Digi WAN VPN, WAN, WAN IA, WAN 3G, WAN 3G IA User Manual

...

Digi Cellular Family User's Guide
Digi Cellular Family Products
Digi Connect® WAN Family: Digi Connect WAN GPRS, Digi Connect WAN VPN, Digi Connect WAN IA, Digi Connect WAN 3G, Digi Connect WAN 3G IA
ConnectPort WAN Family: ConnectPort WAN VPN, ConnectPort WAN Wi, ConnectPort WAN GPS
90000753_E
©Digi International Inc. 2010. All Rights Reserved. The Digi logo, Digi Connect, iDigi, ConnectPort, Digi SureLink, Digi Dialserv are trademarks or
registered trademarks of Digi International, Inc. All other trademarks mentioned in this document are the property of their respective owners. Information in this document is subject to change without notice and does not represent a
commitment on the part of Digi International. Digi provides this document “as is,” without warranty of any kind, either expressed or implied,
including, but not limited to, the implied warranties of fitness or merchantability for a particular purpose. Digi may make improvements and/or changes in this manual or in the product(s) and/or the program(s) described in this manual at any time.
This product could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes may be incorporated in new editions of the publication.
Contents
Contents........................................................................................................................................................................................ 3
About this guide...........................................................................................................................................................................6
Purpose................................................................................................................................................................................6
Audience..............................................................................................................................................................................6
Scope...................................................................................................................................................................................6
Where to find more information..........................................................................................................................................6
Digi contact information .....................................................................................................................................................7
Chapter 1: Introduction............................................................................................................................................................8
Important Safety Information..............................................................................................................................................8
Digi Cellular Family products.............................................................................................................................................9
Digi Connect™ WAN...............................................................................................................................................9
Digi Connect™ WAN VPN......................................................................................................................................9
Digi Connect™ WAN IA
Digi Connect WAN 3G IA......................................................................................................................................10
Digi Connect WAN 3G...........................................................................................................................................10
ConnectPort™ WAN VPN .....................................................................................................................................11
Wireless carrier certifications............................................................................................................................................11
Features .............................................................................................................................................................................12
User interfaces.........................................................................................................................................................12
Quick reference for configuring features ................................................................................................................13
Hardware features ...................................................................................................................................................18
Network interface features ......................................................................................................................................18
Configurable network services................................................................................................................................18
IP protocol support..................................................................................................................................................19
Mobile/Cellular features and protocol support........................................................................................................23
RealPort software....................................................................................................................................................24
Alarms.....................................................................................................................................................................24
Modem emulation ...................................................................................................................................................25
Security features......................................................................................................................................................25
Configuration management.....................................................................................................................................26
Customization capabilities ......................................................................................................................................26
Supported connections and data paths in Digi devices .....................................................................................................27
Interfaces for configuring, monitoring, and administering Digi devices..........................................................................30
Configuration capabilities .......................................................................................................................................30
Configuration interfaces..........................................................................................................................................30
Monitoring capabilities and interfaces....................................................................................................................36
Device administration .............................................................................................................................................37
Chapter 2: Configure Digi devices.........................................................................................................................................38
Default IP address and methods for assigning an IP address............................................................................................39
Configure an IP address using DHCP.....................................................................................................................39
Configure an IP address using Auto-IP...................................................................................................................39
Configure an IP address from the command-line interface.....................................................................................40
IP addresses and the iDigi Platform........................................................................................................................40
Test the IP address configuration............................................................................................................................40
Configuration through the iDigi Platform.........................................................................................................................41
Create an Account on iDigi.com.............................................................................................................................41
Add the Digi device to the idigi.com Device List...................................................................................................42
iDigi Platform views for configuring and managing Digi devices .........................................................................44
Configuration through the web interface..........................................................................................................................47
Open the web interface............................................................................................................................................47
Organization of the web interface...........................................................................................................................49
Change the IP address from the web interface, as needed ......................................................................................52
Network configuration settings ...............................................................................................................................53
Mobile (cellular) settings ........................................................................................................................................97
Serial port settings................................................................................................................................................110
Camera settings.....................................................................................................................................................119
Alarms...................................................................................................................................................................121
System settings......................................................................................................................................................125
Remote management settings................................................................................................................................131
Security settings ....................................................................................................................................................136
Position (GPS support)..........................................................................................................................................140
Applications ..........................................................................................................................................................142
Configuration through the command line .......................................................................................................................147
Access the command line......................................................................................................................................147
Verify device support of commands .....................................................................................................................147
Configuration through Simple Network Management Protocol (SNMP)......................................................................150
Batch capabilities for configuring multiple devices........................................................................................................150
Chapter 3: Monitor and manage Digi devices....................................................................................................................151
Monitoring capabilities from the iDigi Platform.............................................................................................................152
Monitoring capabilities in the web interface...................................................................................................................153
Display system information ..................................................................................................................................153
Manage connections and services.........................................................................................................................168
Monitoring capabilities from the command line .............................................................................................................171
Commands for displaying device information and statistics ................................................................................171
Commands for managing connections and sessions ............................................................................................. 173
Monitoring Capabilities from SNMP..............................................................................................................................174
Chapter 4: Digi device administration ................................................................................................................................175
Administration from the web interface ...........................................................................................................................175
File management...................................................................................................................................................176
X.509 Certificate/Key Management .....................................................................................................................177
Backup/restore device configurations...................................................................................................................180
Update firmware and Boot/POST Code................................................................................................................181
Restore a device configuration to factory defaults................................................................................................182
Display system information ..................................................................................................................................184
Reboot the Digi device..........................................................................................................................................184
Enable/disable access to network services............................................................................................................184
Administration from the command-line interface...........................................................................................................185
Chapter 5: Specifications and certifications.......................................................................................................................186
Hardware specifications..................................................................................................................................................187
Digi Connect WAN product specifications...........................................................................................................187
ConnectPort WAN product specifications ............................................................................................................189
Digi Connect WAN 3G specifications..................................................................................................................190
Digi Connect WAN 3G IA specifications.............................................................................................................191
Wireless networking features..........................................................................................................................................192
Regulatory information and certifications.......................................................................................................................194
RF exposure statement ..........................................................................................................................................194
FCC certifications and regulatory information (USA only)..................................................................................194
Industry Canada (IC) certifications.......................................................................................................................195
Safety statements...................................................................................................................................................196
International EMC (Electromagnetic Emissions/Immunity/Safety) standards.....................................................198
Chapter 6: Troubleshooting.................................................................................................................................................199
Troubleshooting Resources.............................................................................................................................................199
System status LEDs.........................................................................................................................................................200
Connect WAN Family LEDs and buttons.............................................................................................................200
ConnectPort WAN Family LEDs and buttons......................................................................................................203
Glossary....................................................................................................................................................................................205
About this guide
Purpose
This guide describes and shows how to provision, configure, monitor, and administer Digi devices.
Audience
This guide is intended for those responsible for setting up Digi devices. It assumes some familiarity with networking concepts and protocols. A glossary is provided with definitions for networking terms and features discussed in the content.
Scope
This guide focuses on configuration, monitoring, and administration of Digi devices. It does not cover hardware details beyond a certain level, application development, or customization of Digi devices.
Where to find more information
In addition to this guide, find additional product and feature information in these documents:
- Online help and tutorials in the web interface for the Digi device
- Quick Start Guides
- RealPort® Installation Guide
- Cellular 101 Tutorial
- Digi Connect Family Customization and Integration Guide
- iDigi tutorials and user's guides
- Release Notes
- Cabling Guides
- Python developer Wiki
- Product information available on the Digi website, www.digi.com, and Digi's support site at www.digi.com/support, including Support Forums, Knowledge Base, Data sheets/product briefs, application/solution guides, and carrier-specific documents
Digi contact information
For more information about Digi products, or for customer service and technical support, contact Digi International.
To contact Digi International by:
Mail: Digi International, 11001 Bren Road East, Minnetonka, MN 55343 U.S.A.
World Wide Web: http://www.digi.com/support/
Email: http://www.digi.com/contactus/email.jsp/
Telephone (U.S.): (952) 912-3444 or (877) 912-3444
Telephone (other locations): +1 (952) 912-3444 or (877) 912-3444
Chapter 1: Introduction
This chapter introduces Digi devices and their product families, types of connections and data paths in which Digi devices can be used, and the interface options available for configuring, monitoring, and administering Digi devices.
Important Safety Information
To avoid contact with electrical current:
- Never install electrical wiring during an electrical storm.
- Never install an Ethernet connection in wet locations unless that connector is specifically designed for wet locations.
- Use caution when installing or modifying lines.
- Use a screwdriver and other tools with insulated handles.
- Wear safety glasses or goggles.
- Do not place Ethernet wiring or connections in any conduit, outlet or junction box containing electrical wiring.
- Installation of inside wire may bring you close to electrical wire, conduit, terminals and other electrical facilities. Extreme caution must be used to avoid electrical shock from such facilities. Avoid contact with all such facilities.
- Ethernet wiring must be at least 6 feet from bare power wiring or lightning rods and associated wires, and at least 6 inches from other wire (antenna wires, doorbell wires, wires from transformers to neon signs), steam or hot water pipes, and heating ducts.
- Do not place an Ethernet connection where it would allow a person to use an Ethernet device while in a bathtub, shower, swimming pool, or similar hazardous location.
- Protectors and grounding wire placed by the service provider must not be connected to, removed, or modified by the customer.
- Do not touch uninsulated Ethernet wiring if lightning is likely!
- External Wiring: Any external communications wiring installed needs to be constructed to all relevant electrical codes. In the United States this is the National Electrical Code Article 800. Contact a licensed electrician for details.
Digi Cellular Family products
In the Digi Cellular Family, there are two groups of products: Digi Connect WAN products and ConnectPort WAN products.
Digi Connect™ WAN
Digi Connect WAN is a wireless WAN gateway. It provides high-performance Ethernet-to-wireless communications through cellular GSM (Global System for Mobile communication) or CDMA (Code Division Multiple Access) networks for primary and backup connectivity to remote locations. It uses General Packet Radio Service (GPRS)/Enhanced Data Rates for GSM Evolution (EDGE) to offer an easy and cost-effective means of connecting virtually any remote location into the corporate IP network. It is ideal for use where wired networks (for example, leased line/frame relay, CSU/DSU, fractional T1) are not feasible or where alternative network connections are required.
Benefits of wireless communications through Digi Connect WAN include instant deployment, elimination of wiring costs and problems due to wire breaks, the ability to traverse firewalls, and the ability to move the connection virtually anywhere.
Digi Connect™ WAN VPN
The Digi Connect WAN VPN (Virtual Private Network) is a small cellular-enabled router that securely connects remote subnets using the Encapsulating Security Payload (ESP) version of IPsec (IP security) VPN technology. IPsec ESP uses IP protocol 50 and requires each VPN endpoint be able to reach the other, which usually means each end has a public IP address. Authentication Header (AH) is not currently supported.
The Digi Connect WAN VPN handles the routing between networks. Devices within the Digi Connect WAN VPN’s private network can connect directly to devices on the other private network with which the VPN tunnel is established. Configuring VPN tunnels using security settings and methods ensures that the networks are secure.
The Digi Connect WAN VPN is based on the same feature set as Digi Connect WAN, plus VPN capability.
Digi Connect™ WAN IA and Digi Connect WAN 3G IA
Digi Connect WAN IA is a full-featured serial-to-cellular or Ethernet-to-cellular router designed for Industrial Automation applications. It features a DIN rail mount kit, terminal blocks for 9-30 VDC power input, Modbus to Modbus TCP conversion support, Class 1, Division 2 certification and hardened temperature specifications.
Digi Connect WAN 3G IA is an industrial-grade 2.5 to 3G Wireless WAN GSM/GPRS/EDGE/HSUPA, CDMA/EV-DO router/gateway.
These products offer all of the functionality of the Digi Connect WAN VPN plus an industrial-grade feature set, including a Modbus bridge for multi-master access and mixing of protocols such as Modbus/TCP, Modbus/UDP, Modbus/RTU, and Modbus/ASCII. ModbusPlus requires dedicated hardware and is not supported.
These products provide an alternative to traditional wired TCP/IP Wide Area Networks (WANs), using global wireless Cellular, and IPSec VPN technology to create secure primary and backup network connectivity. They offer an easy, cost-effective means of securely connecting virtually any remote location or device into the corporate IP network.
The Modbus Bridge functionality enables remote Masters to connect through both the Cellular IP network and the local Ethernet. It supports these protocols:
- Modbus/TCP transported by TCP/IP or UDP/IP
- Modbus/RTU transported by serial, TCP/IP, or UDP/IP
- Modbus/ASCII transported by serial, TCP/IP, or UDP/IP
The factory default settings for these products provide you with a base configuration for Industrial Automation that you can modify from the device's Telnet command-line interface. These factory defaults should be sufficient for most Industrial Automation applications. Should you need to change the settings from the factory defaults, use the "set ia" command, described in the Digi Connect Family Command Reference. By default, these products use a specialized set of serial port configuration settings for Industrial Automation, or port profile, that you can associate with serial ports during device configuration (See "About port profiles" on page 110).
For more details on the Modbus Bridge, see the Digi document Remote Cellular TCP/IP Access to Modbus Ethernet and Serial Devices, P/N 90000773.
Digi Connect WAN 3G
Digi Connect WAN 3G is a 3G high-speed upgradeable HSUPA/EV-DO Rev A Wireless WAN cellular router with integrated VPN. It provides primary and backup connectivity to remote sites and devices.
ConnectPort™ WAN VPN
ConnectPort WAN VPN is a hardened, upgradeable 3G cellular router that provides secure high-speed wireless connectivity to remote sites and devices. It can be used for primary wireless broadband network connectivity to equipment at remote locations, as well as for a backup to existing landline communications. The ConnectPort WAN VPN is ideal for use where wired networks (for example, leased line/frame relay, ISDN, DSL) are not feasible, or where alternative network connections are required.
The flexible design of the ConnectPort WAN VPN ensures easy upgrading through supported Type 2 PCMCIA Card slots or PCI Express modules. With an upgradeable wireless network platform, you can quickly migrate to future 3G platforms and beyond. ConnectPort WAN VPN also includes two RS-232 serial ports for connecting legacy COM devices and a built-in four-port 10/100 Ethernet switch for connecting additional TCP/IP network devices.
Benefits of the ConnectPort WAN VPN include instant deployment, elimination of wiring costs, elimination of problems due to wire breaks, and the flexibility to move the connection virtually anywhere.
Applications include utilities, industrial automation, POS/retail, financial (ATMs), traffic, medical, video surveillance and more. For applications requiring secure connections, ConnectPort WAN VPN offers an available integrated IPsec VPN client/server for true end to end data protection.
Wireless carrier certifications
Digi devices are being certified around the world with major carriers supporting these technologies. For a current list of carrier certifications for your Digi product, go to digi.com and open the product pages for your product. Click the Specs tab of the product pages. Carrier certifications are listed under Mobile Certifications or Carrier Certifications.
Features
This is an overview of key features in Digi devices. Software features are covered in more detail in the next three chapters. Hardware specifications are covered in Chapter 5, "Specifications and certifications".
User interfaces
There are several user interfaces for configuring and monitoring Digi devices, including the following. Some of these user interfaces can be customized.
- The iDigi Platform
- A web-based interface for configuring, monitoring, and administering Digi devices. For Digi devices that ship with a default IP address, simply connecting a laptop computer to the Ethernet port of these products allows direct access to the web interface for configuration.
- A command-line interface available via local serial port, telnet or SSH.
- Simple Network Management Protocol (SNMP).
Quick reference for configuring features
This guide primarily focuses on configuring, monitoring, and administ erin g D igi device s from the web interface. This table provides a quick reference for configuring features and performing device tasks, and where to find the features and settings in the web interface and this guide. Click the page number in the Page column to jump to instructions on configuring or using the feature. Some features are configurable from the command line interface only. In those cases, the commands that configure the feature are noted. The command descriptions are in the Digi Conn ect Family Command Reference.
Feature/task Path to feature in the web interface See page
Administration/Configuration management:
Introduction
File management: uploading and
downloading files, such as applet files, and custom splash screens.
Python program file
management.
Backup/restore a configuration
from a TFTP server on the network
Update firmware
Reset configuration to factory
defaults
System information, including
device identifiers and statistics
Reboot the Digi device
Certificate and key management,
including X.509, VPN, SSL, SSH
Administration > File Management
176
See also the Digi Connect Family Customization and Integration Guide for information on uploading and downloading files used to customized a Digi device’s look-and-feel.
Applications > Python 142
Administration > Backup/Restore 180
Administration > Update Firmware 181
Administration > Factory Default Settings 182
Administration > System Information 184
Administration > Reboot 184
Administration > X.509 Certificate and Key Management 177
Alarms Configuration > Alarms 121
Autoconnection: automatically connect a user to a server or network
Configuration > Serial Ports > port > Profile Settings > TCP Sockets > Automatically establish TCP connections
device
Connection management:
Manage serial port connections
Management > Serial Ports 168
112
13
Introduction
Feature/task: Path to feature in the web interface (See page)
  Manage Virtual Private Network (VPN) connections: Management > Connections > Virtual Private Network (VPN) Settings (page 168)
  Manage active system connections: Management > Connections > Active System Connections (page 168)
  Manage network services: Management > Network Services (page 169). (Currently only DHCP server settings are managed from here.)
Domain Name System (DNS):
  DNS Client: Configuration > Network > Advanced Network Settings (page 92)
  Dynamic DNS (DDNS) update: Configuration > Network > Dynamic DNS Update Settings (page 67)
Dynamic Host Configuration Protocol (DHCP) server: To configure a DHCP server: Configuration > Network > DHCP Server Settings (page 60). To start and stop and show status of a DHCP server: Management > Network Services > DHCP Server Management
Ethernet settings: Configuration > Network > Advanced Network Settings (page 92)
Event logging for the Digi device: Management > Event Logging (page 168)
Help on configuring features: Help button on each page.
Host name for a device: Configuration > Network > Advanced Network Settings > Host Name (page 92)
Industrial Automation (IA): Configuration > Serial Ports > Select Port Profile > Industrial Automation (page 146). The Industrial Automation port profile should address most configuration scenarios. To fine-tune your IA settings, use the “set ia” command from the command line. See the set ia command description in the Digi Connect Family Command Reference. For additional information on configuring Industrial Automation, see this web site: http://www.digi.com/support/ia
IP address settings: Configuration > Network > IP Settings; Configuration > Network > Advanced Settings (pages 39, 55, 60, 92)
IP filtering / access control: Configuration > Network > IP Filtering Settings (page 70)
IP forwarding: Network Address Translation (NAT) and port forwarding configuration/static routes: Configuration > Network > IP Forwarding Settings (page 71)
IP pass-through: Configuration > Network > IP Pass-through (page 79)
Mobile (cellular) settings:
  Provisioning the cellular modules: Configuration > Mobile (page 99). For Digi Cellular products that have a cellular module, provisioning must be performed once. To launch a wizard for provisioning the module, go to Configuration > Mobile. Under Mobile Service Provider Settings, click the Provision Device button. Provisioning can also be performed from the command line. To provision the CDMA module: provision. To display existing provisioning parameters: displayprovisioning.
  Mobile service provider and connection settings: Configuration > Mobile (pages 98, 105). Settings displayed vary by mobile service provider.
  SureLink™ Settings: Configuration > Mobile > SureLink Settings (page 105)
Modem emulation: Configuration > Serial Ports > Port Profile Settings > Modem Emulation (page 114). See the Connect Family Command Reference for modem emulation commands.
Port logging: enabling port buffering and displaying contents of a port buffer (page 116). To enable port logging: Configuration > Serial Ports > Advanced Serial Settings. To display the contents of a port buffer: Management > Serial Ports > Port Logs
Port profiles: sets of preconfigured serial-port settings for a particular connection and use scenario: Configuration > Serial Ports > Port Profile Settings (page 110)
Python support: loading and running custom programs authored in the Python programming language: Applications > Python (page 142). For more information on writing and running Python programs, see the Digi Python Programming Guide.
RealPort (COM port redirection) configuration: Configuration > Serial Ports > port > Port Profile Settings > RealPort (page 111). See also the RealPort Installation Guide.
Remote device management: Configuration > Remote Management (page 131)
Reverting configuration settings: Administration > Factory Default Settings (page 182)
Security/access control features:
  Control access to inbound ports: Configuration > Serial Ports > port > Port Profile Settings > TCP Sockets or UDP Sockets or Custom port profile (page 110)
  Secure Shell Server (SSH): Configuration > Security > Enable SSH public key authentication; Network > Network Services > Enable Secure Shell Server (SSH) (pages 139, 65)
  Establish/change user name for a user: Configuration > Security (page 136)
  Issue a new/changed password to a user: Configuration > Security (page 136)
Serial port configuration:
  Basic serial port settings: Configuration > Serial Ports > Basic Serial Settings (page 115)
  Advanced serial port settings: Configuration > Serial Ports > Advanced Serial Settings (page 116)
  Port profiles: associate a serial port with a set of preconfigured port settings for a specific use: Configuration > Serial Ports > Port Profile Settings (page 110)
  RCI over serial mode: Configuration > Serial Ports > Advanced Serial Settings (page 116)
  RTS Toggle: Configuration > Serial Ports > Advanced Serial Settings (page 116)
  TCP serial connections: Configuration > Serial Ports > port > Port Profile Settings > TCP Sockets port profile (page 112)
  UDP serial characteristics: Configuration > Serial Ports > port > Port Profile Settings > UDP Sockets port profile (page 113)
Simple Network Management Protocol (SNMP):
  Configure SNMP through the web interface: Configuration > System > Simple Network Management Protocol (SNMP) Settings (page 128)
  Enable/disable SNMP service: Configuration > Network > Network Services (page 64)
  Enable/disable SNMP alarm traps: Configuration > Alarms > alarm > Send SNMP trap to following destination when alarm occurs (pages 123, 124)
  Use SNMP as primary configuration interface: Basic network and serial settings are configurable through standard and Digi-specific Management Information Blocks (MIBs) (pages 35, 150). More advanced settings must be set through the web or command-line user interfaces, and sending alarms as SNMP traps must be configured through the web interface, on the pages listed above.
System information: assign system-identifying information to a device: Configuration > System > Device Identity Settings (page 125)
Socket Tunnel Settings: Configuration > Network > Socket Tunnel Settings (page 78)
Statistics for Digi devices: Administration > System Information (page 153)
Status of Digi devices: Management > Serial Ports, Connections, Network Services (page 168)
VPN (Virtual Private Network): To configure VPN: Configuration > Network > Virtual Private Network (VPN) Settings (page 79). To manage VPN: Management > Connections > Virtual Private Network (VPN) Connections
Wi-Fi (wireless LAN) devices:
  Wireless LAN Settings: Configuration > Network > WiFi LAN Settings (page 56)
  Wireless Security Settings: Configuration > Network > WiFi Security Settings (page 57)
  Wireless 802.1x Authentication Settings: Configuration > Network > WiFi 802.1x Settings (page 59)
Hardware features
A summary of hardware features, including power-supply information, is in "Hardware specifications" on page 187.
Network interface features
A detailed list of network interface features is in Chapter 5, "Specifications and certifications". See also the data sheet for your Digi product.
Configurable network services
Access to network services can be enabled and disabled. This means that a device’s use of network services can be restricted to those strictly needed by the device. To improve device security, non-secure services, such as Telnet, can be disabled.
Network services that can be enabled or disabled include:
– Advanced Digi Discovery Protocol (ADDP): can enable or disable ADDP, but cannot change its network port number.
– RealPort
– Encrypted RealPort
– HTTP/HTTPS
– Line Printer Daemon (LPD)
– Remote Login (rlogin)
– Remote Shell (rsh)
– Simple Network Management Protocol (SNMP)
– Telnet
In the web interface, access to network services is enabled and disabled on the Network Services page of Network Configuration. For more information, see "Network services settings" on page 64. In the command-line interface, network services are enabled and disabled through the set service command. See the Digi Connect Family Command Reference for the set service command description.
IP protocol support
All Digi devices include a robust on-board TCP/IP stack with a built-in web server. Supported protocols include, unless otherwise noted:
– Transmission Control Protocol (TCP)
– User Datagram Protocol (UDP)
– Dynamic Host Configuration Protocol (DHCP)
– Simple Network Management Protocol (SNMP)
– Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
– Telnet
– Com Port Control Option (Telnet) including support of RFC 2217 (ability to control serial port through Telnet). See "Serial data communication over TCP and UDP" on page 20 for additional information.
– Remote Login (rlogin)
– Line Printer Daemon (LPD)
– HyperText Transfer Protocol (HTTP)/HyperText Transfer Protocol over Secure Socket Layer (HTTPS)
– Simple Mail Transfer Protocol (SMTP)
– Internet Control Message Protocol (ICMP)
– Internet Group Management Protocol (IGMP)
– Address Resolution Protocol (ARP)
– Advanced Digi Discovery Protocol (ADDP)
– Point to Point Protocol (PPP)
– Network Address Translation (NAT)/Port Forwarding
– Secure Shell (SSHv2)
– Generic Routing Encapsulation (GRE) Passthrough
– IPSec Encapsulating Security Payload (ESP) on most models
– ESP Passthrough
Following is an overview of some of the services provided by these protocols.
Serial data communication over TCP and UDP
Digi devices support serial data communication over TCP and UDP. Key features include:
– Serial data communication over TCP, also known as autoconnect and tcpserial, can automatically perform the following functions:
  – Establish bidirectional TCP connections, known as autoconnections, between the serial device and a server or other network device. Autoconnections can be made based on data and/or serial hardware signals.
  – Control forwarding characteristics based on size, time, and pattern.
  – Allow incoming raw, Telnet, and SSL/TLS (secure-socket) connections.
  – Support RFC 2217, an extension of the Telnet protocol.
– Serial data communication over UDP, also known as udpserial, can automatically perform the following functions:
  – Digi Connect products can automatically send serial data to one or more devices or systems on the network using UDP sockets. Options for sending data include whether specific data is on the serial line, a specific time period has elapsed, or after the specified number of bytes has been received on the serial port.
  – Control forwarding characteristics based on size, time, and patterns.
  – Support incoming datagrams from multiple destinations.
  – Support outgoing datagrams sent to multiple destinations.
– TCP/UDP forwarding characteristics. Extended communication control on TCP/UDP data paths:
  – Timeout
  – Hangup
  – User-configurable Socket ID string (text string identifier on autoconnect only)
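To make the forwarding and autoconnect rules above concrete, here is an added Python model of them (not Digi firmware code): a buffer that flushes serial bytes to the network side on a size, idle-time or pattern trigger, plus the autoconnect decision on data and/or modem signals. The trigger names, sample bytes and timings are constructed for this example.

```python
"""Model of the serial-to-network forwarding and autoconnect rules described
above. Added example for this guide, not Digi firmware code; trigger names,
sample bytes and timings are constructed for illustration."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ForwardingPolicy:
    """Forwarding characteristics: any satisfied trigger flushes the buffer;
    None (or 0) disables that trigger."""
    max_bytes: Optional[int] = None   # size: flush once this many bytes are buffered
    idle_ms: Optional[int] = None     # time: flush when the line has been idle this long
    pattern: Optional[bytes] = None   # pattern: flush through the end of this byte sequence


@dataclass
class SerialForwarder:
    """Buffers bytes read from a serial port and decides when to hand them to
    the network side as one TCP write or one UDP datagram."""
    policy: ForwardingPolicy
    buf: bytearray = field(default_factory=bytearray)
    last_rx_ms: Optional[int] = None
    sent: List[bytes] = field(default_factory=list)   # every chunk forwarded so far

    def on_serial_data(self, data: bytes, now_ms: int) -> List[bytes]:
        """Feed bytes from the serial line; returns the chunks forwarded right now."""
        self.buf.extend(data)
        self.last_rx_ms = now_ms
        out: List[bytes] = []
        p = self.policy
        # Pattern trigger: forward everything up to and including each match.
        if p.pattern:
            idx = self.buf.find(p.pattern)
            while idx >= 0:
                end = idx + len(p.pattern)
                out.append(self._emit(bytes(self.buf[:end])))
                del self.buf[:end]
                idx = self.buf.find(p.pattern)
        # Size trigger: forward full-size blocks; a partial tail stays buffered.
        if p.max_bytes:
            while len(self.buf) >= p.max_bytes:
                out.append(self._emit(bytes(self.buf[:p.max_bytes])))
                del self.buf[:p.max_bytes]
        return out

    def on_tick(self, now_ms: int) -> Optional[bytes]:
        """Periodic timer callback implementing the idle-time trigger."""
        p = self.policy
        if not p.idle_ms or not self.buf or self.last_rx_ms is None:
            return None
        if now_ms - self.last_rx_ms >= p.idle_ms:
            chunk = self._emit(bytes(self.buf))
            self.buf.clear()
            return chunk
        return None

    def _emit(self, chunk: bytes) -> bytes:
        self.sent.append(chunk)
        return chunk


def autoconnect_wanted(trigger: str, data_pending: bool, dcd: bool, dsr: bool) -> bool:
    """Autoconnect decision: open the outbound connection on buffered data
    and/or on serial hardware signals. The trigger names are this example's
    own labels, not the product's option names."""
    rules = {
        "always": True,
        "on-data": data_pending,
        "on-dcd": dcd,
        "on-dsr": dsr,
        "on-data-or-dcd": data_pending or dcd,
    }
    return bool(rules[trigger])


def run_demo() -> List[bytes]:
    """Constructed traffic from a line-oriented meter, one reading per line."""
    fwd = SerialForwarder(ForwardingPolicy(max_bytes=16, idle_ms=50, pattern=b"\r\n"))
    fwd.on_serial_data(b"V=230", now_ms=0)        # no trigger yet
    fwd.on_serial_data(b".1\r\nI=1", now_ms=10)   # pattern fires: first reading goes out
    fwd.on_tick(now_ms=30)                        # 20 ms idle: nothing
    fwd.on_tick(now_ms=70)                        # 60 ms idle: partial line flushed
    fwd.on_serial_data(b"A" * 40, now_ms=80)      # size fires twice; 8 bytes stay buffered
    return fwd.sent
```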
Dynamic Host Configuration Protocol (DHCP)
Dynamic Host Configuration Protocol (DHCP) can be used to automatically assign IP addresses, deliver TCP/IP stack configuration parameters such as the subnet mask and default router, and provide other configuration information. For further details, see "Configure an IP address using DHCP" on page 39.
Auto-IP
Auto-IP is a protocol that will automatically assign an IP address from a reserved pool of standard Auto-IP addresses to the computer on which it is installed. If a Digi device is set to obtain its IP address automatically from a DHCP server and the DHCP server is unavailable or nonexistent, Auto-IP will assign the device an IP address. For further details, see "Configure an IP address using Auto-IP" on page 39.
Simple Network Management Protocol (SNMP)
Simple Network Management Protocol (SNMP) is a protocol for managing and monitoring network devices. The SNMP architecture enables a network administrator to manage nodes (servers, workstations, routers, switches, hubs, and so on) on an IP network; manage network performance; find and solve network problems; and plan for network growth. Digi devices support SNMP Versions 1 and 2. For more information on SNMP as a device-management interface, see "Simple Network Management Protocol (SNMP)" on page 35. For a list of supported SNMP-related Requests for Comments (RFCs) and Management Information Bases (MIBs), see page 128.
Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
Secure Sockets Layer (SSL)/Transport Layer Security (TLS) are used to provide authentication and encryption for Digi devices. For more information, see "Security features" on page 25.
Telnet
Digi devices support the following types of Telnet connections:
– Telnet Client
– Telnet Server
– Reverse Telnet, often used for console management or device management
– Telnet Autoconnect
– RFC 2217, Telnet Com Port Control Option, an extension of the Telnet protocol
For more information on these connections, see "Supported connections and data paths in Digi devices" on page 27. Access to Telnet network services can be enabled or disabled.
Remote Login (rlogin)
Users can perform logins to remote systems (rlogin). Access to rlogin service can be enabled or disabled.
Line Printer Daemon (LPD)
The Line Printer Daemon (LPD) allows network printing over a serial port. Each serial port has a dedicated LPD server that is independently configurable. Access to LPD service can be enabled or disabled.
HyperText Transfer Protocol (HTTP)/HyperText Transfer Protocol over Secure Socket Layer (HTTPS)
Digi devices provide web pages for configuration that can be secured by requiring a user login.
Internet Control Message Protocol (ICMP)
ICMP statistics can be displayed, including the number of messages received, bad messages received, and destination unreachable messages received.
Point-to-Point Protocol (PPP)
The Point-to-Point Protocol (PPP) transports multi-protocol packets over point-to-point links. PPP encapsulates the data packet, allows the server to inform the dial-up client of its IP address (or the client to request the IP address), authenticates the exchange, negotiates multiple protocols, and reassembles the data packet for network communication. Digi Cellular Family devices support PPP as the connection protocol from the Digi device to the cellular IP network with NAT (Network Address Translation).
Network Address Translation (NAT)/Port Forwarding
Network Address Translation (NAT) reduces the need for a large amount of publicly known IP addresses by creating a separation between publicly known and privately known IP addresses.
Advanced Digi Discovery Protocol (ADDP)
The Advanced Digi Discovery Protocol (ADDP) runs on any operating system capable of sending multicast IP packets on a network. ADDP allows the system to identify all ADDP-enabled Digi devices attached to a network by sending out a multicast packet. The Digi devices respond to the multicast packet and identify themselves to the client sending the multicast.
ADDP communicates with the TCP/IP stack using UDP. The TCP/IP stack should be able to receive multicast packets and transmit datagrams on a network.
Not all Digi devices support ADDP. Access to ADDP service can be enabled or disabled, but the network port number for ADDP cannot be changed from its default.
Generic Routing Encapsulation (GRE) Passthrough / Encapsulating Security Payload (ESP) / ESP Passthrough
Generic Routing Encapsulation (GRE) and Encapsulating Security Payload (ESP) are routing protocols that are used to route (tunnel) various types of information between networks.
GRE applies to the encapsulation of IP datagrams tunnelled through the internet. The encapsulation includes security, typically in the form of IPSec (IP security), and is most commonly found in VPN (Virtual Private Network) implementations. RFC (Request For Comment) 1701 and 1702 define these standards. Similarly, ESP is used in conjunction with IPsec as a possible way of carrying IP packets for a Virtual Private Network (VPN) setup. ESP is defined in RFC 2406.
In ESP Passthrough and GRE Passthrough, inbound IPsec ESP or GRE protocol traffic is forwarded to a VPN device connected to the Digi device’s Ethernet port.
Note: If an Auto-key Internet Key Exchange (IKE)-based VPN is used, UDP port 500 must also be forwarded.
Mobile/Cellular features and protocol support
Key cellular features in cellular-enabled Digi devices include:
– Cellular network bandwidth: GSM: GPRS, EDGE, UMTS, HSPA; CDMA: 1xRTT, Ev-DO (Revs 0 and A)
– Antenna connector:
– 3-5 Volt SIM card
– Transmit power:
– Provisioning made easy through a wizard (Mobile Device Provisioning Wizard)
– IPSec ESP / IKE
– IP Pass-through, also known as bridge mode
Provisioning wizard
For Digi devices equipped with a Code-Division Multiple Access (CDMA)-based cellular modem, a wizard is available in the web interface to properly configure the Digi device with the required configuration used to access the mobile network. The wizard allows for both automatic and manual provisioning for a variety of mobile service providers.
Digi SureLink™
Digi Connect Family, Digi Cellular Family, and ConnectPort X Family products support the Digi SureLink™ feature. Digi SureLink provides an “always-on” mobile network connection to ensure that a Digi device is in a state where it can connect to the network. It does this through hardware reset thresholds and periodic tests of the connection.
Mobile/Cellular protocols
Mobile/cellular protocols supported include, unless otherwise noted:
– Global System for Mobile communication (GSM)
– General Packet Radio Service (GPRS)
– Enhanced Data Rates for GSM Evolution (EDGE)
– Universal Mobile Telecommunications Service (UMTS)
– High Speed Packet Access (HSPA)
– Code-Division Multiple Access (CDMA)
– Evolution-Data Optimized (EV-DO, EVDO, or 1xEV-DO)
RealPort software
Digi devices use the patented RealPort COM/TTY port redirection for Microsoft Windows. RealPort software provides a virtual connection to serial devices, no matter where they reside on the network. The software is installed directly on the host PC and allows applications to talk to devices across a network as though the devices were directly attached to the host. Actually, the devices are connected to a Digi device somewhere on the network.
RealPort is unique among COM port re-directors because it is the only implementation that allows multiple connections to multiple ports over a single TCP/IP connection. Other implementations require a separate TCP/IP connection for each serial port. Unique features also include full hardware and software flow control, as well as tunable latency and throughput.
Access to RealPort services can be enabled or disabled.
Encrypted RealPort
Digi devices also support RealPort software with encryption. Encrypted RealPort offers a secure Ethernet connection between the COM or TTY port and a device server or terminal server. Encryption prevents internal and external snooping of data across the network by encapsulating the TCP/IP packets in a Secure Sockets Layer (SSL) connection and encrypting the data using Advanced Encryption Standard (AES), one of the latest, most efficient security algorithms. Access to Encrypted RealPort services can be enabled or disabled.
Digi’s RealPort with encryption driver has earned Microsoft’s Windows Hardware Quality Lab (WHQL) certification. Drivers are available for a wide range of operating systems, including Microsoft Windows Server 2003, Windows XP, Windows 2000, Windows NT, Windows 98, Windows ME; SCO Open Server; Linux; AIX; Sun Solaris SPARC; Intel; and HP-UX. It is ideal for financial, retail/point-of-sale, government or any application requiring enhanced security to protect sensitive information.
Alarms
Digi devices can be configured to issue alarms, in the form of email messages or SNMP traps, when certain device events occur. These events include certain data patterns being detected in the data stream, and cellular alarms for signal strength and amount of cellular traffic for a given period of time. Receiving alarms about these conditions provides the advantage of notifications being issued when events occur, rather than having to monitor the device on an ongoing basis to determine whether these events have occurred. Alarms can also be forwarded to the iDigi platform for display and management in that platform. For more information on configuring alarms, see "Alarms" on page 121.
Modem emulation
Digi devices include a configuration profile that allows the device to emulate a modem. Modem emulation sends and receives modem responses to a serial device over TCP/IP (including Ethernet and Cellular) instead of the Public Switched Telephone Network (PSTN). The modem emulation profile allows maintaining a current software application but using it over the less expensive Ethernet network. In addition, Telnet processing can be enabled or disabled on the incoming and outgoing modem-emulation connections. The modem-emulation commands supported in Digi devices are documented in the Digi Connect Family Command Reference.
Security features
Security-related features in Digi devices include:
Secure access and authentication
– One password, one permission level.
– Can issue passwords to device users.
– Can selectively enable and disable network services such as ADDP, RealPort, Encrypted RealPort, HTTP/HTTPS, LPD, Remote Login, Remote Shell, SNMP, and Telnet.
– Can control access to inbound ports.
– Secure sites for configuration: HTML pages for configuration have appropriate security.
– Can control access to specific devices, IP addresses, or networks through IP filtering.
Encryption
– Strong Secure Sockets Layer (SSL) V3.0/Transport Layer Security (TLS) V1.0-based encryption: DES (64-bit), 3DES (192-bit), AES (128-/192-/256-bit), IPsec ESP: DES, 3DES, AES.
– Encrypted RealPort offers encryption for the Ethernet connection between the COM/TTY port and the Digi device. Encryption prevents internal and external snooping of data across the network by encapsulating the TCP/IP packets in a Secure Sockets Layer (SSL) connection and encrypting the data using the Advanced Encryption Standard (AES) security algorithm.
SNMP security
– Authorization: Changing public and private community names is recommended to prevent unauthorized access to the device.
– SNMP “set” commands can be disabled to make use of SNMP read-only.
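As an added example (not Digi code) covering both the network-services list in "Configurable network services" and the security features above, this Python audit checks a device's service and SNMP settings against that guidance: disable cleartext services that are not required, prefer their protected counterparts, change the default community names, and keep SNMP read-only. The configuration dictionary layout and sample values are constructed assumptions, not the output of the set service command.

```python
"""Audit of a Digi device's network-service and SNMP settings against the
security guidance in this guide. Added example, not Digi code; the dictionary
layout and sample values are constructed assumptions, not output of the
device's set service command."""
from typing import Dict, List, Set

# Switchable services the guide lists that carry traffic in the clear, paired
# with the protected service to prefer instead.
CLEARTEXT_SERVICES: Dict[str, str] = {
    "telnet": "ssh",
    "rlogin": "ssh",
    "rsh": "ssh",
    "realport": "encrypted_realport",
    "http": "https",
}
DEFAULT_COMMUNITIES = {"public", "private"}


def audit_services(services: Dict[str, bool], needed: Set[str]) -> List[str]:
    """Flag enabled services the site does not need or that expose data in clear,
    and required services that are switched off."""
    findings: List[str] = []
    for svc, enabled in sorted(services.items()):
        if not enabled:
            continue
        if svc in CLEARTEXT_SERVICES:
            alt = CLEARTEXT_SERVICES[svc]
            if svc in needed:
                findings.append(f"{svc}: cleartext service is required; move peers to {alt} when possible")
            else:
                findings.append(f"{svc}: cleartext service enabled but not required; disable it and use {alt}")
        elif svc not in needed:
            # Includes ADDP: it answers any multicast probe and its port cannot be
            # changed, so leave it off once devices are deployed unless still needed.
            findings.append(f"{svc}: enabled but not required; disable it")
    for svc in sorted(needed):
        if not services.get(svc):
            findings.append(f"{svc}: required but not enabled; enable it")
    return findings


def audit_snmp(snmp: Dict[str, object], needed: Set[str]) -> List[str]:
    """Apply the guide's SNMP guidance: non-default community names, set disabled."""
    findings: List[str] = []
    if not snmp.get("enabled"):
        return findings
    for role in ("read_community", "write_community"):
        name = str(snmp.get(role, ""))
        if not name or name.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"snmp {role}: default or empty community name {name!r}; change it")
    if snmp.get("set_enabled") and "snmp-set" not in needed:
        findings.append("snmp set_enabled: SNMP set commands allowed; disable them to keep SNMP read-only")
    return findings


def run_audit(device: Dict[str, Dict], needed: Set[str]) -> List[str]:
    return audit_services(device["services"], needed) + audit_snmp(device["snmp"], needed)


# Constructed sample device: factory-style state with several cleartext services left on.
SAMPLE_DEVICE = {
    "services": {
        "addp": True, "telnet": True, "ssh": True, "http": True, "https": True,
        "realport": True, "encrypted_realport": False, "rlogin": False,
        "rsh": True, "lpd": False, "snmp": True,
    },
    "snmp": {
        "enabled": True, "read_community": "public",
        "write_community": "ops-rw-7f3k", "set_enabled": True,
    },
}
SAMPLE_NEEDED = {"ssh", "https", "encrypted_realport", "snmp"}
```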
Configuration management
Once a Digi device is configured and running, configuration-management tasks need to be periodically performed, such as:
– Upgrading firmware
– Copying configurations to and from a remote host
– Software and factory resets
– Rebooting the device
– Memory management
– File management
For more information on these configuration-management tasks, see Chapter 4, "Digi device administration".
Customization capabilities
Several aspects of using Digi devices can be customized. For example:
– The look-and-feel of the device interface can be customized, to use a different company logo or screen colors.
– Custom applications written in Python can be executed.
– Custom factory defaults to which devices can be reverted can be defined.
The Digi Connect Family Customization and Integration Guide (Part Number 90000734; available with the Digi Connect Integration Kit) describes customization and integration tools and processes. Contact Digi International for more information on the Digi Connect Integration Kit customization tools and resources and for assistance with customization efforts.
Supported connections and data paths in Digi devices
Digi devices allow for several kinds of connections and paths for data flow between the Digi device and other entities. These connections can be grouped into two main categories:
– Network services, in which a remote entity initiates a connection to a Digi device.
– Network/serial clients, in which a Digi device initiates a network connection or opens a serial port for communication.
This discussion of connections and data paths may be helpful in understanding the effects of enabling certain features and choosing certain settings when configuring Digi products.
Network services
A network service connection is one in which a remote entity initiates a connection to a Digi device. There are several categories of network services:
– Network services associated with specific serial ports
– Network services associated with serial ports in general
– Network services associated with the command-line interface (CLI)
Network services associated with specific serial ports
– Reverse Telnet: A telnet connection is made to a Digi device, in which data is passed transparently between the telnet connection and a named serial port.
– Reverse raw socket: A raw TCP socket connection is made to a Digi device, in which data is passed transparently between the socket and a named serial port.
– Reverse TLS socket: An encrypted raw TCP socket is made to a Digi device, in which data is passed transparently to and from a named serial port.
– LPD: A TCP connection is made to a named serial port, in which the Digi device interprets the LPD protocol and sends a print job out of the serial port.
– Modem emulation, also known as Pseudo-modem (pmodem): A TCP connection is made to a named serial port, and the connection will be “interpreted” as an incoming call to the pseudo-modem.
Network services associated with serial ports in general
– RealPort: A single TCP connection manages (potentially) multiple serial ports.
– Modem emulation, also known as pseudo-modem (pool): A TCP connection to the “pool” port is interpreted as an incoming call to an available pseudo-modem in the “pool” of available port numbers.
– rsh: Digi devices support a limited implementation of the Remote shell (rsh) protocol, in that a single service listens to connections and allows a command to be executed. Only one class of commands is allowed: a single integer that specifies which serial port to connect to. Otherwise, the resulting connection is somewhat similar to a reverse telnet or reverse socket connection.
– DialServ: Connecting a DialServ device to the serial port. DialServ simulates a public switched telephone network (PSTN) to a modem and forwards the data to the serial port. The Digi device sends and receives the data over an IP network.
Network services associated with the command-line interface
– Telnet: A user can Telnet directly to a Digi device’s command-line interface.
– rlogin: A user can perform a remote login (rlogin) to a Digi device’s command-line interface.
Network/serial clients
A network/serial client connection is one in which a Digi device initiates a network connection or opens a serial port for communication. There are several categories of network/serial client connections:
– Autoconnect behavior client connections
– Command-line interface (CLI)-based clients
– Modem emulation (pseudo-modem) client connections
Autoconnect behavior client connections
In client connections that involve autoconnect behaviors, a Digi device initiates a network connection based on timing, serial activity, or serial modem signals. Autoconnect-related client connections include:
– Raw TCP connection: The Digi device initiates a raw TCP socket connection to a remote entity.
– Telnet connection: The Digi device initiates a TCP connection using the Telnet protocol to a remote entity.
– Raw TLS encrypted connection: The Digi device initiates an encrypted raw TCP socket connection to a remote entity.
– Rlogin connection: The Digi device initiates a TCP connection using the rlogin protocol to a remote entity.
Command-line interface (CLI)-based client connections
Command-line interface based client connections are available for use once a user has established a session with the Digi device’s CLI. CLI-based client connections include:
– telnet: A connection is made to a remote entity using the Telnet protocol.
– rlogin: A connection is made to a remote entity using the Rlogin protocol.
– connect: Begin communicating with a local serial port.
Modem emulation (pseudo-modem) client connections
When a port is in the modem-emulation or pseudo-modem mode, it can initiate network connections based on AT command strings received on the serial port. The AT commands for modem emulation are documented in the Digi Connect Family Command Reference.
Interfaces for configuring, monitoring, and administering Digi devices
There are several interfaces for configuring, monitoring, and administering Digi devices. These interfaces are covered in more detail later in this guide.
Configuration capabilities
Device configuration involves setting values and enabling features for such areas as:
– Network configuration: Specifying the device’s IP address settings, network-service settings, and advanced network settings.
– Mobile (cellular) configuration: Specifying the mobile service provider and mobile connection settings for the device.
– Serial port configuration: Specifying the serial port characteristics for the device.
– Alarms: Defining whether alarms should be issued, the conditions that trigger alarms, and how the alarms should be delivered.
– Security/Users configuration: Configuring security features, such as whether password authentication is required for device users.
– System configuration: Specifying system-identifying information, such as a device description, contact person, and physical location.
Configuration interfaces
Several interfaces are available for configuring Digi devices, including:
– The Digi Device Discovery Utility, which locates Digi devices on a network, and allows opening the web interface for the devices.
– The iDigi platform, a configuration interface to fine-tune or monitor devices. The iDigi Platform cannot assign an IP address but it can change one.
– A web-based interface embedded with the product, providing device configuration profiles for quick serial-port configuration and other settings.
– A command-line interface (CLI).
– Remote Command-line Interface (RCI) protocol.
– Simple Network Management Protocol (SNMP).
Digi Device Discovery utility
The Digi Device Discovery utility locates Digi devices on a network and allows for opening the web interface for discovered devices, configuring network settings, and rebooting the device. It uses a Digi International-proprietary protocol, Advanced Digi Discovery Protocol (ADDP), to discover the Digi devices on a network, and displays the discovered devices in a list, for example:
Digi Device Discovery quickly locates Digi devices and basic device information, such as the device’s address, firmware revision, and whether it has been configured. It runs on any operating system that can send multicast IP packets to a network. It sends out a User Datagram Protocol (UDP) multicast packet to all devices on the network. Devices supporting ADDP reply to this UDP multicast with their configuration information. Even devices that do not yet have an IP address assigned or are misconfigured for the subnet can reply to the UDP multicast packet and be displayed in device discovery results.
Not all Digi devices support ADDP. Note that device discovery responses can be blocked by personal firewalls, Virtual Private Network (VPN) software, and certain network equipment. Firewalls will block UDP ports 2362 and 2363 that ADDP uses to discover devices.
Digi Device Discovery is available for downloading from the Digi Support site. After installation, it is available from the Start menu. Access to the ADDP service can be enabled or disabled, but the network port number for ADDP cannot be changed from its default. For more information on the Digi Device Discovery utility, see page 47.
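Because any host that can send the multicast gets configuration details back, a defender may want to know who is probing. This added Python example (not Digi software) runs over constructed firewall log lines and reports sources sending UDP to the ADDP ports 2362 and 2363 that are not approved management stations; the log format, addresses, multicast group and allowlist are assumptions made for the example.

```python
"""Which hosts are sending ADDP discovery probes? Runs over constructed firewall
log lines and reports UDP senders to the ADDP ports that are not approved
management stations. Added example for this guide, not Digi software; the log
format, addresses, multicast group and allowlist are constructed."""
import re
from collections import Counter
from typing import Iterable, List, Set, Tuple

ADDP_PORTS = {2362, 2363}   # the UDP ports the guide names for ADDP discovery
LINE_RE = re.compile(
    r"proto=(?P<proto>\w+)\s+src=(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample: an approved management PC (192.0.2.10) and an unexpected
# host (198.51.100.77) both probe; a DNS lookup and a TCP connection to port
# 2362 are included as packets the detector must ignore.
SAMPLE_LOG = """\
2010-03-01T08:00:01 fw1 allow proto=UDP src=192.0.2.10:49152 dst=239.255.0.1:2362
2010-03-01T08:00:01 fw1 allow proto=UDP src=192.0.2.10:49152 dst=239.255.0.1:2363
2010-03-01T08:00:05 fw1 allow proto=UDP src=198.51.100.77:40001 dst=239.255.0.1:2362
2010-03-01T08:00:06 fw1 allow proto=UDP src=198.51.100.77:40001 dst=239.255.0.1:2362
2010-03-01T08:00:07 fw1 allow proto=UDP src=192.0.2.10:53011 dst=192.0.2.1:53
2010-03-01T08:00:09 fw1 allow proto=TCP src=198.51.100.77:40002 dst=192.0.2.50:2362
"""
APPROVED_SCANNERS: Set[str] = {"192.0.2.10"}


def addp_probe_counts(lines: Iterable[str]) -> Counter:
    """Count UDP packets to an ADDP port, per source address; other lines are skipped."""
    counts: Counter = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if m and m["proto"].upper() == "UDP" and int(m["dport"]) in ADDP_PORTS:
            counts[m["src"]] += 1
    return counts


def unexpected_probers(lines: Iterable[str], approved: Set[str]) -> List[Tuple[str, int]]:
    """Sources probing for Digi devices that are not on the approved list, busiest first."""
    counts = addp_probe_counts(lines)
    hits = [(src, n) for src, n in counts.items() if src not in approved]
    return sorted(hits, key=lambda item: (-item[1], item[0]))
```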
iDigi™ Platform interface
The iDigi Platform provides remote network management of all connected hardware. In contrast to the one-user-to-one-device model of other Digi device interfaces, the iDigi Platform uses a one-user-to-many-devices interface model. By providing a central point of access to remote devices or groups of devices, the iDigi Platform makes it easier for you to manage many devices. Using a standard Web browser, from the iDigi Platform, you can configure network hardware; track device performance; remotely set filters and alarms; monitor connections, device status and statistics; reboot devices; reset defaults; and remotely upgrade firmware. Because you can diagnose and solve problems from a central site, resulting in fewer maintenance trips to remote locations, the iDigi Platform helps you reduce maintenance costs.
For more information on the iDigi Platform as a remote management interface, see these resources:
– "Remote management settings" on page 131. This section shows how to configure settings within Digi devices so that they can be handled through a remote device manager such as the iDigi Platform.
– "Configuration through the iDigi Platform" on page 41.
– "Monitoring capabilities from the iDigi Platform" on page 152.
– iDigi tutorials and guides
Web interface
A web interface is provided as an easy way to configure and monitor Digi devices. Configurable features are grouped into several categories. These categories vary by product; examples include Network, Serial Port, Alarms, System, Remote Management, and Security. Most of the configurable features are arranged with the most basic settings on a page, with associated and advanced settings accessible from that page. Serial-port configurations are classified into port profiles, or configuration scenarios that best represent the environment in which the Digi device will be used. Selecting a particular port profile configures the serial port parameters that are needed.
To access the web interface, enter the Digi device’s IP address or host name in a browser’s URL window. The main menu of the web interface is displayed. For more information, see "Configuration through the web interface" on page 47. The web interface has a tutorial, accessed from the Home page, and online help, accessed from the Help link on each page.
Not all settings provided by the command-line interface are displayed in the web interface. However, the configuration settings in the web interface should be sufficient for most users. If necessary, settings can be modified later from the command line.
Command-line interface
Digi devices can be configured by issuing commands from the command line. The command-line interface allows communication directly without a graphical interface. To access the command line from the Digi Device Discovery utility, click Telnet to command line.
For example, here is a command issued from the command line to assign the IP address to the Ethernet interface:
#> set network ip=192.168.1.1
The command-line interface provides flexibility for making precise changes to device configuration settings and operation. It does require users to have experience issuing commands, and access to command documentation.
The command line is available through Telnet or SSH TCP/IP connections, or through a serial port using terminal emulation software such as HyperTerminal. Access to the command line from serial ports depends on the port profile in use by the port. By default, serial port command-line access is allowed.
See "Configuration through the command line" on page 147 for more information on this interface. See the Digi Connect Family Command Reference for command descriptions and examples of entering configuration commands from the command-line interface. In addition, online help is available for the commands, through the help and ‘?’ commands.
Remote Command Interface (RCI)
Remote Command Interface (RCI) is a programmatic interface for configuring and controlling Digi devices. RCI is an XML-based request/response protocol that allows a caller to query and modify device configurations, access statistics, reboot the device, and reset the device to factory defaults. Unlike other configuration interfaces that are designed for a user, such as the command-line or web interfaces, RCI is designed to be used by a program. RCI access consists of program calls. A typical use of RCI is in a Java applet that can be stored on the Digi device to replace the web interface with a custom browser interface. Another example is a custom application running on a PC that monitors and controls an installation of many Digi devices.
As RCI is designed to be used by a program, it is useful for creating a custom configuration user interface, or utilities that configure or initialize devices through external programs or scripts.
RCI uses HTTP as the underlying transport protocol. Depending on the network configuration, use of HTTP as a transport protocol could be blocked by some firewalls.
RCI is quite complex to use, requiring users to phrase configuration requests in Extensible Markup Language (XML) format. It is a “power-user” option, intended more for users developing their own user interfaces, or for users implementing embedded control (and thus potentially using RCI over serial) than for end-users with limited knowledge of device programming.
Not all actions in the web interface have direct equivalents in RCI. Therefore, it may not be easy for some end-users to determine what needs to be sent through XML for a particular style of request.
For more details on RCI, see the Digi Connect Integration Kit and the Remote Command Interface (RCI) Specification.
Simple Network Management Protocol (SNMP)
Simple Network Management Protocol (SNMP) is a protocol for managing and monitoring network devices. The SNMP architecture enables a network administrator to manage nodes (servers, workstations, routers, switches, hubs, etc.) on an IP network; manage network performance; find and solve network problems; and plan for network growth. Digi devices support SNMP Versions 1 and 2.
SNMP is easy to implement in extensive networks. Programming new variables and “dropping in” new devices in a network are easy. SNMP is widely used. It is a standard interface that integrates well with network management stations in an enterprise environment. While its capabilities are limited to device monitoring and display of statistics in Digi devices, read/write capabilities are expected to be added to Digi devices in future releases.
However, because device communication is UDP-based, the communication is not secure. If more secure communications with a device are required, use an alternate device interface. SNMP does not allow certain tasks that can be performed from the web interface, such as file management, uploading firmware, or backing up and restoring configurations. Compared to the web or command-line interfaces, SNMP is limited in its ability to set specific parameters; setting a port profile, for example, is not possible.
Accessing the SNMP interface requires a tool, such as a network management station. The management station relies on an agent at a device to retrieve or update the information at the device, including device configuration, status, and statistical information. This information is viewed as a logical database, called a Management Information Base (MIB). MIB modules describe MIB variables for a variety of device types and computer hardware and software components.
A variety of resources about SNMP are available, including reference books, overviews, and other files on the Internet. For an overview of the SNMP interface and the components of MIB-II, go to http://www.rfc-editor.org/rfcsearch.html, and search for MIB-II. From the results, locate the text file describing the SNMP interface, titled Management Information Base for Network Management of TCP/IP-based internets: MIB-II. The text of the Digi enterprise MIBs can also be displayed.
For additional discussion of using SNMP as a device monitoring interface, see "Monitoring Capabilities from SNMP" on page 174.
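To make the "not secure" point above concrete, here is an added Python example (not part of this manual or of Digi's software) that builds an SNMPv1 GetRequest for the MIB-II object sysDescr.0 by hand and then reads the community string straight back out of the raw datagram bytes. The BER layout follows RFC 1157; the community value "public" and the request id are constructed sample values. Because the community string is the only credential SNMP v1 and v2 carry, and it travels in the clear, anyone who can observe the UDP traffic can recover it the same way.

```python
"""SNMPv1 GetRequest: encode it by hand and read the community string back.

Added example (not Digi code). BER layout per RFC 1157; 'public' and the
request id are constructed sample values.
"""

SYS_DESCR = "1.3.6.1.2.1.1.1.0"   # MIB-II sysDescr.0


def _tlv(tag: int, payload: bytes) -> bytes:
    """Tag-Length-Value with short-form length (enough for this small PDU)."""
    if len(payload) >= 128:
        raise ValueError("long-form BER lengths are not handled in this example")
    return bytes([tag, len(payload)]) + payload


def _integer(value: int) -> bytes:
    """Minimal two's-complement INTEGER (tag 0x02) for the non-negative ints used here."""
    return _tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))


def _oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER (tag 0x06): first two arcs packed into one byte, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunks = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunks.append((arc & 0x7F) | 0x80)   # continuation bit on all but the last
            arc >>= 7
        body += bytes(reversed(chunks))
    return _tlv(0x06, body)


def build_get_request(community: str, oid: str = SYS_DESCR, request_id: int = 1) -> bytes:
    """Message ::= SEQUENCE { version INTEGER(0), community OCTET STRING, GetRequest-PDU }"""
    varbind = _tlv(0x30, _oid(oid) + _tlv(0x05, b""))       # VarBind { name, value NULL }
    varbind_list = _tlv(0x30, varbind)
    pdu = _tlv(0xA0, _integer(request_id) + _integer(0) + _integer(0) + varbind_list)
    return _tlv(0x30, _integer(0) + _tlv(0x04, community.encode("ascii")) + pdu)


def parse_header(datagram: bytes):
    """Return (version, community) from the raw bytes; needs no key and no session."""
    if datagram[0] != 0x30:
        raise ValueError("not an SNMP message")
    pos = 2                                   # past the SEQUENCE tag and short length
    if datagram[pos] != 0x02:
        raise ValueError("expected version INTEGER")
    ver_len = datagram[pos + 1]
    version = int.from_bytes(datagram[pos + 2:pos + 2 + ver_len], "big", signed=True)
    pos += 2 + ver_len
    if datagram[pos] != 0x04:
        raise ValueError("expected community OCTET STRING")
    com_len = datagram[pos + 1]
    community = datagram[pos + 2:pos + 2 + com_len].decode("ascii")
    return version, community


if __name__ == "__main__":
    packet = build_get_request("public")
    print(packet.hex())
    print(parse_header(packet))      # version 0 is SNMPv1
```

Version 0 in the header is SNMPv1 and 1 is SNMPv2c; both carry the community string this way, which is why the manual steers you to another interface when the link itself is not trusted.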
Monitoring capabilities and interfaces
Monitoring Digi devices includes such tasks as checking device status, checking runtime state, viewing serial port operations, reviewing network statistics, and managing connections.
As with device configuration, there are several interfaces available for monitoring Digi devices, including the web interface embedded with the product, SNMP, the command-line interface, and the iDigi Platform. These interfaces are covered in more detail in Chapter 3, "Monitor and manage Digi devices".
The iDigi Platform
In the iDigi Platform, monitoring capabilities can be sorted by the server and the devices managed by the server. The information is available in logs and can be generated into reports. When available, the reports post linked totals that can be drilled back to the original devices that make up the activity of the report.
The iDigi Platform is well-suited to managing Digi Cellular Family devices and the networks in which the devices reside. Advantages include the ability to view an entire network, and multiple networks, at once, and ease in viewing signal strength, link quality, and alarms.
Web interface
The web interface has several screens for monitoring Digi devices:
- Network Status
- Mobile connection status
- Serial Port Management: for each port, the port’s description, current profile, and current serial configuration.
- Connections Management: A display of all active system connections.
- System Information: general device information; serial port information for each port, including the port’s description, current profile, and current serial configuration (the same information displayed by choosing Serial Port Management); and network statistics.
Command-line interface
Several commands can be issued from the command line to monitor devices. For a review of these commands and what they can provide from a device-monitoring perspective, see "Monitoring capabilities from the command line" on page 171.
SNMP
Monitoring capabilities of SNMP include managing network performance, gathering device statistics, and finding and solving network problems. For more information on using SNMP for device-monitoring purposes, see "Monitoring Capabilities from SNMP" on page 174.
Device administration
Periodically, administrative tasks need to be performed on Digi devices, such as uploading and managing files, changing the password for logging onto the device, backing up and restoring device configurations, updating firmware, restoring the configuration to factory defaults, and rebooting.
As with configuration and monitoring, administration can be done from a number of interfaces, including the web interface, command line, and the iDigi Platform. See Chapter 4, "Digi device administration" for more information and procedures.
CHAPTER 2
Configure Digi devices
This chapter describes how to configure a Digi device. It covers these topics:
- Identifying the predefined static IP address for your Digi device on page 39
- "Default IP address and methods for assigning an IP address" on page 39
- "Configuration through the iDigi Platform" on page 41
- "Configuration through the web interface" on page 47
- "Configuration through the command line" on page 147
- "Configuration through Simple Network Management Protocol (SNMP)" on page 150
- "Batch capabilities for configuring multiple devices" on page 150
Default IP address and methods for assigning an IP address
All products that have a cellular (WAN) interface ship with a static IP address of 192.168.1.1 for the Ethernet port and a DHCP server enabled by default. Therefore, simply connecting a laptop computer to the Ethernet port of these products allows direct access to the web interface for configuration. The Ethernet port of the laptop should be configured to automatically receive an IP address and DNS server address.
All products that only have an Ethernet or Wi-Fi (LAN) interface ship with a DHCP client enabled by default. Accessing the web interface on these products is most easily done by connecting them to a LAN that has a DHCP server.
To discover which IP address has been assigned to the device, use the Device Discovery Utility for Windows, available on the Digi Support site. See installation instructions on page 47.
There are several alternate ways to assign an IP address to a Digi device, described on the following pages:
- Use Dynamic Host Configuration Protocol (DHCP) from the web interface.
- Use the command-line interface.
- Use Automatic Private IP Addressing (APIPA), also known as Auto-IP.
Configure an IP address using DHCP
An IP address can also be configured using Dynamic Host Configuration Protocol (DHCP). DHCP is an Internet protocol for automating the configuration of computers that use TCP/IP. DHCP can be used to automatically assign IP addresses and deliver TCP/IP stack configuration parameters.
As mentioned previously, all products that have a cellular (WAN) interface ship with static IP address for the Ethernet port of 192.168.1.1 and DHCP server enabled by default. All products that only have an Ethernet or Wi-Fi (LAN) interface ship with DHCP client enabled by default.
If desired, set up a permanent entry for the Digi device on a DHCP server. While this is not necessary to obtain an IP address via DHCP, setting up a permanent entry means the IP address is saved when the device is rebooted.
For more information on DHCP server configuration, see "DHCP server settings" on page 60.
Configure an IP address using Auto-IP
The standard protocol Automatic Private IP Addressing (APIPA or Auto-IP) automatically assigns the IP address from a group of reserved IP addresses to the device on which Auto-IP is installed. Use Digi Device Discovery or DHCP to find the Digi device and assign it a new IP address that is compatible with your network. Once the unit is plugged in, Auto-IP automatically assigns the IP address. Auto-IP addresses are typically in the 169.254.x.x address range.
Configure an IP address from the command-line interface
The set network command configures an IP address from the command line. Include the following parameters:
- ip=device ip: The IP address for the device.
- gateway=gateway: The network gateway IP address.
- submask=device submask: The device subnet mask.
- dhcp=off: Turns off use of the Dynamic Host Configuration Protocol (DHCP), so that the IP address assigned is permanent.
- static=on: Specifies that the IP address is static, and will remain as the specified IP address, gateway, and submask.
For example:
set network ip=10.0.0.100 gateway=10.0.0.1 submask=255.255.255.0 dhcp=off static=on
IP addresses and the iDigi Platform
From the iDigi Platform interface, the Ethernet/LAN address for a Digi device can only be changed; an address cannot be assigned. The mobile/cellular address is typically provided by the mobile service provider; check with your mobile service provider on how they handle addresses. To change the IP address, open the web interface using the IP address the device currently has and navigate to Configuration > Network > IP Settings. On the IP Settings page, enter the new IP address, subnet mask, and gateway.
Test the IP address configuration
Once the IP address is assigned, make sure it works as configured.
1 Access the command line of a PC or other networked device.
2 Issue the following command:
ping ip-address
where ip-address is the IP address assigned to the Digi device. For example:
ping 192.168.2.2
Configuration through the iDigi Platform
The iDigi Platform is an on-demand service. After creating an iDigi account, you can connect to the iDigi Platform. There are no infrastructure requirements. Remote devices and enterprise business applications connect to the iDigi Platform via standards-based Web Services.
Create an Account on iDigi.com
To get started using iDigi, set up an account on the iDigi Platform.
1 Navigate to http://www.idigi.com.
2 Click on the iDigi Platform Login button.
3 Click on the Are you a new user? link and create your account.
Add the Digi device to the idigi.com Device List
To add your Digi device to the device list, follow these steps:
1 Log into the iDigi.com user portal using the username and password you just created. The iDigi Platform interface is displayed.
2 In the Devices list, click the button on the toolbar to display the Add Devices dialog. Locate and select your device from the list of locally discovered devices and click the OK button. If your device was not found in the list, check that it is turned on and connected to the same local network as your PC and click the Refresh button. Adding your device through automatic discovery informs iDigi about the device and configures that device to connect to the iDigi Connectivity server.
Note: If the device is not locally accessible or cannot be automatically discovered, you can still add it by clicking the Add Manually button and entering the MAC address found on the bottom of the device. If you manually add your device, however, you must also configure the device to connect to the iDigi Connectivity Server. See “Manually configure a Digi device to connect to the iDigi Platform” on page 135.
3 Wait a few moments and click the Refresh button to ensure that your device status is now Connected.
4 Select your device and double-click it, or right-click and select Properties.
5 Your device information will load into the iDigi Device Manager.
iDigi Platform views for configuring and managing Digi devices
The iDigi Platform has several views for configuring and managing network devices.
Device list
The iDigi device list displays all the devices in your network. This view allows for viewing and accessing devices regardless of their physical location, even devices behind firewalls. From this view, you can filter and sort device list information, customize the device information displayed, refresh the information, view messages, select one or more devices to configure, manage, and monitor, and add and remove devices and groups.
Device operations menu
In the device list, right-clicking on a selected device displays the device operations menu for performing key device-management tasks, such as file management, restoring the device to factory defaults, updating firmware, and displaying device properties. The image shows the operations menu and the operations available under Administration and Firmware.
Device properties view
Selecting Properties from the device operations menu displays a system summary of the selected device, and a menu of configuration settings, similar to the menu on the home page of the web interface for a Digi device.
For more information on iDigi Platform
To learn more about the iDigi Platform and the services it provides, see the iDigi Device Management and Web Services Tutorial.
Configuration through the web interface
Open the web interface
To open the web interface, either enter the Digi device’s URL in a web browser and log on to the device, if required, or use the Digi Device Discovery utility to locate it and open its web interface.
By entering the Digi device’s IP address in a web browser
1 In the URL address bar of a web browser, enter the IP address of the device.
2 If security has not been enabled for the Digi device, the Home page of the web interface is displayed. If security has been enabled for the Digi device, a login dialog will be displayed. Enter the user name and password for the device. The default username is root and the default password is dbps. If these defaults do not work, contact the system administrator who set up the device. Then the Home page of the web interface is displayed. See "Organization of the web interface" on page 49 for an overview of using the Home page and other linked pages.
Note: The idle timeout automatically logs users out of the web interface after 5 minutes of inactivity if password authentication has been enabled for the device.
By using the Digi Device Discovery utility
Alternatively, use the Digi Device Discovery Utility to locate the Digi device and open its web interface.
Install and run the Digi Device Discovery utility
The Digi Device Discovery Utility is available for downloading from the Digi Support site. If this utility is not already available on your computer, follow these steps.
1 From a browser, go to www.digi.com.
2 Click the Support link and select Diagnostics, Utilities and MIBs.
3 Under Select Your Product for Support, select your Digi device from the product list and click Submit.
4 Under Active Products, select your Digi device from the product list.
5 Under OS Specific Diagnostics, Utilities and MIBs, select the operating system for your computer from the list.
6 Select either Device Discovery Utility for Windows - Standalone version or Device Discovery Utility for Windows - Installable version. The standalone version runs the utility immediately after the download is complete. The installable version installs the utility on your computer and adds it to a program group named Digi in the Start menu.
7 Click Run on the two dialogs. The standalone version of the utility starts immediately. For the installable version, an installation wizard is displayed. Follow the prompts to complete the installation. To start the utility, select
Start > Programs > Digi > Digi Device Discovery > Digi Device Discovery
Discover devices
From the start menu, select Start > Programs > Digi Connect > Digi Device Discovery. The Digi Device Discovery application is displayed.
Locate the device in the list of devices, and double-click it, or select the Digi device from the list and select Open web interface in the Device Tasks list.
Depending on whether a system administrator has configured password authentication for the device, a login may be required. If a login dialog is displayed, enter the user name and password for the Digi device. The default username is root and the default password is dbps. If these defaults do not work, contact the system administrator who initially set up the device. Now configure the Digi device, as described on the following pages.
Organization of the web interface
When the web interface is opened, the Home page is displayed. Here is the Home page for a ConnectPort WAN VPN.
The Home page
The left side of the Home page has a menu of choices that display pages for configuration, management, and administration tasks, and to log out of the web interface. This chapter focuses on the choices under Configuration and Applications. For details on monitoring Digi devices and the choices under Management, see Chapter 3, "Monitor and manage Digi devices". For details on the tasks under Administration, see Chapter 4, "Digi device administration".
Clicking Logout logs out of a configuration and management session with a Digi device. It does not close the browser window, but displays a logout window. To finish logging out of the web interface and prevent access by other users, close the browser window. Or, log back on to the device by clicking the link on the screen. After 5 minutes of inactivity, the idle timeout also automatically performs a user logout.
The Getting Started section has a link to a tutorial on configuring and managing Digi devices. The System Summary section notes all available device-description information.
Configuration pages
The choices under Configuration in the menu display pages for configuring settings for various features, such as network settings, mobile settings, and serial port settings.
Some of the configuration settings are organized on sets of linked screens. For example, the Network Configuration screen initially displays the IP Settings, and provides links to Network Services Settings, Advanced Settings, and other network settings appropriate to the Digi device.
Applications pages
Depending on the Digi device, there may be an Applications menu item for configuring various applications available for use in the device.
- Python: For loading and running custom programs authored in the Python programming language onto ConnectPort X Family devices.
- RealPort: Configures RealPort settings. See page 145.
- Industrial Automation: Configures the Digi device for use in industrial automation applications.
Apply and save changes
The web interface runs locally on the device, which means that the interface always maintains and displays the latest settings in the Digi device.
On each screen, the Apply button is used to save any changes to the configuration settings to the Digi device.
Cancel changes
To cancel changes to configuration settings, click the Refresh or Reload button on the web browser. This causes the browser to reload the page. Any changes made since the last time the Apply button was clicked are reset to their original values.
Restore the Digi device to factory defaults
The device configuration can be reset to factory defaults as needed during the configuration process. See "Restore a device configuration to factory defaults" on page 182.
Online help
Online help is available for all screens of the web interface, and for common configuration and administration tasks. There is also a tutorial available on the Home page.
Change the IP address from the web interface, as needed
Normally, IP addresses are assigned to Digi devices either through DHCP or the Digi Device Setup Wizard.
This procedure assumes that the Digi device already has an IP address and you simply want to change it.
1 Open a web browser and enter the Digi device’s current IP address in the URL address bar.
2 If security is enabled for the Digi device, a login prompt is displayed. Enter the user name and password for the device. The default username is root and the default password is dbps. If these defaults do not work, contact the system administrator who set up the device.
3 Click Network to access the Network Configuration page.
4 On the IP Settings page, select Use the following IP address.
5 Enter an IP address (and other network settings), then click Apply to save the configuration.
Network configuration settings
The Network configuration pages include:
- Ethernet IP settings: For viewing IP address settings and changing them as needed. See page 55.
- WiFi IP settings: For setting the IP address used for wireless LAN communication. See page 55.
- WiFi LAN settings: For setting basic options for wireless LAN devices such as network name and network connection options. See page 56.
- WiFi Security settings: For setting authentication and encryption options for wireless LAN devices. See page 57.
- WiFi 802.1x Authentication settings: Detailed authentication settings for IEEE 802.1x authentication for wireless LAN devices. See page 59.
- DHCP Server settings: For configuring a DHCP server to allow other devices or hosts on this network to be assigned dynamic IP addresses. See page 60.
- Network Services settings: Enables and disables access to various network services, such as ADDP, RealPort and Encrypted RealPort, Telnet, HTTP/HTTPS, and other services. See page 64.
- Dynamic DNS Update settings: For configuring a Dynamic DNS (DDNS) service that allows a user whose IP address is dynamically assigned to be located by a host or domain name. See page 67.
- IP Filtering settings: For configuring the Digi Cellular Family device to only accept connections from specific and known IP addresses or networks. See page 70.
- IP Forwarding settings: For configuring the Digi Cellular Family device to forward certain connections to other devices. This is also known as Network Address Translation (NAT) or Port Forwarding. See page 71.
- IP Network Failover settings: Provides a dynamic method for selecting and configuring the default gateway for the Digi device, using a set of rules and link tests to determine whether a particular network interface can be used to communicate with a specified destination. See page 74.
- Socket Tunnel settings: For configuring a socket tunnel, used to connect two network devices: one on the Digi Cellular Family device’s local network and the other on the remote network. See page 78.
- Virtual Private Network (VPN) settings: For configuring Virtual Private Networks, which are used to securely connect two private networks together so that devices may connect from one network to the other network using secure channels. See page 79.
- IP Pass-through settings: Configures a Digi Cellular Family device to pass its mobile IP address directly through to the Ethernet device (router or PC) to which it is connected through the Ethernet port. The Digi Cellular Family device becomes transparent (similar to the behavior of a cable or DSL modem) to provide a bridge from the mobile network directly to the end device attached to the Digi Cellular Family device. See page 79.
- Host List settings: Adds or removes entries from the host list. For DialServ, the host list provides a means to map a phone number (in the local name field) to a network destination (in the “resolves_to” field). See page 90.
- Virtual Router Redundancy Protocol (VRRP) settings: For configuring a number of routers to represent a virtual router, which simplifies configuration of hosts on a network.
- Advanced Network Settings: Configures the Ethernet interface speed and mode, TCP/IP settings, TCP keepalive settings, and DHCP settings. See page 92.
Alternatives for configuring network communications
There are three ways a Digi device can be configured on the network.
- Using dynamic settings: All network settings will be assigned automatically by the network, using a protocol called DHCP. Contact your network administrator to find out if a DHCP server is available.
- Using static settings: All network settings are set manually and will not change. The IP address and subnet mask are mandatory. The rest are not mandatory, but may be needed for some functions. Contact your network administrator for the required values.
- Using Auto-IP: Auto-IP assigns an IP address to the Digi device immediately after it is plugged in. If running DHCP or ADDP, the Auto-IP address is overridden and a network-compatible IP address is assigned, or a static IP address can be assigned.
Digi Cellular Family products have two IP addresses: one for Ethernet and one for cellular. All Digi Cellular Family products have a pre-defined default Ethernet Port IP address of 192.168.1.1.
Even if a DHCP server is available, the device configuration may work better with static settings. Once set, static settings will not change, so you and other network devices can always find the Digi device by its IP address. With dynamic settings, the DHCP server can change the IP address. This can happen frequently or infrequently depending on how your network administrator has configured the network.
When the IP address does change, you and other network devices configured to talk to the Digi device can no longer access the device. In this case, the Digi device must be located with the Digi Device Discovery utility, and other network devices that need to communicate with the Digi device must be reconfigured.
Ethernet IP settings
The Ethernet IP Settings page configures how the IP address of the Digi device is obtained, either by DHCP or by using a static IP address, subnet mask, and default gateway. For more information about how these settings are assigned and used in your organization, contact your network administrator.
- Obtain an IP address automatically using DHCP: When the Digi device is rebooted, it will obtain new network settings. Use the Digi Device Setup Wizard to find the Digi device, since it will likely have a new address.
- Use the following IP Address: Choose this option to supply static settings. An IP address and Subnet mask must be entered. Other items are not mandatory, but may be needed for some functions (such as talking to other networks).
- IP Address: An IP address is like a telephone number for a computer. Other network devices talk to this Digi device using this ID. The IP address is a 4-part ID assigned to network devices. IP addresses are in the form of 192.168.2.2, where each number is between 0 and 255.
- Subnet Mask: The Subnet Mask is combined with the IP address to determine which network this Digi device is part of. A common subnet mask is 255.255.255.0.
- Default Gateway: IP address of the computer that enables this Digi device to access other networks, such as the Internet.
- Enable Auto assignment: With AutoIP enabled, the Digi device will automatically self-configure an IP address when an address is not available from other methods, for example, when the Digi device is configured for DHCP and a DHCP server is not currently available.
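The following added Python example (not Digi's code) checks the values that go into a set network command line, as shown in "Configure an IP address from the command-line interface" above, and equally the IP address, subnet mask and gateway entered on the Ethernet IP settings page, for the mistakes that most often leave a device unreachable: a gateway outside the subnet, an address in the 169.254.x.x Auto-IP range, a network or broadcast address used as the host address, and a missing dhcp=off or static=on. The check runs entirely on the workstation; the command strings in the test are constructed samples apart from the manual's own example.

```python
"""Check a 'set network ...' command / static IP settings for consistency.

Added example, not Digi's code. It validates the values only; it does not talk
to a device.
"""
import ipaddress


def parse_set_network(command: str) -> dict:
    """Split a 'set network key=value ...' line into a dict of parameters."""
    tokens = command.split()
    if tokens[:2] != ["set", "network"]:
        raise ValueError("expected a 'set network' command")
    params = {}
    for tok in tokens[2:]:
        key, sep, value = tok.partition("=")
        if not sep or not key or not value:
            raise ValueError(f"malformed parameter: {tok!r}")
        params[key] = value
    return params


def check_static_config(params: dict) -> list:
    """Return the problems found; an empty list means the static addressing is consistent."""
    problems = []
    for name in ("ip", "submask"):
        if name not in params:
            problems.append(f"{name} is required for a static configuration")
    if problems:
        return problems
    try:
        ip = ipaddress.IPv4Address(params["ip"])
        # strict=False lets a host address stand in for the network address
        net = ipaddress.IPv4Network(f"{ip}/{params['submask']}", strict=False)
    except ValueError as exc:
        return [f"invalid ip or submask: {exc}"]

    if ip.is_link_local:
        problems.append("ip is in the 169.254.0.0/16 Auto-IP range; choose a routable address")
    if net.prefixlen < 31 and ip in (net.network_address, net.broadcast_address):
        problems.append(f"ip {ip} is the network or broadcast address of {net}")

    gateway = params.get("gateway")
    if gateway is not None:
        try:
            gw = ipaddress.IPv4Address(gateway)
        except ValueError:
            problems.append("gateway is not a valid IPv4 address")
        else:
            if gw not in net:
                problems.append(f"gateway {gw} is not inside subnet {net}; the device could not reach it")
            elif gw == ip:
                problems.append("gateway must not be the device's own ip")

    if params.get("dhcp") != "off":
        problems.append("dhcp=off is missing; a DHCP lease could replace the static address")
    if params.get("static") != "on":
        problems.append("static=on is missing; the address may not persist across reboots")
    return problems


def validate_command(command: str) -> list:
    """Parse and check one command line; see check_static_config for the rules."""
    return check_static_config(parse_set_network(command))


if __name__ == "__main__":
    # The manual's own example, followed by two constructed bad ones.
    for cmd in (
        "set network ip=10.0.0.100 gateway=10.0.0.1 submask=255.255.255.0 dhcp=off static=on",
        "set network ip=10.0.0.100 gateway=10.0.1.1 submask=255.255.255.0 dhcp=off static=on",
        "set network ip=169.254.10.5 submask=255.255.0.0 dhcp=off static=on",
    ):
        print(cmd, "->", validate_command(cmd) or "OK")
```

Running the check before typing the command into a device reachable only over a cellular link avoids the case the manual warns about: an address that takes effect, cannot be reached, and then has to be recovered with Digi Device Discovery on site.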
WiFi IP settings
The WiFi IP settings configure how the IP address of a Wi-Fi-enabled Digi device is obtained. It has the same settings as the Ethernet IP settings page.
WiFi LAN settings
Digi devices with Wi-Fi (wireless LAN) capability contain a wireless network interface that may be used to communicate to wireless networks using 802.11b technology. Contact your administrator or consult wireless access point documentation for the settings required to set up the wireless LAN configuration. Settings include:
Network name: The name of the wireless network to which the wireless device should connect. In situations with multiple wireless networks, this setting allows the device to connect to and associate with a specific network. The network name is referred to as the SSID (service set identifier). If the network name is left blank, the device will search for wireless networks and connect to the first available network. This is useful if a specific network name does not need to be used, as the device will select the first available network.
Connection method: The type of connection method this device uses to communicate on wireless networks. Choose from:
– Connect to any available wireless network: Use this setting to allow the device to access any network. The device can access either access point networks or peer-to-peer wireless networks.
– Connect to access point (infrastructure) networks only: Use this setting if the wireless network that this device needs to connect to is composed of wireless access points. This is typically the most popular method for connecting to wireless networks.
– Connect to peer-to-peer (ad-hoc) networks only: Use this setting if all devices on the wireless network connect to and communicate with each other. This is known as peer-to-peer in that there is no central server or access point. Each system communicates directly with each other system.
Country: The country in which this wireless device is being used. The channel settings are restricted to the legal set for the selected country.
Channel: The frequency channel that the wireless radio will use. Select Auto-Scan to have the device scan all frequencies until it finds one with an available access point or wireless network it can join.
Transmit Power: The transmit power level in dBm.
Enable Short Preamble: Enables transmission of wireless frames using short preambles. If Short Preamble is supported in the wireless network, enabling it can boost overall throughput.
WiFi security settings
The WiFi security settings specify the wireless security settings that the wireless network uses. Multiple security and authentication modes may be chosen depending on the configuration of the access point or wireless network. The wireless device will automatically select and determine the authentication and encryption methods to use while associating to the wireless network. If the wireless network does not use security and uses an Open Network architecture, these settings do not need to be modified.
Note that WPA settings require that the device communicate with access points and are not valid when the Connection Method is set to Connect to wireless systems using peer-to-peer (ad-hoc). Also, WPA pre-shared key (WPA-PSK) security is only valid when a specific Network Name or SSID is being used.
Network Authentication: The authentication method or methods used for wireless communications.
– Use any available authentication method: Enables all of the methods. The actual method used will be determined by the capabilities of the wireless network.
– Use the following selected method(s): Selects one or more authentication methods for wireless communications.
Open System: IEEE 802.11 open system authentication is used to establish a connection.
Shared Key: IEEE 802.11 shared key authentication is used to establish a connection. At least one WEP key must be specified in order to use shared key authentication.
WEP with 802.1x authentication: IEEE 802.1x authentication (EAP) is used to establish a connection with an authentication server or access point. Wired Equivalent Privacy (WEP) keys are dynamically generated to encrypt data over the wireless network.
WPA with pre-shared key (WPA-PSK): The Wi-Fi Protected Access (WPA) protocol is used with a pre-shared key (PSK). The PSK is calculated using a passphrase and the network SSID.
WPA with 802.1x authentication: The WPA protocol and IEEE 802.1x authentication (EAP) are used to establish a connection with an authentication server or access point. Encryption keys are dynamically generated to encrypt data over the wireless link.
Cisco LEAP: Lightweight Extensible Authentication Protocol (LEAP) is used to establish a connection with an authentication server or access point. Wired Equivalent Privacy (WEP) keys are dynamically generated to encrypt data over the wireless link. A user name and password must be specified to use LEAP.
Data Encryption: Multiple encryption methods can be selected.
– Use any available encryption method: Enables all of the methods. The actual method used will be determined by the capabilities of the wireless network.
– Use the following selected method(s): Selects one or more encryption methods.
Open System: No encryption is used over the wireless link. Open System encryption is valid only with Open System and Shared Key authentication.
WEP: Wired Equivalent Privacy (WEP) encryption is used over the wireless link. WEP encryption can be used with any of the above authentication methods.
TKIP: Temporal Key Integrity Protocol (TKIP) encryption is used over the wireless link. TKIP encryption can be used with WPA-PSK and WPA with 802.1x authentication.
CCMP: CCMP (AES) encryption is used over the wireless link. CCMP can be used with WPA-PSK and WPA with 802.1x authentication.
WEP Keys
– Transmit Key: Specify which of the encryption keys should be used when communicating with wireless networks using WEP security. This device allows up to four wireless keys of either 64-bit or 128-bit encryption to be set. These keys allow the wireless device to traverse different wireless networks without having to change the wireless key. Instead, only the transmit key setting has to be changed to specify which wireless key to send.
– Encryption Keys: Specify 1 to 4 encryption keys to be used when communicating with wireless networks using WEP security. The encryption keys should be a set of 10 (64-bit) or 26 (128-bit) hexadecimal characters. The encryption key should only contain the characters A-F, a-f, or 0-9. Optionally, separator characters, such as '-', '_', or '.' may be used to separate the set of characters.
WPA PSK (Pre-Shared Key) Passphrase/Confirm: The passphrase that the Wi-Fi network uses with WPA pre-shared keys. The pre-shared key is calculated using the passphrase and the SSID. Therefore, a valid network name must have been previously specified. In the Confirm field, reenter the passphrase.
Username/Password/Confirm: The username and password combination used to authenticate on the network when using these authentication methods: WEP with 802.1x authentication, WPA with 802.1x authentication, or LEAP. In the Confirm field, reenter the password.
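The WPA-PSK derivation and the WEP key format described in the settings above, as an added Python example that is not Digi's code: the PSK is PBKDF2-HMAC-SHA1 over the passphrase salted with the SSID (the IEEE 802.11i definition, which is why a specific network name must be set before a passphrase is useful), and a WEP key must reduce to 10 or 26 hexadecimal characters once the permitted separators are removed. The "password"/"IEEE" pair used at the bottom is the published 802.11i test vector, not a real credential.

```python
"""Added example (not Digi's code): WPA-PSK derivation and WEP key checks
matching the settings described in the WiFi security settings section."""
import hashlib
import re

WPA_PBKDF2_ITERATIONS = 4096   # IEEE 802.11i Annex H passphrase-to-PSK mapping
WPA_PSK_BYTES = 32             # 256-bit pre-shared key
WEP_SEPARATORS = "-_."         # separators the device accepts inside a WEP key


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA pre-shared key from a passphrase and the SSID.

    The SSID is the PBKDF2 salt, so the same passphrase yields a different
    PSK on every network; with no SSID there is nothing to derive from.
    """
    if not ssid:
        raise ValueError("WPA-PSK needs a specific network name (SSID)")
    if not 8 <= len(passphrase) <= 63:  # length limits from 802.11i, not the manual
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), WPA_PBKDF2_ITERATIONS,
                               WPA_PSK_BYTES)


def normalize_wep_key(key: str) -> str:
    """Strip permitted separators and validate a 64-bit or 128-bit WEP key.

    Returns the key as upper-case hex; raises ValueError if it is not exactly
    10 or 26 hexadecimal characters.
    """
    cleaned = "".join(ch for ch in key if ch not in WEP_SEPARATORS)
    if not re.fullmatch(r"[0-9A-Fa-f]{10}|[0-9A-Fa-f]{26}", cleaned):
        raise ValueError("WEP key must be 10 (64-bit) or 26 (128-bit) hex characters")
    return cleaned.upper()


def wep_key_bits(key: str) -> int:
    """Key strength follows from the length: 10 hex digits -> 64, 26 -> 128."""
    return 64 if len(normalize_wep_key(key)) == 10 else 128


def validate_wep_key_set(keys, transmit_key: int) -> str:
    """Check a set of 1 to 4 keys and the 1-based Transmit Key index.

    Returns the normalized key the device would transmit with.
    """
    if not 1 <= len(keys) <= 4:
        raise ValueError("specify 1 to 4 WEP keys")
    normalized = [normalize_wep_key(k) for k in keys]
    if not 1 <= transmit_key <= len(normalized):
        raise ValueError("transmit key index must name one of the configured keys")
    return normalized[transmit_key - 1]


if __name__ == "__main__":
    # Constructed sample values: the 802.11i test vector and made-up WEP keys.
    print(wpa_psk("password", "IEEE").hex())
    print(validate_wep_key_set(["01-23-45-67-89", "0123456789ABCDEF0123456789"], 2))
```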
WiFi 802.1x authentication settings
These settings are not required based on the current Wi-Fi authentication settings. They are only configurable when WEP with 802.1x authentication or WPA with 802.1x authentication are enabled on the WiFi Security Settings tab.
EAP Methods: These are the types of Extensible Authentication Protocols (EAP) or outer protocols that are allowed to establish the initial connection with an authentication server or access point. These are used with WEP with 802.1x authentication and WPA with 802.1x authentication.
– PEAP: Stands for “Protected Extensible Authentication Protocol.” A username and password must be specified to use PEAP.
– TLS: Stands for “Transport Layer Security.” A client certificate and private key must be installed in order to use TLS.
– TTLS: Stands for “Tunneled Transport Layer Security.” A username and password must be specified to use TTLS.
PEAP/TTLS Tunneled Authentication Protocols: These are the types of inner protocols that can be used within the encrypted connection established by PEAP or TTLS.
These Extensible Authentication Protocols (EAP) can be used with PEAP or TTLS:
– GTC: Generic Token Card
– MD5: Message Digest Algorithm
– MSCHAPv2: Microsoft Challenge response Protocol version 2
– OTP: One Time Password
These non-EAP protocols can be used with TTLS:
– CHAP: Challenge Response Protocol
– MSCHAP: Microsoft Challenge response Protocol
– TTLS MSCHAPv2: TTLS Microsoft Challenge response Protocol version 2
– PAP: Password Authentication Protocol
Client Certificate Use: When the TLS protocol is enabled, a client certificate and private key must be installed on the Digi device.
– Certificate: Click Browse to select a client certificate file. Then click the next Browse to select a private key file.
– Private Key File: If the private key file is encrypted, a password must be specified.
Trusted Certificates: Adds and lists trusted certificates.
– Verify server certificates: Enable to verify that certificates received from an authentication server or access point are signed by a trusted certificate authority (CA). Standard CAs are built in. Additional trusted certificates may be added.
– Trusted Certificate File: To add additional trusted certificates, click Browse to select a certificate file to upload to the Digi device, then click Upload.
Installed Certificates: Shows which client certificates have been added and are in use.
DHCP server settings
The DHCP server feature can be enabled in a Digi device to allow other devices or hosts on this network to be assigned dynamic IP addresses. This DHCP server supports a single subnetwork scope.
For the DHCP server to operate, the Digi device must be configured to use a static IP address. For information on how to configure static IP settings, see "Ethernet IP settings" on page 55.
DHCP terminology
Some key DHCP terms involved in configuring a DHCP server include:
scope
A scope is the full consecutive range of possible IP addresses for a network. A scope typically defines a single physical subnet on your network, to which DHCP services are offered. A scope is the primary way for the DHCP server to manage distribution and assignment of IP addresses and related configuration parameters to its clients on the network.
exclusion range
An exclusion range is a limited sequence of IP addresses within a scope, excluded from DHCP service offerings. Exclusion ranges assure that any addresses in these ranges are not offered by the server to DHCP clients on your network.
address pool
After the scope is defined and exclusion ranges are applied, the remaining addresses form the available address pool within the scope. The addresses in this pool are available for dynamic assignment by the server to DHCP clients on your network.
lease
A lease is the length of time that the DHCP server specifies, during which a client host can use an assigned IP address. When the DHCP server grants a lease to a client, the lease is active. Before the lease expires, the client typically needs to renew its address lease assignment with the DHCP server. A lease becomes inactive when it expires or it is deleted at the server, or if the client actively releases the lease. The duration of a lease determines when it will expire and how often the client needs to renew it with the DHCP server in order to retain the lease.
A DHCP server will never grant a lease to its own address. There is no need for its own address to be in the exclusion range; the DHCP server simply protects its address from being offered.
grace period
When a DHCP client actively releases a lease, or when the lease expires without being renewed by the client, the DHCP server does not immediately delete the lease record and return the associated IP address to the available address pool. A grace period is the interval of time for which the lease record is retained before the DHCP server automatically deletes the record from its lease list, thereby making the IP address available for lease assignment to another client. The grace period is not a configurable value. See also the discussion of the grace period and what it means when the DHCP server is running in "View and manage current DHCP leases" on page 169.
reservation
You may use a reservation to create a permanent address lease assignment by the DHCP server. Reservations assure that a specified hardware device on the subnet can always use the same IP address. Address lease reservations associate a specific IP address with a specific client's Ethernet MAC address.
options
Options are other client configuration parameters that the DHCP server can assign when serving leases to DHCP clients. Most options are defined in RFC 2132. The DHCP server in the Digi device supports a limited set of options:
– Option 3: Routers on Subnet
– Option 6: DNS Servers
Addresses in the DHCP server settings
The IP address and subnet mask of the DHCP server's scope are the static IP configuration settings for the Digi device itself.
The default gateway (router) provided to a client with the lease information is the IP address of the Digi device.
The DNS servers provided to a client with the lease information are the DNS server addresses configured in the Digi device. These addresses include any DNS server addresses that the Digi device acquires when it connects to the mobile network.
DHCP server configuration settings
Here are the configuration settings for the DHCP server. Typically, these settings can be modified without having to restart the DHCP server for the changes to become effective in the running server.
Enable Dynamic Host Configuration Protocol (DHCP) Server: Enables the DHCP server feature on this Digi device. Note that for the DHCP server to operate, the Digi device must be configured to use a static IP address. For information on how to configure static IP settings, see "Ethernet IP settings" on page 55.
– Scope Name: The name of the physical network interface associated with the subnet being served by the DHCP Server. Most Digi device models have a single network interface, so there is no choice for the scope name. For models that have multiple network interfaces, such as an Ethernet interface and a Wi-Fi (802.11) interface, this DHCP Server may be configured to provide services on either of those interfaces.
– IP Addresses: The starting and ending IP addresses for the scope being served by this DHCP server. These addresses must be in the same subnet as the Digi device itself.
– Lease Duration: The length of the leases for the scope being served by this DHCP server. The default lease duration is 24 hours. A DHCP client may request a lease duration other than this setting, and the DHCP server will grant that request if possible.
Wait specified delay before sending DHCP offer reply: The interval of time in milliseconds to delay before offering a lease to a new client. The default delay is 500ms, and the range is 0 to 5000ms. Use of this delay permits this Digi device to reside on a network with other DHCP servers, yet not offer leases to new clients unless the other DHCP servers do not make such an offer. This provides a measure of protection against inadvertently connecting a Digi device to a network that is running its own DHCP server(s), and offering leases to clients in a manner inconsistent with that network.
Check that an IP address is not in use before offering it: When a DHCP client requests a new IP address lease, before offering an IP address to that client, use “ping” to test whether that IP address is already in use by another host on the network that is unknown to the DHCP server. If an IP address is determined to be in use, it is marked as Unavailable for a period of time, and it will not be offered to any client while in this state. Enabling this test adds approximately one second of delay before the IP address is offered to the client, since the “ping” test must not receive a valid reply for that test to successfully determine that the IP address is not already in use. This option is off (disabled) by default. This option does not apply to Static Lease Reservations, since the “ping” test is not used for them.
Send the DHCP Server IP address as a DNS Proxy Server: This option configures the DHCP Server to send its IP address to a DHCP client as the first DNS server in its lease information. This Digi device supports a DNS Proxy feature that will relay DNS requests and responses between DNS clients and servers. The DNS Proxy is not a feature of the DHCP Server itself, but rather it is managed elsewhere in the configuration settings for this Digi device. For DNS Proxy to be used effectively by a DHCP client, it must be enabled both in the DHCP server configuration and in the DNS Proxy settings. For more information, see the description of the Enable DNS Proxy Service setting in "Advanced network settings" on page 92. This option is on (enabled) by default.
– Static Lease Reservations: A static lease reservation is a specific IP address paired with a client's MAC address, which reserves the IP address for that client's use only. This assures that a client always receives a lease for the same IP address and that no other client obtains a lease for that address.
To add a reservation, enter the IP address and MAC Address values, check or clear the Enable checkbox, and then press the Add button.
After adding a reservation, you may click on the IP address or MAC address of that entry in the table, permitting you to specify or modify the lease duration for this reservation.
The Enable checkbox for the entry permits a reservation to be disabled without actually removing the entry, then enabled again at a later time.
The Remove link is used to permanently remove a reservation from the DHCP server configuration.
The Remove All link is used to permanently remove all reservations from the DHCP server configuration.
– Address Exclusions: A specific set of IP addresses to exclude from the scope. The DHCP server will not grant leases to clients for any IP address in the exclusion range.
To add an exclusion, enter the starting and ending IP addresses, check or clear the Enable checkbox, and then press the Add button.
The Enable checkbox for the entry permits an exclusion to be disabled without actually removing the entry, then enabled again at a later time.
The Remove link is used to permanently remove an exclusion from the DHCP server configuration.
The Remove All link is used to permanently remove all exclusions from the DHCP server configuration.
Apply button: You must click the Apply button to save changes you make to the DHCP server settings. If you leave this page without applying the changes, those changes will be discarded.
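The DHCP terminology and the server settings above (scope, exclusion ranges, the resulting address pool, static reservations, the server's own address never being offered, and the optional "ping" test), as an added Python model that is not Digi's code. The probe callable stands in for the ping test; the addresses and MAC addresses in the self-test are constructed samples.

```python
"""Added example (not Digi's code): a small model of the address handling the
DHCP server settings describe, so the interaction of scope, exclusions,
reservations, the server's own address and the ping check can be exercised."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

IPv4 = ipaddress.IPv4Address
# Stand-in for the "ping" test: returns True when the address answers.
Probe = Callable[[IPv4], bool]


@dataclass
class DhcpScope:
    server_ip: str      # the device's own static IP; its subnet is the scope's subnet
    netmask: str
    range_start: str    # "IP Addresses" setting: first address of the scope
    range_end: str      # "IP Addresses" setting: last address of the scope
    # Address Exclusions entries: (start, end, Enable checkbox)
    exclusions: List[Tuple[str, str, bool]] = field(default_factory=list)
    # Static Lease Reservations: MAC -> (IP, Enable checkbox)
    reservations: Dict[str, Tuple[str, bool]] = field(default_factory=dict)
    leases: Dict[str, IPv4] = field(default_factory=dict)
    unavailable: Set[IPv4] = field(default_factory=set)   # answered the ping test

    def __post_init__(self) -> None:
        self.server = IPv4(self.server_ip)
        self.network = ipaddress.IPv4Interface(f"{self.server_ip}/{self.netmask}").network
        self.start, self.end = IPv4(self.range_start), IPv4(self.range_end)
        self.reservations = {mac.lower(): entry for mac, entry in self.reservations.items()}
        # The scope must lie in the same subnet as the Digi device itself.
        if (self.start > self.end or self.start not in self.network
                or self.end not in self.network):
            raise ValueError("scope addresses must be within the server's own subnet")

    def _excluded(self, addr: IPv4) -> bool:
        return any(enabled and IPv4(lo) <= addr <= IPv4(hi)
                   for lo, hi, enabled in self.exclusions)

    def _reserved_addresses(self) -> Set[IPv4]:
        return {IPv4(ip) for ip, enabled in self.reservations.values() if enabled}

    def address_pool(self) -> List[IPv4]:
        """Scope minus enabled exclusions minus the server's own address."""
        pool, addr = [], self.start
        while addr <= self.end:
            if addr != self.server and not self._excluded(addr):
                pool.append(addr)
            addr += 1
        return pool

    def offer(self, mac: str, probe: Optional[Probe] = None) -> Optional[IPv4]:
        """Address the server would offer this client, or None if the pool is exhausted."""
        mac = mac.lower()
        if mac in self.leases:                        # renewing client keeps its address
            return self.leases[mac]
        reservation = self.reservations.get(mac)
        if reservation and reservation[1]:            # enabled reservation: no ping test
            self.leases[mac] = IPv4(reservation[0])
            return self.leases[mac]
        taken = set(self.leases.values()) | self._reserved_addresses() | self.unavailable
        for addr in self.address_pool():
            if addr in taken:
                continue
            if probe is not None and probe(addr):     # an unknown host answered
                self.unavailable.add(addr)            # mark Unavailable, try the next one
                continue
            self.leases[mac] = addr
            return addr
        return None


if __name__ == "__main__":
    # Constructed sample scope: server .1, exclude .2-.3, reserve .5 for one client.
    scope = DhcpScope("192.168.1.1", "255.255.255.0", "192.168.1.1", "192.168.1.10",
                      exclusions=[("192.168.1.2", "192.168.1.3", True)],
                      reservations={"00:40:9D:AA:BB:CC": ("192.168.1.5", True)})
    print([str(a) for a in scope.address_pool()])
    print(scope.offer("aa:bb:cc:dd:ee:01", probe=lambda a: str(a) == "192.168.1.4"))
```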
Manage the DHCP server
For information on managing the DHCP server and viewing and managing lease status, see "Manage DHCP server operation" on page 169.
Network services settings
The Network Services page shows a set of common network services that are available for Digi devices, and the network port on which the service is running.
Common network services can be enabled and disabled, and the TCP port on which the network service listens can be configured. Disabling services may be done for security purposes. That is, certain services can be disabled so the device runs only those services specifically needed. To improve device security, non-secure services such as Telnet can be disabled.
It is usually best to use the default network port numbers for these services because they are well known by most applications.
Several services have a setting for whether TCP keep-alives will be sent for the network services. TCP keep-alives can be configured in more detail on the Advanced Network Settings page.
Caution
Exercise caution in enabling and disabling network services, particularly disabling them. Changing certain settings can render a Digi Connect device inaccessible. For example, disabling Advanced Digi Discovery Protocol (ADDP) prevents the device from being discovered on a network, even if it is actually connected. Disabling HTTP and HTTPS disables access to the web interface. Disabling basic services such as Telnet, Rlogin, etc. can make the Command-Line interface inaccessible.
Supported network services and their default network port numbers
In Digi devices that have multiple serial ports, the network port number defaults for various services are set based on the following formula:
base network port number + serial port number
For example, the Telnet Passthrough service is set to network port 2001 for serial port 1, 2002 for serial port 2, 2003 for serial port 3, etc.
If a network port is changed for a particular service, that is the only network port number that changes. That change does not carry over to the other network ports. For example, if the network port number for Telnet Passthrough is changed from 2001 to 3001, that does not mean that the other network ports will change to 3002, 3003, etc.
There are two types of network services available:
Basic services, which are accessed by connecting to a particular well-known network port.
Passthrough services, in which a particular serial port is set up for a particular type of service. To use the service, users must both use the correct protocol and specify the correct network port. For example, assuming default service ports and using a Linux host, here is how a user would access the SSH and Telnet passthrough services:
#> ssh -l fred digi16 -p 2501
#> telnet digi16 2101
The table shows network services, the services provided, and the default network port number for each service. Each entry below gives the service name, its default network port number, and the services provided.
Device Discovery, also known as Advanced Digi Discovery Protocol (ADDP), default network port 2362: Discovery of Digi devices on a network. Disabling this service disables use of the Digi Device Discovery utility to locate the device, either on its own or as part of running the Digi Device Setup Wizard. The network port number for ADDP cannot be changed from its default.
Encrypted (Secure) RealPort, default network port 1027: Secure Ethernet connections between COM or TTY ports and device servers or terminal servers.
RealPort, default network port 771: A virtual connection to serial devices, no matter where they reside on the network.
Line Printer Daemon (LPD), default network port 515: Allows network printing over a serial port.
Modem Emulation Pool (pmodem), default network port 50001: Allows the Digi device to emulate a modem. Modem emulation sends and receives modem responses to the serial device over the Ethernet instead of Public Switched Telephone Network (PSTN). Telnet processing can be enabled or disabled on the incoming and outgoing modem-emulation connections. The pmodem service is for connecting to whatever serial port will answer.
Modem Emulation Passthrough, default network port 50001: Allows the Digi device to emulate a modem. This service is for dialing in to a particular serial port that has been set up for modem emulation.
Remote login (Rlogin), default network port 513: Allows users to log in to the Digi device and access the command-line interface through Rlogin.
Remote shell (Rsh), default network port 514: Allows users to log in to the Digi device and access the command-line interface through Rsh.
Secure Shell Server (SSH), default network port 22: Allows users secure access to log in to the Digi device and access the command-line interface.
Secure Shell (SSH) Passthrough, default network port 2501: Accessing a specific serial port set up for SSH.
Secure Socket Service, default network port 2601: Authentication and encryption for Digi devices.
Simple Network Management Protocol (SNMP), default network port 161: Managing and monitoring the Digi device. To run SNMP in a more secure manner, note that SNMP allows for “sets” to be disabled. This securing is done in SNMP itself, not through this command. If disabled, SNMP services such as traps and device information are not used.
Telnet Server, default network port 23: Allows users an interactive Telnet session to the Digi device’s command-line interface. If disabled, users cannot Telnet to the device.
Telnet Passthrough, default network port 2001: Allows a Telnet connection directly to the serial port, often referred to as reverse Telnet.
Transmission Control Protocol (TCP) Echo, default network port 7: Used for testing the ability to send and receive over a TCP connection, similar to a ping.
Transmission Control Protocol (TCP) Passthrough, default network port 2101: Allows a raw socket connection directly to the serial port, often referred to as reverse sockets.
User Datagram Protocol (UDP) Echo, default network port 7: Used for testing the ability to send and receive over a UDP connection, similar to a ping.
User Datagram Protocol (UDP) Passthrough, default network port 2101: Allows raw data to be passed between the serial port and UDP datagrams on the network.
Web Server, also known as HyperText Transfer Protocol (HTTP), default network port 80: Access to web pages for configuration that can be secured by requiring a user login. HTTP and HTTPS, below, are also referred to as Web Server or Secure Web Server. These services control the use of the web interface. If HTTP and HTTPS are disabled, device users cannot use the web interface to configure, monitor, and administer the device.
Secure Web Server, also known as HyperText Transfer Protocol over Secure Socket Layer (HTTPS), default network port 443: Access to web pages for configuration that can be secured by requiring a user login, with encryption for greater security.
Network services and IP pass-through
The IP pass-through feature (Configuration > Network > IP Pass-through) causes the Digi device to be bridged transparently between the Ethernet and mobile data links. Enabling IP Pass-through disables many device features, including many network services. To provide access to the device for configuration and management purposes, you can configure a subset of network services to terminate at the Digi device instead of being passed on to a connected device such as a router. In the IP pass-through feature, these network services are called pinholes. Services that can be configured as pinholes include HTTP, HTTPS, Telnet, SSH, and SNMP. See "IP pass-through settings" on page 87 for more information.
Dynamic DNS update settings
A Dynamic DNS (DDNS) service allows a user whose IP address is dynamically assigned to be located by a host or domain name. Before a DDNS service may be used, you must create an account with the DDNS service provider. The provider will give you account information such as username and password. You will use this account information to register your IP address and update it as it changes.
A DDNS service provider typically supports the registration of only public IP addresses. When using such a service provider, if your Digi device has a private IP address (such as 192.168.x.x or 10.x.x.x), your update requests will be rejected.
The Digi device monitors the IP address it is assigned. It will typically update the DDNS service or server automatically, but only when its IP address has changed from the IP address it previously registered with that service.
DDNS service providers may consider frequent updates to be an abuse of their service. In such a circumstance, the service provider may act by blocking updates from the abusive host for some period of time, or until the customer contacts the provider. Please observe the requirements of the DDNS service provider to ensure compliance with possible abuse guidelines.
The Dynamic DNS Update Settings page includes both settings and status information.
Settings
Current IP address: The IP address of the Digi device.
Use the following dynamic DNS service: Disables DDNS updates, or selects the DDNS service provider to use to register the IP address of this Digi device. When you select a specific DDNS service provider, you must also provide the related account information for that service provider.
To force an update request to be sent to a particular DDNS service:
1 Select the None radio button to disable DDNS updates, and then click Apply to save that change.
2 Select the radio button for the DDNS service you wish to update.
3 Click Apply to save that change.
If the settings for the selected DDNS service are all specified and valid, an update request will be sent immediately to that service.
DynDNS.org DDNS Service: You must create your account at DynDNS.org before you can successfully register the IP address of your Digi device with their service. Please familiarize yourself with their service options and requirements, in order to most effectively use this feature of your Digi device.
This DDNS service supports only public IP addresses. If you have a private IP address (such as 192.168.x.x or 10.x.x.x), your update requests will be rejected.
Host and Domain Name: The fully qualified host and domain name you have registered with your service provider. An example is: myhost.dyndns.net.
DynDNS User Name: The user name for the account you have created with your service provider.
DynDNS Password: The password for the account you have created with your service provider.
DynDNS DDNS System: The system for the account you have created with your service provider. DynDNS.org supports a number of different services, which vary by the system you select. The available choices are:
- Dynamic DNS
- Static DNS
- Custom DNS
Use Wildcards: Enables/disables wildcards for this host. The available choices for this option are:
- Disable wildcards
- Enable wildcards
- No change to service setting
According to wildcard documentation at DynDNS.org: “The wildcard aliases *.yourhost.ourdomain.tld to the same address as yourhost.ourdomain.tld.” Using this option in the settings for your Digi device has the same effect as selecting the wildcard option on the DynDNS.org website. To leave the wildcard option unchanged from the current selection on their web site, use the “no change” option in the device settings. Note that DynDNS.org support for this option may vary according to the DynDNS system you are registered to use.
Connection Method: The connection method to try when connecting to your service provider to register your IP address. DynDNS.org supports three methods to connect. The available choices are:
- Standard HTTP port 80
- Alternate HTTP port 8245
- Secure HTTPS port 443
Status and history information
The next settings show status and history information for the DDNS service.
Most Recent DDNS Service Update Status: This section provides the status of the most recent attempt to update a DDNS service or server. The displayed information confirms the success of an update request, or it may offer information as to the reason an update request was rejected by the service or server.
A number of status items are shown. Some of them are specific to the DDNS service being updated. Such information will be helpful when trying to resolve update failures with the DDNS service provider.
– Service: The name of the DDNS service provider or server being updated.
– Reported: The IP address for your Digi device that is being registered with the DDNS service provider or server.
– Update Status: A simple indication of success or failure for this last update request.
– Result Information: A DDNS service-specific status message, helpful when consulting technical support.
– Raw Result Data: DDNS service-specific update result data returned by the service provider, helpful when consulting technical support.
Last Logged Action or Result: The last attempted, logged action or result for the DDNS feature, helpful for troubleshooting possible problems with DDNS updates. This information may help identify problems with settings, network connection failures, and other issues that prevent a DDNS update from being completed successfully. Successful results also are reported here.
IP filtering settings
You can better restrict your device on the network by only allowing certain devices or networks to connect. This is better known as IP Filtering or Access Control Lists (ACL). By enabling IP filtering, you are telling the device to only accept connections from specific and known IP addresses or networks. Devices can be filtered on a single IP address or can be restricted as a group of devices using a subnet mask that only allows specific networks to access the device.
Caution
It is important to plan and review your IP filtering settings before applying them. Incorrect settings can make the Digi device inaccessible from the network.
On the IP Filtering Settings page, enter the settings as follows:
Only allow access from the following devices and networks: Enables IP filtering so that only the specified devices or networks are allowed to connect to and access the device. Note that if you enable this feature and the system from which you are connecting to the Digi device is not included in the list of allowed devices or networks, then you will instantly no longer be able to communicate with or configure the device from this system.
Automatically allow access from all devices on the local subnet: Specifies that all systems and devices on the same local subnet or network as the device should be allowed to connect to the device.
Allow access from the following devices: A list of IP addresses of systems or devices that are allowed to connect to this device.
Allow access from the following networks: A list of networks based on an IP address and matching subnet mask that are allowed to connect to this device. This option allows grouping several devices that exist on a particular subnet or network to connect to the device without having to manually specify each individual IP address.
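As an added example (not from the Digi manual), the following Python models the IP filtering decision described above, including the local-subnet shortcut, and adds the pre-apply check the Caution calls for: whether the administrator's own source address would still be allowed. The class and function names and all sample addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class IPFilterSettings:
    """Mirror of the IP Filtering Settings page (field names are this example's own)."""
    enabled: bool = False               # Only allow access from the following devices and networks
    allow_local_subnet: bool = False    # Automatically allow access from all devices on the local subnet
    allowed_devices: List[str] = field(default_factory=list)               # single IP addresses
    allowed_networks: List[Tuple[str, str]] = field(default_factory=list)  # (address, subnet mask)


def is_source_allowed(settings: IPFilterSettings, src_ip: str,
                      device_ip: str, device_mask: str) -> bool:
    """Decide whether a connection from src_ip may reach the Digi device.

    With filtering disabled every source is accepted. Otherwise a source is
    accepted only if it is on the device's own subnet (when that shortcut is
    enabled), is a listed device, or falls inside a listed network.
    """
    if not settings.enabled:
        return True
    src = ipaddress.ip_address(src_ip)
    if settings.allow_local_subnet:
        # strict=False lets us build the network from the device's host address and its mask
        local = ipaddress.ip_network(f"{device_ip}/{device_mask}", strict=False)
        if src in local:
            return True
    if any(src == ipaddress.ip_address(dev) for dev in settings.allowed_devices):
        return True
    for net_addr, net_mask in settings.allowed_networks:
        if src in ipaddress.ip_network(f"{net_addr}/{net_mask}", strict=False):
            return True
    return False


def would_lock_out(settings: IPFilterSettings, admin_ip: str,
                   device_ip: str, device_mask: str) -> bool:
    """True if applying these settings would cut off the session the administrator is using.

    This is the review step the Caution asks for: run it against the address you
    are configuring from before clicking Apply.
    """
    return settings.enabled and not is_source_allowed(settings, admin_ip, device_ip, device_mask)


if __name__ == "__main__":
    # Constructed scenario: device at 192.168.1.1/24, administrator working from 203.0.113.7.
    cfg = IPFilterSettings(enabled=True, allow_local_subnet=False,
                           allowed_devices=["10.8.128.10"],
                           allowed_networks=[("172.16.0.0", "255.255.0.0")])
    for src in ("10.8.128.10", "172.16.5.9", "192.168.1.50", "203.0.113.7"):
        verdict = "allowed" if is_source_allowed(cfg, src, "192.168.1.1", "255.255.255.0") else "denied"
        print(f"{src:15} {verdict}")
    print("administrator would be locked out:",
          would_lock_out(cfg, "203.0.113.7", "192.168.1.1", "255.255.255.0"))
```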
IP forwarding settings
When a Digi device acts as a router and communicates on both a private and public network with different interfaces, it is sometimes necessary to forward certain connections to other devices. This is also known as Network Address Translation (NAT) or Port Forwarding. When an incoming connection is made to the device on the private network, the IP port is searched for in the table of port forwarding entries. If the IP port is found, that connection is forwarded to another specific device on the public network.
Port Forwarding/NAT is useful when external devices cannot communicate directly with devices on the public network of the Digi device. For example, this may occur because the device is behind a firewall. By using port forwarding, the connections can pass through the networks transparently. Also, Port Forwarding/NAT allows multiple devices on the private network to communicate with devices on the public network by using a shared private IP address that is controlled by Port Forwarding/NAT.
Port forwarding can be used to connect from a Digi device to a RealPort device. For this type of connection to occur, your mobile wireless provider must be mobile-terminated.
IP Forwarding settings include:
Enable IP Routing: Enables or disables IP forwarding.
Apply the following static routes to the IP routing table: The Digi device can be configured with permanent static routes. These routes are added to the IP routing table when this device boots, or afterward when network interfaces become active or changes are made to this list of static routes. The use of static routes provides a means by which IP datagrams can be routed to a network that is not a local network or accessible through the default route.
Network Address Translation (NAT) Settings: A list of instances of NAT settings is displayed. For each instance, the settings are:
– Enable Network Address Translation (NAT): Permit the translation and routing of IP packets between private (internal) and public (external) networks. Refer to NAT configuration options below. Some Digi device models permit the configuration of NAT instances for more than one network interface.
NAT Public Interface: The name of the network interface for which NAT will perform address and port translations. The list of interfaces available for NAT configuration varies according to the capabilities of your Digi device model.
NAT Table Size Maximum: The maximum number of entries that can be added to the NAT table. These entries include the configured port and protocol forwarding rules (see Forward TCP/UDP/FTP Connections and Forward Protocol Connections below), the DMZ Forwarding rule (see Enable DMZ Forwarding to this IP address below), as well as dynamic rules for connections that are created and removed during the normal operation of NAT. The NAT table size maximum value may be configured for any value in the range 64 through 1024, with the default value being 256 entries. Note that this setting does not control the maximum number of port or protocol forwarding rules that can be configured in their respective settings.
Enable DMZ Forwarding to this IP address: DMZ Forwarding allows you to specify a single host (DMZ Server) on the private (internal) network that is available to anyone with access to the NAT Public Interface IP address, for any TCP- and UDP-based services that haven't been configured. Services enabled directly on the Digi device take precedence over (are not overridden by) DMZ Forwarding. Similarly, TCP and UDP port forwarding rules take precedence over DMZ Forwarding (please see Forward TCP/UDP/FTP Connections below). DMZ Forwarding is effectively a lowest priority default port forwarding rule that doesn't permit the same remapping of port numbers between the public and private networks, as is possible if you use explicit port forwarding rules.
If enabled, the DMZ Forwarding rule is used for incoming TCP and UDP packets from the public (external) network, for which there is no other rule. These other rules include explicit port forwarding rules or existing dynamic rules that were created for previous communications, be those outbound (private to public) or inbound (public to private). Also, the DMZ Forwarding rule is not used if there is a local port on the Digi device to which the packet may be delivered. This includes TCP service listener ports as well as UDP ports that are open for various services and clients. DMZ forwarding does not interfere with established TCP or UDP connections, either to local ports or through configured or dynamic NAT rules. Outbound communications (private to public) from the DMZ Server are handled in the same manner as the outbound communications from other hosts on that same private network.
Security Warning: DMZ Forwarding presents security risks for the DMZ Server. Configure the DMZ Forwarding option only if you understand and are willing to accept the risks associated with providing open access to this server and your private network.
Forward protocol connections from external networks to the following internal devices: Enables protocol forwarding to the specified internal devices. Currently, the only IP protocols for which protocol forwarding is supported are:
- Generic Routing Encapsulation (GRE, IP protocol 47)
- Encapsulating Security Payload (ESP, IP protocol 50, tunnel mode only)
These are routing protocols that are used to route (tunnel) various types of information between networks. If your network needs to use the GRE or ESP protocol between the public and private networks, enable this feature accordingly.
Forward TCP/UDP/FTP connections from external networks to the following internal devices: Specifies a list of connections based on a specific IP port and where those connections should be forwarded to. Typically the connecting devices come from the public side of the network and are redirected to a device on the private side of the network.
It is possible to forward a single port or a range of ports. To forward a range of ports, specify the number of ports in the range, in the Range Port Count field for the port forwarding entry. When a range is configured, the first port in the range is specified, and the full range is indicated in the displayed entry information.
Note that FTP connections require special handling by NAT. This is because the FTP commands and replies are character-based, and some of them contain port numbers in this message text. Those embedded port numbers potentially need to be translated by NAT as messages pass between the private and public sides of the network. In consideration of these needs, one should select FTP as the protocol type when configuring a rule for FTP connection forwarding to an FTP server on the private network side. If TCP is used instead, FTP communications may not work correctly. Note also that TCP port 21 is the standard port number for FTP. Finally, the use of port ranges for FTP forwarding is not supported; a port count of 1 is required.
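The precedence order the DMZ and port forwarding descriptions above lay out (local service ports, then explicit TCP/UDP/FTP rules, then existing dynamic entries, then DMZ as the lowest-priority default) can be checked against a configuration before it is applied. The Python below is an added example, not Digi's code: the class and field names are constructed, the mapping of a port range onto consecutive internal ports and the placement of dynamic entries after explicit rules are assumptions, and the validation mirrors the limits the manual states (64..1024 table entries, port count 1 for FTP).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# (action, internal IP or None, internal port or None)
Decision = Tuple[str, Optional[str], Optional[int]]


@dataclass
class ForwardRule:
    """One 'Forward TCP/UDP/FTP connections' entry (field names are this example's own)."""
    protocol: str        # "TCP", "UDP" or "FTP"
    public_port: int     # first port of the range, as shown in the entry
    port_count: int      # Range Port Count
    internal_ip: str
    internal_port: int   # first internal port; a range maps port by port (assumption)


@dataclass
class NatConfig:
    table_size_max: int = 256
    local_ports: Set[Tuple[str, int]] = field(default_factory=set)     # services on the Digi device
    forward_rules: List[ForwardRule] = field(default_factory=list)
    dynamic_rules: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)
    dmz_ip: Optional[str] = None     # Enable DMZ Forwarding to this IP address


def validate_table_size(n: int) -> int:
    """NAT Table Size Maximum must lie in the range 64 through 1024."""
    if not 64 <= n <= 1024:
        raise ValueError(f"NAT table size {n} is outside 64..1024")
    return n


def validate_rule(rule: ForwardRule) -> ForwardRule:
    """Reject entries the manual says NAT cannot apply."""
    if rule.protocol not in ("TCP", "UDP", "FTP"):
        raise ValueError(f"unsupported protocol {rule.protocol}")
    if rule.protocol == "FTP" and rule.port_count != 1:
        raise ValueError("FTP forwarding does not support port ranges; a port count of 1 is required")
    if rule.port_count < 1 or rule.public_port < 1 or rule.public_port + rule.port_count - 1 > 65535:
        raise ValueError("port range out of bounds")
    return rule


def classify_inbound(cfg: NatConfig, proto: str, dst_port: int) -> Decision:
    """Apply the precedence order to a packet arriving on the NAT Public Interface."""
    # 1. A TCP listener or open UDP port on the Digi device itself takes precedence over everything.
    if (proto, dst_port) in cfg.local_ports:
        return ("local", None, dst_port)
    # 2. Explicit port forwarding rules. An FTP rule matches TCP traffic and is flagged so the
    #    embedded port numbers in FTP messages get translated; a plain TCP rule would not do that.
    for rule in cfg.forward_rules:
        wire_proto = "TCP" if rule.protocol == "FTP" else rule.protocol
        if wire_proto == proto and rule.public_port <= dst_port < rule.public_port + rule.port_count:
            action = "forward-ftp" if rule.protocol == "FTP" else "forward"
            return (action, rule.internal_ip, rule.internal_port + (dst_port - rule.public_port))
    # 3. Dynamic entries left by earlier inbound or outbound traffic (assumed to follow explicit rules).
    if (proto, dst_port) in cfg.dynamic_rules:
        ip, port = cfg.dynamic_rules[(proto, dst_port)]
        return ("dynamic", ip, port)
    # 4. DMZ forwarding: the lowest-priority default, and it never remaps the port number.
    if cfg.dmz_ip is not None:
        return ("dmz", cfg.dmz_ip, dst_port)
    return ("drop", None, None)


if __name__ == "__main__":
    # Constructed configuration; the RealPort entry (port 771 to 10.8.128.10) is the manual's own example.
    cfg = NatConfig(
        table_size_max=validate_table_size(256),
        local_ports={("TCP", 22), ("TCP", 80)},
        forward_rules=[validate_rule(ForwardRule("TCP", 771, 1, "10.8.128.10", 771)),
                       validate_rule(ForwardRule("TCP", 5000, 10, "192.168.1.20", 6000)),
                       validate_rule(ForwardRule("FTP", 21, 1, "192.168.1.30", 21))],
        dynamic_rules={("UDP", 40000): ("192.168.1.40", 40000)},
        dmz_ip="192.168.1.99")
    for proto, port in (("TCP", 80), ("TCP", 771), ("TCP", 5004), ("TCP", 21), ("UDP", 21), ("TCP", 9999)):
        print(proto, port, "->", classify_inbound(cfg, proto, port))
```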
Example
For example, to enable port forwarding of RealPort data (network port 771) on a Digi Connect WAN VPN to a Digi Connect SP with an IP address of 10.8.128.10, you would do the following:
- Make sure the Enable IP Routing checkbox is checked.
- In the Forward TCP/UDP connections from external networks to the following internal devices section, enter the port forwarding information as follows, and click Add:
IP Network Failover settings
The IP Network Failover feature provides a dynamic method for selecting and configuring the default gateway for the Digi device. Failover uses a set of rules and link tests to determine whether a particular network interface can be used to communicate with a specified destination. The user configures these rules, link tests and the priority order of the interfaces.
Failover maintains a network interface list, ordered by the configured Failover Interface Priority, and containing information on the state of the network interface and recent success or failure of the link tests for that interface. The failover status for a network interface is one of the following:
1 - Responding: The interface is Up and configured in the system. It is currently responding to the link tests. This interface is suitable for use as the default gateway.
2 - Up: The interface is Up and configured in the system. Its status has not been determined by the link tests, or no link tests are configured. This interface may be suitable for use as the default gateway.
3 - Not Responding: The interface is Up and configured in the system. However, it is not currently responding to the link tests, and the number of consecutive test failures has reached the threshold number configured in the Network Failover settings. This interface may be suitable for use as the default gateway.
4 - Down: The interface is Down or not configured in the system. However, it is not currently responding to the link tests. This interface is not suitable for use as the default gateway.
5 - Unknown: The interface is Unknown (does not exist) in the system. This interface is not suitable for use as the default gateway.
The number shown above for each status value indicates the priority of that status, used by failover in selecting the interface to use as the default gateway. Status priority 1 is the most suitable for use, with lower priorities considered suitable if there are no interfaces at the highest priority.
When any network interface changes status, the interface list is examined for the interface that has the highest status priority, nearest the start of the list. The highest priority interface with a Responding status is used as the default gateway. If no interface is marked Responding then the highest Up interface is used, etc.
When Network Failover performs a link test, it adds a temporary static host route to the destination IP address for the link test, using the network interface that the link test is configured to test. The static host route is removed when the link test completes, whether successfully or in failure. Users should be careful to avoid manually configuring static host routes to any of the failover link test destinations, as such host routes may interfere with failover's link testing. Static IP routes are configured on the IP Forwarding Settings page. For additional information, see "IP forwarding settings" on page 71.
In the Advanced Network Settings, the Gateway Priority selection provides a simpler method for selecting the default gateway. However, if failover is properly configured and enabled, it overrides the Gateway Priority selection in the Advanced Network Settings. For a description of this non-failover Gateway Priority selection and information on how to configure it, see "Advanced network settings" on page 92.
For IP Network Failover status and statistics, see "IP Network Failover statistics" on page 163.
Network Failover General Settings
Enable IP Network Failover: Enable the Network Failover feature in the Digi device. Click the checkbox to turn failover on or off.
Enable fallback to the non-failover default gateway priority method: The fallback option is used if a default gateway cannot be configured by Network Failover. Failure to configure a default gateway could occur if one or more interfaces are not enabled (On) for Network Failover use, or if the enabled interfaces are not Up or do not have a gateway associated with them. Click the checkbox to turn fallback on or off.
Failover Interface Priority: The list of available network interfaces in priority order, used by failover to determine the default gateway. The default gateway is used to route IP packets to an outside network, unless controlled by another route.
A network interface may have a static gateway configured for it, or it may obtain a gateway from DHCP or other means when the interface is configured. The first interface in this list that supplies a gateway will be used as the default gateway. The default gateway may change as interfaces connect and disconnect, and as failover link tests determine that an interface is providing the desired IP packet routing to a remote network destination.
To change the interface priority order, select an item from the list and click the up or down arrow.
Link Test Settings for each of the network interfaces: The options that follow are used to configure the link tests for the network interfaces. Each network interface has its own set of options. Failover can support the use of Ethernet, Wi-Fi and Mobile (cellular) network interfaces. The available interfaces vary among different Digi products.
Enable IP Network Failover for the XXX Interface: Enable use of the XXX interface for failover, where XXX is Ethernet, Wi-Fi, or Mobile. Click the checkbox to turn failover on or off. If a network interface is not enabled for use by failover, it will not be considered by failover for use in selecting the default gateway.
No Test: Click on the radio button to specify that no link tests will be used for this interface. Since no link tests are run, failover will only be aware of the Up or Down status of the interface.
Ping Test: Click on the radio button to select the Ping Test as the link test to use for this interface. The Ping Test sends ICMP Echo Request packets to the configured destination IP address. If an ICMP Echo Reply is received (ping reply), the link test has successfully demonstrated that the network interface can be used to communicate with the specified destination.
Primary Destination (Ping Test): The primary, or first, destination to ping. The destination must be a valid IPv4 address. If the destination is left empty, no Primary Destination link test will be attempted.
Secondary Destination (Ping Test): The secondary, or second, destination to ping. The destination must be a valid IPv4 address. If the destination is left empty, no Secondary Destination link test will be attempted.
Send Count (Ping Test): The maximum number of ping requests to send for a ping link test. When a reply is received, the ping test ends successfully and does not continue to send ping requests. If no ping reply is received after Send Count ping requests have been sent, the link test ends in failure.
Send Interval (Ping Test): The time interval in seconds between sending ping requests during a ping link test. The ping test sends a ping request. If no ping reply is received before the Send Interval expires, another ping request is sent.
TCP Connection Test: Click on the radio button to select the TCP Connection Test as the link test to use for this interface. The TCP Connection Test attempts to establish a TCP connection to the configured destination IP address and port number. If a connection is successfully established, or if the remote host actively rejects (resets) the connection attempt, the link test has successfully demonstrated that the network interface can be used to communicate with the specified destination. If a TCP connection is successfully established, it is immediately closed.
Primary TCP Port (TCP Connection Test): The destination TCP port to use to connect to the Primary Destination address.
Primary Destination (TCP Connection Test): The primary, or first, destination to which to establish a TCP connection. The Primary TCP Port is used as the port to which the test connects at the Primary Destination. The destination must be a valid IPv4 address. If the destination is left empty, no Primary Destination link test will be attempted.
Secondary TCP Port (TCP Connection Test): The destination TCP port to use to connect to the Secondary Destination address.
Secondary Destination (TCP Connection Test): The secondary, or second, destination to which to establish a TCP connection. The Secondary TCP Port is used as the port to which the test connects at the Secondary Destination. The destination must be a valid IPv4 address. If the destination is left empty, no Secondary Destination link test will be attempted.
Connection Timeout (TCP Connection Test): The time in seconds to wait for a TCP connection to be established or rejected by the destination host.
The following four Link Test options are used if the Ping or TCP Connection Link Test is selected.
Repeat the test every: N seconds: The time interval (N) in seconds between the end of a successful link test and the start of the next link test for the network interface. This interval is used only after a successful test.
Shorter intervals verify the link more often, but they also increase the packet traffic over the network interface being tested. The frequency of tests should be considered carefully for network connections such as Mobile (cellular) connections, which may be expensive, depending on the service plan in effect with your mobile service provider.
On test failure, retry every: N seconds: The time interval (N) in seconds between the end of a failed link test and the start of the next link test for the network interface. This interval is used after a failed test, but only until the “Not Responding” (consecutive failures) threshold has been reached.
A possible strategy is to configure a shorter Retry interval than the Success interval, to more quickly test the network connection to determine whether it is truly not working or there was just a transient test failure. Determining the validity of the link helps failover determine whether it is necessary to reconfigure the default gateway.
Report Not Responding after: N consecutive failures: The threshold (N) in consecutive link test failures at which time the network interface is reported to failover as “Not Responding”. Upon receiving such a report, failover may determine that the default gateway should be reconfigured. The count of consecutive failures is reset to zero when a successful link test completes, or when the network interface is reconfigured or its connection is restarted (such as a mobile PPP connection).
When Not Responding, retry every: N seconds: The time interval (N) in seconds between the end of a failed link test and the start of the next link test for the network interface. This interval is used after a failed test, but only after the “Not Responding” (consecutive failures) threshold has been reached.
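As an added example, not from the Digi manual, the following Python models how the pieces described in this section fit together: the five status values and their priority, selection by status and then by position in the Failover Interface Priority list, the consecutive-failure threshold, the three retry intervals, and the fallback option. The class and field names, the threshold and interval values and the addresses are constructed; treating an interface that has succeeded before and then fails fewer than N times as still Responding is an assumption.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Failover status values; the number is the status priority (1 = most suitable).
RESPONDING, UP, NOT_RESPONDING, DOWN, UNKNOWN = 1, 2, 3, 4, 5


@dataclass
class LinkTestSettings:
    """The four options shown for the Ping and TCP Connection link tests."""
    success_interval: int = 60          # Repeat the test every: N seconds
    retry_interval: int = 10            # On test failure, retry every: N seconds
    failure_threshold: int = 3          # Report Not Responding after: N consecutive failures
    not_responding_interval: int = 30   # When Not Responding, retry every: N seconds


@dataclass
class FailoverInterface:
    name: str
    enabled: bool = True                 # Enable IP Network Failover for the XXX Interface
    exists: bool = True                  # False -> Unknown
    is_up: bool = False
    gateway: Optional[str] = None        # static or DHCP-supplied gateway, if the interface has one
    link_test: Optional[LinkTestSettings] = None   # None means the "No Test" radio button
    consecutive_failures: int = 0
    has_succeeded: bool = False          # a link test succeeded since the last reset

    def record_test_result(self, ok: bool) -> int:
        """Update the counters after a link test; return the seconds until the next test."""
        t = self.link_test
        if ok:
            self.consecutive_failures = 0
            self.has_succeeded = True
            return t.success_interval
        self.consecutive_failures += 1
        if self.consecutive_failures >= t.failure_threshold:
            return t.not_responding_interval
        return t.retry_interval

    def reset(self) -> None:
        """Interface reconfigured or its connection restarted: the failure count starts over."""
        self.consecutive_failures = 0
        self.has_succeeded = False


def failover_status(iface: FailoverInterface) -> int:
    if not iface.exists:
        return UNKNOWN
    if not iface.is_up:
        return DOWN
    if iface.link_test is None:
        return UP                        # no link tests: only Up/Down is known
    if iface.consecutive_failures >= iface.link_test.failure_threshold:
        return NOT_RESPONDING
    if iface.has_succeeded:
        return RESPONDING                # failures below the threshold do not change this (assumption)
    return UP                            # not yet determined by the link tests


def select_default_gateway(interfaces: List[FailoverInterface],
                           fallback_gateway: Optional[str] = None) -> Optional[Tuple[str, str]]:
    """interfaces must be in Failover Interface Priority order (first = highest priority)."""
    candidates = [i for i in interfaces if i.enabled and i.gateway is not None]
    usable = [i for i in candidates if failover_status(i) <= NOT_RESPONDING]
    if usable:
        best = min(failover_status(i) for i in usable)
        for i in usable:                 # earliest in the list wins among equal status
            if failover_status(i) == best:
                return (i.name, i.gateway)
    # Nothing usable: the non-failover Gateway Priority method applies only if fallback is enabled.
    return ("fallback", fallback_gateway) if fallback_gateway else None


if __name__ == "__main__":
    # Constructed scenario: Ethernet preferred over Mobile; Ethernet's upstream link then fails.
    eth = FailoverInterface("eth0", is_up=True, gateway="192.168.1.254", link_test=LinkTestSettings())
    mob = FailoverInterface("mobile0", is_up=True, gateway="10.0.0.1", link_test=LinkTestSettings())
    eth.record_test_result(True); mob.record_test_result(True)
    print("both responding:", select_default_gateway([eth, mob]))
    for _ in range(3):
        wait = eth.record_test_result(False)
        print(f"eth0 failures={eth.consecutive_failures} status={failover_status(eth)} next test in {wait}s")
    print("after threshold:", select_default_gateway([eth, mob]))
```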
Socket tunnel settings
A Socket Tunnel can be used to connect two network devices: one on the Digi device’s local network and the other on the remote network. This is especially useful for providing SSL data protection when the local devices do not support the SSL protocol.
One of the endpoint devices is configured to initiate the socket tunnel. The tunnel is initiated when that device opens a TCP socket to the Digi device on the configured port number. The Digi device then opens a separate connection to the specified destination host. Once the tunnel is established, the Digi device acts as a proxy for the data between the remote network socket and the local network socket, regardless of which end initiated the tunnel.
Socket Tunnel settings include:
Enable: Enables or disables the configured socket tunnel.
Timeout: The timeout (specified in seconds) controls how long the tunnel will remain connected when there is no tunnel traffic. If the timeout value is zero, then no timeout is in effect and the tunnel will stay up until some other event causes it to close.
Initiating Host: The hostname or IP address of the network device which will initiate the tunnel. This field is optional.
Initiating Port: Specify the port number that the Digi device will use to listen for the initial tunnel connection.
Initiating Protocol: The protocol used between the device that initiates the tunnel and the Digi device. Currently, TCP and SSL are the two supported protocols.
Destination Host: The hostname or IP address of the destination network device.
Destination Port: Specify the port number that the Digi device will use to make a connection to the destination device.
Destination Protocol: This is the protocol used between the Digi device and the destination device. Currently, TCP and SSL are the two supported protocols. This protocol does not need to be the same for both connections.
Click the Add button to add a socket tunnel. Click the Apply button to save the settings.
Once the socket tunnel is configured, check the Enable checkbox to enable the socket tunnel.
Virtual Private Network (VPN) settings
Virtual Private Networks (VPNs) are used to securely connect two private networks together so that devices may connect from one network to the other network using secure channels. VPN uses IP Security (IPSec) technology to protect the transferring of data over the Internet. All Digi Cellular Family products except Digi Connect WAN support VPNs.
The Digi device is responsible for handling the routing between networks. Devices within the local private network served by the Digi device can connect to devices on the remote network as if they are in the local network. The VPN tunnels are configured using various security settings and methods to ensure the networks are secured.
Uses for VPN-enabled Digi devices
VPN-enabled Digi devices, such as Digi Connect WAN VPN, are cellular-enabled routers that securely connect remote subnets using IPsec VPN technology. Devices in the Digi device’s private network can connect directly to devices on the other private network with which the VPN tunnel is established. You configure VPN tunnels using security settings and methods to ensure the networks are secured.
The Digi device is used for primary or backup remote site connectivity. Secured IPsec VPN traffic is typically routed from the Digi device over the cellular IP network and is terminated by a VPN appliance at the host end.
A VPN-enabled Digi device can be used in several scenarios; for example:
- As the primary remote site router where no other WAN router is used.
- As a backup router where the remote site has a primary WAN connection through DSL, Frame Relay, or other means.
- To provide secure access to remote serial and/or Ethernet devices.
This section describes using a Digi device as a primary remote site router using IPsec Encapsulated Security Payload (ESP) and Internet Key Exchange (IKE)/Internet Security Association and Key Management Protocol (ISAKMP) pre-shared key methods.
VPN Global Settings
General Security Settings
Enable Antireplay: Antireplay allows the IPsec tunnel receiver to detect and reject packets that have been replayed. Set this field to match that at the remote VPN gateway. The default is Enabled.
Important: Disable Antireplay if you use manual keyed tunnels.
Miscellaneous Settings
Suppress SA lifetime during IKE Phase 1: In most cases, leave this option unchecked. Some VPN equipment does not negotiate the ISAKMP Phase 1 lifetimes. Such equipment may refuse to negotiate with the Digi device if it includes lifetime values in Phase 1 negotiation messages. If the Digi device must communicate with such equipment, enable this option to prevent the Phase 1 lifetimes from being included in the ISAKMP Phase 1 messages.
Suppress Delete Phase 1 SA Message For PFS: In most cases this option should be unchecked. VPN devices usually send a delete notification for any phase 2 SAs that are left over from previous sessions when they start to negotiate quick mode. However, some devices do not handle this notification correctly and will terminate the connection when they receive it. If you have trouble connecting to the remote VPN device, you can try checking this box to suppress sending this message.
IP addresses of remote VPN peers may change on the fly (Dynamic DNS): Check this box if you are specifying the address of the remote VPN device with a DNS name, and that device uses dynamic DNS because its public IP address can change. Checking this box will cause the Digi device to poll the DNS server once a minute to see if the remote VPN device’s IP address has changed. The IPSec software will be restarted with the new IP address if it does change. Checking this option will increase network traffic since the unit will be polling the DNS server once a minute.
VPN tunnel configuration settings
Description: Enter a short, one-line description of the VPN tunnel.
VPN Tunnel: Displays settings for encryption and authentication keys. Selecting ISAKMP is recommended; it is the standard protocol used by almost all VPN devices. ISAKMP is more secure than manually setting the keys. The only time to set the keys manually is when connecting with an old VPN device that does not support ISAKMP, in which case you should replace the obsolete box with one that does.
Local Endpoint Type:
Select Local endpoint is a subnet to allow devices on the remote network to see devices on the local network. This is the standard way IPsec works and the correct choice in most cases.
Select Local endpoint is an internal interface to not allow devices on the remote network to see devices on the local network. This causes the Digi device to create a virtual endpoint and assign it the IP address specified later in the settings on this page. Devices on the remote network will only see the IP address of this endpoint, and cannot see the IP addresses of any devices on the local private network. This feature must be used in combination with NAT. If you select it, then you must update the NAT settings on the Network > IP Forwarding page. You must enable NAT translation for the VPN interface that corresponds to the tunnel. Tunnel 1 uses interface vpn0, tunnel 2 uses vpn1, etc.
VPN Mode:
If a single remote VPN device will be used for this VPN tunnel, select Initiate client connections to and accept connections from the remote VPN device at and enter the remote device’s IP address or DNS name in the field below. If the Digi device should accept connections from any remote VPN device for this tunnel, select the Accept connections from any VPN device option.
Identity settings
Network Interface: mobile0|eth0: Select the network interface used to communicate with the remote VPN device. The mobile0 device is the one with the cellular modem. In most cases, this is the correct device to use to communicate with a remote VPN device on the Internet.
Negotiate tunnel as soon as interface comes up: Check if the Digi device should establish the VPN tunnel as soon as the selected network interface is ready to use. Leave this box unchecked if the Digi device should wait until a device on the local private network attempts to communicate with a device on the remote network before establishing the VPN tunnel.
Use the following as the identity: Use this option to control how the Digi device identifies itself to the remote VPN device. The Digi device must identify itself to the remote VPN device when it negotiates the tunnel. You must make sure both devices agree on what the identification is. Select the “Use the following as the identity” option to enter a string such as a DNS name or an FQDN. Select the “Use the interface IP address” option if the Digi device should send the IP address of the interface you selected above as its identity. Select Use the identity certificate X.509… to use a PKI certificate. If using a PKI certificate, remember to load it in the Administration > X.509 Certificate/Key Management web page.
Local Endpoint:
If the Local Endpoint Type is set to Local endpoint is an internal interface, the following prompts are displayed:
Host address for tunnel's internal VPN interface: In the IP Address field, enter the IP address for the virtual network interface. This is the IP address which will be visible to devices on the remote private network.
Discard packets sent to the remote subnet unless they come from this local subnet: Select this option if the Digi device should discard IP packets transmitted from a device on the local network and addressed to the remote network which do not come from the subnet you specify below.
– IP Address: Enter the IP address of the subnet.
– Subnet Mask: Enter the mask for the subnet.
As indicated on the settings page, having the local endpoint as an internal interface is used in combination with NAT. Click here to configure the Network Address Translation (NAT) settings. Select the interface name of vpn0 to configure NAT for this tunnel.
If the Local Endpoint Type is set to Local endpoint is a subnet, prompts are displayed for entering the network address and mask for the private network. Both the Digi unit and the remote VPN device must be configured to use the same values.
– IP Address: Enter the IP address of the local private network.
– Subnet Mask: Enter the mask for the local private network.
Remote Endpoint: Enter the IP address and subnet mask of the remote network. Both the Digi unit and the remote VPN device must be configured to use the same values.
– Tunnel Network Traffic to the following Remote Network:
– IP Address: Enter the IP address of the remote network.
– Subnet Mask: Enter the subnet mask of the remote network.
Pre-Shared Key Settings
If you select the pre-shared key authentication method in one or more of your ISAKMP Phase 1 Policies, then you will be prompted to supply the ID of the VPN device and the preshared key used for authentication.
Use the following IP address, FQDN, or username for the remote VPN’s ID: Enter the remote VPN device’s ID here. Make sure the remote VPN device is configured to send this ID.
Use the following pre-shared key to negotiate IKE security settings: Enter the preshared key here. This must match exactly with the preshared key set on the remote VPN device.
ISAKMP Phase 1 Settings
General Security Settings for Phase 1
Connection Mode: Main|Aggressive: Set the connection mode to match that configured on the remote VPN device. If aggressive mode is selected, then the VPN device will try aggressive mode first, and then try main mode if aggressive mode fails.
Enable Perfect Forward Secrecy (PFS): Set this option to enable PFS. PFS guarantees that if one key is broken by an attacker, that does not help the attacker break another key. PFS is more secure, but slows down the negotiation process. Both the Digi unit and the remote VPN device must be configured the same way.
NAT-T Settings
Enable NAT Traversal (NAT-T): Set this option if there is a NAT firewall between the two VPN devices.
Keep Alive Interval: The amount of time in seconds between NAT keep alive messages. Once a connection is established through a firewall, the VPN devices have to send keep alive messages to prevent the NAT firewall from timing out the connection. Set the interval to a value less than the connection timeout of the NAT firewall.
Configure Digi devices
ISAKMP Phase 1 Policies:
Keys are negotiated in two phases. The first phase negotiates the keys and authentication method to be used to establish the initial ISAKMP connection. During this phase, the two VPN devices verify each other’s identity and create a security association (encrypted connection) which is used during phase 2. The encryption and authentication settings you specify determine the level of security in the connection the two VPN devices use to communicate with each other.
Select the policies to be used during phase 1 of the ISAKMP negotiation. The most important thing is to make sure that the Digi unit and the remote VPN device use the same policies. If more than one policy is specified, the VPN devices will use the most secure policy that they both have been configured to support.
Pre-shared Key: Using DSS and RSA signatures is more secure than using a pre-shared key.
Encryption: The encryption type and the length of the key. The longer the key, the more secure it is.
Integrity: The authentication algorithm. The SHA1 algorithm is more secure than MD5.
SA Lifetime: The maximum length of the phase 1 security association.
Diffie-Hellman: The Diffie-Hellman group to use for key generation. The larger the group, the more secure it is.
ISAKMP Phase 2 Settings:
The SAs used for bulk data transfer are created during phase 2. The phase 2 settings you specify will determine the level of security used when devices on the local private network communicate with devices on the remote private network. As with the other settings, both the Digi unit and the remote VPN device must be configured to use the same values. If more than one policy is specified, the VPN devices will use the most secure policy that they both have been configured to support.
General Security Settings for Phase 2
Diffie-Hellman: Select the Diffie-Hellman group used to generate keys. Larger groups are more secure.
ISAKMP Phase 2 Policies
Encryption: The encryption algorithm used for encrypting data and the length of the key. The longer the key, the more secure it is. There are three supported encryption algorithms: DES, 3-DES, and AES. DES encryption uses 64-bit keys, 3-DES encryption uses 192-bit keys, and AES encryption uses 256-bit keys.
Authentication: The authentication algorithm used in authenticating clients. There are two supported authentication algorithms: MD5 and SHA1. MD5 authentication uses 128-bit keys and SHA1 uses 160-bit keys. The SHA1 algorithm is more secure than MD5.
SA Lifetime: The maximum length of the Phase 2 security association (SA), in seconds. After the SA has been negotiated, the SA lifetime begins. Once the lifetime has completed, a new set of SA policies are negotiated with the remote VPN endpoint.
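The rule stated for both phases, that peers settle on the most secure policy both have configured, can be modelled directly. The following is an added example written for this guide, not Digi's own code: it ranks policies using only the comparisons the text makes (longer keys, larger Diffie-Hellman groups, SHA1 over MD5, signatures over a pre-shared key); the order in which those fields are compared, the field names, and the sample policy lists are this example's own assumptions.

```python
"""Choose the strongest ISAKMP Phase 1 policy that both VPN peers support.

Added example; not Digi code. Ranking order (encryption, then integrity,
then Diffie-Hellman group, then authentication method) is an assumption.
"""
from dataclasses import dataclass
from typing import List, Optional

# Strength orderings as the manual states them: longer keys and larger
# Diffie-Hellman groups are stronger, SHA1 is stronger than MD5, and
# DSS/RSA signatures are stronger than a pre-shared key.
ENCRYPTION_RANK = {"DES": 1, "3DES": 2, "AES": 3}
INTEGRITY_RANK = {"MD5": 1, "SHA1": 2}
AUTH_RANK = {"psk": 1, "dss": 2, "rsa": 2}


@dataclass(frozen=True)
class Phase1Policy:
    auth: str         # "psk", "dss" or "rsa"
    encryption: str   # "DES", "3DES" or "AES"
    integrity: str    # "MD5" or "SHA1"
    dh_group: int     # Diffie-Hellman group number
    lifetime: int     # SA lifetime in seconds; both peers must use the same value

    def strength(self):
        return (ENCRYPTION_RANK[self.encryption],
                INTEGRITY_RANK[self.integrity],
                self.dh_group,
                AUTH_RANK[self.auth])


def select_policy(local: List[Phase1Policy],
                  remote: List[Phase1Policy]) -> Optional[Phase1Policy]:
    """Return the strongest policy configured on both peers, or None."""
    common = set(local) & set(remote)
    if not common:
        return None          # negotiation fails: no matching proposal
    return max(common, key=Phase1Policy.strength)


def weak_points(policy: Phase1Policy) -> List[str]:
    """Flag the weakest choices the manual describes, for a configuration review."""
    findings = []
    if policy.auth == "psk":
        findings.append("pre-shared key authentication (signatures are stronger)")
    if policy.encryption == "DES":
        findings.append("DES encryption (shortest key of the three options)")
    if policy.integrity == "MD5":
        findings.append("MD5 integrity (SHA1 is stronger)")
    return findings


if __name__ == "__main__":
    # Constructed sample: the Digi unit offers three policies; HQ offers two
    # of them plus one the Digi unit does not have.
    digi = [Phase1Policy("psk", "DES", "MD5", 2, 28800),
            Phase1Policy("psk", "AES", "SHA1", 5, 28800),
            Phase1Policy("rsa", "AES", "SHA1", 14, 28800)]
    hq = [Phase1Policy("psk", "DES", "MD5", 2, 28800),
          Phase1Policy("psk", "AES", "SHA1", 5, 28800),
          Phase1Policy("rsa", "3DES", "SHA1", 5, 28800)]
    chosen = select_policy(digi, hq)
    print("negotiated:", chosen)
    print("review findings:", weak_points(chosen))
```

In the sample, the strongest policy the Digi unit offers (RSA, AES, SHA1, group 14) is not on the HQ list, so the peers fall back to the AES/SHA1/group 5 pre-shared-key policy, and the review helper reports the pre-shared key as the remaining weak point. Keeping a DES/MD5 policy in either list only matters if it is the sole match, but that is exactly the case a misconfigured peer produces.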
Example VPN configuration
The diagram shows a Digi Connect WAN VPN used as a primary remote site router:
[Figure: the Digi Connect WAN VPN at the remote site (LAN 172.17.1.0/24, gateway 172.17.1.1) connects over the cellular data network and the Internet to the HQ VPN appliance (LAN 172.16.5.0/24, gateway 172.16.5.1) through a private IP tunnel (IPSec ESP); public addresses shown: 166.123.99.99 and 209.123.123.123.]
How VPN tunnels work
The Digi device’s Ethernet port usually connects to a switch or hub, which then connects to other Ethernet devices. The mobile/cellular carrier provides only one IP address to the mobile interface. The Digi device uses Network Address Translation (NAT), where only the mobile IP address is visible to the outside. Private IP addresses are typically used on the remote site LAN connected to the Digi device’s Ethernet port. All outgoing traffic, except the tunneled VPN traffic, uses the mobile IP address of the Digi device. Using the example network above, the process for initiating VPN tunnels works like this:
1 Typically, a host or device on the remote subnet (in this case, 172.17.1.0) requests information from a host on the main site (HQ) subnet (172.16.5.0). For example, a computer at 172.17.1.20 needs a file from 172.16.5.100.
2 The Digi device sees the request as being on the HQ subnet and checks whether a VPN tunnel exists between the two sites.
3 If no tunnel exists, the Digi device initiates a VPN tunnel request to its peer, the VPN concentrator at HQ. The VPN policy settings are compared, and if they match, an IPsec tunnel is created between the Digi device and the VPN concentrator. Traffic is encrypted as defined in the VPN policies.
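The three steps above, together with the "discard packets not from the local subnet" option and the requirement that the mobile IP not be a private address, as an added example written for this guide (not Digi code). It uses the example network's subnets; the assignment of 166.123.99.99 as the Digi device's mobile IP, the class and method names, and the 198.51.100.0/24 Internet host are this example's own assumptions.

```python
"""Model of how the Digi device decides whether a LAN packet is tunneled.

Added example; not Digi code. Subnets are the manual's example network;
the mobile IP assignment and the helper names are assumptions.
"""
import ipaddress

# Private ranges the manual says a mobile IP must not fall within.
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def mobile_ip_is_public(ip: str) -> bool:
    """False means the carrier is NATing the device: no IPsec peer can reach it."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in PRIVATE_RANGES)


class VpnRouter:
    """Remote-site router with one IPsec tunnel to the HQ private network."""

    def __init__(self, local_subnet: str, remote_subnet: str, mobile_ip: str,
                 enforce_local_subnet: bool = True):
        if not mobile_ip_is_public(mobile_ip):
            raise ValueError(f"mobile IP {mobile_ip} is private; VPN cannot be established")
        self.local = ipaddress.ip_network(local_subnet)
        self.remote = ipaddress.ip_network(remote_subnet)
        self.mobile_ip = mobile_ip
        self.enforce_local_subnet = enforce_local_subnet  # the "discard" option
        self.tunnel_up = False
        self.events = []

    def handle(self, src: str, dst: str) -> str:
        """Return 'nat', 'tunnel' or 'discard' for a packet arriving from the LAN."""
        src_ip = ipaddress.ip_address(src)
        dst_ip = ipaddress.ip_address(dst)
        if dst_ip not in self.remote:
            return "nat"           # ordinary Internet traffic leaves via NAT (step 2: not HQ)
        if self.enforce_local_subnet and src_ip not in self.local:
            return "discard"       # not from the configured local subnet
        if not self.tunnel_up:     # step 3: no tunnel yet, initiate IKE with the HQ peer
            self.events.append(f"initiate tunnel from {self.mobile_ip} for {self.remote}")
            self.tunnel_up = True
        return "tunnel"            # encrypted per the negotiated phase 2 policy


if __name__ == "__main__":
    router = VpnRouter("172.17.1.0/24", "172.16.5.0/24", "166.123.99.99")
    for src, dst in [("172.17.1.20", "172.16.5.100"),   # step 1: file request to HQ
                     ("172.17.1.21", "172.16.5.100"),   # tunnel already up
                     ("172.17.1.20", "198.51.100.7"),   # plain Internet traffic
                     ("192.168.9.9", "172.16.5.100")]:  # not from the local subnet
        print(src, "->", dst, ":", router.handle(src, dst))
    print(router.events)
```

Only the first packet to HQ triggers tunnel initiation; later packets reuse the established SA. The constructor refusing a private mobile IP mirrors the check in "Requirements for VPN tunnels": if the carrier hands out a 10.x address, the problem is upstream NAT, not the VPN policy.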
Requirements for VPN tunnels
To establish an IPSec VPN tunnel, the IP address of the mobile interface must be publicly accessible. The IP address can be either static or dynamic depending upon the requirements of your VPN end point. However, the IP address cannot be within a private range of addresses (for example, 10.0.0.0, 172.16.0.0 or 192.168.0.0). If the mobile IP address is within one of the private IP address ranges, the mobile carrier is using a NAT (Network Address Translation) server between your mobile IP address and the Internet.
GSM GPRS/EDGE APN type needed
If the VPN end points require static (persistent) IP addresses, you may need a custom access point name (APN). An Internet APN can work in these cases:
– The main site (HQ) VPN appliance can support Dynamic DNS names.
– Another form of authentication is used (for example, FQDN).
Be aware that these APNs are based on Cingular Blue; other carrier APNs may have similar requirements.
CDMA carrier requirements
The CDMA (Code-Division Multiple Access) carrier requirements are similar to GSM in that static IP addresses may be required depending on the host site concentrator VPN implementation. In both cases, the Digi device’s mobile IP address will likely need to support mobile terminated data; that is, the ability to accept incoming data connections.
HQ router / VPN appliance configuration
For supported protocols, see the IPsec specifications for your Digi device. Security policies on the HQ VPN device must match those on the Digi device. The HQ VPN appliance’s peer address is the Digi device’s mobile IP address.
Using a console port
The Digi device’s console port can be configured for Console Management to provide SSH or Telnet access. It can be cabled to the router or VPN appliance’s console port to provide true diverse out-of-band console access.
Configuring and managing VPN settings from the command line
In the command-line interface, the set vpn command configures VPN connections, and the vpn command manages them. These commands are described in the Digi Connect Family Command Reference. Generally, configuring VPN connections from the web interface is simpler. Review the settings descriptions in this procedure (also available in the online help) to determine whether you need to gather any information before you start setting up the VPN.
IP pass-through settings
There are many application scenarios where a router is used to decide upon alternative routes using a primary and a secondary (or backup) interface. In many of these configurations, the router is required to use a public IP address as assigned by the network over which it is communicating. This requirement is mostly owing to the router needing to establish a VPN tunnel over that interface and using the public IP address as part of the VPN authentication. (For more on VPN tunnels, see page 79.)
The IP pass-through feature allows a Digi device to provide bridging functionality similar to that of a cable or DSL modem, where the Digi device becomes “transparent” to the router or connected device. In this case, the router’s WAN interface believes it is connected directly to the mobile network and has no knowledge that the Digi device is the mechanism providing that connectivity.
How IP pass-through works
A Digi device configured for IP pass-through, such as a ConnectPort WAN or Digi Connect WAN, passes its mobile IP address directly through and to the Ethernet device (router or PC) to which it is connected through the Ethernet port. From the perspective of the connected device, the Digi device essentially becomes transparent (similar to the behavior of a cable or DSL modem) to provide a bridge from the mobile network directly to the end device attached to the Digi device.
Since the mobile network address is effectively “passed through” to the local device connected to the Ethernet port of the Digi device, all network access to it is bypassed, with some specific exceptions.
Here is an example of a Digi device configured for IP pass-through in a network with a third-party router.
If the third-party router’s WAN interface is attached to the Digi device’s Ethernet port, and the Digi device’s mobile interface receives the IP address 166.213.2.215, the router’s WAN port is assigned the same IP address 166.213.2.215. If the router is receiving the IP address dynamically, the DNS server addresses, subnet mask, and default gateway information will be filled in automatically. If the router is configured manually, you need to obtain the DNS information from the mobile service provider and enter that manually. The subnet mask is 255.255.255.0 and the default gateway is the same as the mobile IP address with “.1” for the last octet. In other words: if the mobile IP address is 166.213.2.215, the default gateway is 166.213.2.1.
IP pass-through’s effect on network access to Digi devices
When IP pass-through is enabled, the Digi device effectively disables all router and IP service functionality. Services that are disabled are:
– NAT
– Port Forwarding
– VPN
– DDNS updates
– Socket Tunnel
– Network Services configuration
The Digi device is effectively transparent to all IP activity and network access by other devices, with these exceptions:
– It can be accessed via the serial port for configuration using the command line interface.
– It accepts TCP/IP connections for purposes of configuration by means of a “pinhole” on the mobile interface.
– It can be accessed by other devices on the local Ethernet segment via the default IP address of 192.168.1.1.
Using pinholes to manage the Digi device
IP pass-through uses a concept called pinholes. A Digi device can be configured to listen on specific TCP ports, and terminate those connections at the Digi device for purposes of managing it. Those ports are called pinholes, and they are not passed on to the device connected to the Ethernet port of the Digi device. Network services and ports that can be configured as pinholes include (see "Network services settings" on page 64 to configure these settings):
– HTTP: for accessing the device through HTTP and the web interface.
– HTTPS: for accessing the device through HTTPS and the web interface.
– Telnet: for accessing the device through a Telnet login and the command line.
– SSH: for accessing the device through a Secure Shell (SSH) login and the command line.
– SNMP: for monitoring and managing the device through SNMP.
– Ping: for accessing the device through ICMP echo (ping) requests.
iDigi Platform and Digi SureLink ports are automatically set up as pinholes so that they continue to work with the Digi device. In addition, the Digi device uses a private address on the Ethernet interface strictly for use in configuration or local access. This allows a user on the local network to gain access to the web interface or a Telnet session in order to make configuration changes.
Remote device management and IP pass-through
As illustrated above, the Digi device allows you to enable pinholes for specific ports to allow remote users to manage the Digi device from the mobile network or open Internet. The Digi device retains its remote management capabilities using the iDigi Platform. The necessary pinholes are automatically defined when the Digi device is configured for IP Pass-through. This provides administrators with the same remote-management capabilities that exist in Digi remote devices.
Steps to configure IP pass-through
To configure IP Pass-through from the web interface for your Digi device, follow these steps, or, in the case of the first three steps, make sure they have been performed.
1 Set a static IP address for the Digi device. Go to Configuration > Network > IP Settings.
2 Set up the DHCP server. Go to Configuration > Network > DHCP Server Settings. See page 60 and the online help for DHCP Server Settings.
3 Turn on the DHCP server. Go to Management > Network Services. In DHCP Server Management, click the Start button.
4 Configure IP pass-through settings. Go to Configuration > Network > IP Pass-through. IP pass-through settings include:
– Enable IP Pass-through: Enables or disables IP Pass-through.
– Pinhole Configuration: Specifies whether specific network services/ports are configured as pinholes for purposes of managing the Digi device.
5 Click Apply.
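The two pass-through rules described above, the address settings a manually configured router needs (same IP as the mobile interface, mask 255.255.255.0, gateway with a .1 last octet) and the split between pinhole ports terminated on the Digi device and everything else passed through, as an added example written for this guide (not Digi code). The port numbers are the standard ones for the listed services, the DNS server address is constructed, and the function names are this example's own; ping is ICMP and so has no port here.

```python
"""IP pass-through: what the attached router receives, and which inbound
ports the Digi device keeps for itself (pinholes).

Added example; not Digi code. Port numbers are the services' standard ports
(an assumption); the DNS address below is constructed.
"""
import ipaddress
from typing import Dict, Iterable, List


def passthrough_router_config(mobile_ip: str, dns_servers: Iterable[str]) -> Dict[str, object]:
    """Settings for a router configured manually behind a pass-through Digi device.

    Manual's rule: same IP as the mobile interface, mask 255.255.255.0,
    gateway = the mobile IP with the last octet replaced by .1.
    """
    addr = ipaddress.IPv4Address(mobile_ip)
    gateway = ipaddress.IPv4Address(addr.packed[:3] + b"\x01")
    return {"ip": str(addr), "netmask": "255.255.255.0",
            "gateway": str(gateway), "dns": list(dns_servers)}


# Services the manual lists as configurable pinholes (ping is ICMP, not a port).
PINHOLE_PORTS = {"http": 80, "https": 443, "telnet": 23, "ssh": 22, "snmp": 161}


def classify_inbound(dst_port: int, enabled_pinholes: Iterable[str]) -> str:
    """'digi-management' if the Digi device terminates the connection,
    otherwise the packet is passed through to the attached router."""
    ports = {PINHOLE_PORTS[name] for name in enabled_pinholes}
    return "digi-management" if dst_port in ports else "passed-through"


def cleartext_pinholes(enabled_pinholes: Iterable[str]) -> List[str]:
    """Pinholes that expose an unencrypted management login to the mobile network."""
    return sorted(name for name in enabled_pinholes if name in ("http", "telnet"))


if __name__ == "__main__":
    print(passthrough_router_config("166.213.2.215", ["198.51.100.53"]))
    enabled = {"https", "ssh", "telnet"}
    for port in (22, 23, 443, 80, 8080):
        print(port, classify_inbound(port, enabled))
    print("review:", cleartext_pinholes(enabled))
```

With pinholes enabled, those ports are reachable on the public mobile address, so a configuration review should treat the pinhole list as the device's exposed management surface; the last helper simply lists the entries that carry credentials in the clear.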
Host List settings
The Host List settings page is used to add or remove entries from the host list. For Digi devices using the DialServ feature, the host list provides a means to map a phone number to a network destination.
The Host List settings are:
– Local Name: A phone number.
– Resolves To: A network destination.
– Add button: Adds the entry to the host list.
When accessing a device by name, the Digi device will attempt to locate the name within the host list. When a match is found, the host name is mapped to the alias. Typically, this is used as a first means of locating the destination address before using the domain name system (DNS).
Each host list entry consists of a Local Name string which is mapped to a Resolves To destination. The destination can be either an IP Address or Fully Qualified Domain Name (FQDN). By creating several entries, the host list will allow a many-to-one mapping of multiple host names to a single destination, as well as a one-to-many mapping of a host name to multiple destinations. The one-to-many mapping allows a fail-over option: that is, a connection to the Resolves To name for the first host match in the list will be tried. If that connection attempt fails, the Resolves To name for the next match in the host list will be used.
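The lookup order just described, host list first, matches tried in configured order, DNS only when the list has no entry for the name, as an added example written for this guide (not Digi code). The sample host list, the stand-in connect and resolver callbacks, and the function names are constructed for this example.

```python
"""Host list lookup with first-match fail-over, tried ahead of DNS.

Added example; not Digi code. The host list, the fake connect and the
resolver are constructed for this example.
"""
from typing import Callable, List, Optional, Tuple

HostList = List[Tuple[str, str]]   # (Local Name, Resolves To) in configured order


def candidates(name: str, host_list: HostList) -> List[str]:
    """All Resolves To destinations for a name, in list order (one-to-many)."""
    return [dst for local, dst in host_list if local == name]


def connect_by_name(name: str, host_list: HostList,
                    try_connect: Callable[[str], bool],
                    dns_resolve: Callable[[str], Optional[str]],
                    attempts: Optional[List[str]] = None) -> Optional[str]:
    """Try each host-list match in order; fall back to DNS only when there is none."""
    targets = candidates(name, host_list)
    if not targets:
        resolved = dns_resolve(name)
        targets = [resolved] if resolved else []
    for dst in targets:
        if attempts is not None:
            attempts.append(dst)
        if try_connect(dst):
            return dst
    return None   # every match failed (or DNS had nothing)


# Constructed sample host list: "hq" has two destinations (fail-over), and
# "hq" and "files" both point at the same address (many-to-one).
SAMPLE_HOST_LIST: HostList = [
    ("hq", "172.16.5.100"),
    ("hq", "hq-backup.example.com"),
    ("files", "172.16.5.100"),
]


def demo(reachable: set) -> Tuple[Optional[str], List[str]]:
    """Connect to "hq" given the set of destinations that currently answer."""
    attempts: List[str] = []
    result = connect_by_name("hq", SAMPLE_HOST_LIST,
                             try_connect=lambda dst: dst in reachable,
                             dns_resolve=lambda n: None, attempts=attempts)
    return result, attempts


if __name__ == "__main__":
    print(demo({"172.16.5.100"}))                # primary answers
    print(demo({"hq-backup.example.com"}))       # primary down, backup used
    print(demo(set()))                           # nothing answers
```

Because the host list is consulted before DNS, an entry for a name silently overrides whatever DNS would return for it; that is the feature's purpose, and also why the list deserves the same change control as the DNS zone.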
Virtual Router Redundancy Protocol (VRRP) settings
Virtual Router Redundancy Protocol (VRRP) is a redundancy protocol for routers. VRRP allows several routers on a subnet to use the same virtual IP address, with the physical routers representing a “virtual router.” Two or more physical routers are configured to stand for the virtual router, with only one doing the actual routing at any given time. The virtual router has a unique IP address and MAC address that can be shared by all routers in a VRRP group. The advantage in using a virtual router redundancy protocol is that systems can be configured with a single default gateway, rather than running an active routing protocol.
There are two roles in VRRP: master, and backup. The master represents the virtual router and forwards IP traffic. The physical router that is currently routing the data is known as the Master. If the Master router fails, another Backup router automatically replaces it. Backup routers monitor the health of the master router, and in the event that the master stops sending advertisements, backup routers stage an election to determine which one will be the next master, and take over the virtual router IP address. The time required to make the determination that the master is down and hold elections depends on configuration, but typically occurs in about 3 seconds.
A number of VRRP groups (up to 255) can be configured on a LAN. A router may participate in multiple groups. All routers must be within one hop of each other (VRRP does not route).
VRRP settings include:
Virtual Router Identifier (VRID): The virtual router ID. All routers in the same VRID communicate with each other. The VRID can be any value between 1 and 255. All routers that are to communicate must have the same VRID.
Priority: Determines which router is the master. The router with the highest priority is the master. The default priority is 100.
Advertisement Interval: The amount of time in milliseconds between VRRP master advertisements. All routers in the virtual routing group should be set to the same value. 3000 msec (3 seconds) is typically used.
Enable Preempt: This setting controls whether a higher priority Backup router preempts a lower priority Master. Check to enable preemption; uncheck to prohibit preemption. The default setting is enabled (checked).
IP Address: The IP Address of the virtual router. All routers in the same VRID should use the same virtual IP address. Clients should be configured to use this value as their default gateway.
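The election, fail-over and preemption behaviour the settings above control, as an added example written for this guide (not Digi code). It uses the manual's defaults (priority 100, preemption enabled, 3000 ms advertisements, VRID 1 to 255). How many advertisement intervals may pass without an advertisement before a backup declares the master down is a parameter of this example (default 1, which with a 3000 ms interval gives the "about 3 seconds" the text mentions), and ties in priority are broken by router name; both are this example's own choices.

```python
"""VRRP master election, fail-over and preemption for one VRID.

Added example; not Digi code. The missed-advertisement limit and the
tie-break on router name are assumptions of this example.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Router:
    name: str
    priority: int = 100      # manual's default priority
    preempt: bool = True     # manual's default: preemption enabled
    alive: bool = True


class VrrpGroup:
    def __init__(self, vrid: int, virtual_ip: str,
                 adv_interval_ms: int = 3000, missed_intervals: int = 1):
        if not 1 <= vrid <= 255:
            raise ValueError("VRID must be between 1 and 255")
        self.vrid = vrid
        self.virtual_ip = virtual_ip          # clients use this as their default gateway
        self.down_after_ms = adv_interval_ms * missed_intervals
        self.routers: List[Router] = []
        self.master: Optional[Router] = None
        self.last_adv_ms = 0

    def _elect(self) -> Optional[Router]:
        """Highest priority among the routers that are still alive."""
        alive = [r for r in self.routers if r.alive]
        return max(alive, key=lambda r: (r.priority, r.name), default=None)

    def join(self, router: Router, now_ms: int) -> Optional[Router]:
        """A router joins or recovers. It displaces a live master only if it
        has a higher priority and preemption is enabled on it."""
        router.alive = True
        if router not in self.routers:
            self.routers.append(router)
        if self.master is None or not self.master.alive:
            self.master = self._elect()
            self.last_adv_ms = now_ms
        elif router.preempt and router.priority > self.master.priority:
            self.master = router
            self.last_adv_ms = now_ms
        return self.master

    def advertise(self, now_ms: int) -> None:
        """The master sends its periodic advertisement (a failed master sends nothing)."""
        if self.master is not None and self.master.alive:
            self.last_adv_ms = now_ms

    def check(self, now_ms: int) -> Optional[Router]:
        """Backups' health check: hold an election once advertisements have stopped."""
        if self.master is not None and now_ms - self.last_adv_ms > self.down_after_ms:
            self.master = self._elect()
            self.last_adv_ms = now_ms
        return self.master

    def fail(self, router: Router) -> None:
        router.alive = False


if __name__ == "__main__":
    group = VrrpGroup(vrid=10, virtual_ip="172.17.1.1")
    a, b = Router("A", priority=110), Router("B", priority=100, preempt=False)
    group.join(a, 0); group.join(b, 0)
    print("master:", group.master.name)            # A (higher priority)
    group.advertise(3000); group.fail(a)
    print("after failure:", group.check(6001).name)  # B takes over
    print("A recovers:", group.join(a, 7000).name)   # A preempts (preempt=True)
```

Preemption is what makes a recovered high-priority router take the virtual address back; with it disabled, the current master keeps forwarding until it fails itself, which avoids a second gateway change on the clients.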
Advanced network settings
The Advanced Network Settings are used to further define the network interface. These settings rarely need to be changed. Contact your network administrator for more information about these settings.
IP Settings
These settings are used to fine-tune IP address settings.
Host Name: The host name to be placed in the DHCP Option 12 field. This is an optional setting which is only used when DHCP is enabled.
The host name is validated and must contain only specific characters. These restrictions are as defined in RFCs 952, 1035, 1123 and 2132. The following characters are permitted:
– Alphabetic: upper and lower case letters A through Z and a through z
– Numeric: digits 0 through 9
– Hyphen (dash): -
– Period (dot): .
The host name value can be a single name, or a fully qualified domain name, whose parts are separated with a period character. Each part must follow the following rules:
– Must begin with a letter or digit
– Must end with a letter or digit
– Interior characters may be a letter, digit or hyphen
– Each part of the name may be from 1 to 63 characters in length, and the full host name may be up to 127 characters in length.
An IP address is not permitted for use in this host name setting.
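The host name rules above, implemented as a validator, as an added example written for this guide (not Digi's own validation code). It encodes exactly the stated constraints: the permitted characters, 1 to 63 characters per part, 127 characters overall, and no IP address; the function name and the sample names are this example's own.

```python
"""Validator for the Host Name setting, following the rules the manual lists.

Added example; not Digi code. Function name and sample names are assumptions.
"""
import ipaddress
import re
from typing import Optional

# One name part: starts and ends with a letter or digit, interior characters
# may also be hyphens, 1 to 63 characters in total.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
MAX_HOST_NAME_LEN = 127


def validate_host_name(name: str) -> Optional[str]:
    """Return None if the name is acceptable, otherwise the reason it is not."""
    if not name:
        return "host name is empty"
    if len(name) > MAX_HOST_NAME_LEN:
        return f"host name longer than {MAX_HOST_NAME_LEN} characters"
    try:
        ipaddress.ip_address(name)
    except ValueError:
        pass                      # not an IP address, continue checking
    else:
        return "an IP address is not permitted as a host name"
    for label in name.split("."):
        if not LABEL_RE.match(label):
            return (f"invalid name part {label!r}: must be 1-63 letters, digits or "
                    "hyphens, starting and ending with a letter or digit")
    return None


if __name__ == "__main__":
    for candidate in ("digi-wan1", "site1.example.com", "-bad", "a" * 64,
                      "192.0.2.7", "site..example", "under_score"):
        print(f"{candidate[:20]!r}: {validate_host_name(candidate) or 'ok'}")
```

Rejecting names on the device side matters because the value goes out in DHCP Option 12 and may end up in a DNS update; a validator with the same rules lets a provisioning script catch a bad name before it is applied.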
Static Primary DNS / Static Secondary DNS: The IP address of Domain Name Servers (DNS) used to resolve computer host names to IP addresses. Static DNS servers are specified independently of any network interface and its connection state. An IP address of 0.0.0.0 indicates no server is specified.
DNS Priority: A list of DNS servers in priority order used to resolve computer host names. Each type of server is tried, starting with the first in the list. For each server type, the primary server is tried first. If no response is received, then the secondary server is tried. If neither server can be contacted, the next server type in the list is tried.
A network interface may obtain a DNS server from DHCP or other means when it is connected. If an interface does not obtain a DNS server, it will be skipped and the next server in the priority list will be tried.
To change the priority order, select an item from the list and press the up or down arrow.
Gateway Priority: List of network interfaces in priority order used to determine the default gateway. The default gateway is used to route IP packets to an outside network, unless controlled by another route.
A network interface may have a static gateway configured, or obtain a gateway from DHCP or other means when it is connected. The first interface in this list that supplies a gateway will be used as the default gateway. The default gateway may change as interfaces connect and disconnect.
To change the priority order, select an item from the list and press the up or down arrow.
The IP Network Failover feature provides a dynamic method for selecting the default gateway. If failover is properly configured and enabled, it overrides the Gateway Priority selection in the Advanced Network Settings. For a description of the failover feature and information on how to configure it, please see "IP Network Failover settings" on page 74.
DNS Proxy Settings
Enable DNS Proxy Service: Enables the DNS Proxy feature on this Digi device. DNS Proxy permits DNS client hosts to communicate with this Digi device as if it were a DNS Server. It forwards the DNS client's request to one of the DNS servers configured in its network settings. The response from the actual DNS server will be relayed to the requesting client when it is received by the DNS Proxy. The DNS Proxy does not cache the actual detailed client requests nor the responses received from the DNS servers. Rather, it acts as a request/response relay agent between the DNS clients and servers.
The DNS Proxy will cycle through the DNS servers that are configured in the Digi device. DNS client requests are identified by the client's IP address and the unique Query ID in the DNS request message. For each new DNS client request (new Query ID), the DNS Proxy uses the first DNS server in its list of DNS servers. If the client retries the same request (same Query ID), the DNS Proxy will recognize that retry message and will either send the retry request to the same DNS server as the previous request for this client, or it will move to the next DNS server in its list of DNS servers. The DNS Proxy feature determines when to retry the same DNS server, or move to the next DNS server, according to the DNS Proxy: Request Retries Per DNS Server configuration setting (see below). The DNS Proxy itself does not perform unsolicited retries of DNS client requests.
Note
The DHCP Server feature on the Digi device may be configured to use the DNS Proxy feature. For more information, see "DHCP server settings" on page 60. The DNS server list may be dynamic in its content. For example, when DNS server IP addresses are received from a mobile service provider's network, they are added to the DNS server list of this Digi device. Those DNS server IP addresses may or may not be configured when the DHCP Server offers a lease to a DHCP client. As a result, the DHCP client may have no DNS servers provided to it in the lease, and domain name resolution may fail for that client. A significant benefit of the DNS Proxy feature is that the DHCP Server can offer its own IP address as a DNS server in the client lease, and the DNS Proxy will forward DNS requests and responses as stated above. Since the DHCP protocol does not allow a DHCP Server to force an unsolicited DNS server list update to its clients, the DNS Proxy feature provides an indirect method by which such updates may be made effective for the client.
Request Cache Size Maximum: Specifies the maximum number of DNS client request records that the DNS Proxy will maintain concurrently in its cache. A large cache consumes more system resources than does a small cache. However, if the maximum cache size is too small, new DNS client requests may be quietly discarded until the cache has room to add new client request records, or existing cache entries may be replaced by the new requests. If a large number of concurrent DNS client lookups is anticipated, configuring a larger maximum cache size is recommended. See also the setting For new client requests received when the request cache is full, below.
Request Idle Time-To-Live: Specifies the period of time, in seconds, that a DNS client request will remain in the DNS Proxy cache before it is deleted. This is a period of idle time, during which neither a DNS client request retry nor a DNS server response is received by the DNS Proxy for a specific DNS client request. A shorter Idle TTL results in resources being used more efficiently by the DNS Proxy, since the client request cache is reduced in size and the request buffers are released more quickly for future use for other DNS client requests.
Request Retries Per DNS Server: Specifies the number of retries using the same DNS server, for a specific DNS client request that is being retried (retransmitted) by the DNS client. There is always one “try” but the number of retries is configurable.
For new client requests received when the request cache is full: Specifies how to handle new client requests when the maximum number of client request entries is already being serviced (the request cache is full). There are two choices for this option:
– Replace the Least Recently Used (LRU) client request with the new request: Remove the least recently used entry from the cache, and add an entry for the new client request.
– Discard (ignore) new requests until some existing requests have expired: Silently discard the new client request, and do this for all future new requests until one or more entries have expired and been removed from the request cache.
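The request-tracking behaviour described across the DNS Proxy settings above (requests keyed by client address and Query ID, one try plus the configured retries per server before moving to the next server, idle expiry, and the LRU versus discard choice when the cache is full), as an added example written for this guide (not Digi code). The server addresses, client addresses and integer timestamps are constructed, and the class and method names are this example's own.

```python
"""Request-tracking model of the DNS Proxy: server cycling on client
retries, idle expiry, and the two full-cache policies.

Added example; not Digi code. Servers, clients and timestamps (seconds)
are constructed for this example.
"""
from collections import OrderedDict
from typing import Dict, List, Optional, Tuple


class DnsProxy:
    def __init__(self, servers: List[str], cache_max: int = 4, idle_ttl: int = 10,
                 retries_per_server: int = 1, full_policy: str = "lru"):
        if full_policy not in ("lru", "discard"):
            raise ValueError("full_policy must be 'lru' or 'discard'")
        self.servers = list(servers)
        self.cache_max = cache_max                     # Request Cache Size Maximum
        self.idle_ttl = idle_ttl                       # Request Idle Time-To-Live
        self.sends_per_server = 1 + retries_per_server  # one try plus retries
        self.full_policy = full_policy
        # (client_ip, query_id) -> entry; insertion order doubles as LRU order
        self.cache: "OrderedDict[Tuple[str, int], Dict[str, int]]" = OrderedDict()

    def expire(self, now: int) -> None:
        """Drop requests that have been idle longer than the Idle TTL."""
        stale = [k for k, e in self.cache.items() if now - e["last"] > self.idle_ttl]
        for key in stale:
            del self.cache[key]

    def forward(self, client_ip: str, query_id: int, now: int) -> Optional[str]:
        """Return the DNS server this request (or retry) goes to; None if discarded."""
        self.expire(now)
        key = (client_ip, query_id)
        entry = self.cache.get(key)
        if entry is None:                          # new request: start at the first server
            if len(self.cache) >= self.cache_max:
                if self.full_policy == "discard":
                    return None                    # silently dropped until entries expire
                self.cache.popitem(last=False)     # evict the least recently used entry
            entry = {"server": 0, "sent": 0, "last": now}
            self.cache[key] = entry
        elif entry["sent"] >= self.sends_per_server:  # retry budget on this server used up
            entry["server"] = (entry["server"] + 1) % len(self.servers)
            entry["sent"] = 0
        entry["sent"] += 1
        entry["last"] = now
        self.cache.move_to_end(key)                # most recently used
        return self.servers[entry["server"]]

    def response(self, client_ip: str, query_id: int) -> bool:
        """Relay a server's answer to the client; False if the request is unknown."""
        return self.cache.pop((client_ip, query_id), None) is not None


if __name__ == "__main__":
    proxy = DnsProxy(["198.51.100.1", "198.51.100.2"], retries_per_server=1)
    for t in range(5):   # one client retransmitting the same Query ID every second
        print(t, proxy.forward("172.17.1.20", 0x1234, t))
    print("relayed:", proxy.response("172.17.1.20", 0x1234))
```

Two points the model makes visible: a client that keeps retransmitting walks the proxy through every configured server in turn, so a single unreachable server costs each client (1 + retries) timeouts before the next server is tried; and with the discard policy a full cache makes the proxy unresponsive to new clients until the Idle TTL removes old entries, which is why the text recommends a larger cache when many concurrent lookups are expected.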
Ethernet Interface
Speed: The Ethernet speed the Digi device uses on the Ethernet network.
– 10: The device operates at 10 megabits per second (Mbps) only.
– 100: The device operates at 100 Mbps only.
– auto: The device senses the Ethernet speed of the network and adjusts automatically.
The default is auto. If one side of the Ethernet connection is using auto (negotiating), the other side can set the Ethernet speed to whatever value is desired. Or, if the other side is set for 100 Mbps, this side must use 100 Mbps.
Duplex Mode: The mode the Digi device uses to communicate on the Ethernet network. Specify one of the following:
– half: The device communicates in half-duplex mode.
– full: The device communicates in full-duplex mode.
– auto: The device senses the mode used on the network and adjusts automatically.
The default is half. If one side of the Ethernet connection is using auto, the other side can set the duplex value to whatever is desired. If one side uses a fixed value (for example, half-duplex), the other side has to use the same.
MDI: The connection mode for the Ethernet cable.
– Auto: Enables Auto-MDIX mode, where the required cable connection type (straight through or crossover) is automatically detected. The connection is configured appropriately without the need for crossover cables to interconnect switches or connecting PCs peer-to-peer. When it is enabled, either type of cable can be used and the interface automatically corrects any incorrect cabling. For this automatic detection to operate correctly, the “speed” and “duplex” options must both be set to “auto.”
– MDI: The connection is wired as a Media Dependent Interface (MDI), the standard wiring for end stations.
– MDIX: The connection is wired as a Media Dependent Interface with Crossover (MDIX), the standard wiring for hubs and switches.
TCP Keep-Alive Settings
The DHCP server assigns these network settings, unless they are manually set here.
Idle Timeout: The period of time that a TCP connection has to be idle before a keep-alive is sent.
Probe Interval: The time in seconds between each keep-alive probe.
Probe Count: The number of times TCP probes the connection to determine if it is alive after the keep-alive option has been activated. The connection is assumed to be lost after sending this number of keep-alive probes.
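The three keep-alive parameters above correspond to per-socket TCP options on a general-purpose host, which is the easiest place to see how they interact. The following is an added example written for this guide, not Digi code, and not a description of how the Digi firmware applies the settings: it uses the Linux option names (macOS spells the idle option TCP_KEEPALIVE), and the function names and sample values are this example's own.

```python
"""Map the manual's three TCP keep-alive settings onto socket options.

Added example; not Digi code. Option names are the Linux ones (macOS uses
TCP_KEEPALIVE for the idle time); options a platform lacks are skipped.
"""
import socket
from typing import Dict


def apply_keepalive(sock: socket.socket, idle_timeout: int,
                    probe_interval: int, probe_count: int) -> Dict[str, int]:
    """Enable keep-alives on sock and return the values the kernel reports back."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    applied = {"keepalive": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)}
    # Idle Timeout: seconds of silence before the first probe is sent
    idle_opt = getattr(socket, "TCP_KEEPIDLE", None) or getattr(socket, "TCP_KEEPALIVE", None)
    options = {
        "idle_timeout": (idle_opt, idle_timeout),
        "probe_interval": (getattr(socket, "TCP_KEEPINTVL", None), probe_interval),
        "probe_count": (getattr(socket, "TCP_KEEPCNT", None), probe_count),
    }
    for name, (opt, value) in options.items():
        if opt is not None:
            sock.setsockopt(socket.IPPROTO_TCP, opt, value)
            applied[name] = sock.getsockopt(socket.IPPROTO_TCP, opt)
    return applied


def dead_peer_detection_time(idle_timeout: int, probe_interval: int, probe_count: int) -> int:
    """Worst-case seconds before an unresponsive peer is declared lost:
    the idle period, then every probe at its interval without an answer."""
    return idle_timeout + probe_interval * probe_count


def demo_keepalive() -> Dict[str, int]:
    """Apply sample settings to a fresh, unconnected socket and report them."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        return apply_keepalive(sock, idle_timeout=60, probe_interval=10, probe_count=3)
    finally:
        sock.close()


if __name__ == "__main__":
    print(demo_keepalive())
    print("dead peer detected after", dead_peer_detection_time(60, 10, 3), "seconds")
```

The detection-time helper is the figure to compare against the NAT keep-alive and cellular idle timeouts discussed earlier in this chapter: a keep-alive budget longer than the carrier's or firewall's idle timeout means the far end can vanish without either side noticing until the next real packet fails.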
WiFi Interface
Digi products with Wi-Fi capability display this setting:
Maximum transmission rate: The maximum transmission rate that the device will use, in megabits per second. The complete range of transmission rates is available on all devices except the ConnectPort X2 - XBee to Wi-Fi model. For that model, the allowed transmission rates are: 1, 2, 5.5, 11.
Mobile (cellular) settings
The Mobile Settings pages configure how to connect to mobile (cellular) networks using the mobile connection, including the service provider, service plan, and connection settings used in connecting to the mobile network. If your Digi device has not already been provisioned for use in the mobile network, you can launch a wizard to provision it from these pages. In addition, you can configure settings for Digi SureLink™, a feature that provides an “always-on” mobile network connection to ensure rapid on-demand communication. The SureLink configuration settings allow you to customize how SureLink detects when a connection has been lost, in order to re-establish the link. These settings also are used to load a preferred roaming list (PRL) into the cellular module.
Information required from mobile service provider
To connect to the mobile network, you must get a set of network settings from the mobile service provider, including service plan and authentication details. For more information, consult the documentation that came with your mobile service provider's information.
Different processes used for CDMA and GSM provisioning
The process for provisioning your device and the settings displayed on the Mobile Configuration page vary according to whether the mobile service provider network used with your Digi Cellular Family product is based on CDMA (Code-Division Multiple Access) or GSM (Global System for Mobile communication).
CDMA-based mobile service providers
Device provisioning for a CDMA-based mobile service provider consists of selecting the service provider from a list and either automatically or manually entering mobile settings provided by the mobile service provider. Examples of CDMA-based mobile service providers include Sprint, Verizon, Alltel, and Midwest.
GSM-based mobile service providers
Device provisioning for a GSM-based mobile service provider involves inserting a Subscriber Identity Module (SIM) card into the Digi device, which makes subscription data available in the cellular network. Examples of GSM-based mobile service providers include Cingular, AT&T, and T-Mobile.
Set mobile configuration settings to factory defaults
The Set to Defaults button on the Mobile Configuration page sets all the mobile settings to factory defaults and sets the Service Provider selection back to deselected.
Mobile service provider settings
The Mobile Service Provider settings part of the screen identifies the service provider to use in connecting to the mobile network. The information displayed varies by Digi Cellular Family product and whether the remote service provider is GSM- or CDMA-based. Settings that may be displayed on this screen include:
Service Provider: For GSM-based mobile service providers, this is the service provider to use in connecting to the mobile network. This must match the provider that supplied the SIM card. (Not displayed for CDMA products.)
Service Plan: For GSM-based mobile service providers, this is the service plan to use in connecting to the mobile network. This setting must match the plan that the service provider has supplied to you. This is also sometimes known as the APN (Access Point Name).
Username and Password: For GSM-based mobile service providers, these settings are the username and password of the mobile connection needed to access the mobile network.
Device provisioning state: For CDMA-based mobile service providers, the text below the Service Provider selection list states whether the device has already been provisioned. Clicking the Provision Device button launches a wizard for provisioning the device. Mobile device provisioning is described next.
Provision a mobile device
Mobile device provisioning configures the Digi device with the settings required to access the mobile network. The device must be provisioned before you can create a data connection to the mobile network, and it only needs to be provisioned once. This type of provisioning applies only to Digi devices that have a CDMA cellular module.
For Digi devices, provisioning is done through the Mobile Device Provisioning Wizard, which is launched from the Mobile Configuration page.
Launch the Mobile Device Provisioning Wizard
Below the Service Provider selection list is a line of text that states whether the device has already been provisioned or still needs to be provisioned. If a device has not yet been provisioned, the Mobile Configuration page displays a message to that effect along with a Provision Device button. Click the Provision Device button to launch the Mobile Device Provisioning Wizard.
Automatic versus manual provisioning
The provisioning methods available depend on your mobile provider. The Mobile Device Provisioning Wizard presents the appropriate choices based on the mobile provider selected. The two main provisioning methods are:
Automatic Provisioning: Typically, an automatic provisioning process called IOTA (IP-Based Over the Air) is used to provision the device. Automatic provisioning requires the modem to communicate over the mobile network, so a good signal is needed to ensure the provisioning completes properly.
Manual Provisioning: Alternatively, a manual provisioning method can be used to specify the fields needed to access the mobile network by hand. Manual provisioning is an advanced configuration normally used only for custom network access or providers. This method is not available for all mobile providers, and will not be offered in the Mobile Device Provisioning Wizard if your mobile provider does not support it.
Example: provision ConnectPort WAN VPN for Sprint™ PCS
The sequence of Mobile Device Provisioning Wizard screens displayed, and the settings on them, vary by product and mobile service provider. If you used the Digi Device Setup Wizard for initial configuration of your Digi device and selected a service provider in that wizard, some of the provisioning settings will already have been established.
Here is an example of the wizard screens for a ConnectPort WAN VPN using Sprint PCS as the mobile service provider.