3COM Drums Version 4.3 User Manual

3Com® Telecommuting Module User Manual: Version 4.3
Part Number BETA Published December 2005
3Com Corporation, 350 Campus Drive, Marlborough MA 01752-3064
Copyright © 2005, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from 3Com Corporation. 3Com Corporation reserves the right to revise this documentation and to make changes in content from time to time without obligation on the part of 3Com Corporation to provide notification of such revision or change. 3Com Corporation provides this documentation without warranty, term, or condition of any kind, either implied or expressed, including, but not limited to, the implied warranties, terms, or conditions of merchantability, satisfactory quality, and fitness for a particular purpose. 3Com may make improvements or changes in the product(s) and/or the program(s) described in this documentation at any time. If there is any software on removable media described in this documentation, it is furnished under a license agreement included with the product as a separate document, in the hardcopy documentation, or on the removable media in a directory file named LICENSE.TXT or !LICENSE.TXT. If you are unable to locate a copy, please contact 3Com and a copy will be provided to you.
UNITED STATES GOVERNMENT LEGEND
If you are a United States government agency, then this documentation and the software described herein are provided to you subject to the following:
All technical data and computer software are commercial in nature and developed solely at private expense. Software is delivered as "Commercial Computer Software" as defined in DFARS 252.227-7014 (June 1995) or as a "commercial item" as defined in FAR 2.101(a) and as such is provided with only such rights as are provided in 3Com’s standard commercial license for the Software. Technical data is provided with limited rights only as provided in DFAR 252.227-7015 (Nov 1995) or FAR 52.227-14 (June 1987), whichever is applicable. You agree not to remove or deface any portion of any legend provided on any licensed program or documentation contained in, or delivered to you in conjunction with, this guide.
Unless otherwise indicated, 3Com registered trademarks are registered in the United States and may or may not be registered in other countries. 3Com, the 3Com logo, NBX, and SuperStack are registered trademarks of 3Com Corporation. NBX NetSet, pcXset, and VCX are trademarks of 3Com Corporation. Adobe is a trademark and Adobe Acrobat is a registered trademark of Adobe Systems Incorporated. Microsoft, Windows, Windows 2000, Windows NT, and Microsoft Word are registered trademarks of Microsoft Corporation. All other company and product names may be trademarks of the respective companies with which they are associated.

Table of Contents

Part I. Introduction to 3Com VCX IP Telecommuting Module
1. Introduction to 3Com VCX IP Telecommuting Module
2. Installing 3Com VCX IP Telecommuting Module
3. Configuring 3Com VCX IP Telecommuting Module
Part II. How To
4. How To Configure SIP
Part III. Description of 3Com VCX IP Telecommuting Module Settings
5. The Serial Console
6. Basic Configuration
7. Network Configuration
8. SIP Services
9. SIP Traffic
10. Administration
11. Logging
12. Failover
13. Tools
14. Firewall and Client Configuration
Part IV. Appendices
A. More About SIP
B. Troubleshooting
C. Lists of Reserved Ports, ICMP Types and Codes, and Internet Protocols
D. Definitions of terms
E. License Conditions
F. Obtaining Support for Your 3Com Products
Index
Part I. Introduction to 3Com VCX IP Telecommuting Module

Chapter 1. Introduction to 3Com VCX IP Telecommuting Module

Some of the functions of 3Com VCX IP Telecommuting Module are:
SIP proxy: Forwarding of SIP requests.
Protection against such attacks as address spoofing.
Logging/alarm locally on the Telecommuting Module, via email and/or via syslog.
Managing several logical/directly-connected networks and several network connections/physical networks.
Administration of the Telecommuting Module through a web browser using http or https.
Failover - connect two Telecommuting Modules in parallel; one handles traffic and the other acts as a hot standby.
STUN server and Remote SIP Connectivity for SIP clients behind NAT boxes which are not SIP aware (using the Remote SIP Connectivity module).
Note that some of the functions mentioned here are only available if the corresponding extension module has been installed.

What is a Telecommuting Module?

A Telecommuting Module is a device which processes traffic under the SIP protocol (see RFC 3261). The Telecommuting Module receives SIP requests, processes them according to the rules you have set up, and forwards them to the receiver.
The Telecommuting Module connects to an existing enterprise firewall through a DMZ port, enabling the transmission of SIP-based communications without affecting firewall security. SIP messages are then routed through the firewall to the private IP addresses of authorized users on the internal network.
The Telecommuting Module can also be used as an extra gateway to the internal network without connecting to the firewall, transmitting only SIP-based communications.
Configuration alternatives
The 3Com VCX IP Telecommuting Module can be connected to your network in three different ways, depending on your needs.
Note that the interface which should receive traffic from the outside must have a public IP address (no NAT), regardless of which Telecommuting Module Type was selected. For a DMZ or DMZ/LAN type, this means that the interface connected to the DMZ of the firewall must have a public IP address.
DMZ Configuration
Using this configuration, the Telecommuting Module is located on the DMZ of your firewall, and connected to it with only one interface. The SIP traffic finds its way to the Telecommuting Module using DNS or by setting the Telecommuting Module as an outbound proxy on the clients.
This is the most secure configuration, since all traffic goes through both your firewall and your Telecommuting Module. It is also the most flexible, since all networks connected to any of your firewall’s interfaces can be SIP-enabled.
The drawback is that the SIP traffic will pass the firewall twice, which can decrease performance.
Fig 1. Telecommuting Module in DMZ configuration.
DMZ/LAN Configuration
Using this configuration, the Telecommuting Module is located on the DMZ of your firewall, and connected to it with one of the interfaces. The other interface is connected to your internal network. The Telecommuting Module can handle several networks on the internal interface even if they are hidden behind routers. No networks on other interfaces on the firewall can be handled.
This configuration is used to enhance the data throughput, since the traffic only needs to pass your firewall once. This configuration can only support one local network.
Fig 2. Telecommuting Module in DMZ/LAN configuration.
Standalone Configuration
Using this configuration, the Telecommuting Module is connected to your internal network on one interface and the outside world on the other.
Use this configuration only if your firewall lacks a DMZ interface, or for some other reason cannot be configured for the DMZ or DMZ/LAN alternatives.
Fig 3. Telecommuting Module in Standalone configuration.

Quick guide to 3Com VCX IP Telecommuting Module installation

3Com VCX IP Telecommuting Module is easy to install:
Select an IP address for the Telecommuting Module on your network.
The network interfaces are marked with 1 and 2. These numbers correspond to the physical interfaces eth0 and eth1 respectively; the latter names should be used in the installation program.
Plug in the power cord and turn on the Telecommuting Module.
Wait while the Telecommuting Module boots up.
Connect the network cables to the network interfaces.
Find out the MAC address of the Telecommuting Module’s Network Interface 1 (printed on the Telecommuting Module label).
Add a static entry in your local ARP table consisting of the Telecommuting Module’s MAC address and the IP address it should have on Network Interface 1. This is how to add a static ARP entry if you use a Windows computer: Run the command command (or cmd). In the Command window, enter the command arp -s ipaddress macaddress where ipaddress is the new IP address for Network Interface 1, and macaddress is the MAC address printed on the Telecommuting Module, but with all colons (:) replaced with dashes (-).
Ping this IP address to give the Telecommuting Module its new IP address. You should receive a ping reply if the address distribution was successful.
Direct your web browser to the IP address of the Telecommuting Module. You will be prompted to set a password for the Telecommuting Module admin user.
Now you can see the top page of 3Com VCX IP Telecommuting Module. Click on the Telecommuting Module Type link and select the configuration for your Telecommuting Module. The types are described on the web page.
Go to the Network Interface 1 page and enter the necessary configuration. See also the Interface section. Note that the Telecommuting Module must have at least one IP address which can be reached from the Internet.
If one of the Telecommuting Module Types DMZ/LAN or Standalone was chosen, move on to the Network Interface 2 page and give the Telecommuting Module at least one IP address on this interface and state the networks connected to the interface. See also the Interface section.
Go to the Networks and Computers page. Define the networks that will send and receive SIP traffic using the Telecommuting Module. Usually, you need at least one network per interface of the firewall connected to the Telecommuting Module (or, for the Standalone type, per interface of the Telecommuting Module). Some computers should be handled separately, and they therefore need their own networks. See also the Networks and Computers section.
Go to the Basic Configuration page under Basic Configuration and enter a Default gateway and a DNS server. See also the Basic Configuration section.
Go to the Access Control page and make settings for the configuration of the Telecommuting Module. See also the Access Control section.
Go to the Surroundings page (for the DMZ Telecommuting Module Type) and state the networks connected to the firewall. See also the Surroundings section in chapter 7, Network Configuration.
Go to Basic under SIP Services and turn the SIP module on. See also the Basic section.
Go to the Interoperability page. Turn Preserve username and SIP URL encryption on.
If you use a dialing domain which looks like an IP address, enter the dialing domain in the Translation exceptions table. See also the Interoperability section.
For this type of dialing domain, you also need to go to the Routing page. Enter the dialing domain in the DNS Override For SIP Requests table and state the IP address of the SIP server(s) to handle the domain. See also the Routing section.
Go to the Save/Load Configuration page under Administration. Select Apply configuration. Now you can test your new configuration and save it permanently if you are satisfied with it. If the configuration is not satisfactory, select Revert or restart the Telecommuting Module. The old configuration will remain.
When the Telecommuting Module is configured, the firewall connected to it must also be reconfigured (for the DMZ and DMZ/LAN Telecommuting Module Types).
Allow UDP and TCP traffic in the port interval used for media streams by the Telecommuting Module, and port 5060. This traffic must be allowed to all networks which should be reached by SIP traffic.
See also chapter 14, Firewall and Client Configuration, for information on configuring the firewall and the SIP clients, and chapter 4, How To Configure SIP, for Telecommuting Module configuration examples.

Before you start

You could do a rough sketch of your network to make the configuration simpler. Things to think of:
Which IP addresses will the Telecommuting Module interfaces use? You can have more than one IP network on one interface, each requiring a separate IP address for the Telecommuting Module.
Which series of IP addresses will be used on the networks connected to the different interfaces?
Are there networks behind routers?
What is the default gateway for the Telecommuting Module?

About settings in 3Com VCX IP Telecommuting Module

3Com VCX IP Telecommuting Module uses two sets of Telecommuting Module configurations: preliminary and permanent configuration. The permanent configuration is what is used in the active Telecommuting Module. The preliminary configuration is where you change and set the configuration. See chapter 3, Configuring 3Com VCX IP Telecommuting Module, for instructions.
The changes you make in the preliminary configuration are not stored in the permanent configuration until you click on Apply configuration on the Save/Load Configuration page under Administration.
The password configuration and time setting are the exceptions to this rule; they are saved immediately. Change the administrator passwords and create more administrator users on the User Administration page under Administration.
3Com VCX IP Telecommuting Module displays serious errors in red, e.g., if mandatory information is not entered. Blank fields are shown in red. Fields that you correct remain red until you select Save, Add new rows or update the page in some other way.
If you have a web connection with the Telecommuting Module that is inactive for 10 minutes, it will ask for a password again.
Always log out from the Telecommuting Module administration interface when you are not using it. Press the Log out button on the left to log out.
The terms used in the book are explained in appendix D, Definitions of Terms. For a general description of how to configure and administer the Telecommuting Module, see chapter 3, Configuring 3Com VCX IP Telecommuting Module.

Chapter 2. Installing 3Com VCX IP Telecommuting Module

Installation

There are three ways to install a 3Com VCX IP Telecommuting Module: using a serial cable, using a diskette, or performing a magic ping.
Installation with a serial cable or a diskette requires being in the same place as the Telecommuting Module, but gives more options for the start configuration.
Installation with magic ping does not require being in the same place as the Telecommuting Module (but the computer has to be connected to the same logical network as the Telecommuting Module), but restricts the start configuration.

Installation with magic ping

You can use the magic ping to set an IP address for the Telecommuting Module. This is how to perform a magic ping:
Plug in the power cord and turn the Telecommuting Module on.
Wait while the Telecommuting Module boots up.
Connect the network cables to the network interfaces.
Find out the MAC address of the Telecommuting Module (printed on the back of the Telecommuting Module). This is the MAC address of Network Interface 1.
Add a static entry in your local ARP table consisting of the Telecommuting Module’s MAC address and the IP address it should have on Network Interface 1. This is how to add a static ARP entry if you use a Windows computer: Run the command command (or cmd). In the Command window, enter the command arp -s ipaddress macaddress where ipaddress is the new IP address for the Network Interface 1 interface, and macaddress is the MAC address printed on the Telecommuting Module, but with all colons (:) replaced with dashes (-).
Ping this IP address to give the Telecommuting Module its new IP address. You should receive a ping reply if the address distribution was successful.
Configure the rest through a web browser.

Installation with a serial cable

These steps are performed when installing with a serial cable:
Connect the Telecommuting Module to your workstation with a null modem serial cable.
Plug in the power cord and turn the Telecommuting Module on.
Wait while the Telecommuting Module boots up.
Log on from your workstation.
Run the installation program (see following instructions).
Connect the network cables to the network interfaces.
Configure the rest through a web browser.
Connect the Telecommuting Module to your workstation with a null modem serial cable, plug in the power cord and turn the Telecommuting Module on. You will have to wait a few minutes while it boots up.
If you use a Windows workstation, connect like this: Start Hyperterm. A Location dialogue will show, asking for your telephone number and area. Click Cancel followed by Yes. Then you will be asked to make a new connection. Type a name for this connection, select an icon and click OK. The Location dialogue will show again, so click Cancel followed by Yes.
Now you can select Connect using COM1 and click OK. A Port settings dialogue will show, where you select 19200 as Bits per second. Use the default configuration for all other settings. Click OK and wait for a login prompt. (In some cases you have to press Return to get the login prompt.)
If you use a Linux workstation, connect like this: Make sure that there is a symbolic link named /dev/modem which points to the serial port you connected the Telecommuting Module to. Connect using minicom with the bit rate 19200 bits/s, and wait for a login prompt.
Log on as the user admin. The first time you log on, no password is required. You set the password when you run the installation script, which starts automatically when you have logged on.
Each network interface is marked with a name (1 and 2), which corresponds to a tab under Network. All eth interfaces belong to ethernet cards and should only be connected using ethernet cables.
Decide which computer(s) are allowed to configure 3Com VCX IP Telecommuting Module and enter the name of the network interface to which they are connected, for example, Network Interface 1. You must use the physical device name (eth0 and eth1).
Enter the IP address of the Telecommuting Module on this interface and the network mask for the network. A network mask can be written in two ways in 3Com VCX IP Telecommuting Module:
The first looks just like an IP address, for example 255.255.192.0 or 255.255.254.0.
The other way is as a number between 0 and 32. An IP address has 32 bits, where the number of the network mask indicates how many bits are used in the network’s addresses. The rest of the bits identify the computer on the network.
Now, you can select to deactivate any network interfaces. Select y to deactivate all interfaces but the one you just configured. The remaining network interfaces can be activated later when you complete the configuration via the web interface from your workstation. This only applies to interfaces which were previously active; you can’t activate interfaces with this setting.
Now enter the computer or computers from which the Telecommuting Module may be configured (the configuration computers).
Then enter a password for the Telecommuting Module. This is the password you use in your web browser to access and change the Telecommuting Module’s configuration. Finally, you can reset all other configuration if you want to.
Following is a sample run of the installation program.
3Com VCX IP Telecommuting Module Administration
1. Basic configuration
2. Save/Load configuration
3. Become a failover team member
4. Leave failover team and become standalone
5. Wipe email logs
6. Set password
q. Exit admin
==>
Select 1 to install your 3Com VCX IP Telecommuting Module.
Basic unit installation program version 4.3
Press return to keep the default value
Network configuration inside:
Physical device name[eth0]:
IP address [0.0.0.0]: 10.47.2.242
Netmask/bits [255.255.255.0]: 255.255.0.0
Deactivate other interfaces? (y/n) [n]
Computers from which configuration is allowed:
You can select either a single computer or a network.
Configure from a single computer? (y/n) [y]
If you choose to allow only one computer to configure the Telecommuting Module, you are asked for the IP address (the mask is set automatically).
IP address [0.0.0.0]: 10.47.2.240
If this IP address is not on the same network as the IP address of the Telecommuting Module, you are asked for the router. Enter the IP address of the router on the network where the Telecommuting Module is connected. Then enter the network address and mask of the network containing the configuring computer.
Static routing: The computer allowed to configure from is not on a network local to this unit. You must configure a static route to it. Give the IP address of the router on the network the unit is on.
The IP address of the router [0.0.0.0]: 10.47.3.1
Network address [10.47.0.0]: 10.10.0.0
Netmask [255.255.255.0]:
You can choose to allow several computers to configure the Telecommuting Module, by answering no to the question:
Configure from a single computer? (y/n) [y] n
The installation program then asks for the network number. The network number is the lowest IP address in the series of numbers that includes the configuration computers (see chapter 3, Configuring 3Com VCX IP Telecommuting Module). The network mask determines the number of computers that can act as configuration computers.
Network number [0.0.0.0]: 10.47.2.0
Netmask/bits [255.255.255.0]: 255.255.255.0
If the network or partial network is not directly connected to the Telecommuting Module, you must enter the IP address of the router leading to that network. Then enter the network’s address and mask.
Static routing: The network allowed to configure from is not on a network local to this unit. You must configure a static route to it. Give the IP address of the router on the network this unit is on.
The IP address of the router [0.0.0.0]: 10.47.3.1
Network address [10.47.0.0]: 10.10.0.0
Netmask [255.255.255.0]:
Then enter a password.
Password []:
Finally, you are asked if you want to reset other configuration.
Other configuration
Do you want to reset the rest of the configuration? (y/n) [n]
If you answer n, nothing is removed. If you answer y, you have three alternatives to select from:
1. Clear as little as possible. This is the alternative that is used if you answer n to the question above. Both the preliminary and the permanent configurations will be updated with the configuration specified above.
2. Revert to the factory configuration and then apply the configuration specified above. This will affect the permanent but not the preliminary configuration.
3. Revert to the factory configuration and empty all logs and then apply the configuration specified above. Both the preliminary and the permanent configurations will be affected.
Select the update mode, which is what you want to remove.
Update mode (1-3) [1]:
All configuration is now complete. The installation program shows the configuration and asks if it is correct. yes saves the configuration. no runs the installation program over again. abort ends the installation program without saving.
You have now entered the following configuration
Network configuration inside:
Physical device name: eth0
IP address: 192.168.150.2
Netmask: 255.255.255.0
Deactivate other interfaces: no
Computer allowed to configure from:
IP address: 192.168.128.3
Password: eeyore
The rest of the configuration is kept.
Is this configuration correct (yes/no/abort)? yes
Now, finish configuration of the Telecommuting Module from the computer/computers specified in the installation program.

Installation with a diskette

These steps are performed when installing with a diskette:
Select an IP address and store it on the installation diskette as described below.
Insert the installation diskette into the Telecommuting Module’s floppy drive.
Plug in the power cord and turn the Telecommuting Module on.
Connect the network cables to the network interfaces.
Wait while the Telecommuting Module boots up.
Configure the rest through a web browser.
You must first insert the diskette into your PC. If the PC is running Windows, open a Command window and run the finst-en script from the diskette. If the PC is running Linux, mount the diskette, change directory to the mounted one, and run the finst-en script.
Decide which computer(s) are allowed to configure 3Com VCX IP Telecommuting Module and enter the name of the network interface to which they are connected, for example, Network Interface 1. You must use the physical device name (eth0 and eth1).
Enter the IP address of the Telecommuting Module on this interface and the network mask for the network. A network mask can be written in two ways in 3Com VCX IP Telecommuting Module:
The first looks just like an IP address, for example 255.255.192.0 or 255.255.254.0.
The other way is as a number between 0 and 32. An IP address has 32 bits, where the number of the network mask indicates how many bits are used in the network’s addresses. The rest of the bits identify the computer on the network.
Now, you can select to deactivate any network interfaces. Select y to deactivate all interfaces but the one you just configured. The remaining network interfaces can be activated later when you complete the configuration via the web interface from your workstation. This only applies to interfaces which were previously active; you can’t activate interfaces with this setting.
Now enter the computer or computers from which the Telecommuting Module may be configured (the configuration computers).
Then enter a password for the Telecommuting Module. This is the password you use in your web browser to access and change the Telecommuting Module’s configuration. Finally, you can reset all other configuration if you want to.
Following is a sample run of the installation program on the diskette.
Basic unit installation program version 4.3
Press return to keep the default value
Network configuration inside:
Physical device name[eth0]:
IP address [0.0.0.0]: 10.47.2.242
Netmask/bits [255.255.255.0]: 255.255.0.0
Deactivate other interfaces? (y/n) [n]
Computers from which configuration is allowed:
You can select either a single computer or a network.
Configure from a single computer? (y/n) [y]
If you choose to allow only one computer to configure the Telecommuting Module, you are asked for the IP address (the netmask is set automatically).
IP address [0.0.0.0]: 10.47.2.240
If this IP address is not on the same network as the inside of the Telecommuting Module, you are asked for the router. Enter the IP address of the router on the network where the Telecommuting Module is connected. Now enter the network address and mask of the network containing the configuring computer.
Static routing: The computer allowed to configure from is not on a network local to this unit. You must configure a static route to it. Give the IP address of the router on the network the unit is on.
The IP address of the router [0.0.0.0]: 10.47.3.1
Network address [10.47.0.0]: 10.10.0.0
Netmask [255.255.255.0]:
You can choose to allow several computers to configure the Telecommuting Module, by answering no to the question:
Configure from a single computer? (y/n) [y] n
The installation program then asks for the network number. The network number is the lowest IP address in the series of numbers that includes the configuration computers (see chapter 3, Configuring 3Com VCX IP Telecommuting Module). The network mask determines the number of computers that can act as configuration computers.
Network number [0.0.0.0]: 10.47.2.0
Netmask/bits [255.255.255.0]: 255.255.255.0
If the network or partial network is not directly connected to the Telecommuting Module, you must enter the IP address of the router leading to that network. Then enter the network’s address and mask.
Static routing:
The network allowed to configure from is not on a network local to this unit. You must configure a static route to it. Give the IP address of the router on the network this unit is on.
The IP address of the router [0.0.0.0]: 10.47.3.1
Network address [10.47.0.0]: 10.10.0.0
Netmask [255.255.255.0]:
Then enter a password.
Password []:
Finally, you are asked if you want to reset other configuration.
Other configuration
Do you want to reset the rest of the configuration? (y/n) [n]
If you answer n, nothing is removed. If you answer y, you have three alternatives to select from:
1. Clear as little as possible. This is the alternative that is used if you answer n to the question above. Both the preliminary and the permanent configurations will be updated with the configuration specified above.
2. Revert to the factory configuration and then apply the configuration specified above. This will affect the permanent but not the preliminary configuration.
3. Revert to the factory configuration and empty all logs and then apply the configuration specified above. Both the preliminary and the permanent configurations will be affected.
Select the update mode, which is what you want to remove.
Update mode (1-3) [1]:
All configuration is now complete. The installation program shows the configuration and asks if it is correct. yes saves the configuration. no runs the installation program over again. abort ends the installation program without saving.
Now, eject the diskette from your PC and insert it into the Telecommuting Module’s floppy drive. Then power up the Telecommuting Module and wait for it to boot. Then, finish configuration of the Telecommuting Module from the computer/computers specified in the installation program.
Note that the diskette contains a command to erase certain parts of the configuration during boot when the diskette is inserted. Make sure to eject it once the Telecommuting Module has booted up to avoid future loss of data.
If you happen to forget the administrator password for the Telecommuting Module, you can insert the diskette into the Telecommuting Module again and boot it. Note that if you selected anything but 1 as the update mode, you will lose configuration when doing this.

Turning off a Telecommuting Module

Back up the Telecommuting Module configuration (just in case something should happen). You do this on the Save/Load Configuration page under Administration. Once this is done, just turn the computer off. The computer that runs 3Com VCX IP Telecommuting Module is specially designed so that you can switch it off without causing any problems in the file structure.

Remember to lock up the Telecommuting Module

The Telecommuting Module is a computer with special software, and must be protected from unauthorized physical access just as other computers performing critical tasks. A locked up Telecommuting Module protects against:
- connecting to the console
- connecting a keyboard and monitor
- changing the administrator password using the installation diskette
- changing BIOS configuration to allow the Telecommuting Module to be booted from a diskette
For more information about the necessary configuration, see chapter 3, Configuring 3Com VCX IP Telecommuting Module.
Chapter 3. Configuring 3Com VCX IP Telecommuting Module
You connect to your 3Com VCX IP Telecommuting Module by entering its name or IP address in the Location box of your web browser.

Logging on

Before you can configure the Telecommuting Module, you must enter your administrator username and password or RADIUS username and password. The admin user is predefined with complete administration privileges.

Log on again

If you have a web connection for Telecommuting Module configuration that is inactive for more than 10 minutes, you must enter the password again and click on one of the buttons Keep changes below or Abandon changes below.
On all pages where changes have been made, the two buttons Keep changes below and Abandon changes below will be shown when you log on again. Keep changes below connects you to the Telecommuting Module and stores the preliminary configuration you have changed. Abandon changes below connects you to the Telecommuting Module and discards the changes you have made on this page.
On pages where nothing has been changed, the Log in again button is displayed. Enter the password and click on the button to re-connect to the Telecommuting Module.
The Telecommuting Module’s encryption key is changed every 24 hours. If you have a web connection for Telecommuting Module configuration when this happens, you must enter the password again. This works in the same way as when your connection has been inactive for more than 10 minutes (see above).

Log out

When you have finished looking at or adding settings, you should log out from the Telecommuting Module. Below the menu there is a Log out button which will end your session.
Note: You will not be logged out automatically just by directing your web browser to a different web address. You should log out using the button to make the browser forget your username and password.

Navigation

There is a menu for quick navigation to all configuration pages. On top of the page, you also see the name of the Telecommuting Module.

Site Map

The Site Map is the first page displayed when you have logged on to the Telecommuting Module. From this page, you can access Basic Configuration, Administration, Network, Logging, SIP Services, SIP Traffic, and Failover. You can also access a special page by the text links below each category name.

Basic Configuration

Under Basic Configuration, select Telecommuting Module Type and the name of the Telecommuting Module. You also enter IP addresses for gateway and DNS server. Here you also configure if the Telecommuting Module should interact with a RADIUS or an SNMP server.

Administration

Under Administration, you store or load a configuration. You can also test your configuration to see if it works the way you planned, upgrade or reboot your Telecommuting Module, set date and time, and configure administration users and passwords.

Network

Under Network, you enter the Telecommuting Module’s IP address, the routing for the different networks, and define groups of IP addresses which are used in various settings of the Telecommuting Module.

Logging

Under Logging, you specify the type of traffic you want to log/alarm and how it should be logged. You can also view the logs and the traffic load here.

SIP Services

Under SIP Services, you configure interoperability settings and Remote SIP Connectivity.

SIP Traffic

Under SIP Traffic, you configure the SIP traffic through the Telecommuting Module. You can also view current pass-through registrations and SIP sessions.

Failover

Under Failover, you configure the failover team and its dedicated network. You can also view the status of the other team member.

Tools

Under Tools, you find handy tools for troubleshooting. The Telecommuting Module features a packet capturer which produces pcap trace files.

Home

Under Home, you get basic information about the Telecommuting Module’s serial number, software version, installed licenses and patches, and links to more information.

Overview of configuration

Start by installing the Telecommuting Module as described in chapter 2, Installing 3Com VCX IP Telecommuting Module.
Select the Telecommuting Module Type. The Telecommuting Module must have at least one IP address for each network card to work. A routing, or path, for each network must also be set on the interface pages under Network. Go to the Networks and Computers page and enter the networks which are using the Telecommuting Module. For a DMZ Telecommuting Module, also state the Telecommuting Module’s Surroundings.
Then move on to SIP Services and turn the SIP module on. Use logging to analyze the traffic that passes through the Telecommuting Module. Choose to log locally on the Telecommuting Module, send logs to a syslog server or send them by email to an email address. Specify the type of logging wanted under Logging. This is also where the logs of traffic through the Telecommuting Module are viewed.
When the configuration is complete, apply it. Go to Save/Load Configuration under Administration. Select Apply configuration. Now the new configuration is tested. Save it permanently if it works satisfactorily. If the configuration is not satisfactory, select Revert or restart the Telecommuting Module. The old configuration will remain.

Preliminary and permanent configuration

3Com VCX IP Telecommuting Module has two kinds of settings: preliminary and permanent configuration. When the Telecommuting Module is running, the permanent configuration controls the Telecommuting Module functions.
When you configure your Telecommuting Module, you are working with the preliminary configuration. As you change the preliminary configuration, the permanent configuration continues to control the Telecommuting Module functions.
When you are done with the preliminary configuration, you can test it by selecting Apply configuration on the Save/Load Configuration page. Now the preliminary configuration controls the Telecommuting Module functions.
When you are satisfied with the preliminary configuration, you can apply it permanently, which copies the preliminary configuration to the permanent configuration. Now the new configuration controls the Telecommuting Module functions.
You can also copy the permanent configuration to the preliminary configuration. This does not affect the permanent configuration or the Telecommuting Module functions, which are still being run by the permanent configuration. You do this by selecting Abort all edits on the Save/Load Configuration page under Administration. This will discard all changes made in the preliminary configuration since last time you applied a configuration by pressing Save configuration.
You can save the preliminary configuration to a file on your work station (the computer that is running your web browser). Select Save to local file on the Save/Load Configuration page.
A saved configuration can be loaded to the preliminary configuration. Use Browse to search your local computer or enter path and file name in the box. When you have chosen the file you want to load, select Load from local file on the Save/Load Configuration page.
You can save the preliminary configuration to a diskette. Insert a formatted diskette in the Telecommuting Module’s floppy drive and press Save to diskette on the Save/Load Configuration page.
You can load a saved configuration to the preliminary configuration. Insert a diskette containing the saved configuration in the Telecommuting Module’s floppy drive and press Load from diskette on the Save/Load Configuration page.
You can perform all of these functions on the Save/Load Configuration page under Administration.

Configuring IP addresses and masks in 3Com VCX IP Telecommuting Module

IP address

IP addresses are written as four groups of numbers with dots between them. The numbers must be between 0 and 255 (inclusive); for example, 192.168.129.17.

Mask/Bits

The binary system uses the numbers 0 and 1 to represent numbers. A binary digit is called a bit. Eight bits in the binary system can represent numbers from 0 to 255.
The mask indicates how much of the IP address is used for the network address and the computers’ individual addresses, respectively. A mask consists of 8+8+8+8 = 32 bits. Below is a mask with 26 bits set to 1, which means that 26 bits of the IP address are locked to the network address and can’t be changed within the network.
Bits  11111111  11111111  11111111  11000000
No.   255       255       255       192
In the 3Com VCX IP Telecommuting Module, a mask is written either as the number of bits that are 1 or as four numbers (0-255) with dots between the numbers.
Sometimes it can be convenient to give a group of computers a network name, such as Administration, or specify that only a handful of computers can change the Telecommuting Module configuration.
You can form a group of computers with a network name, if the computers have consecutive IP addresses. In order to do this, you must set the mask to indicate that the network group consists of those computers only. The lowest IP address for these computers tells the network number of the group.
This is easiest to explain with a simple example. You have 7 computers that will make up a group called Administration.
Take the nearest power of two above the number of computers you want to include: 2, 4, 8, 16, 32, 64, 128 or 256. Since you have 7 computers, 8 is the nearest. In this example, one IP address is free for future use.
Give the computers consecutive IP addresses. Make the first IP address a multiple of the power of two number you selected, but under 255. In the above example, this means 0, 8, 16, 24, 32, 40, 48 and so on, up to 248. You might choose to start with 136 (17 x 8). This would give the computers the IP addresses 196.176.1.136, 196.176.1.137, 196.176.1.138, 196.176.1.139, 196.176.1.140, 196.176.1.141, 196.176.1.142 and 196.176.1.143. One of the IP addresses is free and can be used for an eighth computer in the future. You must enter the first IP address in the series, 196.176.1.136, in the Network/IP address field.
Now you must set the mask so that only the computers with these eight IP addresses are included in this network. Take 256 and subtract the number of IP addresses in the named network. In the example, we would have 256-8 = 248. The complete mask is 255.255.255.248. Now you have created a group of computers (IP addresses) that you can give a single name, such as Administration.
Table of netmasks.
No. of computers   Mask               Bits
1                  255.255.255.255    32
2                  255.255.255.254    31
4                  255.255.255.252    30
8                  255.255.255.248    29
16                 255.255.255.240    28
32                 255.255.255.224    27
64                 255.255.255.192    26
128                255.255.255.128    25
256                255.255.255.0      24
See appendix C, Lists of Reserved Ports, ICMP Types and Codes, and Internet Protocols, for more information on netmasks.
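The sizing rule above, and the installer's question about which computers may configure the unit (chapter 2), worked through in Python as an added example that is not part of the manual or the product. The function names are made up for this illustration; the addresses are the ones the manual itself uses.

```python
import ipaddress


def plan_group(first_ip, computers):
    """Size a named group of consecutive addresses the way the manual does:
    every address in the block is a member, none is set aside."""
    if not 1 <= computers <= 256:
        raise ValueError("the manual's table covers 1 to 256 computers")
    size = 1
    while size < computers:              # smallest power of two that fits
        size *= 2
    bits = 32 - (size.bit_length() - 1)  # 8 addresses -> 29 bits
    first = ipaddress.IPv4Address(first_ip)
    offset = int(first) % size
    if offset:
        # Masking a misaligned start names a different set of machines
        # than intended, so refuse instead of rounding silently.
        start = ipaddress.IPv4Address(int(first) - offset)
        raise ValueError(f"{first} is not a multiple of {size}; "
                         f"the enclosing block starts at {start}")
    net = ipaddress.IPv4Network(f"{first}/{bits}")
    return {"network": str(net.network_address), "mask": str(net.netmask),
            "bits": bits, "last": str(net[-1]), "spare": size - computers}


def config_access(inside_ip, inside_mask, net_number, net_mask, router=None):
    """Check an answer to 'Computers from which configuration is allowed'
    against the inside interface settings given to the installer."""
    inside = ipaddress.IPv4Interface(f"{inside_ip}/{inside_mask}").network
    # Strict parsing rejects a network number that is not the lowest
    # address of its block (host bits set under the mask).
    allowed = ipaddress.IPv4Network(f"{net_number}/{net_mask}")
    local = allowed.subnet_of(inside)
    if not local:
        if router is None:
            raise ValueError(f"{allowed} is not local to {inside}: "
                             "a static route through a router is needed")
        if ipaddress.IPv4Address(router) not in inside:
            raise ValueError(f"router {router} is not on {inside}")
    return {"allowed": str(allowed), "addresses": allowed.num_addresses,
            "static_route": not local}


if __name__ == "__main__":
    # The Administration group of 7 computers starting at .136
    print(plan_group("196.176.1.136", 7))
    # Sample installer run: one configuring computer on the inside network
    print(config_access("10.47.2.242", "255.255.0.0",
                        "10.47.2.240", "255.255.255.255"))
    # Sample installer run: remote network reached through 10.47.3.1
    print(config_access("10.47.2.242", "255.255.0.0",
                        "10.10.0.0", "255.255.255.0", router="10.47.3.1"))
```

The "addresses" value is the number of hosts that will be able to reach the configuration interface, which is worth checking before a whole network is accepted where a single computer would do.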

Name queries in 3Com VCX IP Telecommuting Module

A Telecommuting Module should be as independent of other computers as possible. At the same time, the person who changes the configuration of the Telecommuting Module may want to use names for the computers instead of IP addresses. Also, the SIP module needs to look up names of SIP domains. This makes it necessary to use a DNS (name server) for SIP requests.
There are three instances when 3Com VCX IP Telecommuting Module uses a DNS server:
- When it receives a SIP request for a SIP domain.
  The results of these DNS queries are stored for a short while in the Telecommuting Module.
- When you change names/IP addresses and save the page.
  The results of these DNS queries are stored in the Telecommuting Module.
- When you click on Look up all IP addresses again.
  The results of these DNS queries are stored in the Telecommuting Module.
3Com VCX IP Telecommuting Module is dependent on a working name server for the SIP functions. However, it doesn’t automatically look up IP addresses in the configuration, which makes it necessary to click on Look up all IP addresses again every time a computer changes its IP address.
When you enter IP addresses in the Telecommuting Module, they are not updated automatically. If you change a name/IP address in a row, the row is updated when you click on Save, switch to another page of the Telecommuting Module user interface, or click on Look up all IP addresses again.
Part II. How To
In the How To part, you find step-by-step descriptions for many common configurations for the Telecommuting Module. You also find references to relevant chapters in Part III, Description of 3Com VCX IP Telecommuting Module settings.
Chapter 4. How To Configure SIP
3Com VCX IP Telecommuting Module provides a lot of SIP possibilities. In this chapter, the most common SIP setups are described with step-by-step instructions for the configuration.

DMZ Telecommuting Module, SIP server on the outside

The simplest SIP scenario is when the SIP server is managed by someone else, and the Telecommuting Module SIP function is only used to traverse NAT.
Note that the Telecommuting Module must have a public (non-NATed) IP address for the SIP signaling to work correctly.
Here are the settings needed for this. It is assumed that the Telecommuting Module already has a network configuration. Only the additional SIP settings are listed.

Networks and Computers

The Telecommuting Module must know the network structure to be able to function properly. On the Networks and Computers page, you define all networks which the Telecommuting Module should serve and which are not reached through the default gateway of the firewall. All computers that can reach each other without having to go through the firewall connected to the Telecommuting Module should be grouped in one network.
You can also define networks and parts of networks for other configuration purposes.

Surroundings

To make the Telecommuting Module aware of the network structure, the networks defined above should be listed on the Surroundings page.
One effect of this is that traffic between two users on different networks, or between one of the listed networks and a network not listed here, is NATed.
Another effect is that for connections between two users on the same network, or on networks where neither is listed in Surroundings, no ports for RTP sessions will be opened, since the Telecommuting Module assumes that they are both on the same side of the firewall.
Normally, at least one network should be listed here. If no networks are listed, the Telecommuting Module will not perform NAT for any traffic.

Basic

Go to the Basic page under SIP Services and turn the SIP module on. Here you also select log classes for SIP event logging.

Interoperability

If Windows Messenger is used for SIP communication, you need to set a parameter on the Interoperability page. Set lr=true status to On under Loose routing.

Routing

On the Routing page, you can enter the SIP server managing your SIP domain. Enter the name or IP address of the SIP server under Outbound proxy.
If you enter the server name here, all SIP traffic from the inside will be directed to this server, regardless of where it is bound.

Basic Configuration

If no other SIP routing information is entered, the Telecommuting Module must be able to look up SIP domains in DNS. DNS servers are entered on the Basic Configuration page under Basic Configuration.

Save/Load Configuration

Finally, go to the Save/Load Configuration page under Administration and apply the new settings by pressing Apply configuration.

DMZ Telecommuting Module, SIP server inside

You might instead have a SIP server of your own, located on the inside or maybe on a DMZ.
If the SIP server is located on a NATed network, DNS queries for the SIP domain should point to the Telecommuting Module, which in turn will forward the SIP traffic to the server.
Note that the Telecommuting Module must have a public (non-NATed) IP address for the SIP signaling to work correctly.
Here are the settings needed for this. It is assumed that the Telecommuting Module already has a network configuration. Only the additional SIP settings are listed.

Networks and Computers

The Telecommuting Module must know the network structure to be able to function properly. On the Networks and Computers page, you define all networks which the Telecommuting Module should serve and which are not reached through the default gateway of the firewall. All computers that can reach each other without having to go through the firewall connected to the Telecommuting Module should be grouped in one network.
You can also define networks and parts of networks for other configuration purposes.

Surroundings

To make the Telecommuting Module aware of the network structure, the networks defined above should be listed on the Surroundings page.
One effect of this is that traffic between two users on different networks, or between one of the listed networks and a network not listed here, is NATed.
Another effect is that for connections between two users on the same network, or on networks where neither is listed in Surroundings, no ports for RTP sessions will be opened, since the Telecommuting Module assumes that they are both on the same side of the firewall.
Normally, at least one network should be listed here. If no networks are listed, the Telecommuting Module will not perform NAT for any traffic.

Basic

Go to the Basic page under SIP Services and turn the SIP module on. Here you also select log classes for SIP event logging.

Routing

If the SIP server is located on a NATed network, all SIP traffic from the outside will be directed to the Telecommuting Module, which must know where to forward it.
One way to do this is to enter the SIP domain in the DNS Override For SIP Requests table on the Routing page, to link the SIP server IP address to the name. The Telecommuting Module will look up the domain here instead of in the DNS server, and send the SIP traffic to the correct IP address.

Interoperability

If Windows Messenger is used for SIP communication, you need to set a parameter on the Interoperability page. Set lr=true status to On under Loose routing.
If the SIP server is an LCS (Live Communications Server) or some other server that does not accept more than one Via header in SIP packets, you must enter the SIP server IP address in the Remove VIA headers table. This will make the Telecommuting Module strip SIP packets of extra Via headers when it sends those packets to the server, and add the Via headers when the response packets are received.

Basic Configuration

If no other SIP routing information is entered, the Telecommuting Module must be able to look up SIP domains in DNS. DNS servers are entered on the Basic Configuration page under Basic Configuration.

Save/Load Configuration

Finally, go to the Save/Load Configuration page under Administration and apply the new settings by pressing Apply configuration.

Standalone Telecommuting Module, SIP server on the outside

The simplest SIP scenario is when the SIP server is managed by someone else, and the Telecommuting Module SIP function is only used to traverse NAT.
Note that the Telecommuting Module must have a public (non-NATed) IP address for the SIP signaling to work correctly.
Here are the settings needed for this. It is assumed that the Telecommuting Module already has a network configuration. Only the additional SIP settings are listed.

Basic

Go to the Basic page under SIP Services and turn the SIP module on. Here you also select log classes for SIP event logging.

Interoperability

If Windows Messenger is used for SIP communication, you need to set a parameter on the Interoperability page. Set lr=true status to On under Loose routing.

Routing

On the Routing page, you can enter the SIP server managing your SIP domain. Enter the name or IP address of the SIP server under Outbound proxy.
If you enter the server name here, all SIP traffic from the inside will be directed to this server, regardless of where it is bound.

Basic Configuration

If no other SIP routing information is entered, the Telecommuting Module must be able to look up SIP domains in DNS. DNS servers are entered on the Basic Configuration page under Basic Configuration.

Save/Load Configuration

Finally, go to the Save/Load Configuration page under Administration and apply the new settings by pressing Apply configuration.

Client Settings

SIP clients will use the Telecommuting Module as their outgoing SIP proxy and the SIP domain as the registrar.

Standalone Telecommuting Module, SIP server inside

You might instead have a SIP server of your own, located on the inside or maybe on a DMZ.
If the SIP server is located on a NATed network, DNS queries for the SIP domain should point to the Telecommuting Module, which in turn will forward the SIP traffic to the server.
Note that the Telecommuting Module must have a public (non-NATed) IP address for the SIP signaling to work correctly.
Here are the settings needed for this. It is assumed that the Telecommuting Module already has a network configuration. Only the additional SIP settings are listed.

Basic

Go to the Basic page under SIP Services and turn the SIP module on. Here you also select log classes for SIP event logging.

Routing

If the SIP server is located on a NATed network, all SIP traffic from the outside will be directed to the Telecommuting Module, which must know where to forward it.
One way to do this is to enter the SIP domain in the DNS Override For SIP Requests table on the Routing page, to link the SIP server IP address to the name. The Telecommuting Module will look up the domain here instead of in the DNS server, and send the SIP traffic to the correct IP address.

Interoperability

If Windows Messenger is used for SIP communication, you need to set a parameter on the Interoperability page. Set lr=true status to On under Loose routing.
If the SIP server is an LCS (Live Communications Server) or some other server that does not accept more than one Via header in SIP packets, you must enter the SIP server IP address in the Remove VIA headers table. This will make the Telecommuting Module strip SIP packets of extra Via headers when it sends those packets to the server, and add the Via headers when the response packets are received.

Basic Configuration

If no other SIP routing information is entered, the Telecommuting Module must be able to look up SIP domains in DNS. DNS servers are entered on the Basic Configuration page under Basic Configuration.

Save/Load Configuration

Finally, go to the Save/Load Configuration page under Administration and apply the new settings by pressing Apply configuration.

Client Settings

SIP clients will use the Telecommuting Module as their outgoing SIP proxy and the SIP domain as the registrar.

DMZ/LAN Telecommuting Module, SIP server on the outside

The simplest SIP scenario is when the SIP server is managed by someone else, and the Telecommuting Module SIP function is only used to traverse NAT.
Note that the Telecommuting Module must have a public (non-NATed) IP address for the SIP signaling to work correctly.
Here are the settings needed for this. It is assumed that the Telecommuting Module already has a network configuration. Only the additional SIP settings are listed.

Basic

Go to the Basic page under SIP Services and turn the SIP module on. Here you also select log classes for SIP event logging.

Interoperability

If Windows Messenger is used for SIP communication, you need to set a parameter on the Interoperability page. Set lr=true status to On under Loose routing.

Routing

On the Routing page, you can enter the SIP server managing your SIP domain. Enter the name or IP address of the SIP server under Outbound proxy.
If you enter the server name here, all SIP traffic from the inside will be directed to this server, regardless of where it is bound.

Basic Configuration

If no other SIP routing information is entered, the Telecommuting Module must be able to look up SIP domains in DNS. DNS servers are entered on the Basic Configuration page under Basic Configuration.

Save/Load Configuration

Finally, go to the Save/Load Configuration page under Administration and apply the new settings by pressing Apply configuration.

Client Settings

SIP clients will use the Telecommuting Module as their outgoing SIP proxy and the SIP domain as the registrar.

DMZ/LAN Telecommuting Module, SIP server inside

You might instead have a SIP server of your own, located on the inside or maybe on a DMZ.
If the SIP server is located on a NATed network, DNS queries for the SIP domain should point to the Telecommuting Module, which in turn will forward the SIP traffic to the server.
Note that the Telecommuting Module must have a public (non-NATed) IP address for the SIP signaling to work correctly.
Here are the settings needed for this. It is assumed that the Telecommuting Module already has a network configuration. Only the additional SIP settings are listed.

Basic

Go to the Basic page under SIP Services and turn the SIP module on. Here you also select log classes for SIP event logging.

Routing

If the SIP server is located on a NATed network, all SIP traffic from the outside will be directed to the Telecommuting Module, which must know where to forward it.
One way to do this is to enter the SIP domain in the DNS Override For SIP Requests table on the Routing page, to link the SIP server IP address to the name. The Telecommuting Module will look up the domain here instead of in the DNS server, and send the SIP traffic to the correct IP address.

Interoperability

If Windows Messenger is used for SIP communication, you need to set a parameter on the Interoperability page. Set lr=true status to On under Loose routing.
If the SIP server is an LCS (Live Communications Server) or some other server that does not accept more than one Via header in SIP packets, you must enter the SIP server IP address in the Remove VIA headers table. This will make the Telecommuting Module strip SIP packets of extra Via headers when it sends those packets to the server, and add the Via headers when the response packets are received.
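The Via handling described for the Remove VIA headers table, modelled in Python as an added example; it is not 3Com's code. Keying the removed headers on the branch parameter of the top Via, treating that top Via as the module's own, and all names and addresses in the sample messages are assumptions made for the illustration.

```python
import re

VIA_NAMES = {"via", "v"}  # "v" is the compact form of the Via header


def split_message(message):
    """Return (start line, [(header name, value)], body) for one SIP message."""
    head, _, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and headers:   # folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def via_hops(message):
    """Every Via hop, top first. One header line may list several hops
    separated by commas (quoted commas are not handled in this model)."""
    hops = []
    for name, value in split_message(message)[1]:
        if name.lower() in VIA_NAMES:
            hops += [hop.strip() for hop in value.split(",") if hop.strip()]
    return hops


def branch_of(hop):
    match = re.search(r";\s*branch\s*=\s*([^;,\s]+)", hop, re.IGNORECASE)
    if not match:
        raise ValueError("Via hop without a branch parameter: " + hop)
    return match.group(1)


def with_vias(message, hops):
    """Rebuild the message with exactly these hops where the first Via stood."""
    start, headers, body = split_message(message)
    rebuilt, placed = [], False
    for name, value in headers:
        if name.lower() not in VIA_NAMES:
            rebuilt.append((name, value))
        elif not placed:
            rebuilt += [("Via", hop) for hop in hops]
            placed = True
    lines = [start] + [f"{name}: {value}" for name, value in rebuilt]
    return "\r\n".join(lines) + "\r\n\r\n" + body


class ViaStripper:
    def __init__(self):
        self.saved = {}   # branch of the top Via -> hops removed below it

    def to_server(self, request):
        hops = via_hops(request)
        if not hops:
            raise ValueError("SIP request without a Via header")
        if len(hops) > 1:
            self.saved[branch_of(hops[0])] = hops[1:]
        return with_vias(request, hops[:1])

    def from_server(self, response):
        fields = response.split(None, 2)
        if len(fields) < 2 or not fields[1].isdigit():
            raise ValueError("not a SIP response")
        hops = via_hops(response)
        if not hops:
            raise ValueError("SIP response without a Via header")
        key = branch_of(hops[0])
        if key not in self.saved:
            return response                 # nothing was stripped for it
        removed = self.saved[key]
        if int(fields[1]) >= 200:           # final response ends the transaction;
            del self.saved[key]             # 1xx responses keep the entry
        return with_vias(response, hops[:1] + removed)


# Constructed sample messages; hosts, tags and branches are made up.
TOP_VIA = "SIP/2.0/UDP tm.example.com:5060;branch=z9hG4bKtm01"
COMMON = ["Call-ID: a84b4c76e66710", "CSeq: 1 INVITE", "Content-Length: 0", "", ""]
INVITE = "\r\n".join([
    "INVITE sip:bob@example.com SIP/2.0",
    "Via: " + TOP_VIA,
    "v: SIP/2.0/UDP proxy.example.net;branch=z9hG4bKpx77,"
    " SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKua42",
    "From: <sip:alice@example.net>;tag=1928",
    "To: <sip:bob@example.com>"] + COMMON)
RINGING = "\r\n".join(["SIP/2.0 180 Ringing", "Via: " + TOP_VIA] + COMMON)
OK = "\r\n".join(["SIP/2.0 200 OK", "Via: " + TOP_VIA] + COMMON)
```

State is kept per transaction until the final response arrives, so a real implementation also needs a timeout for requests that never get one.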

Basic Configuration

If no other SIP routing information is entered, the Telecommuting Module must be able to look up SIP domains in DNS. DNS servers are entered on the Basic Configuration page under Basic Configuration.

Save/Load Configuration

Finally, go to the Save/Load Configuration page under Administration and apply the new settings by pressing Apply configuration.

Client Settings

SIP clients will use the Telecommuting Module as their outgoing SIP proxy and the SIP domain as the registrar.
Part III. Description of 3Com VCX IP Telecommuting Module Settings
This part contains complete descriptions of settings in 3Com VCX IP Telecommuting Module. The descriptions are grouped in the same way as they are in the user interfaces.

Chapter 5. The Serial Console

Some settings are available without logging on to the web interface, by connecting to the Telecommuting Module console via the serial cable instead. Here, the settings available from the console are listed.
The serial console is a text user interface which requires terminal software on your workstation, such as Hyperterm in Windows.

Connecting to the serial console

Connect the Telecommuting Module to your workstation with a null modem serial cable, plug in the power cord and turn the Telecommuting Module on. You will have to wait a few minutes while it boots up.
If you use a Windows workstation, connect like this: Start Hyperterm. A Location dialogue will show, asking for your telephone number and area. Click Cancel followed by Yes. Then you will be asked to make a new connection. Type a name for this connection, select an icon and click OK. The Location dialogue will show again, so click Cancel followed by Yes.
Now you can select Connect using COM1 and click OK. A Port settings dialogue will show, where you select 19200 as Bits per second. Use the default configuration for all other settings. Click OK and wait for a login prompt. (In some cases you have to press Return to get the login prompt.)
If you use a Linux workstation, connect like this: Make sure that there is a symbolic link named /dev/modem which points to the serial port you connected the Telecommuting Module to. Connect using minicom with the bit rate 19200 bits/s, and wait for a login prompt.
Log on as the user admin. The first time you log on, no password is required. You set the password when you run the installation script, which starts automatically when you have logged on.

Main Menu

The first thing you see after logging on as admin is the main menu. Here, you can change password, make a basic configuration of the Telecommuting Module, enter the Telecommuting Module into a failover team, save or load configuration, or remove all log messages from the e-mail queue.
3Com VCX IP Telecommuting Module Administration
1. Basic configuration
2. Save/Load configuration
3. Become a failover team member
4. Leave failover team and become standalone
5. Wipe email logs
6. Set password
q. Exit admin
==>
1. Basic configuration
Basic settings for the Telecommuting Module, such as the IP address and the password. This is one of two ways of giving the Telecommuting Module an IP address. The other way is to perform a magic ping (see chapter 2, Installing 3Com VCX IP Telecommuting Module).
2. Save/Load configuration
Save or upload the configuration using the Zmodem protocol.

3. Become a failover team member

Make this Telecommuting Module member of a failover team.

4. Leave failover team and become standalone

Make this Telecommuting Module leave its failover team.

5. Wipe email logs

Remove all log messages queued to be sent by e-mail.

6. Set password

Set a new password for the admin user.

q. Exit admin

Log out from the admin program.
Basic configuration
Use Basic configuration to give the Telecommuting Module a start configuration. You can assign an IP address to it (for the web GUI), enter the IP addresses of computers allowed to connect to the web GUI and change the administrator password.
Wherever you can enter a value, there will be a default one in brackets, which is the current value. Press Return to select the default value. This is an easy way to fast-forward if you only want to change one of the parameters.

IP address

Give the Telecommuting Module an IP address. The IP address will be added to any addresses already configured on the Telecommuting Module. The IP address entered here is the one that should be used to access the web GUI.
Basic unit installation program version 4.3
Press return to keep the default value
Network configuration inside:
Physical device name[eth0]:
IP address [0.0.0.0]: 10.47.2.242
Netmask/bits [255.255.255.0]: 255.255.0.0
Deactivate other interfaces? (y/n) [n]
Physical device name
Select which interface should get the IP address. The interfaces use their physical names: if you want to use Network Interface 1, enter "eth0", and if you want to use Network Interface 2, enter "eth1".
IP address
Enter the IP address for the Telecommuting Module on the interface above. If the Telecommuting Module didn’t have an IP address before, the default address will be 0.0.0.0. Enter a different address, or the Telecommuting Module will be unreachable via the web GUI.
Netmask/bits
At Netmask/bits, enter the netmask for the network to which the IP address above belongs. The netmask can be written as an IP address or a number of bits (see also chapter 3, Configuring 3Com VCX IP Telecommuting Module).
Deactivate other interfaces
If the Telecommuting Module has been used, one or more interfaces are active. Select here whether all interfaces except the one selected above should be deactivated. You can activate them again via the web GUI.
Configuration computers
Enter the computers from which configuration of the Telecommuting Module is allowed. The computers entered here are the only ones allowed to access the web GUI.
Select between allowing a single computer or an entire network.
Computers from which configuration is allowed:
You can select either a single computer or a network.
Configure from a single computer? (y/n) [y]
Configure from a single computer
If configuration of the Telecommuting Module should be allowed from a single computer only, answer y to the question above. Then enter the IP address of the configuration computer.
IP address [0.0.0.0]: 10.47.2.240
If the configuration computer is on the same network as the Telecommuting Module, these are all configuration settings needed. If the configuration computer is on a different network, the Telecommuting Module will ask for routing to that network.
Static routing: The computer allowed to configure from is not on a network local to this unit. You must configure a static route to it. Give the IP address of the router on the network the unit is on.
The IP address of the router [0.0.0.0]: 10.47.3.1
Network address [10.47.0.0]: 10.10.0.0
Netmask [255.255.255.0]:
To let the Telecommuting Module know where traffic to the configuration computer should be sent to, you must enter the router it should use here. Enter the router which is on the same network as the Telecommuting Module and which is used to route traffic to the configuration computer.
You should also enter the network to which the configuration computer is connected.
Configure from multiple computers
If configuration of the Telecommuting Module should be allowed from more than one computer, answer n to the question above. Then enter the network address of the network to which the configuration computers are connected. This will allow all computers on this network to configure the Telecommuting Module.
Network number [0.0.0.0]: 10.47.2.0
Netmask/bits [255.255.255.0]: 255.255.255.0
Enter the network address and netmask for the configuration computer network. If they are on the same network as the Telecommuting Module, these are all configuration settings needed. If the configuration computers are on a different network, the Telecommuting Module will ask for routing to that network.
Static routing: The network allowed to configure from is not on a network local to this unit. You must configure a static route to it. Give the IP address of the router on the network this unit is on.
The IP address of the router [0.0.0.0]: 10.47.3.1
Network address [10.47.0.0]: 10.10.0.0
Netmask [255.255.255.0]:
Enter the IP address of the router and the network to which the configuration computers are connected. This could be a bigger network than the one entered to distinguish the configuration computers.

Password

Set a password for the Telecommuting Module here.
Password []:
Note that the password will be printed on the screen when entered. It will also be shown when all settings are made.

Other

You can also select if all other configuration should be removed or not.
Other configuration
Do you want to reset the rest of the configuration? (y/n) [n]
If you answer n, nothing is removed. If you answer y, you have three alternatives to select from:
1. Clear as little as possible. This is the alternative that is used if you answer n to the question above. Both the preliminary and the permanent configurations will be updated with the configuration specified above.
2. Revert to the factory configuration and then apply the configuration specified above. This will affect the permanent but not the preliminary configuration.
3. Revert to the factory configuration and empty all logs and then apply the configuration specified above. Both the preliminary and the permanent configurations will be affected.
Update mode (1-3) [1]:
When all settings are entered, they are shown on the screen to be confirmed.
Is this configuration correct (yes/no/abort)?
yes will make the Telecommuting Module reboot using the new settings.
no will make the Telecommuting Module go through the Basic configuration questions again and allow you to change settings.
abort will make the Basic configuration script end without changing any settings.
Save/Load configuration
Here, you can save your configuration to a file or load a configuration from a file. The transfer is made using the Zmodem protocol, which can be found in terminal software such as Hyperterminal.
Load preliminary configuration
The configuration file selected here will be uploaded as a preliminary configuration. The permanent configuration will not be affected.
To load the configuration, select this alternative and then start the transfer in your terminal program.
Load both configurations and apply
The configuration file selected here will be uploaded as both the preliminary and the permanent configuration. When the upload is finished, the configuration will be applied.
To load the configuration, select this alternative and then start the transfer in your terminal program.
Save preliminary configuration
Save the preliminary configuration to a file. If your terminal program starts the transfer automatically, the file will be named config.cfg.
Save permanent configuration
Save the permanent configuration to a file. If your terminal program starts the transfer automatically, the file will be named config.cfg.

Main menu

Select this alternative to return to the main menu.

Become a failover team member

Here, you make the Telecommuting Module the second member of a failover team. All current configuration will be removed. The Telecommuting Module will receive its new configuration from the first member of the team.
Dedicated network interface [eth0]:
Select the network interface which will be directly connected to the other Telecommuting Module in the team. This interface will be used to synchronize the configurations and can’t be used for anything else. The interfaces use their physical names: if you want to use Network Interface 1, enter "eth0", and if you want to use Network Interface 2, enter "eth1".
IP network address for eth0 [10.120.121.64]:
Enter the network address for this interface. The network address must be the same as the one entered for the first member of the failover team. If you used the default values for that Telecommuting Module you can do the same here.
IP netmask for eth0 [255.255.255.252]:
Enter the netmask for the network. The netmask must be big enough to comprise IP addresses for two computers, a network address and a broadcast address, i.e. at least four addresses. The default netmask (255.255.255.252) should suffice. There is no use in assigning a larger network, since the Telecommuting Modules should be connected via a crossover TP cable.
Current configuration:
Dedicated interface: eth0
Network address: 10.120.121.64
Network mask: 255.255.255.252
Is this configuration correct (yes/no/abort)?
When all settings are made they are shown.
yes will make the Telecommuting Module reboot, remove all current configuration and apply the new settings. It will then wait for configuration from the other team member.
no will make the Telecommuting Module start over again asking for new settings, starting with the dedicated interface.
abort will abort the failover configuration and return to the main menu without changing any settings on the Telecommuting Module.

Leave failover team and become standalone

Here, you make the Telecommuting Module leave its failover team. The Telecommuting Module will keep the configuration from the team except the failover settings.
This will change the operation mode from being a member of a failover team to become a standalone machine. The machine will reboot to complete this procedure.
Do you want to proceed (yes/no)?
yes will make the Telecommuting Module leave the failover team and reboot as a standalone unit.
no will make you return to the main menu without changing any settings.

Wipe email logs

Here, you can erase all log messages queued for sending via email to one or more receivers. This can be useful if you have mistakenly made settings that log many events via email, which fills the queue rapidly.
This will remove all email logs that are waiting to be sent.
Do you want to proceed (yes/no)?
yes will remove all log messages from the email queue. These messages are not saved to file or similar before removed. If you log locally as well as via email, the local log will not be affected by this.
Note that this will only remove messages already queued up for sending. To prevent further queue jams, you must also change log classes for the events in question (see chapter 11, Logging).
no will make you return to the main menu without removing anything.

Set password

Here, you can change password for the admin user.
Old password:
New password:
New password again:
As this option requires that you are logged on as admin, you need to know the current password in order to change it to a new one. If you have forgotten the password, you must use the installation diskette to set a new one.

Exit admin

Select Exit admin to log out.
Chapter 6. Basic Configuration
Under Basic Configuration, you configure:
Telecommuting Module Type
The name of the Telecommuting Module
The computers and networks from which the Telecommuting Module can be administered
Policies for ping packets and unwanted packets
Default domain
Default gateways and DNS servers
RADIUS configuration
SNMP configuration
Creation of Telecommuting Module certificates and upload of CA certificates
This configuration is usually not changed very often.
Basic Configuration
On the Basic Configuration page, general settings for the Telecommuting Module are made. The most important ones for getting started are the default gateway and, for SIP, the DNS server.

General

Name of this Telecommuting Module
Here, you can give your 3Com VCX IP Telecommuting Module a name. The name of the Telecommuting Module is displayed in the title bar of your web browser. This can be a good idea if you administer several Telecommuting Modules. The name is also used if you use SNMP and when you export log files into the WELF format.
Default domain
Here, you can enter a default domain for all settings. If a default domain is entered, the Telecommuting Module will automatically assume that an incomplete computer name should be completed with the default domain. If, for example, Default domain contains company.com, you could enter only axel as the name of the computer axel.company.com. If no default domain should be used, the Default domain field should contain a single dot (.).
IP policy
Here, you specify what will happen to IP packets which are neither SIP packets, SIP session media streams, nor Telecommuting Module administration traffic. Discard IP packets means that the Telecommuting Module ignores the IP packets without replying that the packet did not arrive. Reject IP packets makes the Telecommuting Module reply with an ICMP packet telling that the packet did not arrive.
Policy For Ping To the Telecommuting Module
Here, you specify how the Telecommuting Module should reply to ping packets to its IP addresses. You can choose between Never reply to ping, Only reply to ping from the same interface and Reply to ping to all IP addresses. Only reply to ping from the same interface means that the ping request should originate from a network which is directly connected to the pinged interface of the Telecommuting Module or from a network to which there exists a static route from the pinged interface, or the request will be ignored.
Ping is a way of finding out whether a computer is working. See appendix D, Definitions of Terms, for further information on ping.

Default Gateways

A Default Gateway is the IP address of a router that is used to contact the outside world. This IP address is usually the firewall. Default Gateway must be an IP address from one of the Directly Connected Networks of the Telecommuting Module’s interfaces. See appendix D, Definitions of Terms, for further description of routers/gateways.
The Telecommuting Module must have at least one default gateway to work. You can enter more than one default gateway. The Telecommuting Module will use one of them until it stops responding, and then switch to the next one.
DNS name or IP address
Enter the DNS name or IP address for the default gateway. If an interface will receive its IP address from a DHCP server, the Telecommuting Module will get its default gateway from the server, and Default Gateway must be set to "*".
IP address
Shows the IP address of the DNS name or IP address you entered in the previous field.

Gateway Reference Hosts

The gateway reference hosts are used by the Telecommuting Module to check if the gateways are alive. For each reference host, test ping packets are sent, using the different gateways.
Reference hosts are only needed when multiple default gateways are used.
DNS name or IP address
Enter the DNS name or IP address for the reference host. The reference host must be located on the other side of the default gateway.
IP address
Shows the IP address of the DNS name or IP address you entered in the previous field.

DNS Servers

Here, you configure DNS servers for the Telecommuting Module. The servers are used in the order they appear in this table, which means that the Telecommuting Module uses the top server to resolve DNS records until it doesn’t reply. Only then is server number two contacted.
No.
The DNS servers are used in the order they are presented in the table. To move a server to a certain row, enter the number on the row to which you want to move it. You need only renumber servers that you want to move; other servers are renumbered automatically. When you click on Save, the DNS servers are re-sorted.
DNS Name Or IP Address
The DNS name/IP address of the DNS server which the Telecommuting Module should use. Note that to use DNS names here, there must exist a DNS server in the Telecommuting Module’s permanent configuration.
IP address
Shows the IP address of the DNS name or IP address you entered in the previous field.
Delete Row
If you select this box, the row is deleted when you click on Add new rows, Save, or Look up all IP addresses again.
Create
Enter the number of new rows you want to add to the table, and then click on Create.

Save

Saves the Basic Configuration configuration to the preliminary configuration.

Cancel

Reverts all the above fields to their previous configuration.

Look up all IP addresses again

Looks up the IP addresses for all DNS names on this page in the DNS servers you entered above.

Access Control

On the Access Control page, settings are made which control the access to the Telecommuting Module administration web interface.
Select one or two configuration IP addresses for the Telecommuting Module. The configuration address is the IP address to which you direct your web browser to access the web interface of the Telecommuting Module.
For each network interface, you also specify whether or not the Telecommuting Module can be configured via this network interface.
You also select what kind of authentication will be performed for the users trying to access the web interface.
To further increase security, the Telecommuting Module can only be configured from one or a few computers that are accessed from one of these interfaces. Enter the IP address or addresses that can configure the Telecommuting Module. The IP addresses can belong to one or more computers.
Configuration Allowed Via Interface
Specify whether or not this interface can be used to configure the Telecommuting Module. The choices are On and Off. This configuration is a complement to the Configuration Computers setting below.

User Authentication

Select where the administrator database is: Local users (administrator users are defined locally on the Telecommuting Module), RADIUS (administrator users are defined on an external RADIUS server), or a choice between the two alternatives at login (Local users or RADIUS database).
Local administrator users and their passwords are defined on the User Administration page under Administration. If the authentication should be made by help of a RADIUS server, you must enter one on the RADIUS page.
Configuration Transport
Select one or two Telecommuting Module IP addresses. The Telecommuting Module web server will listen for web traffic on the selected IP addresses and ports.
This is the IP address and port which should be entered in your web browser to connect to the Telecommuting Module.
Configuration via HTTP
Select which IP address and port the Telecommuting Module administrator should direct her web browser to when HTTP is used for Telecommuting Module configuration. You can select from the Telecommuting Module IP addresses configured on the Interface pages under Network.
You can use different IP addresses for HTTP and HTTPS configuration.
Configuration via HTTPS
Select which IP address and port the Telecommuting Module administrator should direct her web browser to when HTTPS is used for Telecommuting Module configuration. You can select from the Telecommuting Module IP addresses configured on the Interface pages under Network.
You can use different IP addresses for HTTP and HTTPS configuration.
You also need to select a TLS certificate, which works as an ID card, identifying the Telecommuting Module to your web browser. This will ensure that you are really communicating with your Telecommuting Module and not somebody else’s computer. TLS uses an encryption method using two keys, one secret and one public. The secret key is kept in the Telecommuting Module and the public key is used in the certificate. If any of the keys is changed, the TLS connection won’t work.
The certificate is created on the Certificates page.
Configuration Computers
Enter the IP address or addresses that can configure the Telecommuting Module. The IP addresses can belong to one or more computers.
Note that you must also allow configuration via the Telecommuting Module interface that the computers are connected to. See Configuration Allowed Via Interface above.
DNS Name Or Network Address
Enter the DNS name or IP address of the computer or network from which the Telecommuting Module can be configured. Avoid allowing configuration from a network or computer on the Internet or other insecure networks, or use HTTPS or VPN to connect to the Telecommuting Module from these insecure networks.
Network Address
Shows the IP address of the DNS Name Or Network Address you entered in the previous field.
Netmask/Bits
Netmask/Bits is the mask that will be used to specify the configuration computers. See chapter 3, Configuring 3Com VCX IP Telecommuting Module, for instructions on writing the netmask. To limit access so that only one computer can configure, use the netmask 255.255.255.255. You can also specify the netmask as a number of bits, which in this case would be 32. To allow configuration from an entire network, you must enter the network address under Network address, and a netmask with a lower number here. To allow configuration from several computers or networks, create several lines for the information.
Range
The Range shows all IP addresses from which the Telecommuting Module can be configured. The range is calculated from the configuration under DNS name or network address and Netmask/Bits. Check that the correct information was entered in the DNS name or network address and Netmask/Bits fields.
Log Class
Here, you enter what log class the Telecommuting Module should use to log the configuration traffic to the Telecommuting Module’s web server. Log classes are defined on the Log Classes page under Logging. See also chapter 11, Logging.
Log Rule No.
The Log Rule No. field determines the order of the lines. The order is important in deciding what is logged and warned for. The Telecommuting Module uses the first line that matches the configuration traffic.
Perhaps you want to configure the Telecommuting Module so that configuration traffic from one specific computer is simply logged while traffic from the rest of that computer’s network is both logged and generates alarms.
The rules are used in the order in which they are listed, so if the network is listed first, all configuration traffic from that network is both logged and generates alarms, including the traffic from that individual computer. But if the individual computer is listed on a separate line before the network, that line will be considered first and all configuration traffic from that computer is only logged while the traffic from the rest of the computer’s network is both logged and generates alarms.
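The Range calculation and the first-match Log Rule No. ordering described above, as an added example that is not part of the 3Com manual or the product's code. The rows, addresses and log class names are constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed Configuration Computers rows:
# (log rule no., network address, netmask or bits, log class).
# The log class names are placeholders, not names from the product.
ROWS = [
    (1, "10.47.2.240", "255.255.255.255", "log-only"),
    (2, "10.47.2.0", "24", "log-and-alarm"),
]


def _network(address, mask):
    # strict=True rejects a host address entered together with a
    # network-sized mask, the mistake the Range column helps to catch.
    return ipaddress.ip_network(f"{address}/{mask}", strict=True)


def row_range(address, mask):
    """Return (first, last) address of a row, like the Range column."""
    net = _network(address, mask)
    return str(net[0]), str(net[-1])


def match_rule(rows, source_ip):
    """Return the log class of the first row, in Log Rule No. order,
    that covers source_ip. None means no row allows this computer."""
    src = ipaddress.ip_address(source_ip)
    for _, address, mask, log_class in sorted(rows, key=lambda r: r[0]):
        if src in _network(address, mask):
            return log_class
    return None


def shadowed_rules(rows):
    """Return the rule numbers that can never match because an earlier
    row already covers their whole range."""
    ordered = sorted(rows, key=lambda r: r[0])
    nets = [_network(address, mask) for _, address, mask, _ in ordered]
    hidden = []
    for i, net in enumerate(nets):
        if any(net.subnet_of(earlier) for earlier in nets[:i]):
            hidden.append(ordered[i][0])
    return hidden


if __name__ == "__main__":
    for number, address, mask, log_class in ROWS:
        print(number, row_range(address, mask), log_class)
    print(match_rule(ROWS, "10.47.2.240"))  # single computer listed first
    print(match_rule(ROWS, "10.47.2.17"))   # rest of that network
    print(shadowed_rules(ROWS))
```

Running `shadowed_rules` over an exported rule list shows rows whose log class is never applied because a wider network sits above them.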
Delete Row
If you select this box, the row is deleted when you click on Add new rows, Save, or Look up all IP addresses again.
Create
Enter the number of new rows you want to add to the table, and then click on Create.

Save

Saves the Access Control configuration to the preliminary configuration.

Cancel

Reverts all the above fields to their previous configuration.

Look up all IP addresses again

Looks up the IP addresses for all DNS names on this page in the DNS servers you entered on the Basic Configuration page.

RADIUS

RADIUS (Remote Authentication Dial-In User Service) is an authentication system consisting of one or more servers, and clients using the servers to authenticate users. You could, for example, equip the company modems with RADIUS clients, demanding that a user connecting to a modem first identifies himself to the RADIUS server. Servers and clients communicate via UDP.
3Com VCX IP Telecommuting Module uses RADIUS for authentication of Telecommuting Module administration.

RADIUS Servers

Enter the server(s) that the Telecommuting Module should use. When more than one RADIUS server is entered, make sure that their databases contain the same data, since the Telecommuting Module regards them all alike and uses the server which first replies to a request.
RADIUS server
Enter the DNS name or IP address for the RADIUS server used for authentication. In IP address, the IP address of the server is shown. It is updated whenever Look up all IP addresses again is pressed, or the DNS name or IP address field is changed.
Port
The official port for RADIUS is UDP port 1812. However, several RADIUS servers use port 1645, so you may have to change the port number either on the RADIUS server or in the table.
Secret
A RADIUS authentication requires a ’shared secret’, which must be the same on both sides. Since the secret is used as an encryption key, it is important that it is kept a secret. Since the secret is saved unencrypted in the Telecommuting Module configuration, you should be careful with where you store the configuration.
Delete Row
If you select this box, the row is deleted when you click on Add new rows, Save, or Look up all IP addresses again.
Create
Enter the number of new rows you want to add to the table, and then click on Create.
Identifier
A RADIUS client may use either of two ways to identify itself to the RADIUS server: an IP address or a name (identifier). You must use at least one of these ways, or the authentication will fail.
Select here which method to use. The address or name in use must be registered at the RADIUS servers specified in the top table, and must be unique in that RADIUS database.
Use NAS-IP-Address
If you select Yes, the Telecommuting Module’s IP address (the address selected under Contact IP Address) will be enclosed as identity. If you select No, you must enter a NAS-Identifier for the Telecommuting Module.
NAS-Identifier
You can enter a special identifier into this field. All characters except space are allowed according to the Telecommuting Module, but your RADIUS server may have some restrictions on the identifier.

Contact IP Address

Select the IP address from which the Telecommuting Module should make connections to RADIUS servers. A convenient choice of address is one on the interface closest to the RADIUS server.
Contact RADIUS servers from
Select a contact address from the IP addresses configured for the interfaces under Directly Connected Networks and Alias.

Status for RADIUS servers

At the bottom of the page the status for the RADIUS servers is shown. Radiusmux is the part of 3Com VCX IP Telecommuting Module that connects to the RADIUS servers.
If no authentication by RADIUS is configured, the radiusmux is not run. When you apply a configuration which involves contacting a RADIUS server, the radiusmux is started.
RADIUS server
The IP address for this RADIUS server.
Score
Radiusmux gives points (the scale is 1 to 40, inclusive) to the different servers according to their performance. The better the server performance, the higher the score. Radiusmux uses the score to select which server to query primarily.
Sent requests
The number of UDP packets sent to this server.
Received replies
The number of UDP packets received from this server.
Consecutive sends
The number of consecutive UDP packets sent without response from the server.
Recent average response time
A calculated average of response time for packets for which response has been received.
Free slots
The RADIUS server allocates a certain number of slots for each RADIUS client, and every pending request from the Telecommuting Module occupies a slot. Here you see the current number of free slots.

Save

Saves the RADIUS configuration to the preliminary configuration.

Cancel

Reverts all of the above fields to their previous configuration.

Look up all IP addresses again

Looks up the IP addresses for all DNS names on this page in the DNS servers you entered on the Basic Configuration page.
Configuration of a RADIUS server
In this section it is assumed that you know how to configure your RADIUS server. Consult your RADIUS manual for details.
Add the Telecommuting Module as a client in the RADIUS server. Make sure that the shared secret here is the same as in the Telecommuting Module.
The Telecommuting Module checks the permissions for a user by looking at its RADIUS attribute Service-Type. If the Service-Type has the value Administrative (6), the user is allowed to configure the Telecommuting Module.
For the various privileges for users, there is a 3Com-specific RADIUS attribute defined thus:
VENDOR 3Com 43
ATTRIBUTE 3Com-Admin-Account 1 integer 3Com
#
# Type of administrator account.
#
VALUE 3Com-Admin-Account Full-Access-Admin 1
VALUE 3Com-Admin-Account Backup-Admin 2
VALUE 3Com-Admin-Account Read-Only-Admin 3
VALUE 3Com-Admin-Account VPN-Admin 4
VALUE 3Com-Admin-Account SIP-Admin 5
More information about RADIUS can be found in RFC 2865.
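How the Service-Type check and the 3Com-Admin-Account attribute look on the wire in the RFC 2865 format, as an added example that is not part of the 3Com manual or the product's code. It assumes both attributes arrive in the Access-Accept reply; the packets, the secret and the function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2        # RFC 2865 packet code
SERVICE_TYPE = 6         # RFC 2865 attribute type
VENDOR_SPECIFIC = 26     # RFC 2865 attribute type
ADMINISTRATIVE = 6       # Service-Type value the manual requires
VENDOR_3COM = 43         # "VENDOR 3Com 43" in the manual's dictionary
ADMIN_ACCOUNT = 1        # "ATTRIBUTE 3Com-Admin-Account 1 integer"
ACCOUNT_NAMES = {1: "Full-Access-Admin", 2: "Backup-Admin",
                 3: "Read-Only-Admin", 4: "VPN-Admin", 5: "SIP-Admin"}


def build_reply(code, ident, request_auth, secret, attrs):
    """Build a constructed server reply (test data only)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + auth + body


def authenticator_ok(packet, request_auth, secret):
    """Check the Response Authenticator, which only a holder of the
    shared secret can compute for this request."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return False
    packet = packet[:length]
    digest = hashlib.md5(
        packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(digest, packet[4:20])


def tlvs(data):
    """Yield (type, value) pairs from a type/length/value run and
    reject lengths that run past the buffer."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        length = data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        yield data[pos], data[pos + 2:pos + length]
        pos += length


def admin_rights(packet, request_auth, secret):
    """Return (may_configure, account_type_name_or_None) for one reply."""
    if not authenticator_ok(packet, request_auth, secret):
        raise ValueError("response authenticator mismatch")
    length = struct.unpack("!H", packet[2:4])[0]
    service_type = account = None
    for attr_type, value in tlvs(packet[20:length]):
        if attr_type == SERVICE_TYPE and len(value) == 4:
            service_type = struct.unpack("!I", value)[0]
        elif attr_type == VENDOR_SPECIFIC and len(value) > 4:
            vendor = struct.unpack("!I", value[:4])[0]
            if vendor != VENDOR_3COM:
                continue
            for sub_type, sub_value in tlvs(value[4:]):
                if sub_type == ADMIN_ACCOUNT and len(sub_value) == 4:
                    account = struct.unpack("!I", sub_value)[0]
    allowed = packet[0] == ACCESS_ACCEPT and service_type == ADMINISTRATIVE
    return allowed, ACCOUNT_NAMES.get(account)


# Constructed sample values, not captured traffic.
REQUEST_AUTH = bytes(range(16))
SECRET = b"constructed-shared-secret"
VSA_READ_ONLY = struct.pack("!IBBI", VENDOR_3COM, ADMIN_ACCOUNT, 6, 3)
ACCEPT_ADMIN = build_reply(ACCESS_ACCEPT, 7, REQUEST_AUTH, SECRET, [
    (SERVICE_TYPE, struct.pack("!I", ADMINISTRATIVE)),
    (VENDOR_SPECIFIC, VSA_READ_ONLY),
])
ACCEPT_LOGIN = build_reply(ACCESS_ACCEPT, 8, REQUEST_AUTH, SECRET, [
    (SERVICE_TYPE, struct.pack("!I", 1)),   # 1 = Login, not Administrative
])

if __name__ == "__main__":
    print(admin_rights(ACCEPT_ADMIN, REQUEST_AUTH, SECRET))
    print(admin_rights(ACCEPT_LOGIN, REQUEST_AUTH, SECRET))
```

A reply checked with the wrong secret fails the authenticator test, which is why the same shared secret must be entered on both the RADIUS server and the Telecommuting Module.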

SNMP

SNMP is a network monitoring protocol, which enables a single server to monitor one or more networks, including all network equipment like routers and firewalls. 3Com VCX IP Telecommuting Module supports SNMP and can accordingly be monitored automatically.
The monitoring signaling consists of two main parts. The SNMP server sends requests to the Telecommuting Module, which replies with a list of network parameters and their values for the Telecommuting Module. The Telecommuting Module can also send messages (traps) without the server prompting, when someone sends a request without valid authentication and when the Telecommuting Module boots.
The 3Com VCX IP Telecommuting Module can only send parameters to the server; no changes of configuration can be made through SNMP requests.
For more information about SNMP, read RFC 1157.

General

Here, decide whether the SNMP signaling should be activated. You can also enter contact information for the Telecommuting Module.
Contact person
Enter the name of the contact person for this 3Com VCX IP Telecommuting Module. This information is sent with the parameter list as reply to an SNMP request from the server.
Node location
Enter the location of the Telecommuting Module. This information is sent with the parameter list as reply to an SNMP request from the server.
The Telecommuting Module IP address to respond to SNMP requests
Enter the IP address of the Telecommuting Module to which the SNMP servers should direct their requests. Select from the addresses defined on the Interface pages under Network.
Servers allowed to contact the Telecommuting Module via SNMP
Select the SNMP server(s) which are allowed to contact the Telecommuting Module. You select from the network groups defined on the Networks and Computers page under Network.

SNMP v1 and v2c

In SNMP version 1 and 2c, the authentication is managed through an unencrypted password, a community. Here, you select if the Telecommuting Module should accept access via v1 or v2c, and enter the valid communities.
Access via SNMPv1 and SNMPv2c
Select if access via SNMP version 1 or 2c (using communities as the authentication method) should be On or Off.
Community
Enter a password. Note that this password is stored unencrypted.
Delete Row
If you select this box, the row is deleted when you click on Add new rows, Save, or Look up all IP addresses again.
Create
Enter the number of new rows you want to add to the table, and then click on Create.

SNMP v3

In SNMP version 3, the authentication is managed through the server sending a username and an (in most cases) encrypted password to the Telecommuting Module, which verifies their validity.
Here, you select if the Telecommuting Module should accept access via v3, and select the authentication and encryption used for the SNMP requests.
Access via SNMPv3
Select if access via SNMP version 3 (using usernames and encrypted passwords as the authentication method) should be On or Off.
User
Enter a username which the server should use when contacting the Telecommuting Module.
Password
Press the Change password button to enter a password for this user.
Authentication
Select the authentication algorithm to use for SNMP requests. 3Com VCX IP Telecommuting Module supports the MD5 and SHA-1 algorithms.
Privacy
Select whether the SNMP request should be encrypted using DES or not encrypted at all.
Delete Row
If you select this box, the row is deleted when you click on Add new rows, Save, or Look up all IP addresses again.
Create
Enter the number of new rows you want to add to the table, and then click on Create.
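The difference between the community-based versions and SNMPv3 described in the two sections above is visible in the message header itself. The following added example (not part of the 3Com manual) classifies SNMP datagrams from a monitoring capture by version and protection level; the sample messages are constructed in the code, and the community "example-ro" and all function names are assumptions.

```python
def tlv(tag, payload):
    """BER-encode one tag-length-value element."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + payload


def read_tlv(data, pos):
    """Decode one element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(data):
        raise ValueError("truncated element")
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first & 0x80:  # long-form length
        count = first & 0x7F
        if count == 0 or pos + count > len(data):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(data[pos:pos + count], "big")
        pos += count
    else:
        length = first
    if pos + length > len(data):
        raise ValueError("element runs past end of data")
    return tag, data[pos:pos + length], pos + length


def classify(datagram):
    """Report SNMP version, any cleartext community, and protection level."""
    tag, body, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    tag, raw_version, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version field missing")
    version = int.from_bytes(raw_version, "big")
    tag, second, pos = read_tlv(body, pos)
    if version in (0, 1):  # 0 = v1, 1 = v2c: community follows in clear
        if tag != 0x04:
            raise ValueError("community field missing")
        return {"version": "v1" if version == 0 else "v2c",
                "cleartext_community": second.decode("latin-1"),
                "protection": "none"}
    if version == 3:  # header carries msgID, msgMaxSize, msgFlags, ...
        if tag != 0x30:
            raise ValueError("v3 header missing")
        p = 0
        for _ in range(2):  # skip msgID and msgMaxSize
            _, _, p = read_tlv(second, p)
        tag, flags, p = read_tlv(second, p)
        if tag != 0x04 or len(flags) != 1:
            raise ValueError("msgFlags missing")
        auth, priv = flags[0] & 0x01, flags[0] & 0x02
        level = ("authPriv" if auth and priv
                 else "authNoPriv" if auth else "noAuthNoPriv")
        return {"version": "v3", "cleartext_community": None,
                "protection": level}
    raise ValueError("unknown SNMP version")


def sample_v2c_get(community=b"example-ro"):
    """Constructed v2c GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0)."""
    oid = bytes([0x2B, 0x06, 0x01, 0x02, 0x01, 0x01, 0x01, 0x00])
    varbinds = tlv(0x30, tlv(0x30, tlv(0x06, oid) + tlv(0x05, b"")))
    pdu = tlv(0xA0, tlv(0x02, b"\x01") + tlv(0x02, b"\x00")
              + tlv(0x02, b"\x00") + varbinds)
    return tlv(0x30, tlv(0x02, b"\x01") + tlv(0x04, community) + pdu)


def sample_v3(flags):
    """Constructed v3 message header with empty security data and payload."""
    header = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x02, b"\x05\xdc")
                 + tlv(0x04, bytes([flags])) + tlv(0x02, b"\x03"))
    return tlv(0x30, tlv(0x02, b"\x03") + header
               + tlv(0x04, b"") + tlv(0x04, b""))


if __name__ == "__main__":
    for msg in (sample_v2c_get(), sample_v3(0x01), sample_v3(0x03)):
        print(classify(msg))
```

A result of "none" or "authNoPriv" on a management network is the cue to move that server to SNMPv3 with Privacy enabled and to turn Access via SNMPv1 and SNMPv2c Off once no server depends on it.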

SNMP Traps

If SNMP traps status is On, the Telecommuting Module will send messages (traps) to the server(s) entered below whenever an SNMP authentication fails or the Telecommuting Module boots.
If the trap sending is disabled, no traps will be sent.
Trap sending
Select if trap sending (at boot and failed SNMP authentication) should be On or Off.
Trap receiver
Enter the IP address, or a name in the DNS, of the server to which the Telecommuting Module should send traps. If you enter a DNS name instead of an IP address, you must enter the IP address of a DNS server on the Basic Configuration page. IP address shows the IP address of the DNS name or IP address you entered in the previous field.
Community
Enter the password (community) which the Telecommuting Module should use when sending traps. The community is sent unencrypted over the network.
Version
Select the SNMP version to be used for traps. You can select v1 or v2c.
Delete Row
If you select this box, the row is deleted when you click on Add new rows, Save, or Look up all IP addresses again.
Create
Enter the number of new rows you want to add to the table, and then click on Create.

Download the 3Com MIB

This link leads to the MIB (Management Information Base) definition for your 3Com VCX IP Telecommuting Module.

Save

Saves the SNMP configuration to the preliminary configuration.

Cancel

Reverts all of the above fields to their previous configuration.

Look up all IP addresses again

Looks up the IP addresses for all DNS names on this page in the DNS servers you entered on the Basic Configuration page.
Certificates
Here, you create X.509 certificates for the Telecommuting Module, to be used for authentication in various applications, like when configuration over HTTPS is performed.
On this page you also upload CA certificates to the Telecommuting Module. For the base Telecommuting Module, CA certificates are not used.
Private Certificates
Here the private X.509 certificates of the Telecommuting Module are created. You can use the same certificate for all authentication purposes, or create different certificates for the various functions in the Telecommuting Module.
Name
Enter a name for this certificate. The name is only used internally in the Telecommuting Module.
Certificate
Create, import or download a private certificate. See more information about creating certificates below. Under Import, you upload Telecommuting Module certificates signed by an external CA.
Under View/Download, you download the private certificate, and you can also download the key pair.
Information
Information about this certificate, such as the signing CA and expiration date.
Delete Row
If you select this box, the row is deleted when you click on Add new rows or Save.
Create
Enter the number of new rows you want to add to the table, and then click on Create.
Create certificate or certificate request
Press Create New to create a new X.509 certificate. A new page with a form appears, requesting information about the Telecommuting Module. Fill in the form to apply for a certificate or create a self-signed certificate. Fields marked * are mandatory.
Expire in
The expiration time defines how many days the certificate will last. Default time is 365 days, one year.
Common Name
Here, you enter the host name or IP address of the Telecommuting Module.
Email address
Enter the email address of the Telecommuting Module administrator.
Country code
Here, you enter the country code - not the top domain - for the country where the Telecommuting Module is located. The country code for the USA is US.
State/province
The state or province where the Telecommuting Module is located.
Locality/town
The city or town where the Telecommuting Module is located.
Organization
The name of the organization/company owning the Telecommuting Module.
Organizational Unit
The department using the Telecommuting Module.
Serial number
If you generate more than one certificate with the same information, and you want to give them separate names and treat them as different certificates, you need to give them different serial numbers. Enter a serial number for this certificate here.
Challenge password
Enter a password. This will be used only when revoking a signed certificate.
Create a self-signed X.509 certificate
By entering the requested information above and pressing this button, you can create a certificate that isn’t signed by any certificate authority (CA). Self-signed certificates are free, while certificates signed by an official CA normally are not. Certificates signed by CAs are automatically accepted by web browsers, while you have to accept self-signed certificates manually when using them in your web browser.
Create an X.509 certificate request
When pressing this button, you make a certificate request which can be sent to a certificate authority for signing. The request is downloaded under View/Download on the certificate page. The signed certificate is uploaded under Import.
Abort
Press the Abort button to return to the Certificates page without creating a new certificate or certificate request.
CA Certificates
Here, you upload CA certificates and CRLs (Certificate Revocation Lists). In the base Telecommuting Module, CAs and CRLs are not used.
Name
Enter a name for this CA certificate. The name is only used internally in the Telecommuting Module.
CA Certificate
You upload the CA certificate to the Telecommuting Module, inspect the current certificate, or download it to use somewhere else, by pressing the Change/View button.
CA CRL
A CRL (Certificate Revocation List) is used to tell the Telecommuting Module that some certificates issued by this CA are not valid, even though they may not have expired yet. Upload a CRL for this CA by pressing the Change/View button.
Information
Information about this certificate, such as the signing CA and expiration date.
Delete Row
If you select this box, the row is deleted when you click on Add new rows or Save.
Create
Enter the number of new rows you want to add to the table, and then click on Create.

Save

Saves all Certificates configuration to the preliminary configuration.

Cancel

Clears and resets all fields in new rows and resets changes in old rows.

Telecommuting Module Type

The Telecommuting Module can be connected to your network in different ways, depending on your needs. On this page, you state what configuration you have.
The DMZ Configuration
Using this configuration, the Telecommuting Module is located on the DMZ of your firewall, and connected to it with only one interface.
This is the safest configuration, since all traffic goes through both your firewall and your Telecommuting Module. It is also the most flexible, since all networks connected to any of your firewall’s interfaces can be SIP-enabled.
On your firewall, you need to open the SIP port (normally UDP port 5060) and a range of UDP ports for RTP traffic between the Telecommuting Module and the Internet as well as between the Telecommuting Module and your internal networks. The SIP traffic finds its way to the Telecommuting Module using DNS or by setting the Telecommuting Module as an outbound proxy on the clients.
The firewall mustn’t use NAT for the traffic between the Telecommuting Module and your internal networks or for the traffic between the Telecommuting Module and the Internet. However, the Telecommuting Module can itself use NAT for traffic to the Internet.
You need to declare your internal network topology on the Surroundings page.
The DMZ/LAN Configuration
Using this configuration, the Telecommuting Module is located on the DMZ of your firewall, and connected to it with one of the interfaces.
This configuration is used to enhance the data throughput, since the traffic only needs to pass your firewall once.
On your firewall, you need to open the SIP port (normally UDP port 5060) and a range of UDP ports for RTP traffic between the Telecommuting Module and the Internet. The other interface is connected to your internal network. The Telecommuting Module can handle several networks on the internal interface even if they are hidden behind routers. No networks on other interfaces on the firewall can be handled.
Internal users have to configure the Telecommuting Module as outbound proxy, or an internal proxy has to use the Telecommuting Module as outbound proxy.
The Telecommuting Module derives information about your network topology from the interface configuration.
The Standalone Configuration
Using this configuration, the Telecommuting Module is connected to your internal network on one interface and the outside world on the other.
Use this configuration only if your firewall lacks a DMZ interface, or for some other reason cannot be configured for the DMZ or DMZ/LAN alternatives.
Internal users have to configure the Telecommuting Module as outbound proxy, or an internal proxy has to use the Telecommuting Module as outbound proxy. No change in the firewall configuration is needed.
The Telecommuting Module derives information about your network topology from the interface configuration.
Telecommuting Module Type configuration
Current Telecommuting Module Type
Shows which type is currently active.
Change Telecommuting Module Type to
Select a new Telecommuting Module Type here.
Change type
Press the Change type button to set the new Telecommuting Module Type. This setting, like others, must be applied on the Save/Load Configuration page before it affects the Telecommuting Module functionality.
Chapter 7. Network Configuration
Under Network, you configure:
Network groups which are used for the Telecommuting Module configuration
The Telecommuting Module’s IP addresses on all network interfaces
Routings for the networks so that computers behind routers can be contacted
VLAN settings
The Telecommuting Module network environment (only for the DMZ type)

Networks and Computers

Here, you name groups of computers and networks. Sometimes it can be useful to give a group of computers a network name, such as Administration. If you want to group some computers, this can be done here, even if they do not have consecutive IP addresses. You can also include a subgroup when defining a new network group.
The names are used when you configure Surroundings and SNMP. Every group of computers which can reach each other without having to pass through the firewall needs a separate network group. The rows are sorted in alphabetical order, except that all upper case letters are sorted before lower case letters (B comes before a). When using an already defined group as a subgroup, select the name of the group under Subgroup. Set Interface/VLAN to ’-’ and leave the other fields empty.

Name

Enter a name for the group of computers. You can use this name when you change configuration on the pages mentioned above. A group can consist of several rows of IP addresses or series of IP addresses. By clicking on the plus sign beside the name, you add more rows where you can specify more IP addresses for this group.

Subgroup

An already defined group can be used as a subgroup to new groups. Select the old group here and leave the fields for DNS name empty. Select ’-’ as Interface/VLAN. If you don’t want to use a subgroup, select ’-’ here.

Lower Limit

DNS Name Or IP Address
Enter the DNS name or IP address of the network or computer. For computers in an IP range that you want to give a network name, enter the first IP address in the range. DNS Name Or IP Address must not be empty if you are not using a subgroup.
IP Address
The IP address of the object you entered in the DNS name or IP address field is displayed here. This field is not updated until you click on Look up all IP addresses again or make changes in the DNS Name Or IP Address field.

Upper Limit

DNS Name Or IP Address
Here, enter the last DNS name/IP address of the network or group. If the network contains a single computer, you can leave this field empty. Then only the IP address in Lower Limit is used.
For computers in an IP range that you want to give a network name, enter the last IP address in the range. The IP address in Upper Limit must be at least as high as the one in Lower Limit. If you use a subgroup, leave this field empty.
IP Address
The IP address of the object you entered in the DNS Name Or IP Address field is displayed here. This field is not updated until you click on Look up all IP addresses again or make changes in the DNS Name Or IP Address field.

Interface/VLAN

Here, you can select an interface or a VLAN to restrict the IP range. If the interface ’-’ is chosen, the group will consist of all IP addresses in the interval between Lower limit and Upper limit, regardless of what interface they are connected to. By selecting an interface or a VLAN, you constrain the group to consist only of the IP addresses in the interval that really are connected to the selected interface/VLAN.
For example, if 10.20.0.0 - 10.20.0.255 are IP addresses behind the interface DMZ-1 and the lower and upper limits are 10.10.10.20 and 255.255.255.255 respectively, choosing DMZ-1 as Interface will cause the group to consist of the IP addresses 10.20.0.0 - 10.20.0.255, being the IP addresses in the interval actually connected to the selected interface.
If you have selected a subgroup, the Interface/VLAN should be ’-’.
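Because these groups later decide which servers may contact the module via SNMP and which networks count as Surroundings, it helps to see exactly which addresses a row covers. The following added example (not part of the 3Com manual) resolves group rows into address ranges, reproducing the DMZ-1 case above; the data layout and function names are hypothetical, and treating a subgroup as a union with the other rows is an assumption.

```python
import ipaddress


def resolve(name, groups, interface_networks, _seen=()):
    """Return the (low, high) integer ranges covered by a network group."""
    if name in _seen:
        raise ValueError("subgroup loop at " + name)
    ranges = []
    for row in groups[name]:
        if "subgroup" in row:
            # Assumption: a subgroup contributes all of its own ranges.
            ranges += resolve(row["subgroup"], groups, interface_networks,
                              _seen + (name,))
            continue
        low = int(ipaddress.IPv4Address(row["lower"]))
        # An empty Upper Limit means a single address.
        high = int(ipaddress.IPv4Address(row.get("upper") or row["lower"]))
        if high < low:
            raise ValueError("Upper Limit is below Lower Limit")
        interface = row.get("interface", "-")
        if interface == "-":
            ranges.append((low, high))  # no interface restriction
            continue
        # Keep only the part of the interval connected to the interface.
        for cidr in interface_networks[interface]:
            net = ipaddress.IPv4Network(cidr)
            lo = max(low, int(net.network_address))
            hi = min(high, int(net.broadcast_address))
            if lo <= hi:
                ranges.append((lo, hi))
    return ranges


def as_text(ranges):
    """Render integer ranges as 'first - last' strings."""
    return ["%s - %s" % (ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi))
            for lo, hi in ranges]


def contains(name, address, groups, interface_networks):
    """True if the address falls inside any range of the group."""
    value = int(ipaddress.IPv4Address(address))
    return any(lo <= value <= hi
               for lo, hi in resolve(name, groups, interface_networks))


# Constructed sample data. DMZ-1 and its /24 follow the manual's example;
# the group names and the host 192.168.1.5 are made up for illustration.
INTERFACES = {"DMZ-1": ["10.20.0.0/24"]}
GROUPS = {
    "dmz-hosts": [{"lower": "10.10.10.20", "upper": "255.255.255.255",
                   "interface": "DMZ-1"}],
    "unrestricted": [{"lower": "10.10.10.20", "upper": "255.255.255.255",
                      "interface": "-"}],
    "Administration": [{"subgroup": "dmz-hosts"},
                       {"lower": "192.168.1.5"}],
}

if __name__ == "__main__":
    for group in GROUPS:
        print(group, as_text(resolve(group, GROUPS, INTERFACES)))
```

The "unrestricted" row shows why a wide interval with Interface/VLAN set to ’-’ deserves a second look before the group is used to grant SNMP access: it covers every address from the lower limit upward, on any interface.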

Delete Row

If you select this box, the row is deleted when you click on Add new rows, Save, or Look up all IP addresses again.

Create

Enter the number of new groups and rows you want to add to the table, and then click on Create.

Save

Saves the Networks and Computers configuration to the preliminary configuration.

Cancel

Clears and resets all fields in new rows and resets changes in old rows.

Interface (Network Interface 1 and 2)

There is a menu selection for each network interface (Network Interface 1 and 2) on the Telecommuting Module. Select a page to make configuration for that interface. There is also a page where configuration for all interfaces can be viewed and changed.
Here, you set the interface name, whether the interface is on or off, the IP address, alias, and static routing. For each interface, go to Directly Connected Networks and state the IP address of the Telecommuting Module and the size of the network connected to this interface.

General

Physical device name
This tells the physical device name of the network interface. The physical interface eth0 corresponds to Network Interface 1, and eth1 corresponds to Network Interface 2.
Status
Specify if this network interface is On or Off. If the interface is off, all configuration on this page is ignored, and the Telecommuting Module will behave as if this interface wasn’t present (except when used for failover).
If the interface should be used for failover, you should select Off. In this case, it won’t be available for other traffic than the synchronizing within the failover team. Read more about failover in chapter 12, Failover.
Interface name
The network Interface name is only used internally in the Telecommuting Module, e.g. when configuring Networks and Computers.

Directly Connected Networks

The Telecommuting Module must have an IP address on every network to which it is directly connected. This applies to all networks on the same physical network to which this interface is connected.
Note that the interface which should receive traffic from the outside must have a public IP address (no NAT), regardless of which Telecommuting Module Type was selected. For a DMZ or DMZ/LAN type, this means that the interface connected to the DMZ of the firewall must have a public IP address.
Name
A name for this IP address. You can use this name when configuring the administration IP address. This name is only used internally in the Telecommuting Module.
DNS name or IP address
The name/IP address of the Telecommuting Module on this network interface on this directly connected network.
IP address
Shows the IP address of the DNS name or IP address you entered in the previous field.
Netmask/bits
Enter the mask of the network where the DNS name or IP address applies.
Network address
The IP address of the network where the DNS name or IP address applies.
Broadcast address
Shows the broadcast address of the network in the Network address field.
VLAN id
VLANs are used for clustering IP ranges into logical networks. A VLAN id is simply a number, which identifies the VLAN uniquely within your network. Enter a VLAN id for this network. You don’t need to use a named VLAN (defined on the VLAN page).
VLAN name
If you entered the VLAN id of a named VLAN, the name will show here.
Delete Row
If you select this box, the row is deleted when you click on Add new rows, Save, or Look up all IP addresses again.
Create
Enter the number of new rows you want to add to the table, and then click on Create.

Alias

3Com VCX IP Telecommuting Module can use extra IP addresses, aliases, on its interfaces. All alias IP addresses must belong to one of the Directly Connected Networks you have specified.
Aliases are necessary for setting up a STUN server.
Name
Enter the name of your alias. This name is only used internally in the Telecommuting Module.
DNS name or IP address
Enter the IP address of this alias, or a name in the DNS. If you enter a DNS name instead of an IP address, you must enter the IP address of a DNS server on the Basic Configuration page.
IP address
Shows the IP address of the DNS name or IP address you entered in the previous field.
Delete Row
If you select this box, the row is deleted when you click on Add new rows, Save, or Look up all IP addresses again.
Create
Enter the number of new rows you want to add to the table, and then click on Create.

Static routing

If there is a router between the Telecommuting Module and a computer network which the Telecommuting Module is serving, you must name the router and the network here. The table is sorted by network number and network mask.
The Default gateway, configured on the Basic Configuration page, will automatically be entered in this table on the corresponding interface page, when added to the Default Gateways table.
Routed network
Enter the DNS name or IP address of the routed network under DNS name or network address. The IP address of the routed network is shown under Network address. In the Netmask field, enter the netmask of the network.
Router
The name or IP address of the router that will be used for routing to the network. If there are several routers between the Telecommuting Module and the network, fill in the router closest to the Telecommuting Module.
Delete Row
If you select this box, the row is deleted when you click on Add new rows, Save, or Look up all IP addresses again.
Create
Enter the number of new rows you want to add to the table, and then click on Create.

Save

Saves all Interface configuration to the preliminary configuration.

Cancel

Clears and resets all fields in new rows and resets changes in old rows.

Look up all IP addresses again

Looks up the IP addresses for all DNS names on this page in the DNS servers you entered on the Basic Configuration page.

VLAN

VLANs are used for clustering IP ranges into logical networks. A VLAN id is simply a number, which identifies the VLAN uniquely within your network. Here, you can list the VLANs you wish to use and give them names, to make administration easier. Named VLANs can also be selected instead of interfaces on the Networks and Computers page.

Name

The name of this VLAN. The name is only used in the Telecommuting Module web interface to help you keep track of the different VLANs.

Interface

Select an interface for this VLAN.

VLAN id

Enter a VLAN id. A VLAN id is just a number. All packets for this VLAN are then marked with this number, enabling all network devices to recognize and route packets for the VLAN.

Status

The status for this VLAN. Status can be On (the VLAN is used on an active interface), Off (the VLAN is used on an inactive interface) and Unused (no Directly Connected Networks have been selected for this VLAN).

Delete Row

If you select this box, the row is deleted when you click on Add new rows or Save.

Create

Enter the number of new rows you want to add to the table, and then click on Create.

Save

Saves all VLAN configuration to the preliminary configuration.

Cancel

Clears and resets all fields in new rows and resets changes in old rows.

Interface Status

On this page, status information about the physical interfaces and links is shown.

Physical device

This tells the physical device name of the network interface. The physical interface eth0 corresponds to Network Interface 1, and eth1 corresponds to Network Interface 2.

Type

Here the speed options for the interface are shown.

MAC address

The MAC address of the interface.

Active

Shows if the interface is activated or not.

Link

Here you can see if the interface has physical link to the network.

Speed

Here you can see the negotiated speed on the interface network.

Duplex

Here you can see the negotiated duplex for the interface.

Surroundings

Settings on the Surroundings page are only required when the Telecommuting Module has been made the DMZ type.
The Telecommuting Module must know what the networks around it look like. On this page, you list all networks which the Telecommuting Module should serve and which are not reached through the default gateway of the firewall.
All computers that can reach each other without having to go through the firewall connected to the Telecommuting Module should be grouped in one network. When you are finished, there should be one line for each of your firewall’s network connections (not counting the default gateway).
One effect of this is that traffic between two users on different networks, or between one of the listed networks and a network not listed here, is NAT:ed.
Another effect is that for connections between two users on the same network, or on networks where neither is listed in Surroundings, no ports for RTP sessions will be opened, since the Telecommuting Module assumes that they are both on the same side of the firewall.
Normally, at least one network should be listed here. If no networks are listed, the Telecommuting Module will not perform NAT for any traffic.

Network

Select a network. The alternatives are the networks you defined on the Networks and Computers page.

Delete Row

If you select this box, the row is deleted when you click on Add new rows or Save.

Create

Enter the number of new rows you want to add to the table, and then click on Create.

Save

Saves all Surroundings configuration to the preliminary configuration.

Cancel

Clears and resets all fields in new rows and resets changes in old rows.

Chapter 8. SIP Services

SIP (Session Initiation Protocol) is a protocol for creating and terminating various media stream sessions over an IP network. It is for example used for Internet telephone calls and distribution of video streams.
SIP takes care of the initiation, modification and termination of a session with one or more participants. The protocol makes it possible for the participants to agree on what media types they should share. You can find more information about SIP in appendix A, More About SIP, and in RFC 3261.
You find examples on how to configure your 3Com VCX IP Telecommuting Module for SIP in chapter 4, How To Configure SIP.
The SIP module in 3Com VCX IP Telecommuting Module handles SIP requests for users who have registered on a machine connected to the Telecommuting Module. The module forwards the request through the Telecommuting Module, which enables users behind different network interfaces to make contact. The SIP module controls the security rules to temporarily let through the media streams that the users agree on, on their assigned ports.
You must enter a DNS server and a Default gateway on the Basic Configuration page to make the SIP module work satisfactorily.

Administration of SIP

To enable the SIP function of the Telecommuting Module, you must at least configure the settings on the Basic page. These SIP functions are configured in the SIP Services section:
SIP module on/off.
SIP logging.
Port range for SIP media.
Interoperability settings.
SIP timeouts.
Remote SIP Connectivity (requires a Remote SIP Connectivity Module).

Basic

Here, you make basic settings for the Telecommuting Module SIP management.

General

Here, select whether the SIP module should be activated or not. If you select to turn the SIP module Off, no other SIP settings will have any effect.

SIP media port range

State a port interval which the Telecommuting Module should use for SIP media streams. You can use any high ports except 4500 (reserved for NAT-T) and 65097-65200 (reserved for RADIUS).
Enter the lower and upper limit of the port range that the Telecommuting Module should use for media streams. The upper limit must be at least as high as the lower limit.

SIP Servers To Monitor

Your Telecommuting Module can be made to monitor SIP servers, to check that they are alive. The information is used by the Telecommuting Module when SIP signaling should be passed on to the server in question. This is useful when a domain resolves to several individual hosts; the Telecommuting Module will know immediately if one of them is down, which will speed up the call connection.
Server
Enter the host name, domain name, or IP address of the server to be monitored.
Port
Enter the port to be monitored on that host. This should be the port to use for SIP signaling.
Transport
Select the transport to be monitored on that host. This should be the transport to use for SIP signaling.
Delete Row
If you select this box, the row is deleted when you click on Add new rows or Save.
Create
Enter the number of new rows you want to add to the table, and then click on Create.

Logging

The same settings can also be found on the Logging Configuration page under Logging.
Log class for SIP errors
The Telecommuting Module sends a message if there are any SIP errors. Select a log class for these log messages.
Log class for SIP signaling
For each SIP packet, the Telecommuting Module generates a message, containing the sender and receiver of the packet and what type of packet it is. Select a log class for these log messages.
Log class for SIP packets
The Telecommuting Module logs all SIP packets (one SIP packet is many lines). Select a log class for the SIP packets.
Log class for SIP debug messages
The Telecommuting Module logs a lot of status messages, for example the SIP initiation phase of a reboot. Select a log class for these messages.

Save

Saves the Basic configuration to the preliminary configuration.

Cancel

Clears and resets all fields in new rows and resets changes in old rows.

Interoperability

The SIP standard is still young and under considerable development. As a result, several implementations of the standard omit parts of it, or make guesses as to what will be accepted.
3Com VCX IP Telecommuting Module adheres rather well to the standard (RFC 3261) by default, but you can also adjust the configuration to make it more tolerant of known issues in various SIP implementations.
On this page, you also configure timeout and retransmission values for SIP signaling.

Loose routing

The Telecommuting Module uses the parameter "lr" in its SIP signaling to announce to other SIP devices that it uses loose routing. Some other SIP implementations incorrectly expect the lr parameter to be followed by a value, i.e. "lr=true". If you select that the Telecommuting Module should add this value to its SIP signaling, it will work with these implementations, too. This could affect its interaction with other SIP devices that conform to the SIP standard very strictly.
Select to use lr or lr=true.
Relaxed Refer-To
The SIP standard requires that a Refer-To header with a question mark in it must be contained within angle brackets. Some clients do not honor this.
Select whether the Telecommuting Module should accept Refer-To headers without angle brackets, but containing question marks. The recommended setting is Only allow Refer-To ? with angle brackets.

Remove VIA headers

Some SIP servers won’t accept requests with more than one Via header. To be able to communicate via these servers, you can select to remove all Via headers but one in requests to those servers. The Via headers are added again when the reply passes the Telecommuting Module.
Here, list servers that won’t accept more than one Via header in SIP requests.
SIP server
Enter the DNS name or IP address for a SIP server that won’t accept more than one Via header.
Delete Row
If you select this box, the row is deleted when you click on Add new rows, Save, or Look up all IP addresses again.
Create
Enter the number of new rows you want to add to the table, and then click on Create.

Translation exceptions

Usually, the Telecommuting Module rewrites IP addresses in the SIP signaling to hide them from the receiver. For some reason, you might want to except certain IP addresses from being rewritten. Enter those IP addresses in the table.
If you use a dialing domain that looks like an IP address (like 10.10.10.10), you need to enter that domain in this table.
Except this from translation
Enter the DNS name or IP address to be excepted from IP address translation. If you enter a DNS name, the corresponding IP address will be excepted from translation.
Delete Row
If you select this box, the row is deleted when you click on Add new rows, Save, or Look up all IP addresses again.
Create
Enter the number of new rows you want to add to the table, and then click on Create.

Preserve username

When registering a SIP client on one side of the Telecommuting Module to a SIP server on the other side, the Contact header is normally rewritten. By doing this, we make it possible for the SIP server to track when the same user is registering multiple times from different places. It is possible to turn this rewriting off and preserve the username in Contact headers passing through the Telecommuting Module, but that makes it impossible for the SIP server to tell if registrations for a certain user belong to one or several clients (if a user has two registrations from different clients and deregisters one of them, the SIP server will delete its only registration for him).
To make all calls work, you need to turn this On.
Select if usernames should be preserved or not. The recommended setting is to Preserve username in Contact header.

Loose username check

Normally, the Telecommuting Module checks that the authentication username equals the username in the From header. Some clients use their whole address as authentication username (for example user@host.com), which means that the username "user" in the From header is compared with the authentication username "user@host.com". This authentication will fail. With this function, "@host.com" is stripped from the authentication username.
Select if usernames should be checked loosely (Yes) or strictly (No).
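The strict and loose comparisons described above, sketched as an added example (this is not the Telecommuting Module's own code). The header values are constructed samples, the function names are hypothetical, and the sketch assumes the loose mode drops everything from the first "@" in the authentication username.

```python
import re


def from_user(from_header: str) -> str:
    """Return the user part of the SIP or SIPS URI in a From header value."""
    match = re.search(r"sips?:([^@;>\s]+)@", from_header, re.IGNORECASE)
    if match is None:
        raise ValueError("From header has no user part")
    return match.group(1)


def auth_username(authorization: str) -> str:
    """Return the username parameter of a Digest Authorization header value."""
    match = re.search(r'\busername="([^"]*)"', authorization)
    if match is None:
        raise ValueError("Authorization header has no username parameter")
    return match.group(1)


def username_check(from_header: str, authorization: str, loose: bool) -> bool:
    """Compare the authentication username with the From username.

    loose=False models the strict setting (No): the two strings must be equal.
    loose=True models the loose setting (Yes): the "@host.com" part of the
    authentication username is stripped before the comparison.
    """
    claimed = auth_username(authorization)
    if loose:
        # Assumption of this sketch: everything from the first "@" is dropped,
        # so only the user part takes part in the comparison.
        claimed = claimed.split("@", 1)[0]
    return claimed == from_user(from_header)


# Constructed sample header values (not captured traffic).
FROM = '"User" <sip:user@host.com>;tag=1928301774'
_REST = 'realm="host.com", nonce="constructed", uri="sip:host.com", response="constructed"'
AUTH_SHORT = 'Digest username="user", ' + _REST
AUTH_FULL = 'Digest username="user@host.com", ' + _REST
AUTH_OTHER_USER = 'Digest username="other@host.com", ' + _REST


def demo() -> dict:
    """Run every sample through both settings."""
    samples = {"short": AUTH_SHORT, "full": AUTH_FULL, "other": AUTH_OTHER_USER}
    return {
        (name, mode): username_check(FROM, header, loose=(mode == "loose"))
        for name, header in samples.items()
        for mode in ("strict", "loose")
    }


if __name__ == "__main__":
    for key, accepted in demo().items():
        print(key, "accepted" if accepted else "rejected")
```

The loose setting only changes the outcome for the client that sends its whole address; a different user part is rejected under both settings.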

SIP URL encryption

In some situations, some SIP URLs are encrypted and signed. When an invitation to a call is sent out, the address that the callee is to send its answer to is encrypted if the outgoing packet is NATed. When the answer from the callee comes in, the Telecommuting Module checks that the encryption and signing are correct before the address is used to send the information onwards.
The encryption and signing make the SIP packets slightly larger. This might lead to SIP packets being fragmented. By turning encryption off, fragmentation can be avoided in some cases, and since some equipment has trouble with fragmented packets this can sometimes be necessary.
Please note that when encryption is turned off, the Telecommuting Module makes no checks of incoming SIP URLs. It becomes possible in theory to trick the Telecommuting Module into sending SIP packets anywhere, which means that security is drastically reduced if encryption is turned off.
If Remote NAT Traversal is used, the URL encryption must be turned on.
Here, you select if SIP URL encryption should be used or not.

Expires header

Some SIP clients don’t understand the expires: parameter in the Contact header. To set the expiration time for those clients, you can make the Telecommuting Module add to REGISTER request replies an Expires header with the expires value in it.
Select to Always add Expires header, Never add Expires header, or Add Expires header if the request contained one. The last means that the Telecommuting Module will add an Expires header to the response if the request from the client contained one.

Local IP Addresses Are SIP Domains

Your 3Com VCX IP Telecommuting Module can be made to use all its local IP addresses as local SIP domains, in addition to the domains listed on the User database page.
This setting has an impact on all functions where distinctions can be made between local and other domains, like the SIP Methods and the Matching Request-URI.
Select if the Telecommuting Module should regard all its own IP addresses on all interfaces as local SIP domains.

User Matching

Here, you can select to match on username only or username as well as domain. If you match on username only, users with the same username will be treated as the same, even when they are under different domains.
Force Record-Routing For Outbound Requests
Here, you select if the Telecommuting Module should add a Record-Route header to all requests received by the Telecommuting Module, but whose Request-URI does not contain one of its Local SIP Domains.
The Record-Route header causes all subsequent SIP signaling for this session to be routed via the Telecommuting Module even if it is not the shortest route.
Here, you select to add Record-Route headers for outbound requests or not.
Force Record-Route For All Requests
Here, you select if the Telecommuting Module should add a Record-Route header to all requests received by the Telecommuting Module, which should be passed on to another client/server.
The Record-Route header causes all subsequent SIP signaling for this session to be routed via the Telecommuting Module even if it is not the shortest route.
Here, you select to add Record-Route headers for all requests or not.

Force remote TLS connection reuse

Enter SIP servers to which the Telecommuting Module connects using TLS. For the listed servers, the Telecommuting Module will use the actual source port for the TLS connection instead of port 5061.
This is useful in the SIP signaling, where port numbers are used in Via and Route headers.
DNS name or IP address
Enter the DNS name or IP address for a SIP server for which the Telecommuting Module should reuse TLS ports.
IP address
Shows the IP address of the DNS name or IP address you entered in the previous field.
Delete Row
If you select this box, the row is deleted when you click on Add new rows, Save, or Look up all IP addresses again.
Create
Enter the number of new rows you want to add to the table, and then click on Create.

Accept TCP Marked As TLS

When a TLS accelerator is used, SIP packets can be sent to the Telecommuting Module via TCP, but the packet content will look as if TLS was used.
Select if TCP packets with TLS content should be accepted. The recommended setting is not to accept them.

Allow Large UDP Packets

Sometimes, the SIP signaling UDP packets get larger than the standard allows. There are two ways to handle this: either send large UDP packets, which may become fragmented into several packets, or use TCP. Some SIP devices may not be able to receive TCP packets, which means that you have to allow large UDP packets, but doing this violates section 18.1.1 in RFC 3261.
This setting only affects SIP signaling packets.
Select if large UDP packets should be allowed. The recommended setting is not to allow them.

Remove Headers in 180 Responses

Some SIP servers require that the Contact and Record-Route headers are removed from 180 responses.
Select if the Telecommuting Module should remove these headers in 180 responses. The recommended setting is to keep the headers.
Open port 6891 for file transfer
Messenger clients do not always use the ports that are negotiated in the SIP signaling. In particular, the File Transfer function always uses the same port, regardless of what is negotiated. To make File Transfer work through the Telecommuting Module you must open port 6891, the Messenger File Transfer port.
You only need to do this if File Transfers are made between clients on different networks; if transfers are always only made between clients on the same network, no extra ports need to be opened.
Note: If more than one Messenger client performs file transfer through the Telecommuting Module at the same time, they could end up sending to each other’s peers instead of their own. An attacker could possibly use this to intercept transferred files; don’t use this mechanism to transfer sensitive data.
Here, you select to turn Open port 6891 On or Off. Recommended setting is Off.

Allow RFC 2069 authentication

Some SIP units can’t handle Digest authentication as described in RFC 2617, but they still do authentication. 3Com VCX IP Telecommuting Module can allow the simpler form of authentication described in RFC 2069 to be able to interoperate with these units.
Allowing this can decrease security. Use it only if units in your system need it.
Select if authentication according to RFC 2069 should be allowed (On) or not (Off). It is recommended to keep this setting off.
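Added example, not taken from the manual or the product: the two digest forms side by side, with a small verifier whose allow_rfc2069 switch stands in for the setting above. The credentials are constructed, and the nonce-count tracking shows what RFC 2617 makes possible for a verifier; it is an assumption, not a description of what the Telecommuting Module does internally.

```python
import hashlib
import hmac


def _md5(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """Digest response: qop=None is the RFC 2069 form, qop="auth" the RFC 2617 form."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop is None:
        # RFC 2069: only the server nonce is mixed in.
        return _md5(f"{ha1}:{nonce}:{ha2}")
    # RFC 2617: the nonce count and the client nonce are mixed in as well.
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestVerifier:
    """Hypothetical verifier; allow_rfc2069 models the On/Off setting."""

    def __init__(self, passwords, allow_rfc2069=False):
        self.passwords = passwords
        self.allow_rfc2069 = allow_rfc2069
        self._highest_nc = {}  # nonce -> highest nonce count accepted so far

    def verify(self, method, creds):
        """Return "ok" or the reason for rejecting the credentials."""
        password = self.passwords.get(creds["username"])
        if password is None:
            return "unknown user"
        qop = creds.get("qop")
        if qop is None and not self.allow_rfc2069:
            return "RFC 2069 digest not allowed"
        if qop not in (None, "auth"):
            return "unsupported qop"
        expected = digest_response(creds["username"], creds["realm"], password,
                                   method, creds["uri"], creds["nonce"],
                                   qop, creds.get("nc"), creds.get("cnonce"))
        if not hmac.compare_digest(expected, creds["response"]):
            return "bad response"
        if qop == "auth":
            # The nonce count lets the verifier refuse a request it has seen.
            nc = int(creds["nc"], 16)
            if nc <= self._highest_nc.get(creds["nonce"], 0):
                return "repeated nonce count"
            self._highest_nc[creds["nonce"]] = nc
        # An RFC 2069 response carries nothing comparable to check here.
        return "ok"


# Constructed account and challenge values (not from the manual).
PASSWORDS = {"alice": "constructed-password"}
CHALLENGE = {"username": "alice", "realm": "example.com",
             "nonce": "constructed-nonce-0001", "uri": "sip:example.com"}


def client_credentials(qop=None, nc=None, cnonce=None):
    """Build the credentials a client would send in a REGISTER request."""
    creds = dict(CHALLENGE)
    if qop is not None:
        creds.update(qop=qop, nc=nc, cnonce=cnonce)
    creds["response"] = digest_response(
        creds["username"], creds["realm"], PASSWORDS["alice"], "REGISTER",
        creds["uri"], creds["nonce"], qop, nc, cnonce)
    return creds


def demo():
    """The same requests against the setting Off and On."""
    old = client_credentials()
    new = client_credentials("auth", "00000001", "constructed-cnonce")
    off = DigestVerifier(PASSWORDS, allow_rfc2069=False)
    on = DigestVerifier(PASSWORDS, allow_rfc2069=True)
    return {
        "off, rfc2069": off.verify("REGISTER", old),
        "off, rfc2617": off.verify("REGISTER", new),
        "off, rfc2617 repeated": off.verify("REGISTER", new),
        "on, rfc2069": on.verify("REGISTER", old),
        "on, rfc2069 repeated": on.verify("REGISTER", old),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

With the setting On, the repeated RFC 2069 request verifies again because its response contains no client nonce or nonce count.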

Save

Saves the Interoperability configuration to the preliminary configuration.

Cancel

Reverts all of the above fields to their previous configuration.

Look up all IP addresses again

Looks up the IP addresses for all DNS names on this page in the DNS servers you entered on the Basic Configuration page.

Sessions and Media

Here, settings are made for the SIP timeouts and sessions negotiated via the Telecommuting Module.

Registrar Limits

Timeout for registrations
Enter the timeout (in seconds) before a registration becomes obsolete. When the timeout is reached, the registrar discards the registration.
Allowed number of users
Enter the maximum number of users allowed to register in the SIP registrar. Leave the field empty to allow as many registrations as there are SIP user licenses on the Telecommuting Module (number displayed inside parentheses). You can purchase additional SIP user licenses from your retailer.
Allowed number of registrations per user
Enter the allowed number of concurrent registrations for a user. A registration looks like user@computer, which means that if you re-register from the same computer, this won’t count as another registration, but just an update.
Session Configuration
Session timer
Enter the maximum time for a SIP initiated connection. When the timeout is reached, the Telecommuting Module discards the media streams. The clients won’t notice, as the connection is still active, but you won’t hear anything as no media streams are let through. To avoid this, clients can regularly ask for new timeouts.
Timeout for SIP over TCP/TLS
The Timeout for SIP over TCP/TLS decides how long a SIP connection over TCP with the Telecommuting Module may exist without having received a complete SIP request.
"0" or an empty field means that SIP over TCP or TLS cannot be used to the Telecommuting Module.
Limitation of sender of media streams
The Telecommuting Module usually locks a media stream to the first sender IP address and port (for security reasons). Some SIP clients change ports during the first media stream packets, which will block the media stream from being let through the Telecommuting Module. There are also scenarios where the media stream sender is changed to an entirely new sender.
You can select for the Telecommuting Module to Lock to the first sender, which will render the behaviour described above. Allow multiple concurrent senders lets the media stream through even if ports and/or IP addresses change.
Allowed number of media streams per SIP session
Enter the number of media streams a single SIP session can handle. This restriction is primarily made for preventing DoS attacks.
Allowed number of concurrent sessions
Enter the number of concurrent SIP sessions which the Telecommuting Module should handle. Leave the field empty to allow as many sessions as there are SIP traversal licenses on the Telecommuting Module (number displayed inside parentheses). You can purchase additional SIP traversal licenses from your retailer.

Requests

You can configure timeouts for the different functions of the Telecommuting Module SIP module here. It is not recommended to change from the default values unless you really know what you’re doing.
Default timeout for INVITE requests
When sending an INVITE request you can specify a timeout, telling how long you can wait before getting an answer.
If no timeout is given when an INVITE request is sent, the Telecommuting Module sends the default timeout entered here.
Maximum timeout for INVITE requests
Here, enter the maximum timeout to allow for an INVITE request. If a higher timeout is given, the Telecommuting Module changes it to the value entered here.
SIP blacklist interval
When the Telecommuting Module sends out a SIP request and no reply is received, the SIP peer (say, a SIP server or an IP phone) will be blacklisted for the given time interval. This blacklisting means that no new SIP requests will be sent to the unit, even if requests that should be routed to this unit are received by the Telecommuting Module.
If the SIP request which caused the blacklisting, or a subsequent SIP request for that unit, can be routed to another device instead, the Telecommuting Module will keep on sending those requests to the next known IP address for the domain/user in question. When the blacklist ends, the Telecommuting Module will go back to sending requests to the previously blacklisted unit again.
If a 0 is entered into this field, the SIP blacklisting will not be used by the Telecommuting Module.
Base retransmission timeout for SIP requests
When the Telecommuting Module sends out a SIP request, it will expect a reply within a certain time. If no reply has been received within the Base retransmission timeout, the Telecommuting Module will start resending the request.
Maximum number of retransmissions for INVITE requests
When the Telecommuting Module sends out an INVITE request, it will wait for a reply until the Base retransmission timeout and then start to retransmit the request. The time intervals between retransmissions will double for each new retransmission.
Example: If the Base retransmission timeout is 0.5 seconds and the Maximum number of retransmissions is 6, the INVITE requests will be sent with intervals of 0.5 s, 1 s, 2 s, 4 s, 8 s, and 16 s.
Maximum number of retransmissions for non-INVITE requests
When the Telecommuting Module sends out a request which is not an INVITE request, it will wait for a reply until the Base retransmission timeout and then start to retransmit the request. The time intervals between retransmissions will double for each new retransmission until the interval reaches 4 seconds. After that, retransmissions will be made with a 4-second interval.
Example: If the Base retransmission timeout is 0.5 seconds and the Maximum number of retransmissions is 7, the requests will be sent with intervals of 0.5 s, 1 s, 2 s, 4 s, 4 s, 4 s, and 4 s.
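The retransmission schedules from the two examples above, together with the SIP blacklist interval described earlier in this section, as an added sketch (not the product's code). Class and function names are hypothetical, peer addresses are constructed, and the base timeout is assumed to be at most 4 seconds.

```python
from itertools import accumulate

NON_INVITE_CAP = 4.0  # seconds; the interval at which non-INVITE doubling stops


def retransmission_intervals(base, max_retransmissions, invite):
    """Intervals (seconds) between successive transmissions of one request.

    INVITE: the interval doubles for each new retransmission.
    Non-INVITE: the interval doubles until it reaches 4 s, then stays at 4 s.
    """
    intervals = []
    interval = float(base)
    for _ in range(max_retransmissions):
        intervals.append(interval)
        interval *= 2
        if not invite:
            interval = min(interval, NON_INVITE_CAP)
    return intervals


def send_offsets(base, max_retransmissions, invite):
    """Seconds after the first transmission at which each copy is sent."""
    return [0.0] + list(accumulate(
        retransmission_intervals(base, max_retransmissions, invite)))


class SipBlacklist:
    """Tracks peers that did not reply, for the configured interval."""

    def __init__(self, interval):
        self.interval = interval  # seconds; 0 means blacklisting is not used
        self._until = {}          # peer -> time at which its blacklisting ends

    def no_reply(self, peer, now):
        """Record that a request to peer got no reply at time now."""
        if self.interval > 0:
            self._until[peer] = now + self.interval

    def is_blacklisted(self, peer, now):
        return now < self._until.get(peer, float("-inf"))

    def next_hop(self, candidates, now):
        """First known address for the domain/user that is not blacklisted."""
        for peer in candidates:
            if not self.is_blacklisted(peer, now):
                return peer
        return None  # every known address is blacklisted: nothing is sent


if __name__ == "__main__":
    print("INVITE     ", retransmission_intervals(0.5, 6, invite=True))
    print("non-INVITE ", retransmission_intervals(0.5, 7, invite=False))
    last = send_offsets(0.5, 6, invite=True)[-1]
    print("last INVITE copy sent after", last, "s")

    peers = ["192.0.2.10", "192.0.2.11"]  # constructed addresses
    blacklist = SipBlacklist(interval=60)
    blacklist.no_reply(peers[0], now=last)
    print("next hop at t=40  :", blacklist.next_hop(peers, now=40))
    print("next hop at t=91.5:", blacklist.next_hop(peers, now=last + 60))
```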

Save

Saves the Sessions and Media configuration to the preliminary configuration.

Cancel

Reverts all of the above fields to their previous configuration.

Remote SIP Connectivity

If you are at a hotel or somewhere else where you find yourself behind a NAT-ing device that does not understand SIP, you can use the SIP Remote Connectivity of 3Com VCX IP Telecommuting Module. This will help your client to traverse the NAT, even if the device doing the NAT does not understand SIP. The SIP Remote Connectivity is only available if you have installed the Remote Connectivity module.
If you have a STUN-capable SIP client, you just need to turn on the STUN server of the Telecommuting Module to make the client work behind NAT. If you have a SIP client that does not do STUN (or if the STUN-capable client is located behind a Symmetric NAT device), you have to use the Remote NAT Traversal feature. This is easier for the client, but generates more network traffic for the Telecommuting Module.

STUN Server

Use the STUN server if you have STUN-aware SIP clients. You will need at least two public IP addresses to make it work with all client implementations of STUN.
STUN will not work properly if the NAT device uses Symmetric NAT (where the client’s private IP/port pair translates to different public IP/port pairs depending on destination, and where other computers than the destination host are not allowed to reply on that IP/port pair).
The client also needs extra configuring for this; it must know which IP addresses and ports the STUN server has.
STUN server function
Select if the STUN server function should be switched On or Off.
STUN server IP addresses
When activated, the STUN server requires two IP addresses, and a pair of ports on these two IP addresses, on the Telecommuting Module. STUN clients will then send test packets to these ports.
Select two IP addresses out of the ones assigned to the Telecommuting Module under Directly Connected Networks and Alias on the interface pages.
Note: for the STUN server to work properly, you need to select IP addresses which the clients can reach. In normal circumstances, this means that only public IP addresses can be used.
STUN ports
Enter the ports to use for the STUN server. These ports, on the IP addresses selected, will not be available for anything else.

Remote NAT Traversal

If your SIP client is not STUN-capable, you can use the built-in Remote NAT traversal feature of the Telecommuting Module. The client must register on the Telecommuting Module (or through it).
The SIP client needs to re-REGISTER rather often for this to work. The exact period for this depends on the NAT-ing device, but 20 seconds should be enough to get across most NAT boxes. It is not advisable to use OPTIONS for 3Com SIP clients.
Remote NAT traversal
Turn this function on or off.
Re-REGISTER period for clients
Clients using this function will have to re-REGISTER very often, to keep the IP/port NAT binding. A re-REGISTER interval of 20 seconds should be enough to ensure this.
If some clients are unable to handle short re-REGISTER intervals, the Telecommuting Module can send OPTIONS messages instead, see below.
Use OPTIONS for registered clients
Select if the Telecommuting Module should use OPTIONS packets instead of short re-REGISTER intervals to keep the NAT binding.
OPTIONS should not be used for 3Com phones, as they don’t respond to that.
OPTIONS interval
Enter the interval for the Telecommuting Module to send OPTIONS packets to the client.

Save

Saves the Remote SIP Connectivity configuration to the preliminary configuration.

Cancel

Reverts all of the above fields to their previous configuration.
Chapter 9. SIP Traffic
SIP (Session Initiation Protocol) is a protocol for creating and terminating various media stream sessions over an IP network. It is for example used for Internet telephone calls and distribution of video streams.
SIP takes care of the initiation, modification and termination of a session with one or more participants. The protocol makes it possible for the participants to agree on what media types they should share. You can find more information about SIP in appendix A, More About SIP, and in RFC 3261.
You can find examples of how to configure your 3Com VCX IP Telecommuting Module for SIP in chapter 4, How To Configure SIP.
The SIP module in 3Com VCX IP Telecommuting Module handles SIP requests for users who have registered on a machine connected to the Telecommuting Module. The module forwards the request through the Telecommuting Module, which enables users behind different network interfaces to make contact. The SIP module controls the security rules to temporarily let through the media streams that the users agree on, on their assigned ports.
You must enter a DNS server and a Default gateway on the Basic Configuration page to make the SIP module work satisfactorily.
These SIP functions are configured in the SIP Traffic section:
Allowed SIP methods
Routing of incoming SIP requests

SIP Methods

Enter the SIP methods you want to allow and/or authenticate. Methods that are not listed here will be blocked by the Telecommuting Module.
Common methods are predefined (from RFC 3261). Note that the standard methods ACK and CANCEL can’t be authenticated.

Method

Enter the name of the SIP method. This should be the name used in RFC 3261.
Traffic to
Here, you select the direction of the traffic. Local domains means that traffic to Local SIP Domains of this Telecommuting Module is affected by this row. Other domains means that traffic to all domains which are not Local SIP Domains of this Telecommuting Module is affected by this row. Both means that this row affects all traffic for the method, regardless of where the traffic is bound.

Allow

Select if the method in this direction should be allowed or not. For methods that are not allowed, the Telecommuting Module sends a 403 (Forbidden) response.

Auth

In the base Telecommuting Module, authentication will not be performed, and this setting will have no effect.

Delete Row

If you select this box, the row is deleted when you click on Add new rows or Save.

Create

Enter the number of new rows you want to add to the table, and then click on Create.

Save

Saves the SIP Methods configuration to the preliminary configuration.

Cancel

Clears and resets all fields in new rows and resets changes in old rows.

Routing

Here, you configure routing of the SIP signaling received by the Telecommuting Module. The options are: to forward all SIP requests to a server, regardless of what they concern (Outbound Proxy), and to forward all requests addressed to a specific SIP domain to a SIP server (DNS Override For SIP Requests).
You can also select to process class 3xx messages in the Telecommuting Module or pass them on to the client.

Outbound Proxy

Here, you can enter an external SIP proxy to which all SIP requests should be sent. This could be useful e.g. if the Telecommuting Module separates two local departments of a company, and all SIP requests should be processed by the main firewall connected to the Internet.
Domain or IP address
Enter the domain name or IP address of the external SIP proxy.
Port
Enter the port number of the external SIP proxy. If no port number is entered, the Telecommuting Module will make a DNS query for an SRV record. If a port number is entered, it will query for an A record.
Delete Row
If you select this box, the row is deleted when you click on Add new rows, Save, or Look up all IP addresses again.
Create
Enter the number of new rows you want to add to the table, and then click on Create.

Class 3xx message processing

Sometimes during negotiation for a connection, status messages about this process will be sent. Here you select whether to forward these to the client or process them in the Telecommuting Module.
A class 3xx message from a server means that the connection attempt was terminated, but no connection was established, e.g. due to use of the wrong address or service. The Telecommuting Module as well as some clients can use this information to make new attempts which might have a better chance to succeed.
Forward class 3xx messages
The choices are Forward all, which forwards all class 3xx messages to the client (which might be able to use this information), and Follow redirects, which means that the Telecommuting Module itself uses the information and might make new connection attempts. In this case, it will only inform the client when the connection finally is established or the attempt has failed totally.

DNS Override For SIP Requests

Here, you can register SIP domains to which the Telecommuting Module should be able to forward requests, but which for some reason cannot be resolved in DNS. Enter an IP address and port to which the requests should be forwarded. You can also select to use a specific protocol.
If you use a dialing domain that looks like an IP address, you must enter that dialing domain here along with the SIP server for that domain.
You can enter more than one IP address or host name for a domain, and set weights and priorities for these.
Domain
Enter the domain name of the SIP domain.
Relay to
Enter the IP address for the SIP registrar handling the domain. You can also enter a DNS name for the SIP registrar, if it has a DNS-resolvable host name, even if the SIP domain is not possible to look up in DNS.
Under Port, enter the port on which the SIP registrar listens for SIP traffic. The standard port is 5060 (5061 for TLS).
You can select which transport protocol to use between the Telecommuting Module and the registrar. Under Transport, select from UDP, TCP and TLS. You can also select "-", which means that the signaling is passed on using the same transport as was used to reach the Telecommuting Module.
If you entered more than one IP address/host name for the same domain, you should also assign them Priority and Weight. A low Priority value means that the unit should have a high priority. If more than one unit has the same Priority, the signaling sent to them is distributed between them according to their Weight. If two units have the same priority, and Unit 1 has weight 4, and Unit 2 has weight 9, 4/13 of the signaling will be sent to Unit 1, and 9/13 will be sent to Unit 2.
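An added sketch of the Priority and Weight selection just described (not the product's code). Unit names and values are constructed; skipping unreachable units and falling back to the next Priority value is an assumption made for the example, as is sharing the traffic evenly when every Weight in a group is 0.

```python
import random
from collections import Counter
from fractions import Fraction

# Constructed table rows: (unit, Priority, Weight).
UNITS = [("unit1", 10, 4), ("unit2", 10, 9), ("backup", 20, 1)]


def active_group(units, unreachable=()):
    """Reachable units that share the lowest Priority value, as (name, weight)."""
    reachable = [unit for unit in units if unit[0] not in unreachable]
    if not reachable:
        return []
    best = min(priority for _, priority, _ in reachable)
    return [(name, weight) for name, priority, weight in reachable
            if priority == best]


def expected_shares(units, unreachable=()):
    """Exact share of the signaling each unit in the active group receives."""
    group = active_group(units, unreachable)
    total = sum(weight for _, weight in group)
    if total == 0:
        # Assumption: with no usable weights, the group is treated equally.
        return {name: Fraction(1, len(group)) for name, _ in group}
    return {name: Fraction(weight, total) for name, weight in group}


def pick_unit(units, rng, unreachable=()):
    """Choose the unit for one request, or None if no unit is reachable."""
    group = active_group(units, unreachable)
    if not group:
        return None
    names = [name for name, _ in group]
    weights = [weight for _, weight in group]
    if sum(weights) == 0:
        return rng.choice(names)
    return rng.choices(names, weights=weights, k=1)[0]


def simulate(units, requests, seed, unreachable=()):
    """Count how many of the simulated requests each unit receives."""
    rng = random.Random(seed)
    return Counter(pick_unit(units, rng, unreachable) for _ in range(requests))


if __name__ == "__main__":
    print("expected:", expected_shares(UNITS))
    print("observed:", simulate(UNITS, 13000, seed=1))
    print("preferred group down:",
          expected_shares(UNITS, unreachable={"unit1", "unit2"}))
```

A unit with a higher Priority value, such as the constructed "backup" row, receives nothing while any unit with a lower value is in use.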
Delete Row
If you select this box, the row is deleted when you click on Add new rows, Save, or Look up all IP addresses again.
Create
Enter the number of new groups and rows you want to add to the table, and then click on Create.

Save

Saves the Routing configuration to the preliminary configuration.

Cancel

Reverts all of the above fields to their previous configuration.

Look up all IP addresses again

Looks up the IP addresses for all DNS names on this page in the DNS servers you entered on the Basic Configuration page.

Session Status

You can monitor the current SIP activity. The tables are updated when you select the page or reload it.

Registered Users

Here the currently registered users are listed.
User
The SIP address of the registered user. The address looks like name@domain, where name is a user name or a telephone number, and domain is a domain name or an IP address.
Registered from
The IP address of the computer from which the user registered.

Active Sessions

Here the currently active sessions are listed.
Start
The time when the call started.
Caller
The SIP and IP addresses of the calling user.
Callee
The SIP and IP addresses of the called user.
State
Shows if the call is established or under negotiation.
Call ID/Media Type
Each SIP session has a unique ID, which is shown here. You can also see what media type is used in the call.

Chapter 10. Administration

Under Administration, you
apply your configuration
define administrator users and change their passwords
save the preliminary configuration to file
load a saved configuration
view the configuration
reboot your 3Com VCX IP Telecommuting Module
restart the SIP module on your 3Com VCX IP Telecommuting Module
upgrade your 3Com VCX IP Telecommuting Module
set table formats
set date, time, and time zone (manually or via NTP)
Save/Load Configuration
Here, you work with the preliminary and permanent configurations, save them and load new configurations from previously saved configurations.
Test Preliminary Configuration
When Apply configuration is pressed, the Telecommuting Module will test the configuration before you make it permanent.
During the test, the Telecommuting Module waits for you to press one of the three buttons displayed. If you never see the three buttons, something in your preliminary configuration (now tested) is wrong, which makes it impossible for you to access the configuration web interface.
Duration of limited test mode
Here, you enter the time limit for the testing. If you do not press any button within this time, the Telecommuting Module will assume that some part of your preliminary configuration makes connecting impossible. When the timeout is reached, the Telecommuting Module automatically reverts to the old permanent configuration. If this occurs, you will be informed when trying to press a button.
Apply configuration
Saves the preliminary configuration to the permanent configuration and puts it into use. You can test your preliminary configuration before finalizing it.
Three buttons are displayed during the test:
Save configuration saves your preliminary configuration to the permanent configuration and puts it into use.
Continue testing shows a new page with only the other two buttons.
Revert cancels this test of the preliminary configuration without saving.
If you do not press any button within the time limit, the Telecommuting Module will revert to the old permanent configuration, just as if you had pressed Revert. This is useful if you happen to configure your Telecommuting Module so it isn’t accessible from your browser.
After the timeout, pressing any of the three buttons will show a new page which will inform you that the test run was aborted.
Restarting the Telecommuting Module by cycling the power also cancels the test.

Backup

All configurations can be saved to and loaded from diskette or file. This does not affect the permanent configuration.
Save to diskette
Insert a formatted diskette into the Telecommuting Module’s floppy drive and press Save to diskette to save the preliminary configuration. Do not remove the diskette until the light on the floppy drive goes out.
Check that you get a confirmation of the saving. If not, the diskette may be faulty.
Load from diskette
Insert the diskette with the saved configuration into the Telecommuting Module’s floppy drive and press Load from diskette. Do not remove the diskette until the light on the floppy drive goes out. The contents of the diskette are now loaded in the preliminary configuration.
Save to local file
Press Save to local file to save the preliminary configuration to the file you have selected. A new window is opened where you enter the name of the file.
Load from local file
Press Load from local file to load a new preliminary configuration from the file you have selected.
Browse
Browse is used to scan your local disk. The web browser opens a new window where you can search among files and directories. Go to the right directory and select the file you want to upload.
Revert to old configurations
You can revert to old configurations of the Telecommuting Module, either back to the last configuration successfully applied, or to the configuration delivered with your Telecommuting Module from the factory.
Abort All Edits
Abort all edits copies the permanent configuration to the preliminary configuration. All changes made in the preliminary configuration are deleted.
Reload Factory Configuration
The factory configuration is the standard configuration that is delivered with a Telecommuting Module. Click on this button to load this configuration into the preliminary configuration. The permanent configuration is not affected.
Show configuration
Shows both the preliminary and permanent configurations, in that order. Before the preliminary configuration, you see the Telecommuting Module’s version, serial number, the time zone and table format you selected.
The heading before each table for the preliminary configuration is clickable and accesses the corresponding configuration page.
Print this list from your web browser and store it in a safe place.

User Administration

On the User Administration page, you change the administration password for the admin account on your Telecommuting Module and create other administrator user accounts. The characters in the password are displayed as little stars. Remember that the password is sent unencrypted over the network if you use HTTP instead of HTTPS.
You can authenticate administrators using a RADIUS server instead of a local password (select this on the Access Control page under Basic Configuration). When RADIUS is used, you must also enter a RADIUS server on the RADIUS page under Basic Configuration.
More information about how to configure the RADIUS server to authenticate administrators can be found in the RADIUS section.
Password For the ’admin’ Account
The admin user is predefined. That user can make changes, load configurations, apply configurations and log on to the Telecommuting Module via the serial cable. You can’t remove this user or change its privileges, only change its password.
Old password
Enter the old password for the admin user.
New password, Confirm password
Enter the new password in both fields. You must enter the exact same password in both fields, to make sure that you did not make a mistake.
Change administration password
Click this button to change the password for the admin user. The new password is now saved on the Telecommuting Module.

Other Accounts

Here, you define other user accounts that can access the Telecommuting Module. A user account can be restricted to only look at settings, or to change only some settings. Changes of configuration are logged by user name.
Changes in restrictions for an existing user account are immediate. The exception is changes for a currently logged on user, for whom the changes take effect the next time he/she logs on.
User
Enter the user name for this account. The name is used when the user logs on and for logging the changes.
Password
Press the Change password button to enter the password for this user.
Account Type
Select what privileges this user should have.
Full Access means that the user can make any changes to the configuration. These are the same privileges as the admin user has in the web GUI, but only the admin user can log on via the serial cable.
Backup/Restore Config means that the user can download the configuration to file, and upload a configuration file to the Telecommuting Module. The user is also allowed to apply configurations.
The VPN admin account is not used in a base Telecommuting Module.
The VPN renegotiator account is not used in a base Telecommuting Module.
SIP admin means that the user can make any changes on the SIP Services and SIP Traffic pages and apply configurations, but can’t change any other configuration.
View Config Only means that the user can view any configuration and make log searches, but can’t change any configuration.
Off means that the user is not allowed to log on to the web interface of the Telecommuting Module.

Currently Logged In Administrators

Here, all users logged on to the Telecommuting Module web interface are shown. If your user has full access, you can log out other users here.
Account
The name of the logged on user.
Type
Here, the account type for the user is shown. The account type tells you the user’s access rights for the Telecommuting Module web interface.
From
Here you see from which IP address the user connected to the Telecommuting Module.
Logged in
Here you see when the user logged on to the Telecommuting Module.
Last access
Here you see when the user last accessed the Telecommuting Module web interface. Accesses could be a change of a parameter, a change of web page or a log search.
Status
Here you see if the user is active or idle. The Telecommuting Module marks a user as idle if the user has not accessed the web interface in ten minutes.
Log out
If your user has full access to the web interface, you can log out other users. However, if you do not change their password (or change the Account type to Off), they can just log on again.

Upgrade

Read these instructions carefully before upgrading. You find version upgrades for 3Com VCX IP Telecommuting Module at http://eSupport.3com.com/. The upgrade is signed with GNU Privacy Guard. When 3Com VCX IP Telecommuting Module is upgraded, it automatically checks the signature before accepting the upgrade.
You should always upgrade your Telecommuting Module to the latest version. Here, you also upgrade with extension modules (e.g. QoS) and SIP licenses. Upgrading with modules and licenses is exactly the same procedure as upgrading to a new version. You save the upgrade to a file on your workstation or network file system. When upgrading, select Upgrade.

Upgrade

This is the procedure to follow when upgrading a 3Com VCX IP Telecommuting Module.
Step 1
First save the upgrade to a file on your workstation. Enter the file name and path in the box or press Browse to search the disk. When you have selected a file, press Upgrade from network. The Telecommuting Module will read the upgrade file and check that it was correctly signed and is compatible with the current Telecommuting Module version.
Step 2
If the upgrade file is correct, a text will appear at the top of the web page, stating which version the upgrade is. Two new buttons will also be shown: Apply upgrade and Remove upgrade. You can still load new upgrades replacing the old one, which is useful if, for example, you have selected an upgrade which is too old.
Apply upgrade
Pressing Apply upgrade will make the Telecommuting Module install the new upgrade.
Remove upgrade
Remove upgrade removes the loaded upgrade from the Telecommuting Module. The upgrade will not be installed.
Step 3
If Apply upgrade was pressed, the buttons Try the upgrade and Remove upgrade will appear.
Try the upgrade
Try the upgrade will reboot the Telecommuting Module and test the loaded upgrade. When the reboot is done, log on to continue upgrading the Telecommuting Module.
Remove upgrade
Remove upgrade removes the loaded upgrade from the Telecommuting Module. The upgrade will not be installed.
Step 4
When you have pressed Try the upgrade and the Telecommuting Module has rebooted, you will see two buttons on top of every web page: Accept upgrade and Abort upgrade.
Now, you can choose to make the upgrade permanent or to revert to the old version. You can check the configuration, but no changes can be made before the upgrade is permanent. If the Telecommuting Module is rebooted before the upgrade is made permanent, it will revert to the old version.
Accept upgrade
Accept upgrade will complete the upgrade. When you have accepted the upgrade, you must also go to Save/Load Configuration and Apply configuration, i.e. the new upgrade.
Abort upgrade
Abort upgrade aborts the upgrade. The Telecommuting Module will revert to the old version.

Downgrade

If the Telecommuting Module has been upgraded before, it is possible to downgrade to the previous version. When you downgrade, the Telecommuting Module will revert to the configuration it had before upgrading. All configuration changes made after the upgrade will be lost. When you want to upgrade, the upgrade file must be uploaded again.

Table Look

There are two alternatives for tables in 3Com VCX IP Telecommuting Module: Either you can change the contents of the table directly, or else you must click on a box in the Edit row column to allow the row to be changed. The image below shows how tables with an Edit row column can look.
To change a row, click in the Edit box for that row and click on Save or Add new rows. The page is updated so that you can change the configurations on the row. You can select several rows to change.
With an Edit column, tables with many rows are loaded faster, provided that only few of the Edit boxes are checked.

Edit Column

Select if all, some or none of the Telecommuting Module tables should have an Edit column. If you select that some tables have an Edit column, you also enter the size required to add the Edit column.
Always have an Edit column
Regardless of the table size, all tables will have an Edit column.
Sometimes have an Edit column
Only the tables of the size entered below will have an Edit column.
Never have an Edit column
Regardless of the table size, no table will have an Edit column.
Tables with at least this many rows have an Edit column
This is an additional setting which only takes effect if you selected Sometimes have an Edit column above. Tables with at least as many rows as you enter in the box will have an Edit column. Tables with fewer rows than this are changeable directly.
The standard setting for new 3Com VCX IP Telecommuting Modules is Tables with at least 10 rows have an Edit column.
It is not advisable to enter a value higher than 15 here, or the web browser won’t be able to satisfactorily manage the tables.

Save

Saves the Table Look configuration to the preliminary configuration. The change takes effect immediately.

Cancel

Reverts to the previous table configuration.

Date and Time

Set the Telecommuting Module clock to ensure that the information in the logs has the right date and time. The date and time are displayed at the bottom of all pages. You can set the date and time manually or let the Telecommuting Module get the correct time from an NTP server.

Change Time Zone

Before you change the time in the Telecommuting Module, check that it uses the correct time zone. A change of time zone only affects the time displayed on the Telecommuting Module web pages; the Telecommuting Module clock is not changed.
The Time zone field shows the current time zone setting. Change time zone by selecting one in the left-hand box and pressing the Change time zone button.

Change Date and Time Manually

Here you change the Telecommuting Module clock manually. When you change time here, there will be a time gap in the log files (if you change time forwards) or the same time will be shown twice (if you change time backwards).
N.B. Before you change time here, make sure that the Telecommuting Module uses the correct time zone above.
Date
The date is written as four digits for the year, two for the month and two for the day. The punctuation between year, month and day must be dashes (-).
Time
Time is written as two digits for the hour, two digits for the minute and two digits for the second, although seconds can be left out. The punctuation between hours, minutes and seconds must be colons (:) or periods (.). A 24-hour clock is used.
Set date and time manually
Click on Set date and time manually to change the clock in the Telecommuting Module to what you entered in the Date and Time fields.
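When reviewing logs afterwards, the forward gap and the repeated time span that a manual clock change leaves behind can be found mechanically. The following is an added example, not part of the 3Com manual or product; it assumes each log line begins with a timestamp in the same format as the Date and Time fields, and the log layout, sample lines and 30-minute gap threshold are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Date and time as the manual specifies them for the Date and Time fields:
# YYYY-MM-DD, then HH:MM[:SS] with ':' or '.' as separator, 24-hour clock.
STAMP = re.compile(r"^(\d{4})-(\d{2})-(\d{2}) (\d{2})[:.](\d{2})(?:[:.](\d{2}))?(?=\s|$)")

def parse_stamp(line):
    """Return the datetime that starts a line, or None if absent or invalid."""
    m = STAMP.match(line)
    if not m:
        return None
    y, mo, d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    try:
        return datetime(y, mo, d, h, mi, s)
    except ValueError:  # e.g. month 13 or hour 25
        return None

def clock_anomalies(lines, max_gap=timedelta(minutes=30)):
    """List (kind, previous, current) for each suspicious step in log time.

    'backward' means a span of time appears twice; 'gap' means the time
    jumped forward by more than max_gap (the threshold is an assumption).
    """
    found, prev = [], None
    for line in lines:
        cur = parse_stamp(line)
        if cur is None:
            continue  # line without a usable timestamp
        if prev is not None and cur < prev:
            found.append(("backward", prev, cur))
        elif prev is not None and cur - prev > max_gap:
            found.append(("gap", prev, cur))
        prev = cur
    return found

# Constructed sample lines; not real Telecommuting Module log output.
SAMPLE_LOG = """\
2005-12-01 09:58:12 config applied by admin
2005-12-01 10:01:40 login from 192.0.2.10
2005-12-01 14:30:00 login from 192.0.2.10
2005-12-01 14:31.05 config changed by sipadmin
2005-12-01 13:45:10 login from 192.0.2.44
2005-13-01 13:46:00 malformed line, ignored
2005-12-01 13:47 logout
""".splitlines()

if __name__ == "__main__":
    for kind, before, after in clock_anomalies(SAMPLE_LOG):
        print(f"{kind:8} {before} -> {after}")
```

A quiet period with no log entries also shows up as a gap, so each hit needs to be checked against the record of who changed the clock and when.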

Change Date and Time With NTP

Instead of setting the time manually, you can let the Telecommuting Module get the correct time from an NTP server. The time for synchronizing will be notably shorter if the Telecommuting Module time is approximately correct when NTP is activated.
N.B. Before you change time here, make sure that the Telecommuting Module uses the correct time zone above.
Synchronize time with NTP
Here, select if NTP synchronizing should be enabled or not. Enter servers to sync with in the table below.
DNS name or IP address
The name/IP address of the NTP server to which the Telecommuting Module should connect.
IP address
Shows the IP address of the DNS name or IP address you entered in the previous field.
Delete Row
If you select this box, the row is deleted when you click on Add new rows, Save, or Look up all IP addresses again.
Create
Enter the number of new rows you want to add to the table, and then click on Create.

Save

Saves all Date and Time configuration to the preliminary configuration.

Cancel

Clears and resets all fields in new rows and resets changes in old rows.

Look up all IP addresses again

Looks up the IP addresses for all DNS names on this page in the DNS servers you entered on the Basic Configuration page.

Restart

Here, you can reboot the Telecommuting Module or restart certain modules. When the Telecommuting Module is rebooted, all active sessions, including SIP sessions (SIP calls, video conferences etc), will be torn down. SIP user registrations are not affected. When the SIP module is restarted, all active SIP sessions (SIP calls, video conferences etc) will be torn down and all SIP user registrations will be removed.
N.B. The reboot/restart takes place immediately when the button is pressed.