZyWALL using the VPN Configuration Provisioning ...
Page 70
... and password exactly as configured on the ZyWALL, then enter the new one here. Click Next. 70 ZyWALL USG100-PLUS User's Guide Figure 30 ZyWALL IPSec VPN Client with the ZyWALL IPSec VPN Client. 2 Click Configuration > Object > User/Group and create a user account for the ZyWALL IPSec VPN Client...IPSec VPN > Configuration Provisioning and configure it to allow the newly created user to retrieve this rule's settings using the ZyWALL IPSec VPN Client. 4 On the ZyWALL IPSec VPN Client, select Configuration > Get From Server. 5 Enter the WAN IP address or URL for Configuration Provisioning ...
Page 72
...Go Wrong • VPN rule settings violate the ZyWALL IPSec VPN Client restrictions: Check that the client authentication method selected on the ZyWALL is a login problem: Reenter the user name (Login) and password in the ZyWALL IPSec VPN Client exactly as configured on the network environment.... The ZyWALL IPSec VPN Client can also indicate rule violations. Although ...
Page 73
...the local computer, server, or web site SSL users are to be displayed on the remote user screen. If there is installed. With the ZyWALL SecuExtender, you can access network resources, remote desktops and manage files as if he were part of the internal network. Here a user uses ...his user name and password to be able to access. • Click Configuration > VPN > SSL VPN > Access Privilege to configure SSL access policies. • Use the Configuration > VPN ...
Page 76
... VPN > VPN Gateway and double-click the Default_L2TP_VPN_GW entry. Chapter 4 Create Secure Connections Across the Internet Do the following to Pre-Shared Key and configure a password. The address object in the Default_L2TP_VPN_GW. Click Create New Object > Address and create a host type address object that contains the My Address IP address you...a WAN interface with static IP address 172.16.1.2. Select Enable, set Application Scenario to Remote Access and Local Policy to L2TP_IFACE, and click OK. 76 ZyWALL USG100-PLUS User's Guide This example uses topsecret. Select Enable.
Page 80
... Example Use Adobe Reader 9 or later or a recent version of the IPSec VPN gateway the ZyWALL uses for L2TP VPN over IPSec (top-secret in an Android device, go to enter his account and password. 80 ZyWALL USG100-PLUS User's Guide After clicking play, you may need to confirm that you want to... play the content and click play this on page 75. • VPN name is for the user to identify the VPN configuration. • Set VPN server is the ZyWALL's WAN IP...
Page 81
...off. 4.6.6 Configuring L2TP VPN in this example). • RSA SecurID leave this off. • Password is the password for the user's account. • Secret is the pre-shared key of the VPN gateway the ZyWALL is using Windows 7, Vista, or XP. Create a Connection Object 1 Open the Network and Sharing ...VPN configuration example in Section 4.6.1 on page 75. • Description is for the user to identify the VPN configuration. • Server is the ZyWALL's WAN IP address. • Account is the user's account for using the L2TP VPN (L2TP-test in Windows The following to establish an ...
Page 82
In Windows Vista, click Networking. Right-click the L2TP VPN connection and select Properties. 2 In Windows 7, click Security and set the Type of VPN to Layer 2 Tunneling Protocol with IPsec (L2TP/IPSec). Set the Type of VPN to L2TP IPSec VPN and click IPSec Settings. 82 ZyWALL USG100-PLUS User's Guide Chapter 4 Create Secure Connections Across the Internet 5 Enter your ZyWALL user name and password and click Create. 6 Click Close. Configure the Connection Object 1 In the Network and Sharing Center screen, click Connect to a network. Then click Advanced settings.
Page 83
...L2TP VPN 1 In the Network and Sharing Center screen, click Connect to a network, select the L2TP VPN connection and click Connect to the ZyWALL, the ZyWALL establishes an encrypted IPSec VPN tunnel first and then builds an L2TP tunnel inside the encrypted IPSec VPN tunnel. Windows 7 Chapter 4 Create Secure ...encryption since it . Then click OK again to save your ZyWALL user account and click Connect. When you use L2TP VPN to connect to display a login screen. Enter the user name and password of the VPN gateway entry the ZyWALL is inside it is using for L2TP VPN (top-secret in...
Page 84
... the connection is from the L2TP range you received is up a connection icon displays in the example). 84 ZyWALL USG100-PLUS User's Guide Click it and then the L2TP connection to open a status screen. 4 Click the L2TP connection's View status link to open a status ...screen. 5 Click Details to see the address that you specified on the ZyWALL (192.168.10.10-192.168.10.20 in your system tray. Chapter 4 Create Secure Connections Across the Internet 2 A window appears while the user name...
Page 88
Chapter 4 Create Secure Connections Across the Internet 11 Select Optional encryption (connect even if no encryption) and the Allow these protocols radio button. Select Unencrypted password (PAP) and clear all of VPN. Click OK. 14 Click Networking. Click OK. 88 ZyWALL USG100-PLUS User's Guide Select L2TP IPSec VPN as the Type of the other check boxes. Click OK. 12 Click IPSec Settings. 13 Select the Use pre-shared key for authentication check box and enter the pre-shared key used in the VPN gateway configuration that the ZyWALL is using for L2TP VPN.
Page 89
Double-click it to open a status screen. 18 Click Details to see the address that you received from the L2TP range you specified on the ZyWALL (192.168.10.10-192.168.10.20). ZyWALL USG100-PLUS User's Guide 89 Click Connect. 16 A window appears while the user name and password are verified. 17 A ZyWALL-L2TP icon displays in your ZyWALL account. Chapter 4 Create Secure Connections Across the Internet 15 Enter the user name and password of your system tray.
Page 90
... software, hardware OTPv2 tokens, and software OTPv2 tokens for Web Configurator, Web access, SSL VPN, and ZyXEL IPSec VPN client user logins. An attacker cannot reuse an OTP password that was already used for details. 90 ZyWALL USG100-PLUS User's Guide Figure 33 OTPv2 Example ***** OTP PIN SafeWord 2008 Authentication Server File Server...
Page 91
...Users can try to log in. Users must generate a new password for each ZyWALL OTPv2 token's database file (located on the included CD) into the server. 4 Assign users to ZyWALL OTPv2 tokens on the ZyWALL and in the SafeWord 2008 authentication server. 3 Import each login...on the server. 5 Configure the SafeWord 2008 authentication server as a RADIUS server in the ZyWALL's Configuration > Object > AAA Server screens. 6 Configure the appropriate authentication method object to use a password that they have already used to re-use the SafeWord 2008 authentication server RADIUS server object....