Lancom IAP-3G User Manual

LANCOM IAP-3G

Professional 3G router for M2M applications in harsh environments

1

High-speed Internet access via HSPA+ with download speeds up to 21 Mbps

1

Backwards compatible with the cellular standards UMTS, EDGE/GPRS

1

For tough environments: IP50 housing and extended temperature range from -20°C to +50°C

1

Ideal for M2M applications with its serial interface and COM-port forwarding

1

Integrated GPS functionality for device positioning

1

VPN site-to-site connectivity with 5 simultaneous IPsec VPN channels (25 channels optional)

1

Flexible power supply with a universal power supply 10-28V

The M2M cellular router LANCOM IAP-3G features an integrated HSPA+ module and achieves data rates of up to 21 Mbps downstream and 5.76 Mbps upstream on

cellular networks. Thanks to its robust full-metal housing and the extended temperature range, the device is ideal for stationary and mobile connectivity for machines and

automated systems in harsh environments—independent of wired broadband services. For machine-to-machine communications, the LANCOM IAP-3G features a serial

COM port for COM-port forwarding. This enables systems that do not support IP to be integrated into a company network. The LANCOM IAP-3G also has a Gigabit Ethernet

interface and numerous networking features such as IPsec VPN, VLAN support, and an object-oriented stateful inspection firewall.

More flexibility.

The LANCOM IAP-3G offers exceptional flexibility. Thanks to the widespread coverage of cellular networks, the device guarantees Internet connectivity almost anywhere.

Where HSPA+ is not available, the cellular modem is backwards compatible to UMTS, EDGE and GPRS. Integrated into the LANCOM IAP-3G is a universal power adapter:

Designed for bipolar industrial plug connectors, it allows for power supplies ranging from 10 – 28 volts. The mounting plate supplied with the device contributes to its

flexibility, as the cellular router can be installed of on walls, masts and also on top-hat rails. For mobile applications and installation in public places, the LANCOM IAP-3G

features an integrated GPS module to determine the position of the device. This anti-theft measure ensures that the device stops operating if its location is changed.

More security.

LANCOM guarantees you communications with the highest standards of security from an extensive range of encryption and authentication mechanisms. VLAN technology,

matured quality-of-service functions and bandwidth limitation enable the reliable transmission of data streams. The VPN gateway in the LANCOM IAP-3G with its 5

simultaneous IPsec channels and high-security encryption by 3-DES or AES provides optimal security for VPN connections. Thanks to IPSec-over-HTTPS (based on the NCP

VPN Path Finder technology) secure VPN connections are also available where IPsec is blocked by the cellular networks. The LANCOM IAP-3G furthermore assures network

security with the object-oriented stateful inspection firewall, intrusion prevention, Denial of Service protection and access control by MAC or IP address.

More management.

LCMS, the LANCOM Management System, is a free software package for the LANCOM IAP-3G. It caters for the configuration of the device, remote maintenance and

network monitoring. The central component of LCMS, LANconfig, is used to configure the cellular router and other LANCOM devices on the network. LANmonitor offers

detailed, real-time monitoring of parameters, it provides access to log files and statistics, and it can carry out a detailed trace-protocol analysis. Other functions in LCMS

include the firewall GUI for object-oriented setup of the firewall, automatic backup of configurations and scripts, and the intuitive folder structure with convenient search

function.

More reliability for the future.

From the very start, LANCOM products are designed for a product life of several years. They are equipped with hardware dimensioned for the future. Even reaching back

to older product generations, updates to the LANCOM Operating System—LCOS—are available several times a year, free of charge and offering major features. LANCOM

offers unbeatable safeguarding of your investment.

LANCOM IAP-3G

UMTS modem

UMTS, HSPA+ (HSPA+ with up to 21 Mbps, HSUPA with up to 5.76 Mbps), Edge, and GPRS supportSupported standards*

850/900/1900/2100 MHzUMTS and HSxPA bands

850/900/1800/1900 Mhz (EDGE up to max. 236kbps)EDGE/GPRS bands

Maximum transmission power GSM/EDGE

Firewall

Stateful inspection firewall

Packet filter

Tagging

Quality of Service

Bandwidth reservation

Layer 2/Layer 3 tagging

Security

Authentication mechanisms

High availability / redundancy

VRRP

GSM850 & GSM 900 +32dBm (GMSK) ' GSM850 & GSM 900 +27dBm (8PSK) ' DCS1800 & PCS1900 +29dBm (GMSK) ' DCS1800 & PCS1900
+26dBm (8PSK)

+23dBmMaximum transmission power UMTS/HSxPA

Receive diversity on the aux antennaDiversity support

Multi-SIM is supported on 4G devices only*) Note

Incoming/Outgoing Traffic inspection based on connection information. Trigger for firewall rules depending on backup status, e.g. simplified rule
sets for low-bandwidth backup lines. Limitation of the number of sessions per remote site (ID)

Check based on the header information of an IP packet (IP or MAC source/destination addresses; source/destination ports, DiffServ attribute);
remote-site dependant, direction dependant, bandwidth dependant

Network Address Translation (NAT) based on protocol and WAN address, i.e. to make internal webservers accessible from WANExtended port forwarding

N:N IP address mapping for translation of IP addresses or entire networksN:N IP address mapping

The firewall marks packets with routing tags, e.g. for policy-based routing; Source routing tags for the creation of independent firewall rules for
different ARF contexts

Forward, drop, reject, block sender address, close destination port, disconnectActions

Via e-mail, SYSLOG or SNMP trapNotification

Dynamic bandwidth management with IP traffic shapingTraffic shaping

Dynamic reservation of minimum and maximum bandwidths, totally or connection based, separate settings for send and receive directions. Setting
relative bandwidth limits for QoS in percent. Bandwidth control and QoS also for UMTS connections

Priority queuing of packets based on DiffServ/TOS fieldsDiffServ/TOS

Automatic packet-size control by fragmentation or Path Maximum Transmission Unit (PMTU) adjustmentPacket-size control

Automatic or fixed translation of layer-2 priority information (IEEE 802.11p-marked Ethernet frames) to layer-3 DiffServ attributes in routing mode.
Translation from layer 3 to layer 2 with automatic recognition of IEEE 802.11p-support in the destination device

Monitoring and blocking of login attempts and port scansIntrusion Prevention

Source IP address check on all interfaces: only IP addresses belonging to the defined IP networks are allowedIP spoofing

Filtering of IP or MAC addresses and preset protocols for configuration accessAccess control lists

Protection from fragmentation errors and SYN floodingDenial of Service protection

Detailed settings for handling reassembly, PING, stealth mode and AUTH portGeneral

Filtering of unwanted URLs based on DNS hitlists and wildcard filters. Extended functionality with Content Filter OptionURL blocker

Password-protected configuration access can be set for each interfacePassword protection

Alerts via e-mail, SNMP traps and SYSLOGAlerts

EAP-TLS, EAP-TTLS, PEAP, MS-CHAP, MS-CHAPv2 as EAP authentication mechanisms, PAP, CHAP, MS-CHAP and MS-CHAPv2 as PPP authentication
mechanisms

Network protection via site verification by GPS positioning, device stops operating if its location is changesGPS anti-theft

Adjustable reset button for 'ignore', 'boot-only' and 'reset-or-boot'Adjustable reset button

VRRP (Virtual Router Redundancy Protocol) for backup in case of failure of a device or remote station. Enables passive standby groups or reciprocal
backup between multiple active devices including load balancing and user definable backup priorities

For completely safe software upgrades thanks to two stored firmware versions, incl. test mode for firmware updatesFirmSafe

Features as of: LCOS 9.10

LANCOM IAP-3G

High availability / redundancy

Optional operation of an analog or GSM modem at the serial interfaceAnalog/GSM modem backup

Static and dynamic load balancing over up to 2 WAN connections. Channel bundling with Multilink PPP (if supported by network operator)Load balancing

VPN redundancy

VPN

IPSec over HTTPS

Number of VPN tunnels

Certificates

XAUTH

Proadaptive VPN

Algorithms

IPCOMP

LANCOM Dynamic VPN

Specific DNS forwarding

VPN throughput (max., AES)

Backup of VPN connections across different hierarchy levels, e.g. in case of failure of a central VPN concentrator and re-routing to multiple distributed
remote sites. Any number of VPN remote sites can be defined (the tunnel limit applies only to active connections). Up to 32 alternative remote
stations, each with its own routing tag, can be defined per VPN connection. Automatic selection may be sequential, or dependant on the last
connection, or random (VPN load balancing)

Line monitoring with LCP echo monitoring, dead-peer detection and up to 4 addresses for end-to-end monitoring with ICMP pollingLine monitoring

Enables IPsec VPN based on TCP (at port 443 like HTTPS) which can go through firewalls in networks where e. g. port 500 for IKE is blocked. Suitable
for client-to-site connections (with LANCOM Advanced VPN Client 2.22 or later) and site-to-site connections (LANCOM VPN gateways or routers
with LCOS 8.0 or later). IPSec over HTTPS is based on the NCP VPN Path Finder technology

Max. number of concurrent active IPSec, PPTP (MPPE) and L2TPv2 tunnels: 5 (25 with VPN 25 Option). Unlimited configurable connections.
Configuration of all remote sites via one configuration entry when using the RAS user template or Proadaptive VPN.

Integrated hardware accelerator for 3DES/AES encryption and decryptionHardware accelerator

Integrated, buffered realtime clock to save the date and time during power failure. Assures timely validation of certificates in any caseRealtime clock

Generates real random numbers in hardware, e. g. for improved key generation for certificates immediately after switching-onRandom number generator

One click function in LANconfig to create VPN client connections, incl. automatic profile creation for the LANCOM Advanced VPN Client1-Click-VPN Client assistant

Creation of VPN connections between LANCOM routers via drag and drop in LANconfig1-Click-VPN Site-to-Site

IPSec key exchange with Preshared Key or certificateIKE

X.509 digital multi-level certificate support, compatible with Microsoft Server / Enterprise Server and OpenSSL, upload of PKCS#12 files via HTTPS
interface and LANconfig. Simultaneous support of multiple certification authorities with the management of up to nine parallel certificate hierarchies
as containers (VPN-1 to VPN-9). Simplified addressing of individual certificates by the hierarchy's container name (VPN-1 to VPN-9). Wildcards for
certificate checks of parts of the identity in the subject. Secure Key Storage protects a private key (PKCS#12) from theft

Automatic creation, rollout and renewal of certificates via SCEP (Simple Certificate Enrollment Protocol) per certificate hierarchyCertificate rollout

CRL retrieval via HTTP per certificate hierarchyCertificate revocation lists (CRL)

Check X.509 certifications by using OCSP (Online Certificate Status Protocol) in real time as an alternative to CRLsOCSP Client

XAUTH client for registering LANCOM routers and access points at XAUTH servers incl. IKE-config mode. XAUTH server enables clients to register
via XAUTH at LANCOM routers. Connection of the XAUTH server to RADIUS servers provides the central authentication of VPN-access with user
name and password. Authentication of VPN-client access via XAUTH and RADIUS connection additionally by OTP token

Configuration of all VPN client connections in IKE ConfigMode via a single configuration entryRAS user template

Automated configuration and dynamic creation of all necessary VPN and routing entries based on a default entry for site-to-site connections.
Propagation of dynamically learned routes via RIPv2 if required

3DES (168 bit), AES (128, 192 or 256 bit), Blowfish (128 bit), RSA (1024-4096 bit) and CAST (128 bit). OpenSSL implementation with FIPS-140
certified algorithms. MD-5, SHA-1, SHA-256, SHA-384 or SHA-512 hashes

NAT-Traversal (NAT-T) support for VPN over routes without VPN passthroughNAT-Traversal

VPN data compression based on LZS or Deflate compression for higher IPSec throughput on low-bandwidth connections (must be supported by
remote endpoint)

Enables VPN connections from or to dynamic IP addresses. The IP address is communicated via the ICMP or UDP protocol in encrypted form.
Dynamic dial-in for remote sites via connection template

Enables the registration of IP addresses with a Dynamic DNS provider in the case that fixed IP addresses are not used for the VPN connectionDynamic DNS

DNS forwarding according to DNS domain, e.g. internal names are translated by proprietary DNS servers in the VPN. External names are translated
by Internet DNS servers

Enables the use of IPv4 VPN over IPv6 WAN connectionsIPv4 VPN over IPv6 WAN

92 Mbps1418-byte frame size UDP

16 Mbps256-byte frame size UDP

25 MbpsIMIX

Features as of: LCOS 9.10

LANCOM IAP-3G

Firewall throughput (max.)

110 Mbps1518-byte frame size UDP

20 Mbps256-byte frame size UDP

Content Filter (optional)

Activate the 30-day trial version after free registration under http://www.lancom.eu/routeroptionsDemo version

URL filter database/rating server*

URL check*

Categories/category profiles*

Override**

Black-/whitelist

Profiles

Time frames

Flexible firewall action

Individual display pages (for blocked, error,
override)

License management

Statistics

Wizard for typical configurations

VoIP

SIP ALG

Routing functions

Advanced Routing and Forwarding

Worldwide, redundant rating servers from IBM Security Solutions for querying URL classifications. Database with over 100 million entries covering
about 10 billion web pages. Web crawlers automatically search and classify web sites to provide nearly 150,000 updates per day: They use text
classification by optical character recognition, key word searches, classification by word frequency and combinations, web-site comparison of text,
images and page elements, object recognition of special characters, symbols, trademarks and prohibited images, recognition of pornography and
nudity by analyzing the concentration of skin tones in images, by structure and link analysis, by malware detection in binary files and installation
packages

Database based online check of web sites (HTTP/HTTPS). HTTPS websites are checked based on DNS names of HTTPS server certificates or based
on “Reverse DNS lookup“ of IP addresses.

Filter rules can be defined in each profile by collecting category profiles from 58 categories, for example to restrict Internet access to business
purposes only (limiting private use) or by providing protection from content that is harmful to minors or hazardous content (e.g. malware sites).
Clearly structured selection due to the grouping of similar categories. Content for each category can be allowed, blocked, or released by override

Each category can be given an optional manual override that allows the user to access blocked content on a case-by-case basis. The override
operates for a limited time period by allowing the category or domain, or a combination of both. Optional notification of the administrator in case
of overrides

Lists that are manually configured to explicitly allow (whitelist) or block (blacklist) web sites for each profile, independent of the rating server.
Wildcards can be used when defining groups of pages or for filtering sub pages

Timeframes, blacklists, whitelists and categories are collected into profiles that can be activated separately for content-filter actions. A default
profile with standard settings blocks racist, pornographic, criminal, and extremist content as well as anonymous proxies, weapons/military, drugs,
SPAM and malware

Timeframes can be flexibly defined for control over filtering depending on the time of day or weekday, e.g. to relax controls during break times for
private surfing

Activation of the content filter by selecting the required firewall profile that contains content-filter actions. Firewall rules enable the flexible use of
your own profiles for different clients, networks or connections to certain servers

Response pages displayed by the content filter in case of blocked sites, errors or overrides can be custom designed. Variables enable the inclusion
of current information such as the category, URL, and rating-server categorization. Response pages can be issued in any language depending on
the language set in the user's web browser

As an alternative to displaying the device's own internal response pages to blockings, errors or overrides, you can redirect to external web serversRedirection to external pages

Automatic notification of license expiry by e-mail, LANmonitor, SYSLOG or SNMP trap. Activation of license renewal at any time before expiry of
the current license (the new licensing period starts immediately after expiry of the current license)

Display of the number of checked and blocked web pages by category in LANmonitor. Logging of all content-filter events in LANmonitor; log file
created daily, weekly or monthly. Hit list of the most frequently called pages and rating results. Analysis of the connection properties; minimum,
maximum and average rating-server response time

Messaging in case of content-filter events optionally by e-mail, SNMP, SYSLOG or LANmonitorNotifications

Wizard sets up the content filters for a range of typical scenarios in a few simple steps, including the creation of the necessary firewall rules with
the corresponding action

Simultaneous checking of HTTP(S) traffic for a maximum of 100 different IP addresses in the LANMax. users

Categorization is maintained by IBM. Neither IBM or LANCOM can guarantee full accuracy of the categorization.*) Note

The Override function is only available for HTTP websites.**) Note

The SIP ALG (Application Layer Gateway) acts as a proxy for SIP communication. For SIP calls the ALG opens the necessary ports on the firewall for
the corresponding media packets. By using automatic address translation for devices inside the LAN, the use of STUN is no longer needed.

IP and NetBIOS/IP multi-protocol routerRouter

Separate processing of 16 contexts due to virtualization of the routers. Mapping to VLANs and complete independent management and configuration
of IP networks in the device, i.e. individual settings for DHCP, DNS, Firewalling, QoS, VLAN, Routing etc. Automatic learning of routing tags for
ARF contexts from the routing table

HTTP and HTTPS server for configuration by web interfaceHTTP

Features as of: LCOS 9.10

LANCOM IAP-3G

Routing functions

DNS client, DNS server, DNS relay, DNS proxy and dynamic DNS clientDNS

DHCP

Policy-based routing

Dynamic routing

DHCPv6

Layer 2 functions

ARP lookup

IPv6 layer 2 protocol filter

COM port server

COM port forwarding

LAN protocols

IP

IPv6

IPv6

WAN protocols

WAN operating mode

Interfaces

Serial interface

DHCP client, DHCP relay and DHCP server with autodetection. Cluster of several LANCOM DHCP servers per context (ARF network) enables caching
of all DNS assignments at each router. DHCP forwarding to multiple (redundant) DHCP servers

NetBIOS/IP proxyNetBIOS

NTP client and SNTP server, automatic adjustment for daylight-saving timeNTP

Policy-based routing based on routing tags. Based on firewall rules, certain data types are marked for specific routing, e.g. to particular remote
sites or lines

Dynamic routing with RIPv2. Learning and propagating routes; separate settings for LAN and WAN. Extended RIPv2 including HopCount, Output
Delay, Poisoned Reverse, Triggered Update for LAN (acc. to RFC 2453) and WAN (acc. to RFC 2091) as well as filter options for propagation of
routes. Definition of RIP sources with wildcards

DHCPv6 client, DHCPv6 server, DHCPv6 relay, stateless- and stateful mode, IPv6 address (IA_NA), prefix delegation (IA_PD), DHCPv6 reconfigure
(server and client)

VLAN ID definable per interface and routing context (4,094 IDs) IEEE 802.1qVLAN

Packets sent in response to LCOS service requests (e.g. for Telnet, SSH, SNTP, SMTP, HTTP(S), SNMP, etc.) via Ethernet can be routed directly to the
requesting station (default) or to a target determined by ARP lookup

Automatic discovery of network topology in layer 2 networks (Link Layer Discover Protocol)LLDP

DHCP relay agent information (option 82) can be insterted on devices with WLAN bridge (RFC 3046)DHCP option 82

Router advertisement snopping blocks illegal IPv6 router advertisements in the WLAN bridge. DHCPv6 snopping blocks all illegal DHCPv6 servers.
The lightweight DHCPv6 relay agent (LDRA) can insert relay agent information on layer 2.

COM-port server for the DIN interface. For a serial device connected to it, the server manages its own virtual COM port via Telnet (RFC 2217) for
remote maintenance (works with popular virtual COM-port drivers compliant with RFC 2217). Switchable newline conversion and alternative binary
mode. TCP keepalive according to RFC 1122 with configurable keepalive interval, retransmission timeout and retries

ARP, proxy ARP, BOOTP, DHCP, DNS, HTTP, HTTPS, IP, ICMP, NTP/SNTP, NetBIOS, PPPoE (server), RADIUS, RIP-1, RIP-2, RTP, SIP, SNMP, TCP, TFTP,
UDP, VRRP, VLAN

NDP, stateless address autoconfiguration (SLAAC), stateful address autoconfiguration (with DHCPv6), router advertisements, ICMPv6, DHCPv6,
DNS, HTTP, HTTPS, PPPoE, RADIUS, TCP, UDP, SMTP

IPv4/IPv6 dual stackDual Stack

WEBconfig, HTTP, HTTPS, SSH, Telnet, DNS, TFTP, Firewall, RAS dial-inIPv6 compatible LCOS applications

PPPoE, Multi-PPPoE, ML-PPP,GRE, EoGRE,PPTP (PAC or PNS), L2TPv2 (LAC or LNS) and IPoE (with or without DHCP), RIP-1, RIP-2, VLAN, IPEthernet

IPv6 over PPP (IPv6 and IPv4/IPv6 dual stack session), IPoE (autoconfiguration, DHCPv6 or static)IPv6

6to4, 6in4, 6rd (static and via DHCP), Dual Stack Lite (IPv4 in IPv6 tunnel)Tunneling protocols (IPv4/IPv6)

ADSL1, ADSL2 or ADSL2+ with external ADSL2+ modemxDSL (ext. modem)

10/100 Mbps, default WAN port, configurable as LAN portWAN port

Serial configuration interface / COM port (8 pin Mini-DIN): 9,600 - 115,000 baud, suitable for optional connection of analog/GPRS modems. Supports
internal COM port server and allows for transparent asynchronous transmission of serial data via TCP

Two SMA antenna connectors for external 3G antennas (Ant 1, Ant 2) or for optional GPS antenna at Ant 2 (not included in package content)External antenna connectors

Features as of: LCOS 9.10

LANCOM IAP-3G

LCMS (LANCOM Management System)

LANconfig

LANmonitor

Firewall GUI

Automatic software update

Management

WEBconfig

LANCOM Layer 2 Management (emergency
management)

Alternative boot configuration

Device SYSLOG

SMS

User administration

Remote maintenance

TACACS+

Remote maintenance of 3rd party devices

TFTP & HTTP(S) client

SSH & Telnet client

Configuration program for Microsoft Windows, incl. convenient Setup Wizards. Optional group configuration, simultaneous remote configuration
and management of multiple devices over IP connection (HTTPS, HTTP, SSH, TFTP). A tree view of the setting pages like in WEBconfig provides
quick access to all settings in the configuration window. Password fields which optionally display the password in plain text and can generate
complex passwords. Configuration program properties per project or user. Automatic storage of the current configuration before firmware updates.
Exchange of configuration files between similar devices, e.g. for migrating existing configurations to new LANCOM products. Detection and display
of the LANCOM managed switches. Extensive application help for LANconfig and parameter help for device configuration. LANCOM QuickFinder
as search filter within LANconfig and device configurations that reduces the view to devices with matching properties. Central configuration of
each management port. Configuration files can also be encrypted and securly saved.

Monitoring application for Microsoft Windows for (remote) surveillance and logging of the status of LANCOM devices and connections, incl. PING
diagnosis and TRACE with filters and save to file. Search function within TRACE tasks. Wizards for standard diagnostics. Export of diagnostic files
for support purposes (including bootlog, sysinfo and device configuration without passwords). Graphic display of key values (marked with an icon
in LANmonitor view) over time as well as table for minimum, maximum and average in a separate window, e. g. for Rx, Tx, CPU load, free memory.
Monitoring of the LANCOM managed switches. Flick easily through different search results by LANCOM QuickFinder

Graphical user interface for configuring the object-oriented firewall in LANconfig: Tabular presentation with symbols for rapid understanding of
objects, choice of symbols for objects, objects for actions/Quality of Service/remote sites/services, default objects for common scenarios, individual
object definition (e.g. for user groups)

Voluntary automatic updates for LCMS. Search online for LCOS updates for devices managed by LANconfig on the myLANCOM download server
(myLANCOM account mandatory). Updates can be applied directly after the download or at a later time

Integrated web server for the configuration of LANCOM devices via Internet browsers with HTTPS or HTTP. Similar to LANconfig with a system
overview, SYSLOG and events display, symbols in the menu tree, quick access with side tabs. WEBconfig also features Wizards for basic configuration,
security, Internet access, LAN-LAN coupling. Online help for parameters in LCOS menu tree

The LANCOM Layer 2 Management protocol (LL2M) enables an encrypted access between the command line interfaces of two LANCOM device
directly via a Layer 2 connection

During rollout devices can be preset with project- or customer-specific settings. Up to two boot- and reset-persistent memory spaces can store
customized configurations for customer-specific standard settings (memory space '1') or as a rollout configuration (memory space '2'). A further
option is the storage of a persistent standard certificate for the authentication of connections during rollouts

SYSLOG buffer in the RAM (size depending on device memory) to store events for diagnosis. Default set of rules for the event protocol in SYSLOG.
The rules can be modified by the administrator. Display and saving of internal SYSLOG buffer (events) from LANCOM devices with LANmonitor,
display only with WEBconfig

Send and receive SMS. The management can be comfortably conducted via LANmonitor. Additionally, notifications can be sent by SMS at defined
network events. SMS can be sent via HTTP with URL parameters, too. Therefore, a cellular router can be utilized as an SMS gateway. Suitable for
installations with a maximum throughput of 10 SMS per minute.

Individual access and function rights for up to 16 administrators. Alternative access control on a per parameter basis with TACACS+Access rights

RADIUS user administration for dial-in access (PPP/PPTP). Support for RADSEC (Secure RADIUS) providing secure communication with RADIUS
servers

Remote configuration with Telnet/SSL, SSH (with password or public key), browser (HTTP/HTTPS), TFTP or SNMP, firmware upload via HTTP/HTTPS
or TFTP

Support of TACACS+ protocol for authentication, authorization and accounting (AAA) with reliable connections and encrypted payload. Authentication
and authorization are separated completely. LANCOM access rights are converted to TACACS+ levels. With TACACS+ access can be granted per
parameter, path, command or functionality for LANconfig, WEBconfig or Telnet/SSH. Each access and all changes of configuration are logged.
Access verification and logging of SNMP Get and Set requests. WEBconfig supports the access rights of TACACS+ and choice of TACACS+ server
at login. LANconfig provides a device login with the TACACS+ request conveyed by the addressed device. Authorization to execute scripts and each
command within them by checking the TACACS+ server’s database. CRON, action-table and script processing can be diverted to avoid TACACS+
to relieve TACACS+ servers. Redundancy by setting several alternative TACACS+ servers. Configurable option to fall back to local user accounts in
case of connection drops to the TACACS+ servers. Compatibility mode to support several free TACACS+ implementations

Support of RADIUS protocol for authentication of configuration access. Administrative privileges can be assigned for each administrator.RADIUS

A remote configuration for devices behind der LANCOM can be accomplished (after authentication) via tunneling of arbitrary TCP-based protocols,
e.g. for HTTP(S) remote maintenance of VoIP phones or printers of the LAN. Additionally, SSH and Telnet client allow to access other devices from
a LANCOM device with an interface to the target subnet if the LANCOM device can be reached at its command line interface

For downloading firmware and configuration files from a TFTP, HTTP or HTTPS server with variable file names (wildcards for name, MAC/IP address,
serial number), e.g. for roll-out management. Commands for live Telnet session, scripts or CRON jobs. HTTPS Client authentication possible by
username and password or by certificate

SSH-client function compatible to Open SSH under Linux and Unix operating systems for accessing third-party components from a LANCOM router.
Also usable when working with SSH to login to the LANCOM device. Support for certificate- and password-based authentication. Generates its own
key with sshkeygen. SSH client functions are restricted to administrators with appropriate rights. Telnet client function to login/administer third
party devices or other LANCOM devices from command line interface

Features as of: LCOS 9.10

LANCOM IAP-3G

Management

Option to choose if an uploaded certificate or the default certificate is used by the HTTPS serverHTTPS Server

Access rights (read/write) over WAN or LAN can be set up separately (Telnet/SSL, SSH, SNMP, HTTPS/HTTP), access control listSecurity

Scripting

Load commands

Diagnosis

Statistics

Volume budget

Accounting

Hardware

Environment

Declarations of conformity*

Scope of delivery

Scripting function for batch-programming of all command-line parameters and for transferring (partial) configurations, irrespective of software
versions and device types, incl. test mode for parameter changes. Utilization of timed control (CRON) or connection establishment and termination
to run scripts for automation. Scripts can send e-mails with various command line outputs as attachments

LoadFirmware, LoadConfig and LoadScript can be executed conditionally in case certain requirements are met. For example, the command
LoadFirmware could be executed on a daily basis and check each time if the current firmware is up to date or if a new version is available. In
addition, LoadFile allows the upload of files including certificates and secured PKCS#12 containers

SNMP management via SNMPv2, private MIB exportable by WEBconfig, MIB IISNMP

Scheduled control of parameters and actions with CRON serviceTimed control

Extensive LOG and TRACE options, PING and TRACEROUTE for checking connections, LANmonitor status display, internal logging buffer for SYSLOG
and firewall events, monitor mode for Ethernet ports

Extensive Ethernet, IP and DNS statistics; SYSLOG error counterStatistics

The used data volume of WAN connections (PPP, IPoE, PPTP, L2TP, IPSec) can be monitored and different actions can be triggered once certain
thresholds are passed

Connection time, online time, transfer volumes per station. Snapshot function for regular read-out of values at the end of a billing period. Timed
(CRON) command to reset all counters at once

Accounting information exportable via LANmonitor and SYSLOGExport

207 mm x 148 mm x 44 mm (Length/Width/Height)Dimensions

approximately 1.2 kg excluding mounting materialWeight

5 LEDs for Power, Ethernet 1, Ethernet 2, 3G and VPN, 3 LEDs for 3G signal strengthLED display

12 V DC, external power adapter (230 V) with bayonet cap to protect against accidentally unpluggingPower supply

24 V DC, input voltage range 10 - 28 VPower supply

Configurable reset switch for resetting and booting the deviceReset button

Temperature range -20 – +50° C; humidity 0–95%; non-condensing, please note that depending on the intended use your power supply has to
support the extended temperature range

Robust metal housing, IP 50 protection rating, ready for wall, pole and top-hat rail mountingHousing

@12 V: 6.2 Watts @ 24 V: 6.7 WattPower consumption (max)

EN 60950-1, EN 301 489-1, EN 301 489-24CE

UL-2043UL

EN 301 511GSM 900, GSM 1800

EN 301 908-1, EN 301 908-2UMTS

IPv6 Ready GoldIPv6

You will find all declarations of conformity in the products section of our website at www.lancom-systems.de/en*) Note

Hardware Quick Reference (EN, DE), Installation Guide (DE/EN/FR/ES/IT/PT/NL)Manual

Data medium with firmware, management software (LANconfig, LANmonitor, WLANmonitor) and documentationCD/DVD

Serial configuration cable, 1.5mCable

1 Ethernet cable, 3 mCable

2-pin plug to connect with multi-voltage power supply unit with screwed connectionPlug

Mounting kit for wall, pole and top hat rail mountingMounting Kit

Features as of: LCOS 9.10

LANCOM IAP-3G

Scope of delivery

Two 2 dBi dipole UMTS/GPRS antennas (850-960 Mhz and 1700-2220 Mhz)Antennas

Passive GPS antenna can be ordered free of charge with enclosed voucherGPS antenna

Power supply unit

Support

Options

Accessories

Item number(s)

External power adapter (230 V), NEST 12 V/1.5 A DC/S, coaxial power connector 2.1/5.5 mm bayonet, temperature range from -5 to +45° C,
LANCOM item no. 110723 (EU)/LANCOM item no 110829 (UK)

3 years support via hotline and Internet KnowledgeBaseWarranty

Regular free updates (LCOS operating system and LANCOM Management System) via InternetSoftware updates

LANCOM VPN-25 Option (25 channels), item no. 60083VPN

LANCOM Content Filter +10 user, 1 year subscriptionLANCOM Content Filter

LANCOM Content Filter +25 user, 1 year subscriptionLANCOM Content Filter

LANCOM Content Filter +100 user, 1 year subscriptionLANCOM Content Filter

LANCOM Content Filter +10 user, 3 year subscriptionLANCOM Content Filter

LANCOM Content Filter +25 user, 3 year subscriptionLANCOM Content Filter

LANCOM Content Filter +100 user, 3 year subscriptionLANCOM Content Filter

LANCOM Warranty Basic Option M, item no. 10711Warranty Extension

LANCOM Warranty Advanced Option M, item no. 10716Warranty Extension & Advanced Replacement

AirLancer Extender O-360-3G 4 dBi omnidirectional GSM/GPRS/EDGE/3G outdoor antenna, item no. 61225External antenna

AirLancer Extender I-360-3G 2dBi GSM/GPRS/EDGE, 5dBi 3G, omnidirectional indoor antenna, item no. 60916External antenna

61393LANCOM IAP-3G

61394LANCOM IAP-3G (UK)

Features as of: LCOS 9.10

www.lancom.eu

LANCOM Systems GmbH I Adenauerstr. 20/B2 I 52146 Wuerselen I Germany I E-Mail info@lancom.eu I Internet www.lancom.eu

LANCOM, LANCOM Systems and LCOS are registered trademarks. All other names or descriptions used may be trademarks or registered trademarks of their owners. Subject to change

without notice. No liability for technical errors and/or omissions. 7/2015