THOMSON Wireless Business DSL Routers SpeedTouch™620, SpeedTouch 620 Operator's Manual

SpeedTouch™620
Wireless Business DSL Routers
Operator’s Guide
Copyright
Copyright ©1999-2006 THOMSON. All rights reserved.
Distribution and copying of this document, use and communication of its contents is not permitted without written authorization from THOMSON. The content of this document is furnished for informational use only, may be subject to change without notice, and should not be construed as a commitment by THOMSON. THOMSON assumes no responsibility or liability for any errors or inaccuracies that may appear in this document.
Thomson Telecom Belgium Prins Boudewijnlaan, 47 B-2650 Edegem Belgium
www.speedtouch.com
Trademarks
The following trademarks are used in this document:
SpeedTouch™ is a trademark of THOMSON.
Bluetooth® word mark and logos are owned by the Bluetooth SIG, Inc.
Ethernet™ is a trademark of Xerox Corporation.
Wi-Fi® and the Wi-Fi logo are registered trademarks of the Wi-Fi Alliance. "Wi-Fi CERTIFIED", "Wi-Fi ZONE", "Wi-Fi Alliance", their respective logos and "Wi-Fi Protected Access" are trademarks of the Wi-Fi Alliance.
UPnP™ is a certification mark of the UPnP™ Implementers Corporation.
Microsoft®, MS-DOS®, Windows® and Windows NT® are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
Apple® and Mac OS® are registered trademarks of Apple Computer, Incorporated, registered in the United States and other countries.
UNIX® is a registered trademark of UNIX System Laboratories, Incorporated.
Adobe®, the Adobe logo, Acrobat and Acrobat Reader are trademarks or registered trademarks of Adobe Systems, Incorporated, registered in the United States and/or other countries.
Netscape® and Netscape Navigator® are registered trademarks of Netscape Communications Corporation.
Other brands and product names may be trademarks or registered trademarks of their respective holders.
Document Information
Status: v1.0 (January 2006)
Reference: E-DOC-CTC-20051017-0155
Short Title: Operator’s Guide ST620 R5.4
Contents
1 Introduction
2 SpeedTouch™ Command Line Interface
2.1 About the CLI Interface
2.2 CLI Access via Telnet or Serial Console
2.3 Basic Navigation
2.4 Command Line Interface Commands
2.5 Menu-driven CLI Navigation
3 SpeedTouch™ System Software
3.1 About the System Software
3.2 System Software Management via FTP
3.2.1 Backup System Software via FTP
3.2.2 Upgrade or Restore System Software via FTP
3.2.3 Manual System Software Management via BOOTP/TFTP server
4 SpeedTouch™ Configuration Management
4.1 Configuration Management via the SpeedTouch™ Web Interface
4.2 Configuration Management via Telnet
4.3 The :Config CLI Command Group
4.3.1 Back up Configurations via FTP
4.3.2 Store Configurations via FTP
4.4 SpeedTouch™ Service Templates
4.5 SpeedTouch™ System Languages Management
5 SpeedTouch™ Software Modules
5.1 Software Activation Key Management
6 SpeedTouch™ System Services
6.1 SpeedTouch™ Dynamic DNS
6.2 The SpeedTouch™ SNTP Client
6.3 Website Filtering
6.3.1 The Website Filtering Configuration Pages
6.3.2 How to Verify the Filtering Configuration
6.3.3 How to Activate a Web Filtering License
6.3.4 Configuring the Actions for Uncategorised Sites
6.3.5 How to Create an Address Based Filter
6.3.6 How to Create a Content Based Filter
6.3.7 How to Create a Content Level
6.4 Intrusion Detection and Protection
6.5 Remote Assistance
7 The SpeedTouch™ File System
8 SpeedTouch™ Remote Access
8.1 Remote Web Interface Access
8.2 Secure Remote Web Interface Access
8.3 Remote Telnet Access
8.4 Remote SSH Access
8.5 Remote FTP Access
8.6 Remote SFTP Access
8.7 LAN Based Auto-Configuration (LAC) Support (TR-064)
8.8 CPE WAN Management Protocol (CWMP) Support (TR-069)
9 The Integrated SpeedTouch™ ISDN Modem
9.1 About the ISDN Modem
9.2 How to Configure the ISDN Modem
9.3 ISDN Backup
9.3.1 How to Configure the ISDN Dial-In Connection
9.3.2 How to Configure the PPP Connection
9.4 ISDN Callback
9.4.1 How to Configure the ISDN Dial-In Connection
9.4.2 How to Configure the PPP Connection
9.5 ISDN Remote CAPI
10 SpeedTouch™ Monitoring
10.1 An Introduction to SNMP
10.1.1 Basic Concepts
10.1.2 MIBs Explained
10.2 SNMP configuration
10.2.1 How to Allow Access to the SNMP Agent
10.2.2 How to View the SNMP Configuration
10.2.3 How to View the System Contact, Name and Location
10.2.4 How to Configure SNMPv1
10.2.5 How to Configure the System contact, Name and Location
10.2.6 How to Force the Source IP Address
10.2.7 How to Configure the SNMP Target
10.2.8 How to Read SNMP Parameters via the CLI
10.2.9 How to Allow Remote SNMP
10.2.10 How to Add an SNMP User
10.2.11 How to Restrict SNMP Access
10.2.12 How to Configure the Traps
10.3 The SpeedTouch™ Syslog
10.3.1 The SpeedTouch™ Syslog Daemon
10.3.2 Syslog via the Web Interface
10.3.3 Syslog via the CLI
10.3.4 Remote Syslog Notification
10.4 SpeedTouch™ Identification on AWS
11 SpeedTouch™ Advanced Diagnostics
11.1 The Office Network Web Page
11.2 The Diagnostic Web Page
11.3 Command Line Interface Diagnostics
11.3.1 About CLI Diagnostics
11.3.2 Lower Layer Diagnostics
11.3.3 Router Services Diagnostics
11.3.4 Routing Diagnostics
11.3.5 Ethernet Diagnostics
11.3.6 Management Diagnostics
12 SLA Monitoring
13 Resetting the SpeedTouch™
About this Operator’s Guide
Used Symbols
A note provides additional information about a topic.
A tip provides an alternative method or shortcut to perform an action.
A caution warns you about potential problems or specific precautions that need to be taken.
Terminology
Generally, the SpeedTouch™620 will be referred to as SpeedTouch™ in this Operator’s Guide.
Typographical Conventions
When we display interactive input and output we’ll show our typed input in a bold font and the computer output like this.
Comments are added in italics.
Example:
=>language list
CODE LANGUAGE VERSION FILENAME
en*  english  4.2.0.1 <system>
Only one language is available
Documentation and software updates
THOMSON continuously develops new solutions, but is also committed to improving its existing products.
For more information on THOMSON's latest technological innovations, documents and software releases, visit us at:
www.speedtouch.com
1 Introduction
Overview
The SpeedTouch™ is a key component of your business network, so its proper operation is essential to gain maximum performance from your DSL connectivity.
Continuous management and diagnosis of the SpeedTouch™ should be performed to ensure faultless operation of the SpeedTouch™, 24 hours a day, 7 days a week.
As such the SpeedTouch™ can be perfectly embedded in high quality networks.
Applicability
This Operator’s Guide applies to the SpeedTouch™620 Wireless Business DSL Router.
Contents
This Operator’s Guide consists of 2 major parts:
Configuration:
How to manage the SpeedTouch™ system configuration.
The SpeedTouch™ Command Line Interface.
How to manage the SpeedTouch™ system software.
How to activate software modules with activation keys.
How to configure the SpeedTouch™ system services.
The SpeedTouch™ file system.
How to access the SpeedTouch™ remotely.
How to use the integrated ISDN Modem of SpeedTouch™.
Monitoring and debugging:
How to monitor the SpeedTouch™.
How to identify the SpeedTouch™ with AWS.
The SpeedTouch™ Advanced Diagnostics.
SLA Monitoring.
How to reset the SpeedTouch™ to defaults.
2 SpeedTouch™ Command Line Interface
2.1 About the CLI Interface
CLI access
You can access the Command Line Interface via:
The SpeedTouch™ CLI Web Interface
A Telnet session
The serial Console interface.
CLI web page access requirements
To access the CLI via the SpeedTouch™ Web Interface, you need:
A TCP/IP connection between the computer and the SpeedTouch™.
A web browser on your computer. The web browser should be at least Microsoft's Internet Explorer 4.0, Netscape's Communicator 4.06, or equivalent. The web browser must support JavaScript.
CLI Telnet access requirements
To access the CLI via an IP Telnet session, you need:
A TCP/IP connection between the computer and the SpeedTouch™.
A Telnet application on the computer.
All popular, recent Operating Systems feature a built-in telnet application.
CLI serial access requirements
To access the CLI via the serial Console port, you need:
A cable.
A terminal application that you can use to connect to other devices. Example: Hilgraeve’s Hyperterminal application delivered with MS Windows OSs.
The following port settings in the terminal application:
9600 bits per second
8 data bits
No parity
One stop bit
No Flow control
ANSI terminal emulation
2.2 CLI Access via Telnet or Serial Console
Access via a Telnet session or serial console
As soon as a session to the CLI is opened, a banner pops up, followed by the CLI prompt:
[Banner: ASCII-art SpeedTouch logo with the text "SpeedTouch 620", "5.4.0.10" and "Copyright (c) 1999-2005, THOMSON"]
If the SpeedTouch™ is protected by a system password, authentication will be required before access is granted to the CLI.
2.3 Basic Navigation
Command group navigation
From the top level, you can change to a command group by executing the name of the desired command group (for example type the name of the command group and press ENTER). To obtain a list of all available command groups, use the help command from the top level:
=>:help
Following commands are available :
help       : Displays this help information
menu       : Displays menu
?          : Displays this help information
exit       : Exits this shell.
..         : Exits group selection.
saveall    : Saves current configuration.
ping       : Send ICMP ECHO_REQUEST packets.
traceroute : Send ICMP/UDP packets to trace the ip path.
telnet     : Open a telnet connection to a server.
Following command groups are available :
firewall service autopvc connection cwmp dhcp dns dsd dyndns eth expr ids igmp ip isdn adsl atm capi config debug env hostmgr interface ipqos label language mbus memm mlp nat ppp pptp rcapi router script sla snmp sntp software ssh syslog system tunnel upnp user wireless
To return to top level, or to go up one level (in case of nested command groups), type two dots and press ENTER.
The exact list of available command groups depends on the type of SpeedTouch™, the number and kind of activated software modules and on the current version of the SpeedTouch™ System software.
Help
You can use help or ? from any level to list all available commands and command groups for that level. Below is an example of executing help from the firewall command group selection:
=>:firewall help
Following commands are available :
config : Display/Modify firewall configuration.
list   : Display firewall configuration.
flush  : Flush firewall configuration.
Following command groups are available :
chain debug level rule
Executing :help firewall from top level gives the same result.
Entering help followed by a specific command, for example :help firewall list (starting from top level) or help list (entered from within the firewall command group selection), results in a description of the syntax for the command:
=>:help firewall list
Display firewall configuration.
Syntax : list [format = <{pretty|cli}>]
Parameters :
[format = <{pretty|cli}>]
The format of the firewall list.
Executing :help all from top level will generate the complete listing of all available CLI commands (including syntax description). If entered from within a CLI command group, the listing of all available CLI commands from that CLI command group (including syntax description) is shown.
Command completion
The CLI features command completion, which means that when starting to type a command it can be completed by pressing TAB.
For the completion to be successful, the part already typed has to be unique. Completion works for the command groups, for the commands and the options, but not for values.
For example, typing the letter l at the firewall command group selection, followed by pressing TAB, results in the full command being completed. Entering firewall l from top level and pressing TAB gives the same result: the command is completed to firewall list.
Going to the beginning or end of a line
You can move the cursor to the beginning of the command line by pressing "CTRL+A"; to move the cursor to the end of the command line press "CTRL+E".
Breaking off commands
You can break off a command by pressing "CTRL+G". This is useful when you want to abort a command, for example a command for which you do not know the value of a required command parameter.
History of Commands
The CLI allows you to re-use commands you have used before during a CLI session.
To scroll through the previously used CLI commands use UP ARROW and DOWN ARROW.
To execute a re-used command, press ENTER.
2.4 Command Line Interface Commands
Executing Commands from the Top Level
All CLI commands are commands that operate on, or configure, the SpeedTouch™ settings.
You can use these commands from top level, preceded by the name of the command group from which the command should be executed (for example firewall list).
=>:firewall list
Config
======
State        : disabled
Keep         : disabled
TcpChecks    : none
TcpWindow    : 65536
UdpChecks    : disabled
IcmpChecks   : disabled
LogDefault   : disabled
LogThreshold : enabled
Modules
=======
Module          State    Text                             Hooks
-----------------------------------------------------------------------
fire            enabled  Firewall Administration Module   sink, forward, source
host_service    enabled  Firewall Host Service Module     forward
level           enabled  Firewall Level Module            forward
system_service  enabled  Firewall System Service Module   sink
=>
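The firewall list output above lends itself to a configuration drift check. The following is an added example, not part of the Operator's Guide: it parses a captured CLI transcript and reports settings that differ from an operator-supplied baseline. The function names, the one-setting-per-line layout of the sample and the baseline values are assumptions.

```python
import re

# Constructed transcript: the ":firewall list" output shown in this guide,
# laid out one setting per line (assumed layout of the device output).
SAMPLE_TRANSCRIPT = """\
=>:firewall list
Config
======
State        : disabled
Keep         : disabled
TcpChecks    : none
TcpWindow    : 65536
UdpChecks    : disabled
IcmpChecks   : disabled
LogDefault   : disabled
LogThreshold : enabled

Modules
=======
Module          State    Text                             Hooks
-----------------------------------------------------------------------
fire            enabled  Firewall Administration Module   sink, forward, source
host_service    enabled  Firewall Host Service Module     forward
level           enabled  Firewall Level Module            forward
system_service  enabled  Firewall System Service Module   sink
=>
"""

PROMPT = re.compile(r"^(\[[\w -]+\])?=>")    # "=>" or "[firewall]=>"
SETTING = re.compile(r"^(\w+)\s*:\s*(\S.*)$")  # "State : disabled"


def parse_firewall_list(text):
    """Return {'config': {setting: value}, 'modules': {module: state}}."""
    result = {"config": {}, "modules": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or PROMPT.match(line) or set(line) <= set("=-"):
            continue  # blank line, prompt or echoed command, underline
        if line in ("Config", "Modules"):
            section = line.lower()
            continue
        if section == "config":
            m = SETTING.match(line)
            if m:
                result["config"][m.group(1)] = m.group(2).strip()
        elif section == "modules":
            fields = line.split()
            if len(fields) >= 2 and fields[0] != "Module":  # skip column header
                result["modules"][fields[0]] = fields[1]
    return result


def drift(actual, baseline):
    """List (setting, expected, found) for each baseline entry that differs.

    A setting missing from the device output is reported with found=None.
    """
    return sorted(
        (key, want, actual.get(key))
        for key, want in baseline.items()
        if actual.get(key) != want
    )


if __name__ == "__main__":
    # Hypothetical baseline chosen by the operator, not taken from the guide.
    baseline = {"State": "enabled", "LogDefault": "enabled"}
    parsed = parse_firewall_list(SAMPLE_TRANSCRIPT)
    for setting, want, found in drift(parsed["config"], baseline):
        print(f"{setting}: expected {want}, found {found}")
```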
Executing Commands from the Command Group
You can also enter the commands from the command group itself, using the reduced form of the command (for example list at the firewall command group selection):
=>firewall
[firewall]=>list
Config
======
State        : disabled
Keep         : disabled
TcpChecks    : none
TcpWindow    : 65536
UdpChecks    : disabled
IcmpChecks   : disabled
LogDefault   : disabled
LogThreshold : enabled
Modules
=======
Module          State    Text                             Hooks
-----------------------------------------------------------------------
fire            enabled  Firewall Administration Module   sink, forward, source
host_service    enabled  Firewall Host Service Module     forward
level           enabled  Firewall Level Module            forward
system_service  enabled  Firewall System Service Module   sink
“!” in a command means NOT, for example the [!] in the [srcintf [!]= <string>] parameter of the firewall rule create command.
Executing Commands from Anywhere
It is possible to enter a command from anywhere within the CLI, provided the command is preceded by a colon (:) and the full command path, e.g.:
[firewall]=>:ip rtlist
Using Partial Command Statements
Instead of typing a complete command with all of its required and optional parameters and pressing ENTER, you can also enter the command itself, without specifying any parameter. If all parameters are optional, the command is executed immediately, assuming default values for all parameters. In case the CLI command features required parameters, you are prompted to complete the command with the required (and the optional, if present) parameters. For optional parameters you can simply press ENTER without giving a value (to assume default value). In case the parameter provides preset values, you can scroll through these via the UP and DOWN arrow keys. For example, the addroute parameter below has two preset values, enabled and disabled:
=>:ip ipadd
intf = lan1
addr = 10.1.5.31
[netmask] = 8
[pointopoint] =
[addroute] = enabled
:ip ipadd intf=lan1 addr=10.1.5.31/8 addroute=enabled
Saving the configuration
After configuring the SpeedTouch™ via the CLI, it is advised to save your configuration.
You can save the complete SpeedTouch™ configuration to persistent memory by executing the saveall command.
The saveall command can be entered from any CLI prompt.
2.5 Menu-driven CLI Navigation
Introduction
To improve the user-friendliness of the SpeedTouch™ CLI, the CLI features a menu-driven interface.
Entering the CLI menu
To enter the menu-driven interface, simply enter the command menu from the CLI prompt:
The semi-graphical CLI offers you an attractive and easy-to-use configuration environment for the CLI.
You can browse through the CLI command groups via the arrow keys. Pressing ENTER executes your selection, i.e. for entering a CLI command group. From each level you can select .. and press ENTER to go up one level.
Use TAB to change from the command menu to the control menu (the lower bar of the menu) and vice versa.
Executing commands
To set up a CLI command, simply press ENTER on its name. You can configure and review its various parameters at once. In case the parameter provides preset values, scroll through the available values via the UP and DOWN arrow keys. If you are satisfied with all parameter values, use TAB to select <OK> and press ENTER to execute the command:
Saving the configuration
After configuring the SpeedTouch™ via the CLI, it is advised to save your configuration.
Save the complete SpeedTouch™ configuration to persistent memory by executing saveall after exiting the menu-driven CLI via <Cancel> from root menu.
3 SpeedTouch™ System Software
3.1 About the System Software
Upgrade system software
For new system software packages, you can visit the SpeedTouch™ support pages at: http://www.speedtouch.com
System software packages and security
All SpeedTouch™ system software packages are:
Digitally signed and encrypted: packages that may have become corrupted, or have been altered in any way, will not be accepted by the SpeedTouch™.
Specific per product.
This way, the SpeedTouch™, or its service, can never be corrupted or lost.
3.2 System Software Management via FTP
FTP access
For more information on the SpeedTouch™ file system and how to access it via FTP, see “7 The SpeedTouch™ File System”.
SpeedTouch™ system software locations
The SpeedTouch™ file system consists of two subdirectories: ‘/active’ and ‘/dl’.
In the ‘/active’ subdirectory the currently running system software (the active software version) is stored. The ‘/dl’ subdirectory stores the dormant system software (the passive software version).
In case no SpeedTouch™ system software upgrade was performed before, both active and passive software will be the same.
There are SpeedTouch™ devices where only the ‘/dl’ directory exists (single directory file system).
Full read/write access is only granted in the ‘/dl’ subdirectory.
Overview
This section covers the following topics:
“3.2.1 Backup System Software via FTP”
“3.2.2 Upgrade or Restore System Software via FTP”
“3.2.3 Manual System Software Management via BOOTP/TFTP server”
3.2.1 Backup System Software via FTP
Introduction
For backup reasons, you can transfer system software files from both the SpeedTouch™ ‘/active’ and ‘/dl’ subdirectories to your local disk.
Backup procedure
To transfer system software files from the SpeedTouch™ to your local disk as backup, proceed as follows:
Step Action
1 Open an FTP session to the SpeedTouch™. At the user name prompt, enter a user name and at the password prompt, if applicable, the password (see “The Multi Level Access Policy Configuration Guide” for more information):
C:\>ftp <SpeedTouch™ IP address>
Connected to <SpeedTouch™ IP address>.
220 Inactivity timer = 120 seconds. Use 'site idle <secs>' to change.
User (<SpeedTouch™ IP address>:(none)): JohnDoe
331 SpeedTouch (00-90-D0-01-02-03) User 'JohnDoe' OK. Password required.
Password:#####
230 OK
ftp>
2 Enter binary file transfer mode. Optionally you can enable hashing:
ftp> bin
200 TYPE is now 8-bit binary
ftp> hash
Hash mark printing On ftp: (2048 bytes/hash mark).
ftp>
3 Change to the SpeedTouch™ subdirectory from which you want to get the system software file. In the example below the ‘/dl’ subdirectory is chosen where the currently running - and usually most recent - system software file is stored:
ftp>cd dl
250 Changed to /dl
ftp>
4 To identify the system software file name, use the quote site software version command:
ftp> quote site software version
200- Flash image : 5.4.0.10.0
200- Active SW : ZZUIAA5.40A (5.4.0.a.0)
200- Passive SW : ZZUIAA5.40A (5.4.0.a.0)
200-
200 CLI command "software version" executed
You can also check for the system software file by making a listing of the subdirectory’s contents:
ftp> dir
200 Connected to 192.168.1.60 port 1312
150 Opening data connection for /bin/ls
-rwxrwxrwx 1 0 0 3601488 Jun 29 1971 ZZUIAA5.40A
-rwxrwxrwx 1 0 0 20 Jun 29 1971 start.cmd
-r--r--r-- 1 0 0 9 Jun 29 1971 seed.dat
-r--r--r-- 1 0 0 790 Jun 29 1971 sslcert.pem
-r--r--r-- 1 0 0 963 Jun 29 1971 sslkey.pem
-r--r--r-- 1 0 0 692 Jun 29 1971 sshdsa.pem
-rwxrwxrwx 1 0 0 93013 Jun 29 1971 user.ini
226 Options: -l : 7 matches total
ftp: 466 bytes received in 0,00Seconds 466000,00Kbytes/sec.
5 Get the system software file:
ftp> get ZZUIAA5.40A
200 Connected to 192.168.1.60 port 1315
150 Opening data connection for ZZUIAA5.40A (3601488)
226 File transfer complete
ftp: 3601488 bytes received in 5,92Seconds 608,46Kbytes/sec.
ftp>
As a result the system software file will be stored on the location from where you started the FTP session.
3.2.2 Upgrade or Restore System Software via FTP
Upgrade/Restore procedure
The procedure to upgrade or restore the SpeedTouch™ system software consists of three main steps:
Step Action
1 Transfer system software to the SpeedTouch™
2 Mark system software file as Passive Software Version
3 Activate the upgrade/restored system software
Transfer system software to the SpeedTouch™
To transfer a system software file stored on your local disk to the SpeedTouch™, proceed as follows:
Step Action
1 Open an FTP session to the SpeedTouch™. At the user name prompt, enter a user name. At the password prompt, if applicable, enter the SpeedTouch™ system password (see “The SpeedTouch™ Multi Level Password Configuration Guide”):
C:\>ftp <SpeedTouch™ IP address>
Connected to <SpeedTouch™ IP address>.
220 Inactivity timer = 120 seconds. Use 'site idle <secs>' to change.
User (<SpeedTouch™ IP address>:(none)): JohnDoe
331 SpeedTouch (00-90-D0-01-02-03) User 'JohnDoe' OK. Password required.
Password:#####
230 OK
2 Enter binary file transfer mode. Optionally you can enable hashing:
ftp> bin
200 TYPE is now 8-bit binary
ftp> hash
Hash mark printing On ftp: (2048 bytes/hash mark).
3 Change to the SpeedTouch™ ‘/dl’ subdirectory:
ftp>cd dl
250 Changed to /dl
4 Use the quote site software version command to check whether a passive system software version is stored in the ‘/dl’ subdirectory:
ftp> quote site software version
200- Flash image : 5.4.0.10.0
200- Active SW : ZZUIAA5.40A (5.4.0.a.0)
200- Passive SW : ZZUIAA5.40A (5.4.0.a.0)
200-
200 CLI command "software version" executed
5 In case a passive software version is found, use the quote site software deletepassive command to delete it:
ftp> quote site software deletepassive
200- Flash image : 5.4.0.10.0
200- Active SW : ZZUIAA5.40A (5.4.0.a.0)
200- Passive SW : ---
200-
200 CLI command "software deletepassive" executed
6 Put the upgrade system software to the SpeedTouch™ ‘/dl’ subdirectory:
ftp> put ZZUIAA5.411
200 Connected to 192.168.1.254 port 3638
150 Opening data connection for ZZUIAA5.411
226-Filesystem data garbage collection in progress. This may take a while ...
226 File written successfully
ftp: 2314257 bytes sent in 5.05Seconds 464.90Kbytes/sec.
As a result the system software file is stored on the ‘/dl’ subdirectory of the SpeedTouch™. In addition, the SpeedTouch™ will automatically clean its file system.
Mark system software file as Passive Software Version
You must identify the system software you transferred to the SpeedTouch™ ‘/dl’ subdirectory as passive software version to allow the SpeedTouch™ to mark the file as system software.
Proceeding from the same FTP session you opened to transfer the file, use the quote site software setpassive file=<file name> command, where <file name> represents the name of the system software file you transferred via the previous procedure:
ftp> quote site software setpassive file=ZZUIAA5.411
200- Flash image : 5.4.0.10.0
200- Active SW : ZZUIAA5.40A (5.4.0.a.0)
200- Passive SW : ZZUIAA5.411 (5.4.0.a.0)
200-
200 CLI command "software version" executed
ftp>
Activate the upgrade/restored system software
To activate the upgrade or restored system software, the same mechanism as used via the Web Interface is valid: the system software files are switched.
Proceeding from the same FTP session you opened in the previous procedures, use the quote site software switch command to restart the SpeedTouch™ and activate the newly uploaded upgrade system software:
ftp> quote site software switch
200-
Connection closed by remote host.
ftp>
During restart, the SpeedTouch™ will switch the passive and active system software files and mark the newly uploaded system software as active software version.
Due to the restart of the SpeedTouch™ any open FTP or Telnet session will be closed.
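The version checks in steps 4 and 5, and the check after setpassive, can be scripted by parsing the multi-line 200- reply before the irreversible software switch is issued. The Python code below is an added example, not part of the manual or of THOMSON's software; the function names and the query_status helper are hypothetical, and the sample replies are constructed from the transcripts in this section.

```python
import re
from dataclasses import dataclass
from ftplib import FTP
from typing import List, Optional

# Sample replies, constructed from the transcripts in this section.
REPLY_VERSION = """\
200- Flash image : 5.4.0.10.0
200- Active SW : ZZUIAA5.40A (5.4.0.a.0)
200- Passive SW : ZZUIAA5.40A (5.4.0.a.0)
200-
200 CLI command "software version" executed"""

REPLY_DELETED = """\
200- Flash image : 5.4.0.10.0
200- Active SW : ZZUIAA5.40A (5.4.0.a.0)
200- Passive SW : ---
200-
200 CLI command "software deletepassive" executed"""

REPLY_SETPASSIVE = """\
200- Flash image : 5.4.0.10.0
200- Active SW : ZZUIAA5.40A (5.4.0.a.0)
200- Passive SW : ZZUIAA5.411 (5.4.0.a.0)
200-
200 CLI command "software version" executed"""

# One "200- <label> : <value>" line of the multi-line reply.
_FIELD = re.compile(r"^200-\s*(Flash image|Active SW|Passive SW)\s*:\s*(.*?)\s*$")
# "<file name> (<version>)", e.g. "ZZUIAA5.40A (5.4.0.a.0)".
_SW = re.compile(r"^(\S+)\s*\(([^)]*)\)$")


@dataclass
class SoftwareStatus:
    flash_image: Optional[str]
    active_file: Optional[str]
    passive_file: Optional[str]  # None when the passive slot is empty


def _file_of(value: str) -> Optional[str]:
    # Anything that is not "<file> (<version>)" is treated as an empty slot.
    match = _SW.match(value)
    return match.group(1) if match else None


def parse_software_reply(reply: str) -> SoftwareStatus:
    """Extract the three status fields from a 'site software ...' reply."""
    fields = {}
    for line in reply.splitlines():
        match = _FIELD.match(line.strip())
        if match:
            fields[match.group(1)] = match.group(2)
    if "Active SW" not in fields or "Passive SW" not in fields:
        raise ValueError("reply does not contain Active SW / Passive SW lines")
    return SoftwareStatus(
        flash_image=fields.get("Flash image"),
        active_file=_file_of(fields["Active SW"]),
        passive_file=_file_of(fields["Passive SW"]),
    )


def needs_deletepassive(status: SoftwareStatus) -> bool:
    """Steps 4 and 5: a stored passive version must be deleted before 'put'."""
    return status.passive_file is not None


def verify_setpassive(before: SoftwareStatus, after: SoftwareStatus,
                      image_name: str) -> List[str]:
    """Return the reasons not to run 'software switch'; empty list means go."""
    problems = []
    if after.passive_file != image_name:
        problems.append("passive slot holds %r, expected %r"
                        % (after.passive_file, image_name))
    if after.active_file != before.active_file:
        problems.append("active software changed unexpectedly")
    return problems


def query_status(ftp: FTP) -> SoftwareStatus:
    """Hypothetical helper for a live, logged-in session: sends the same
    command that 'quote site software version' sends from the ftp client."""
    return parse_software_reply(ftp.sendcmd("site software version"))
```
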
3.2.3 Manual System Software Management via BOOTP/TFTP server
System software management
The SpeedTouch™ system software can also be updated based on BOOTP, a standard mechanism used for booting diskless stations.
The SpeedTouch™ can be placed in BOOTP mode, which allows a BOOTP/TFTP server to manage the SpeedTouch™ file system and allows the SpeedTouch™ to fetch the upgrade files from the BOOTP/TFTP server.
Important note
It is recommended to use the procedure described below only if you are familiar with the use of a BOOTP/TFTP server and the mechanisms on which BOOTP is based.
Upgrading the system software via the procedure described below will reset the SpeedTouch™ to its factory default settings. Therefore, prior to performing an upgrade of the system software it is recommended to back up the SpeedTouch™ configuration.
Before you start
You need a third party BOOTP/TFTP server installed on the computer from which you want to perform the SpeedTouch™ system software upgrade.
Make sure that your computer is connected to the SpeedTouch™ via Ethernet. In case of a SpeedTouch™ with USB connectivity, please disconnect the USB interface, if used, to avoid communication errors during the system software upgrade.
You will need the SpeedTouch™ Medium Access Control (MAC) address of your SpeedTouch™ device.
Make sure a valid SpeedTouch™ system software image file is available on your local disk.
The SpeedTouch™ Upgrade Wizard is based on a BOOTP/TFTP server. For more information on how to upgrade the SpeedTouch™ using its Upgrade wizard, please see the User’s Guide.
It is not possible to upgrade your SpeedTouch™ via a wireless connection!
Procedure
To upgrade/restore the SpeedTouch™ system software:
Step Action
1 Make sure that your SpeedTouch™ is powered off and that a BOOTP/TFTP server is readily installed on the computer from which you intend to perform the system software upgrade.
2 Configure the BOOTP/TFTP server to use the SpeedTouch™ system software image file in its reply to BOOTP requests from the SpeedTouch™ you want to upgrade.
3 To identify the BOOTP requests from the SpeedTouch™, you will need to specify its MAC address and define an IP range for basic communication between the BOOTP/TFTP server and the SpeedTouch™.
4 Set the SpeedTouch™ in BOOTP mode by executing the :software upgrade CLI command:
=>:software upgrade
The SpeedTouch™ is in BOOTP mode when the power LED is solid orange.
5 The BOOTP/TFTP server will reply to the BOOTP requests and will perform the required operations to allow the system software to be fetched by the SpeedTouch™ via TFTP.
6 After checking whether the received system software is valid for the device, the SpeedTouch™ will start in normal operational mode to complete the upgrade. This step can take some time to complete.
The upgrade process can be followed via a serial console!
4 SpeedTouch™ Configuration Management
Saving the configuration
Whenever the configuration of the SpeedTouch™ has been altered in any way, with the intention to keep this configuration, you should save it.
You can save the configuration manually in two ways:
Click Save All in the Topics menu of the SpeedTouch™ Expert Mode Web Interface.
Enter saveall from the CLI prompt.
Result:
The system creates a user.ini text file on the SpeedTouch™ ‘/dl’ subdirectory. This file contains all CLI commands needed to reproduce the configuration present at the moment it was saved.
Backing up configurations
You can make backup files of the SpeedTouch™ configuration for later use.
Backing up saved SpeedTouch™ configurations can be done via the SpeedTouch™ Web Interface or via FTP.
Storing and restoring multiple configurations
The SpeedTouch™ file system allows you to store multiple configuration files. Via the CLI you are able to apply one of these whenever needed, without the need of uploading a configuration file each time you want to switch to a new configuration.
Whenever you alter the configuration of the SpeedTouch™ via the basic Web Interface, all changes are saved automatically.
4.1 Configuration Management via the SpeedTouch™ Web Interface
Basic and expert mode
The SpeedTouch™ features two ways of managing its configuration via the Web Interface:
Via the basic Web Interface
Via the expert Web Interface
Backing up configurations via the basic Web Interface
Proceed as follows:
Step Action
1 Open a web browser and go to the SpeedTouch™ Web Interface.
2 Go to Home > SpeedTouch > Configuration.
3 Click Save or Restore Configuration.
4 To back up the SpeedTouch™ configuration, click Backup Configuration Now.
5 Click Save and select a location on your local disk to store the user.ini file.
Restoring configurations via the basic Web Interface
Proceed as follows:
Step Action
1 Open a web browser and go to the SpeedTouch™ Web Interface.
2 Go to Home > SpeedTouch > Configuration.
3 Click Save or Restore Configuration.
4 Click on Browse and choose the configuration file, residing on your local disk, you want to restore on your SpeedTouch™.
5 To restore the selected SpeedTouch™ configuration, click Restore Configuration Now.
Backing up saved configurations via the expert Web Interface
Proceed as follows:
Step Action
1 Open a web browser and go to the SpeedTouch™ Web Interface.
2 Go to expert mode.
3 Click Save All to save the current configuration.
4 Open the Update page via Home > SpeedTouch > System Update.
5 Click the Configuration Files tab and select the file you want to back up.
6 Click Backup.
7 Select a location on your local disk to store the user.ini file and click OK.
Don’t click Delete, or the SpeedTouch™ will reset to defaults and your configuration will be gone.
Restoring a configuration via the expert pages
Proceed as follows:
Step Action
1 Open a web browser and go to the SpeedTouch™ Web Interface.
2 Go to expert mode.
3 Open the Upgrade page via Home > SpeedTouch > System Update.
4 Click Browse to locate the configuration file on your local disk you intend to restore. Select the file and click OK.
5 Click Upload to transfer the configuration file to the SpeedTouch™.
Be aware that by uploading a new configuration the IP configuration of the SpeedTouch™ may also have been changed. In that case the information logging described in the above procedure will not be shown. To save the new configuration, you must browse to the SpeedTouch™ Web Interface using its new IP address, and click Save All.
4.2 Configuration Management via Telnet
FTP access
For more information on the file system of the SpeedTouch™ and how to access it via FTP, see “7 The SpeedTouch™ File System” on page 75.
SpeedTouch™ configuration files
The SpeedTouch™’s last saved configuration is stored in the ‘/dl’ subdirectory of the SpeedTouch™ file system.
There may be a user.ini file present in the system’s ‘/active’ subdirectory. However, this user.ini only contains the saved configuration created before your latest software switch-over, and hence may not be up to date. Therefore never use this user.ini file for backup reasons.
Full read/write access is only granted in the ‘/dl’ subdirectory.
4.3 The :Config CLI Command Group
Introduction
The config CLI command group allows the management of SpeedTouch™ configurations.
The following CLI commands are available in the config CLI command group:
=>:help config
Following commands are available :
save : Store current configuration to backup file
load : Load saved or default configuration.
delete : Delete a user configuration file.
flush : Flush the loaded configuration.
list : Show the current configuration set
dump : Show the saved configuration file
=>
:config CLI commands
The CLI commands available for SpeedTouch™ configurations are briefly described below. For more information, see the “SpeedTouch™ CLI Reference Guide”.
:config save
Saves the current configuration of the SpeedTouch™ to a user.ini file in the ‘/dl’ subdirectory.
:config backup filename = <user configuration filename>
Saves the current configuration of the SpeedTouch™ to a configuration file in the ‘/dl’ subdirectory. You can choose your own file name for the backup file.
:config dump
Shows a dump of the stored user.ini file.
Applying a configuration stored on the SpeedTouch™
To activate a configuration file, stored on the SpeedTouch™ ‘/dl’ subdirectory, the CLI command :config load is used.
Following CLI commands are available in the config load CLI command group:
=>:help config load
Load saved or default configuration.
Syntax : load [load_ip = <{disabled|enabled}>]
              [defaults <{disabled|enabled}>] [flush = <{enabled|disabled}>]
              [echo = <{disabled|enabled}>] [filename = <string>]
Parameters :
    [load_ip = <{disabled|enabled}>]
        Load IP settings or not.
    [defaults <{disabled|enabled}>]
        Load default instead of saved configuration.
    [flush = <{enabled|disabled}>]
        Flush current configuration before loading new one.
    [echo = <{disabled|enabled}>]
        Echo each command string when loaded.
    [filename = <string>]
        Configuration filename.
Following parameters are available:
load_ip = <{no|yes}>
Allows you to define whether the current IP configuration should be preserved (no), or the IP configuration as defined in the loaded configuration file should be applied (yes). If not specified, load_ip=no.
defaults = <{no|yes}>
Allows you to reset the SpeedTouch™ to its default configuration (yes). If not specified, defaults=no. To restore a configuration file, do not use this parameter.
flush = <{yes|no}>
Allows you to define whether the SpeedTouch™ should flush its current configuration before loading the new one (yes). By default, and if not specified flush = yes, the new loaded configuration is exclusively applied to the SpeedTouch™. If you specify flush = no, the new loaded configuration is appended to the existing current configuration. The latter may result in an unexpected behaviour of the SpeedTouch™.
echo = <{no|yes}>
Allows you to specify whether to echo each command string loaded from the new configuration file (yes) or not (no). If not specified, echo=no.
filename = <string>
Allows you to specify the name of the configuration file to load, in case it is different from user.ini. If not specified, the SpeedTouch™ will assume the file name to be user.ini. It is also possible to load a script file (.sts) with the config load command.
When loading a config file, the file is loaded to memory. However, to make the configuration persistent you need to click saveall to save the configuration.
4.3.1 Back up Configurations via FTP
Introduction
For backup reasons, you can transfer configuration files from both the SpeedTouch™ ‘/active’ and ‘/dl’ subdirectories to your local disk.
Backup procedure
To back up the current SpeedTouch™ configuration to your local disk as backup user.ini file, proceed as follows:
Keep in mind that a user.ini file in the system’s ‘/active’ subdirectory may contain an old saved configuration created before your latest software switch-over.
Step Action
1 Open an FTP session to the SpeedTouch™. At the user name prompt, enter a user name and at the password prompt, the password (see “The SpeedTouch™ Multi Level Access Policy Configuration Guide” for more information):
C:\>ftp <SpeedTouch™ IP address>
Connected to <SpeedTouch™ IP address>.
220 Inactivity timer = 120 seconds. Use 'site idle <secs>' to change.
User (192.168.1.254:(none)): root
331 SpeedTouch Password required.
Password:
230 OK
ftp>
2 If required, save the current SpeedTouch™ configuration via the quote site saveall command:
3
ftp> quote site saveall
200-
200 CLI command "saveall" executed
4 Enter binary file transfer mode. Optionally you can enable hashing:
ftp> bin
200 TYPE is now 8-bit binary
ftp> hash
Hash mark printing On ftp: (2048 bytes/hash mark).
5 Change to the SpeedTouch™ ‘/dl’ subdirectory from which you want to get the latest configuration file:
ftp>cd dl
250 Changed to /dl
6 Optionally, you can make a listing of the subdirectory’s contents:
ftp> dir
200 Connected to 192.168.1.254
150 Opening data connection for /bin/ls
-rwxrwxrwx 1 0 0 20 Jun 29 1971 start.cmd
-rwxrwxrwx 1 0 0 2952448 Jun 29 1971 ZZUIAA5.314
-r--r--r-- 1 0 0 9 Jun 29 1971 seed.dat
-r--r--r-- 1 0 0 729 Jun 29 1971 sslcert.pem
-r--r--r-- 1 0 0 908 Jun 29 1971 sslkey.pem
-r--r--r-- 1 0 0 692 Jun 29 1971 sshdsa.pem
-rwxrwxrwx 1 0 0 66920 Jun 29 1971 user.ini
-rw-rw-rw- 1 0 0 4056 Jun 29 1971 user.tpl
-rw-rw-r-- 1 0 0 34633 Jun 29 1971 security.cfg
226 Options: -l : 9 matches total
ftp: 600 bytes received in 0,00Seconds 600000,00Kbytes/sec.
ftp: 400 bytes received in 0.01Seconds 40.00Kbytes/sec.
The configuration you saved in step 2 is stored in the user.ini file. Other configuration files (stored via the :config save and :config backup CLI commands) may be found.
7 Get the configuration file (in the example the saved configuration file user.ini is backed up):
ftp> get user.ini
200 Connected to 192.168.1.254 port 1693
150 Opening data connection for user.ini (12016)
#####
226 File transfer complete
ftp: 12016 bytes received in 0.02Seconds 600.80Kbytes/sec.
As a result the configuration file, containing a saved SpeedTouch™ configuration, will be stored on the location from where you started the FTP session.
4.3.2 Store Configurations via FTP
Introduction
Via the procedure described below you can:
Restore a configuration file you previously backed up via the procedure described in “4.3.1 Back up Configurations via FTP” on page 33.
Apply a new configuration to the SpeedTouch™ by storing a new or changed configuration file.
Store multiple SpeedTouch™ configuration and template files on the file system for immediate use.
A configuration file has no limitations regarding the file name to be valid. However, the SpeedTouch™ file system will truncate the full name (including the extension) to a maximum of 13 characters. For example, when transferring a file “abcdefghijklmnopqrstuvwxyz.ini” to the SpeedTouch™ file system it will be stored as “abcdefghijklm”.
For your convenience, it is advised always to use the extension .ini for configuration files.
Each file present in the ‘/dl’ subdirectory of the SpeedTouch™ file system must have a unique file name.
Restore/change procedure
The procedure to restore or load a new SpeedTouch™ configuration consists of two main steps:
Step Action
1 Transfer the configuration file to the SpeedTouch™
2 Applying a configuration stored on the SpeedTouch™
You can use a similar procedure as the one described here to upload and execute script files (.sts).
Transfer the configuration file to the SpeedTouch™
To transfer a SpeedTouch™ configuration file stored on your local disk to the SpeedTouch™, proceed as follows:
Step Action
1 Open an FTP session to the SpeedTouch™. At the user name prompt, enter a user name and at the password prompt, the password (refer to “The SpeedTouch™ Multi Level Access Policy Configuration Guide” for more information).
2 If required, save the current SpeedTouch™ configuration via the quote site saveall command:
ftp> quote site saveall
200-
200 CLI command "saveall" executed
3 Enter binary file transfer mode. Optionally you can enable hashing:
ftp> bin
200 TYPE is now 8-bit binary
ftp> hash
Hash mark printing On ftp: (2048 bytes/hash mark).
4 Go to the SpeedTouch™ ‘/dl’ subdirectory:
ftp> cd dl
5 You can check whether a user.ini configuration file, or other configuration files are stored in the ‘/dl’ subdirectory by making a listing of the subdirectory’s contents:
ftp> dir
200 Connected to 192.168.1.254
150 Opening data connection for /bin/ls
-rwxrwxrwx 1 0 0 20 Jun 29 1971 start.cmd
-rwxrwxrwx 1 0 0 2952448 Jun 29 1971 ZZUIAA5.314
-r--r--r-- 1 0 0 9 Jun 29 1971 seed.dat
-r--r--r-- 1 0 0 729 Jun 29 1971 sslcert.pem
-r--r--r-- 1 0 0 908 Jun 29 1971 sslkey.pem
-r--r--r-- 1 0 0 692 Jun 29 1971 sshdsa.pem
-rwxrwxrwx 1 0 0 66920 Jun 29 1971 user.ini
-rw-rw-rw- 1 0 0 4056 Jun 29 1971 user.tpl
-rw-rw-r-- 1 0 0 34633 Jun 29 1971 security.cfg
226 Options: -l : 9 matches total
ftp: 600 bytes received in 0,00Seconds 600000,00Kbytes/sec.
ftp: 400 bytes received in 0.01Seconds 40.00Kbytes/sec.
6 In case the configuration file you intend to upload has the same name as (one of) the configuration file(s) on the SpeedTouch™ file system (for example user.ini), you must either:
Rename the configuration file stored on your local disk
Delete the file from the SpeedTouch™ file system.
7 Optionally you can clean up the SpeedTouch™’s file system via the :software cleanup CLI command:
ftp> quote site software cleanup
200-
200 CLI command "software cleanup" executed
8 Put the configuration file to the SpeedTouch™ ‘/dl’ subdirectory:
ftp> put config.ini
200 Connected to 192.168.1.254 port 1657
150 Opening data connection for config.ini
##
226 File written successfully
ftp: 4472 bytes sent in 0.02Seconds 223.60Kbytes/sec.
ftp>
9 You can check whether the configuration file was stored successfully by making a listing of the subdirectory’s contents:
ftp> dir
200 Connected to 192.168.1.254
150 Opening data connection for /bin/ls
-rwxrwxrwx 1 0 0 20 Jun 29 1971 start.cmd
-rwxrwxrwx 1 0 0 2952448 Jun 29 1971 ZZUIAA5.314
-r--r--r-- 1 0 0 9 Jun 29 1971 seed.dat
-r--r--r-- 1 0 0 729 Jun 29 1971 sslcert.pem
-r--r--r-- 1 0 0 908 Jun 29 1971 sslkey.pem
-r--r--r-- 1 0 0 692 Jun 29 1971 sshdsa.pem
-rwxrwxrwx 1 0 0 66920 Jun 29 1971 user.ini
-rw-rw-rw- 1 0 0 4056 Jun 29 1971 user.tpl
-rw-rw-r-- 1 0 0 34633 Jun 29 1971 security.cfg
-rw-rw-r-- 1 0 0 44721 Jun 29 1971 config.ini
226 Options: -l : 9 matches total
ftp: 600 bytes received in 0,00Seconds 600000,00Kbytes/sec.
ftp: 400 bytes received in 0.01Seconds 40.00Kbytes/sec.
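The 13-character truncation rule and the unique-name requirement of step 6 can be checked before any file is put on the device. The Python code below is an added example, not part of the manual; the function names are hypothetical, the listing is a constructed copy of the step 5 output, and name comparison is assumed to be exact (case-sensitive), which the manual does not specify.

```python
import re

MAX_NAME = 13  # per the manual: full name, extension included, is cut to 13 characters

TRUNCATED = "name will be truncated"
EXT_LOST = "extension lost by truncation"
EXISTS = "file with this name already on device"
DUPLICATE = "same stored name as an earlier upload in this batch"

# Constructed copy of the 'dir' output shown in step 5.
DL_LISTING = """\
200 Connected to 192.168.1.254
150 Opening data connection for /bin/ls
-rwxrwxrwx 1 0 0 20 Jun 29 1971 start.cmd
-rwxrwxrwx 1 0 0 2952448 Jun 29 1971 ZZUIAA5.314
-r--r--r-- 1 0 0 9 Jun 29 1971 seed.dat
-r--r--r-- 1 0 0 729 Jun 29 1971 sslcert.pem
-r--r--r-- 1 0 0 908 Jun 29 1971 sslkey.pem
-r--r--r-- 1 0 0 692 Jun 29 1971 sshdsa.pem
-rwxrwxrwx 1 0 0 66920 Jun 29 1971 user.ini
-rw-rw-rw- 1 0 0 4056 Jun 29 1971 user.tpl
-rw-rw-r-- 1 0 0 34633 Jun 29 1971 security.cfg
226 Options: -l : 9 matches total"""

# mode, link count, owner, group, size, month, day, year-or-time, name
_LS = re.compile(
    r"^(?P<mode>[-d][-rwx]{9})\s+\d+\s+\S+\s+\S+\s+(?P<size>\d+)"
    r"\s+\w{3}\s+\d{1,2}\s+\S+\s+(?P<name>\S.*)$"
)


def parse_listing(text):
    """Map file name -> (mode string, size) for every entry line in a listing."""
    files = {}
    for line in text.splitlines():
        match = _LS.match(line.strip())
        if match:
            files[match.group("name")] = (match.group("mode"),
                                          int(match.group("size")))
    return files


def _basename(path):
    # Accept both Windows and POSIX separators in the local path.
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def stored_name(local_path):
    """Name the file will carry on the device after truncation."""
    return _basename(local_path)[:MAX_NAME]


def check_uploads(local_paths, listing_text):
    """Return (local path, stored name, issues) for each planned upload."""
    existing = parse_listing(listing_text)
    seen = set()
    report = []
    for path in local_paths:
        base = _basename(path)
        target = stored_name(path)
        issues = []
        if target != base:
            issues.append(TRUNCATED)
            ext = base[base.rfind("."):] if "." in base else ""
            if ext and not target.endswith(ext):
                issues.append(EXT_LOST)
        if target in existing:
            issues.append(EXISTS)
        if target in seen:
            issues.append(DUPLICATE)
        seen.add(target)
        report.append((path, target, issues))
    return report
```

Two distinct local names such as branch-office-a.ini and branch-office-b.ini both map to branch-office on the device, which is the case the DUPLICATE issue reports.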
Applying a configuration stored on the SpeedTouch™
To activate a configuration file, stored on the SpeedTouch™ ‘/dl’ subdirectory, the CLI command :config load is used.
Below the syntax of the config load CLI command is provided:
=>help config load
Load saved or default configuration.
Syntax : load [load_ip = <{disabled|enabled}>]
              [defaults <{disabled|enabled}>] [flush = <{enabled|disabled}>]
              [echo = <{disabled|enabled}>] [filename = <string>]
Parameters :
    [load_ip = <{disabled|enabled}>]
        Load IP settings or not.
    [defaults <{disabled|enabled}>]
        Load default instead of saved configuration.
    [flush = <{enabled|disabled}>]
        Flush current configuration before loading new one.
    [echo = <{disabled|enabled}>]
        Echo each command string when loaded.
    [filename = <string>]
        Configuration filename.
Proceeding from the same FTP session you opened in the previous procedure, enter the quote site config load command to load the configuration you previously put on the SpeedTouch™ file system:
ftp> quote site config load
200-
200 CLI command "config load" executed
For more information on the config load options, see “Applying a configuration stored on the SpeedTouch™” on page 32.
In case the file name of the configuration file is different from user.ini, you should specify the file name. This allows you to store multiple configuration files on the SpeedTouch™ file system, and load them when needed:
ftp> dir
200 Connected to 192.168.1.254 port 2187
150 Opening data connection for /bin/ls
-rwxrwxrwx 1 0 0 20 Jun 29 1971 start.cmd
-rwxrwxrwx 1 0 0 2952448 Jun 29 1971 ZZUIAA5.314
-r--r--r-- 1 0 0 9 Jun 29 1971 seed.dat
-r--r--r-- 1 0 0 729 Jun 29 1971 sslcert.pem
-r--r--r-- 1 0 0 908 Jun 29 1971 sslkey.pem
-r--r--r-- 1 0 0 692 Jun 29 1971 sshdsa.pem
-rwxrwxrwx 1 0 0 66920 Jun 29 1971 user.ini
-rw-rw-rw- 1 0 0 4056 Jun 29 1971 user.tpl
-rw-rw-r-- 1 0 0 34633 Jun 29 1971 security.cfg
-rw-rw-r-- 1 0 0 44721 Jun 29 1971 config.ini
-rwxrwxrwx 1 0 0 66920 Jun 29 1971 config1.ini
-rw-rw-rw- 1 0 0 4056 Jun 29 1971 config2.tpl
-rw-rw-r-- 1 0 0 34633 Jun 29 1971 config3.cfg
-rw-rw-r-- 1 0 0 44721 Jun 29 1971 test.ini
226 Options: -l : 11 matches total
ftp: 803 bytes received in 0.10Seconds 8.03Kbytes/sec.
ftp> quote site config load filename=config3.ini
200-
200 CLI command "config load filename=config3.ini" executed
ftp>
4.4 SpeedTouch™ Service Templates
Introduction
Template files are ASCII text files consisting of a set of SpeedTouch™ (embedded) Easy Setup wizard specific commands and CLI commands.
Used by the SpeedTouch™ (embedded) Easy Setup wizard, template files allow users to complete the configuration of the device in a convenient and comprehensive way, without the need of manual configuration via CLI or the Web Interface.
Delivered template files
Three template files are by default delivered within the SpeedTouch™ System software for use by means of the embedded Easy Setup wizard:
Template      Description
Bridge        A template to configure the SpeedTouch™ for Bridged Ethernet WAN access (actually as an IEEE802.1D Transparent Bridge). In this template, the DHCP Server has been disabled.
Router        A template to configure the SpeedTouch™ for Routed PPPoE or PPPoA. For the local network the SpeedTouch™ acts as DHCP server.
Routed IPoA   A template to configure the SpeedTouch™ for Routed IP over ATM. For the local network the SpeedTouch™ acts as DHCP server.
Template files on the SpeedTouch™ file system
As the default templates are embedded in the system software, these template files will not be present in the ‘/dl’ (or ‘/active’) subdirectories by default.
However, via FTP access you are able to upload additional template files from the SpeedTouch™ Setup CD, or custom template files to the SpeedTouch™ ‘/dl’ subdirectory, to extend the diversity of embedded configuration possibilities and/or to avoid the need of using the SpeedTouch™ Home Install Wizard from the CD.
Each time the SpeedTouch™ Home Install Wizard is used to configure the device a ‘backup’ user.tpl file is created/overwritten in the ‘/dl’ subdirectory, for future use by the embedded Easy Setup wizard.
4.5 SpeedTouch™ System Languages Management
Introduction
The following three actions are possible regarding the system languages.
Upload a new system language file, which can be found on the SpeedTouch™ Setup CD, to the SpeedTouch™.
Switch between system languages via the system language bar.
Delete a system language via the SpeedTouch™ Web Interface.
Uploading a new system language
To upload a new system language, proceed as follows:
Step Action
1 Open a web browser and go to the SpeedTouch™ Web Interface.
2 Go to Expert Mode.
3 Open the Upload File page via Home > SpeedTouch > System Update.
4 Click Browse and select the desired system language from the SpeedTouch™ Setup CD.
5 Click Upload to start uploading the system language on to the SpeedTouch™.
Switch between system languages
To switch between system languages, select the desired system language in the system language bar.
The system language bar can be found on the top right side of the SpeedTouch™ Web Interface:
By default, the SpeedTouch™ is shipped with only one language. The system language bar will only be shown in case more than one valid system language is stored on the SpeedTouch™.
The system language packs are related to the system software versions!
Delete a system language
Proceed as follows:
Step Action
1 Open a web browser and go to the SpeedTouch™ Web Interface.
2 Go to the Expert Mode.
3 Open the language page via Home > SpeedTouch > System Update.
4 Click on the Language Packs tab.
5 Select the entry at the desired system language and click Delete.
6 Select Saveall to save your changes.
5 SpeedTouch™ Software Modules
SpeedTouch™ software module functionality
The SpeedTouch™ comes by default with an extended set of features to provide end-to-end connectivity over the DSL line, IP Routing, RIP, Hyper-NAT, SNMP, Syslog, DHCP, DNS, Remote Assistance, Game & Application Sharing, UPnP, Web Site Filtering, IDS, DSD to name just a few.
The SpeedTouch™ is able to support additional functionality on top of its basic feature set. These additional software modules, however, are not enabled by default and must be activated by means of a software activation key.
Overview Software modules
The table below describes the possible Software Modules:
Software Modules      ST620          ST608(WL)      ST605
IPSec (VPN256-32)     Software key   -              -
IPSec (VPN16-4)       Software key   Software key   -
IPSec (VPN16-1)       Software key   Available      -
ISDN                  Software key   Software key   -
SIP PBX (SIP256)      Software key   -              -
By activating the ISDN Software Module, full throughput capability on the ISDN interface will be enabled.
5.1 Software Activation Key Management
The SpeedTouch™ Software Modules web page
Via the SpeedTouch™ web interface you can easily view the available SpeedTouch™ software activation keys and their current status.
The Software Module Status Display shows the available software modules that can be activated via a software activation key.
For each software module, the following information is provided:
Table Item    Description
Name          The name of the software module. The name also serves as an Internet link to the SpeedTouch™ software module server from which you can acquire a software activation key for the particular software module.
Description   Describes the software module.
File          In case the software module is enabled, the software key’s file name is displayed.
Status        Indicates the status of the module:
              No key: the software module is not enabled.
              Key enabled: the software module is enabled.
How to Access the Software Modules Page
In expert mode, go to SpeedTouch™ > Addon.
Software activation key management via the CLI
You can overview the software modules and their status and link information via the SpeedTouch™ Command Line Interface (CLI).
See “2 SpeedTouch™ Command Line Interface” on page 5 for more information on how to access the Command Line Interface.
The :software addon list CLI command group allows you to overview the current software modules, their status, and some additional information:
=>:software addon list
VPN256-32 module info :
Software key status : No Key
Filename :
Link : http://www.speedtouch.com/homeprod/addon.htm
Teaser : IPSec based VPN (256 Sessions, 32 Profiles)
VPN16-4 module info :
Software key status : No Key
Filename :
Link : http://www.speedtouch.com/homeprod/addon.htm
Teaser : IPSec based VPN (16 Sessions, 4 Profiles)
VPN16-1 module info :
Software key status : No Key
Filename :
Link : http://www.speedtouch.com/homeprod/addon.htm
Teaser : IPSec based VPN (16 Sessions, 1 Profile)
ISDN module info :
Software key status : No Key
Filename :
Link : http://www.speedtouch.com/homeprod/addon.htm
Teaser : ISDN Backup
SIP256 module info :
Software key status : No Key
Filename :
Link : http://www.speedtouch.com/homeprod/addon.htm
Teaser : SIP PBX (256 User Agents)
To allow for a successful activation of software modules no parts of the :software addon CLI command group should be changed, unless specifically instructed by your Service Provider.
Applying for a software key
Contact your local product dealer for available software module activation possibilities.
How to Install a Software Key
After applying for a software key, your ISP should provide you with a software key user name and password. Proceed as follows to install and activate the software key via the GUI:
Step Action
1 Go to the software modules page. Refer to How to Access the Software Modules Page.
2 Click on the software module you want to activate. You are taken to the software key request page.
3 Enter the user name and password you received and click Request Software Key. You will receive the software key.
4 Copy the text of the software key, and paste it into the provided window on the Software modules page.
5 Click Add.
The user name and password remain active. If for some reason your software keys are lost, proceed as described above to reactivate them.
How to Back Up the Software Keys
Normally, you do not need to back up the software keys; however, should you want to do so, use FTP to transfer the software key files (.swk) to a backup location.
Disabling software modules on the SpeedTouch™
Under normal conditions, once a software module has been activated, there is no reason to disable this software module again.
However, via an FTP session to the SpeedTouch™ file system you are able to create a backup of software activation keys (files with an extension .swk, stored on the SpeedTouch™ ‘/dl’ subdirectory), delete keys and/or restore them.
Be aware that due to a previous system software update software keys may be residing in the SpeedTouch™ ‘/active’ directory. If so, and you want to remove these software keys in order to prevent them from reactivating a software module in a future system software upgrade, follow the instructions below:
1 Make sure to save your current SpeedTouch™ configuration via the :saveall CLI command.
2 Make sure that both the active and passive system software are the same. This can be done via the :software duplicate CLI command.
3 Switch active and passive system software versions via the :software switch CLI command.
4 After restart, remove the software keys (now residing in the ‘dl’ directory) via an FTP session.
For more information on System software upgrades and management, see “3 SpeedTouch™ System Software” on page 15. For information on SpeedTouch™ FTP access see “7 The SpeedTouch™ File System” on page 75.
6 SpeedTouch™ System Services
Overview
This chapter covers the following services:
Service See
Dynamic DNS 6.1
Simple Network Time Protocol (SNTP) 6.2
Website Filtering 6.3
Intrusion Detection 6.4
Remote Assistance 6.5
6.1 SpeedTouch™ Dynamic DNS
Introduction
Dynamic DNS is a mechanism, offered by several dynamic DNS service providers (available through the Internet) that allows the mapping of a worldwide resolvable static DNS host name to a dynamically (and temporarily) assigned public IP address used for Internet connectivity.
This allows you to offer basic Internet services to the world wide web, through a DNS host name, without the need for obtaining a static and worldwide unique public IP address.
In most cases dynamic DNS service providers offer various host applications, which run in background on a local computer and send IP address updates to a dynamic DNS service server whenever the dynamically assigned public IP address has been changed.
The SpeedTouch™ offers you an embedded dynamic DNS client, making the use of third party host applications running on a local computer superfluous.
Applying for the dynamic DNS service
Before you are able to use the SpeedTouch™ dynamic DNS client functionality, you must first apply for a dynamic DNS account (and DNS host name) at one of the dynamic DNS service providers available on the Internet.
The SpeedTouch™ supports by default the following dynamic DNS service providers:
DynDNS (www.dyndns.org/services/dyndns/)
StatDNS (www.dyndns.org/services/statdns/)
No-IP (www.no-ip.com)
DtDNS (www.dtdns.com)
GnuDIP
Dynamic DNS client configuration
The SpeedTouch™ dynamic DNS client service can be configured via the CLI or the SpeedTouch™ Web Interface.
Below is a short description of how to prepare your SpeedTouch™ for dynamic DNS via the CLI, using an imaginary account at the DynDNS dynamic DNS service provider.
Preparing the SpeedTouch™ dynamic DNS client
The procedure for enabling a dynamic DNS client consists of five steps:
1 Adding a dynamic DNS host name
2 Adding a dynamic DNS client
3 Modifying the dynamic DNS client
4 Refining the dynamic DNS service settings (optional)
5 Enabling the Dynamic DNS Service.
For more in-depth information on the CLI, see “2 SpeedTouch™ Command Line Interface” on page 5 and the “SpeedTouch™ CLI Reference Guide”.
In a preliminary step, it is assumed that the SpeedTouch™ is already correctly configured for your Internet subscription and connected to the Internet, and that you have obtained a valid dynamic DNS account (and DNS host name) at a dynamic DNS service provider (in this example DynDNS).
The SpeedTouch™ CLI dyndns commands
The SpeedTouch™ allows configuration of its dynamic DNS client functionality via the :dyndns CLI command group:
=>:dyndns help
Following commands are available :
add : Add a Dynamic DNS client.
modify : Modify a Dynamic DNS client.
delete : Delete a Dynamic DNS client.
flush : Delete all Dynamic DNS clients.
list : List all Dynamic DNS clients.
Following command groups are available :
host service
=>
This command group contains all commands for adding, deleting and configuring a dynamic DNS client.
It also contains two sub command groups:
:dyndns host
This allows you to specify one or more host name(s) corresponding to a dynamic DNS client.
=>:dyndns host help
Following commands are available :
add : Add a fully qualified host name
delete : Delete a host name
flush : Delete all host names
list : List all host names
=>
:dyndns service
This allows you to view/configure the pre-configured dynamic DNS service providers, or to create custom dynamic DNS service providers.
[dyndns]=>:dyndns service help
Following commands are available :
modify : Modify specific DynDNS service settings
list : List all DynDNS services
=>
For a full description of the syntax of these commands, see the “SpeedTouch™ CLI Reference Guide”.
Example dynamic DNS subscription
For this example, the following dynamic DNS subscription is assumed at DynDNS (www.dyndns.org):
user name: JohnDoe@MyISP.com
password: john
Dynamic DNS host: johndoe.dyndns.org
Allow wildcards: yes
Depending on your dynamic DNS subscription some other, more advanced options may be required or available, e.g. multiple host names, the Mail Exchanger (MX) host name, update interval, etc.
Adding a dynamic DNS host name
In a first step you must specify the hostname(s) for which you want to enable the dynamic DNS service. According to the Example dynamic DNS subscription information, the following configuration must be done:
=>:dyndns host add group=MyDynDNSHost name=johndoe.dyndns.org
To allow multiple host names to be assigned to the same dynamic DNS service, host names always reside in a group. You are free to choose a group name; it is only used for referring to the group during CLI configuration.
Adding a dynamic DNS client
Add a dynamic DNS client entry:
=>:dyndns add name=MyDynDNS
Modifying the dynamic DNS client
Now the dynamic DNS client must be configured according to your dynamic DNS subscription. According to the Example dynamic DNS subscription information, the following configuration must be done:
=>:dyndns modify
name = MyDynDNS
[intf] = PPPoE_1
[user] = JohnDoe@MyISP.com
[password] = ****          First time typing the password
Please retype password for verification.
[password] = ****          Second time typing the password for verification
[group] = MyDynDNSHost
[mx] =                     Left empty
[backmx] = disabled
[wildcard] = enabled
[offline] = disabled
[service] =dyndns
[status] = disabled
:dyndns modify name=MyDynDNS intf=DIALUP_PPPOE user=JohnDoe@MyISP.com password=_DEV_2AF11E9E944667D4 group=MyDynDNSHost
The [intf] parameter requires you to select the SpeedTouch™ interface used for your Internet connectivity.
Refining the dynamic DNS service settings
If needed or required by the dynamic DNS service provider, you can change some details of the dynamic DNS service.
The Example dynamic DNS subscription at DynDNS requires no changes in the service settings, as the pre-configured settings should be adequate.
Below is an overview of the default service settings per pre-configured dynamic DNS service provider (and the custom dynamic DNS service):
=>:dyndns service list
dyndns :
   server = members.dyndns.org
   port = 80
   request = /nic/update
   update interval = 2097120s
   retry interval = 30s
   max retry = 3
statdns :
   server = members.dyndns.org
   port = 80
   request = /nic/update
   update interval = 0s
   retry interval = 30s
   max retry = 3
custom :
   server = members.dyndns.org
   port = 80
   request = /nic/update
   update interval = 0s
   retry interval = 30s
   max retry = 3
No-IP :
   server = dynupdate.no-ip.com
   port = 80
   request = /ducupdate.php
   update interval = 86400s
   retry interval = 30s
   max retry = 3
DtDNS :
   server = dtdns.com
   port = 80
   request = /api/autodns.cfm
   update interval = 86400s
   retry interval = 30s
   max retry = 3
gnudip :
   server =
   port = 80
   request =
   update interval = 0s
   retry interval = 0s
   max retry = 0
Enabling the Dynamic DNS Service
In a final step you must enable the dynamic DNS client:
=>:dyndns modify name=MyDynDNS status=enabled
Checking dynamic DNS client Resolving
You can easily check whether the dynamic DNS client is successfully updating the SpeedTouch™ public IP address towards the dynamic DNS service provider’s host server:
=>:dyndns list
MyDynDNS : PPPoE_1 [CONNECTED]
   options = dyndns wildcard
   user = JohnDoe@MyISP.com
   password = ********
   addr = 141.11.1.1
   group = MyDynDNSHost
The Dynamic DNS Web Page
The Basic Web interface has a page on Dynamic DNS. To access this page, go to:
Basic mode > Toolbox > Dynamic DNS
This page shows the Dynamic DNS settings:
To change the settings and enable/disable Dynamic DNS, click Configure.
This page allows you to perform the following tasks:
Use dynamic DNS on multiple interfaces: configure an additional interface.
Use multiple hosts: configure an additional host.
6.2 The SpeedTouch™ SNTP Client
Introduction
The SpeedTouch™ Simple Network Time Protocol (SNTP) client allows you to configure the SpeedTouch™ internal real-time clock (RTC), used for time-critical operations, for example for online certificates enrolment (IPSec VPN client).
This section briefly describes the configuration and use of the SpeedTouch™ SNTP client.
Daylight Saving Time
Because the RTC does not have an automatic daylight saving switch, you should update it manually at the correct moments (twice a year).
The RTC
The SpeedTouch™ contains a battery to allow the RTC to maintain the time even when the device is powered off and restarts. This helps security: even when the NTP servers are temporarily inaccessible because of a power outage or network traffic overflow, the SpeedTouch™ has the correct time, so that syslog events from various devices can be correlated correctly and a correct diagnosis can be made.
The SNTP web page
You can access the SpeedTouch™ SNTP page via Home > SpeedTouch > SNTP:
By default SNTP is disabled; internal clocking refers to the SpeedTouch™ up time (i.e. the time passed since last reboot).
The Manual tab
Select Manual to:
Set a date manually. (format dd/mm/yyyy)
Set a time manually. (format HH:mm:ss)
Select a geographical timezone. (from GMT-12:00 to GMT+12:00)
Enable or disable summertime.
The Manual tab, if selected, disables the SpeedTouch™ SNTP client.
The SNTP tab
To enable the SpeedTouch™ SNTP client, select the SNTP tab:
As long as no NTP servers are configured, time will not be controlled by SNTP.
Proceed as follows to add an NTP server:
Step Action
1 Click New.
2 Enter the IP address or DNS hostname of an NTP server.
3 Specify the NTP version of the server.
4 Click Apply. This enables the SNTP client, which contacts the NTP server, in order to synchronize the SpeedTouch™ internal clock with the NTP server. If needed, you can correct the synchronized time by selecting your geographical timezone, optionally by enabling or disabling summertime.
From now on, your SpeedTouch™’s internal clock will be synchronized every 5 minutes (default setting) with the NTP server.
If needed you can enter additional redundant NTP servers to ensure that the clock always is synchronized with at least one of the provided NTP servers.
Setting the time via CLI
The :system rtc settime CLI command allows you to view the current real-time clock settings and to configure them:
=>:system rtc settime
date = 04/07/2003
time = 10:34:55
timezone = +01:00
daylightsaving = off
=>
You can also use this CLI command to manually set the SpeedTouch™ internal real-time clock:
=>:help system rtc settime
Set/Get date, time, timezone, daylight savings time
Syntax : settime [date = <dd/mm/yyyy>] [time = <hh:mm:ss>]
                 [timezone = <(+ or -)hh:mm>] [daylightsaving = <{disabled|enabled}>]
Parameters :
[date = <dd/mm/yyyy>]
   Set the system date
[time = <hh:mm:ss>]
   Set the system time
[timezone = <(+ or -)hh:mm>]
   Set the system timezone(-12:00...+14:00 / 15 minute resolution)
[daylightsaving = <{disabled|enabled}>]
   Enable/Disable daylight saving
SNTP via the CLI
The SpeedTouch™ SNTP client is configured via the :sntp CLI command group:
=>:sntp help
Following commands are available :
add : Add NTP server
list : List the NTP servers
delete : Delete NTP server from list
flush : Flush NTP server list and SNTP client configuration
config : Modify/Display configuration
You can use the following commands:
:sntp list
List the configured NTP servers.
:sntp add and :sntp delete
Add or delete NTP servers.
:sntp config
Enable/disable the SpeedTouch™ SNTP client and set the polling interval.
6.3 Website Filtering
About Website Filtering
The website filtering feature offers you the possibility to control Internet access by filtering or blocking access to certain websites. The SpeedTouch™ has two methods of controlling access to the Internet:
Method Description
Address Based Filtering: Allow or block access to specific sites based on their address.
Content Based Filtering: Allow or block access to websites based on their content.
Address Based Filtering
With address based filtering, you can allow or block access to specific web sites based on their address. You can also block access to a specific site and redirect the browser to another site.
You can do this by configuring an address filter similar to this example:
If you create a rule for a specific URL, that rule also applies to child URLs, unless otherwise specified in the filter.
Example:
Any rule created for www.Speedtouch.com also applies to <anything>.speedtouch.com.
Content Based Filtering
With content based filtering, you can block or allow access to web sites based on their content. To do this, you can apply a content level as filter. You can use (and, if necessary, customize) one of the predefined content levels or create your own. The following is an example of (part of) a content level:
Note that “x” marks forbidden content while “v” marks allowed content.
Overview
This section covers the following topics:
Section See Page
“6.3.1 The Website Filtering Configuration Pages” 62
“6.3.2 How to Verify the Filtering Configuration” 63
“6.3.4 Configuring the Actions for Uncategorised Sites” 66
“6.3.5 How to Create an Address Based Filter” 67
“6.3.6 How to Create a Content Based Filter” 68
“6.3.7 How to Create a Content Level” 69
6.3.1 The Website Filtering Configuration Pages
Page Overview
The website filtering section of the SpeedTouch™ web interface offers three pages:
Page Description
Overview: Allows you to view the filtering configuration
Configure: Allows you to configure website filtering
Help: Provides online help on Website filtering
6.3.2 How to Verify the Filtering Configuration
Procedure
Proceed as follows to verify the website filtering configuration:
Step Action
1 Go to the SpeedTouch™ configuration home page
2 In the Toolbox section, click Web Site filtering.
Result: you are taken to the website filtering overview page:
The Website Filtering Web page
This page has two sections:
Section Description
Filtering Information: This section provides information on the active filtering configuration:
   Address based filtering information: a list of all specified websites and the actions to be taken.
   Content based filtering information: license information and information about the active content level.
   Note: to view more detailed information on the content level, click Details...
Pick a task: List of possible tasks. In this case, the task Activate Web filtering license is available.
   Note: after activating the license, a new task Create a new content level becomes available. Refer to “6.3.3 How to Activate a Web Filtering License” on page 65 for more information.
6.3.3 How to Activate a Web Filtering License
Prerequisite
Before you can activate the web site filtering license, you need a valid license key.
Procedure
Proceed as follows to activate a web filtering license:
Step Action
1 Go to the SpeedTouch™ configuration home page
2 In the Toolbox section, click Web Site filtering.
Result: you are taken to the website filtering overview page
3 In the Pick a task... section, click Activate Web filtering license.
Result: the Web filtering activation page appears:
4 Fill in a valid license key and click Apply.
Once you have activated the license, the Create New Content Level task becomes available in the Pick a Task section of the filtering configuration pages.
6.3.4 Configuring the Actions for Uncategorised Sites
Filter Priority
The address based filter, if activated, has the highest priority. For web sites that are not specified in the address based filter, the system uses the Content based filter (if activated). If neither filter is activated, no filtering is applied.
Actions for Uncategorised Sites
Uncategorised sites are sites that are not targeted by any of the active filters. For these sites, you can:
allow access
block access
Procedure
Proceed as follows to set the actions for uncategorised sites:
Step Action
1 Go to the SpeedTouch™ configuration home page
2 In the Toolbox section, click Web Site filtering.
3 In the top right corner, click Configure.
4 Go to the second bullet in the list (Content Based Filtering).
5 In the drop down list next to the option Action for uncategorised sites, select the desired action (Block or Allow).
6 Click Apply.
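The filter priority described above, combined with the child-URL rule from the address based filtering introduction, can be modelled as in the following added example, which is not SpeedTouch™ firmware code. All names and sample data are hypothetical; treating a rule for www.&lt;domain&gt; as covering &lt;domain&gt; and its children, letting the most specific rule win, and applying the uncategorised action whenever an active filter does not target a site are assumptions drawn from the text.

```python
from typing import NamedTuple, Optional
from urllib.parse import urlsplit


class Verdict(NamedTuple):
    action: str                 # "allow", "block" or "redirect"
    redirect_to: Optional[str]  # set only for "redirect"
    decided_by: str             # "address", "content", "uncategorised", "no-filter"


def host_of(url: str) -> str:
    """Lower-cased host part of a URL; a bare 'www.example.com/x' is accepted."""
    if "//" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def rule_domain(rule_host: str) -> str:
    """Assumption: a rule for www.<domain> stands for <domain> and its children."""
    host = rule_host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def most_specific(table: dict, host: str):
    """Value stored under the longest domain that covers host, or None."""
    best_len, best = -1, None
    for key, value in table.items():
        domain = rule_domain(key)
        covered = host == domain or host.endswith("." + domain)
        if covered and len(domain) > best_len:
            best_len, best = len(domain), value
    return best


class WebsiteFilter:
    def __init__(self, address_rules=None, categories=None, content_level=None,
                 use_address_filter=False, use_content_filter=False,
                 uncategorised_action="allow"):
        self.address_rules = address_rules or {}  # host -> (action, redirect target)
        self.categories = categories or {}        # host -> content class (stand-in lookup)
        self.content_level = content_level or {}  # content class -> True ("v") / False ("x")
        self.use_address_filter = use_address_filter
        self.use_content_filter = use_content_filter
        self.uncategorised_action = uncategorised_action

    def decide(self, url: str) -> Verdict:
        host = host_of(url)
        # 1. The address based filter, if activated, has the highest priority.
        if self.use_address_filter:
            rule = most_specific(self.address_rules, host)
            if rule is not None:
                action, target = rule
                return Verdict(action, target, "address")
        # 2. Sites not in the address filter fall through to the content filter.
        if self.use_content_filter:
            category = most_specific(self.categories, host)
            if category in self.content_level:
                allowed = self.content_level[category]
                return Verdict("allow" if allowed else "block", None, "content")
        # 3. A filter is active but none of them targets the site.
        if self.use_address_filter or self.use_content_filter:
            return Verdict(self.uncategorised_action, None, "uncategorised")
        # 4. Neither filter is activated: no filtering is applied.
        return Verdict("allow", None, "no-filter")


# Constructed sample configuration (reserved .example names, not from a device).
SAMPLE = WebsiteFilter(
    address_rules={
        "www.blocked.example": ("block", None),
        "partner.blocked.example": ("allow", None),  # more specific than the block
        "www.old.example": ("redirect", "http://www.new.example/"),
    },
    categories={"games.example": "Gambling", "news.example": "News",
                "blocked.example": "News"},
    content_level={"Gambling": False, "News": True},
    use_address_filter=True, use_content_filter=True,
    uncategorised_action="block",
)

if __name__ == "__main__":
    for url in ("http://shop.blocked.example/cart", "partner.blocked.example",
                "games.example/poker", "unknown.example"):
        print(url, "->", SAMPLE.decide(url))
```

Setting the action for uncategorised sites to Block turns the combined filters into a default-deny policy: only sites that a rule or the content level explicitly allows remain reachable.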
6.3.5 How to Create an Address Based Filter
How to Create a New Entry
Proceed as follows:
Step Action
1 Go to the SpeedTouch™ configuration home page
2 In the Toolbox section, click Web Site filtering.
3 In the top right corner, click Configure.
4 Go to the first bullet in the list (Address Based Filtering).
5 In the last row of the table, enter the URL of the web site for which you want to create an entry in the filter
6 Select the action to be taken (Block, Allow or Redirect)
In case of Redirect, enter the address to which you want to redirect.
7 Click Add
8 Repeat steps 5 to 7 for each entry you want to create in the filtering table.
9 If necessary, select Use Address Based Filter and click Apply.
How to Modify an Entry
Proceed as follows to modify an entry in the filter table:
Step Action
1 Go to the row you wish to change and click the corresponding Edit.
2 Modify the entry and click Apply.
To undo the changes, click Cancel.
How to Delete an Entry
Proceed as follows to delete an entry in the filter table:
Step Action
1 Go to the row you wish to delete
2 Click the corresponding Delete.
6.3.6 How to Create a Content Based Filter
About Content Levels
Content levels determine which web sites will be targeted by the filter, based on their content.
There are 5 pre-defined content levels:
Level Description
All: Allow all categorized web sites.
Legal: Allow all except illegal, extreme, spam and spyware websites.
Teenagers: Block illegal, adult, extreme, online ordering & gambling and spyware websites.
Children: Allow only children-safe websites.
BlockAll: Block all categorized web sites.
Procedure
Proceed as follows to create a content based filter:
Step Action
1 Go to the SpeedTouch™ configuration home page
2 In the Toolbox section, click Web Site filtering.
3 In the top right corner, click Configure.
4 Go to the second bullet in the list (Content Based Filtering)
5 If not already set, select the desired action for uncategorised sites.
6 If necessary, create a new content level, or modify an existing one.
7 Select the content level of your choice.
8 Repeat steps 5 to 7 for each entry you want to create in the filtering table.
9 Click Apply.
6.3.7 How to Create a Content Level
How to get a Detailed View
Proceed as follows to get a detailed view of a content level:
Step Action
1 Go to the Web site filtering Overview page.
2 Click on Details...
Result: The Web interface shows a description of the content level as well as full details on which type of content is allowed and which is not.
How to Edit a Content Level
Proceed as follows to edit an existing Content Level:
Step Action
1 Go to the Web site filtering Overview page.
2 Select the content level you wish to edit and click the corresponding Edit.
3 Modify the name, description and/or the content classes or subclasses targeted by the filter. To select or de-select a content class or subclass, click its checkbox.
4 Click Apply.
How to Create a New Content Level
Proceed as follows to create a new content level:
Step Action
1 Go to the Web site filtering Configure page
2 In the Pick a Task... list, select Create a new content level.
3 Fill in a name and a description and click Next
4 If you want to:
Start from a copy of an existing level, select Clone an Existing Level.
Start from a white list (everything blocked, leaving you to determine which categories are to be allowed), select White List.
Start from a black list (everything allowed, leaving you to determine which categories are to be blocked), select Black List.
5 Click Next.
6 Select or de-select the content classes and subclasses you want to include or exclude. Note that if you select a class, all subclasses in that class are automatically included, unless you select at least one subclass. In that case, only the selected subclasses are included.
Example:
If the filter is set to allow the sites targeted by the filter, the above example will allow the following sites:
Sites related to swimwear or lingerie, but no other nudity related sites
No sites in the Ordering class
In the Society/Education/Religion class, only sites related to Non-governmental organizations, Cities/Regions and Countries and political parties.
7 Click Apply.
6.4 Intrusion Detection and Protection
About Intrusion Detection
The SpeedTouch™ actively protects your system against malicious intrusion. You can view statistics on the intrusion attempts the SpeedTouch™ has detected.
How to View the Intrusion Detection statistics
Proceed as follows to see the intrusion statistics:
Step Action
1 Go to the Basic configuration home page of the web interface
2 In the Toolbox section, click Intrusion Detection
Result: the Web Interface shows you a list of all possible intrusions and the number of times each intrusion actually occurred.
Possible Tasks
The Intrusion Detection page also shows a Pick a Task... section which has two possible tasks:
Task Description
View the security logs: View the security logs for more information about the intrusion.
Clear intrusion detection statistics: Clears the intrusion detection statistics and resets all counters to zero.
To execute a task, simply click it in the Pick a Task... section.
6.5 Remote Assistance
About Remote Assistance
Remote Assistance allows you to log on to the SpeedTouch™ from a remote location and perform tasks.
How to Set Up Remote Assistance
Proceed as follows to set up Remote Assistance:
Step Action
1 Go to the Basic configuration home page of the web interface
2 In the Toolbox section, click Remote Assistance
Result: the Web Interface shows the following page:
The system selects the user with the defremadmin property set to enabled.
The SpeedTouch™ has a pre-configured user called TechSupport already configured for this purpose. Normally, the page should show this user (see example above). The system also generates a random password, which you can alter manually.
3 Click Enable Remote Assistance.
Note that the system generates a new password every time you click the enable button.
How to Log On To The SpeedTouch™ Remotely
Proceed as follows to log on to the SpeedTouch™ remotely:
Step Action
1 Open a browser window
2 Enter the URL of the SpeedTouch™ (public IP address of the SpeedTouch™ with port number 51003, as shown on the Remote Assistance page).
3 Log on using the user and the password on the Remote Assistance page.
You are now remotely connected to the SpeedTouch™ and have access to all of its functions, as if the connection were a local connection.
Connection Type
On most variants, the connection will be HTTPS (secure HTTP). However, some variants do not support SSH and will therefore use an HTTP connection;
7 The SpeedTouch™ File System
Introduction
The SpeedTouch™ file system consists of nonvolatile memory responsible for storing, retrieving and maintaining the system software files, configuration profile files, language-pack files, software activation keys, secure storage files, etc.
The file system of the SpeedTouch™ is accessible via the well known File Transfer Protocol (FTP). This allows you to back up and restore files present on the SpeedTouch™ file system. Moreover, via FTP's quote site command you are able to use a limited set of CLI commands from the FTP prompt.
Opening an FTP session to the SpeedTouch™
Proceed as follows to open an FTP session to the SpeedTouch™ file system (the example shows an FTP session opened from an MS Windows Command Prompt):
In its default firewall configuration, FTP access to the SpeedTouch™ file system is restricted to access from the local network only.
File system structure
The file system features a tiny multilevel directory structure with two nodes '/active' and '/dl'.
The root directory is secured and contains two subdirectories ‘/active’ and ‘/dl’.
The ‘/active’ subdirectory contains the system software in execution. Other files may be present to ensure the good operation of the device, or due to previous system software upgrades.
The ‘/dl’ subdirectory is the directory where you can find a user.ini file, holding the most recently saved SpeedTouch™ configuration. The ‘/dl’ subdirectory also contains the passive (dormant) system software (in most cases the passive system software will be the same as the active system software present in the ‘/active’ subdirectory). Optionally, the ‘/dl’ subdirectory may contain software activation keys for enabling SpeedTouch™ software modules, language pack files and template files. Other files may be present as well to ensure the good operation of the device.
In the example above the default SpeedTouch™ IP address 192.168.1.254 is assumed; however, another IP address may be assigned to your SpeedTouch™ device.
There may be a user.ini file present in the ‘/active’ subdirectory. However, this user.ini only contains the saved configuration since the last software switchover, and hence may not be up-to-date.
Access rights to the file system
The following access/action rights apply to the directories and their contents:
'root' Directory
   Access is allowed
   No Read access
   No Write access
'/active' Subdirectory
   Access is allowed
   Listing of files (dir)
   FTP (m)get of (multiple) files
'/dl' Subdirectory
   Access is allowed
   Listing of files (dir)
   FTP (m)get of (multiple) files
   FTP (m)put of (multiple) files
   FTP (m)delete of (multiple) files
Preparing for FTP file transfers
To allow correct file transfers the transfer mode must be set to "binary".
You can turn on the hashing option. This allows you to see the file transfer in progress, by printing a mark for each 2048 bytes that have been transferred:
ftp> bin
200 TYPE is now 8-bit binary
ftp> hash
Hash mark printing On ftp: (2048 bytes/hash mark) .
ftp>
Files stored on the file system
The following is an example output of the SpeedTouch™ ‘/dl’ and ‘/active’ subdirectory content:
C:\Documents and Settings\john_doe>ftp 192.168.1.254
Connected to 192.168.1.254.
220 Inactivity timer = 120 seconds. Use 'site idle <secs>' to change.
User (192.168.1.254:(none)):Administrator
331 SpeedTouch (00-0E-50-0F-FE-2A) Password required.
Password:
230 OK
ftp>cd dl
250 Changed to /dl
ftp>dir
200 Connected to 192.168.1.1 port 2055
150 Opening data connection for /bin/ls
-rwxrwxrwx 1 0 0 20 Jun 29 1971 start.cmd
-rwxrwxrwx 1 0 0 2889484 Jun 29 1971 ZZUIAA5.321
-r--r--r-- 1 0 0 9 Jun 29 1971 seed.dat
-r--r--r-- 1 0 0 729 Jun 29 1971 sslcert.pem
-r--r--r-- 1 0 0 908 Jun 29 1971 sslkey.pem
-rwxrwxrwx 1 0 0 54952 Jun 29 1971 user.ini
-r--r--r-- 1 0 0 692 Jun 29 1971 sshdsa.pem
226 Options: -l : 7 matches total
ftp: 466 bytes received in 0,02Seconds 29,13Kbytes/sec.
ftp>cd ..
250 Changed to /
ftp>cd active
250 Changed to /active
ftp>dir
200 Connected to 192.168.1.1 port 2056
150 Opening data connection for /bin/ls
-rwxrwxrwx 1 0 0 20 Jun 29 1971 start.cmd
-rwxrwxrwx 1 0 0 2889484 Jun 29 1971 ZZUIAA5.321
226 Options: -l : 2 matches total
ftp: 134 bytes received in 0,00Seconds 134000,00Kbytes/sec.
ftp>
File types
The following file types can be found:
System software files (e.g. ZZUIAA5.321)
The SpeedTouch™ system software file. The one in the ‘/active’ directory is currently used by the SpeedTouch™; the one in the ‘/dl’ directory is dormant.
Software activation keys (e.g. VPN256-32.swk)
Software key files allowing the SpeedTouch™ to enable the corresponding software module at startup. Per enabled software module, a software key must be present in the ‘/dl’ directory.
Configuration files (e.g. user.ini)
The most recent saved configuration of the SpeedTouch™, or alternative dormant configuration files, manually stored on the SpeedTouch™. At start-up the SpeedTouch™ will load the user.ini configuration file residing in the ‘/dl’ directory.
Default configuration files (e.g. isp.def)
Depending on your ISP’s or network administrator’s preferences, your SpeedTouch™ may have a deviant default configuration after a reset. The isp.def file, if present, reflects this deviant default configuration.
Template files (e.g. custom.tpl)
Service template file, used by the embedded Easy Setup wizard.
Language-pack files (e.g. German.lng)
Files that allow you to view the SpeedTouch™ Web Interface in a local language. Per selectable language, a language pack file should be available.
Secure storage files (e.g. ss_p12.dat)
Secure storage data files, containing certificate information for the SpeedTouch™ IP Security VPN module (if enabled).
Flag and system files (e.g. build.flg, config.inf, start.cmd)
Protected files, created by the SpeedTouch™ for file system and startup management. For proper operation, do not change or delete these files in any way.
Script files (.sts)
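As an added example (not part of the manual), the following Python parses a dir listing like the one shown under Files stored on the file system, labels each file with a type from the list above, and marks the files that a backup taken over FTP should handle as secrets. The secrecy labels, the name patterns for system software and secure storage files, and the reading of the .pem and seed.dat names, which the manual does not describe, are assumptions.

```python
import re
from typing import List, NamedTuple

# /dl listing copied from the session shown on this page, plus one constructed
# line (VPN256-32.swk, the manual's example key name) so a software key appears.
LISTING = """\
150 Opening data connection for /bin/ls
-rwxrwxrwx 1 0 0 20 Jun 29 1971 start.cmd
-rwxrwxrwx 1 0 0 2889484 Jun 29 1971 ZZUIAA5.321
-r--r--r-- 1 0 0 9 Jun 29 1971 seed.dat
-r--r--r-- 1 0 0 729 Jun 29 1971 sslcert.pem
-r--r--r-- 1 0 0 908 Jun 29 1971 sslkey.pem
-rwxrwxrwx 1 0 0 54952 Jun 29 1971 user.ini
-r--r--r-- 1 0 0 692 Jun 29 1971 sshdsa.pem
-rwxrwxrwx 1 0 0 512 Jun 29 1971 VPN256-32.swk
226 Options: -l : 7 matches total
"""

# One 'ls -l' style line: mode, link count, owner, group, size, date, name.
LS_LINE = re.compile(
    r"^(?P<mode>[-d][-rwx]{9})\s+\d+\s+\S+\s+\S+\s+(?P<size>\d+)\s+"
    r"\w{3}\s+\d{1,2}\s+(?:\d{4}|\d{1,2}:\d{2})\s+(?P<name>\S.*)$"
)

# (name pattern, file type, handle as secret). First match wins.
# The secrecy column is this example's assumption, not a statement of the manual.
FILE_TYPES = [
    (r"\.swk$", "software activation key", True),
    (r"\.ini$", "configuration file", True),        # holds e.g. the dyndns password
    (r"\.def$", "default configuration file", True),
    (r"^ss_.*\.dat$", "secure storage file", True),  # pattern assumed from ss_p12.dat
    (r"(key|dsa|rsa)\.pem$", "key file (assumed from name)", True),
    (r"\.pem$", "certificate (assumed from name)", False),
    (r"\.tpl$", "template file", False),
    (r"\.lng$", "language-pack file", False),
    (r"\.sts$", "script file", False),
    (r"\.(flg|inf)$|^start\.cmd$", "flag or system file", False),
    (r"^[A-Z0-9]+\.\d+$", "system software (assumed from name)", False),
]


class Entry(NamedTuple):
    name: str
    size: int
    file_type: str
    secret: bool
    listed_writable: bool  # write bit for "others" set in the listing


def classify(name: str):
    """Return (file type, handle-as-secret) for a file name."""
    for pattern, file_type, secret in FILE_TYPES:
        if re.search(pattern, name, re.IGNORECASE):
            return file_type, secret
    return "unclassified", True  # unknown files are handled as secrets


def audit(listing: str) -> List[Entry]:
    """Parse an FTP dir listing; FTP status lines and directories are skipped."""
    entries = []
    for line in listing.splitlines():
        match = LS_LINE.match(line.strip())
        if not match or match["mode"][0] == "d":
            continue
        file_type, secret = classify(match["name"])
        entries.append(Entry(match["name"], int(match["size"]), file_type,
                             secret, match["mode"][8] == "w"))
    return entries


def secrets(entries: List[Entry]) -> List[str]:
    """Files whose backup copy needs a protected location."""
    return [e.name for e in entries if e.secret]


def secrets_listed_writable(entries: List[Entry]) -> List[str]:
    """Secret files that the listing shows as writable by everyone."""
    return [e.name for e in entries if e.secret and e.listed_writable]


if __name__ == "__main__":
    for entry in audit(LISTING):
        flag = "SECRET" if entry.secret else "      "
        print(f"{flag} {entry.name:<16} {entry.size:>8}  {entry.file_type}")
```

Because FTP transfers files unencrypted, a backup of the entries marked secret is best taken from the local network only and stored in a location with restricted access.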
8 SpeedTouch™ Remote Access
The SpeedTouch™ access methods
The SpeedTouch™ offers various access methods to allow configuration and monitoring of the device:
SpeedTouch™ HTTP access
SpeedTouch™ HTTPs access
SpeedTouch™ Telnet access
SpeedTouch™ FTP access
SpeedTouch™ SSH access
However, for obvious security reasons, in the default configuration all these methods are denied from the WAN side. Explicit configuration is required in order to allow remote management from the WAN.
Restrictions
Two important factors determine whether you are allowed access via a specific method:
The SpeedTouch™ multi-level access policy: it determines access rights for users.
The SpeedTouch™ system services: the SpeedTouch™ access methods are linked to different SpeedTouch™ services.
A service is an application running on the SpeedTouch™. By activating a service, the SpeedTouch™ adds the appropriate NAT entries and firewall rules, for example to disable access to the SpeedTouch™ web host.
Access methods vs system services
In the table below the access methods and their services are listed:
Access method    System service name
HTTP access      HTTP
HTTPs access     HTTPs
Telnet access    TELNET
SSH access       SSH
FTP access       FTP
Configuration via CLI
To allow remote access (from the WAN side) for a certain service, add the WAN interface group to the interface access list of the service. See “Configuration via CLI commands” on page 81.
Remote Assistance
It is possible to remotely access the SpeedTouch™ Web Interface for remote assistance purposes. For more information, refer to Chapter 6, section “6.5 Remote Assistance” on page 72.
For more information on the multi-level SpeedTouch™ access policy, please refer to the SpeedTouch™ Multi-Level Access Policy Configuration Guide.
Interface access list
The interface access list of a service contains the interface groups from where a user is allowed access to that specific service.
The interface access list can contain 1 or more of the following groups:
lan: the local or corporate network
local: the serial console cable
wan: the Internet
IPSec Protection
It is possible to use IPSec to protect remote management. You can use either IPSec tunnel mode or IPSec transport mode. For more details, refer to the IPSec configuration guide.
8.1 Remote Web Interface Access
Introduction
The SpeedTouch™ web interface is provided by the SpeedTouch™ HTTP web server. Access to this server, and hence to the web interface, is controlled by the HTTP service. By default, the HTTP service is configured to let the web server accept HTTP requests from the LAN side only. In addition, the SpeedTouch™ provides HTTPs access, a more secure way (HTTP over SSL) of accessing the SpeedTouch™ HTTP web server.
Default HTTP service configuration
Use the following CLI command to see the default HTTP service configuration.
=>:service system list name=HTTP expand=enabled
Idx Name Protocol SrcPort DstPort Group State
----------------------------------------------------------------------
1 HTTP tcp 80 enabled
Description................ HTTP web server
Properties................. server
Managed parameters......... state port acl map log
Interface Access List...... lan local
Ip Access List............. any
NAT Port List.............. 80
=>
Configuration via CLI commands
For WAN access, you should use HTTP. For this, additional configuration of the HTTP service is needed.
Use the following CLI command to allow HTTP access from the WAN to the SpeedTouch™:
=>:service system ifadd name=HTTP group=wan
=>
If you take a look at the HTTP service configuration, you will see that the wan group is added to the Interface Access List:
=>:service system list name=HTTP expand=enabled
Idx Name Protocol SrcPort DstPort Group State
----------------------------------------------------------------------
1 HTTP tcp 80 enabled
Description................ HTTP web server
Properties................. server
Managed parameters......... state port acl map log
Interface Access List...... lan local wan
Ip Access List............. any
NAT Port List.............. 80
=>
Refinement of the Service
If needed, the service can be fine-tuned to restrict the allowed traffic to:
A single IP address
A subnet
A range of IP addresses
Use the following CLI command to restrict the allowed traffic to 1 IP address.
=>:service system ipadd name=HTTP ip=192.6.11.5
=>
Use the following CLI command to restrict the allowed traffic to a subnet.
=>:service system ipadd name=HTTP ip=192.6.11.0/24
=>
Use the following CLI command to restrict the allowed traffic to a range of IP addresses.
=>:service system ipadd name=HTTP ip=192.6.[2-55].[2-55]
=>
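The three entry forms above, worked through as an added Python example (not Thomson's code): it checks a source address against entries in this syntax and counts how many addresses each entry admits. It assumes the bracket form is an inclusive range applied to each octet separately, which the manual does not spell out; the function names are this example's own.

```python
import ipaddress
import re

# One octet of an entry: a plain number or a bracketed inclusive range.
OCTET = re.compile(r"^(?:(\d{1,3})|\[(\d{1,3})-(\d{1,3})\])$")

def parse_entry(entry):
    """Return None for 'any', an IPv4Network for a subnet, else four (low, high) bounds."""
    if entry == "any":
        return None
    if "/" in entry:
        return ipaddress.ip_network(entry, strict=False)
    parts = entry.split(".")
    if len(parts) != 4:
        raise ValueError(f"not an IPv4 ACL entry: {entry!r}")
    bounds = []
    for part in parts:
        m = OCTET.match(part)
        if not m:
            raise ValueError(f"bad octet {part!r} in {entry!r}")
        low = int(m.group(1) or m.group(2))
        high = int(m.group(1) or m.group(3))
        if not 0 <= low <= high <= 255:
            raise ValueError(f"octet out of range in {entry!r}")
        bounds.append((low, high))
    return bounds

def entry_size(entry):
    """Number of source addresses the entry admits."""
    parsed = parse_entry(entry)
    if parsed is None:
        return 2 ** 32
    if isinstance(parsed, ipaddress.IPv4Network):
        return parsed.num_addresses
    size = 1
    for low, high in parsed:
        size *= high - low + 1
    return size

def entry_matches(entry, source):
    """True if the source address falls inside the entry."""
    parsed = parse_entry(entry)
    addr = ipaddress.IPv4Address(source)
    if parsed is None:
        return True
    if isinstance(parsed, ipaddress.IPv4Network):
        return addr in parsed
    # A per-octet range is not one contiguous block: every octet must fit its own bounds.
    return all(low <= octet <= high for (low, high), octet in zip(parsed, addr.packed))

def acl_allows(entries, source):
    """True if any entry of the Ip Access List admits the source address."""
    return any(entry_matches(entry, source) for entry in entries)
```

Under that assumption 192.6.[2-55].[2-55] admits 2916 addresses and excludes hosts such as 192.6.3.1, whose last octet lies below the range.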
Hyper-NAT Refinements
The SpeedTouch™ features a powerful Hyper-NAT engine allowing the local hosts to share a single (remotely negotiated) public IP address.
In case Hyper-NAT is enabled on the WAN interface that will be used for remote management, and a static mapping has been made to allow remote hosts to address regular HTTP services on a host residing on your local network, you must make sure that accessing the SpeedTouch™ Web Interface is still possible.
The default port for the HTTP server is set to 80. This can be changed by executing the following command:
=>:service system modify name=HTTP state=enabled port=82
=>
=>:service system list name=HTTP expand=enabled
Idx Name Protocol SrcPort DstPort Group
----------------------------------------------------------------------
1 HTTP tcp 82
Description................ HTTP web server
Properties................. server
Attributes................. state port aclip aclif aclifgroup map log
User Managed Attributes.... state port aclip aclif aclifgroup map log
Attribute Values :
State...................... enabled
Port....................... 82
Ip Access List............. any
Interface Access List...... any
Interface Group Access List lan
Map List................... 82
Logging.................... disabled
=>
The command above will change the HTTP server port of the SpeedTouch™ from port 80 (default) to port 82.
For more information on Hyper-NAT, see the SpeedTouch™ Hyper-NAT Configuration Guide.
NAT refinements for SpeedTouch™ services should never be made in the NAT configuration menu, but always in System Services.
8.2 Secure Remote Web Interface Access
HTTPs service introduction
The SpeedTouch™ supports secure HTTP, or HTTPS. Transport Layer Security (TLS, formerly SSL as implemented by Netscape) provides communications privacy over the Internet. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. The primary goal of the TLS Protocol is to provide privacy and data integrity between two communicating applications.
The remote management certificate
When booting, the SpeedTouch™ verifies whether a certificate exists for remote management. If no certificate is found, the SpeedTouch™ generates its own certificate. When the SpeedTouch™ receives an HTTPs request on port 443, it transmits this certificate to the client. The client can either accept or refuse the server identity. Depending on the client implementation, the end user is prompted whether or not to trust the server.
When a web user logs in or tries to log in to the SpeedTouch™, a syslog message is generated. This message indicates the user name and the underlying protocol (HTTP or HTTPS).
After negotiating the cipher between the two peers involved in the TLS protocol, data is encrypted for further communications. The minimum level of security required for the connection is indicated by each peer. If the minimum requirement of each peer cannot be achieved, the connection is closed.
Default HTTPs service configuration
Use the following CLI command to see the default HTTPs service configuration.
=>:service system list name=HTTPs expand=enabled
Idx Name Protocol SrcPort DstPort Group
----------------------------------------------------------------------
1 HTTPs tcp 443
Description............... HTTP web server over ssl
Properties................ server
Attributes................ state port aclip aclif aclifgroup map log
User Managed Attributes... state port aclip aclif aclifgroup map log
Attribute Values :
State...................... enabled
Port....................... 443
Ip Access List............. any
Interface Access List...... any
Interface Group Access List lan
Map List................... 443
Logging.................... disabled
=>
Configuration via CLI commands
To have HTTPs access via WAN, additional configuration of the HTTPs service is needed.
Use the following CLI command to allow HTTPs access from the WAN to the SpeedTouch™:
=>:service system ifadd name=HTTPs group=wan
=>
If you take a look at the HTTPs service configuration, you will see that the wan group is added to the Interface Access List:
=>:service system list name=HTTPs expand=enabled
Idx Name Protocol SrcPort DstPort Group
----------------------------------------------------------------------
1 HTTPs tcp 443
Description............... HTTP web server over ssl
Properties................ server
Attributes................ state port aclip aclif aclifgroup map log
User Managed Attributes... state port aclip aclif aclifgroup map log
Attribute Values :
State...................... enabled
Port....................... 443
Ip Access List............. any
Interface Access List...... any
Interface Group Access List lan wan
Map List................... 443
Logging.................... disabled
=>
Refinement of the Service
If needed, the service can be fine-tuned to restrict the allowed traffic to:
A single IP address
A subnet
A range of IP addresses
Use the following CLI command to restrict the allowed traffic to 1 IP address.
=>:service system ipadd name=HTTPs ip=192.6.11.5
=>
Use the following CLI command to restrict the allowed traffic to a subnet.
=>:service system ipadd name=HTTPs ip=192.6.11.0/24
=>
Use the following CLI command to restrict the allowed traffic to a range of IP addresses.
=>:service system ipadd name=HTTPs ip=192.6.[2-55].[2-55]
=>
Hyper-NAT Refinements
The SpeedTouch™ features a powerful Hyper-NAT engine allowing the local hosts to share a single (remotely negotiated) public IP address.
In case Hyper-NAT is enabled on the WAN interface that will be used for remote management, and a static mapping has been made to allow remote hosts to address regular HTTPs services on a host residing on your local network, you must make sure that accessing the SpeedTouch™ Web Interface is still possible.
The default port for the HTTPs server is set to 443. This can be changed by executing the following command:
=>:service system modify name=HTTPs state=enabled port=448
=>
=>:service system list name=HTTPs expand=enabled
Idx Name Protocol SrcPort DstPort Group
----------------------------------------------------------------------
1 HTTPs tcp 448
Description............... HTTP web server over ssl
Properties................ server
Attributes................ state port aclip aclif aclifgroup map log
User Managed Attributes... state port aclip aclif aclifgroup map log
Attribute Values :
State...................... enabled
Port....................... 448
Ip Access List............. any
Interface Access List...... any
Interface Group Access List lan wan
Map List................... 448
Logging.................... disabled
=>
The command above will change the HTTPs server port of the SpeedTouch™ from port 443 (default) to port 448.
For more information on Hyper-NAT, see the SpeedTouch™ Hyper-NAT Configuration Guide.
NAT refinements for SpeedTouch™ services should never be made in the NAT configuration menu, but always in System Services.
8.3 Remote Telnet Access
About Secure Remote Telnet Access and SSH
The SpeedTouch™ Telnet host is provided by the SpeedTouch™ Telnet server. Access to this server and hence the Telnet interface is controlled by the Telnet service. By default, the Telnet service is configured to let the Telnet server accept telnet sessions from LAN side only. In addition the SpeedTouch™ provides SSH remote access.
SSH provides a more secure way of accessing the SpeedTouch™ CLI interface and should therefore be used.
Default Telnet service configuration
Use the following CLI command to see the default Telnet service configuration.
=>:service system list name=TELNET expand=enabled
Idx Name Protocol SrcPort DstPort Group State
--------------------------------------------------------------------
1 TELNET tcp 23 enabled
Description................ Virtual Terminal
Properties................. server
Managed parameters......... state port acl map log
Interface Access List...... lan
Ip Access List............. any
NAT Port List.............. 23
=>
Configuration via CLI commands
To have Telnet access via WAN, additional configuration of the SpeedTouch™ Telnet service is needed.
Use the following CLI command to allow WAN Telnet access to the SpeedTouch™.
=>:service system ifadd name=TELNET group=wan
=>
Use the following CLI command to take a look at the Telnet service configuration; you will see that the wan group is added to the Interface Access List:
=>:service system list name=TELNET expand=enabled
Idx Name Protocol SrcPort DstPort Group
----------------------------------------------------------------------
1 TELNET tcp 23
Description................ Virtual Terminal
Properties................. server
Attributes................. state port aclip aclif aclifgroup map log
User Managed Attributes.... state port aclip aclif aclifgroup map log
Attribute Values :
State...................... enabled
Port....................... 23
Ip Access List............. any
Interface Access List...... any
Interface Group Access List lan wan
Map List................... 23
Logging.................... disabled
=>
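An added Python example (not part of the manual) that parses ":service system list ... expand=enabled" output in both layouts shown in this chapter and reports services that are enabled for the wan group while being cleartext or unrestricted by source IP. The sample listings are constructed, and treating HTTP, TELNET and FTP as cleartext is this example's own classification.

```python
import re
CLEARTEXT = {"HTTP", "TELNET", "FTP"}  # assumption: management protocols without encryption

# Constructed listings, modelled on the two output layouts shown in this chapter.
SAMPLE = """\
=>:service system list name=HTTP expand=enabled
1 HTTP tcp 80 enabled
Interface Access List...... lan local wan
Ip Access List............. any
=>:service system list name=TELNET expand=enabled
1 TELNET tcp 23
State...................... enabled
Ip Access List............. 192.6.11.0/24
Interface Access List...... any
Interface Group Access List lan wan
=>:service system list name=HTTPs expand=enabled
1 HTTPs tcp 443
State...................... enabled
Ip Access List............. any
Interface Group Access List lan
"""

ROW = re.compile(r"^\s*\d+\s+(\S+)\s+(?:tcp|udp)\s+(\d+)(?:\s+(enabled|disabled))?\s*$")
# Attribute label -> record field. Both access-list labels feed "groups" because
# the older layout prints the interface groups under "Interface Access List".
FIELDS = {"Interface Group Access List": "groups", "Interface Access List": "groups",
          "Ip Access List": "ips", "State": "state"}

def parse_services(text):
    """Turn the listing text into one dict per service."""
    services, cur = [], None
    for line in text.splitlines():
        row = ROW.match(line)
        if row:
            cur = {"name": row.group(1), "port": int(row.group(2)), "groups": [],
                   "ips": [], "state": [row.group(3)] if row.group(3) else []}
            services.append(cur)
            continue
        stripped = line.strip()
        for label, field in FIELDS.items():
            if cur is not None and stripped.startswith(label):
                cur[field] += stripped[len(label):].lstrip(". ").split()
    return services

def audit(text):
    """Return (service, port, reason) for each risky WAN exposure."""
    findings = []
    for svc in parse_services(text):
        if "enabled" not in svc["state"] or "wan" not in svc["groups"]:
            continue
        if svc["name"].upper() in CLEARTEXT:
            findings.append((svc["name"], svc["port"], "cleartext service open to wan"))
        if "any" in svc["ips"]:
            findings.append((svc["name"], svc["port"], "no source IP restriction"))
    return findings
```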
Refinement of the Service
If needed, the service can be fine-tuned to restrict the allowed traffic to:
A single IP address
A subnet
A range of IP addresses
Use the following CLI command to restrict the allowed traffic to 1 IP address.
=>:service system ipadd name=TELNET ip=192.6.11.5
=>
Use the following CLI command to restrict the allowed traffic to a subnet.
=>:service system ipadd name=TELNET ip=192.6.11.0/24
=>
Use the following CLI command to restrict the allowed traffic to a range of IP addresses.
=>:service system ipadd name=TELNET ip=192.6.[2-55].[2-55]
=>
Hyper-NAT Refinements
The SpeedTouch™ features a powerful Hyper-NAT engine allowing the local hosts to share a single (remotely negotiated) public IP address.
In case Hyper-NAT is enabled on the WAN interface that will be used for remote management, and a static mapping has been made to allow remote hosts to open a Telnet session to a host residing on your local network, you must make sure that Telnet access to the SpeedTouch™ CLI is still possible.
The default port for the Telnet server is set to 23. This can be changed by executing the following command:
=>:service system modify name=TELNET state=enabled port=50
=>
=>:service system list name=TELNET expand=enabled
Idx Name Protocol SrcPort DstPort Group
----------------------------------------------------------------------
1 TELNET tcp 50
Description................ Virtual Terminal
Properties................. server
Attributes................. state port aclip aclif aclifgroup map log
User Managed Attributes.... state port aclip aclif aclifgroup map log
Attribute Values :
State...................... enabled
Port....................... 50
Ip Access List............. any
Interface Access List...... any
Interface Group Access List lan wan
Map List................... 50
Logging.................... disabled
=>
The command above will change the Telnet server port of the SpeedTouch™ from port 23 (default) to port 50.
For more information on Hyper-NAT, see the SpeedTouch™ Hyper-NAT Configuration Guide.
NAT refinements for SpeedTouch™ services should never be made in the NAT configuration menu, but always in System Services.