elmeg T444, T484 User Manual

Declaration of conformity and CE marks
This device meets the requirements of the following EC directive R&TTE 6/3/EG:
»Directive 1999/5/EC of the European Parliament and of the Council of 9 March 1999 on radio equipment and telecommunications terminal equipment and the mutual recognition of their conformity«.
You can also request this EC declaration of conformity at the following Internet URL: http://www.funkwerk-ec.com.
posed of separately from normal domestic waste at an appropriate waste disposal facility at the end of its useful service life. You will find additional information on an individual returning of the old appliances under www.funkwerk-ec.com.
© 2009 Funkwerk Enterprise Communications GmbH - All rights reserved.
Reprinting of this document, even excerpts, is permitted only with the express consent of the publisher and with precise source information, regardless of the media used (mechanical or electronic).
Function descriptions included in this documentation which refer to software products of other manufacturers are based on the software used and valid at the date the documentation was prepared or published. The product and company names used in this documentation may be protected by trademarks.
Table of contents
Introduction
Router of the PABX elmeg T444 / elmeg T484
What is a router?
Router of the PABX system
Which Internet connections are supported?
Dial-in into the LAN (RAS)
RAS Callback:
DHCP server and IP address allocation
Direct connection (DHCP)
Default setting of the PABX
Default IP addresses for the local area network
What are IP addresses and subnetwork masks
Example with this PABX:
Router functions
Automatic Internet access, fallback
Short Hold
Dynamic ISDN
DHCP server
DNS server
DNS-Proxy
Dynamic DNS
Router control via system phone
Status display CAPI/TAPI in the ControlCenter
Configuration examples
Address assignment by DHCP - Recommended configuration - (Default setting)
Things to note for this configuration.
Address assignment without DHCP (set / mixed IP addresses)
Things to note for this configuration.
LAN-Client (PC) Configuration
PC settings in Windows operating system
Sample configuration of a network with mixed address assignment
Sample configuration of a network with set address assignment
Checking the LAN clients (PCs)
Configuration for Windows 98SE/ME/2000/XP
Checking the TCP/IP Configuration
Windows 98SE / ME
Windows 2000
Windows XP
Configuring Internet access on a PC
Internet Explorer settings / Windows Internet options
Configure firewall filters
Basic information about firewall configuration
Four place holders are provided to achieve an abstraction when defining the filters:
You can configure the following parameters:
Filter Wizard
Gaming - Filter
Realplayer - Filter
Mediaplayer - Filter
Filter update
Introduction
Router of the PABX elmeg T444 / elmeg T484
The PABX elmeg T444 / elmeg T484 is equipped with an integrated router. You can provide access to the Internet and network several PCs via this router.
What is a router?
A router allows LAN clients (computers, PCs within a network) of one network (LAN) to obtain access to a different network, for example the Internet. Access to the Internet is made available by various Internet service providers (ISP).
In this process, the router searches for a path on which data can be exchanged between the LAN clients in the local network and the Internet. Linking to the Internet can be carried out via an xDSL and / or an ISDN connection.
Router of the PABX system
The PABX system router is equipped with a WAN/xDSL and a LAN port. The PABX system is connected to another network, for example the Internet, via the WAN/xDSL port. You can hook up a DSL or cable modem for connection to the Internet.
The LAN ports are for your local network. Here, you can directly connect up to two PCs equipped with built-in network cards. If you wish to network more than two PCs you can do this using an additional HUB / Switch, HomePN (optional module, not included in standard supply scope of system), or a USB port.
LAN1 sets itself automatically (from 10 Mbit/s half-duplex up to 100 Mbit/s full duplex) to the maximum data transfer rate of the remote location (PC).
These PCs are also part of your local network and can, for example, exchange files or take advantage of the Internet connections via the router. All LAN clients that are linked are integrated into the local network via the TCP/IP protocol.
Further PCs can be linked to your network via RAS access. Here, the IP address is always assigned by the telephone system, even when the DHCP server is de-activated. Under “Address assignment” in the configuration program you can de-activate the DHCP server and input the starting address for RAS. The following 11 IP addresses are then automatically reserved for RAS.
Using the Remote Access Server (RAS) a field representative, for example, can call into the local network from an external location and then via the local network access the Internet. Access from an external location is only possible via an ISDN connection. External access is provided with user-name and password protection. If the call is made from an external location only, the phone number can also be monitored as an added protection feature. Note that this access portal is not protected by a firewall!
Note Please note the further instructions given in the operator’s manual of the PABX system for connecting PCs.
Which Internet connections are supported?
You can set up a connection to the Internet with your PABX system as follows:
· Dial-up connections via ISDN (using PPP protocol, with one or two ISDN B channels, i.e. at 64 kbit/s or 128 kbit/s). These types of connections require access data with the number to be dialed, the username and password and, in some cases, other information such as the IP address of the name server and any information about the data compression method that is used (VJH).
· Using xDSL (for example ADSL - T-DSL) in conjunction with a DSL modem that is compatible with your ISP via PPPoE. These connections require your username and password as access data.
· Using xDSL (for example: SDSL) in conjunction with a DSL modem that is compatible with your ISP with a set, public IP address. These connections require the public IP address that you have been assigned, the IP address of the next gateway (next hop) and the IP address for the name server of your provider.
· Tunneling. Here, data packets of one protocol are packed into the shell of a different protocol to route them on to the Internet. At the recipient the shell is then removed and the data packet routed on with the original protocol. This tunneling is used to overcome incompatible networks, or when taking into consideration security and cost aspects (for example PPTP). Normally, you only need your username and password as access data. Indicate all the data that is also specified to you by your provider (for example, number, IP address and DNS server).
The ISP that you wish to use for your Internet connections is set in the configuration of the PABX system. You can configure up to 10 ISPs. You can then define further settings for each ISP, such as username, password, phone number, etc. You can also define whether the connection to the Internet is to be set up automatically (default setting) and that the next ISP in your list is to be selected once the connection has been established (fall-back).
When the PABX system router receives the command to establish an Internet connection this connection is set up using the first ISP in your list. If the connection is set up successfully all of the clients in your network can access the Internet. If the Internet connection is no longer needed (inactivity) it is terminated after a defined time.
If an Internet connection cannot be set up using the selected ISP an attempt is made to establish the connection using the next ISP in your list (fall-back).
When an Internet connection is terminated, the first ISP in the list is used when the next connection attempt is initially carried out.
Note For more information about configuring ISPs and establishing an internet connection, refer to the operator’s manual of your PABX.
Note If “hubs” are installed in your network, for example, or if a connection to the Internet still exists, data packets may continue to be sent to the router and the connection cannot be terminated.
Dial-in into the LAN (RAS)
Using the Remote Access Server (RAS) a field representative, for example, can call into the local network from an external location and then via the local network access the Internet. Access from an external location is also possible via an ISDN connection. External access is provided with user-name and password protection. If the call is made from an external location only, the phone number can also be monitored as an added protection feature. Access can be enabled for up to 8 users. A Windows enable (access to computer, files or printers) and Internet enable can also be configured for each user.
A PC that dials into the local network via RAS is automatically assigned an IP address by the integrated DHCP server.
RAS Callback:
If you do not want to be charged for connections within your company network you can configure the RAS connection as an automatic call-back. For this, a brief connection is set up to the company network (for which you are charged) that then initiates a call-back. The PABX system at your company then calls you back and you are not charged for the ensuing connection time. You can enter a number for the corresponding RAS connection in the configuration. Automatic call-back is then only possible from this number. If you do not enter a number here, the automatic call-back can be made from any number.
DHCP server and IP address allocation
PCs can be provided with a major portion of the configuration required for LAN and Internet access via the DHCP (Dynamic Host Configuration Protocol). The DHCP server integrated into the PABX is capable of supplying corresponding configurations to up to 100 PCs (clients). IP addresses are dynamically allocated to the clients. The DHCP server task of the PABX system is activated in the initial status of the PABX.
You can configure the integrated DHCP server under »Network address allocation«.
You can configure the first IP address assigned by the DHCP server. The required number of IP addresses is assigned to the PCs (DHCP clients) in ascending order. Eleven additional IP addresses for the DHCP server are always reserved for PCs that are integrated through RAS (remote access server) into the local network. If the integrated DHCP server is activated the 11 IP addresses which come after the configured DHCP address range are used for RAS clients. When the DHCP server is de-activated the 11 IP addresses that come after the set DHCP start address will be used for RAS clients.
Direct connection (DHCP)
This setting is used to utilize a direct WAN connection with automatic allocation of the IP addresses via DHCP. In this case the IP address is not assigned by your PABX system router, but by the network in which the router is integrated. The router DHCP must be de-activated in the configuration for this.
Default setting of the PABX
Default IP addresses for the local area network
In its basic setting you can use your PABX system as a router for Internet access for your local network. You have to define (when configuring the PABX) the Internet service provider that you wish to use.
The IP addresses for your local area network are then distributed as follows:
192.168.1.1 to 192.168.1.49      Freely assignable IP addresses, for example for LAN clients with a fixed IP address
192.168.1.50 to 192.168.1.69     IP addresses that are allocated to corresponding LAN clients by the PABX system. (Number of DHCP clients: 20)
192.168.1.70 to 192.168.1.80     Reserved IP addresses (11) for RAS. These addresses must always remain reserved and may not be assigned as set IP addresses.
192.168.1.81 to 192.168.1.249    Freely assignable IP addresses, for example for LAN clients with a fixed IP address
192.168.1.250                    IP address for the PABX
192.168.1.251 to 192.168.1.254   Freely assignable IP addresses, for example for LAN clients with a fixed IP address
Note Please note that each IP address can only be assigned once. The first and last IP address for a network may not be assigned to LAN clients. In this example: 192.168.1.0 and 192.168.1.255.
Example for the hint:
255.255.255.0                    Subnet mask for all components on the network (PABX, LAN clients, ...)
192.168.1.250                    IP address for the gateway (PABX)
192.168.1.250                    IP address for the DNS server (PABX). The PABX system also acts as a DNS proxy in place of the ISP DNS server.
What are IP addresses and subnetwork masks
With the initial settings IP addresses and subnetwork masks are already set for the PABX system router. Both of these values are each 4 bytes in length.
IP address:   192.168.1.250
Subnet mask:  255.255.255.0
The IP address is an address that is reserved for private local networks.
The subnetwork mask defines that this is a Class C network in which up to 254 LAN clients can be linked. Using the subnetwork mask an IP address can be divided into the network address and the host address (address of the PC).
Example with this PABX:
IP address of the PABX:            192.168.1.250
IP netmask for the PABX:           255.255.255.0
Network part of the IP addresses:  192.168.1.xxx
Host part of the address:          x.x.x.250
First usable IP address:           192.168.1.1 (netmask: 255.255.255.0)
Last usable IP address:            192.168.1.254 (netmask: 255.255.255.0)
You can assign the available IP addresses to the individual LAN clients manually, or have them assigned by the PABX system via DHCP. No IP address may be used simultaneously by more than one client however. With regard to the example given above this means that the address 192.168.1.250 may not be allocated again, as it is already being used by the PABX system.
The network part of the IP address may not be changed, as otherwise the LAN clients would not all be located within the same IP network. A PC with the IP address 192.168.2.1 is located in a different network. A PC from the PABX net would not be able to locate this other PC if it is not within its own network. In addition, the same subnetwork mask must also be entered at all LAN clients located within the same network.
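The address plan and subnet rules above, as an added Python check for manually assigned addresses (not part of the manual or the PABX software): it derives the RAS block as the 11 addresses following the DHCP range and flags fixed addresses that collide with the DHCP pool, the RAS block, the PABX, the network or broadcast address, another host, or that use a different network or netmask. Function names and the host list are constructed for illustration; only the case with the DHCP server activated is modelled.

```python
import ipaddress

RAS_RESERVED = 11  # per the manual: 11 addresses after the DHCP range are reserved for RAS


def build_plan(pabx_ip="192.168.1.250", netmask="255.255.255.0",
               dhcp_start="192.168.1.50", dhcp_clients=20):
    """Build the address plan; defaults are the PABX default settings from the manual."""
    iface = ipaddress.ip_interface(f"{pabx_ip}/{netmask}")
    start = ipaddress.ip_address(dhcp_start)
    ras_start = start + dhcp_clients          # RAS block follows the DHCP range directly
    return {
        "network": iface.network,
        "pabx": iface.ip,
        "dhcp": (start, start + dhcp_clients - 1),
        "ras": (ras_start, ras_start + RAS_RESERVED - 1),
    }


def classify(ip, plan):
    """Return which part of the plan an address falls into."""
    ip = ipaddress.ip_address(ip)
    net = plan["network"]
    if ip not in net:
        return "outside-network"
    if ip == net.network_address:
        return "network-address"
    if ip == net.broadcast_address:
        return "broadcast-address"
    if ip == plan["pabx"]:
        return "pabx"
    if plan["dhcp"][0] <= ip <= plan["dhcp"][1]:
        return "dhcp-pool"
    if plan["ras"][0] <= ip <= plan["ras"][1]:
        return "ras-reserved"
    return "free"


def audit_static(assignments, plan):
    """Check {host: (ip, netmask)} and return a list of (host, ip, problem) findings."""
    findings, seen = [], {}
    for host, (ip, mask) in assignments.items():
        addr = str(ipaddress.ip_address(ip))   # normalise and validate the address
        kind = classify(addr, plan)
        if kind != "free":
            findings.append((host, addr, kind))
        if ipaddress.ip_address(mask) != plan["network"].netmask:
            findings.append((host, addr, "netmask-mismatch"))
        if addr in seen:                       # each address may be assigned only once
            findings.append((host, addr, f"duplicate-of-{seen[addr]}"))
        else:
            seen[addr] = host
    return findings


# Constructed sample: fixed addresses an administrator might have entered by hand.
SAMPLE_HOSTS = {
    "printer":   ("192.168.1.10",  "255.255.255.0"),
    "nas":       ("192.168.1.75",  "255.255.255.0"),   # inside the RAS block
    "webserver": ("192.168.1.200", "255.255.255.0"),
    "laptop":    ("192.168.1.60",  "255.255.255.0"),   # inside the DHCP pool
    "kiosk":     ("192.168.1.250", "255.255.255.0"),   # address of the PABX
    "lab-pc":    ("192.168.2.1",   "255.255.255.0"),   # different network
    "scanner":   ("192.168.1.10",  "255.255.0.0"),     # duplicate, wrong netmask
}

if __name__ == "__main__":
    plan = build_plan()
    print("RAS block:", plan["ras"][0], "to", plan["ras"][1])
    for finding in audit_static(SAMPLE_HOSTS, plan):
        print(finding)
```

Changing the DHCP start address or the number of clients moves the RAS block with it, so a fixed address that was free under the default plan can become reserved; re-run the check after changing either setting.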
Router functions
Automatic Internet access, fallback
Several ISPs (ISP – Internet Service Provider) can be set up in the PABX. Connectivity to the Internet is provided via the WAN port (e.g. DSL port), or via an ISDN port. If required, connection to the Internet can be set up automatically. If your selected ISP is not available, the next ISP in the list will be selected automatically.
Short Hold
Short Hold means that the PABX system terminates the Internet connection automatically after a configurable time period when there is no exchange of data from/to the Internet (inactivity). You can set this time separately for each ISP that you have configured. This can result in increased connection costs with frequent, short excursions into the Internet, for example for picking up e-mails, as the connection is always maintained for the duration of the set holding time.
Dynamic ISDN
Higher data transfer rates can also be achieved for Internet access via the ISDN connection by bundling the two B channels for the connection. If an Internet connection with channel bundling is active and a B channel is needed for telephony or fax messages, one B channel is disconnected from the Internet connection. On completion of the voice connection the B channel reverts automatically to use for the Internet connection. This function is available for incoming and outgoing voice links.
This performance feature requires that the ISDN Speed Manager be installed, or that Internet access is made via the router! The Speed Manager is included in the T-Online installation.
Completion of call to busy subscriber:
You cannot be reached by an external telephone call when you are surfing the Internet and are using two B channels for downloading. As signaling of a further call is made via the D channel, your telephone system has the capability of specifically de-activating one B channel (depending on current settings) so that you can take a call. You can define the following settings in the PC Configurator.
Rejecting a call:
The caller will hear the busy signal and both B channels remain active.
Internal MSN extension number:
One B channel is de-activated (the caller briefly hears music on hold, see also Page ) and the call is signaled at the subscriber entered under »Internal number«. This terminal device may not be located on the same ISDN bus or at the same USB port as the PC.
Forwarding (Call Deflection) to an external extension number:
One B channel is de-activated and the call signaled at the subscriber entered under »External number«. You can also have the call forwarded to an external subscriber by the exchange, allowing both B channels to remain active. Calls can also be transferred (for example for T-NetBox or cell phone) without a B channel of the telephone system being allocated.
Normal call distribution:
One B channel is de-activated and the call signaled at the subscriber entered under »Call allocation« for the »External number«.
Dynamic ISDN for all outgoing calls
You cannot make an outside call if you are surfing the Internet while using two B channels for downloading. However, depending on the PC configuration, your telephone system does have the capability to specifically de-activate one B channel so that you can make calls while connected to the Internet.
DHCP server
PCs can be provided with a major portion of the configuration required for LAN and Internet access via the DHCP (Dynamic Host Configuration Protocol). The DHCP server integrated into the PABX is capable of supplying corresponding configurations to several PCs (LAN-clients). IP addresses are dynamically allocated to the clients. This mode is recommended to dispense with the complicated, manual configuration of the IP addresses for the PC that would otherwise be required.
DNS server
The DNS server (Domain Name Server) has the task of establishing names within a network. In this process the IP addresses of the PCs (e.g. LAN clients) are transformed into names. You must therefore know the name, and not the IP address, of a PC that you wish to access, or are searching for. The DNS server can also establish names that are not included in the local network.
DNS-Proxy
A proxy assumes a surrogate function for the local network (LAN) in a different / external network. Here, the DNS proxy accepts the name queries from the LAN client and submits them to the external network, e.g. Internet, as its own queries. The proxy then takes the response from the external network and forwards it to the LAN client that placed the original query. In addition, the result from the query is stored for a defined time (configurable) to answer any subsequent queries of the same type.
Dynamic DNS
Using Dynamic DNS you can also offer your own Internet services (e.g. WEB, FTP or e-mail servers). Usually you must have a fixed line or a set IP address for this so that you can always be reached at the same URL (For example: www.Funkwerk-ec.com). You are assigned a new IP address by the ISP each time you dial in to the Internet however. Using Dynamic DNS you can link this automatic (dynamic) IP address with a set name. The router will then inform your Dynamic DNS service provider (e.g. www.dyndns.org) automatically of the new IP address. Internet enquiries for your Web services are then automatically forwarded to your dynamic IP address via your service provider.
Using Dynamic DNS
· Configure an Internet address (URL) at a Dynamic DNS service provider. For example, at “www.dyndns.org” configure the address “www.my-homepage.dyndns.org”.
· Configure the LAN client of the network in which you wish to offer your Web services with a set IP address. For example, let’s say we want to configure a Web server with the IP address 192.168.1.200.
· Activate the Dynamic DNS function in the router and enter the Internet address (URL) for your Dynamic DNS provider (in the example here www.dyndns.org). Add the necessary filters in the firewall to allow the PC with the Web services to be reached from an external location.
  - Configure port mapping for Port 80 (HTTP protocol) to IP address 192.168.1.200.
  - Configure the filters that permit incoming and outgoing WAN connections at Port 80.
· The router will automatically inform your Dynamic DNS provider of your current dynamic IP address each time a connection is set up with the Internet. The information about the IP address is transferred after setting up a new Internet connection, as well as during an ongoing Internet connection.
· A PC in the Internet enters the address (URL) “www.my-homepage.dyndns.org”. In this way it reaches your Dynamic DNS service provider. Your service provider reroutes the connection to your current dynamic IP address.
· Any incoming connection is handled in accordance with the configured filters. In the example given here the incoming WAN connection at port 80 is forwarded to the LAN client with the IP address 192.168.1.200. The available Internet sites of your Web server are displayed on the external PC.
NAT
NAT (Network Address Translation) protects the connected LAN-clients against attacks from the Internet. Here, the internal IP addresses are not passed on to the Internet. The router carries out the transfer to the Internet and distributes the incoming data packets in the internal system. This only requires one external IP address. The internal IP addresses are protected from attacks from outside. The internal IP addresses cannot be targeted by hackers, as these IP addresses are non-accessible.
Packet Filter Firewall
The integrated packet filter firewall also provides you with enhanced security against attacks from the Internet. A firewall acts as a logical wall for data packets between the Internet and the LAN which has »holes« for certain packets (firewall rules, also known as filters), allowing these packets to pass through the wall. The filters are described by rules whose configuration requires expert knowledge about the TCP/IP protocol family. The firewall of your PABX system can be easily configured using a Filter Wizard in which you need to indicate (in plain text) whether you wish to allow defined applications access to the Internet.
Portmapping
You wish to access your PC from an external location via Internet. Normally, access via the firewall should be prohibited. When you use port mapping, access to a router port that you have enabled is permitted from an external location. The router then forwards the access request to the defined port of the PC in the network. A fixed IP address must be assigned to this PC. When the PC returns data packets the IP address and port number of the PC are replaced by the router with the number for the port mapping port and the router IP. For “outsiders” on the Internet it then appears as though there is only one connection to the router.
Note Please note that when you use port mapping the firewall for the ports enabled for this function is ineffective. The target PC in your LAN may then be susceptible to any potential attacks.
Port mapping is practical when you wish to run a game server on your own, for example.
· You can make this server accessible via the Internet to other users.
· Or, if you require certain peer-to-peer file sharing software that provides greater download bandwidth.
· When the corresponding PC in your LAN is to be accessible from the Internet (not possible in the standard configuration with NAT). In this case, certain UDP and TCP ports must be rerouted to a PC in the LAN.
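The address rewriting described in this section and under NAT, as an added Python model (not the PABX firmware; class and function names are hypothetical). It shows an inbound request being forwarded through a mapping, the reply leaving with the router's address, unmapped ports being dropped, and an audit that lists every LAN endpoint exposed by a mapping and flags targets that sit in the DHCP pool instead of having a fixed address. The router's public address, the external client and the UDP game port are constructed sample values; the port 80 mapping to 192.168.1.200 and the DHCP pool come from this manual.

```python
import ipaddress
from dataclasses import dataclass

ROUTER_WAN_IP = "203.0.113.10"                 # constructed public address
DHCP_POOL = ("192.168.1.50", "192.168.1.69")   # default DHCP range from the manual


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class PortMappingRouter:
    """Minimal model of NAT with static port mappings."""

    def __init__(self, wan_ip, mappings):
        self.wan_ip = wan_ip
        self.mappings = dict(mappings)   # {(proto, wan_port): (lan_ip, lan_port)}
        self.reverse = {(proto, lan): wan_port
                        for (proto, wan_port), lan in self.mappings.items()}

    def inbound(self, pkt):
        """WAN to LAN: rewrite the destination, or return None if the packet is dropped."""
        target = self.mappings.get((pkt.proto, pkt.dst_port))
        if pkt.dst_ip != self.wan_ip or target is None:
            return None                  # no mapping: no LAN host is reachable
        return Packet(pkt.src_ip, pkt.src_port, target[0], target[1], pkt.proto)

    def reply(self, pkt):
        """LAN to WAN reply from a mapped host: source becomes router IP and mapped port."""
        wan_port = self.reverse.get((pkt.proto, (pkt.src_ip, pkt.src_port)))
        if wan_port is None:
            return None                  # ordinary outbound NAT sessions are not modelled
        return Packet(self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def audit(self):
        """List the LAN endpoints that each mapping exposes to the Internet."""
        lo, hi = (ipaddress.ip_address(a) for a in DHCP_POOL)
        findings = []
        for (proto, wan_port), (lan_ip, lan_port) in sorted(self.mappings.items()):
            note = "exposed"
            if lo <= ipaddress.ip_address(lan_ip) <= hi:
                # A leased address can move to another PC, which then becomes the target.
                note = "exposed, target in DHCP pool (not a fixed address)"
            findings.append((f"{proto}/{wan_port}", f"{lan_ip}:{lan_port}", note))
        return findings


# Constructed sample configuration: the Web server from the Dynamic DNS example
# and a game server that was mapped to an address inside the DHCP pool.
SAMPLE_MAPPINGS = {
    ("tcp", 80): ("192.168.1.200", 80),
    ("udp", 27015): ("192.168.1.55", 27015),
}


def demo():
    router = PortMappingRouter(ROUTER_WAN_IP, SAMPLE_MAPPINGS)
    request = Packet("198.51.100.7", 51000, ROUTER_WAN_IP, 80)
    forwarded = router.inbound(request)
    answer = router.reply(Packet(forwarded.dst_ip, forwarded.dst_port,
                                 request.src_ip, request.src_port))
    return forwarded, answer, router.audit()


if __name__ == "__main__":
    for item in demo():
        print(item)
```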
RAS-Server
Using the Remote Access Server (RAS) a field representative, for example, can call into the local network from an external location and then via the local network access the Internet. Access from an external location is also possible via an ISDN connection.
External access is provided with user-name and password protection. If the call is made from an external location only, the phone number can also be monitored as an added protection feature. Access can be enabled for several users. A Windows enable (access to computer, files or printers) and Internet enable can also be configured for each user.
Note Note that this access portal is not protected by a firewall!
A PC that dials into the local network via RAS is automatically assigned an IP address by the integrated DHCP server.
Time-controlled router inhibition
With the aid of the calendar, or a manual function of the PABX system, you can set the time(s) of day when Internet access is possible (permitted). These times are defined via the calendar assigned to the router in the configuration. Here, it is stipulated that Internet connections cannot be set up during night-time operation. You should therefore set the switching times accordingly. Starting with Version 4 of system phones CS290/CS410, the telephones can be switched using function keys on the phone; this setting is then retained until the next calendar-based switchover.
LAN-CAPI
The package includes a program called »CAPI for LANs« for use in your network. This software can be installed on any PC in the network. This gives you the possibility of running your CAPI application from a central location via an interface, i.e. the PABX system. There is no ISDN card required for the PCs. Please note that software used for the CAPI application may require certain license agreements with the software manufacturer. The program »CAPI in LAN« does not require a license to run.
LAN-TAPI
The package includes a program called »TAPI for LANs« for use in your network. This software can be installed on any PC in the network. This gives you the possibility of running your TAPI application from a central location via an interface, i.e. the PABX system. There is no ISDN card required for the PCs. Please note that software used for the TAPI application may require certain license agreements with the software manufacturer. The program »TAPI in LAN« does not require a license to run.
Blocking of Internet access by the provider
After several failed attempts of inputting user names or passwords the provider will block access to the Internet for a defined period. To prevent this the router only allows three attempts to be made. After that you must then reconfigure the router and enter a correct user name and password. The router must then be enabled again after this via the Control Center.
Connection test
You can test the connection to your provider without a connection actually being set up. The item »Connection test T-Online for DSL and ISDN« is given in the provider list in the configuration. Select this item as the first provider and store it in the PABX system. You can then manually set up a connection to the Internet via the Control Center and the results for this connection are then displayed after a few seconds. No actual Internet connection is established here however. If the results are positive delete the current provider and enter the settings supplied by your provider in the configuration for setting up Internet connections.
Router control via system phone
Starting with Version 4 you can configure a function key on system telephones CS290 / CS410 / CS400xt for controlling the router.
LED Settings
Through PABX system configuration you can de-activate the LEDs, except for the »On« LED. When you re-activate the LEDs the »ISDN« LED may indicate a false status. You should therefore disconnect the external ISDN port for a brief period from the NT.
Status display CAPI / TAPI in the ControlCenter
Information used for monitoring the CAPI-TAPI functions can be displayed using the Control Center menu. Indication of the associated function(s) is made only when TAPI and CAPI clients are installed on your PC.
· The number of TAPI licenses currently in use (max. 10) is indicated when there is a TAPI connection with the PABX system.
· The number of CAPI licenses (max. 10) is indicated, along with allocation of the internal and external B channels (max. 2 each), when there is a CAPI connection with the PABX system.
Configuration examples
Address assignment by DHCP - Recommended configuration - (Default setting)
Address assignment via DHCP is the easiest configuration method for the PABX system and at the clients (PCs).
You can configure a LAN client in the network such that it automatically receives its IP address from the DHCP server of the PABX system on startup. In this case, you do not have to enter an IP address or subnetwork mask in the configuration of the LAN client.
Things to note for this configuration.
PABX:
In its initial setting the PABX system is pre-configured for address assignment via DHCP.
You need to choose an ISP. To do this follow the instructions given in the manual, or the brochure »On the fast track to the Internet«.
Note When delivered, the DHCP server is already activated and pre-configured. If required you can define the start address (first IP address allocated by DHCP) and the maximum number of LAN clients (PCs).
LAN-Client (PC) Configuration:
PCs with operating systems starting from Windows 98SE are already correctly configured in their standard settings for address assignment via DHCP.
If other means of Internet connection, for example modem or an ISDN card, have already been configured on the LAN client (PC) observe the information given in the section »Settings in Internet Explorer / Internet Options with Windows« in this manual.
Note Please keep in mind that any changes made to the Windows network settings may have serious effects on the LAN clients (PCs). Other methods of connection or applications may also be affected by these changes. In the event that your network settings have already been changed contact your system administrator. You may have to back up all of your data. The configuration presented in the following represents only one of many possibilities. These settings are recommended. However, depending on the infrastructure of your environment, it may be meaningful to choose a different configuration.
If you need to reset the Windows network settings to their standard (default) status proceed as follows:
Example Windows 98SE / ME:
· Open the Control Panel from the Windows Start Menu.
· Windows 98SE: Open the folder »Network«.
· Windows ME: Right-click on »LAN connection« and then click on »Properties«.
· Select »TCP/IP« and click »Properties«.
Note The network adapter connected to the PABX system must be linked to the TCP/IP protocol, which is a component of Windows. You may have to manually add this protocol. The network adapter may only be linked to the T-DSL / PPPoE protocol, especially if a stand-alone version of the T-DSL driver has been installed. Add the TCP/IP protocol manually using the buttons »Add«, »Protocol«, »Microsoft«, »TCP/IP«.
· Then specify that the PC is to receive its IP address automatically. All other settings, for example DHCP, network mask, gateway and DNS server should be de-activated or blank. The PABX system automatically transfers all required settings to the client (PC) via DHCP.
· Confirm your settings by clicking OK.
Example Windows 2000 and Windows XP:
· Open the Control Panel from the Windows Start Menu.
· Under Windows 2000 open the folder »Network and Dial-up Connections«.
· Under Windows XP open the folder »Network connections«.
· Select the »LAN Connection« for the PABX by pressing the right mouse button. Then click »Properties«.
· Select »TCP/IP« and click »Properties«.
· Then specify that the PC is to receive its IP address automatically. All other settings, for example DHCP, network mask, gateway and DNS server should be de-activated or blank. The PABX system automatically transfers all required settings to the client (PC) via DHCP.
· Confirm your settings by clicking OK.
Note Also follow the instructions given in the documentation and the Help function of your operating system. If it is not possible to set up a connection to the PABX, or to the Internet, refer to the section »Checking the LAN client (PC) configuration« in this manual.
Sample configuration of a network with DHCP address allocation
Configuration of the PABX system in its initial settings
1 NT
2 NT / Splitter
3 Connection for the service provider
4 Modem
5 Network PC 2 at HUB / Switch
6 PC 1 at USB port
IP address for the PABX: 192.168.1.250
Subnet mask: 255.255.255.0
Start address DHCP: 192.168.1.50
Number of DHCP addresses: 20
PC1
IP via DHCP: 192.168.1.50 transmitted automatically via DHCP.
Gateway: transmitted automatically via DHCP.
DNS server: transmitted automatically via DHCP.
Subnet mask: transmitted automatically via DHCP.
PC2
IP via DHCP: 192.168.1.53 transmitted automatically via DHCP.
Gateway: transmitted automatically via DHCP.
DNS server: transmitted automatically via DHCP.
Subnet mask: transmitted automatically via DHCP.
In the example given here, the IP addresses for the clients (PCs) can lie within a range from IP 192.168.1.50 to 192.168.1.69. The IP addresses are assigned in the order that the clients (PCs) request them (for example by switching on the PCs). If an IP address is released (for example by switching off a PC) that IP address is then available to be re-assigned again.
Address assignment without DHCP (set / mixed IP addresses)
You can dispense with a DHCP server in a network or also configure LAN clients (PCs) with set IP addresses as an addition to the DHCP clients.
Note Much more time and effort is involved for configuring the network if a configuration is chosen without DHCP. If you are relatively new to Windows network configuration, we recommend a configuration using DHCP.
Things to note for this configuration.
PABX:
You can de-activate the DHCP server for the PABX system using the »Professional Configurator« program.
Note You may have to adapt the IP addresses and subnetworks of the PABX system to the settings present on the LAN clients (PCs). For information about this use the online Help function of the Configurator.
1 NT
2 NT / Splitter
3 Connection for the service provider
4 Modem
5 External HUB / Switch by means of LAN2 (100 MBit/s)
6 Network PC 4 at HUB / Switch
7 Network PC3 at the HUB / Switch
8 Network PC2 at the HUB / Switch
9 PC 1 at USB port
LAN-Client (PC) Configuration
You must make the following minimum settings manually:
· IP address for the LAN client (PC)
· Netmask / Subnet mask (which is also entered in the PABX router)
· IP address of the PABX system as the gateway (interface to other networks, for example Internet)
· IP address of the PABX system as the DNS server (server that converts the Internet addresses into IP addresses)
Note Observe the instructions for address assignment given on the previous pages.
PC settings in Windows operating system
The procedures described below deal only with examples which may differ somewhat depending on the operating system used and the configuration of the PC.
Note Please keep in mind that any changes made to the Windows network settings may have serious effects on the LAN clients (PCs). Other methods of connection or applications may also be affected by these changes. In the event that your network settings have already been changed contact your system administrator. You may have to back up all of your data. The configuration presented in the following represents only one of many possibilities. These settings are recommended. However, depending on the infrastructure of your environment, it may be meaningful to choose a different configuration.
Example Windows 98SE and Windows ME:
· Open the Control Panel from the Windows Start Menu.
· Open the »Network« folder.
· Select »TCP/IP« and click »Properties«.
· Now select whether the PC is to receive its address automatically from a DHCP server, or if it is to be assigned a permanent IP address. Edit or supplement the settings for network mask, gateway and DNS server as appropriate. Refer to the parameters that are to be set in the sample configuration with mixed address assignment, or in the sample configuration with set address assignment on the following pages.
· Confirm your settings by clicking OK.
Example Windows 2000 and Windows XP:
· Open the Control Panel from the Windows Start Menu.
· Under Windows 2000 open the folder »Network and Dial-up Connections«.
· Under Windows XP open the folder »Network connections«.
· Right-click on »LAN connection« and then click on »Properties«.
· Select »TCP/IP« and click »Properties«.
· Now select whether the PC is to receive its address automatically (from a DHCP server), or if it is to be assigned a set (permanent) IP address. Edit or supplement the settings for network mask, gateway and DNS server as appropriate. Refer to the parameters that are to be set in the sample configuration with mixed address assignment, or in the sample configuration with set address assignment on the following pages.
· Confirm your settings by clicking OK.
Note Also follow the instructions given in the documentation and the Help function of your operating system.
Note A further option available is assigning a portion of the IP addresses manually and having the remaining addresses allocated by DHCP. Ensure that the IP address for the router and any manually assigned IP addresses are not located in the range for available DHCP addresses.
Sample configuration of a network with mixed address assignment
Set IP addresses and IP addresses allocated by DHCP
1 NT
2 NT / Splitter
3 Connection for the service provider
4 Modem
5 External HUB / Switch by means of LAN2 (100 MBit/s)
6 Network PC 4 at HUB / Switch
7 Network PC3 at the HUB / Switch
8 Network PC2 at the HUB / Switch
9 PC 1 at USB port
IP address for the PABX: 192.168.1.250
Subnet mask: 255.255.255.0
Start address DHCP: 192.168.1.50
Number of DHCP addresses: 20
PC1
Fixed IP: 192.168.1.91
Gateway: 192.168.1.250
DNS server: 192.168.1.250
Subnet mask: 255.255.255.0
PC2
Fixed IP: 192.168.1.93
Gateway: 192.168.1.250
DNS server: 192.168.1.250
Subnet mask: 255.255.255.0
PC3
IP via DHCP: 192.168.1.50 transmitted automatically via DHCP.
Gateway: transmitted automatically via DHCP.
DNS server: transmitted automatically via DHCP.
Subnet mask: transmitted automatically via DHCP.
PC4
IP via DHCP: 192.168.1.51 transmitted automatically via DHCP.
Gateway: transmitted automatically via DHCP.
DNS server: transmitted automatically via DHCP.
Subnet mask: transmitted automatically via DHCP.
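The note on mixed assignment requires that the router address and every manually assigned address lie outside the DHCP range. The following check is an added example, not part of the manual: it validates an address plan using the values of the sample configurations; the function names and the conflicting address 192.168.1.60 are constructed for illustration.

```python
import ipaddress


def dhcp_pool(start, count):
    """Addresses the DHCP server can hand out: `count` addresses from `start`."""
    first = ipaddress.IPv4Address(start)
    return [first + offset for offset in range(count)]


def pool_range(start, count):
    """First and last address of the DHCP range as strings."""
    pool = dhcp_pool(start, count)
    return str(pool[0]), str(pool[-1])


def client(ip, router="192.168.1.250", netmask="255.255.255.0"):
    """Manual settings of one LAN client as entered in the TCP/IP properties."""
    return {"ip": ip, "gateway": router, "dns": router, "netmask": netmask}


def check_plan(router_ip, netmask, fixed_clients, dhcp_start=None, dhcp_count=0):
    """Return a list of problems; an empty list means the plan is consistent."""
    net = ipaddress.IPv4Network(f"{router_ip}/{netmask}", strict=False)
    router = ipaddress.IPv4Address(router_ip)
    pool = set(dhcp_pool(dhcp_start, dhcp_count)) if dhcp_start else set()
    problems = []

    # The DHCP range itself must consist of usable host addresses of the LAN.
    for addr in sorted(pool):
        if addr not in net or addr in (net.network_address, net.broadcast_address):
            problems.append(f"DHCP address {addr} is not a usable host address in {net}")
    if router in pool:
        problems.append(f"PABX address {router} lies inside the DHCP range")

    owners = {router: "PABX"}
    for name, cfg in fixed_clients.items():
        ip = ipaddress.IPv4Address(cfg["ip"])
        if ip not in net:
            problems.append(f"{name}: fixed IP {ip} is outside {net}")
        if ip in pool:
            problems.append(f"{name}: fixed IP {ip} lies inside the DHCP range")
        if ip in owners:
            problems.append(f"{name}: fixed IP {ip} is already used by {owners[ip]}")
        owners.setdefault(ip, name)
        # Gateway and DNS server must both be the PABX address.
        for key in ("gateway", "dns"):
            if ipaddress.IPv4Address(cfg[key]) != router:
                problems.append(f"{name}: {key} {cfg[key]} is not the PABX address {router}")
        if cfg["netmask"] != netmask:
            problems.append(f"{name}: netmask {cfg['netmask']} differs from {netmask}")
    return problems


# Values of the manual's sample configuration with mixed address assignment.
MIXED_FIXED = {"PC1": client("192.168.1.91"), "PC2": client("192.168.1.93")}
# Values of the manual's sample configuration with set address assignment.
SET_FIXED = {
    "PC1": client("192.168.1.81"),
    "PC3": client("192.168.1.83"),
    "PC4": client("192.168.1.84"),
    "PC5": client("192.168.1.85"),
}
# Constructed conflict: a fixed address chosen inside the DHCP range.
CONFLICT_FIXED = {"PC1": client("192.168.1.60")}

if __name__ == "__main__":
    print("DHCP range:", pool_range("192.168.1.50", 20))
    for label, plan in (("mixed", MIXED_FIXED), ("conflict", CONFLICT_FIXED)):
        result = check_plan("192.168.1.250", "255.255.255.0", plan, "192.168.1.50", 20)
        print(label, result or "ok")
    print("set", check_plan("192.168.1.250", "255.255.255.0", SET_FIXED) or "ok")
```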
Sample configuration of a network with set address assignment
IP address for the PABX: 192.168.1.250
Subnet mask: 255.255.255.0
Start address DHCP: DHCP server is off.
Number of DHCP addresses: DHCP server is off.
PC1
Fixed IP: 192.168.1.81
Gateway: 192.168.1.250
DNS server: 192.168.1.250
Subnet mask: 255.255.255.0
PC3
Fixed IP: 192.168.1.83
Gateway: 192.168.1.250
DNS server: 192.168.1.250
Subnet mask: 255.255.255.0
PC4
Fixed IP: 192.168.1.84
Gateway: 192.168.1.250
DNS server: 192.168.1.250
Subnet mask: 255.255.255.0
PC5
Fixed IP: 192.168.1.85
Gateway: 192.168.1.250
DNS server: 192.168.1.250
Subnet mask: 255.255.255.0
Checking the LAN clients (PCs)
Configuration for Windows 98SE/ME/2000/XP
If a connection to the PABX system, or to the Internet can not be set up you can check the configuration of the LAN clients (PCs) based on the following information.
Note The procedure described here assumes that you are using the recommended configuration with address assignment by DHCP.
The PC is linked to the PABX system via Ethernet (LAN1 jack).
· Check to ensure that the network adapter (Ethernet adapter, Home Phoneline Networking Adapter or USB) installed in the LAN client (PC) is connected properly to the PABX system. The connection status is displayed by the LEDs of the PABX. A description of the LEDs is given in the operator’s manual for the PABX system.
· Check to ensure that the PABX system has assigned an IP address to the LAN client (PC) (see page in section »Checking the TCP/IP Configuration«).
· Check to ensure that an Internet service provider (ISP) has been configured in your PABX (see operator’s manual for the PABX, leaflet »On the fast track to the Internet« or the online Help function of your PABX system).
· Check to ensure that the Internet browser(s) has (have) been configured correctly in your PC (see page in section »Settings in Internet Explorer / Internet Options of Windows«).
· If you have made the settings as described above, the telephone system will establish a connection to the Internet automatically (e. g. by opening the Internet Explorer, inputting an Internet URL and confirming with “Enter”) when requested to do so by an application (default setting).
· Check to ensure that automatic connection to the Internet has been de-activated (see Configurator »Network«, »Internet«); the connection must then be established manually via the elmeg Control Center.
The PC is linked to the PABX system via USB.
· Using the Windows 98SE/ME/2000/XP operating systems you can only run one LAN client (PC) at the USB port of the PABX system.
· The required USB driver is installed automatically when you initially connect the PC with the PABX system. This driver is located on the CD supplied with the system.
· After installing the USB driver successfully, follow the procedure for Ethernet LAN clients.
Note The USB driver supplied with the system (RNDIS) is located in the device manager of the Windows control panel as a virtual network adapter. Communication between the PABX system and the PC connected via USB is effected via the TCP/IP protocol. Data for LAN-CAPI are also transferred using this protocol.
Checking the TCP/IP Configuration
The examples described below are based on the recommended network configuration with automatic address allocation. What this means is that the LAN clients get their IP address via DHCP (»IP address fetched automatically«) and that the DHCP server in the PABX system is switched on (initial setting).
Windows 98SE / ME
· Start the program Winipcfg. Select »Run...« in the Windows start menu. Enter »winipcfg« into the input field and click OK to confirm. Finally press the button »More info«.
1 Current IP address of the pabx as DNS server.
2 Select the network adapter connected to the pabx.
3 Current IP address of the network adapter (client).
4 Current IP address of the pabx as gateway and DHCP server.
· The values shown in the screen shot are set as defaults for the initial settings of the PABX system. Depending on how many clients (PCs) are connected, the IP address lies within a range from 192.168.1.50 to 192.168.1.69. When these values are displayed, the network adapter and the Windows network settings have been configured correctly. Should the program »Winipcfg« show other values, click the buttons »Enable everything« and then »Update everything«.
If Winipcfg continues to show other values after this, this may be due to the following reasons:
· Changes have already been made to the initial setting for the PABX system in the Professional Configurator.
· The Windows network configuration for the client (PCs) does not correspond to the factory settings (default setting).
· Faulty installation of the network adapter in the client (PC), or the network adapter is not connected properly with the PABX system. Check your installation as described in the operator’s manual for the PABX system (Installation and Commissioning section).
· The TCP/IP protocol is not installed on the PC, or it has no link to the network adapter connected to the PABX system.
Windows 2000
· Start ipconfig. Select »Run...« in the Windows start menu. Enter »cmd« and then click OK to confirm. Enter the command »ipconfig/all« and then press Enter to confirm.
1 Select the network adapter connected to the pabx.
2 Current IP address of the network adapter (client).
3 Current IP address of the pabx as gateway, DHCP server and DNS server.
· The values shown in the screen shot are set as defaults for the initial settings of the PABX system. Depending on how many clients (PCs) are connected, the IP address lies within a range from 192.168.1.50 to 192.168.1.69. When these values are displayed, the network adapter and the Windows network settings have been configured correctly.
· The value for the physical address is different for each network adapter. The values for the lease depend on when the PC is switched on.
If other data are shown, this may be due to the following reasons:
· Changes have already been made to the initial setting for the PABX system in the Professional Configurator.
· The Windows network configuration for the client (PCs) does not correspond to the factory settings (default setting).
· Current IP address of the pabx as gateway, DHCP server and DNS server. Check your installation as described in the operator’s manual for the PABX system (Installation and Commissioning section).
· The TCP/IP protocol is not installed on the PC, or it has no link to the network adapter connected to the PABX system.
Windows XP
· Open the Windows XP network connections. Select the network adapter connected to the pabx by pressing the right mouse button. Then click »Status«.
· The values shown in the screen shot are set as defaults for the initial settings of the PABX system. Depending on how many clients (PCs) are connected, the IP address lies within a range from 192.168.1.50 to 192.168.1.69. When these values are displayed, the network adapter and the Windows network settings have been configured correctly. If other values are shown click the button »Repair«.
· The value for the physical address is different for each network adapter. The values for the lease depend on when the PC is switched on.
If other data continues to be shown this may be due to the following reasons:
· Changes have already been made to the initial setting for the PABX system in the Professional Configurator.
· The Windows network configuration for the client (PCs) does not correspond to the factory settings (default setting).
· Faulty installation of the network adapter in the client (PC), or the network adapter is not connected properly with the PABX system. Check your installation as described in the operator’s manual for the PABX system (Installation and Commissioning section).
· The TCP/IP protocol is not installed on the PC, or it has no link to the network adapter connected to the PABX system.
Configuring Internet access on a PC
If you have used the Windows dial-up network for Internet access up to now, this connection was always established as a »Dial-up connection« (analog or ISDN). Set-up and termination of an Internet connection was initiated automatically by the programs.
If you set up an Internet connection via the PABX system router, this represents a normal network connection for each PC. If a PC wants to use an Internet connection the network router, which acts as a gateway and establishes connections to other networks, is informed of this. The router, in our example here the PABX system, then sets up a connection to one of the Internet service providers that has been configured. As defined in the configuration for the PABX system, this connection is established/terminated automatically. The Internet service provider is configured using the PABX system’s Configurator.
Internet Explorer settings / Windows Internet options
The following description illustrates the settings for Internet connections for the various operating systems. Proceed as described below for your operating system and activate the corresponding option.
Windows 98SE:
Start Menu - Settings - Control Panel - Internet Options - Connections
Windows ME:
Start Menu - Settings - Control Panel - Internet Options - Connections
Windows 2000:
Start Menu - Settings - Control Panel - Internet Options - Connections
Windows XP:
Start Menu - Settings - Control Panel - Network and Internet connections - Internet Options - Connections
Dial-up connections configured at the client are displayed here. These connections are not required for accessing the Internet with the pabx.
Check »Never«. You can use other devices besides your PABX system to hook up to the Internet. You may have to select the option »Dial whenever a network connection is not present«.
There are no settings required under »LAN Settings«.
Configure firewall filters
You can only configure filters in the »Professional Configurator«.
User-defined filters for the router integrated into the PABX system with packet filter firewalls can be configured under Network / Filters.
Note We recommend configuring the firewall filters with the aid of the Filter Wizard to ensure configuration(s) appropriate for and compatible to the applications being used. These filters provide protection against data packets from the Internet that may result in you being charged for certain connections. The function for the “Automatic connection setup”, for example, may otherwise not always be ensured. A port scan from the Internet (usually the initial stage of a hack attack) may sometimes occur; the telephone system firewall then replies to this scan with »Reject packets«. But this may nevertheless result in data traffic that prevents automatic setup of a connection.
Note The filters available using the Filter Wizard have been implemented using the latest knowledge. We can, however, provide no guarantee for the function of the filters. Use of a firewall should go hand in hand with use of virus scanning software on all your PCs! Firewalls and virus scanners cover different areas of data security and are an ideal complement to one another, but can not replace one another.
To configure self-defined filters click the button “New ...” or change an existing entry in the filter list by double clicking on that item. An explanation of the filter function is given when you click on “Help”.
Basic information about firewall configuration
It is important that you have detailed knowledge about the IP protocol family before you begin configuring the firewall. If your knowledge about this is not so in-depth we recommend using a filter wizard.
The firewall functions like a chain of rules through which each IP packet is routed. If a rule applies to a packet the action associated with this rule will be executed (allow, deny or execute portmap). All rules are given in the list under Network / Filters. Please note that for certain configurations the order of the filters can be of great significance for the functioning of the firewall. Therefore, after you mark a filter rule you can define the order of the rules in the table using the buttons [up] and [down].
If no rule applies to the IP packet a super-ordinate, basic rule at the end of the chain decides on the action to be taken (behavior by last filter rule).
This is why you must define the behavior for this super-ordinate rule at the beginning of the filter configuration.
You can choose between »Allow« or »Discard« for this.
Discarding of the packet is generally a safe procedure, as only those packets for which an explicit rule (i.e. deliberately configured) exists are authorized in such a configuration.
When defining the filters it is essential to take into account that basically all packets are permitted at all LAN ports (LAN1, LAN2, USB port). You therefore do not need to define filter rules for passing IP packets from the LAN to the PABX system / router, nor for their »Return«.
Four place holders are provided to achieve an abstraction when defining the filters:
LAN_ADDR
Represents the LAN address for the router, based on the default configuration, i. e. 192.168.1.250 with the network mask 255.255.255.0 (192.168.1.250 / 24).
LAN_NET
This place holder represents all of the LAN addresses, based on the default configuration, i.e. 192.168.1.0 with network mask 255.255.255.0 (192.168.1.0 / 24).
WAN_ADDR
This place holder represents the WAN address for the router that is assigned dynamically by the ISP when PPPoE or PPP is used. Dynamic allocation allows an IP address to be assigned from the inventory of your ISP for the WAN port each time a connection is set up to the Internet. The WAN address can not be entered as an absolute value for filter configuration when you are defining the configuration. PPPoE is required for T-DSL for example; PPP is used for Internet connections with ISDN dial-in. If you have been assigned a set public IP address by your provider for your Internet access, this address will be used for WAN_ADDR.
The firewall is adapted automatically in accordance with the defined rules after the IP address is assigned to the WAN port (or ISDN channel).
WAN_NET
Represents all WAN addresses located in the same IP subnetwork as the WAN port. This parameter is currently not used and will not be significant for future software updates.
You can configure the following parameters:
Name of the filter
Each filter must be assigned a unique name. Select a name for the filter that uniquely describes the function for that filter - this will make it easier for you later if you wish to change any filters.
Action
The following options can be selected: allow, deny, discard and portmap. When »allow« is selected, all packets which correspond to the parameters of the associated filter can pass through. When »deny« is selected, the corresponding IP packets are rejected and the sender of the packet is informed. »discard« results in packets being discarded (refused) without the sender being informed. The option »portmap« permits specific forwarding of packets with TCP and UDP protocols to the IP address of a PC in the LAN.
TCP Flag
If a TCP connection is to be set up (for example for downloading files), certain bit patterns are set in the packets involved with this - the TCP flags. The option »connection in progress« stands for the SYN flag; the option »connection established« for the »Established flag«.
Protocols
UDP, TCP, ICMP and »all protocols« can be selected as protocols. The selection of the protocol can affect further options, as, for example, there are no TCP flags available for UDP, or no port for ICMP, while there are certain types of protocols available however.
Interface
Here you can define the interfaces for the corresponding filter. At present, the setting »WAN« is useful for most cases, as all packets are allowed at internal interfaces with this setting.
Connection
Use this field to define the direction of the IP packet for which the configured filter is valid. Possible parameters: in, out and in/out (bi-directional).
Source address definition
Here you specify the source address for the IP packets for which this filter is valid. Take into account any potential abstractions brought about by place holders.
Target address definition
Here you specify the target address for the IP packets for which this filter is valid. Take into account any potential abstractions brought about by place holders.
Warning message for port protocol association
A warning appears if you attempt to enter an unknown name in the field for the TCP port. If this is bothersome you can suppress this message by removing the corresponding check in the box.
Example of configuration for enabling the firewall for Web surfing.
First, set the response by the last filter rule to »discard«.
The IP packets for two services must be routed through the firewall in order that pages from the World Wide Web can be displayed: DNS for establishing names and the »html data flow«. When you enter a URL in the Web browser, the browser uses a DNS enquiry for transforming the plain-text name (for example www.Telekom.de) into an IP address (in the example here 217.160.73.88). After that, the browser establishes at least one connection to this IP address via TCP/IP. This yields the following filter configuration:
The UDP and TCP protocol must be enabled for DNS (protocol name: domain) for the destination port 53 of any DNS server from any non-privileged port; same applies for the return route.
Access to any destination addresses for port 80 must be possible for http requests for the TCP protocol via the WAN interface from non-privileged ports. The return path for reply packets must be enabled appropriately: From any Internet IP addresses (0.0.0.0 / 0) from port 80 to non-privileged ports for the WAN address of the PABX system.
Configuration example for a portmapping entry into the firewall for the ssh-protocol
The ssh protocol (secure shell) is used among other things for web server administration, or to implement VPN tunnels. Data can be transferred encrypted using the ssh protocol (not significant for configuration of the firewall however). Normally, port 22 of the TCP protocol is used. In the example shown here, the web server in your LAN has the set, assigned IP address 192.168.1.42. Administration access should be provided for this web server in your LAN via ssh from the Internet. Please note that you also require equivalent filters for Port 80 if the contents of the web server are to be accessible from the Internet.
You must generate three rules for the firewall based on this information with the default setting »Response by last filter rule → discard«:
ssh_MAP:
This filter routes incoming packets from any IP addresses and non-privileged ports to the Internet-end IP address of the telephone system router unit to the computer with the IP address 192.168.1.42; Port 22 is retained.
ssh_WAN_in:
This filter permits passing of incoming packets from any IP address and non-privileged ports to the Internet-end IP address of the telephone system router unit.
ssh_WAN_out:
This filter permits outgoing packets from Port 22 to pass through the WAN interface (i. e. the connection for the DSL modem or the ISDN dial-up connection to the Internet) to any IP address and non-privileged ports.
Filter name    TCP-Flag  Interface  Action   Protocol  Connection  Source IP  Source port  Target IP     Target port
NetBios block  none      WAN        discard  UDP       out         0.0.0.0/0  137-139      0.0.0.0/0     any
ssh_portmap    none      WAN        portmap  TCP       in          0.0.0.0/0  22           192.168.1.42  22
ssh_WAN_in     none      WAN        allow    TCP       in          0.0.0.0/0  any          WAN_ADDR      22
ssh_WAN_out    none      WAN        allow    TCP       out         WAN_ADDR   22           0.0.0.0/0     any
Note As a result, the PC in your LAN with the IP address 192.168.1.42 has no protection whatsoever from the firewall in your telephone system at Port 22/TCP! You can restrict the access options where required if access is always to be effected from an Internet connection with a fixed IP address (for example T-Interconnect). Here, any entries which contain “0.0.0.0/0” should be matched to the known IP addresses of the remote location (0.0.0.0/0 is a global placeholder address that stands for all IP addresses).
Note If you wish to employ a combination of filters consisting of filters that have been generated using the Filter Wizard and your own custom filters or portmap entries, be sure to check the order of the rules in the table (you can change the order using the buttons »up« and »down«). The “Secure system” filter, which blocks all packets directed toward so-called privileged ports, is offered in the Filter Wizard. In the example given here this filter would counteract the configured functionality, as the ssh port (22) is a privileged port. We urgently recommend blocking all privileged ports that are not needed; it may therefore be expedient to use the Filter Wizard's filter in an appropriately adapted form, or to place it at the appropriate position in the table.
Note If you are not sure which ports must be routed to the LAN PC for certain applications, or for attaining defined user privileges in exchange networks using port mapping by your telephone system router, enter the name of the application and the terms »port« and »firewall« in an Internet search engine; configuration instructions can usually be found quite easily in this manner. You can reroute one single port, or port ranges (for example 4661-4665), using a port map rule.
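The effect of rule order and of narrowing 0.0.0.0/0, described in the notes above, can be checked with a small model of the filter table. This is an added example, not code from the manual or the manufacturer: it assumes the table is evaluated top to bottom with the first matching rule deciding, it leaves out the port mapping step, and the addresses used for WAN_ADDR, the remote administrator and the unknown host are constructed.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple

WAN_ADDR = "203.0.113.10"   # constructed stand-in for the router's Internet-end address
ADMIN = "198.51.100.7"      # constructed fixed address of the remote location
ANY, PRIVILEGED = (0, 65535), (0, 1023)

class Rule(NamedTuple):
    name: str
    action: str       # "allow" or "discard"
    direction: str    # "in" or "out" on the WAN interface
    src_net: str
    src_ports: tuple
    dst_net: str
    dst_ports: tuple

    def matches(self, direction, src, sport, dst, dport):
        return (direction == self.direction
                and ip_address(src) in ip_network(self.src_net)
                and self.src_ports[0] <= sport <= self.src_ports[1]
                and ip_address(dst) in ip_network(self.dst_net)
                and self.dst_ports[0] <= dport <= self.dst_ports[1])

def evaluate(rules, direction, src, sport, dst, dport):
    """First matching rule decides (assumed); unmatched packets are discarded."""
    for rule in rules:
        if rule.matches(direction, src, sport, dst, dport):
            return rule.action, rule.name
    return "discard", "last filter rule"

def ssh_in(source="0.0.0.0/0"):
    return Rule("ssh_WAN_in", "allow", "in", source, ANY, WAN_ADDR + "/32", (22, 22))
ssh_out = Rule("ssh_WAN_out", "allow", "out", WAN_ADDR + "/32", (22, 22), "0.0.0.0/0", ANY)
secure_system = Rule("Secure system", "discard", "in", "0.0.0.0/0", ANY, "0.0.0.0/0", PRIVILEGED)
# Constructed packets: an unknown Internet host and the known remote administrator.
stranger = ("in", "192.0.2.55", 40000, WAN_ADDR, 22)
admin = ("in", ADMIN, 40000, WAN_ADDR, 22)

def demo():
    restricted = [ssh_in(ADMIN + "/32"), ssh_out, secure_system]
    return {
        "table as in the manual, unknown host": evaluate([ssh_in(), ssh_out], *stranger),
        "Secure system placed first, admin": evaluate([secure_system, ssh_in(), ssh_out], *admin),
        "Secure system placed last, admin": evaluate([ssh_in(), ssh_out, secure_system], *admin),
        "source restricted, admin": evaluate(restricted, *admin),
        "source restricted, unknown host": evaluate(restricted, *stranger),
    }
if __name__ == "__main__":
    print(demo())
```

With the table as printed in the manual, any Internet host reaches port 22; with the source narrowed to the known address, the same packet from an unknown host falls through to the privileged-port block.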
Filter Wizard
The firewall is configured such that all data packets for which no explicit rule (filter) exists that would allow them to pass are rejected. This procedure makes the configuration of the firewall somewhat more complicated, but significantly reduces the probability of overlooking packets that should have been blocked from passing through the firewall.
Some filters contain rules for rejecting packets which would actually not be required for the selected basic configuration of the firewall, because the firewall would reject any packets not enabled by the filters, based on the configuration carried out by the Wizard. The rejection rules mentioned above are nevertheless retained in order to reject packets used in certain attacks at the earliest possible stage, so that these packets do not pass through the entire chain of filter rules; this enhances firewall performance in the event of a real attack.
Example for predefined filters in the filter wizard
Help for the various filters contained in the Filter Wizard can be found in the file “Filter_Info.txt” in the Win-Tools installation directory (e.g. “C:filesWIN-ToolsTools V6.02"), or by clicking the corresponding “Help” button.
Protecting the system
This filter blocks the firewall against connection setups at privileged ports (0 ... 1023) for TCP and UDP. Most relevant data services are offered via privileged ports (name resolution, file transfer, etc.).
IP Spoofing Blocking
This filter blocks the firewall against “fake” (spoofed) packets on the “wrong side” of the firewall. As a result, data packets which, based on their IP address, would certainly belong in the LAN, but which are routed to the port for the DSL modem by an attacker from the Internet, are ignored (the same applies to ISDN links to the Internet).
DNS-filter
This filter permits name resolution (assignment of IP addresses to URLs) by enabling outgoing UDP and TCP packets at port 53, as well as incoming ones from port 53. Longer replies and zone transfers are also permitted by enabling TCP. No DNS queries can pass through the firewall when this filter is de-activated!
Active FTP - Filter
Together with the corresponding software module in the firewall this filter permits active FTP. Active FTP differs from passive FTP in that the FTP server sets up a connection for data transfer at the request of the clients (applies both to the response to the FTP command “ls” and to the file transfer proper). The problem here is that the connection setup by the FTP server is made at any non-privileged port, thus requiring that a large region of the firewall be enabled.
Outgoing connections at ports 20 and 21 and incoming ones from these ports to non-privileged ports are enabled.
Passive FTP - Filter
This filter permits file transfer via FTP, with the connection always being established by the FTP client. Outgoing connections to port 21 and incoming ones from this port to non-privileged ports are enabled.
HTTP - Filter
This filter permits Web browsing by enabling packets to ports 80 and 8080 (when using http proxies) for outgoing connections and incoming packets from these ports to non-privileged ports.
HTTPS - Filter
This filter permits secure Web surfing by enabling packets to port 443 for outgoing connections and incoming packets from this port to non-privileged ports. The https protocol is frequently used for homebanking and online shopping; https connections are used for transfer of secure packets using encryption.
HBCI - Filter
This filter permits the use of HBCI for homebanking by enabling packets to port 3000 for outgoing connections and incoming ones from this port to non-privileged ports.
E-mail send filter
This filter permits transmission of e-mails via SMTP (= sending e-mails) by enabling packets to port 25 for outgoing connections and incoming packets from this port to non-privileged ports.
E-mail reception - Filter
This filter permits transmission of e-mails via POP (= receiving e-mails) by enabling packets to port 110 for outgoing connections and incoming packets from this port to non-privileged ports.
ICMP(all) - Filter
This filter permits the “ping” program to be used, for example to check the availability and accessibility of computers in the Internet and to measure the transfer time of IP packets to these computers. This can be useful, for example, for locating the server with the most rapid response time for Internet games. When you activate this filter you can also reach the router using the “ping” program, but not any computer in the LAN “behind” (i.e. downstream of) the router, as these are protected by NAT. This filter enables all ICMP protocols, and not only those used for »ping«. If necessary you can set further restrictions for this filter by having only ICMP protocols 0 and 8 enabled (0 = echo-reply, 8 = echo-request). Overall security is increased when you do not activate this filter, as the firewall then cannot be easily located by a simple »ping« from a port scan program.
SSH - Filter
This filter permits the use of the 443 service programme on computers in the Internet by enabling packets to port xxx for outgoing connections and incoming packets from that port to non-privileged ports.
TELNET - Filter
This filter permits the use of the telnet service programme at computers in the Internet by enabling packets to port 23 for outgoing connections and incoming packets from this port to non-privileged ports.
P2P - Filter
This filter allows peer-to-peer (P2P) file sharing software to be used. The following ports are enabled to provide one single filter for the various P2P systems:
Incoming packets:
· from port 80 to non-privileged ports
· from port 1214 to non-privileged ports
· from non-privileged ports to port 80
· from non-privileged ports to non-privileged ports
Outgoing packets:
· from non-privileged ports to port 80
· from non-privileged ports to port 1214
· from non-privileged ports to port 4661
· from non-privileged ports to non-privileged ports
With this filter the firewall is wide open!
Gaming - Filter
Use this filter to play Internet games. The following port enables have been provided:
Incoming packets:
· from port 7002 to non-privileged ports for TCP
· from non-privileged ports to non-privileged ports for UDP
Outgoing packets:
· from port 7002 to non-privileged ports for TCP
· from non-privileged ports to non-privileged ports for UDP
Realplayer - Filter
This filter makes it possible to use the RealPlayer for streaming audio and video. The following port enables have been provided:
Incoming packets:
· from port 554 to non-privileged ports for TCP
· from port 7002 to non-privileged ports for TCP
· from non-privileged ports to ports 6970 - 7170 for UDP
Outgoing packets:
· from non-privileged ports to port 554 for TCP
· from non-privileged ports to port 7070 for TCP
Mediaplayer - Filter
This filter makes it possible to use the RealPlayer for streaming audio and video. The following port enables have been provided:
Incoming packets:
· from port 1755 to non-privileged ports for UDP
· from port 1755 to non-privileged ports for TCP
Outgoing packets:
· from non-privileged ports to port 1755 for UDP
· from non-privileged ports to port 1755 for TCP
Filter update
As it may be necessary to provide an update for the firewall configuration to enable new applications, or to fend off hacking attacks from the Internet for example, the Filter Wizard operates using a descriptive file that you can easily update without necessarily having to update the software in your PABX, your router or PC.
Check at regular intervals whether new description files are available (names: »filterwizardtab.txt« and »Filter_Info.txt«) under http://www.Funkwerk-ec.com. These two files belong together: the file “filterwizardtab.txt” controls the behavior of the Filter Wizard; the file “Filter_Info.txt” contains a detailed description of the options available in the Filter Wizard in an easy-to-read format (see following tips and hints).
If newer versions of the description files are available there you can download these to your PC (existing files are overwritten). The description files are located in the subdirectory »filterinfo« that can be found in the installation directory for the configuration software for your telephone system, for example »C:WIN-ToolsTools V6.02x«; the files »filterwizardtab.txt« and »Filter_Info.txt« are also located here.
When you then restart the Filter Wizard from the configuration software and click the button “Restore standard”, the new filters will be available immediately.
Note If the “Restore standard” button is grayed out you must first modify one of the given filter settings (activate or de-activate any given filter) before this button is activated. The button “Help” is located in the configuration branch “Network” “Filters”. The text that is displayed when you click this button is taken directly from the file “Filter_Info.txt”, allowing the Help function for the Filter Wizard filters to be updated without performing an overall software update.
Funkwerk Enterprise Communications GmbH Südwestpark 94 D-90449 Nürnberg
For information on support and service offerings please visit our website at www.Funkwerk-ec.com, where you will find a Service / Support area.
Subject to modifications. Edition 4 / 010109