Edge Box User Manual 50

Dramatically simplifying voice and data networking
USER MANUAL V5.0

Disclaimer
Precautions have been taken to assure accuracy of the information written in this user’s manual. Typographic or
pictorial errors that are brought to our attention will be corrected in subsequent issues.
Product specifications in this manual are nominal and are provided for the convenience of our customers. They
are all correct at the date of publication. Critical Links reserves the right to make product changes from time to
time, without prior notification, which may change certain specifications or characteristics shown. We therefore
recommend you to check for changes or updates before using for customer projects or further product
developments
No material will be accepted for return unless Critical Links grants permission in writing.
The handling, installation and usage of the edgeBOX are applicable to certain environments and may be
required for code compliance. Features of the device will not provide protection against abuse, misuse, improper
installation or maintenance. It is important that installation, operation and maintenance are performed in
accordance with instructions supplied in the manual. Electricity and electrical devices must always be treated
with caution and respect.
Product Support
The edgeBOX software is distributed according to the End User License Agreement EULA included at the end of
this User Guide. By using the software you agree to be bound by this EULA. If you do not agree to the terms and
limitations of the EULA you should not use the software.
End User License Agreement

For product technical support please visit the following web site http://www.edgebox.com or contact us at the
following email address: support@critical-links.com.
Critical Links, Inc
695 Route 46 West

Fairfield, NJ 07004
USA
Phone: 973.276.9006
Support Hotline: +1 888 433 4326
Website: www.critical-links.com
Email: support@critical-links.com
4 edgeBOX 5.0 Help
Table of Contents
1. About edgeBOX 10
.....................................................................................................................
1.1. Introducing the award-winning edgeBOX 11
.....................................................................................................................
1.2. edgeBOX's main features 12
1.3. Unpack .....................................................................................................................
and setup edgeBOX 13
.....................................................................................................................
1.4. Connecting to edgeBOX's web interface 14
.....................................................................................................................
1.5. Understanding edgeBOX's web interface 16
.....................................................................................................................
1.6. Connecting to edgeBOX's console 19
1.7. Working.....................................................................................................................
with edgeBOX's LCD panel 20
1.8. License,.....................................................................................................................
Hardware and Software 21
2. Initial Configuration 22
3. Dashboard 26
4. Network 29
.....................................................................................................................
4.1. Configure the internet connection (WAN interface) 30
.........................................................................................................................................................
through another device such as a cable modem or a router 30
.........................................................................................................................................................
through a DSL/PPPoE connection 31
4.2. Change.....................................................................................................................
the local network properties (LAN) 32
4.3. Change.....................................................................................................................
the DMZ settings 33
.....................................................................................................................
4.4. View and manage VLANs 34
.....................................................................................................................
4.5. Interfaces Physical and Logical Status 35
4.6. Monitor.....................................................................................................................
connections through edgeBOX 36
4.7. Change.....................................................................................................................
edgeBOX's hostname and network domain 37
.....................................................................................................................
4.8. View the system routes 38
4.9. Manage.....................................................................................................................
static routes 39
..................................................................................................................... 40
4.10. Wireless
.........................................................................................................................................................
Configure and turn on the wireless network 41
Indicate the.........................................................................................................................................................
type of authentication 43
.........................................................................................................................................................
Make the wireless network more secure 46
.........................................................................................................................................................
Make the wireless network public 47
.....................................................................................................................
4.11. Managing the DNS server 47
.........................................................................................................................................................
Adding or Editing DNS domains 48
How to add ..................................................................................................................................................
a Master domain 48
How to add ..................................................................................................................................................
a Slave domain 50
How to add ..................................................................................................................................................
a Forwarder domain 51
.........................................................................................................................................................
Changing global DNS Settings 51
.........................................................................................................................................................
Managing DNS ACLs 52
.........................................................................................................................................................
Managing hosts on an existing domain 53
Critical Links, Inc.

Network 5
.....................................................................................................................
4.12. Use Dynamic DNS 54
.....................................................................................................................
4.13. Using the DHCP service 55
.........................................................................................................................................................
Assign IP addresses using Ranges 56
.........................................................................................................................................................
Assign IP addresses using MAC-IP rules 57
.........................................................................................................................................................
Configure DHCP advanced settings 58
DHCP Leases......................................................................................................................................................... 59
.....................................................................................................................
4.14. Manage the Webcache size and sites 59
.....................................................................................................................
4.15. Using NAT and Port Forwarding 60
..................................................................................................................... 61
4.16. Using QoS
QoS Upload.........................................................................................................................................................
configuration 63
.........................................................................................................................................................
QoS Download configurations 64
......................................................................................................................................................... 64
Service Classification
.........................................................................................................................................................
Internet and DMZ QoS statistics 65
5. VPN 67
5.1. IPSec ..................................................................................................................... 67
General ......................................................................................................................................................... 69
Advanced .................................................................................................................................................. 70
5.2. PPTP ..................................................................................................................... 71
......................................................................................................................................................... 72
PPTP Properties
5.3. L2TP ..................................................................................................................... 73
6. Security 75
6.1. Firewall..................................................................................................................... 75
.........................................................................................................................................................
Securing the Internet and DMZ links 76
.........................................................................................................................................................
Securing Internal Connections 76
.........................................................................................................................................................
Using Advanced Firewall Rules 77
6.2. Setting .....................................................................................................................
up a DMZ 79
6.3. Enabling.....................................................................................................................
NAT for the private networks 80
.....................................................................................................................
6.4. Using Port Forwarding 80
6.5. Website.....................................................................................................................
Access Restrictions 81
Domains ......................................................................................................................................................... 82
......................................................................................................................................................... 83
Words in URL
.....................................................................................................................
6.6. Install and Manage Anti Virus Engines 83
.....................................................................................................................
6.7. Scanning Shared Folders for viruses 83
.....................................................................................................................
6.8. Scanning E-Mail for Viruses 84
Messages ......................................................................................................................................................... 85
Actions ......................................................................................................................................................... 86
Quarantine......................................................................................................................................................... 86
.....................................................................................................................
6.9. Scanning E-Mail for SPAM 87
7. Office Servers 89
7.1. Manage.....................................................................................................................
your web sites and intranets 89
.........................................................................................................................................................
Setting up multiple websites 90
.....................................................................................................................
7.2. E-mail Server and Webmail 92
......................................................................................................................................................... 92
E-mail Queue

6 edgeBOX 5.0 Help
.........................................................................................................................................................
E-mail domains and Webmail 93
Aliases and.........................................................................................................................................................
Mailing Lists 93
.........................................................................................................................................................
Settings and Permissions 94
SMTP Access ..................................................................................................................................................
Control 96
.....................................................................................................................
7.3. Windows Server 97
.....................................................................................................................
7.4. Windows Shared Folders 99
Shares ......................................................................................................................................................... 100
Setup Share..................................................................................................................................................
Permissions 102
Temporary.........................................................................................................................................................
Shared Folders 103
.....................................................................................................................
7.5. Windows Shared Printers 103
8. IP-PBX and VoIP 105

8.1. IP-PBX.....................................................................................................................
Overview 106
.....................................................................................................................
8.2. Managing your phones 108
.........................................................................................................................................................
Understanding the Phones list 109
......................................................................................................................................................... 111
Creating phones
SIP and IAX ..................................................................................................................................................
phone extensions 113
Analog phone..................................................................................................................................................
extensions and fax machines 115
ISDN Phone ..................................................................................................................................................
extensions 116
Connecting.........................................................................................................................................................
phones 116
Connecting ..................................................................................................................................................
VoIP Phones 117
Connecting ..................................................................................................................................................
Analog Phones and FAX machines 118
Connecting ..................................................................................................................................................
ISDN Phones 118
Automatic.........................................................................................................................................................
configuration of phone devices 119
..................................................................................................................................................
Auto Configuration Modes 122
.........................................................................................................................................................
Phone Groups and Access Control 123
Twinning ......................................................................................................................................................... 126
.........................................................................................................................................................
Internal Dial Plan 128
.....................................................................................................................
8.3. Configuring incoming call rules 129
.........................................................................................................................................................
Creating incoming call rules 130
.........................................................................................................................................................
Defining Automated Attendant menus 133
Schedules......................................................................................................................................................... 135
8.4. Define.....................................................................................................................
your outgoing call rules 135
......................................................................................................................................................... 136
Authentication
......................................................................................................................................................... 136
Rules Definition
Emergency.........................................................................................................................................................
number 138
.....................................................................................................................
8.5. Configuring Voice Lines 139
......................................................................................................................................................... 140
VoIP Providers
......................................................................................................................................................... 141
ENUM service
......................................................................................................................................................... 142
Remote Offices
Hardware ......................................................................................................................................................... 143
ISDN BRI.................................................................................................................................................. 143
ISDN PRI.................................................................................................................................................. 144
How to change ...........................................................................................................................................
configuration mode (E1 / T1) 146
Analogue..................................................................................................................................................
FXO-FXS 146
8.6. Phone.....................................................................................................................
operations 147
.........................................................................................................................................................
Blind and Supervised Transfers 148
Group Calls......................................................................................................................................................... 149
......................................................................................................................................................... 149
Intercom Calls
.........................................................................................................................................................
Call Listening and Call Whispering 150
......................................................................................................................................................... 151
Call Pick-Up

IP-PBX and VoIP 7
Twinning ......................................................................................................................................................... 151

Follow Me ......................................................................................................................................................... 152
One Touch.........................................................................................................................................................
Recording 153
.........................................................................................................................................................
Labeling CDR records with Cost Centers 153
.....................................................................................................................
8.7. Conference Rooms 154
.....................................................................................................................
8.8. Managing Call Queues 155
Advanced.........................................................................................................................................................
Settings for Queues 157
8.9. Codecs..................................................................................................................... 158
.....................................................................................................................
8.10. MailFax Service 159
.........................................................................................................................................................
How to send a fax using MailFax? 161
.....................................................................................................................
8.11. Advanced VoIP Options 162
Voicemail ......................................................................................................................................................... 162
Call Parking......................................................................................................................................................... 163
Operation.........................................................................................................................................................
Key Codes 163
Customize.........................................................................................................................................................
Sound Files 164
.........................................................................................................................................................
Define Country Zone 165
......................................................................................................................................................... 165
Echo Cancellation
......................................................................................................................................................... 166
G.729 Licensing
......................................................................................................................................................... 166
Billing Service
......................................................................................................................................................... 167
Manager Interface
Advanced.........................................................................................................................................................
NAT 168
8.12. Music.....................................................................................................................
On-Hold 169
.....................................................................................................................
8.13. Automatic Call Recording 170
8.14. VoIP .....................................................................................................................
activity logs - CDR 172
.....................................................................................................................
8.15. Default Predefined Phone Numbers 172
9. Users 174
..................................................................................................................... 174
9.1. Authentication
Managing .........................................................................................................................................................
network users 175
Importing..................................................................................................................................................
and Exporting Users 177
.................................................................................................................................................. 179
Default Quota
Activating.........................................................................................................................................................
Authentication 179
.........................................................................................................................................................
Using remote authentication 181
..................................................................................................................................................
Using a remote RADIUS Server 181
..................................................................................................................................................
Using a remote LDAP Server 182
..................................................................................................................................................
Using a remote AD Server 183
Customize.........................................................................................................................................................
the user login web page 184
..................................................................................................................... 186
9.2. Privileges
.........................................................................................................................................................
Fine tunning Internet and DMZ access 189
.........................................................................................................................................................
Access to other VLANs 190
9.3. Groups..................................................................................................................... 191
.....................................................................................................................
9.4. Delegate a Local Administrator 191
.....................................................................................................................
9.5. View currently Connected Users 194
.....................................................................................................................
9.6. Configure authorized RADIUS clients 194
10. System 196

.....................................................................................................................
10.1. Adjusting Date and Time 196

8 edgeBOX 5.0 Help
..................................................................................................................... 198
10.2. Administration
.....................................................................................................................
10.3. Managing Software Updates 199
.....................................................................................................................
10.4. Backup & Restore 201
Immediate.........................................................................................................................................................
Backup 202
.........................................................................................................................................................
Scheduled Backups 203
10.5. Using.....................................................................................................................
HotBackup for redundancy 205
Managing .........................................................................................................................................................
software updates in a Hotbackup scenario 208
..................................................................................................................... 210
10.6. Notifications
.....................................................................................................................
10.7. Managing and Diagnosing RAID 211
......................................................................................................................................................... 212
Disk Notifications
Replacing .........................................................................................................................................................
a faulty disk 212
.....................................................................................................................
10.8. Reading and Managing System Logs 213
.....................................................................................................................
10.9. RADIUS Accounting 214
..................................................................................................................... 215
10.10. SNMP
..................................................................................................................... 216
10.11. Maintenance
.....................................................................................................................
10.12. Services Control Panel 217
.....................................................................................................................
10.13. Hardware Monitor 217
.....................................................................................................................
10.14. Diagnostic Tools 218
.....................................................................................................................
10.15. Remote Management 219
11. Reporting 221

..................................................................................................................... 221
11.1. System
CPU ......................................................................................................................................................... 221
Memory ......................................................................................................................................................... 222
Load ......................................................................................................................................................... 223
Disk Usage......................................................................................................................................................... 224
Interfaces......................................................................................................................................................... 225
..................................................................................................................... 226
11.2. Services
......................................................................................................................................................... 226
HTTP Access
......................................................................................................................................................... 227
Web Server
Firewall ......................................................................................................................................................... 228
E-mail ......................................................................................................................................................... 229
VoIP ......................................................................................................................................................... 230
VPN ......................................................................................................................................................... 231
11.3. Users..................................................................................................................... 232
General ......................................................................................................................................................... 232
Accounting......................................................................................................................................................... 233
......................................................................................................................................................... 234
HTTP Access
E-mail ......................................................................................................................................................... 234
VoIP ......................................................................................................................................................... 235
VPN ......................................................................................................................................................... 236
12. User Services and Applications 237

.....................................................................................................................
12.1. Temporary Shared Folders 238
..................................................................................................................... 242
12.2. Webmail
12.3. Flash.....................................................................................................................
Operator Panel (FOP) 243

User Services and Applications 9
FOP Login......................................................................................................................................................... 244

......................................................................................................................................................... 246
Initiate a Call
......................................................................................................................................................... 247
External Calls
Transfer a.........................................................................................................................................................
call 248
Barging ......................................................................................................................................................... 248
Create an.........................................................................................................................................................
Agent 248
......................................................................................................................................................... 249
Queue Managment
Park-Unpark.........................................................................................................................................................
Calls 249
Conference .........................................................................................................................................................
Calls 250
.........................................................................................................................................................
Typical Caller Scenario 250
13. Appendices 251

.....................................................................................................................
13.1. Appendix A: Authentication 251
.........................................................................................................................................................
Authentication architecture 251
.........................................................................................................................................................
Require users to login vs Privileges policies 251
.........................................................................................................................................................
Putting it all together 253
......................................................................................................................................................... 253
Remote configuration
.....................................................................................................................
13.2. Appendix B: Connecting to Wireless 254
802.1x ......................................................................................................................................................... 256
WPA ......................................................................................................................................................... 258
.....................................................................................................................
13.3. Appendix C: Windows Integration 260
.........................................................................................................................................................
Adding a Windows Host to edgeBOX Domain 260
.........................................................................................................................................................
Mapping a Shared Folder on Windows 261
.....................................................................................................................
13.4. Appendix D: VLAN based Infrastructure 262
.........................................................................................................................................................
VLAN Scenario 1 264
.........................................................................................................................................................
VLAN Scenario 2 265
.........................................................................................................................................................
VLAN Scenario 3 267
.........................................................................................................................................................
VLAN Scenario 4 268
.....................................................................................................................
13.5. Appendix E: Factory Reset 269
.....................................................................................................................
13.6. Appendix F: edgeBOX Network Services 270
.....................................................................................................................
13.7. Appendix G: Usernames and Passwords 271

10 edgeBOX 5.0 Help
1 About edgeBOX
Critical Links’ edgeBOX is a network appliance that consolidates the voice, data and IT
functions at a Small and Medium Business (SMB) into one single appliance.
Specifically, it provides IP-PBX and VoIP, comprehensive Networking, Quality of Service

(QoS), Wi-Fi Access Point, Windows Server - with advanced File and Print sharing, network
access profiles - Privileges, Security tools, such as Anti Virus and Firewall and SMB Office
Servers (e-mail / web server / windows server).
While all this is commonly delivered using up to 8 different independent products/devices,

Critical-Links' edgeBOX provides an unified architecture and delivers all this in a single
product.
Introducing the award-winning edgeBOX
edgeBOX's main features
Unpack and install edgeBOX to the network
Connecting to edgeBOX's web interface
Understanding edgeBOX's web interface
Connecting to edgeBOX's console
Working with edgeBOX LCD panel
License, Hardware and Software

About edgeBOX 11
1.1 Introducing the award-winning edgeBOX

The edgeBOX appliance comes in 3 different form factors (with different redundancy & fault-
tolerance options).
The edgeBOX comes with a wide range of interfaces to connect to the Internet and the PSTN (such
as FXO/FXS, Ethernet, ISDN PRI/BRI, T-1/E-1 etc).
Every edgeBOX has an intuitive GUI that allows the user to access the box and configure the various
functions very easily. NOTE: The box already comes with a set of default configurations that will
allow most customers to just literally power on the box and begin to use it; it also provides a
customer the ability to customize the settings to support their environment.
The edgeBOX:
1. Dramatically simplifies the SMB voice and data infrastructure
· It replaces up to 8 independent products/devices with 1 device

· Reduces maintaining & managing several devices (and vendors)
2. Increases Productivity and Convenience at the SMB
· Provides the broadest range of voice, data and IT capability

· Managed through a simple, unified interface, even remotely
3. Reduces initial investment & recurring operational expenses over 60%
· Initial cost reduced to less than a third of a multi-device solution

· Recurring costs are nominal; remote, simplified management
4. Environmentally (and economically) friendly
· Much smaller carbon footprint lower power/space consumption

· Lower waste generated at end of life
The edgeBOX eliminates the traditionally painful trade-off between features, complexity and cost at a
SMB. SMBs have had to incur a high degree of complexity (due to the many devices and vendors
needed to be managed) and the attendant cost (due to expensive IT support) to get much needed
voice and data features. Now with the edgeBOX a customer can get a broad range of voice, data

12 edgeBOX 5.0 Help
and IT services for a fraction of existing costs. The edgeBOX is changing the rules of the game for
the SMB. The SMBs can now focus on their core competence instead of worrying about the cost and
complexity of managing their networking
The edgeBOX, by integrating the voice, data and IT features, in one appliance and managed by a
simple GUI dramatically reduces the complexity and brings down the costs. The edgeBOX, based on
open source standards, also ensures a best-of-breed solution that is competitively superior in terms
of both feature richness and cost.
A remote based management system ensures remote provisioning, monitoring and management of
several edgeBOX appliances as well, further simplifying and cost reducing maintenance.
The edgeBOX incorporates a set of functional capabilities that are necessary when provisioning voice
and data services at a SMB. If a VoIP service is to be provisioned, for example, in addition to
configuring the IP-PBX, Quality of Service (QoS), Firewall, Router tables, e-mail server, etc, have to
also be usually configured. All this can be done right in the edgeBOX appliance from a GUI and
without having to concern about the peculiarity of different devices, interoperability, and making all of
them work together. This not only reduces the upfront cost but also speeds up service turn up.
The edgeBOX comes provisioned with a default configuration for the router/switch settings and also
for commonly used SIP phones, further enhancing the user experience.
The number of features available on the edgeBOX is unmatched competitively and it provides more
voice and data services than most SMBs would require currently. In addition, value-added application
packages called edgePACKs, are also available for specific vertical segments; these further augment
the networking services in the edgeBOX with application oriented capabilities. Current edgePACKs
include the Learning Management System (for academia), Content Management System (for
managing website content), and edgeExchange (for e-mail, calendar and content sharing).
More information on the edgeBOX:

695 Route 46 West
Fairfield, NJ 07004
U.S.A
+1.973.276.9006
www.critical-links.com
1-888-4-EDGEBOX
1.2 edgeBOX's main features

· Internet connections using ADSL, Cable modems or other WAN Broadband devices;
· Supports dynamic and static IP Address assignment, also allowing the configuration of
a registered domain name;

About edgeBOX 13
· DHCP server on the Intranet side with optional automatic name range generation;
· A web server on both the Internet and Intranet side, with optional home pages for every
user of the network;
· DNS Server for both local private domain or as a master name server on the Internet;
· Internet E-Mail Server with anti-spam control.
· Support for SMTP Relay for Road Warriors;
· Full access control over the internal network services and the Internet access;
· 802.1x Port based authentication with Single Sign On;
· User based access control to manage accesses to the network resources;
· Group based access control for third part applications integrated with edgeBOX;
· VLAN aware router. Supports 802.1Q and Inter-VLAN access policies;
· See who is on your network and from what IP address;
· User time and traffic based accounting. Supports optional RADIUS session servers;
· Supports Local User Authentication or Remote User Authentication using a RADIUS
Server, LDAP Server or using Active Directory;
· Backup and Restore of edgeBOX's configuration and of users's data.
· System updates from a remote server.
· Dynamic DNS. Supports DynDNS or No-IP;
· Optional Wireless Network with edgeBOX's access point;
· IMAP and POP3 Servers. Integrated e-mail access using the internal web server;
· VPN tunnels based on the IPSec standard or the PPTP protocol;
· Traffic control in inbound and outbound traffic. Possibility of reserving bandwidth for
important users in your company or for high priority traffic types, such as voice traffic;
· Support for a dynamic Intranet with content management capabilities;
· VoIP Features, including support for line fail over, Interactive Services, Call Rules, Sound
Manager, Conference calls, Hunt Groups, Phone Auto Configuration, etc.
· Fax2Mail and Mail2Fax.
1.3 Unpack and setup edgeBOX

To install the edgeBOX onto your network please consult the Quick Start Guide flyer that was sent
to you with your edgeBOX appliance.
The guide will quickly:
1. Introduce you to all the edgeBOX components,

2. Explain the elements and connectors in the rear and front panels,
3. Tell you how to connect edgeBOX to your Internet Modem and Ethernet Switch,
4. Show you how to power up the appliance.

14 edgeBOX 5.0 Help
1.4 Connecting to edgeBOX's web interface

The edgeBOX appliance is configured with a default factory configuration. Typically, the first
task after you connect the edgeBOX to the network is to change the default configuration, so that it
meets your requirements.
You can perform the initial configuration from a computer connected either:
· directly to edgeBOX's LAN interface, or
· to a hub or a switch connected to edgeBOX's LAN interface.
The LAN interface is initially configured with the IP address 192.168.100.254 and DHCP is
active. This way, to connect your computer to the edgeBOX:
· Configure it to automatically obtain it's local network IP Address from the edgeBOX using
DHCP (recommended);
· Or configure it with a static IP address: the IP address used must lie in the
192.168.100.0/24 range (ex. 192.168.100.50); use 255.255.255.0 for Subnet-Mask; use
192.168.100.254 for Default Gateway; also 192.168.100.254 for Nameserver.
Then, from the computer:
1. With a browser, open the webpage https://myedgebox.com or https://192.168.100.254:8011;
2. After the page opens, click the Login link;

About edgeBOX 15
edgeBOX initial page
3. Use admin for username and root for password to login (this is the default password; for
security reasons you should change it); hit the Login button.
The edgeBOX web interface will then start loading; please note it might take a few moments and you
may have to accept one ore more warning messages due to the Java Platform. To use the edgeBOX
web interface you'll need the Java Plug-in installed: Java Runtime Environment version 6.
When loading completes you will see the Dashboard page with a quick overview of some relevant
edgeBOX variables and it's global status.
At the top you'll also find links to the Network, VPN, Security, Office Servers, IP-PBX, Users,
System and Reporting sections and menus. Feel free to click the links and navigate the interface.
This will help you get familiar with edgeBOX.

16 edgeBOX 5.0 Help
edgeBOX webadmin initial page: the Dashboard
That's it. Congratulations. When you see the Dashboard you are succesfully connected to edgeBOX's
web administration interface, ready to start configuring it.
At this point you might want to:
· have a look at the Understanding edgeBOX's web interface page of this manual, or
· jump to the Initial Configuration section to get a an initial roadmap.
1.5 Understanding edgeBOX's web interface

edgeBOX's administration web interface makes use of several common user interface
concepts and resources - such as graphical symbols, buttons, popup dialogs and others.
This helps to improve the user's experience while maintaining overall coherence among similar
operations and concepts across distinct panels and dialogs. This page introduces those
common concepts and resources and explains their global meaning and usage scenarios.

About edgeBOX 17
The following image displays most of these features and will be used as a starting point for further
explanations below:
Navigation
The interface is divided into Sections. Sections are subdivided into Menus. Navigation is a two-step
interaction: choose the Section you want from the sections bar [1] at the top and, once that section
loads, select the configuration Menu from the menus list [2] at the left. Once there you get a
summary overview with current configurations and the most relevant status variables concerning the
topic involved.
Related Topics
In each Menu you'll find context specific links to other related configuration menus in the Related
Topics corner [3]. If you click the links you'll get immediate access to those configurations in a new
popup window. Then, you can make any quick changes you need and get back to your starting point.
This gives you an alternate and useful navigation path.
Service Status and Service Start/Stop
The Service Status Bar [4] shows you the current operational status of the corresponding
edgeBOX service: the green color indicates the service is active while gray is be used for services

18 edgeBOX 5.0 Help
that are not running; the red color is used for error situations.
On the left, an informative text message is displayed accordingly. At the right end, the Service Status
Bar gives you control over the service by means of the Start Service and Stop Service options. By
clicking them you actually instruct edgeBOX to change the administrative status of the service.
New - Edit - Delete
All over the interface these three operations [5] are executed in innumerous situations. New lets you
create new entries, Edit allows you to change an existing entry and Delete let's you remove
configurations.
Save applies - Cancel cancels
While configuring edgeBOX you'll enter data into several dialogs. In several situations the sequence
of popups that need your input may even become a bit more complex. If you feel lost, or if you're in
doubt, please keep in mind:
· none of the changes you made is actually applied to edgeBOX until you press Save; this also
means that, in order to apply your changes to edgeBOX, you need to press Save at some
point;
· in any situation, if you press Cancel the dialog is immediately aborted and no changes are
propagated to edgeBOX; when in doubt, press Cancel.
Please note: these are global principles that should hold true in the great majority of the
situations you might find.
Glass Pane: in order to keep your interaction with edgeBOX even safer, during the configuration
sequences between the administration interface and edgeBOX itself - usually when you press
Save, but also in other situations - the interface is covered with a Glass Pane that prevents
you from pressing any buttons or interacting with the interface; it's a way to say: "Please wait,
we are busy". Depending on the complexity of the operations being executed you may need to
wait a little bit.
Lists with Filters
Some of the lists presented may grow a lot as you add new entries. For faster search, those lists
include a filtering option [6] that lets you quickly search for specific entries. In the example image
above we are trying to search for a user called Alves. By entering the alv sequence our search is
considerably narrowed and it's now easy to find the person we are searching for.

About edgeBOX 19
Context Sensitive Help
Usually located at the top-right corner you will find the Help icon [7]. Clicking it will open a new
browser window directly into the correct page of this manual.
Status Bar
Located in the lower-left corner, the Status Bar [8] shows you when the interface is busy interacting
with edgeBOX. If the operation is successful a green V sign will be displayed. If edgeBOX encounters
some error then a red X will be shown.
Now that you have a global understanding of the interface you can jump to the Initial Configuration
section to get a roadmap.
1.6 Connecting to edgeBOX's console

It is also possible to connect directly to edgeBOX's console to manage the appliance using a
Command Line Interface (CLI). However, you will be confined to the limited set of commands
available.
You can acces the CLI in three diferent ways:
· keyboard/VGA: connect a keyboard to the PS2 port or any of the USB ports located on the
rear panel; connect a monitor to the VGA port located in the rear panel;
· Serial Port: connect a null-modem (also known as serial cross-over cable; Rx and Tx wires
are "crossed") serial cable to the serial port in the rear panel and the other end to your
laptop's serial port; use no hardware or software flow control, 38400N8 (38400 bit/s, no parity
bit, 8 databits); on Windows you can use Hyperterminal; on Linux you can use minicom;
· SSH: you need to have SSH service active on your Firewall; if you have the Authentication
service running, the Privilege you are assigned to needs to have access to SSH; from the
internal network you can use the address myedgebox.com or the LAN interface IP Address; on
Windows you can use putty; on Linux open a terminal and use the ssh command (ex: ssh
admin@myedgebox.com);
The screen should display a prompt requesting a login/password to be entered. Entrer the usual
admin username and it's password (root if not changed).
At the eOS> prompt type help to get a list of available options; enter help <SOMETHING> to get
specific help on <SOMETHING>;

20 edgeBOX 5.0 Help
ex: help service shows you a usage summary of all commands starting with service;
service status will show you a list of services and their current and administrative operational
status;
Use the command line only if you are an advanced user. Using it incorrectly may
compromise edgeBOX's correct functioning or even stop it to work completely.
1.7 Working with edgeBOX's LCD panel

The edgeBOX LCD panel is a simple information panel available on Business and Enterprise
appliances.
edgeBOX's LCD panel
View information about the network
To see information about the network on the LCD panel, press the Up or Down buttons near
the LCD screen.
The information available is:
· LAN IP - The IP address of the Internal Network.

· WAN IP - The IP address of the Internet Connection.
· DMZ IP - DMZ IP address. The DMZ is often used as an internal Server network.
· Gateway Address - Default Gateway IP Address.
· Firewall Status - Firewall On, if the firewall is enabled or Firewall Off, if it is disabled.
· User Authentication Status - Enabled (LAN based users are required to
authenticate) or disabled (LAN based user are not required to authenticate)
Shutdown the edgeBOX
To shutdown the edgeBOX, press the Power button. edgeBOX will beep. Then,
· press the Power button again, and edgeBOX will beep twice and start the shutdown
process,

About edgeBOX 21
· or press the LCD Enter button. edgeBOX will start the shutdown process and the
message "Shutting down system. Wait..." will be displayed in the LCD.
You can also shutdown the edgeBOX using the web interface. To do this go to the
Webadmin interface, System - Administration section.
1.8 License, Hardware and Software

By clicking the about link at the top-right corner, you'll get information about edgeBOX's software
version, hardware settings and license definitions.
· Version 5.0, Build 1, 29/06/2009: software version, build number and build date;
· Hardware Description: hardware reference and serial number;
· Product Licensed to: licence owner (person or company);
· License Serial Number: edgeBOX license; each edgeBOX has a distinct license;
· Network users limit: maximum number of users allowed for this licence.

22 edgeBOX 5.0 Help
2 Initial Configuration
If you've just turned edgeBOX on for the first time, you need to make an initial basic
configuration so that edgeBOX can start managing your network and services.
In seven simple configuration steps you'll understand the concepts and review the sections
in this manual where the configuration details are covered.
First: you need to open the webadmin interface
If you haven't done this before please follow the steps in the Connecting to edgeBOX's web interface
section of this manual. When you get connected you can jump to Step 1 and get started configuring
edgeBOX
Step 1: Connecting edgeBOX to the Internet - WAN
· Concept:
edgeBOX is supposed to work as the main link between any devices/systems in your
internal network and the Internet; whatever you may do - access the Internet, send an
e-mail, make VoIP calls to another country - keep in mind: edgeBOX is the gateway
to the outside world; so, the first step is to connect it's WAN interface to the internet.
· Hands On: Configure the internet connection (WAN interface)
Step 2: Setup your Internal Network - LAN
· Concept:
your internal network - your LAN, for short - is composed of computers, laptops, IP
Phones and other miscellaneous IP devices like printers and so; they all communicate by
connecting to the so-called TPC/IP Ethernet infrastructure and the messages thus
interchanged are all identified with two distinguishing marks: the IP Address of the
sender and the IP Address of the destination computer or server; each and
every device interacting in a TCP/IP network, like yours, has it's own IP Address; and so
does edgeBOX;
you need to assign such an address to the LAN interface of edgeBOX - through this
interface edgeBOX reaches all those LAN devices and all of them know how to reach
edgeBOX if they need to; all IP devices in your network will somehow find a way to
make messages reach edgeBOX's LAN interface IP Address and edgeBOX will know how
to send them back IP messages identified with it's own LAN IP Address; edgeBOX is

Initial Configuration 23
shipped with the LAN 192.168.100.254 IP Address previously configured for you; don't
change it if you don't need to, but if you do...
· Hands On: Change the local network properties (LAN)
Step 3: Specify a hostname and a domain name
· Concept:
the hostname is the name by which the edgeBOX is known in the network (the
name that the computers in the network use to refer to the edgeBOX); a hostname is a
descriptive name (gateway, edgebox, fileserver, printerhost); you can choose any
name you want; if you have two offices with an edgeBOX in each, you can call
eboxhead to the first and eboxbranch to the other;
the domain is the name by which your network is known; if you do not have a
registered domain, then you can give your network the domain you want, such as
mycompany.loc; this domain will be private and visible only within your network; for
example, if your company is called MegaSoft, then a possible domain could be megasoft.
com; if you have a registered domain, like critical-links.com, for example, then you can
use that public domain; that domain is visible to everyone in the world throughout the
Internet;
· Hands On: Change edgeBOX's hostname and network domain
Step 4: Check and adjust edgeBOX's Date & Time
· Concept:
edgeBOX, as any other computer, keeps it's own date and time internally; you can and
should adjust Date and Time; additionally you should adjust your Timezone too:
edgeBOX is shipped to use timezone Europe/London; change it to your location;
several edgeBOX features rely on a correct Date and Time in order to operate in a
timely fashion as expected by network users and other processes;
· Hands On: Adjusting Date and Time
Step 5: Overview your Firewall and secure your network
· Concept:
the Firewall is possibly the most important network security resource shipped with
edgeBOX; it's very important that you consider always having your Firewall service up
and running (don't turn it off unless you really need to); edgeBOX is shipped with the
Firewall service running and this, alone, is enough for providing a very high degree of

24 edgeBOX 5.0 Help
security for your network users and services;
edgeBOX Firewall working principle is the definition of Allow/Deny rules for specific
network services and protocols; once you decide the services that should or shouldn't be
available, edgeBOX will automatically determine the best Firewall settings and use them,
to provide the maximum security possible to itself and to your network; the fundamental
concept you should keep in mind is: if my users don't need this service then I will
make it unavailable at the Firewall or if that specific service is not supposed to
be accessible to the Internet then the Firewall will block any requests to it;
· Hands On:
at this moment let's just take a look around to get familiar; go to the Security section in
the Webadmin interface; the Firewall menu will load by default;
notice the services that have allowed access for connections from the Internet; by
default only Ping and Webadmin services are allowed from the Internet; this means
that the administration web interface is available from the outside world; this could be
good if you need to administer edgeBOX from home: later on you may come consider
this unnecessary, and you may wish to increase security even further by removing the
Webadmin from the Internet allowed services; that is configuring your Firewall; but let's
leave it for later;
click the Internal Connections... link; a popup window will show you the list of
forbidden services for your internal network; by default the list is empty: that means
that, by default, your internal users can access all edgeBOX services; this is where you
would add some service that you'dd wish not to be available internally;
right now you may just want to start configuring the Firewall; well... we advise you,
nevertheless, to follow this section through up to Step 7 to get the whole picture; but...
if you really wish to do it, just jump to the Firewall section in this manual for the details (
don't start configuring the Firewall until you have read that section of the manual and
you are confident on what you're doing);
Step 6: Add a User and a Phone
· Concept:
edgeBOX is for Users; a great deal of effort has been put into making edgeBOX a user
oriented product; Users have needs; Users want to use services; Users want to make
Phone calls; Users want to share files and need Phones to chat internally or to make
long distance calls; Users are central in edgeBOX; as more people join your company
edgeBOX will always be ready to provide resources for them: a Phone, a personal
Windows Share for documents, access to the Internet, a personal web page, you name
it...;
furthermore you need to consider Security: if you'll allow everyone to use your network
or just let specific users to use it; allowing access only to specific users gives your
network more security; to let only specific users access the network, you need to
manage (create, edit and delete users) them and setup authentication services;

Initial Configuration 25
Authentication is actually a very important aspect but, right now, let's leave it be...;
adding a new User and a Phone for the new user is an easy task; go for it...
· Hands On: go to the Users section in the Webadmin interface and follow the details here
Managing Network Users;
Step 7: Change the webadmin password
· Concept:
you should change the password; this is a simple, yet very important, concept;
edgeBOX is shipped with a default password for the admin user: "root"; you should
change it;
the admin password is used to access the Webadmin interface; please realize: admin-
root is a very simple guess for most hackers and password exploits and attacks; if you
expose edgeBOX to the Internet this risk is even higher; please change it immediately;
pick a password you can remember and write it down in some safe place, at home, or
some place away from work, away from edgeBOX;
· Hands On: in the Webadmin interface click the System section and choose the
Administration menu; follow the details here...;
At the end of Step 7, you have a pretty good picture of edgeBOX's basics. To step into more
advanced edgeBOX features you might need for your network, please review the following Next
Steps and feel free to navigate around.
Next Steps: how do I ...
create Windows Shared Folders ?
change User Privileges ?
activate Webmail ?
secure the Internet (WAN) interface ?
configure the Firewall for internal connections ?
enforce Authentication ?
setup VLANs ?

26 edgeBOX 5.0 Help
3 Dashboard
The Dashboard provides a quick summary overview of the most relevant edgeBOX variables and
status informations in an intuitive graphical display.
Information is provided in the form of values, colors and icon behaviours and refreshed every 30
seconds. The Dashboard is divided into:
System
· Date & Uptime: current Date and Uptime (time elapsed since last boot); 7/6/2009 17:13
and 14d 11h 32m in the picture;
· Processor:
· CPU usage - percent CPU usage (averaged over a 5 minutes interval);
· Load - processor load indicator (from left to right: 1 minute, 5 minutes and 15
minutes process load average);
· Temperature: motherboard temperature (if available);
· Memory: current instantaneous RAM usage/total and current instantaneous SWAP usage/
total;

Dashboard 27
· Storage: current instantaneous System Storage and Home Storage percent occupation/
total;
If any of the horizontal bars changes to yellow, you should stay alert. If, on the other hand, you
get persistent reds, that means you should try to diagnose the problem and take action to
prevent any damage or operational instability.
WWW
· WAN IP Address: the currently configured IP address for the WAN interface;
192.168.126.160 in the picture;
· Gateway Test: green if edgeBOX is able to ping the Default Gateway, as depicted; red
otherwise;
· DNS Test: green if edgeBOX can access an operational DNS service, as depicted; red
otherwise;
· Browsing Test: green if edgeBOX can actually browse the World Wide Web, as depicted; red
otherwise;
· Line Color: green indicates edgeBOX considers the WAN connection is fully operational with
respect to those 3 tests; gray otherwise;
· Connection Status: the red connection status icon (a red triangle with an exclamation mark '
! ' inside) will show up if any of the three tests fails: something is not operating as expected; if
the three tests are successful it will not show up; if all three tests fail then a red 'X' icon will
be shown instead;
· WWW icon: colored, as depicted, if WWW is accessible as depicted; gray-scale otherwise;
· Firewall: colored, as depicted, if the Firewall service is running; gray-scale otherwise;
LAN
· IP Address: the currently configured IP address for the LAN interface (default VLAN);
10.5.5.51 in the picture;
· Line Color: the line connecting edgeBOX to the LAN will be green, as in the picture, if link is
detected on the LAN connector (meaning that edgeBOX is actually connected to an active
network device); if no link is detected the line will change color to gray;
· Connection Status: the red connection status icon (a red triangle with an exclamation mark '
! ' inside) will show up if no LAN hosts are detected (see the also DMZ explanation); in the
situation depicted edgeBOX detects link on the LAN connector and active LAN hosts; if the LAN
connector does not have link (cable disconnected at one of the ends), then a red 'X' icon will
be shown instead;
· LAN icon: colored, as depicted, if your LAN seems operating normally (both LAN link is
detected and LAN hosts activity is detected too); gray-scale otherwise;
· Authentication: On or Off; tells you if the User Authentication service is active; On in the

28 edgeBOX 5.0 Help
picture;
· Users Logged In: the amount of users currently authenticated; 15 in the picture;
· Phones Online: the amount of phones currently active; 4 in the picture;
· Ongoing Calls: the amount of phone calls currently in progress; 2 in the picture;
DMZ
· IP Address: the current IP address on the DMZ interface; 192.168.200.254 in the picture;
· Line Color: same behaviour as for the LAN; the picture shows that the DMZ connector is
actually connected to some device - link detected;
· Connection Status: same behaviour as for the LAN; in the picture the ' ! ' sign is showing:
that means that no hosts are being detected on that interface;
· DMZ icon: colored if link is detected and DMZ hosts activity is detected too; gray-scale
otherwise (as depicted);
Wifi
If your system has wireless, the Wifi icon will show you:
· Line Color: green if WiFi is enabled (as in the picture); gray otherwise;
· SSID: the current wireless SSID is displayed within parentheses (mywifi in the picture);
· Connected Devices: the number of wireless clients currently connected (6 in the picture);
System Messages
· There are new system messages: when new notifications arrive, such as system
messages, software updates or other, the information icon will show up in the lower-left
corner. Just click the Read Messages... link. A new popup window will display them. Please
read them carefully.

Network 29
4 Network
The Network section is where you can overview and configure most details and
functionalities of your network.
· set the internet connection (WAN), change the local network (LAN) properties;
· overview your virtual networks (VLANs) and specify a domain and a hostname;
· Setup and secure your Wifi network with WEP, WPA and 802.1x;
· view IP routes managed by the edgeBOX (system routes) and create and manage
your own routes (static routes);
· configure edgeBOX's DNS server: add and remove domains, manage access controls
(ACLs) or use Dynamic DNS;
· manage DHCP; edgeBOX includes a DHCP server that allows you to automatically
assign IP Addresses to the computers in your network based on ranges of IP address
or based on specific IP Addresses.
· Use Network Address Translation - NAT - to allow computers on the network to

connect to outer networks like the Internet.
· Allow remote computers to access services on a specific host or hosts within your
private network - Port Forwarding;
· List web sites that you do not want the edgeBOX to cache;
· Manage Quality of Service - QoS: assure bandwidth for services and users;
· Setup a Demilitarized Zone - DMZ for your Internet servers and other special
purposes;
· Use Diagnostic Tools to solve connectivity issues.
Related Topics:
· Cache Websites
· Firewall

30 edgeBOX 5.0 Help
4.1 Configure the internet connection (WAN interface)

To configure how edgeBOX connects to the Internet or to another wide area network you should
choose the Internet Connection menu in the Network section. There you will be able to change
the configuration for the external WAN Interface. Click the Change... button to select how edgeBOX
connects to the Internet:
· through another device such as a cable modem or a router or
· through a DSL/PPPoE connection.
If you change the Forward DNS Servers list and you have the DNS service running,
edgeBOX will use these DNS servers for all external DNS queries. Those settings override any
static or dynamic DNS settings configured for the WAN interface in the Internet Connection menu.
The Primary DNS and, if displayed, the Secondary DNS fields represented in the Internet
Connection menu will automatically revert to the first and second entries in the Forward DNS
Servers list. The DNS servers configured, statically or dynamically, for the Internet Connection will
not be displayed here, because edgeBOX is actually not using them.
If the DNS service is not running edgeBOX will use the DNS servers configured and displayed in
the Internet Connection menu.
Related Topics:
· Cache Websites
· Firewall
· NAT
· Dynamic DNS
· Internet Traffic
· Diagnostic Tools
4.1.1 through another device such as a cable modem or a router

If, in your setup, edgeBOX connects through another device such as a cable modem or a router, you
can choose to:

Network 31
Obtain the data for the connection automatically from the device (DHCP)
If you chose the DHCP connection method, you don't need to enter any additional information.
The edgeBOX will get all needed information from the DHCP server
Use statically configured IP settings (Static)
You need to provide the:
· IP Address
· Netmask
· Gateway
· Primary DNS (IP Address)
· Alternative DNS (IP Address - optional).
The primary and alternative DNS servers you type here will be added to the list of DNS
Servers in the Forward DNS Servers list.
Advanced Options - MTU
If your Internet Service Provider requests it, you can change MTU (Maximum size of the
packets).
1. Click the Settings... button;
2. Activate the Override MTU check-box;
3. Type-in the MTU size as agreed with your Internet Service Provider; press Ok;
4. Press Save.
4.1.2 through a DSL/PPPoE connection

If edgeBOX connects through DSL/PPPoE connection, you need to provide:
Connection Settings
For this type of connections you must type your username and password (please contact your
Internet Service Provider in order to correctly determine these two settings).
Advanced Options
In the Advanced Options menus you should specify how your connection details will be configured
Advanced Options

32 edgeBOX 5.0 Help
Click the Settings... button:
Connection
You should choose to:
· Obtain the IP Address automatically or specify it yourself;
· Obtain the Gateway automatically or specify it yourself;
· Obtain DNS Servers automatically or specify the desired DNS servers;
Packets
· MTU: In this section you can override the MTU (Maximum size of the packets); this may
be required by your Internet Service Provider (ISP); to do it, select the option Override
MTU and change the value in the text field to the value requested by your ISP;
· PPPoE over VLAN: select this option if you belong to one of your Internet Service
Provider's VLANs; your ISP may require this; if you select this option, type the VLAN, as
specified by the ISP, in the VLAN field.
4.2 Change the local network properties (LAN)

To change the properties of your local (internal) networks, or simply to adjust your LAN interface IP
address, you should navigate to the Networks menu in the Network section. There you will find a
list of all your networks (including VLANs).
Choose the LAN network from the list and click the Edit button at the top of the Networks table.
1. Type the desired IP Address for the edgeBOX (IP Address for the edgeBOX’s internal
interface) in the IP Address field.
2. Type the network mask in the field Subnet Mask.
If you change the local network IP address while you are accessing edgeBOX from
the LAN segment, you may loose access to the edgeBOX web management; in that
case, close your browser, make sure you re-adjust your IP address (DHCP or static),
and you can proceed.
· You need to indicate the new address of the edgeBOX in the browser to connect to the
edgeBOX’s web management. View example.
If you change the edgeBOX’s IP Address to 10.1.1.254, type in your browser the address
https://10.1.1.254:8011.
· You may also need to change the properties of the network connection of the computer you
are using to manage the edgeBOX. View example.
If your computer receives the IP dynamically from the edgeBOX, you may need to ask the

Network 33
operating system to repair the connection to gets a new IP address. Or if you have defined a
static address in the connections of your computer, you need go change that address to a new
IP address of the network.
Related Topics:
· Cache Websites
· Firewall
· NAT
· Dynamic DNS
· Internet Traffic
· Network
· Interfaces
· DMZ
· Diagnostic Tools
4.3 Change the DMZ settings

To change the properties of your DMZ network you should navigate to the Networks menu in the
Network section.
There you will find a list of all networks currently managed by edgeBOX. Choose the DMZ network
from the list and click the Edit button at the top of the Networks table.
1. Change the IP Address and the Netmask fields with the desired information.
2. Click the Apply button in the bottom right corner of the tab.
3. Select the Enable DHCP Server on this Interface if you wish to have DHCP also on the
DMZ network.
Please note: you can activate the DHCP service on the DMZ interface, even if you have Firewall
based DMZ services active.
Related Topics:

34 edgeBOX 5.0 Help
· DMZ Traffic
4.4 View and manage VLANs

edgeBOX allows you to have up to five VLANs active on your network. For more details on
edgeBOX's VLANs and possible scenarios please refer to Appendix D: VLAN Based Infrastructure.
To manage VLANs navigate to the Networks menu in the Network section. Why to use VLANs?
VLANs offer higher performance because they limit packet broadcasts in the network. They also
provide additional security by separating groups of devices.
You can use VLANs, for instance, to:
· Control bandwidth usage and make the network faster - For example, you have
more than 200 devices on your local network and your local network is getting slower
because there is too much broadcast traffic (data that is sent from one computer to all
computers in the network). VLANs will limit the broadcast only to the specified group of
devices within a VLAN instead of broadcasting to all devices in the network.
· Increase security - If you have groups of users that need more security due to the type
of information they share between each other, a VLAN can isolate those users from the
remaining network so that information will not be accessible for other groups.
· Easily manage the network - For example, separate users that have VoIP phones from
users that do not have them.
Change the properties of a VLAN
1. Select the desired VLAN from the list and click the Edit button.
2. Change the desired properties of the VLAN:
· Name – A descriptive name to allow you to identify each VLAN.

· Tag – The number that will be used on the network packets to allow the edgeBOX to
send the packet to the correct VLAN. Each VLAN tag must be different. Your switch
should be configured accordingly
· IP Address and Netmask of the VLAN – edgeBOX will be active on this VLAN with this
IP address. Each computer on this VLAN will have an IP address in this segment.
Disable or enable a VLAN

To disable an enabled VLAN select the desired enabled VLAN from the list and click Disable at
the top of the list. The VLAN status icon will become red.
To enable a disabled VLAN select it and click the Enable button. The status icon will turn
green.
Define the Guest VLAN

Network 35
When you use 802.1x authentication on your switch, the Guest VLAN is the VLAN the
network users are temporarily assigned to if they haven't authenticated yet or if they
have introduced an incorrect username or password.
This VLAN usually has limited network privileges. It is commonly used to display information
about how the users can authenticate properly onto the network. After they authenticate, they
are assigned to their respective VLANs. View an example where VLAN 6 is used as the Guest
VLAN...
To configure the Guest VLAN:
1. Click the Define a Guest VLAN... option;

2. Choose the Use as Guest VLAN the VLAN: and pick the VLAN to be used as Guest
VLAN; back in the Networks list the choosen Guest VLAN will be identified with an
appropriate note;
3. Configure your switch accordingly: to do this you must configure you switch to use that
VLAN as the Guest VLAN.
If you don't wish to have a Guest VLAN make sure you select the Have no Guest VLAN option
at step 2.
4.5 Interfaces Physical and Logical Status

If you need to determine the current physical, operational or logical status of edegBOX's network
physical or logical interfaces you need to load the Interfaces popup. This panel is accessible in the
Related Topcis corner of the Networks menu - Network section.
The information displayed is somewhat detailed in that it shows you how edgeBOX implements
certain networking aspects using specific techniques like Bridging and VLANs. It is divided into three
major sections:
Bridges
Here you'll find virtual interfaces used by edgeBOX to logically "attach" several other, logical or
physical, interfaces together: same as saying Bridges.
That's the case of the br0 interface: it commonly bridges together the eth0 (LAN), the eth3 (AUX,
if available) and the ath0 (your wireless interface, if exists). This means that the br0 brings
together those interfaces in order to, thus, form a virtual interface, refered to as br0, to be
treated transparently by edgeBOX kernel as your LAN.
The informations available are:
· Interfaces: the current composition of the bridge (eth1, eth3, ath0 for example);
· IP address: the current IP configuration (IP/netmask) of this bridged virtual interface.

36 edgeBOX 5.0 Help
Physical Devices
Shows you a list of physical network interfaces found in the system. For example: eth0, eth2 and so.
For each of them:
· MAC Address: the interface physical address, or hardware address;
· IP address: the current IP configuration (IP/netmask) of this interface, if available. If you

don't find the IP address for some of these interfaces it just might happen that they are
bridged. In that case the IP address you're searching for will be found in the respective entry
in the Bridges section;
· Interface Status: you'll get a graphical indication of Up/Down status and the interface
current connection bit rate in Mbps.
VLANs
This section of the panel shows you your VLANs. Each is identified by it's assigned name, like VLAN_D
or SERVERS, for example.
For each of them:
· Tag: the 802.1Q VLAN ID or Tag in use; this is a distinguishing marker identifying packets
destined at a given VLAN; this Tag is the means by which your VLAN enabled switch or other
VLAN enabled Ethernet devices can tell to which VLAN each packet belongs;
· IP address: the current IP configuration (IP/netmask) of edgeBOX in this VLAN.
Related Topics:
· What are VLANs ?
· How do I configure and manage VLANs in edgeBOX ?
· I need more details on deploying VLAN based scenarios with edgeBOX...
4.6 Monitor connections through edgeBOX

In certain situations you will need to determine exactly which network connections are actively
passing through edgeBOX or determine if a given IP address is currently connected to some internet
server. The Network popup will help you with that.

Network 37
You can find it in the Related Topics corner of the Networks menu in the Network section. Just
click the Network link.
Status and traffic of edgeBOX's network interfaces
The upper part of this panel shows you a graphical overview of your network interfaces: Internet
Local Network and DMZ. For each of them you can read the total bytes sent and received.
Connections passing through edgeBOX
This list shows you the network connections currently maintained by edgeBOX. For each connection:
· Source IP / User: the IP address that originated the connection; if a username can be
associated to this IP Address it will be displayed instead of the IP address for easier
identification;
· Source Port: transport protocol level source port;
· Destination IP: the other end of the connection; the IP to which this connection is
established;
· Destination Port: transport protocol level destination port, usually identified by a mnemonic
indicating a well know network service like sip or http.
4.7 Change edgeBOX's hostname and network domain

You can find the Hostname in the Hostname and Domain menu, within the Network section.
What is the Hostname?
The Hostname is the name by which the edgeBOX is known in the network (the name
that the computers of the network use to refer to the edgeBOX). A hostname is a descriptive
name. You can choose any name you want. If you have two offices and two edgeBOXes
managing each one you can call one edgebox1 and the other edgebox2, for example.
To change the Hostname click the Change... button and type the new name in the hostname text
box (the hostname must be less than 16 characters long).
You can find the Domain of the network in the Hostname and Domain menu in the Network
section. What is the Domain?
The Domain is the name by which your network is known.
As example, server1.mycompany.org indentifies the host server1 within a network domain called
mycompany.org. Other hosts could exist in that same domain, like for example, john-laptop.
mycompany.org. The mycompany.com part is called a domain name.

38 edgeBOX 5.0 Help
If you do not have a registered domain, then you can give your network the domain you want.
This domain will be private and only visible within your network. For example, if your
company is called MegaSoft then a possible domain could be megasoft.com.
If you have a registered domain, like critical-links.com, for example, then you can use that public
domain.
To change the domain of the network click the Change... button and type the domain name you
want in the Domain text box.
edgeBOX does not update the reverse hosts files of the DNS Domains when you change the
hostname and you have networks defined on the edgeBOX (the local network or the VLANs) that
do not belong to network classes A, B or C.
If you change the hostname or the domain you need to reboot the edgeBOX so that the
changes take effect. An appropriate popup window will advise you of that need.
4.8 View the system routes

In the Network section you will find the Routes menu. This menu shows you, in a simplified
fashion, the contents of edgeBOX's IP routing table: at the top you'll find the Static Routes table;
bellow it you can find the System Routes table. If you need to add routes to other hosts or networks
please see Manage Static Routes - additional routes that you can create and modify.
The System Routes list should contain several entries. You can not edit these entries because they
are configured automatically by edgeBOX. In the System Route table you should see:
· A route for your local network (LAN interface).

If your local network is 192.168.100.0/24, for example, the list should have a route with the
following information:
192.168.100.0 | 255.255.255.0 | 0.0.0.0 | LAN
· A route for your DMZ network.
If your local network is 192.168.100.200/24, for example, the list should have a route with the
192.168.100.200 | 255.255.255.0 | 0.0.0.0 | DMZ
· A route for every active VLAN (virtual local network VLANs interfaces).
If, for example, you have a VLAN named VLAN_B with the properties: 192.168.102.0/24 in the
edgeBOX's vlan3 interface, the list should have a route with the following information:
192.168.102.0 | 255.255.255.0 | 0.0.0.0 | vlan3 (VLAN_B)
· A route for the internet (WAN interface).
If the network is 192.168.170.254/32, for example, the list should have a route with the
192.168.170.254 | 255.255.255.255 | 0.0.0.0 | WAN

Network 39
· A route for the edgeBOX (Loopback route).

A route that is used in case you do not have a connection to the exterior. The list should have
a route with the information similar to:
127.0.0.0 | 255.0.0.0 | 0.0.0.0 | lo
· A default route (typically, the address of the WAN interface – the gateway address).
If your gateway has the IP address 192.168.170.254, for example, the list should have a route
with the following information:
0.0.0.0 | 0.0.0.0 | 192.168.170.254 | WAN
· IPSec routes will be identified with the IPSec tag on the Interface column
If your the remote IPSec gateway has the IP address 212.12.12.12, and this IPSec tunnel gives
you access to an example 10.0.100.0/24 remote network, for example, the list should have a
route with the following information:
10.0.100.0 | 255.255.255.0 | 212.12.12.12 | IPSec
4.9 Manage static routes

If you need to manually configure routes on edgeBOX, use the Static Routes list in the Routes menu,
Network section.
Please note: all necessary routes should be created and managed automatically by
edgeBOX. You can assume that edgeBOX will create and manage automatically all routes needed
for it's correct operation.
If you need to enable access to other hosts or networks that are unknown to edgeBOX or aren't
directly accessible, then you will need to add static routes. You can:
Create a new route
To create a new route, on the Static Routes panel:
1. Click the New button. It will open a new dialog window.

2. Specify the IP Destination Address of the destination network or host, the
corresponding Destination Netmask and the Gateway (the secondary route through
which edgeBOX will reach the destination network or host)
The added route will appear in the Static Routes list.
This panel displays also System Routes - routes that are created and managed automatically by the
edgeBOX based on the settings your global LAN, WAN, VLANs, etc.

40 edgeBOX 5.0 Help
4.10 Wireless
In the Wireless menu, Network section you can configure and change the properties of the
wireless network.
Configure and turn on the wireless
Indicate the type of wireless authentication
Make the wireless network more secure
Make the wireless network public
edgeBOX allows you to have a wireless network and define several configurations to make it more
secure. How does Wireless work on edgeBOX?
edgeBOX provides a wireless LAN access to your office. It can operate with an embedded
Access Point or as an 802.1x Access Point controller if you use several external Access Points
spread through the network.
edgeBOX cannot manage external access points. To manage these access points
you need to use the specific access point's management interface.

Network 41
As you can see in the image above, you can set several scenarios, as integrated authentication
using edgeBOX users' accounts or external authentication using a remote RADIUS server.
edgeBOX supports for WPA, WEP or 802.1x authentication.
As edgeBOX also provides IP-PBX features, you can combine them with the wireless features
to create wireless VoIP phone access.
By default, edgeBOX's wireless network is already running with a factory configuration defined: the
network name is mybusiness, channel 11 and the WPA password is mydemokey. This way, you can
immediately start providing wireless access on your office, without having to configure anything on
the edgeBOX.
4.10.1 Configure and turn on the wireless network

To review or change your Wireless network, please go to the Wireless menu in the Network
section. A short summary is provided, for quick reference:
· Network Name: the network name, as seen by wireless clients (SSID);

42 edgeBOX 5.0 Help
· Security: WEP, WAP or 802.1x
· Channel: the radio-frequency channel being used
Hit the Change... button to edit. A new window pos up with two tabs:
General
· Name: the name for your wireless network; ex: mywifi; also known as the SSID; the name of
the wireless network is a name of your choice that will work as the public identifier of the
network so users can connect to the network;
· Security: you have 4 choices
· None (Public Network): this operation is insecure; if the network has no authentication
then everyone will be able to connect to it; don't use this option unless you really need to
and you understand the insecurity consequences;
· WEP: Wired Equivalent Privay; details are: Key - a 10 or 26 hexadecimal characters

sequence - and Key Position - choose from 1 to 4; (WEP is considered deprecated and
has been cracked; it's preferable to use WPA instead);
· WAP: Wi-Fi Protected Access; grants a very high level of security and privacy; details are:
Key - a 8 to 63 characters long sequence or a 64 hexadecimal characters sequence; this is
commonly referred to as the PSK (pre-Shared key);
· 802.1x: with this option you can integrate your wireless network in RADIUS based
authentication and accounting setups; hit the Change... button and specify the following:
· Data Encryption: choose WPA or Dynamic WEP;
· Authentication: can be local (using edgeBOX) or remote (using the specified

RADIUS server - IP Address, Port and Password);
· Accounting: you can choose to save user statistics and other accounting
information in a remote RADIUS Accounting server (again by specifying it's IP
Address, Port and Password).
Advanced
· Channel: the radio-frequency broadcast channel to be used (from 1 to 11);
· Hide Network: if you select this option the network will not appear in the list of available
networks when users look for wireless networks in their computers;
· Allow only specific devices to use the wireless network: click the Add... button to add
a new MAC Address to the list; only the MAC addresses specified will be allowed in the
Wireless network; how to get the MAC address ?

Network 43
On Windows computers, go to the Start menu and run the Command Prompt; when the black
command line appears type ipconfig /all; the MAC address is identified by the Physical
Address; for example: Physical Address . . . . . . . 00-0C-29-C5-91-9F;
Change the Channel of the wireless network

You will probably need to change the Channel of the wireless network if you have other devices
than this edgeBOX providing wireless networks nearby; other Access Point devices or other
edgeBOXes, per example, to avoid conflicts with the other devices. This is because each of the
overlapping Access Points must have a different channel.
To change the Channel of the edgeBOX's Access Point, select a channel that is not used in the
overlapping networks in the Channel Selection drop down list in the Basic tab when you are
creating the wireless network.
If you wish to temporarily turn of the wireless network for any reason, or if you don't want to have a
wireless network anymore, go to the Wireless menu in the Network section and hit the usual Stop
Service.
The wireless service will be stopped, but the configurations will not be erased. Later on, if you wish
to make the wireless network available again just click Start Service.
If you add a wireless card to the edgeBOX, you need to reboot edgeBOX after you added
the card.
Related Topics:
Indicate the type of authentication for the network
Make the wireless network public
4.10.2 Indicate the type of authentication

When you create your wireless network you should configure the wireless Security option in the
General tab.
This step will ensure your network is, to some extent, protected against undesired users. To secure
edgeBOX wireless network you can use one of the following authentication methods (protocols):
Which type of authentication should I use?
The type of authentication you use depends on the devices that are going to access the wireless
network. For example, some smartphones or older network devices do not support WPA security
yet, so you need to use WEP authentication to ensure compatibility with all devices.

44 edgeBOX 5.0 Help
If you don't need to grant compatibility to older devices, avoid using WEP authentication. WEP is
relatively easy to break. use WPA with a strong password instead because it is more secure.
802.1x authentication is even more secure than WPA authentication. It is normally used to secure
wireless networks on workplaces.
Use static WEP keys authentication
To use WEP authentication on the wireless network:
1. Go to the General tab and choose the Security WEP.
2. Type-in a 10 or 26 hexadecimal characters long sequence; you should use the 26 hexa; but if you
need to ensure compatibility with devices that do not support it, then use the 10 hexa chars
sequence; How must the key be?
The key must be formed using groups of hexadecimal characters (A to F and 0 to 9) separated
by '-'. Example of a 26 chars key: ACBB-8EF2-3410-23AA-F8F0-EEEE-A2.
If all your devices support WPA authentication, then use WPA instead of WEP. WEP is relative
relatively easy to break.
If you need to use WEP then change regularly the WEP keys, to grant a certain level of security.
This is not easy to accomplish if you have many users of the wireless network because you need to
inform them all about the new active key each time you change it.
Use WPA security
To use WPA authentication on the wireless network:
1. Go to the General tab and choose Security WPA.
2. Indicate a key (passphrase or a pre-shared key) that will be used to authenticate to the network.
How must the passphrase or the pre-shared key be?
· Pre-shared Key - must be composed only of exactly 64 hexadecimal characters (A to F and 0

to 9) and cannot have spaces.
· Passphrase - must be between 8 and 63 characters long and cannot contain spaces, nor
special characters like | \ / : * ? ! < > “.
3. You should indicate the passphrase or the pre-shared key to the users of your network you want
to be able to access the wireless network.
You should try to always use secure passphrases and pre-shared keys to increase the network
security. You can obtain random generated secure keys at the GRC website.
Activate 802.1x authentication

Network 45
802.1x authentication means that each user who wants to enter the wireless network has to login
using its own username and password, instead of using a network key that is shared by everyone.
To use 802.1x authentication on the wireless network:
1. Go to the General tab and choose the 802.1x option and hit the Change... button.
2. Select WPA in the Data Encryption section. This is normally called WPA-Enterprise. If you have
devices that do not support WPA accessing the wireless network, choose Dynamic WEP instead.
3. Define the Authentication type: where users' username and password are validated when they
try to login to access the wireless network. You can validate these credentials:
· Locally on the edgeBOX
It means that, edgeBOX will see if the username and password of the user exist in the edgeBOX's list
of users and if they match. This is the default option.
For a user to be able to login, using the 802.1x method, the user needs to have 802.1x Access
permissions. You can verify these settings in the Privilege user, in the Users section.
· On a remote RADIUS server
It means that, a remote RADIUS server will validate the users' credentials instead of edgeBOX.
Check the option Authenticate Users on another RADIUS Server. Below the option, fields to
indicate how the edgeBOX can connect to the remote server will appear: IP address, port and
password for that server.
If you also wish to save information like the time the users were connected or what did they do, you
can save that information on a remote remote RADIUS server. Check box in the Accounting zone
and indicate how edgeBOX can connect to the remote server (IP Address, port and password).
Related Topics:
Make the wireless network more secure
Make the wireless network public (with no authentication required)

46 edgeBOX 5.0 Help
4.10.3 Make the wireless network more secure

You can configure two settings on the edgeBOX to make your wireless network more secure, even if
you are already using a secure type of authentication:
Allow only specific devices to use the wireless network
If you want just a list of specific computers and other network

devices to be able to use the wireless network, that is, to be able
to connect to edgeBOX's access point.
To do that just enter the MAC Addresses (or Hardware

Addresses) of the computers for which you wish to allow access
to the network: in the Wireless menu, Network section, hit the
Change... button and select the Advanced tab.
Activate the Allow only specific devices to use the network

option and add the desired MAC addresses to the list using the
Add... (or Edit...) button.
If you don't want a computer to belong to the list anymore, select

the MAC Address of the computer from the list and click Remove
.
Even if you don't use this option you still have control over who accesses your wireless
network because users still need to authenticate using a wep key, WAP, or using 802.1x. This
option will restrict even further more the access to the network to specific devices.
Hide the network
You can hide edgeBOX's wireless network from appearing in the list of available networks
people see when they scan for available wireless networks they can connect to in they
computers. Why should I hide the wireless network?
Hiding a wireless network is a way of improving the network's security. It makes difficult
unauthorized access attempts; people won't try to enter a network if they do not know it
exists in the first place.
To hide the network go to the Wireless menu, Network section, hit the Change... button
and select the Advanced tab.
Activate the Hide Network option.
For your network users to use the hidden wireless network, they need will need to
connect to the network manually. This process differs according to the user's Operating
System.
Related Topics:

Network 47
4.10.4 Make the wireless network public

A public wireless network is a network with no authentication method. It means that everyone who
receives the radio signal will be able to enter it and use it.
Avoid creating public wireless networks if you don't really want to make it available
for everyone for a given reason.
Wireless networks are more vulnerable to hackers and malicious software because the signal is
available for everybody nearby edgeBOX's access point. If you don't protect the network,
unauthorized people can get access to the information on the computers on the network and use
the connection to access the Internet. Always secure the wireless network if you don't want
everybody to access it.
If you want to make your wireless network public: go to the Wireless menu in the Network
section and select Security: None.
Related Topics:
Configure the wireless network
4.11 Managing the DNS server

If you need to configure DNS you should navigate to the DNS menu in the Network section. There
you can review and change edgeBOX's DNS Server configuration.
DNS is a network service that translates literal hostnames and domain names (such as webmail.
critical-links.com) into numeric IP addresses (such as 209.85.227.103). For more information see
Wikipedia DNS.
edgeBOX supports DNS through the well-known named server. It is possible to:
· configure master, slave or forwarder type name servers.

· grant query access from internal or external networks.
edgeBOX's DNS configurations are divided in the three first subtabs.
· Domains – Where you can indicate all the domains that the DNS server will know.
· Settings – Shows the DNS status and the properties of the DNS server.
· Access Control List – Defines access controls for the domains that the DNS server knows.
Related Topics:

48 edgeBOX 5.0 Help
· Dynamic DNS
4.11.1 Adding or Editing DNS domains

If you need to add new DNS domains, you should go to the DNS menu in the Network section.
There you will find the current DNS configurations table.
On the Domains Tab click New. Three possible Domain Types are available. These are:
· Master: a Master domain server stores the domain database locally (also called authoritative
domain for that domain). It will answer the queries for that domain, using that database;
· Slave: a Slave DNS domain gets its zone file information from a zone master and it will respond
as authoritative for those zones for which it is defined to be a 'slave' (it is sometimes referred to
as a secondary);
· Forwarder: a forwarder type domain server does not answer queries directly: it will forward
them to another name server.
4.11.1.1 How to add a Master domain

If you need to add, or edit, a Master DNS domain, just follow these steps:
Domain Tab
· Name: the domain name;
· Allow only internal hosts to query this domain: selecting this will restrict DNS answers to
queries coming form your local networks; if you have a registered domain you will grant access to
external networks to query this zone; otherwise for private domains you will most likely want to
grant only to internal hosts for security reasons.
· Resolution Type: choose Direct or Reverse; this choice is only active if you have selected
Manual for the Reverse DNS Management option in the global Settings tab. If Direct is chosen,
when hosts are added, the forward entries are required (resolving names to IP's). If reverse is
chosen, the host entries required (map IP's to names).
· Network: IP address and the class (A, B or C) of the IP segment for which this domain is valid.
This option is not accessible if you have selected Resolution Type Direct and the Manual Reverse
DNS Management option
· Name Server: here you specify the IP address of the name server. This option is not accessible if

Network 49
you have selected Resolution Type Reverse and the Manual Reverse DNS Management option.
Hosts Tab
Managing the contents of the Hosts tab is explained in section Managing hosts on an existing domain.
Please refer to that section.
Permissions Tab
If you wish to have higher control of hosts, or networks, for which this domain will be responsive, or
how it will operate, you should use the Permissions Tab. Here you can specify an Access Control
List (ACL) of rules that will be pre-verified before the server determines if, or how, it will process the
DNS queries.
You can have several rules. If a rule matches it will be applied. If no match is found the default
behaviour is to allow queries and transfers but to disallow updates. ACLs created in the Access
Control List tab will be available to you in this process. It might be a good idea to create that list first
and, later, re-use them here, when creating or editing your DNS domains.
Click the New button and specify the following:
· Type: Choose Network or Host based access control rule, and type bellow it the corresponding
values for Network IP address and Netmask or Host IP address
· Query Permissions: from the choice boxes displayed choose if you wish to:
· Allow or Deny Queries: indicates if queries are allowed for this domain
· Allow or Deny Transfers: determines whether other servers are allowed to copy the
zone information from this server.
· Allow or Deny Updates: whether other servers are allowed to submit dynamic updates
for this domain
To add access from Slave domains to a master domain witch is configured to only let
internal hosts make queries, the user needs to add an ACL with the IP/Hostname of the the
respective slave domain and allow the transfer option.
Time Options Tab
· Refresh time: The number of seconds between the time that a secondary name server (slave)
gets a copy of the zone (or sees that it hasn't changed), and the next time it checks to see if it
needs a new copy.
· Retry time: The time which the edgeBOX will wait before querying a Master (if the master fails to
respond to a request)

50 edgeBOX 5.0 Help
· Expire time: The number of seconds that lets the secondary name server(s) know how long they
can hold the information before it is no longer considered authoritative.
· TTL time: Specifies the maximum amount of time other DNS servers and applications should
cache the DNS record. You might wish to lower this if you are going to change your DNS entries
and then increase it to a normal value after the changes have been made and tested
4.11.1.2 How to add a Slave domain

In order to add, or edit, a Slave DNS domain you need to provide:
Domain Tab
· Name: the domain name;
· Allow only internal hosts to query this domain: selecting this will restrict DNS answers to
queries coming form your local networks; if you have a registered domain you will grant access to
external networks to query this zone; otherwise for private domains you will most likely want to
grant only to internal hosts for security reasons;
· Resolution Type: choose Direct or Reverse; this choice is only active if you have selected
Manual for the Reverse DNS Management option in the global Settings tab;
· Network: IP address and the class (A, B or C) of the IP segment for which this domain is valid;
· Master Servers: here you specify the IP address(es) of Master DNS server(s) for which this
domain is a Slave (from which it gets it's DNS database);
Permissions Tab
If you wish to have higher control of hosts, or networks, for which this domain will be responsive, or
how it will operate, you should use the Permissions Tab. Here you can specify Access Control rules
that will be pre-verified before the server determines if, or how, it will process the DNS queries. You
can have several rules.
Click the New button and specify the following:
· Type: Choose Network or Host based access control rule, and type bellow it the corresponding
values for Network IP address and Netmask or Host IP address;
· Query Permissions: from the choice boxes displayed choose if you wish to
· Allow or Deny Queries: indicates if queries are allowed for this domain;
· Allow or Deny Transfers: determines whether other servers are allowed to copy the

Network 51
zone information from this server.
4.11.1.3 How to add a Forwarder domain

DNS queries for a Forwarder type domain will not be answered by the DNS server. Instead, those
queries will be forwarded to an alternate DNS server.
To add, or edit a Forwarder domain you only need to enter it's:
· Domain Name
· Preferred DNS server and
· Alternative DNS server (optional).
4.11.2 Changing global DNS Settings

In the DNS menu, Network section you will find the global DNS server options. Click the
Settings tab.
Server Options
The settings displayed can be changed by pressing the Change... button:
· Reverse DNS Management
· Automatic: the reverse domain is automatically created
· Manual: the admin is responsible for creating the reverse domain (if a reverse
domain is required)
· Lookup Mode: determines the first nameserver to be consulted when a request is received;
· if Local is chosen, requests are made to the forwarder server(s) and, if not
answered, an attempt will be made to find an answer locally;
· if Remote is selected (this is an appropriate option, only if you have entered forward
DNS servers), the local consult will not be attempted;
See Forward DNS Servers below.
· Zone Transfer Format: determines the format used by the server to transfer zones; options
are:

52 edgeBOX 5.0 Help
· One at a time: will place a single record in each message;
· Many: will pack as many records as possible into a maximum sized message;
· Max. Zone Transfer Time: maximum time allowed for inbound zone transfers;
· Max. Query Cache Time: maximum time requests are cached internally.
Forward DNS Servers
This list contains the servers to which queries will be forwarded if the domains queried are not in the
current list of domains. This will be the Name Server(s) used to resolve external domains.
Click the Add button if you wish to add more servers to the list. Use the Move Up and Move Down
buttons to change the order of the entries.
If you change the Forward DNS Servers list and you have the DNS service running,
edgeBOX will use these DNS servers for all external DNS queries. This setting overrides any static
or dynamic DNS settings configured for the WAN interface in the Internet Connection menu.
The Primary DNS and, if displayed, the Secondary DNS fields represented in the Internet
Connection menu will automatically revert to the first and second entries in the Forward DNS
Servers list. The DNS servers configured, statically or dynamically, for the Internet COnnection
will not be displayed there, because edgeBOX is actually not using them.
If the DNS service is not running edgeBOX will use the DNS servers configured and displayed in
the Internet Connection menu.
4.11.3 Managing DNS ACLs

This section tells you how to allow/deny clients the use of your server to perform DNS lookups. To do
this you need to add one or several Access Control Lists (ACL).
Go to the Network section, DNS menu and click the Access Control List tab. Two tables are
presented: the System ACLs table and the User ACLs table. The System ACLs are managed
automatically and can not be edited. You can add and edit User ACLs.
Click the New button in the User ACLs table. You need to provide an ACL Name and a set of rules.
ACLs names must start with a letter and can consist of only letters and digits. You can add several
rules.
Rule Type
· Use an existing rule: choose from

Network 53
· none: for no hosts,
· any: for any host,
· localhost: for edgeBOX's system internal localhost interface (please be very careful when
using this one; if you mean 'the hosts on my local network', referring to your LAN/VLAN or
DMZ hosts, you should use localnets instead; the localhost rule is considered an advanced
rule and should only be used in specific situations);
· localnets (your LAN, VLANs and DMZ networks),
· external (for networks external to edgeBOX);
· Use IP Address: here you specify the hosts for this rule by typing-in a Host IP Address or a
Network IP/Netmask pair.
Action
· Allow - Access to this domain is available for IP's/Networks in this list.
· Deny - Access to this domain is unavailable for IP's/Networks in this list.
Note: Deny takes precedence over allow. That is, if some host verifies a rule for Deny and,
simultaneously, a rule for Allow, the ACL will deny the DNS service to that host.
For large DNS deployments, all ACLs created here are made available to you, in the Permissions tab,
when you create or edit a DNS domain.
4.11.4 Managing hosts on an existing domain

During the process of creating a new Master domain or editing an existing one, you can manage the
hosts on that domain. That is, you can add or remove existing IPaddress-to-name and name-to-
IPaddress mappings (the management of the domain database).
Go to the Network section, DNS menu. Select an existing Master domain (the same applies when
creating a new Master domain). Click on the Hosts tab. The current hosts list is presented. You can
create new entries or manage existing ones.
The first thing you need to do is to choose the Type of DNS record you're adding (this option is only
available when creating new entries).
· Record Type: select from the list; available choices are A, MX, NS, CNAME, SRV and TXT.
For each of the record types a different set of data is required:
· A: the Host Name and it's IP Address;

54 edgeBOX 5.0 Help
· MX: the Domain Name (you need only to enter the left-most part) and the Priority field;
· NS: the Name Server (you need only to enter the left-most part);
· CNAME: the Alias name and the corresponding existing Domain Name;
· SRV: the Service, the Domain Name, the Target Host, the Time-to-Live, Port/Protocol,
Priority, Weight (PWP);
· TXT: the Hostname, the Time-to-Live for this entry and the Text Message specific for this
kind of entry.
How does the Priority field work ?
The lower this number, the higher the priority. Thus, if one e-mail server is set as 5 and the other as
10, the e-mail server with a priority of 5 will be tried first.
What is the Time-to-Live for ?
The Time-to-Live (TTL) allows you to specify how frequently domain data may change. It's common
to set this value to several hours normally, but to push it down 5 minutes when changes to DNS are
expected. The longer TTL means faster resolution times because of caching, but also means the data
may be stale for longer;
What is the purpose of the PWP ?
PWP (Priority, Weight, Port/Protocol): used when more servers are providing the same service;
Priority: the priority of the target host, lower value means more preferred; Weight: A relative weight
for records with the same priority. Used in load balancing; Port: the TCP or UDP port on which the
service is to be found.
4.12 Use Dynamic DNS

Dynamic DNS is a usefull service when you don't have a fixed IP Address to connect to the
Internet (that is, when you don't have static IP configuration on the WAN side) and you still want to
access your host from external networks by a name of your choice.
You can use one of the two supported dynamic DNS services:
· DynDNS
· No-IP
To see details on how to setup and manage an account on these services, consult www.dyndns.org
or www.no-ip.org.

Network 55
Enabling Dynamic DNS

· You need to have an account on either one of those services.
· When you have that, browse to the Network section and click the Dynamic DNS entry on the
Related Topics (at the lower-left corner of the browser window). A new popup dialog will show
you the current configuration status of your Dynamic DNS service. Click the Configure... button if
you wish to configure it:
· Provider: choose your service provider;
· Hostname: this is the name that you created when you set up the account of the
service; type-in the FQDN (fully-qualified domain name; e.g.: mybusiness.no-ip.org or
myserver.dyndns.org);
· Username: type the username given to you by the provider;
· Password: the password given to you by the provider.
4.13 Using the DHCP service

The DHCP Service assigns IP configurations to hosts, laptops and phones on your internal networks:
LAN, VLANs and, possibly, your DMZ. What exactly is DHCP ?
Usually on boot, computers, IP phones and other devices will request the assignment of an IP
Address, a Netmask, a Default Gateway, DNS sever(s) and other TCP/IP related informations,
in order to be able to actively participate in the network they are attaching to. This process is
accomplished with the Dynamic Host Configuration Protocol - DHCP (to learn more visit
Wikipedia DHCP).
Managing your DHCP server
To get an overview of the current status and configurations point your browser to the Network
section, DHCP menu. A table with three tabs will be presented:
· IP Address Ranges: the ranges displayed will be used by your DHCP server to assign IP
addresses to computers or phones that request them;
· Fixed IP Addresses: this section shows you the IP addresses that are automatically assigned to
one specific host or phone; a specific host is identified by it's MAC address; this way you can have
static MAC-IP assignments;
· Advanced Options: here you'll find several global options the server will comply to, such as
maximum lease time and host configuration variables.

56 edgeBOX 5.0 Help
Related Topics:
· DHCP Leases
4.13.1 Assign IP addresses using Ranges

Here you can define ranges of IP Addresses that will be assigned dynamically. When a computer
in the network requests an IP Address, the DHCP service will assign it an available IP address from
one of the existing ranges.
· You can create several IP address intervals as long as they don't overlap; see an
example
If you have a DHCP range from 1.2.3.10 to 1.2.3.100, you will not be able to add another
from 1.2.3.50 to 1.2.3.200 because they overlap;
· Each DHCP range created must completely fit into one of the currently configured internal
networks (LAN, VLANs or DMZ); see an example
Let's use the following reduced scenario for simplicity: your LAN segment is
10.1.10.0/255.255.255.0; you have an active VLAN on the 192.168.103.0/255.255.255.0
segment and your DMZ is 192.168.200.0/255.255.255.0; you will not be able to add a DHCP
range from 192.168.70.10 to 192.168.70.20 because you do not have an internal network
compatible with this range; this range would not be used at all; on the other hand you can
define a DHCP range like 192.168.200.50 to 192.168.200.100 because it fits into one of your
internal networks (the DMZ in this case).
· For each IP address interval you can define a prefix; it will be prepended to the last portion
of the IP assigned, thus forming the hostname sent. View details about the prefix
· Example - If you enter mobile as the prefix and the domain if your network is local.loc,
then a host to which the IP address 192.168.100.200 is assigned, will also receive 'mobile-
200.local.loc' as hostname.
· E-mail Server - If you have edgeBOX e-mail server running and you want to have
domains or hosts in the SMTP Relay list, in the e-mail server's Access Control definitions,
then you must indicate a prefix.
Create a new range
To create a new range of IP Addresses:
1. Click the New button below the Ranges list in the DHCP tab.
2. On the dialog window indicate the lower IP address of the range in the Start IP
Address field.
3. Indicate the higher IP address of the range in the End IP Address field.
4. Optionally, type the Prefix.
Delete a range

Network 57
To delete a range of IP Addresses:
1. Select the desired range from the Ranges list.

2. Click the Delete button below the list.
3. Click the Apply button to save the changes.
If you delete a DHCP range, the computers that receive IP addresses from that range
may not be able to connect to your network the next time they are turned on. Other failure
situations are possible. Be careful when deleting DHCP ranges.
Related Topics:
· Assign IP addresses using MAC-IP rules
· Overview the settings of the DHCP service
· Configure DHCP advanced settings
· DHCP Leases
4.13.2 Assign IP addresses using MAC-IP rules

The Fixed IP Addresses tab, Network section, DHCP menu, allows you to assign always the
same, specific IP address, to a computer. Each time that specific host or phone requests an IP
address to connect to the network, the server will provide the IP address you specify.
Create a new MAC-IP Rule
To assign a specific IP address to a specific device:
1. Click the New button.

2. Type-in the IP address you want for the device in the IP Address field;
3. Enter the device's MAC address in the corresponding afield.
To find the MAC address of a computer you can use the ipconfig /all command in the
command line of Windows systems or ifconfig in the command line of Linux systems.
Related Topics:
· Assign IP addresses using Ranges
· Configure DHCP advanced settings

58 edgeBOX 5.0 Help
· DHCP Leases
4.13.3 Configure DHCP advanced settings

The Advanced Options tab allows you to further refine your DNS server's configurations. The
Advanced Options are separated into:
Lease Time
The Lease Time is the length of time for which the host can use the IP Address assigned by the DHCP
Service before he is required to request it again from the DHCP Service.
· Default Lease Time: is the default duration, in seconds, a host can use the given IP Address;
· Maximum Lease Time: hosts usually simply ask for an IP Address and use it for the default
lease time; in other situations they can ask for a specific lease time. In those cases, the DHCP
service will assign the IP address for the requested duration if it is smaller than the max;
otherwise the maximum time will be used.
To change any of them just hit the Change... button and type in the desired value(s).
Gateway and DNS
These settings control the Gateway, DNS and Domain Name that will be provided to the network
hosts as part of their IP configuration.
· Gateway: determines the Default Gateway to be provided to the hosts requesting the dynamic
IP configuration; by default this is edgeBOX's LAN IP address; will only be provided to internal
network (LAN, for short) hosts;
· Domain: this is the network domain to be provided; it determines the domain to which the
host belongs when getting it's IP configuration; will be provided only to LAN and DMZ (if
enabled) hosts requesting dynamic IP configuration;
· DNS Server(s): this/these are the DNS servers the host should query in order to resolve
names; by default edgeBOX will take on that task, and thus, the default configuration is to
provide edgeBOX's LAN IP address; will be provided on any network zone to which the DHCP
service is reachable.
If you need to change these default settings, click the Change... button and specify them manually
by entering data into the desired text fiels, in the popup dialog.
Related Topics:

Network 59
· Assign IP addresses using Ranges
· Assign IP addresses using MAC-IP rules
· DHCP Leases
4.13.4 DHCP Leases

The DHCP Leases popup is available in the DHCP menu, Network section, in the Related Topics
corner. It shows you the current list of IP addresses assigned to each computer in your internal
network.
It shows you the IP Address assigned, the Device Name (if available), the host's MAC Address,
and the start - From field - and end - To field - dates of each lease.
The Ping Status column will show you if that specific IP Address is currently present on the
network: select an entry from the list and click the Ping button to update this field.
Click the View expired DHCP Leases... option to get a list of leases considered expired.
4.14 Manage the Webcache size and sites

You can specify websites which you don't want to cache of (cache exceptions). About edgeBOX's
cache.
edgeBOX acts a Transparent Proxy Caching Server. It makes the webpages your network
users consult more frequently to be loaded quicker, also minimizing WAN bandwidth usage
This is made by saving parts of the webpages in the edgeBOX.
To do this, please navigate to the Network section. Follow the Cache Websites link in the Related
Topics corner.
Change the size of the Proxy Cache
1. Click the Change... button and select a value between 128MB and 8192MB in the Cache
Disc Size drop down list.
2. Hit the Save... button.
Indicate cache exceptions

60 edgeBOX 5.0 Help
By default. edgeBOX caches all websites. You can indicate websites that you don't want the
edgeBOX to cache. It may be useful for some specific websites, like websites that are very
dynamic and their content changes constantly.
To indicate to the edgeBOX not to cache a website:
1. Click the New button.

2. Type the IP address of the website that the edgeBOX must not cache in the window
that will pop up.
3. Click OK.
You can also delete and edit these entries.
Do not cache websites / stop the Proxy-Cache Service
By default edgeBOX caches the websites your network workers visit. This is, the Proxy Cache
service is by default running. You can stop the service if you don't want edgeBOX to cache any
websites.
To stop edgeBOX's proxy cache click the Stop Service link at the top. To start caching
websites again, click Start Service.
If you stop caching websites, edgeBOX will not be able to block access to
websites you may have blocked or block access to websites containing words and
expressions you may have blocked in the Website Restrictions options, Security section.
If you have Premium traffic defined in the QoS section, this traffic is not cached by the
edgeBOX.
4.15 Using NAT and Port Forwarding

The usage of NAT and Port Forwarding, being mostly Firewall related, is fully covered in the Security
section.
Please refer to that section for details: NAT and Port Forwarding.

Network 61
4.16 Using QoS

The edgeBOX QoS (Quality of Service) consists of differentiating the network traffic resulting from
the activity of services and/or users.
The process of service and user QoS configuration is different both in the concept itself and the
difficulty to accomplish. On the one hand, service traffic differentiation requires service classification
configuration, that is, information about how the service packets may be recognized among all others
on the network. On the other hand, user traffic is much easier to configure as it only involves
assigning a traffic behavior to a group of users, given by a Privilege.
These two approaches have different purposes. Let's consider that we want to be able to use an
IPSec tunnel no mater how much congested the network is. In this case, we would need to classify
the service by creating a rule to assign an assured rate to every ESP and GRE packets.
Nevertheless, we may not be concerned with a service in particular and we may just want to be able
to grant Internet access to a certain group of users even if the network is overloaded. In this case,
we just need to select an appropriate traffic profile and assign it to the users' Privilege.
Moreover, we may want both the scenarios, the IPSec tunnel and the users' Internet access when
the network is congested. This is possible, just by applying both configurations. It is also important to
keep in mind that service classification is always processed in the first place. The order of packet
classification is the following:
1. Service classification
2. User Privileges
3. Classification based on the packet DSCP mark
Classification based on the DSCP mark will only be used when the authentication is turned off
because, otherwise, all traffic is somehow included in a user privilege.
Classes of Service
The differentiated traffic behavior is given by CoS (Classes of Service). A CoS is deployed by a
internal mechanism which shapes the network traffic in order to meet a set of expectations such as
the minimum rate, maximum delay, maximum delay variation and maximum packet loss.
The edgeBOX provides a set of CoS according to the Diffserv model. As the Diffserv nomenclature is
very technical, we chose to use a more user friendly one called Olympic. Therefore, the edgeBOX
provides the following CoS:
DSCP Maximum
CoS Olympic CoS Diffserv ToS (hexadecimal)
(hexadecimal) Percentage Rate

62 edgeBOX 5.0 Help
10% of non
BE DF 0x0 0x0
premium rate
20% of non
Bronze AF11, AF12, AF13 0xa, 0xb, 0xe 0x28, 0x30, 0x38
premium rate
30% of non
Silver AF21, AF22, AF23 0x12, 0x14, 0x16 0x48, 0x50, 0x58
premium rate
40% of non
Gold AF31, AF32, AF33 0x1a, 0x1c, 0x1e 0x68, 0x70, 0x78
premium rate
Premium EF 0x2e 0xb8 User defined
Only the Premium class is configurable and cannot be classified directly neither by the users or by the
services. The purpose of this class is to be used to build a set of high priority subclasses called pipes.
Thus a pipe, is a user defined traffic profile, inheriting the Premium configuration except for the rate,
that is, rate is to be set by the user. Therefore, the premium class cannot be assigned but pipes can.
The CoS provided for inbound and outbound traffic are not exactly the same. Actually, for inbound
traffic classification, only two of those classes are provided: BE and Premium. In this context,
although premium has no pipes it can be classified directly.
VoIP QoS
VoIP traffic classification is handled internally as a pipe, that is, VoIP audio (RTP) packets are
classified as Premium and signaling (SIP, IAX) is classified as Gold. The only configuration required is
setting the VoIP assured rate.
However, there is an exception: if the VoIP QoS is set to 0, then it will not use this hidden pipe
anymore and will use the Gold for every VoIP packets class instead.
Starting and Stopping QoS
The QoS Service can be started and stopped on the service bar at the top of the QoS menu,
Network section. Furthermore, it is possible to decide whether to apply or not QoS on each
interface - WAN and DMZ (if available).
Related Topics:
· Privileges

Network 63
· Internet Traffic
· DMZ Traffic
4.16.1 QoS Upload configuration

To set QoS upload configurations for the Internet (the same applies for the DMZ, if available) just
hit the corresponding Change... button in the QoS menu, Network section. A new window with the
QoS upload properties will be presented including the following parameters:
· Maximum Rate: sets the maximum upload rate; this can be used to limit the upload rate for
all the upload traffic;
· Premium Assured Percentage: sets the maximum percentage of the upload bandwidth
assigned to the Premium CoS;
· VoIP Assured Percentage: sets the percentage of upload Premium bandwidth to be used
for VoIP traffic.
Advanced QoS Upload Configuration
The Advanced Configuration... button opens another window with the advanced upload QoS
settings. These settings consist of the following:
· Mark DSCP: by checking this, packets will be classified and marked according to the Diffserv
architecture; enable this feature only if you have an SLA (Service Level Agreement) with your
ISP;
· Allow other classes to borrow unused Premium bandwidth: selecting the option means
that the Premium CoS will borrow bandwidth whenever it is requested by another CoS and if
that premium bandwidth is not being used. Otherwise unused Premium bandwidth will always
stay unused.
· Pipes Management: by clicking on the New (or Edit) button a window will be presented with
the Pipe configuration. It includes:
· the pipe's Name;
· the Percentage of Premium assured rate assigned to the pipe.

64 edgeBOX 5.0 Help
4.16.2 QoS Download configurations

To set the QoS download configurations for the Internet or the DMZ, if supported, just click the
corresponding Change... button in the QoS menu, Network section. Download configuration
includes the following parameters:
· Maximum Rate: maximum download rate;
· Premium Assured Rate: percentage of the maximum download rate that will be used for
the Premium CoS.
4.16.3 Service Classification

As mentioned before in this section of the manual, there are three packet classification strategies:
· based on the service,
· based on the user privilege and
· based on the packet DSCP field.
It was also mentioned that the first has higher priority and it is always applied in the first place.
The service configuration panel is accessed in the Network section, QoS menu by clicking the
Create, edit or remove QoS service classification rules option. The parameters which may be
used in service configuration are the following:
· Traffic Direction: sets the direction of the packet; accepted values are LAN->WAN, LAN-
>DMZ, LOCAL->WAN, LOCAL->DMZ, WAN->LAN, WAN->LOCAL, DMZ->LAN, DMZ-
>LOCAL (LOCAL referrers to packets going from or coming to the edgeBOX itself);
· Protocol: protocol of IP packet; accepted values are TCP, UDP, GRE or ESP;
· Source Address: sets the source IP address(es); options are Any IP Address, Single IP
Address or IP Address Range;
· Destination Address: sets the destination IP address(es); options are options are Any IP
Address, Single IP Address or IP Address Range;
· Source Ports: sets the source ports; it accepts a single port, a port-range or a set of ports
and port-ranges. This parameter it's only visible for TCP and UDP protocols;
· Destination Ports: sets the destination ports; it accepts a single port, a port-range or a set
of ports and port-ranges. This parameter it's only visible for TCP and UDP protocols;
· Service Class: sets the CoS which will be assigned to the service. The available options
depends on the traffic direction and on the pipes created. Remember that there are only two
classes in inbound (Best Effort and Premium) and no pipes.

Network 65
Service Rules Priority
There may be conflicts between service classification rules. For example, let's consider the following
two rules on the following order of priority:
1. All TCP packets from LAN to WAN, from any IP address, to any IP address, form any port, to
the port range 20-100, classified as upBE;
2. All TCP packets from LAN to WAN, from any IP address, to any IP address, form any port, to
port 22, classified as upGold;
In this case, rule 2 will never been reached because, is subsumed by rule 1. In other words, port 22
is included in the port-range specified on rule 1 and as rule 1 has higher priority than rule 2. Only
rule 1 will be used to classify these packets.
On the other hand, inverting the priority, that is, setting rule 2 priority higher than rule 1, will have a
completely different result. In this case, packets destined to port 22 will be classified as Gold and
packets destined to the other ports, from 20 to 100, will be classified as BE, of course, with the
exception of port 22.
Therefore, specifying service classification rules demands special attention to these issues. Rules
priority is changed by selecting a rule and clicking the Up and Down buttons on the toolbar.
4.16.4 Internet and DMZ QoS statistics

The Internet Traffic and DMZ Traffic popups are available in the QoS menu, Network section, in
the Related Topics corner. Both display the same kind of information, but each for it's
corresponding network zone: Internet zone (WAN) or DMZ zone.
For convenience, the Internet Traffic popup can also be reached in the Related Topics corner of
the Internet Connection menu in the Network section. Similarly, the DMZ Traffic popup can
identically be reached in the Related Topics, DMZ menu, Security section.
These panels allow you to view traffic control statistics for the Internet Connection and for the DMZ
interface. Data is calculated for a period of 15 minutes using values that are collected every 2
minutes.
Upload Bandwidth and Download Bandwidth
· the two, left and right, upper corner panels show you the inbound and outbound current
bandwidth usage and the current QoS Maximum Rate in Kbps: as example 235 Kbps of
20000 Kbps;
· Transmitted bytes: total transmitted bytes;

66 edgeBOX 5.0 Help
· Transmitted packets: total transmitted packets;
· Dropped packets: total dropped packets.
Upload Bandwidth per class
For each of Premium, Gold, Silver, Bronze and Default (BE) QoS traffic classes displays the same
four values: Bandwidth Used, Transmitted Bytes, Transmited Packets, Dropped Packets.
Download Bandwidth per class
For each of Premium and Default (BE) QoS traffic classes displays the same four values:
Bandwidth Used, Transmitted Bytes, Transmited Packets, Dropped Packets.
You can use the Reset button to bring all values to zero and restart statistics.

VPN 67
5 VPN
This section allows you to review and change VPN configurations
· IPSec
· PPTP
· L2TP
A Virtual Private Network (VPN) provides the means by which two private protected networks,
or a user and a private network, can be made to communicate and interoperate, using an
available link through an unsafe network, such as the public Internet.
This is accomplished by the usage of authentication and encryption techniques which assure privacy
and security form one end to the other, thus providing safe connectivity for remote sites or users.
edgeBOX currently supports three options for enabling VPN connections:
· IPSec
· PPTP
· L2TP
5.1 IPSec
IPSec VPNs are especially suited for establishing tunnels between two private networks over the
Internet, connecting them securely. This kind of IPSec VPNs is referred to as Net to Net IPSec.
Nevertheless edgeBOX also supports the RoadWarrior type, which is best suited for remote users
to connect to a protected network.

68 edgeBOX 5.0 Help
Net to Net IPSec VPN connecting two private networks
To review or manage your IPSec tunnels, navigate to the IPSec menu in the VPN section. An
overview is presented with a list of configured tunnels, their details and their respective status.
To Start or Stop the IPSec function globally you can use the usual Start Service and Stop Service
options at the top of the menu, in the service status bar. Please note that the IPSec service can not
be started if the WAN interface is not configured.
In addition to the usual management operations (New, Edit and Delete) you can also Start, Stop
and refresh the Status of each tunnel.
Please note that the Status function's correct operation is, architecturally, limited to situations
where the edgeBOX have an interface directly connected to the tunnel local network. If that is not
the case, the Status function will not produce a correct tunnel status information.
To create a new IPSec tunnel, you will need to choose among two kinds of IPSec: Net to Net and
RoadWarrior. The Configured Tunnels table shows you several details about each tunnel:
· Name: the tunnel's name
· Gateway: the tunnel's gateway IP address or the RoadWarrior indication
· Networks: the two network endpoints
· Status: the current operational status of each tunnel.
For tunnels that are running you can select the entry and right-click it with the mouse. You'll get
access to a context menu with an option named View that allows you to view current details of the
running tunnel. All other options are also available.
IPSec Routes
edgeBOX automatically generates and manages IP routing details necessary for the correct
manipulation of IPSec traffic between the two tunnel endpoints. These routes are distinguished with
a specific 'IPSec' identifier in the Device column of the System Routes panel in the the Network

VPN 69
section.
Related Topics:
· Routes
5.1.1 General
After clicking New and choosing the type of IPSec - Net to Net or RoadWarrior - you can configure
several details for the tunnel:
General Tab:
The general tab allows you to configure a VPN tunnel with a minimum of information. That is, a
number of networking and security related parameters are automatically set for you. If you need to
review them or change them, go to the Advanced Tab. Depending on the type of VPN tunnel, you
should provide:
· Tunnel Name: a name by which to identify this tunnel
· Local Network: IP Address and Netmask specifying the internal segment on the "local" side of
the tunnel; could be your local LAN (ex. 192.168.100.0/255.255.255.0) or any of your VLANs
(ex. 192.168.101.0/255.255.255.0);
· Shared Key: both local and remote ends of the tunnel must have the same key to initiate
encryption; this key is the pre-shared secret (PSK); the PSK should be generated from purely
random characters;
Net to Net specific:
· Remote Network: IP Address and Netmask specifying the IP segment on the "remote"
side of the tunnel (as will be "seen" locally);
· Gateway: the IP Address of the IPSec server this tunnel is to be established to;
RoadWarrior specific:
· Remote Hosts: any or a specific host.

70 edgeBOX 5.0 Help
5.1.1.1 Advanced
You'll find all IPSec Advanced configurations in the Advanced Tab.
This tab shows you an overview of your current options. To let you fine tune them, a specific
Configure.... button exists in each of the four configurable sections. The defaut values are:
Proposals
· Phase One
· Encryption: Options are 3DES or AES (128 bit encryption)
· Authentication: MD5 or SHA1
· SA Lifetime: 8 hours to 24 hours
· DH Group: Options are Group2 (1024bit) or Group5 (1536bit)
· Phase Two
· Encryption: Options are 3DES or AES (128 bit encryption)
· Authentication: MD5 or SHA1
· SA Lifetime: 1 hour to 8 hours
· DH Group: Options are Group2 (1024bit) or Group5 (1536bit)
· Perfect Forward Secrecy: provides additional security by preserving the security of your old
encrypted data even with the private key compromised;
· Agressive Mode: Enables faster tunnel creation/operation as fewer messages are exchanged
between peers, but exposes identities of the peers to potential eavesdropping, making it less
secure; generally speaking, avoiding aggressive mode should be preferred when possible, usually
set to on.
Please note: edgeBOX supports only AES-128.
ID Information
· Local ID: default local ID (IP Address) or, alternatively an IP Address, a FQDN or an e-mail
address;
· Remote ID: default local ID (IP Address) or, alternatively an IP Address, a FQDN or an e-mail
address;

VPN 71
Tunnel Access Control
· Incoming Access: list or rules specifying whether your hosts are, or aren't, visible to remote
hosts over the tunnel;
· Outgoing Access: list of rules blocking access of your hosts to the remote network; by default all
hosts in the network will be able to use the tunnel;
Allowed Services
· this add/remove service list provides the means by which edgeBOX services allowed/denied
through the tunnel; you can grant or revoke access to services running on the edgeBOX for hosts
in the remote network.
5.2 PPTP
PPTP is used to establish VPN tunnels across the Internet. This allows remote users to access the
internal network from anywhere on the Internet.
PPTP tunnel connecting a host to a private network
In the PPTP menu, VPN section, you can review and change your PPTP configuration. A short
overview is provided:
· Remote Users are authenticated by the: local authentication service or remote RADIUS
server
· IP Addresses are dynamically assigned between ... and ...
· Connected Users: a table where each connected user is listed as well as the IP address of the

72 edgeBOX 5.0 Help
client machine from where the connection was established, and the time at which the connection
was established.
Click the Change... button to edit these settings.
When using PPTP with the (local PC) default remote gateway option checked (connection TCP/
IP options), you will not be able to access the Internet via the PPTP connection. This is because it
makes more sense to access the internet via your local network, which reduces edgeBOX traffic
and encryption overheads. Please review that option if you loose access to the Internet.
Related Topics:
· Privileges
5.2.1 PPTP Properties

To change the PPTP properties, go to the VPN section PPTP menu and click Change.... You'll need to
specify configurations for:
User Authentication
· Authenticate the remote users using the local authentication service: selecting this
option means that the authentication will be performed by edgeBOX. No additional
configuration is needed, such as RADIUS user creation. Authorization for PPTP VPN use is
configured in the User Management panel.
· Authenticate the remote users using a remote RADIUS server: type the IP Address,
the Port and Password for the RADIUS server;
IP Address Assignment
These two fields allow you to set the IP address range which will be assigned to clients connecting
through PPTP. The address range should not overlap the DHCP range, nor should any static IP
addresses in this range be defined.
The process by which edgeBOX determines if a given user - trying to establish a PPTP
connection - is or is not allowed to do it depends solely on the Privileges defined for that user. You
should keep in mind that edgeBOX manages all users permissions around the concept of Privileges.
Access to PPTP is one of those features.

VPN 73
Please read on.
Access Priviliges using Local Authentication
When a user accesses the network using a PPTP connection, the privileges the user has are related
to the access profile the user belongs to. edgeBOX verifies the access rules defined on the
profile of the user to determine access to the LAN and VLANs.
If the profile of the user has the Allow full access to LAN from PPTP connections option
switched on then the user will have access to the LAN as if he was a regular LAN user, with access to
the network services based on the profile policies he belongs to. Else, the user will have no access
privileges at all besides the specific access rules defined in the Access Profile's Destination
Access Policies list.
Access Privileges using remote RADIUS authentication
If you want PPTP users to authenticate in a remote RADIUS server instead of the edgeBOX,
then all the process is made in the Remote Server, so you don't need to create the users in the
edgeBOX.
PPTP users that authenticate in a remote RADIUS server will always belong to the 'Default'
access profile as it is impossible for the edgeBOX to know who they are.
Related Topics:
· Privileges
5.3 L2TP
Layer Two Tunneling Protocol (L2TP) is an extension of the Point-to-Point Tunneling Protocol (PPTP)
used by Internet service providers to enable the operation of a virtual private network (VPN) over the
Internet.
If you need to configure L2TP go to the VPN section, L2TP menu. A quick overview is provided
stating the current tunnel status.
Click the Change... button. Please provide:
· Server IP: IP address of server
· Username: Username on the server used for authentication
· Password: Password on the server used for authentication, which is the password for the

74 edgeBOX 5.0 Help
above username
· PSK: Pre-Shared secret key (must match the one on the server)
· Keep Connection Alive: Polls the server to maintain the connection
At the end make sure the L2TP service is running. Note: L2TP is not encrypted but simply allows
the tunnel connectivity. Encryption/Privacy should be provided by higher protocol layers and/or
applications.

Security 75
6 Security
This section allows you to review and change Security related settings such as:
· Firewall: WAN and DMZ service access, Internal Connections, Advanced Firewall, SPI
· NAT and Port-Forward
· Website Access Restrictions
· Anti Virus Engines
· Shared Folders Scanning
· Mail Scanner
6.1 Firewall
Configuring the Firewall is an important aspect in the global security of your network, your network
services and your users.
Go to the Firewall menu in the Security section. There you can:
· Apply Firewall settings for connections coming from the Internet and the DMZ
· Adjust firewall blocking rules for Internal Connections
· Fine tune your Firewall using Advanced Firewall Rules
If you do not activate the Firewall service edgeBOX will be working in pure router mode – all services
will be available.
Enabling or disabling a service, allows or blocks access to that service on the edgeBOX. Blocking, for
example, ftp, prevents internal users from accessing edgeBOX's ftp service but still allows users to
ftp, through the firewall, to outside servers. If you wish to block user's connections to other servers
besides edgeBOX then you should look at the user Privileges section.
Related Topics:
· Services

76 edgeBOX 5.0 Help
· Privileges
6.1.1 Securing the Internet and DMZ links

The operation of your Firewall can be managed in the Security section, Firewall menu. This panel
allows you to review and manage your Firewall configuration. By default, after installation, the
Firewall service is running and most services are forbidden from the outside: only Webadmin (https
management) and Ping are allowed.
This menu shows you two horizontal panels:
· Connections allowed coming from the Internet: connections originating in the Internet
directed at edgeBOX will be allowed if listed;
· Connections allowed coming from the DMZ: connections originating in the DMZ directed at
edgeBOX will be allowed if listed;
To add or remove a service from these lists click the Change... button. A new dialog window will
popup. In this new dialog please select the sub-panel you wish:
· Internet (WAN), or
· DMZ Network,
and use the Add and Remove buttons to edit the allowed services list according to your needs (note
that managing the firewall is only allowed if the service is running). See an example:
If you wish to block any connections to your SNMP agent that originate in the Internet. You need to
press the Change... button and select the Internet tab. Then, if the SNMP service is listed you need
to remove it from the list (if not listed you're done here). Click it and click the Remove button. Click
Save. That's it: starting now, any connections coming from the Internet to the SNMP service are
unallowed.
6.1.2 Securing Internal Connections

Clicking Internal Connections... you gain access to a configuration panel that allows you to specify
edgeBOX services that can not be accessed from the LAN and VLANs.
Please note that the services you add to this list will be unreachable from the LAN and VLANs
(in the Internet and DMZ panel the rule logic was the oposite: to allow connections; here the rule is
"services added here are unallowed").
The interface is similar. Just Add and Remove items from the list. Press Save in the end.

Security 77
Services added to the Internal Connections... (blocking) list will be blocked to the LAN and
VLAN users, no matter what configurations you might add somewhere else.
How do I fine tune and manage connections that originate in the internal network ?
This is an important topic when configuring your edgeBOX. You need to keep in mind that edgeBOX
supports extensive mechanisms for granting and controlling Users and their Privileges. Even if
you don't activate the User Authentication service you can manage which services your users have
access to. Please refer to the Users section for detailed information.
6.1.3 Using Advanced Firewall Rules

In most situations you should not need to add extra firewall rules. But if that is the case you can use
the Advanced Rules... link in the Network -> Firewall menu. Using this, you can explicitly allow/
deny incoming/outgoing traffic based on the source, destination and protocol.
Check the Use Advanced Firewall Rules option to activate the rules panel. Configure:
· Inbound Rules / Outbound Rules: to manage rules in each traffic direction;
· Default Rule: click Allow or Deny to determine the default rule to be applied when no rule
matches (a Red/Green icon will toggle indicating the current default rule);
· Stateful Packet Inspection: keep track of the state of incoming/outgoing network

connections (analyse packets in packet context and in connection context); to learn more
see Wikipedia Stateful Firewall; how can it be usefull for me ?
A Statefull firewall raises the level of network security obtained because only packets
matching a known connection state will be allowed by the firewall; others will be rejected.
This is actually an increase in network security because you increase the ability of the
firewall to determine if a packet is or is not supposed to be allowed in.
You can have distinct a Default Rule and a diferent SPI setting for each traffic direction. Now you
need to add or edit rules.
Rules
You can create New... rules and Edit... or Delete... existing rules. The order by which rules will be
verified can be changed with the Up and Down buttons.
For each rule, a wizard-like sequence of dialogs will guide you through the creation/edition of your
advanced firewall rules:

78 edgeBOX 5.0 Help
Step 1: Action and connection type
· Allow/Block connections: choose if this rule is to Allow something or to Deny something;
· Connection Type: All, TCP (you can choose All destination ports or specify individual ports or
even port ranges like 21, 22, 80, 500-600), UDP (same as TCP) and ICMP;
Step 2: Source and destination
· From location: Any (connections that originate anywhere), Device (connections that originate in a
specific IP Address), Network (connections that originate in a specific segment, as specified by an
IP Address and a Netmask) and edgeBOX (connections originating in edgeBOX it self);
· To location: Any, Device, Network, edgeBOX (connections directed at this edgeBOX it self).
Step 3: Name and Summary
· Name: a suggestive name for this rule;
· Summary: at the end, an overview of the rule.
Show me an example
Lets imagine you need to prevent all computers from IP segment 1.2.3.0/24 from sending any kind of
e-mail through SMTP. This is how you'dd do it: Step 1 Block TCP port 25; Step 2 From Network
1.2.3.0/255.255.255.0, To Any; Step 3 Name nosmtp123.
On the other hand, you might wish to deny any kind of access to a specific host: Step 1 you'dd need
to Block All; Step 2 From: Any To: Device (that specific host IP Address); Step 3 name it
forbidden.
Private Network Routing...
RFC 1918 determines that "because private addresses have no global meaning, routing information
about private networks shall not be propagated on inter-enterprise links, and packets with private
source or destination addresses should not be forwarded across such links".
Due to the fact that edgeBOX is designed to operate in a variety of network configurations, edgeBOX
can have it's WAN interface attached to a public or private IP segment. So edgeBOX's default
behaviour is not to block routing of incoming or outgoing packets based on the nature - public or
private - of WAN segment.
If you need to implement such behaviour you should add specific firewall rules in the Advanced
Rules... menu.

Security 79
6.2 Setting up a DMZ

A DMZ is a small sub-network that sits between a trusted internal network (for example, a Corporate
internal network) and an untrusted external network (such as the Internet). This kind of network is
used as a buffer between the two networks: hosts placed in this network are accessible either from
trusted and untrusted networks, but cannot access the trusted network. Usually, this kind of networks
is used to house Internet servers (web servers, DNS servers, e-mail servers).
This interface is configured with an IP address range accessible from the external network (in case
the external network is the Internet, this range will be a public range, and so your ISP must provide
routing to it). Although this address space is accessible from the external network, you will have to
explicitly grant access to hosts residing in it, via appropriate rules. Next, we will show the options
available for configuring a DMZ.
Enabling your DMZ
Go to the DMZ menu in the Security section. As usual you can start and stop the service on top.
Make sure you configure an appropriate address range for the DMZ interface, and that traffic with
this subnetwork as its destination, is being appropriately routed to edgeBOX. After checking this
option you will need to create rules to grant access to hosts residing in this subnetwork. The rules
are shown in a table which can be modified with the following options: New, Edit and Delete.
A new DMZ rule is set up this way:
· Destination IP: The host/range to which access will be granted;
· Netmask: The netmask to be used;
· Port: If you select this option, you will need to specify the single port to which access will be
granted.
· From... To: if you select this option, you may specify a port range to which access will be
granted
· Protocol: The specific protocol to which access will be granted. Choices available are TCP,
UDP, ICMP and ALL.
Related Topics:
· DMZ Traffic

80 edgeBOX 5.0 Help
6.3 Enabling NAT for the private networks

In the NAT menu, Security section, you can view and change NAT settings for your network. What
is NAT ?
NAT (Network Address Translation) translates the private IP addresses of computers in your internal
networks to a single public IP address, so that the computers can connect to outer networks like the
Internet and have access to several services.
With NAT, you are able to use private addresses in your internal network. All requests made from
internal hosts are seen by the external networks as being made by edgeBOX which then translates
back the response packets' destination addresses to the originating internal host
NAT is by default enabled on the edgeBOX. Also, by default, it is already configured for the LAN and
for each of the VLANs. So you can connect to outer networks from the computers of your network
immediately, without needed to configure anything.
Configure NAT on an internal network
To configure NAT on an internal network:
1. Click the New button and a dialog window will appear
2. Type the IP address and the Netmask of the network for wich you want to have NAT working
(most likely it's one of your internal networks, LAN or VLAN)
3. Use the Drop-Down list to select the interface used to reach the network you just indicated.
Show me an example...
If you use 10.10.10.0/255.255.255.0 for Network IP/Netmask and WAN for the Interface, you are
actually providing the means for the hosts on the 10.10.10.x IP segment to have access to the
Internet or any other external network accessible through the WAN interface, by NAT'ing their IP
addresses on the WAN segment.
6.4 Using Port Forwarding

You can find edgeBOX's Port Forwarding functionality in the Port Forwarding table of the NAT
menu, in the Security section. You can use Port Forwarding from the Internet (WAN interface) to
your local network or from the DMZ to you local network. What is Port Forwarding?

Security 81
Port forwarding allows remote computers (e.g. public machines on the Internet) to
transparently connect to a specific computer within your private networks so they can use
services that your computer shares, like a web service or an e-mail service. With port
forwarding, you can make a service run on an internal host visible to the outside world, as if it
was running on edgeBOX itself.
Add a port/service to Port Forward
To make one or more internal services available to external networks click the New button to
create a new entry in the Port Forwarding table. A new dialog will appear. Please specify:
· Interface: choose the interface where you want to make the port forward available (
WAN or DMZ).
· External Settings
· Single Port: to indicate the external Port visible in the interface chosen or,
· Range of Ports: to indicate the start and end ports of the Range of external
ports.
· Internal Settings
· Internal IP:address (in your local network) of the computer that is running the
service you want to make available;
· Single Port: to indicate the internal port, from that IP address, where the
traffic will be forwarded to;
· Range of Ports: to use the same range of ports that was chosen in External
Settings (this option is only available if you have selected Range of Ports in
External Settings).
6.5 Website Access Restrictions

The edgeBOX provides a web page filtering service that can be used to block access to web sites.
Filtering can be performed on either domain names or by checking URLs for certain keywords.
Note: The web filtering service only blocks words in URL and domains in HTTP (port 80) traffic;
HTTPS and FTP traffic can not be checked; alsonote that HTTP traffic that is configured to use
Premium bandwidth cannot be blocked. This is because Premium bandwidth HTTP traffic bypasses
edgeBOX's Proxy. Also, HTTP traffic that has QoS rules defined in the QoS Services panel cannot be
blocked either.
To configure this service just point your browser to the Security section, Website Restrictions

82 edgeBOX 5.0 Help
menu. Clicking the New... button you should choose the type of file you are uploading:
· Domains list to be denied
· Words-in-URL list to be denied
After uploading any file you should enable/disable their usage by clicking the Enable/Disable buttons
according to your needs.
6.5.1 Domains
File Format
The format of the uploaded file is one entry per line.
Each line in the file may be a domain to deny, or can contain regex expressions
To find out more information about Regex exprssions, visit: http://www.regular-expressions.info
Some one-line examples for the domain file are:
.net Block anything.net (eg www.school.net or https://www.mylocal.net)

[-./]dog[-./] Blocks domains containing the word dog (eg www.ttdoggy.com)
[-./](dog|cat) Blocks domains containing the word dog or cat (eg www.catty.pt)
[-./] Note: There is no space before or after the | character
*\.(exe|bat) Blocks, for example, www.bad.pt/download/file.exe or www.verbad.com/getit.bat
When adding a domain to the file, the following rules apply:
A single domain will match all urls under that domain and is case-insensitive
As an example, if you specify test.com', it will match 'test.com' and 'test.com/help'.
A domain preceded by a dot will match that domain and all subdomains.
For example '.example.com' will match 'example.com' as well as 'new.example.com' or 'old.example.

com'.

Security 83
6.5.2 Words in URL

File Format
The format of the uploaded file is one entry per line.
When adding a word to the file, the following rules apply:
A single word will match all urls which contain that word, either completely or as a substring.
As an example, if you specify 'goo', it will match 'google.com and www.myinfo.pt/ToGoOver/help, as

both URL's contain the word goo.
It matches the second URL as it contains ToGoOver, which contains the word GoO (recall that the
word lists are not case sensitive).
6.6 Install and Manage Anti Virus Engines

Currently, support is available for three Anti Virus engines, Sophos, McAfee and ClamAV. edgeBOX is
not shipped with the Sophos or the McAfee Anti Virus engines installed, so you will have to buy the
appropriate number of licenses to use and upload them to edgeBOX.
To perform the installation and configuration of Anti Virus engines and update their IDE files,
navigate to the Security section, click the Mail Scanner menu, and then click the Anti Virus
Engines link, in the Related Topics list.
Select the desired Anti Virus engine and hit the Install or Update button. The Install dialog will
require you to select the appropriate file from your computer. The rest of the task will be automatic.
Currently the supported Anti Virus engines are: Sophos, McAfee and Clamav.
Related Topics:
· E-Mail server
6.7 Scanning Shared Folders for viruses

The Shared Folders Scanning menu in the Security section allows you to configure the shares
scanner. A summary of the configuration is displayed. Click Change... and specify:
Schedule

84 edgeBOX 5.0 Help
· Scan every day at: choose the time of day for the operation,
· using: the Virus Scanning package to use; possible choices are Sophos, McAfee or ClamAV
(Sophos and McAfee engines are not shipped with edgeBOX, so these choices are not
available from the dropdown, unless they are installed)
· Also scan files when they are placed inside the shared folders (this option is only
available for ClamAV).
Actions
· Delete infected files found
· Delete infected files and send me an e-mail notification
· Don't delete infected files. Just send me an e-mail notification
Related Topics:
· Anti Virus Engines
· Windows Shared Folders
6.8 Scanning E-Mail for Viruses

In the Security section you'll find the Mail Scanner configuration menu. Click the Anti Virus tab.
Click the Configure... button.
Basic Configuration
Please select whether or not e-mail should be scanned for viruses. If so, please specify:
· Anti Virus engine: choose one form the list
· Notify sender: for the sender of the message to be notified
· Notify to the specified e-mail address: and type an e-mail address.
Advanced Configuration
To access further Anti Virus operation details click the Advanced Configuration... button:
· Messages: special options for detecting types of messages or scanning based on message

Security 85
characteristics;
· Actions: for finer grained configuration of actions to be performed in case a virus is found.
Quarantine
If any e-mails were placed in quarantine you can inspect the by clicking View Quarantine. This will
give you access to the list of infected e-mail messages and their details. You can, at this point, decide
to Forward the message(s), to Unblock it, to Delete it or to View Attachments. There is also a
filter for faster search. See more.
Related Topics:
· Install and Manage Anti Virus Engines
· Administrator e-mail address
· System E-mail aliases
· E-Mail Server
6.8.1 Messages
Message characteristics
· Allow partial messages - allow messages that contain only a fraction of the attachments. As
the scan is not performed on the whole message but on its fragments, it will not be done
properly.
Setting this option is very dangerous as viruses may go undetected.
· Allow external message bodies - allow messages where the body is stored in a remote
server and not in the actual message. It will be up to the e-mail client to fetch the message
body later.
Setting this option is particularly dangerous. MailScanner never scans the message body
so it may allow viruses into your network.
· Allow iframe tags - allow messages to carry Iframe tags.

· Allow form tags - allow messages to carry Form tags.
· Allow object codebase tags - allow messages to carry Object codebase tags.
· Convert dangerous HTML to text - enable the conversion of Iframe and Object codebase
tags into plain text. This is a good alternative to disallowing or leaving them untouched.

86 edgeBOX 5.0 Help
· Convert HTML to text - enable the conversion of all HTML tags into plain text.
· Block encrypted messages - enable blocking of encrypted messages.
· Block unencrypted messages - enable blocking of unencrypted messages.
· Expand TNEF - enable expanding of TNEF attachments that are joined in one WINMAIL.DAT
file. If you don’t check this option then the filenames within the TNEF attachments will not be
checked.
6.8.2 Actions
Possible Actions:
· Deliver disinfected messages - infected attached documents are automatically disinfected

and sent to the original recipients.
· Quarantine infections - infected or dangerous attachments are stored in directories created
under the quarantine directory.
· Deliver unparsable TNEF - allow the delivery of Rich Text Format attachments produced by
some versions of Microsoft Outlook that cannot be completely decoded at present.
· Deliver silent viruses - messages that originally contained a silent virus are still delivered,
even if the addresses were chosen at random by the infected PC and did not correspond to
anything a user intended to send.
· Sign clean messages - make MailScanner sign every clean message processed.
· Mark infected messages - If you check this option MailScanner will mark every infected
message and every message that, for some reason had its attachments removed.
· Mark unscanned messages - mark every message that is not scanned by MailScanner.
· Include warning as attachment - include warnings for dangerous or infected attachments
will as an attachment. If this option is not selected then the warnings will simply be included as
inline text.
6.8.3 Quarantine
View the incoming or outgoing e-mails that are put under quarantine (blocked) by edgeBOX because
they may contain files with virus.
The e-mails are grouped by date inside folders in the list on the left. You can expand and browse
through the folders to find the e-mails. If you expand an e-mail you will be able to see the sender
and the receiver of the mail. If you select an e-mail, its attachments appear on the list on the right.
Unblock a quarantined e-mail

Security 87
To remove a blocked e-mail from quarantine and deliver it to its intended receiver:
1. Select the e-mail to unblock from the e-mails list.

2. Click the Unblock and then the Apply button. The e-mail will be sent to its original
receiver.
Make sure you remove all infected files of an e-mail before you unblock it. Delete all
attachments with viruses.
Delete an e-mail
1. Select the e-mail to delete from the e-mails list.

2. Click the Delete and then the Apply button.
Forward an e-mail to another person
If you want to send a blocked e-mail to a different person than its original receiver:
1. Select the e-mail from the e-mails list.

2. Click Forward. A dialog window will appear.
3. Type in the e-mail address of the person you want to forward the e-mail to.
4. Click OK and then Apply to forward the e-mail.
You can also make operations to the attachments of the e-mails. This is particularly useful to remove
virus from the e-mails without deleting the e-mail. This way you can remove the files that are
infected and then still deliver the e-mail to the receiver.
6.9 Scanning E-Mail for SPAM

E-mail can also be scanned for spam. What is spam ?
E-mail spam, also known as junk e-mail, involves nearly identical messages sent to numerous
recipients by e-mail. A common synonym for spam is unsolicited bulk e-mail (UBE). Definitions of
spam usually include the aspects that e-mail is unsolicited and sent in bulk. "UCE" refers specifically
to unsolicited commercial e-mail. Spam usually confuses and annoys e-mail users.
In the Security section you'll find the Mail Scanner configuration menu. Click the Anti-Spam tab.
A short summary is presented. Click the Configure... button. Please choose if messages will or will
not be filtered for SPAM. If so, then specify:
· Also log spam-related events: this will make spam related activity to show up in the logs;
· When spam is found:
· Deliver: The message is delivered to the recipient as normal;

· Delete: The message is silently discarded;

88 edgeBOX 5.0 Help
· Attachment: The original message is converted to the attachment of the message.

· RBL servers: this feature allows you to have a anti-spam protection based on existing
spammers' databases (The Realtime Blackhole List - RBL). After checking this option you will
have to provide hosts serving these lists. At the time of this publication examples of hosts
providing such lists are: list.dsbl.org and bl.spamcop.net.
What is an RBL server ?
An RBL server, or DNSBL, contains lists of internet servers that are considered to SPAMers or
abusers. These lists are dynamic. See details in http://en.wikipedia.org/wiki/DNSBL
Related Topics:
· Install and Manage Anti Virus Engines
· E-mail Server

Office Servers 89
7 Office Servers
This section allows you to explore and configure several services that enable
communication between the people and integration of software resources in your
company/office. You may wish to:
· Configure your company's - one or several - websites and intranets
· Setup your e-mail server and enable Webmail
· Create Windows Shares for network file storage
· Allow users to use edgeBOX attached Printers
· Allow users to autonomously create public shared directories
· Configure edgeBOX to act as a Windows PDC (Primary Domain Controller)
7.1 Manage your web sites and intranets

Whether you need to bring up one or several web sites for you company or you want to configure a
web-based intranet to propagate information throughout your company, these are all tasks for
edgeBOX's Web Server, in the Office Servers section.
Adding new Internet websites or web-based intranets
edgeBOX's internal Web Server can simultaneously serve and manage several distinct and
separately configurable virtual webservers.
This important feature is usually referred to as Virtual Hosts: with a Virtual Hosts enabled web
server - like edgeBOX's - you can setup and deploy any amount of virtual Internet or Intranet http
servers transparently. To do this just hit the New button at the top of the Websites managed by
edgeBOX list and follow the details...
Changing global settings
The Web Server menu displays a short summary of the global settings. Click Change... to alter this:
· Maximum Accesses: the maximum amount of simultaneous connections the web server will
allow before starting refusing new connections; the default configured value is 150 which
should me more then enough for the majority of situations; you can safely lower this value,

90 edgeBOX 5.0 Help
unless you plan to setup several web sites and expect to have considerable amount of traffic
for all of them;
· Personal Webpages: check the box if users will be allowed to have personal web pages; if
so, those pages will be located in the user's home directory, under the public_html directory;
the user will be able to manage their personal webpage through FTP – after logging on, they
will automatically be placed in their directory. How do I access my personal page ?
Let's assume user John Smith, with username jsmith. The user's personal webpage URL will be
formed from the concatenation of:
· the main edgeBOX http URL + "~jsmith", or
· the main edgeBOX http URL + "users/jsmith".
So, if the main URL is http://edgeBOX.somedomain.com, then Mr. Smith's webpage will be
accessible at:
· http://yourcompany.somedomain.com/~jsmith or
· http://yourcompany.somedomain.com/users/jsmith
· Webmaster account: this option allows you to change the password for user 'webmaster';
the 'webmaster' has FTP access and owns the directory tree for the Intranet and Internet
websites; the FTP root directory will initially contain two directories ("intra" and "inter"),
corresponding to these websites, but more may be created. This account is initially disabled so
you will have to set a password in order to use it.
Please note: the Webmail service depends on the Webserver; so, if you stop the Webserver, keep
in mind that your Webmail users will lose access to the Webmail.
7.1.1 Setting up multiple websites

This panel allows you to configure one or several HTTP Virtual Hosts.
· Website URL: the name of this virtual host such as mycompany.mydomain.com; a DNS
related warning may popup...
... just to remind you that an A or CNAME record needs to be added to the DNS for this setup
to be complete; note well: you have just entered a name for a host; either this name is
translated to IP in the outside world, or edegBOX must translate it; in this case, for example,
if your domain is local.loc, and you add a virtual host for docs.local.loc, then you need to a
DNS entry for host docs pointing to edgeBOX’s IP Address. Otherwise, no one will be able to
reach this website, simply because the DNS name-to-IP translation can not be performed;
edgeBOX will either create an appropriate DNS host entry for the domain, or remind you that
you will need to create one manually.

Office Servers 91
If the domain for the new web server entry does not exist:
· and the edgeBOX is not the master domain, the administrator will be informed
that the DNS entry needs to be added manually on the system which is hosting the
domain.
· and the edgeBOX is the master domain, then the new host for that domain will be
added to the DNS domain and the administrator will be informed via a popup.
The DNS entry will only be created if the above condition exists and if the condition shown in
the following table is true:
Internal Website DNS Domain Access = DNS Domain Access =

Internal External
Yes Yes (LAN IP) No
No Yes Yes (WAN IP)
DNS host information will not automatically be deleted when the web server host is deleted.
· Internal Website: if this website is only accessible internally (like an Intranet), or if it will be
globally available;
· Files Location: where this website's files (html pages, png images, other) will be stored;
options are:
· In the public_html directory: of a given user; type the username; this website will
correspond exactly to the given user's personal webpage;
· In the directory: just type-in the name of a directory to store this site's files (if it
does not exist it will be created); this dir will be located under /home/wwwhost, which
is the filesystem directory where the webmaste user will be placed after logging on
through FTP; the webmaster must now access edgeBOX using FTP and transfer the
website's files into the correct directory; the webmaster password must be activated
before the account is created; please refer to Webmaster Account in the previous
section;
· The files are not stored locally: this option enables you to setup a web site by
aggregating several other sites solely by using redirection of requests; all URLs
accessible on this site, will actually, be redirected to other URLs that you specify in the
table below;
· Additional redirect requests: use the Add..., Edit... and Remove buttons to manage the
list of redirection URLs; if the edgeBOX receives a request for the proxy domain, it will send
the request to the proxy (as nominated in the URL field) and add the path (if there is one) to
the request. For example, if Path=/support/4.7/ and url=http://192.168.100.150, a request to
the edgeBOX for www.clk.com/support will be redirected from the virtual host to the proxy at
http://192.168.100.150/support/4.7/;
· Webmaster E-mail: the optional webmaster e-mail address; if someone tries to load an non-

92 edgeBOX 5.0 Help
existent URL, a warning page will be return with this e-mail address as footnote just in case
the person wishes to get in contact.
7.2 E-mail Server and Webmail

Please refer to the E-mail server menu in the Office Servers section if you need to:
· Review, deliver, forward or delete e-mails currently in queue;
· Add new e-mail domains;
· Enable and Disable Webmail;
· Add your own aliases and manage simple mailing lists;
· Configure other settings and permissions like relay control and message size.
Related Topics:
· Scanning E-mail for Viruses
· Scanning E-mail for SPAM
7.2.1 E-mail Queue

Choose the Queue tab, in the E-mail Server menu - Office Servers section.
The table presented shows you the queue of incoming and outgoing e-mails that edgeBOX e-mail
server is processing at the present moment and also e-mails that, for some reason (destination
SMTP server temporarily unreachable, or other reasons) are queued in edgeBOX's e-mail
server awaiting delivery. You can:
· Deliver All: a delivery operation will immediately be attempted; despite edgeBOX tries to
deliver all incoming and outgoing e-mails in queue every 10 minutes, this options allows you to
perform such attempt immediately; please note that the process of attempting delivery may
take some time; in the end some messages may still remain undeliverable; so, please be sure
to reload this panel after some seconds or minutes (especially if there are many messages to
be processes in the queue);
· Forward: click the Forward button after selecting an e-mail; you can forward queued e-mails
to another receiver; this can be useful when, for example, an e-mail is blocked in queue
because its destination e-mail is invalid;

Office Servers 93
· View Message: click the View Message button after selecting a message to get the details;
Date, From, To, Subject, Size and Status;
· Delete: to delete an e-mail.
7.2.2 E-mail domains and Webmail

Choose the Domains tab, in the E-mail Server menu - Office Servers section.
Domains
E-mail domains let you configure more than one virtual e-mail server for your company. For example
you could receive e-mails being sent to:
· @mother-house.mybusiness.com and
· @spin-off.mybusiness.com.
You can add as many domains as you wish. edgeBOX will accept e-mail, directed at edgeBOX's
users, for any of the domains specified. Just hit the New button and enter the desired domain.
This topic is not related to domain relaying: see Access Control for details on relaying.
Webmail
Only one domain may be a Webmail domain. For details on using and accessing the webmail
functionality, check Web Mail. To specify the webmail domain click the Change... button and:
· Enable webmail for the specified domain: check this if you wish to have enable webmail;
uncheck if you dont want webmail;
· Domain: choose the domain for which webmail will be accessible.
Also note, that the Web Server must be running to access Webmail; so, if you stop the Webserver,
keep in mind that your Webmail users will lose access to their e-mail.
7.2.3 Aliases and Mailing Lists

Choose the Domains tab, in the E-mail Server menu - Office Servers section. In this panel, you
may edit the aliases' list.
E-mail aliases allow forwarding of e-mail to alternative e-mail recipients

94 edgeBOX 5.0 Help
With this element you can provide alternate names for individual users, forward e-mail to another
host or create mailing lists. This table has some predefined aliases related with management that
can not be deleted.
You can choose to redirect e-mail for these aliases to another user, so that they receive the
messages.
Creating a simple e-mail alias
Lets imagine edgeBOX user jsmith is actually the person in charge of maintenance in your company.
You can create an e-mail alias for the maintenance service called help-24-7. Just hit the New
button and enter:
· Alias: type-in the new alias help-24-7;
· E-mail addresses that will receive the messages: click Add and type jsmith.
That's it. All e-mails sent to help-24-7 will actually be received by Mr. Smith instead (the help-24-7
account doesn't actually exist: it's an alias).
Creating a simple mailing list
Following the above example, let's say your company has hired the services of an external
maintenance company called Nice&Clean, Inc. Mr. Smith has determined that all e-mails requesting
help will also be received by the guys at Nice&Clean.
All you have to do is: select the help-24-7 / jsmith entry in the aliases table; hit the Edit button
and, in the popup, hit the Add button; type wecanfixit@niceandclean.com in the text field; Save
all in the end.
Starting now, all e-mails sent to the help-24-7 alias will be delivered to Mr. Smith and to the
people at Nice&Clean.
7.2.4 Settings and Permissions

Choosing the Settings and Permissions tab, E-mail Server menu, Office Severs section, you
gain access to some advanced configuration options for your E-mail server and users. The panel
shows you summarized information as a quick overview.
Server Settings
To change any of these hit the corresponding Change... button. The details are:

Office Servers 95
· Connections Limit: the maximum number of simultaneous connections; above this value,
connections will be rejected; the default setting is Unlimited; check the box and enter the value
you need;
· Message Size Limit: e-mail messages with size greater than this value are not accepted;
depending on your specific needs you might wish to limit the message size to, say, 10 MB or
50MB; these are typical values; the default value is Unlimited; check the box and enter the
value you need;
· Storage Location: by default e-mail will be stored in edgeBOX; you can change this; if you
choose a different host for storing e-mail, edgeBOX will initially accept e-mail directed at any
of it's e-mail domains and them forward those messages to the e-mail storage server; your
network users will typically interact directly (Webmail, SMTP, pop, imap) with the storage
server instead of edgeBOX; if you choose to Save e-mail data in an external server,
please specify:
· Hostname/IP: the hostname or IP Address of such server;
· Keep original e-mail envelope address: check this if you wish that the domain
name, to which the e-mail was originally sent, be preserved, despite the e-mail will be
received, by the user, from a distinct server;
· SmartHost server: A SmartHost is an e-mail server through which outgoing e-mail is

relayed: that host will actually perform delivery to the final destination e-mail server, instead
of edgeBOX; in an example situation, some ISPs block outgoing e-mail traffic and require their
users to send out all e-mail through the ISP's e-mail server: that server will be the SmartHost
for edgeBOX; the default setting is None; to change this, just check the Send messages
through a SmartHost box and enter:
· Hostname/IP: the hostname or IP Address of the SmartHost;
· Check the box if the SmartHost requires Authentication and type the Username
and Password.
E-mail permissions
A short overview is presented:
· Whether users can send e-mail to external domains from within the local network;
· Whether users can send e-mail to external domains from outside (relay support);
· Whether e-mail from unresolvable domains is or is not to be accepted.
You can also create advanced access control rules based on host, domain, sender and receiver.
Click the Change... button and follow the details here...

96 edgeBOX 5.0 Help
7.2.4.1 SMTP Access Control

Choosing the Settings and Permissions tab on the E-mail Server menu - Office Severs section -
you can click the Change... button in the E-mail Permission area:
Unresolvable Domains
When a sender domain can't be resolved, the e-mail's origin can not be verified; this technique is
widely used by spammers; check the box if you want to:
· Accept e-mail from unresolvable domains; for security reasons the default behaviour is
not to accept;
E-mail to external domains
Check the corresponding box if you want to:
· Allow users to send e-mail to external domains from within the local network
· Allow users to send e-mail to external domains from within outside (relay support):
by checking this option you are allowing relay to users authenticated while reading e-mail
through pop3 (usually referred to as pop-before-smtp); this a time limited authorisation, as it
will expire some time later; this setting is particularly useful for users who are connecting from
external networks (while traveling for example) and for which we want to allow relaying; n
ormally you only permit e-mails to be relayed (sent) from within your own network, but some
users travel and connect from other places and you want to let those users send (relay) e-mail
through your server: whenever someone logs in via pop3, the server notes the IP address
from which the connection was made, and permits relay from the IP for a limited period.
Advanced Permissions
Allows further refinement of acceptance/denial rules for incoming e-mail based on domains, IP
addresses, senders and receivers. Hit the Change... button. You'll get two lists:
· Accept or Reject e-mails based on the connection
· Choose action: Accept e-mails, Accept and relay e-mails, Reject e-mails; and
select source:
· From specific domain: type-in the domain to which this rule applies, p.ex. critical-
links.com
· From specific subnet: type-in the first 2 or 3 fields of the subnet address (p.ex. 10.1
for a 10.1.0.0/16 segment, or 192.168.100 for a 192.168.100.0/255.255.255.0
segment);

Office Servers 97
· From specific e-mail address: type-in the sender e-mail address to which this rule
applies;
· Accept or Reject e-mails based on the sender/receiver
· Choose action: Accept e-mails or Reject e-mails;
· Coming From / Going To: select and type the e-mail address to which this rule
applies.
With the Advanced Settings you could come up with complex rule sets to meet very specific
situations.
Note: When entering a value (eg the address or IP), you may use wildcards (“*”). If a given domain
is listed, all sub domains will also be included in the rule.
7.3 Windows Server

edgeBOX can interact with other hosts in your network just as if it was a regular Windows server.
Besides the usual file/folder sharing and printer sharing services, edgeBOX may also act as a Primary
Domain Controller (PDC) and WINS server.
To set this up point to the Windows Server menu in the Office Servers section of edgeBOX's web
based administration interface:
Primary Domain Controller / Workgroup
You have two main options for the behaviour of edgeBOX as part of the Windows network. edgeBOX
can actually be the network's Primary Domain Controller or edgeBOX can just act as a
Workgroup computer.
Learn more...
When edgeBOX acts as a PDC and Roaming Profiles are enabled, a) users' desktop preferences can
stored in edgeBOX and b) their home directory can be mapped to windows network drive Z:
automatically; this makes the task of accessing their files (ex: documents, personal webpage) in
edgeBOX much simpler and intuitive (this setting is not represented in the panel summary);
If edgeBOX is configured to belong to some workgroup it will be visible and accessible to other
Windows Workgroup hosts.
The panel displayed shows you a summary of the current configuration. You should use the

98 edgeBOX 5.0 Help
Change... button to alter this behaviour or change any of the settings:
· edgeBOX is the Primary Domain Controller of the Network; in this case the settings are:
· Domain Name: enter the desired Workgroup Name; this is the Workgroup name that all
computers on the network should use to associate to the Workgroup;
· Description: a descriptive identification string;
· Domain SSID: this setting is not available for configuration; it's created and managed
automatically by edgeBOX and displayed in the initial panel for your convenience;
· store the user's Desktop preferences on the edgeBOX:
· when logging into the Domain, the host will download the user's Desktop
preferences from edgeBOX, and
· the users will have their home directory mapped onto drive Z: (if you choose not
to select this option the user's home directory will still be available but not
automatically mapped onto a drive).
· Click the Computers of the domain link to review the workgroup computers currently
connected. In the popup you can:
· hit the Update button if you need to search for new hosts entering the domain or
· the Remove From Domain button if you need to remove a host currently logged-
in. More details...
If a given computer has been added to the edgeBOX domain and some users have
successfully logged-in the domain from that computer, those users will still be able
to login in that computer even if you remove the computer from the popup list. This
happens because the trust relationship is still valid between the users and that
machine.
How to add computers to the domain? See Appendix C.
· PDC support is disabled. edgeBOX just belongs to the windows network; you should
specify:
· Workgroup Name: enter the desired Workgroup Name (all computers with the same
Workgroup name will be associated to the same network group and so will edgeBOX);
· edgeBOX Description: enter a descriptive string for easy identification of edgeBOX in the
network.

Office Servers 99
WINS Support
Provides the WINS service. What is WINS?
WINS performs name registration and resolution. Windows clients can query a WINS server directly,
instead of using the usual broadcast method, thus resulting in an improvement in performance (the
hosts don't need to process broadcast packets). To learn more http://en.wikipedia.org/wiki/
Windows_Internet_Name_Service
Click Change... and check the Provide WINS Support box if you wish to activate WINS. Options
are:
· Use edgeBOX as the WINS Server: edgeBOX will deal with all domain registration and
resolution requests
· Use a remote server as the WINS Server: if another WINS Server exists on your network
and you wish edgeBOX to use it;
· Server IP Address: type-in the remote WINS Server IP Address;
· Relay registration and resolution requests to the remote server: with this
option checked edgeBOX will just send the response from the remote server back to
the original client.
Home Directories Access
· If edgeBOX is not the PDC you can determine if you want or don't want users to be
able to access their homes; use the Allow/Deny button to change this;
· If edgeBOX is the PDC, users always have access to their home directories and the Allow/
Deny button is not available.
7.4 Windows Shared Folders

The Windows Shared Folders functions, in the Office Servers section, are sub-divided into two
major features:
· Shares: shared network folders managed by the edgeBOX administrator, with fine-grained
control of permissions and ownerships;

100 edgeBOX 5.0 Help
· Temporary Shared Folders: temporary and size-limited, network shared folders freely
created by your network users.
Related Topics:
· Shared Folders Scanning
7.4.1 Shares
To review the currently configured shares, add more Shares, or change details, go to the
Windows Shared Folders menu in the Office Servers section. A list with currently active shared
folders is presented.
For your convenience edgeBOX is shipped with a pre-configured shared folder named Public. This
share is fully accessible to all users. To add new Shares hit the New button - to edit an existing
share the interface is similar:
Please note:
· the setup of a shared folder will require the choice of a network user for the role of Share
Owner and you can pick up specific permissions for specific users or specific Privileges; for this
to be possible, you must have at least one Privilege with access to the Samba service
enabled and, if necessary, some users actually using that Privilege; otherwise the dialog
windows for configuration of the Share will not show you any valid entries to add;
· moreover, if you, at any time, disable the Samba service on any Privilege, it's users will loose
access to the Shares (the Privilege setting is always superimposed on the Share permissions);
· your Firewall may also come into play here: if the Firewall rejects access to the Samba service,
then none of this will be possible; please make sure that the Samba service is not listed in the
Internal Connections... blocked services list; if it is listed you need to remove it, otherwise no
access to shares whatsoever will be possible (the Firewall settings are always superimposed on
anything else).
Share Details
· Share Name: type a name for the share; it should be related to the contents or the purpose
of the share;
· Description: a description string specifying any comment for further details (this will be
visible only if the windows user selects the Details option when viewing his network resources)

Office Servers 101
· Owner: the share owner; click the Select Owner... button and pick-up a user from the list;
this user will be the share owner (the role of the owner in a share will be clear ahead)
Share Permissions
· All users can access this Share:
· uncheck the box if you wish to adjust permissions on this share to specific users and/
or Privileges; in this case please hit the Specify Users Permissions... button and follow
the details here...
· check the box if you do not wish to adjust permissions for specific users or Privileges;
· Disable Write access for regular users. Only the Owner and the Administrators will
be able to Write: other users will not be able to write on the Share; Read access will
depend on each user's permissions; check the box if you want this restriction;
Administrators
· Select Administrators... button to add or remove Administrators of this share;

Administrators are users who have full control of a share;
Share Options
· Inherit Owner: new Folders and Files will be owned by the share owner;
· Inherit Permissions: new Folders and Files will always have the permissions defined in
Share Permissions;
· Hide Unreadable: do not show files users cannot read.
How do I map/mount an edgeBOX Share onto a X: drive on my Windows desktop ?
Related Topics:
· Users
· Privileges

If you change the properties of a shared folder using Windows XP or Windows Vista,
in the Security tab of the shares properties window, leave always selected at least one deny
or allow option when editing the permissions of a user or an access profile. Otherwise Windows
will remove the user or access profile from edgeBOX share permissions' list.
7.4.1.1 Setup Share Permissions

Setup Share Permissions
By clicking the Specify Users Permissions... you get a list of Users and Privileges currently
configured with permissions for this Share (please note the icons: Privileges are shown with a
different icon than Users). The details are:
· User/Privilege: the name of the user or Privilege for which each permission applies;
· Allow Read: a green check icon indicates Read permission for this User/Privilege on this
Share
· Allow Write: a green check icon indicates Write permission for this User/Privilege on this
Share
· Deny All: a green check icon indicates no Read nor Write access will be allowed for this User/
Privilege on this Share.
Now, selecting any of the entries and clicking the edit button or clicking the New button you can
reconfigure permissions. The popup dialog will let you choose among remaining Users and Privileges
and, for the ones selected, specify:
· Read only access to this share: to Allow Read;
· Write only access to this share: to Allow Write;
· Read and Write access to this share: to Allow Read and Allow Write;
· Deny all access: to Deny All.
If you remove a Privilege from the list, no user that belongs to that Privilege will be able to
access the Share unless the user has a specific entry in the list. If you remove a user from the list,
the user may still have access to the Share. His permissions will be defined by his Privilege
permissions. On the other hand, when a new Privilege is created users in that Privilege will have
read access to all non-Public shares and Read-Write access to all Public shares. Please keep this in

Office Servers 103
mind when creating new Privileges. You might need to come back to this section and change these
default settings.
Note that these particular permissions do not override the general permissions of the Share. Ex. if
you use the Disable Write Access for regular users option and you give a specific Write
access, the user will still only be able to read the share.
7.4.2 Temporary Shared Folders

Enabling Temporary Shared Folders allows users to dynamically create network shared folders to
share files when necessary. These folders are deleted automatically after a while.
If you want to use this feature please go to the Windows Shared Folders menu in the Office
Servers section. At the bottom, click the corresponding Change... button. Check the Allow users
to create temporary shared folders box, and set the values for:
· Maximum Life Time: each folder will be automatically erased after this time; minimum: 30
minutes; maximum 240 minutes; all files and folders inside will be lost;
· Maximum Size: the folder is limited in size to this value; you can choose from 8 to 1024 MB;
· Maximum Number: the system will not allow the simultaneous existence of more than this
maximum number of shared folders; if the limit is reached users will have to wait for any of
the folders to be automatically erased before they can create any more folders; you can
choose from 1 to 20 maximum simultaneous folders.
How does one create a shared folder ?
7.5 Windows Shared Printers

Printer sharing is an easy task in edgeBOX. Simply connect the printer to one of edgeBOX's USB port
(s). Power-up the printer and go to the Windows Shared Printers menu in the Office Servers
section.
The list displayed will show you your printer(s). For each of them:
· Name: the printer's manufacturer and model;
· Status: Connected or Not Connected (if a printer is shared but not connected it will be
displayed as Not Connected);

· Share: Shared or Not Shared.
To start sharing a printer, just select it and press the Share button. To stop sharing it hit the
Unshare button.
Please note that the Windows Server must be running for the shared printers to be accessible on
the network.
edgeBOX supports any printer supported by the Common Unix Printing System.

IP-PBX and VoIP 105
8 IP-PBX and VoIP

edgeBOX IP-PBX provides all the telephony features a small business needs, including call
conferences, parking and forwarding, IVR, LCR, ACD, fallback to PSTN, among others. The
PBX allows for the integration of ordinary VoIP extensions with plain standard analogue or
digital (ISDN) phone lines.
Tasks to configure your phone system

To setup your VoIP system, configuration options are divided into categories having in mind
the main tasks you need to perform. These tasks are accessible directly as main topics on the
left menu of the UI's IP-PBX section.
· Overview - Understand your phone system deployment: In this section you can see the
overall phone system logical scenario, together with the real time status of the phone
system, like connections, phones, calls, and others. Identified system warnings will also
be displayed providing a quick way to identify and follow up on potential system
problems.
· Phones - Managing your phones: In this section is where you define and configure
everything about the phones, extensions and correspondent configurations like voicemail,
twinning, codecs. Here you can also organize your phones into groups for better
organization and access policy definition.
· Incoming Call Rules - Defining Incoming Call Rules: Whenever the system receives a call
from the outside world, incoming call rules apply. Here you can define the flow of every
incoming call depending on caller (CallerID) and callee (DID) numbers and time
schedule. You can divert the call to automated attendants, specific extensions, voicemail,
DISA, IVR and others.
· Outgoing Call Rules - Defining Outgoing Call Rules: Every time a user makes a call to the
outside world, outgoing call rules apply. This is where you can define the route(s) and
prefixes to use to make a call. You can also restrict access to calls based on dialed
number, type of call and time period.
· Managing Conference Rooms: This is where you create and manage conferencing
rooms, and the automated conference rooms service.
· Managing Call Queues: Queues are perfect for Customer Support and Sales
Departments. Whenever you have a stream of customer calls to be answered, and those
calls can't be always answered immediately then you should use queues. The queue will
place the calls in music-on-hold until an agent is available to answer the call.
· Mailfax accounts: Mailfax provides a facility where you don't need an actual fax machine
running in your company. The fax documents will be sent and received through e-mail
messages. Those messages will be converted to (and from) phone calls.
· Advanced Setup Options: In this section you will find advanced setup options like
Country, Voicemail main number, Call parking number, Call recording rules and others. If
you're using PSTN voice cards (ISDN or Analog) you shall setup the country settings
since it may impact on the voice quality because some parameters vary from country to
country.

Working with the phone system

Having the phone system setup and running, user's can start using it for daily work. See
below the pointers to how users can interact with the phone system:
· Phone Operations: The most basic tool to use the phone system is of course the phone
itself. edgeBOX supports SIP, IAX and Analog phones, providing a number of keycode
operations like transfer, forward, twinning, park and others. In this section you can see a
complete list of phone operations and default keycodes.
· edgeDESKTOP: This is an application that provides a self-service operations for the end
user. All extensions and phone operations are available from the application's UI,
seamlessly integrated with the user's phone.
· Flash Operator Panel: This is an application specifically for PBX receptionist/operator
use. Allows the Operator to view the current status of the PBX and can use drag and
drop functionality to make, for example, calls add move calls to queues.
8.1 IP-PBX Overview

When you load the IP-PBX section in the webadmin interface you get an overview display where can
see the overall phone system logical scenario, together with the real time status of the phone
system, like connections, phones, calls, and others. Identified system warnings will also be displayed
providing a quick way to identify and follow up on potential system problems.
Understanding the IP-PBX Overview panel
The picture below presents the main areas and the correspondent information contained in each
one.

IP-PBX and VoIP 107
The IP-PBX Overview is refreshed every 30 seconds and gives you several useful informations in
the form of values and labels, colors, icon behaviours and tooltip texts.
Additionally, many of the values and labels displayed are actually hyperlinks to detailed
information regarding the topic involved: clicking on them will load additional status panels and
configuration menus concerning the topic clicked. The IP-PBX Overview is composed of the
following major sections:
Configuration
Displays a summary with your current configurations regarding:
· Phones and Faxes: m Phones and n Fax Accounts are currently configured;
· PBX: m conferences, n groups and k queues are currently configured.
Realtime Status
Shows you realtime status in terms of:
· Calls Status: the counts displayed show you the current usage intensity of several of your
PBX features;
· Services: status and operational details regarding the Authentication for Outgoing Calls
and Autoconfiguration services; the green/gray circles on the left show you the current
administrative status of these services;

· Warnings: the warnings displayed help you diagnose the reds in the central synoptic; the red
'X' and '!' icons displayed tell you that something is not Ok; these Warnings give you a little
more insight onto what is not ok;
Synoptic
The central synoptic of the IP-PBX Overview focuses on the connections of your IP-PBX to the
outside world, attempting to provide a quick grasp of their current operational status.
Up to four lines are displayed linking edgeBOX to the four possible outside world voice
connection types:
· Remote Offices: SIP or IAX connections to other remote edgeBOX's;
· VoIP Providers: connections to VoIP service providers on the Internet;
· Public Telefony Network: connections to the PSTN through FXO interfaces, BRI cards and
others;
· PBX: connections to other PBXs, through a trusted ISDN Line, from which edgeBOX accepts
calls as internal.
Depending on the specific characteristics of your setup, you may get only a subset of the picture. In
any case, the following global colouring rules apply:
· Line Color: green will tell you that at least one of the connections of each type is healthy
and working as expected; gray will denote total failure or all connections bad, for
each type of connection;
· Connections Status Icon: a green 'V' sign means everything is Ok; a red exclamation
mark '!' tells you something is wrong concerning those types of connections; a red 'X' tells
you there is no connectivity whatsoever in that(those) connection(s).
8.2 Managing your phones

This section brings together several aspects related to the manipulation and configuration of your
phones and the corresponding edgeBOX features. Topics are separated in a task oriented approach.
Point your browser at the Phones menu, in the IP-PBX section of edgeBOX's webadmin interface.
From there you can acomplish the following goals:
· Understanding the Phones list
· Create SIP, IAX, Analog and ISDN phone extenxions
· Use Phones Automatic Configuration

IP-PBX and VoIP 109
· Create Groups of Phones and Manage Access control in bulk
· Understand and Manage Twinning
Related Topics:
· Groups
· Automatic Call Recording
· Internal Dial Plan
· Voice Lines
· Network Users
8.2.1 Understanding the Phones list

The Phones list in the IP-PBX section displays a considerable amount of information about all
phones configured in edgeBOX. This manual section helps you understand it fully as it may help you
getting a quick overview of your phones status and also provide immediate detailed
information regarding each of them. In conjunction with the Overview panel, this list may prove to
be a useful diagnostic and overview tool for your installed VoIP infrastructure.
The list provides information in the form of text labels, colors and icon behaviours. Data is
refreshed every 30 seconds. The list is divided into six columns:
Extension
This column displays the extension's number and name. If this extension is currently assigned to a

specific user then it's username will be shown in shaded color below the number. A small green/
gray circle is displayed on the left, indicating it's current connectivity status.
Configuration
The Configuration column provides a quick summary of the most relevant configuration features
currently active for each phone. In some cases, a short status each of those features is added within
parentheses:
· Voicemail (m msgs): Voicemail is active for this phone and there are currently m new
messages;
· Twinning (nnnn): Twinning is enabled for this extension; this phone is twinned with the
phone at number nnnn; if nnnn is missing then, despite the feature is enabled, there is no
twinned phone at this moment;
· Forward (nnnn): Follow Me is active for this extension; calls are being forwarded to number
nnnn.
Brand / Model
The Brand and Model of supported IP Phones; other IP phones are simply identified by the VoIP
(SIP) or VoIP(IAX) labels; analog phones are identified with the ANALOG label.
IP / Port / MAC
The phone's IP and MAC addresses, if known. A Port number in case of analog phones.
Setup Mode
The Setup column tells you if the phone is configured Automatically by edgeBOX or Manually by
yourself.
Status
The Status shows you the current connectivity status and operational conditions of each phone. The
information displayed depends on the type of phone:
· IP Phones (SIP or IAX): Offline, Online, Ringing or Busy;
· Analog Phones: OnHook, OffHook, Ringing or Busy;
· ISDN Phones: Up, Down, Ringing or Busy.
Show me a detailed example...
Let us consider extension 1607 in the screenshot above. The extension's name is poly607 and it is
not assigned to any specific user. The green circle at the left indicates the extension is online
(meaning that edgeBOX can actually communicate with the phone over the Ethernet TCP/IP

IP-PBX and VoIP 111
infrastructure). Actually, the phone is currently Busy - on a call or similar - as displayed in the
Status column.
The Configuration column tells you that this extension has Twinning and Voicemail configured.
There are three new messages in the Voicemail account. The Brand / Model is the text
displayed in the 3rd column: it's a Polycom IP phone.
The Phone's Ethernet Hardware Address is 00:04:F2:18:D3:E6 as and it's currently assigned IP
Address is 192.168.101.199. The Setup Mode is Automatic meaning edgeBOX will automatically
configure this phone.
For details regarding the Synchronize, Manual Config and Phone-to-Extension Assignment
buttons please refer to the Automatic Configuration section of this manual.
8.2.2 Creating phones

Extensions in edgeBOX work like phone accounts, for any phone you want to connect to edgeBOX you
need an account (extension) to register into.
There are four different types of phone extensions supported:
· SIP: Used for IP Phones compliant with the SIP protocol. The SIP protocol is the most widely
available in IP phones.
· IAX: Used for IP Phones compliant with the IAX2 protocol.
· Analog: Used for Analog phones and Fax machines. The phone (or fax machine) is connected
directly in one FXS ports in edgeBOX's back panel using a RJ11 cable. You need the analog card
option in your edgeBOX with FXS ports.
· ISDN: Used for ISDN phones. The phone is connected directly in one of the ISDN BRI ports in
edgeBOX's back panel using an ISDN cable. You need the ISDN BRI card option in your edgeBOX.
To use ISDN phones you need to have an ISDN card with ports configured in NT mode.
This requires hardware configuration. Contact your Reseller/Support before planning a
ISDN Phones scenario.
Common properties among all phone types

Independently of the phone type (SIP, IAX, Analog or ISDN) there's some information that is common
among them.
Follows a description of each one of them:
· Name: This is the “friendly” name of extension (like John) and the login name for the VoIP
account. You can dial this name to call the extension. When you call from this extension, the
name will be displayed at destination's extension.
· Number: The number used to dial to the extension (like 2010).
· This extension can be called directly through incoming lines (Publish Extension): When
checked means that this phone will be able to receive SIP URI calls. What are SIP URI calls?

SIP URI calls are calls made from IP SIP Phones using a URI (like john@mycompany.
com or 2010@mycompany.com) instead of using a number.
· Ring Duration: Time the extension will ring without being answered. After this time the call will
be finished automatically, or handed over to the voicemail system if voicemail is active for the
extension.
· Voicemail: The voicemail settings are also common among all extension types. The fields you
need to provide are the PIN number to access extension's voicemail account an e-mail address
were edgeBOX will send notification about new voicemail messages. More details about
Voicemail...
· Twinning: The twinning feature can be used with any phone type. You can enable or disable the
ability of the user to have twinning, and to configure the number which will be used together
with the extension. For more details see Twinning.
· Identification (Caller ID): The name and number by which calls will be identified to the called
party. Usually identifies the person using the extension. This field is placed in the advanced tab,
and by default is generated using the data introduced previously in the Name field.
Please follow the links below for details:

· IP Phone extensions
· Analog Phones and FAXes
· ISDN Phone extensions
Default configured phones

edgeBOX comes with 3 already configured example phones. The phone "user" is associated with one
of the example users that also exist by default. The other two phones, phone "desk" and phone
"room", are not associated with any user.
· Phone "user" - Extension Number: "1000"; Extension Password: "1000"; Extension PIN: "1000".
· Phone "room" - Extension Number: "1010"; Extension Password: "1010"; Extension PIN: "1010".
· Phone "desk" - Extension Number: "1020"; Extension Password: "1020"; Extension PIN: "1020".
Related Topics:
· Voice Lines
· Groups
· Network Users

IP-PBX and VoIP 113
8.2.2.1 SIP and IAX phone extensions

SIP is the most widely available VoIP protocol in IP phones. Another protocol, called IAX is also
supported by edgeBOX.
Please navigate to the Phones menu in the IP-PBX section to create and manage SIP and IAX
phones/extensions. Below you can find the most common operations regarding these types of IP
phones.
Quick steps to create a VoIP phone extension
1. Goto IP-PBX > Phones.

2. Click New, and select New SIP/IAX Phone.
3. Enter the number you want to assign in the Number field. This number will be used to dial
to this extension.
4. Enter the name you want for your extension (like MeetingRoom) in the Name field.
5. Enter the password you want for this extension in the Password field, and repeat in Repeat
Password field.
When using Phone Auto-Configuration system in Callback mode for configuring

phones, use numbers for the password instead of letters, it will be easier to enter when
using the phone keypad. Phone Auto-Configuration applies only to SIP phones.
6. Click Add to save the phone settings.

Only basic properties are mentioned above, those that are mandatory (an typically the the only
ones you need), for a description of other properties see Common Properties and other
Advanced Phone Properties below.
Configuring Codecs
Codecs affect the quality and the bandwith consumption at the same time, higher quality
means higher bandwidth consumption.
In the Codecs tab of the new/edit VoIP phone extension dialog you can define the codecs
allowed to be used by the phone using this extension. By default when you create a new VoIP
extension G711 codecs are selected.
As best practice use high quality codecs (like G711) for phones connected in the LAN, and low
bandwith codecs (like GSM or G729) for phones connected in the WAN. This way you will
provide high quality in your internal phones and avoid large Internet bandwith consumption by
your external phones.
You have to make sure that your phone is also configured to use the same audio codecs as the
extension.
For more information see Codecs.
Enabling Video Calls
If you have a video enabled phone (or a softphone with video support and a video camera) you
can make video calls using edgeBOX.

In order to do that you must allow the extension to use video codecs (like H261, H263, H263p
or H264) in the Codecs tab of the extension's properties dialog.
You have to make sure that your phone is also configured to use the same video codecs as the
extension. See your phone's manual for instructions.
Allow phones to connect in peer-to-peer mode (Can Reinvite)
By default the voice traffic between two VoIP phones flows through the edgeBOX, meaning
when a phone A is calling phone B, voice traffic flow is A > edgeBOX > B. You can change this
flow to be A > B directly, thus reducing traffic and CPU consumption in edgeBOX.
Peer-to-peer mode is specially relevant in scenarios where you have phones connecting from
the Internet (registering through the edgeBOX's WAN port). Imagine the same two phones A
and B in the WAN making a call between themselves, you'll have both of them consuming your
Internet line, if they could connect directly your Internet line would not be used at all (except
for residual SIP traffic).
To allow phones to connect in peer-to-peer mode you need to enable the Can Reinvite option
in the Advanced tab of the extension's properties dialog.
In peer-to-peer calls DTMF shortcuts (like transfer or park) are not supported, because
edgeBOX is not listening the tones anymore. In this case you need to use the correspondent
special keys in your phone.
Other Advanced options
· Disable NAT Support: to enable/disable this option; necessary when the phone is behind
devices as a router or a firewall; see more in Advanced NAT;
· Do not Send Keep alive packets to this phone: without this option selected edgeBOX will
send keep alive packets to this phone every 2 seconds;
· When not registered this phone is reachable at static IP Address: use this only if this
phone will have a static IP address;
· DFTM Mode: the way the client deals with DTMF signaling; this parameter should be the
same as in the phone itself; options are: RFC2833 - selected by default; INFO; INBAND -
DTMF signaling within the call; note that this type of signaling is not supported by the GSM
codec.

IP-PBX and VoIP 115
8.2.2.2 Analog phone extensions and fax machines

If your edgeBOX includes an analog card with FXS ports, you can connect your analog phones or fax
machines directly to those ports.
If you are using analog phones connected through ATA (Analog Telephone Adapters)
you must use SIP extension type instead of Analog. The ATA will connect into the LAN and
will behave to edgeBOX as a SIP phone.
Please navigate to the Phones menu in the IP-PBX section to create and manage analog phones/
extensions. If your edgeBOX includes an analog card with FXS ports configured, you will see the New
Analog Phone option when you click the New button in the Phones list. Below you can find the
most common operations concerning analog phones.
Creating an analog extension to connect a analog phone

2. Click New, and select New Analog Phone.
3. Enter the number you want to assign in the Number field. This number will be used to dial to
this extension.
5. Select the port number (like Zaptel/11 for port number 11) where you will connect the phone
in Line (FXS) field. What is the port number?
The Port Number will match the numbers written on the physical ports in the back of your
edgeBOX.
Only basic properties are mentioned above, those that are mandatory (an typically the the only
ones you need), for a description of other properties see Common Properties and Advanced
Analog Phone Properties.
Creating an analog extension to connect a fax machine

An fax machine is connected to edgeBOX the same way as an analog phone, so the steps to
create the extension are the same. However there's a very important detail when configuring the
fax's extension, which is about echo cancellation.
Fax machines are very sensitive to variations in the sound timings, and echo cancellation
algorithms tweak those timings. So, in order to have a proper fax extension, make sure you
disable the echo cancellation for the respective extension.
To disable echo cancellation edit the phone extension, and in the Advanced tab uncheck the
option "Use Echo Cancellation...".
Advanced Analog Phone properties

There are a couple of settings for analog phones that you shall have in mind at this time. This
settings are available in the Advanced tab of the extension's properties dialog in edgeBOX. You
can fine tune these parameters with a few test calls from the extension you're configuring.
· Use Echo Cancellation: This enables/disables the echo cancellation algorithm for calls to
this extension and by default it's enabled. Disable only if you are using a fax machine

connected to this extension and you're experiencing reception problems.

· Transmission Gain: Amount of gain applied to sound transmitted from this extension. The
variation is from -8db to + 8db being the default 0db (middle position of the slider). Increase
when the other end (the callee) is barely listening; decrease if other end is listening too
loud, with too noise or with echo.
· Reception Gain: Amount of gain applied to sound received by this extension. The variation
is from -8db to + 8db being the default 0db (middle position of the slider). Increase when
the you can barely listen; decrease when listening too loud, with too noise or with echo.
8.2.2.3 ISDN Phone extensions

Please navigate to the Phones menu in the IP-PBX section to create and manage ISDN phones.
Below you can find the most common operations regarding this type phones.
Quick steps to create an ISDN phone extension

2. Click New, and select New ISDN Phone.
3. Enter the number you want to assign in the Number field. This number will be used to dial
to this extension.
5. Select the Line to which you want to connect the ISDN Phone in the Line (BRI)/MSN field.
6. Click the Advanced Tab
7. Check the box if you allow the extension to be called directly through incoming lines
8. Select also the Ring duration.
Only some properties are mentioned above. For a description of other properties see Common
Properties.
8.2.3 Connecting phones

The following sub-sections give you details on how to connect your:
· VoIP Phones
· Analog Phones and FAXes
· ISDN Phones

IP-PBX and VoIP 117
8.2.3.1 Connecting VoIP Phones

VoIP phones are the most common phone types used today and the most flexible. You have
available on the market a number of these phones with a wide range of prices. edgeBOX works
seamlessly with Polycom, Linksys, Aastra and Granstream phones but any phone following the SIP
standard protocol will be able to use edgeBOX.
You have two options for VoIP phones, both suitable for use with edgeBOX:
· Hardware phones, that work pretty much as a plain old phone, and
· Software Phones that you can run in your laptop.
Manually configuring and connecting a SIP Phone
The configuration of SIP phones is generally the same among all brands/models. Usually the
configuration is done through a web page provided by the phone itself (open your browser at a url
like http://192.168.100.195) or follow the built in menu on the phone. See your phone's user manual
for more details, or look for a specific edgeBOX How-To document for you phone model.
There are really only three fields you usually need setup:
· SIP Proxy: this is the name (like sip.edgebox.com) or the ip address (like 192.168.100.254)
of the edgeBOX. Pay attention were you are connecting your phone, in the LAN or the WAN.
Usually you connect the phones directly in the LAN of the edgeBOX for local personnel and
remote workers will connect to the WAN from the Internet.
· Account: the Extension Name (like MeetingRoom) that you want your phone to use.
· Password: the password of the extension.
Other fields you may need to have in attention are:
· DTMF: This is the type of Dual Tone Multi-Frequency, and affects the conversation with dial
tones between the phone and edgeBOX. They must match in both sides (the phone and
extension's properties in edgeBOX). The default value in edgeBOX is RFC2833, and that's
usually the same in the phones.
· Codecs: The codecs configured in the phone must match the ones configured in the extension
properties in edgeBOX. The default codecs of a new extension are G711 a-law and G711 u-law
and those are usually supported by default in the phones. Order the list of codec by
preference, edgeBOX will always try to use the first, then the second and so on.
Automatic configuration of SIP Phones
edgeBOX provides an automatic configuration system for Polycom, Linksys, Aastra and Grandstream
phones (see more details here). When the auto-configuration system is enabled, at the moment you
connect the phone's ethernet cable to the LAN of edgeBOX, the phone will be detected (by mac
address) and displayed in the Available Phones list, you can then assign it to an extension.

See Phone Auto-Configuration How To guide, the edgeBOX Online Help or the Phone Configuration
How To available in the edgeBOX documentation.
8.2.3.2 Connecting Analog Phones and FAX machines

Analog Phones and Fax Machines
Connecting analog phones or fax machines to edgeBOX is quite simple. Just plug the phone (or fax)
RJ11 cable to the proper FXS port in the back panel of your edgeBOX.
Analog phone settings
There are a couple of settings for analog phones that you shall have in mind at this time. These
settings are available in the Advanced tab of the extension's properties dialog in edgeBOX. You can
fine tune these parameters with a few test calls from the extension you're configuring.
· Echo Cancel: This enables/disables the echo cancellation algorithm for calls to this extension
and by default it's enabled. Disable only if you are using a fax machine connected to this
extension and you're experiencing reception problems.
· Transmission Gain: Amount of gain applied to sound transmitted from this extension. The
variation is from -8db to + 8db being the default 0db. Increase when the other end (the callee)
is barely listening; decrease if other end is listening too loud, with too noise or with echo.
· Reception Gain: Amount of gain applied to sound received by this extension. The variation is
from -8db to + 8db being the default 0db. Increase when the you can barely listen; decrease
when listening too loud, with too noise or with echo.
8.2.3.3 Connecting ISDN Phones

ISDN Phones
edgeBOX supports EuroISDN BRI phones seamlessly, but there's a number of details and complexities
arising from the underlying ISDN phone technology and the number of different proprietary signaling
built by ISDN phone manufacturers.
Contact your Support before planning an ISDN phone deployment.

IP-PBX and VoIP 119
8.2.4 Automatic configuration of phone devices

The Auto Phone Configuration allows you to configure VoIP phones of your network directly
on the edgeBOX, avoiding this way, the configuration of each phone locally on the phone itself, or,
avoiding the users to have to configure the phones themselves. Learn more.
When you connect a phone to the network for the first time, it needs to be configured in order to
make calls. This configuration is basically the configuration of the phones account to be used by
the phone. Using the Auto Configuration System you can configure phones remotely, just using
the edgeBOX's web interface.
All the configuration of the phones is available through the IP-PBX > Phones panel.
Only supported SIP phones can be configured directly on the edgeBOX - Auto Phone
Configuration. The currently supported phones are Grandstream GXP 2000; Polycom
SoundPoint IP320 IP330, IP670, IP601; Linksys SPA 901, SPA 922, SPA 932, SPA 941, SPA
942, SPA 962; Aastra 9133i, 480i, 51i, 53i, 55i, 57i and Snom 190, 360.
Forcing the configuration of other models than the ones mentioned above may
result in damage of the configuration of your phone.
How does it work?

The Phone Auto Configuration allows you to configure VoIP phones directly on the edgeBOX, avoiding
the configuration on the phone itself.
Each phone downloads a configuration file from the TFTP (Trivial FTP) service. This file is generated
and maintained by edgeBOX based on the phone brand and model, and reflects the configuration of
the extension associated with the physical. Whenever you change the settings of the extension, a
new file is generated and the phone is informed that a new file is available. At this point the phone
reboots automatically and downloads the new configuration file.
New phones are detected upon the DHCP dialog between the Phone and edgeBOX, thus only phones
configured through DHCP will be automatically detected.
Configure a detected phone
To configure a phone that was connected to the network:
1. Go to IP-PBX > Phones.

2. Select the phone in the list. You'll see the phone in a line with <not configured> in the
column Extension. You can identify uniquely the phone by the MAC address. Why the
phone is not listed?
· Phones that have been connected just a few seconds before may not be listed yet,
wait a moment for the automatic panel refresh (up to 30 seconds).
· Make sure the Phones Auto Configuration System is running (the service bar at the
top of the panel must be green).
3. Click Assign Extension to Phone button.
4. In the popup window select the phone extension you want to assign and click Add
button.

5. At this point in the phones list the previously <not configured> phone is not listed
anymore, and the line corresponding to the extensions you've selected in step 2
contains the Brand, IP and MAC addresses of the phone.
Depending on the Autoconfiguration Mode and the status of the physical phone you
may need to reboot the before it gets the configured.
Synchronize a phone's configuration with edgeBOX
If, for example, a user changes incorrectly the configuration of a phone, the phone may stop
working properly. In these cases you can resend the correct configuration to the phone, so it
can work properly again.
To synchronize the phones configuration with edgeBOX's saved configuration:
2. Select the phone in the list.
3. Click Synchronize button in the toolbar.
The phone will restart automatically and will get the original configuration upon boot.
Ignore a phone
You can ignore a phone so that edgeBOX doesn't try to send it configurations nor try to call it
to start the Configuration Assistant. Why should I ignore phones?
Ignoring phones can be usefully if you have some phones on your network being managed
by a device other than the edgeBOX. In these situations you don't want edgeBOX to be
trying to send configuration information to those phones.
To ignore a phone:
2. Select the desired phone in the list.
3. Click Manual Config button in the toolbar.
The Setup Mode will change to Manual. At this point edgeBOX will no longer try to configure
this phone automatically.
Stop ignoring a phone
If you want edgeBOX to stop ignoring a phone and start sending configuration information
again just proceed as if you would configure it from start, by using the Assign Extension to
Phone button in the toolbar.
Remove the configuration of a phone
To remove the configuration of a phone:

2. Select the desired phone in the list.
3. Click Unassign Phone from Extension button in the toolbar.

IP-PBX and VoIP 121
4. At this point you'll see a new item in the list with <not configured> in the extension
column. This item corresponds to the physical phone that was previously associated.
The phone is now free of any configuration, you can delete it (if the phone was definitely
removed from the network), or assign it to another extension.
Replace a broken phone
When a phone it's broken and needs to be replaced by another one proceed as follows:
2. Select the desired phone in the list (like 1020).
3. Click Unassign Phone from Extension button in the toolbar. At this point you'll see a new
item in the list with <not configured> in the extension column. This item corresponds to
the physical phone that was previously associated, and another line corresponding with
the extension (like 1020).
4. Edit the phone extension in the list (1020 in this example).
5. Select the new brand of your new phone in the Phone Brand field.
6. Enter the new MAC address of the new phone in the MAC Address field.
You can now physically replace the old phone by the new phone. The new phone will be
configured automatically as soon as you connect it to the network.
Pre-Provisioning Phones
You can also configure phones that haven't yet been connected but will be connected in
the near future. When those phones are plugged in the network for the first time, they will
immediately receive the configuration you have defined and become configured and ready to use
right away.
Pre-provisioning is very useful when you're managing the office from a remote location and you need
to install a new phone. You can just create the phone in the system, and then mail it to the office.
When it arrives the end user just needs to plug it to the network and it's ready to use without further
issues.
You can pre-provision phone independently of your configuration mode (Callback or Silent). Pre-
provisioned phones will be configured as soon as they connect to the network, meaning that when in
Callback mode, the assistant call doesn't happen.
Pre-provision a new phone

2. Select (double click) the desired phone in the list (or Click New, and select New SIP
Phone to create the a new extension).
3. Enable the option Assign a physical phone to this extension.
4. Select the brand of your new phone in the Phone Brand field.
5. Enter the MAC address of the new phone in the MAC Address field. Where can i find the
MAC address?
Usually the MAC address is printed in a sticker placed at the bottom of the phone, and
also in the package.
6. Click Save button.

Related Topics:
Auto Configuration Modes
8.2.4.1 Auto Configuration Modes
edgeBOX provides two different operation modes for auto configuration of the phones. One mode
(Callback) is focused in configuring the phone by using the phone itself, the phone will receive a call
with a configuration wizard where you can dial the extension to assign and respective password
(numeric passwords only). The Silent mode doesn't use any interaction on the phone's end, and all
the configurations are made through the administrator's panel.
Use Case for Callback configuration mode

1. Plug the phone.
2. The configuration assistant calls the phone. At this point you should answer the call.
3. Press “1” to start auto configuration.
4. Dial number of an already existing extension.
5. Dial password of the extension.
6. Hang up the phone.
7. Phone will reboot and start with the configured settings.
Use Case for Silent configuration mode

1. Plug/Restart the phone
2. Your phone will be listed in IP-PBX > Phones panel as <not configured>.
3. Assign the phone to the extension by pressing the Assign extension to Phone button in the
toolbar.
4. Restart/Replug the phone to get the new configuration.
Which configuration mode shall I use?
Use the Silent Configuration Mode:

· When you already have phones configured in the office.
· When you know mac-addresses.
Use the Callback configuration mode:

· When you need your customer to configure the phones.
· When you don't know mac-addresses.
· When setting up a new office on the field.
Call phones when they are first connected and start the Configuration Assistant

IP-PBX and VoIP 123
To configure the system to start the Configuration Assistant call each time a user plugs in a
new phone in the network (Callback Mode):
1. Go to IP-PBX > Phones
2. Make sure the Auto Configuration System is running (you should see a green bar at the
top of the panel). If it is not running click Start Service.
3. Click button Change...
4. Select the option Automatically call the phone and start the Configuration Assistant.
5. Click the Save button.
Do not call phones when they are first connected to start the Configuration Assistant
If you don't want the user to receive the Configuration Assistant call when he connects a phone
for the first time (Silent Mode):
1. Go to IP-PBX > Phones
2. Make sure the Auto Configuration System is running (you should see a green bar at the
top of the panel). If it is not running click Start Service.
3. Click button Change...
4. Select the option Do not make the Auto Configuration Assistant call.
You or the network users can also call the Configuration Assistant at any time (for instance, if they do
not answer the Configuration assistant call) from a given phone to start the phone configuration
process.
How to call the Configuration Assistant?
To call the Configuration Assistant from a phone of the network, you or the user need to dial
1234, which is the configuration assistant number..
Note: It is only possible to dial the Configuration Assistant if the configuration was interrupted
previously due to some problem and needs to be finished to configure the phone.
Related Topics:
Phone Auto Configuration
8.2.5 Phone Groups and Access Control

edgeBOX allows you as an administrator, to define access control policies restricting the operations
and types of calls that user's or specific extensions can execute. The phones access control
mechanism has in it's base Groups of Phones.
Basically you need to create a Phones Group, and then define what operations that group can
execute. The same applies to Outgoing Call Rules, where you can specify to which Groups a specific
rule is applicable to.

About Phone Groups

Basic steps to create a phones group.
To create a group of phones proceed as follows:

2. Click Groups in the Related Topics section of the menu.
3. Click New button.
4. Enter a name (like Sales) in the Name field.
5. Enter a description (like Sales Personnel) in the Description field.
6. Enter a phone number (like 450) for the group in the Extension field. This number is
optional, when defined enables Group Calls, like calling all phones in the group at the
same time.
7. Click Add button, select and add the phones to make part of the group (use Ctrl key to
select multiple phones at the same time).
8. Select the Access Control tab.
9. Define the access control policies to apply to the phones in the group (see examples
below for better understanding).
10.Click Save button.
Description of the Access Control policies
The access control policies of a phones group are configured in the Access Control tab when
you create or edit a group.
The policies are organized by the operations: Call Pick Up; Intercom Calls; Call Listening and
Call Recording.
Call Pick Up policies
With Call Pick Up you can specify the set of phones that can pick up calls on this group. The
choices are:
· any phone can pick up calls on this group (this is the default setting)
· only the phones that belong to the group can do this
· no phone, not even from the group, can pick up calls ringing in this group
Intercom Calls policies
With Intercom Calls someone could make a phone call to this group in which the destination
phone will go into loudspeaker mode and the call will be listened to by the people near that
phone. You can choose:
· any network phone can initiate Intercom Calls to the phones on this group (this is the
default setting)
· only phones in the group can initiate Intercom Calls to each other
· this group will not accept Intercom Calls
Call Listening policies

With Call Listening you can listen to ongoing calls on other extensions. In this panel you can

IP-PBX and VoIP 125
specify if:
· if phones on this group can be used to listen to calls on other phones (default setting is
'no')
· if calls on these phones can be listened (default setting is 'no')
Call Recording policies
The Call Recording settings for a group allows you to specify:
· if these phones can record calls (see One Touch Recording; default setting is 'no'), and
· if phones on this group can or can't be recorded (see Recording calls; default setting is
'no recording').
Configuration examples
You can configure any number of phone groups, with many variations of access control policies
building from the most simple to the most complex set of policies, depending on your company
requirements. Below you can find some examples of the most typical configurations.
How to create a group of phones that can pickup calls only between them?
In this example, lets assume that you have a group of support personnel and they want to
pickup calls that ringing in another extension of the team (because the person is not at his
desk), but they don't want other people outside the group to pick their calls.
For the scenario above execute the following steps:
2. Click Groups in the Related Topics section of the menu.
4. Enter a name (like Support) in the Name field.
5. Enter a description (like Support Personnel) in the Description field.
6. Enter a phone number (like 300) for the group in the Extension field. This number will
be used to identify the group from where to pickup the call.
7. Click Add button, select and add the phones to make part of the group (use Ctrl key to
select multiple phones at the same time).
8. Select the Access Control tab.
9. At the Call Pick Up section, select the option Only phones of this group can pick up calls
ringing on these phones.
10.Click Save button.
At this point any phone within the group Support, can pickup calls ringing at any phone of the
group by dialing *8 followed by the group extension number (300 in the example).
When using the group's extension number like *8300 the user will randomly pickup a call
ringing in the group, when using *8<phone extension number> the user will pickup the call
ringing at the specific phone (*81001 will pick the call ringing at phone's extension 1001).
Other phones not belonging to the group Support won't be able to execute pickup to the group,
or specific extensions belonging to the group.

How to create a group of phones that can listen and whisper calls, while others can't?
In this example, lets assume we have a group of supervisors that need the ability to listen
ongoing calls in the Help Desk group, and give instructions to them during the call.
For the scenario scenario above do the following:
1. Create a group called Supervisors.
2. Add to the group the supervisors phones.
3. In Access Control panel, at the Calls Monitoring section, select both policies:
- These phones can be used to listen to ongoing calls on other phones
- Calls on these phones can't be listened by other phones
4. Create a group called Help Desk.
5. Add to the group the phones of the help desk team.
6. In Access Control panel, at the Calls Monitoring section leave both policies unselected.
At this point any phone within the group Supervisors, can listen ongoing calls of any phone in
the group Help Desk by dialing *990* followed by the extension number of the phone to listen
(*990*1001 to listen phone extension 1001). To listen and give instructions at the same time
(whisper mode) dial *991*1001.
8.2.6 Twinning
Twinning enables you to almost duplicate the behaviour of an extension of the network on
another external phone, as a cell phone for example. Learn More.
If you activate and configure twinning with, for example, a cell phone:
· When a call arrives at the network phone (for example, extension 2001) then both the
network phone and the cell phone will ring. The phone that will pick up the call is the one
that will be first answered. This is useful, for example, when a user goes out of office. He
is able to answer calls to his extension on his cell phone.
However, when the user answers a call on his cell phone that was sent by
egdeBOX through an analog line, the user needs to press the # (pound) key
after answering. This will inform edgeBOX that the call was picked up and edgeBOX
will stop ringing the extension of the user. Otherwise the extension will keep on
ringing despite the call had already been answered by the user.
· The user can make calls with his cell phone as if he was on his extension at work, even if
he is at home. The user just needs to dial the number of the company. The call will be
answered by edgeBOX and the user will hear the dial tone again. The user can then make
internal calls just by dialing the extension he wants to call or make outgoing calls that will
appear to the recipient as being made by user's regular work phone.
Activate Twinning for an extension

IP-PBX and VoIP 127
The twinning feature is defined at each specific phone. By default phones are not allowed to
twin with other phones like cell phones.
To allow a phone to twin with another one:
1. Select the desired network phone from the phone list and click the Edit Phone button.
2. Select the option Activate Twinning.
3. Enter the phone number to be twinned to in the Phone Number field, or you can leave it
blank for the user of the phone to configure it himself. See Configure Twinning using the
phone.
Change the twinned phone number
2. In the Twinning section you can see the number of the phone this extension is currently
twinning with.
3. Enter the new phone number in the Phone Number field.
Turn off twinning
This is particularly useful when the user is close to both phones at the same time, the network
phone and his personal cell phone, for example. In this cases, having both phones ringing at
the same time is not really useful, so you can switch off twinning so just the company phone
rings when a call is received, for example.
To turn twinning off of a phone:
2. Unselect the option Activate Twinning.
Note that the feature is still allowed at the phone, it is just not enabled at the moment, this is,
this phone is not twinning with another phone. But you, through edgebOX's interface, or the
phone's user, through the phone, can enable it again at any time.
Configure Twinning using the phone
The user of the phone with twinning can also enable, disable and change the number of the
phone your extension is twinning with, directly on the phone itself instead of the edgeBOX. But
to do so, twinning must be Active on that phone.
· Enable twinning - on your phone, dial *90. Twining will be now enabled.
· Disable twinning - on your phone, dial *91. Twinning will be disabled.
· Change the phone your phone is twinning with - on your phone, dial *92*

followed by the phone number you want to twin to. For example, if your cell phone is
912154014 you can dial *92*912154014.
· Transfer an ongoing call from the cell phone to the network phone - on your
phone, dial *93 and the call you are answering in the cell phone will continue in the
network phone.
8.2.7 Internal Dial Plan

The Internal Dial Plan popup window is accessible in the Related Topics corner of the Phones
menu, in the IP-PBX section. The Internal Dial Plan menu gives you access to a finer-grained control
of the way edgeBOX processes calls: it allows you to route each call through a set of simple or
complex sequences for each call processed.
Don't use the Internal Dial Plan for simple operations like the creation or removal of extensions.
Those operations should be performed in the Phones list. The Internal Dial Plan should only be
used for advanced configurations.
You can consider the Internal Dial Plan as a set of individual Extension Dial Plans. The popup
dialog shows you initially:
· on the left: the list of Extensions currently active in the Internal Dial Plan: each new
phone created is automatically added to the Dial Plan and each phone deleted is automatically
removed;
· on the right: when you select an extension on the left; the right-hand panel shows you the
Extension Dial Plan: the configured sequence of actions the PBX will execute upon reception
of a new call for this extension.
As usual, you can use the New button to add new extensions or the Edit button to change existing
entries. For your convenience, a Duplicate button is provided for quickly creating new entries based
on the existing ones. The Configure the Extension Dial Plan popup window will show.
Configure the Extension Dial Plan
This dialog lets you configure, for a specific entry:
· Extension: type-in the extension name to which this Extension Dial Plan applies;
· with Caller ID: check the box and type-in the Caller ID if you wish to further specify that this
applies only to that specific Caller ID;

IP-PBX and VoIP 129
· Actions: an ordered list of actions edgeBOX will try to route the call through; use the Up
and Down arrows to change the sequence; use the New and Delete buttons to manage the
contents of the list. For each action you can:
· Forward to Phone: this action forwards the call to a phone; you must select the
phone from the drop-down list that appears below;
· Forward to external number: this action forwards the call to an external number;
you must specify the number you want in the text filed;
· Forward to Voicemail: the call will be forwarded to the chosen extension's

voicemail; you may choose any extension with an active voicemail;
· Forward to Queue: with this option the call will be forward to the queue you choose
(see Queues);
· Forward to Conference: you can choose a conference number for the call to be
forwarded to (see Conferences);
· Forward to Group: here the call will be answered by some phone in the group you
specify from the drop-down list;
· Answer: the call will be answered;
· Hangup: the call will be hung-up;
· Play: the caller will listen to the sound file you choose; the selected sound file will be
played and all numbers entered by the caller will be ignored until the sound has
finished (see here for details on sound files);
· Wait: this action makes the call wait for the specified number of seconds.
8.3 Configuring incoming call rules

Incoming Call Rules instruct edgeBOX on how to deal with a call coming from the outside world. The
Incoming Call Rules menu is accessible in the IP-PBX section.
When configuring Incoming Call Rules you have at your disposal the following tasks:
· Creating Incoming Call Rules.
· Build Automatic Attendant voice menus.
· Define Schedules (or calendars).
Related Topics:

· Voice Lines
· Groups
· Sound Manager
· Music On-Hold
· Automatic Attendants
· Schedules
8.3.1 Creating incoming call rules

Incoming Call Rules define how an incoming call is routed through the system, and how it's going
to be answered. It can be redirected to a specific extension, to voicemail or to automated attendants.
The Incoming Call Rules menu can be reached in the IP-PBX section. There are two default
example rules: work-hours and after-hours.
Each rule as a set of conditions and a set of actions. Conditions determine if the rule is to be
applied or not not, while the Actions specify how the call is to be treated.
A rule is composed by:

· a rule priority; to determine the order by which the rules are evaluated. Rules are applied in
the order of appearance. Click on a rule and use the UP and Down buttons to change the order.
· a rule name; which is a human readable name describing the rule.
· rule conditions; to determine if the rule is to be applied or not not.
· rule actions; that define how the call is to be treated.
Basic steps to create an Incoming Call Rule
1. Go to IP-PBX > Incoming Call Rules.

3. Enter the name of the rule in the Rule name field.
4. Select a condition in the Conditions combobox.
5. Enter the parameter value for the condition in the text field at right side of the condition.
6. Click Add button to add the condition to the rule. Repeat from step 4 for as many
conditions as you need.
7. Select an action in the Actions combobox.
8. Enter the parameters for the action in the fields at right side of the action.
9. Click Add button to add the action to the rule. Repeat from step 7 for as many conditions
as you need.

IP-PBX and VoIP 131
10.Click Save button to save the rule.

11.At the rules list, use the Move Up and Move Down buttons in the toolbar to place the rule
in the order you desire to be evaluated.
Rule Conditions
When a call is received by edgeBOX, the conditions of each incoming call rule are evaluated.
For the first rule to match all conditions, the sequence of actions specified are executed.
· Calls to (DDI): This condition tries to match the destination number (DDI) of the call
with the supplied value; you must enter the DDI in the text field at the right side of the
condition type. This condition is useful when you have multiple public phone numbers,
each one with a different destination department or receptionist.
· Calls from (CallerID): This condition tries to match the originating number (CallerID)
of the call with the supplied value; you must enter the CallerID in the text field at the
right side of the condition type. This condition is useful when you need to redirect a call
based on who's calling.
· Schedule: This conditions evaluates if the call is being made at a particular time or day
(see Schedules for more details). you must choose a Schedule from the drop-down list
at the right side of the condition type. This condition is useful for example when at work
hours (or days) you want the call to be answered by a person, but out of hours (or at
vacations periods or holidays) you want an automated attendant to answer.
In a single rule you can use as many conditions as you want. The rule's actions will be
executed if (and only if) all conditions together are true. So you could easily build up complex
rules such as ''from this origin, to that destination within some period of time''.
Rule Actions
The Rule Actions determine the behaviour in case the rule conditions are met. You can:
· Forward to Phone: this action forwards the call to a phone; you must select the phone
from the drop-down list that appears at the right side;
· Forward to internal number: this action forwards the call to an internal number; you
must specify the number you want in the text filed that appears at the right;
· Forward to external number: this action forwards the call to an external number; you
· Ring Phone: this action tries to forward the call to the specified phone by making it ring;
if the phone is not answered then the next action will take place;
· Forward to Voicemail: the call will be forwarded to the chosen extension's voicemail;
you may choose any extension with an active voicemail;
· Forward to Queue: with this option the call will be forward to the queue you choose
(see Queues);
· Forward to Group: here the call will be answered by some phone in the group you
specify from the drop-down list at the right side;


· Play: the caller will listen to the sound file you can choose; the selected sound file will be
played and all numbers entered by the caller will be ignored until the message has
completed;
· Change CallerID: to change the CallerID to a diferent one; you must type it on the right;
you can use constructs like "Ricardo Loureiro <916291182>" or even the usual * and X
signs for field replacement (see more on this below);
· Set Project Code: to label the call detail record (CDR) with the supplied code; you must
type the code on the right;
· Change Music On Hold: to change the music to be played if the call is placed on hold;
· Wait: this action makes the call wait for the specified number of seconds;
· DISA: Stands for Direct Inward System Access. Allows someone calling in from outside
the telephone switch (PBX) to obtain an "internal" system dialtone and dial calls as if from
one of the extensions attached to the telephone switch. The DISA application may require
the user to enter a passcode, followed by the pound sign (#). If the passcode is correct,
the user will hear dialtone on which a call may be placed. Is it secure?
This type of access has SERIOUS security implications, and GREAT care must
be taken NOT to compromise your security. We advise you to ALWAYS enter a
passcode. If you do not enter a passcode, when the action DISA is executed, the
user gets authenticated automatically. If you select that option and indicate the
passcode, when the DISA action is executed, first is asked the user to enter the
passcode before getting dialtone.
· Start Automated Attendant: this action will start the execution of the specified
automated attendant menu.
You can add several rule actions. Rule actions can be moved Up and Down with the help of the
corresponding buttons. This way you could compose complex sequences for edgeBOX to
execute on the call. As an example you could play a sound, wait for 10 seconds and then
forward the call to some Conference.
Use of pattern characters
You can make use of patterns in your rules.

· Pattern 'X': each X accounts for exactly one digit; if, for example, you specify ''Calls
From (DDI): 9876543XX'' you could latter, in the same rule, specify an action like
''Forward to Internal Number 99XX''. In each call the XX sequence from the DDI will be
evaluated and re-used in the action. In this case a call from 987654321 would be
forwarded to internal number 9921.
· Pattern '*': the symbol * accounts for any digit sequence.

IP-PBX and VoIP 133
8.3.2 Defining Automated Attendant menus

edgeBOX provides a flexible Automated Attendant builder, fully integrating all of edgeBOX's VoIP
PBX functionalities, allowing the administrator to create response menus for a large range of
applications. Callers using a touch tone phone will be able to navigate these menus by pressing the
appropriate numbers.
An automated attendant menu is built with actions and conditions:
· Actions define what is to be done in the call, like answer, play sound files, joining
conferences or jumping to another automated attendant menu;
· Conditions are used to respond to user input, like when a key is pressed, or a number is
dialed.
Automated Attendants are displayed as a tree structure, making it easy to understand the concept of
flow of actions and conditions. Each child node is either an action or a condition which may be
expanded to see it's underlaying actions.
Basic steps to create an automated attendant
1. Go to IP-PBX > Incoming Call Rules

2. Click Automatic Attendants option in the Related Topics section of the menu
3. Click New button in the toolbar.
4. Enter a name to identify the automatic attendant in the Name field.
5. Click Add Action button in the toolbar.
6. Select the desired action in the Action combo box.
7. Enter the parameter values for the action in the fields shown below the Action combo
box.
8. Click Save to confirm the action. Repeat from step 5 to add more actions. To change to
action's order execution use the up and down arrow button in the toolbar.
9. Click Add Condition button in the toolbar.
10.Select the type of action desired.
11.For actions to be executed when a condition is met, select the condition in the list, and
click Add Action (steps 5 to 8).
12.Click Save button when finished.
Automatic Attendant's Actions
· Forward to Phone: this action forwards the call to a phone; you must select the phone
from the drop-down list that appears at the right side;
· Forward to external number: this action forwards the call to an external number; you
· Ring Phone:
· Forward to Voicemail: the call will be forwarded to the chosen extension's voicemail; you
may choose any extension with an active voicemail;

· Forward to Queue: with this option the call will be forward to the queue you choose (see
Queues);
· Forward to Group: here the call will be answered by some phone in the group you specify
from the drop-down list at the right side;
· Play: the caller will listen to the sound file you can choose; the selected sound file will be
played and all numbers entered by the caller will be ignored until the message has
completed;
· Play in background: similar to Play, but in this case the user can press keys while
listening, instead of being forced to wait for the sound to finish.
· Wait: this action makes the call wait for the specified number of seconds;
· Start IVR: this action will start the execution of the specified automated attendant menu
(IVR); the drop-down list will show you all currently configured automated attendants for
you to choose the one you want; additionally you can also choose the Internal Extensions
option; in that case the caller will be able to dial the internal extension he wishes to reach;
· DISA: Stands for Direct Inward System Access. Allows someone calling in from outside the
telephone switch (PBX) to obtain an "internal" system dialtone and dial calls as if from one of
the extensions attached to the telephone switch. The DISA application may require the user
to enter a passcode, followed by the pound sign (#). If the passcode is correct, the user will
hear dialtone on which a call may be placed. Is it secure?
This type of access has SERIOUS security implications, and GREAT care must
be taken NOT to compromise your security. We advise you to ALWAYS enter a
passcode. If you do not enter a passcode, when the action DISA is executed, the
user gets authenticated automatically. If you select that option and indicate the
passcode, when the DISA action is executed, first is asked the user to enter the
passcode before getting dialtone.
You can add several rule actions. Rule actions can be moved Up and Down with the help of the
corresponding buttons. This way you could compose complex sequences for edgeBOX to
execute on the call. As an example you could play a sound, wait for 10 seconds and then
forward the call to some Conference.
Automatic Attendant's Conditions
Conditions are used to execute a set of actions based on the user's input.
· If user pressed keys: This condition will compare the keys typed be the caller, and will
execute the underlying actions if the keys match the ones you specified on this condition;
You must enter the set of keys that should be pressed in the Keys field.
· If user pressed invalid keys: This condition will execute the underlying actions, if the
sequence of keys pressed by the user is not matching any of the previous conditions.
· If user didn't press any key: This condition will execute the underlying actions, if the
user didn't pressed any keys (after a 5 seconds timeout).

IP-PBX and VoIP 135
8.3.3 Schedules
Schedules allow you to define periods of time for executing rules in Incoming Call Rules. This is
very useful to specify working hours, vacations, holiday periods that you can then easily use when
defining your call rules.
To define a schedule proceed as follows:

1. Go to the IP-PBX section, Incoming Call Rules menu;
2. Click the Schedules option in the Related Topics section of the menu;
3. Click New button;
4. Enter a name identifying the schedule in the Name field;
5. Next you must specify a set of time Rules. You can do this based on:
· Date: you can either specify a range of calendar days or a single day,
· Time: you can specify any time span within a day, from 0h0m up to 23h59m,
· Days: you can either specify a range of week days or a single week day.
You can specify multiple rules for a schedule. In that case the schedule will actually be defined as the
superposition of all rules (logic AND). Give me an example...
As an example you could specify a three rules based schedule as: ''Date: from 1/7/2009 to
31/12/2009'' AND ''Time: from 9h00m to 18h59m'' AND ''Days: from Monday to Friday''. You would
call this schedule WorkHours2ndSemester09.
8.4 Define your outgoing call rules

Outgoing Call Rules instruct edgeBOX on how to route calls to the outside world. You can have
distinct rules based on Phone Dialing, Dialed Number and Time.
Usually Outgoing Call Rules are used with Least Cost Routing (LCR) in mind, since you can
create rules based on destination number in order to use the least cost route for that destination,
reducing the overall cost of your voice communications.
Please refer to the IP-PBX section's Outgoing Call Rules menu. From that menu you can:
· Configure edgeBOX to require PIN authentication for outgoing calls
· Configure Outgoing Call Rules and Access Control policies for specific Groups or Devices
· Configure the Emergency route

Related Topics:
· Configuring Voice Lines
· Phones Groups Access Control
· Configure usage of ENUM routes
8.4.1 Authentication
edgeBOX supports authentication of outgoing calls. Authentication is based on a PIN assigned
on user creation. Outgoing call permissions, i.e. the type of outgoing calls a user is allowed to make,
are also set on user creation.
The Outgoing Call Rules menu in the IP-PBX section displays the current status of the
authentication service at the top. As usual the green/gray colors are used to show the operational
status of the Outgoing Calls Authentication service. Click the Require users to
authenticate/Don't require users to authenticate to change it.
When active the PBX will block outgoing calls if the user supplied invalid credentials or if the user
doesn't have the necessary permissions to make the call. When inactive, the system will still check
the type of each call, but only to find the correct Route to use. In this mode of operation users are
not required to supply a PIN when making calls.
8.4.2 Rules Definition

An Outgoing Call Rule is defined by the following data:
· Conditions: this is where you define the conditions when to apply the rule, namely:
· Inbound Pattern: the Dialed Number; you can use patterns such as 123*: this will
match all calls to numbers starting with 123;
· Type of call: Free, Local, Long Distance, Mobile, International or Special Call;
· Time of day: the period of the day for which this rule will apply
· Routes: in the routes section you define
· Route: which line (or lines) should be used to make the call
· Outbound Pattern: the number to dial out; here you can reuse pattern matches
from the Inbound Pattern; more details below;

IP-PBX and VoIP 137
· Timeout: timeout for this route;
· CallerID: outgoing caller ID.
Steps to create a new outgoing call rule
1. Goto IP-PBX > Outgoing Call Rules.

2. Click New button in the toolbar.
3. Enter a name for the rule (like US_Calls) in the Name field.
4. Enter the dialed pattern (or number) you want as a condition to apply this rule (like 001*
for all numbers started with 001, or 800XXXXXXX for all 10 digit numbers started with
800) in the Inbound Pattern field.
5. Classify the type of access level required to use this rule (like Free) in the Type of Call
field.
6. Enter the time period you want this rule to be applicable, in the From and To fields. The
rule is only applied to calls made during the specified time period. This way you can have
different rules in different time schedules to the same destination number.
7. Select the route (or line) you want the call to follow through in the Route field.
8. Enter the number (pattern) that should be dialed (usually the same as the Inbound
Pattern you entered in 3) in the Outbound Pattern field. More details...
The outbound pattern may differ from the inbound, if you wish to transform the
number. One example is when you need to add prefixes to select a specific provider,
say a prefix of 1010 needs to be added, thus your inbound pattern would be 9* (all
numbers starting with 9), whilst your outbound pattern would be 10109*. Other
situation is when you want an outbound prefix like 0, in this case the Inbound pattern
would be 0* and the Outbound pattern would be *.
In the both patterns (outbound and inbound) you can use two special characters: *
matches all remaining digits; X matches exactly one digit, you may use several X
characters to match a specific number of digits. The 'X's must be uppercase.
Examples: The 9* indicates a digit 9 followed by any other numbers. If you entered
9XXX, this would indicate a 9 followed by exactly 3 other digits (which may or may not
include the digit 9)
9. Enter the amount of time in seconds (like 30), this route shall ring before ending the call
(or falling to the next route if defined) in the Timeout field.
10.If you want to enforce a specific Caller ID for the call, check the Caller ID and enter the
number (or text) you want in the CallerID field. More details...
Caller ID is the identifier displayed (usually the number associated with the phone line)
in the destination phone. Not all providers allow this to be changed, in these cases
edgeBOX will change it at the protocol level but produces no effect as the provider will
override it.
11.Click Add.
12.Repeat 7 to 11 adding all routes you wish to use as fall back routes. All these additional
routes will be used if the previous one is not available or times out.
13.Select the Access Control tab.

14.Move the Groups and the Devices from Denied to Allowed, for whom you want to be able
to use the rule. The rule will only be applied if the phone making the call belongs to a
group in the Allowed area, or if the call is coming from a Device in the Allowed area (like
DISA).
15.Click Save to save the rule.
Default Outgoing Call Rules
There are two pre-configured outgoing call rules in edgeBOX:

· Demo rule: This rule is meant for testing purposes only. In a sentence this rule could be
read as “Calls to number 123, at any time, made from any phone will follow demo-proxy
route”. demo-proxy is a ITSP connection to Critical Links data center for you to test your
edgeBOX setup.
Note: You can test the Demo rule by dialing 123 in one of the already connected phones.
If everything is working properly your call will be answered and you'll listen an automated
attendant saying “Welcome. Thank you for calling. Goodbye”, and then the call will finish.
Please note that this call is made through a connection to Critical Links servers, thus your
edgeBOX needs a working internet connection for this test to work.
· Default rule: This rule is the most generic rule, and will match all calls (except if rules with
more specific conditions are applicable). In a sentence this rule could be read as “Calls to
any number (*), at any time (00:00 – 23:59) made from any phone (Access Group Default)
will follow routes specified”.
Note: When you first receive an edgeBOX, the Default rule doesn't include any routes
(lines) to the PSTN, so you need to edit this rule and add the routes you've connected.
See more in Configuring Voice Lines.
8.4.3 Emergency number

The Emergency rule is a special rule to be used when the emergency number (e.g: 911 or 112) is
dialed. The emergency rule it's a system rule and cannot be deleted. You can easily identify it by the
red cross icon . This rule behaves pretty much the same way as other rules but authorization
and authentication policies are bypassed, meaning that every connected phone (even phones in
"not registered" state due to bad password) are allowed to make the call.
Steps to setup the Emergency call rule
1. Goto IP-PBX > Outgoing Call Rules.

2. Select the rule Emergency and click Edit button in the toolbar (double mouse click also
works).
3. Enter the emergency number (like 911) in the Emergency Number field.

IP-PBX and VoIP 139
4. Select the route (or line) you want the call to follow through in the Route field.
5. Enter the number (pattern) that should be dialed (usually the same as the Emergency
Number you entered in 3) in the Outbound Pattern field. More details...
The outbound pattern may differ from the inbound, if you wish to transform the
number. One example is when you need to add prefixes to select a specific provider,
say a prefix of 1010 needs to be added, thus your inbound pattern would be 9* (all
numbers starting with 9), whilst your outbound pattern would be 10109*. Other
situation is when you want an outbound prefix like 0, in this case the Inbound pattern
would be 0* and the Outbound pattern would be *.
In the both patterns (outbound and inbound) you can use two special characters: *
matches all remaining digits; X matches exactly one digit, you may use several X
characters to match a specific number of digits. The 'X's must be uppercase.
Examples: The 9* indicates a digit 9 followed by any other numbers. If you entered
9XXX, this would indicate a 9 followed by exactly 3 other digits (which may or may not
include the digit 9)
6. Enter the amount of time in seconds (like 30), this route shall ring before ending the call
(or falling to the next route if defined) in the Timeout field.
7. If you want to enforce a specific Caller ID for the call, check the Caller ID and enter the
number (or text) you want in the CallerID field. More details...
Caller ID is the identifier displayed (usually the number associated with the phone line)
in the destination phone. Not all providers allow this to be changed, in these cases
edgeBOX will change it at the protocol level but produces no effect as the provider will
override it.
8. Click Add.
9. Repeat 5 to 8 adding all routes you wish to use as fall back routes. All these additional
routes will be used if the previous one is not available or times out.
10.Click Save to save the rule.
8.5 Configuring Voice Lines

edgeBOX can be connected to the public telephony network or to the IP network in a
number of ways. With edgeBOX you can manage your connections such as ISDN or FXO-FXS
hardware, or pure VoIP interfaces such as SIP or IAX2.
The Voice Lines panel allows you to manage all these interfaces in a consistent unified approach.
Please go to the IP-PBX section. You can reach the Voice Lines popup from the Incoming Call Rules
, the Outgoing Call Rules and the MailFax Accounts menus, in the Related Topics corner.
When the panel loads you get a summary display of all your phone lines and corresponding status.
Voice lines are classified as follows:

· Public Lines: Lines connected directly to the PSTN (Public Switched Telephone Network). The
panel will automatically display all lines installed based on your hardware configuration. The
supported line types include FXO, ISDN BRI and ISDN PRI.
· VoIP Providers: IP connections to VoIP providers. The signalling protocol used is SIP (Session
Initiation Protocol). How to create a VoIP Provider connection?.
· Remote PBX: Lines connected to a PBX (includes ISDN BRI and ISDN PRI). Calls received on
this lines are considered internal calls, meaning that extensions can be called directly.
· Remote Offices: IP connnections to other office, supported signalling protocols are SIP and
IAX2. Calls received on this lines are considered internal calls, meaning that extensions can be
called directly. How to create a remote office connection?
· All Lines: Display all the above mentioned connection types plus FXS lines, where you can
connect directly analog phones or fax machines.
8.5.1 VoIP Providers

To enable edgeBOX to connect to a VoIP provider on the Internet, please load the Voice Lines dialog
and click the New button. In the subsequent dialog choose Connect to a VoIP provider on the
Internet and press Next.
Step 1: in the first dialog you need to define the destination host and authentication for
the connection. Please fill the details regarding your VoIP provider account:
· Name: type in an identification name for this provider;
· IP Address / Hostname: type-in the IP address or the FQDN of your provider;
Authentication
· Authentication is not required
· Authenticate with credentials: if the provider requires authentication please fill in the
Username and Password; additionally you can Customize Authentication Fields;
press the Settings... button and type-in:
· Register Name
· Authentication Name
· From User
· From Domain
· Outbound Proxy
· Realm
· Contact

IP-PBX and VoIP 141
For convenience you can use the Test Connection button to validate the connection. Once you're
done, press Next.
Please note that calls coming through trusted SIP proxies are only trusted if the proxy name is equal
to the FROM header.
Step 2: in the second dialog you will define codecs and other advanced options. You may
choose to provide:
· Max Calls: maximum number of simultaneous calls allowed;
· Manage Codecs to be used on this connection: select the codecs to be used (these
codecs have to be supported by the provider). You can also select the preferred order of use.
For more information see Codecs section.
· Manage DTMF and other advanced options:
· Disable NAT support
· Disable Keep Alive
· DTMF Mode: inband, info and rfc2833
8.5.2 ENUM service

edgeBOX supports ENUM, which is a service to map PSTN telephone numbers into VoIP URLs.
In edgeBOX ENUM service is conceptualized as a voice line, meaning that whenever you want a
given Outgoing Rule to search and use ENUM service, you just need to add the ENUM line to your
route. This will make for every call routed through that rule, to send a query to each active ENUM
server to try to lookup the called PSTN number, and if found the call will proceed as an URI call. For
more details about ENUM see Telephone Number Mapping.
How to use ENUM service?
ENUM service is used like a Voice Line, so if for a given Outbound Route you want ENUM
service to be used, you need to add ENUM line to your list of routes.
1. Go to IP-PBX > Outgoing Call Rules.
2. Double click the rule where you want to use ENUM (or create a new rule).
3. Select ENUM in the Route combobox, and enter the desired Outbound pattern.
4. Click Add.
5. Use the Up and Down buttons to place the ENUM at your desired execution order (typically
it should come first).


Now, outbound calls following this rule will be converted to URI Calls whenever the ENUM
server returns a valid URI for the dialed number.
How to configure ENUM service?
By default edgeBOX comes preconfigured with two ENUM server (e164.org and e164.arpa). If
you need to use others follow the steps below:
1. Go to IP-PBX > Outgoing Call Rules.
2. Select Voice Lines option in Related Topics section.
3. Double click the ENUM Service line.
4. Use Add and Remove buttons to setup your ENUM servers.
Now all the Outgoing Rules that you've configured to use ENUM will query the specified
servers.
8.5.3 Remote Offices

The Remote Office functionality allows the creation of an IAX or SIP trunk between two edgeBOXs.
Calls between these devices benefit from an optimised connection, resulting in a better use in
bandwidth.
A benefit of this configuration is that an extension from edgeBOX A is able to call an extension
registered in edgeBOX B, as if the phone was registered on edgeBOX A.
Note that besides calling internal extensions, all VoIP functionalities will be available for the remote
edgeBOX users (making local calls, making call conferences, etc. ), allowing you to make a
conference call between two remote offices with no costs.
To enable edgeBOX to connect to a Remote Office, please load the Voice Lines dialog and click
the New button. In the subsequent dialog choose Connect to a Remote Office and press Next.
Step 1: in the first step you need to define a name and a security key for the conection:
Name: a descriptive name for the connection (such as office2, for example);
Authentication
· Password: the password to use in the connection;
Advanced Options
· Manage Codecs: click the Codecs... button and use the following dialog to enable/

IP-PBX and VoIP 143
disable and prioritize the application of audio and video codecs for this connection; See
Codecs section for more information.
· Manage Protocol (IAX or SIP): click the Protocol... button and choose the protocol
SIP or IAX; for SIP don't forget the Max. Simultaneous calls value;
Click Next.
Step 2: in the second step you need to specify the Remote Office location:
· IP Address / Hostname: type-in the IP address or the FQDN of the remote office IP-PBX;
· Automatically configure remote server: check the box and type-in the administration
password of the remote host.
Press the Finish button when done.
8.5.4 Hardware
edgeBOX supports automatic hardware detection. All supported VoIP card types are automatically
detected and the system is automatically configured so these cards can be used by the IP-PBX.
All supported card types are displayed in the Voice Lines popup, IP-PBX menu. Each card type has
it's own specific set of configurations. To access them, select the desired entry and click the Edit
button. For each specific type follow the details below:
· ISDN BRI
· ISDN PRI
· Analog FXO-FXS
8.5.4.1 ISDN BRI

When editing a BRI port, you can configure the following parameters:
Mode
Choose the desired operating mode:
· This line connects to an ISDN Phone: if this line will be used to connect a phone; NT Mode
; ports in NT Mode are available when you configure your Incoming Call Rules;

· This line connects to an ISDN Line: if this line will be used to connect edgeBOX to the
exterior using ISDN; TE Mode; ports in TE Mode are available as outbound routes when you
manage Outgoing Call Rules;
NOTE: changing this option requires restarting edgeBOX's PBX and thus hanging-up all ongoing
calls.
Connection Type
Choose the desired connection type: Point to Multi-Point (PMP) or Point to Point (PTP). PTP links
allow only one TE to be connected. PMP links allow to connect up to 8 terminals in parallel along the
bus.
· Point to Multi-Point (PMP)
· Point to Point (PTP)
MSN numbers
The MSN numbers are your public phone numbers. You can use this option to restrict the inbound
calls you accept on this ISDN line. Accepting calls restrictions:
· Accept calls to any number
· Accept only calls to the following numbers and ignore other calls: use the Add, Edit
and Remove buttons to manage the list of numbers to which this line accepts calls.
Others
Select the following two options as required:
· Consider calls on this line as internal calls (Trusted Line): select this option if you want
inbound and outbound calls through this line to be considered internal calls by edgeBOX; this
means that the inbound call rules and outbound call rules will not be applied to these calls;
· Wait for all incoming digits before fallback to Dial Plan: select this option if you want to
wait for all incoming digits before fallback to Dial Plan; it allows edgeBOX to integrate with
PBX's which work with overlap digits.
8.5.4.2 ISDN PRI

When editing a PRI port, you get a two tabbed dialog window:
General
· Mode: shows you the current operating mode for the port; it can be E1 or T1; additionally the
number of ports (31 ports in E1 mode, 22 ports in T1 mode); How to change mode?

IP-PBX and VoIP 145
· Ports: the current port assignment (example 5-35 for an E1);
· Group: the current Group;
· Consider calls on this line as internal calls (Trusted Line): select this option if you want
inbound and outbound calls through this line to be considered internal calls by edgeBOX; this
means that the inbound call rules and outbound call rules will not be applied to these calls;
· Wait for all incoming digits before fallback to Dial Plan: select this option if you want to
wait for all incoming digits before fallback to Dial Plan; it allows edgeBOX to integrate with
PBX's which work with overlap digits.
· Enable Echo Cancellation: select this option if you want the card to use the embedded echo
cancellation mechanisms. Note that this option is only displayed for cards that support echo
cancellation.
Advanced
The advanced tab gives you access to further configuration details
In the Advanced tab of the configuration details for PRI cards, the following settings may be
changed:
· SwitchType: switching used by the line. Available options are:
· EuroISDN, used in Europe;
· QSIG;
· Signalling: signalling used by this span. Available options are:
· CPE, used on the client side;
· NET, used on the network side.
· E&M
· Timing:
· Primary Master
· Secondar Master
· Slave
· Coding:
· HDB3
· AMI

ISDN Signaling
· Dial Plan: choose from Unknown, Private, Local, National, International, Dynamic;
· Local Dial Plan: choose from Unknown, Private, Local, National, International, Dynamic.
Customize National and International Prefixes
· National Prefix: check the box and enter the desired prefix;
· International Prefix: check the box and enter the desired prefix.
8.5.4.2.1 How to change configuration mode (E1 / T1)
To change the mode from E1 to T1 (or vice-versa) you need to access the hardware and configure
jumpers accordingly; please refer to your support service for more information on how to proceed.
To see more information about E1 and T1 see here.
8.5.4.3 Analogue FXO-FXS

To allow connection to analogue lines, edgeBOX supports TDM Digium cards. FXO and FXS modules
may be installed in this card:
· FXO Module: should be connected to an analogue line, allowing you to receive or make calls
using the PSTN network;
· FXS Module: should be connected to an analogue phone or fax machine.
Be careful not to connect phone lines (PSTN lines) in the FXS port. If you do so, the
port will stop working.
Even if you unplug the phone line cable and connect an analog phone into the port, the port will still
not work; you will have to reboot edgeBOX.
When editing an FXO-FXS port you'll be prompted by a panel with two tabs:

IP-PBX and VoIP 147
General
· Number: number of lines for this card;
· Mode: FXO or FXS;
· Enable Echo Cancellation: only if card supports echo cancellation;
· This line has a direct phone number assigned: only for FXO mode; check then box and
type-in the desired direct phone number for this line;
Advanced
· Enable "#" confirmation for outgoing twinned calls: only for FXO mode; you need to
select this option if you have Twinning enabled on your analog phone and you are not in the
USA; show me more details...
when an analog phone is in Twinning, if the call is answered on the twin phone, edgeBOX is
not able to know if the call was answered or not because it is an analog line; so it is
necessary to the user to press the # (cardinal) key after answering; this will inform
edgeBOX that the call was picked up and edgeBOX will stop ringing the other extension;
otherwise the extension will keep on ringing despite the call having already been answered
by the user.
· Sound Volume Gain (dBs): adjust the volume for transmission and reception on this line;
· This line receives dialtone: select the period: immediately or up to n seconds; only for
FXO mode;
8.6 Phone operations

This section of the manual brings together hands-on information on how to execute several useful
operations or configurations directly with your phone:
· Blind and Supervised Transfers
· Group Calls
· Intercom Calls
· Call Listening and Call Whispering
· Call Pick-Up
· Twinning
· Follow Me

· One Touch Recording
· Labeling CDR records with Cost Centers
8.6.1 Blind and Supervised Transfers

edgeBOX allows you to execute Calls Transfers from your phone to other phones. There are two
major kinds of transfers:
· Blind Transfer: immediately transfers the call to another number;
· Supervised Transfer: transfers a call to another phone by putting it on hold and allowing
you to talk to the transfer destination phone; this allows you to determine if the transfer will
succeed and if the person at the other end will actually be able to accept the call; it is also
know as Attended Call Transfer.
Blind Transfer - How to do it?
1. When you are answering a call, inform the caller that you are going to transfer the call.
2. Dial the prefix for a blind transfer and the telephone number you wish to transfer the incoming
call to. Example: #12001 to forward the call to extension 2001.
3. The caller is immediately connected to the number you transferred the call to.
4. You will hear the busy line tone, which means the transfer is complete and you can hang up.
If you make a mistake when dialling the number you're transferring the caller to, you and
the caller will be disconnected from the original call. Also, you cannot check to see if the
number you are transferring the call is busy or offline, for example, before making the
transfer. To do that use a Supervised Transfer instead.
Supervised Transfer - How to do it?
1. When you are answering a call, inform the caller that you are going to transfer the call.
2. Dial the prefix for a supervised transfer (*2 by default, but you can change it). The caller will
no longer be able to hear you.
3. Dial the number of the phone number you wish to transfer the incoming call to. After the
person answers, ask if you can transfer the call.
4. If the person says yes, hang up your phone and the call that is on hold will be transferred to
the recipient. If the person says no wait until he/her hangs up. The call on hold will be
transferred back to you and you can inform the person holding that it is not possible to
transfer the call.

IP-PBX and VoIP 149
If the person to whom you've are transferred the call doesn't answer it in about 15
seconds, the call is transferred back to you. This also happens if that person answers the call
but hangs up the phone before you do.
Hangup a Supervised Transfer - How to do it?
To end a Supervised Transfer and get back to the initial caller you can dial the Hangup Key
Code (*0 is the default key code for Hangup but you can change it if you want to).
Related Topics:
· Operation Key Codes (Prefixes)
8.6.2 Group Calls

Group Calls are calls directed at a Group extension number (instead of a Phone extension number).
When you create Groups of phones you are prompted for an optional Extension number to be
assigned to the group. That's the group's extension.
The result of a call directed at a group extension is that all phones in that group will ring: that's a
Group Call. When anyone picks up the call on any of the group's phones all the others stop ringing.
Give me an example...
Let's assume you've just created a new group of phones called whosincharge and you've chosen
the 5432 extension for the group; then you added Mr. Alves', Mr Sousa's and Mr. Carreira's phones
to the group; if you dial 5432 from your phone, all three, Mr Alves', Mr Sousa's and Mr Carreira's
phones will start ringing; if Mr Carreira picks up his phone first you will start talking to him; Mr.
Alves' and Mr Sousa's phones will stop ringing; that's how a Group Call works;
8.6.3 Intercom Calls

An Intercom Calls is a special kind of call for which the destination phone will automatically answer
the call and go into loudspeaker mode. The call will be listened to by the people near that phone.
Why is this useful ?
This is useful for making quick announcements (for example: a short request for the sales team to
gather for a quick meeting in the hall), or to try to reach someone that might be nera the phone but
might not be authorized to answer it without being specifically requested to.

To make an Intercom Call you need to dial *9<number> (if you dial *9 followed by a group
number, instead of an extension number, then all phones that belong to the group will answer the
call and go into loudspeaker mode).
The access to this feature is can be restricted based on the Phones Access Control policies.
Additionally, only phones with loudspeaker mode can receive such calls. Phones currently
supported for this feature are:
· Snom
· Linksys
· Aastra
· Grandstream
· Polycom
Related Topics:
· Phones Access Control
8.6.4 Call Listening and Call Whispering

Call Listening
This feature is gives you the ability of a user at a phone C to listen to a call between phone A
and phone B. To do this dial *990*<extension number>: you will listen the ongoing call at that
extension;
Call Whispering
This feature consists in the ability to secretly talk to the person at phone A, while listening to
the conversation between A and B, without B's knowledge (just like whispering in the A's ears).
The person at phone B does not ear your voice; only the person at phone A. You need to dial
*991*<extension number>: your phone will allow you to listen to the ongoing call at <extension
number> and you will be able to "whisper" to that extension;
The availability of these features is restricted by the Phones Access Control policies and
depends on the three phones involved: if any of the target phones can not be listened to, or

IP-PBX and VoIP 151
your own phone can not listen to calls, then none of this will be possible. Make sure to check
out the details at the Phones Access Control section in this manual.
Related Topics:
· Phones Access Control
8.6.5 Call Pick-Up

Call Pick-Up is the ability to grab a ringing call at a given extension. Call Pick-Up operations are
bound to the limitations defined for the Groups the phone belongs to (please make sure to review
those settings in the Groups section of this manual).
Your phone will be able to pick up calls:
· by pressing *8: will pick-up any call that belongs to any of the groups the phone belongs to;
· by pressing *8<group extension number>: will pick-up a call to that specific group;
· by pressing *8<phone extension number>: will pick-up a call to that specific extension.
For example, to pick a call ringing at extension 2001, dial the Pick Up prefix *8 plus 2001: *82001.
Related Topics:
· Phone Groups
8.6.6 Twinning
The Twinning feature can, to some extent, be managed directly through the phone: the phone user
can enable, disable and change the number of the phone the extension is twinning with, directly on
the phone itself instead of the through edgeBOX (twinning must be allowed on that phone). To:
· Enable twinning: dial *90. Twining will be now enabled;
· Disable twinning: dial *91. Twinning will be disabled;
· Change the phone your phone is twinning with: dial *92* followed by the phone

number to twin with; show me an example...
let's assume your cell phone is 912154014 and you want your work phone to twin with
your cell phone; you should pick up your work phone and dial, first, *90 (to enable twinning)
and, then, *92*912154014 (to actually start the twinning process); from now on if your work
phone rings your cell phone will ring too; you can pick up the call on any of them.
· Transfer an ongoing call from the cell phone to the work phone: on your cell phone,
dial *93 and the call you are answering in the cell phone will continue in the network phone.
Related Topics:
· Twinning
8.6.7 Follow Me
Follow Me - Allows you to forward calls that arrive at your internal extension to another extension or
phone where you are at the moment. You can't do this operation in edgeBOX's interface, only in the
network phones. How to do it?
To enable Follow Me:
· If you are close to your extension - Dial *14* plus the phone number or the extension
number you want your calls to be forward to. For example, if you have a meeting on a
meeting room, and there is a phone there (extension 4002), that you can pick up your
extension and dial *14*4002, and all calls that arrive at your extension will be forward to
the meeting room phone. Or you can indicate your personal cell phone number instead (
*14*912154103), for example, this way all calls that arrive at your extension will be
forward to your cell phone.
· If you are close to the extension you want to forward calls to - Dial *12* plus your
extension number. For example, if you are on a meeting room and you want to forward
calls that arrive at your extension (ext: 2013) to the phone that is on the meeting room,
pick up the meeting room phone and dial *12*2013. All calls that arrive at your extension
will be forward to the meeting room phone.
To disable Follow Me:
· If you are close to your extension - Dial *13*. Calls that arrive at your extension will not
be forward to another phone anymore.
· If you are close to another extension - Dial *13* plus your extension number (example:
*13*2013). Calls that arrive at your extension will not be forward to another phone
anymore.

IP-PBX and VoIP 153
8.6.8 One Touch Recording

Users can start the recorder by pressing *9 during the call. After the call finishes the file with the call
recorded will be available at the user's Voicemail.
An e-mail message will be sent to the user's e-mail account. Depending on global Voicemail
configurations the sound file may or may not be attached to the e-mail.
The availability of the One Touch recording (OTR) feature for a given call is configurable on a
per Group basis and depends on the phones at both ends: if the phone trying to use OTR belongs
to a group that can not record calls then the recording will not occur; additionally, if the
phone on the other end of the conversation belongs to a group that can not be recorded then
the recording will not take place.
Related Topics:
· Phone Groups and Access Control
8.6.9 Labeling CDR records with Cost Centers

CDR Project Codes
If, during a call, the user dials #79<code> the call will be marked with that <code> in the
corresponding CDR log line.
The CDR files, are available through the logmaster FTP account.
Related Topics:
· Logs
· VoIP activity logs - CDR

8.7 Conference Rooms

You can setup edgeBOX's conference support in the IP-PBX section, Conferences menu. Two
major types of conferences are supported:
· Dynamic conferences: created freely by the users,
· Static conferences: created by the administrator.
Dynamic Conference service
To enable dynamic conferences you need to start the Dynamic Conference service in the usual
service bar at the top of the page: you should click the Start Service/Stop Service links on the
right and the bar will change color - green or gray - to show you the current service administrative
status. If you want to, you can Change... the number users dial to access the service. The default is
9000.
Any registered user may dial the pre-defined dynamic conference extension (9000 by default) and
create a conference just by dialing any desired number. That number will become the conference
room number. To join this conference, other users should to dial the pre-defined dynamic
conference extension and enter the conference room number.
Static Conferences
This other type of conference is created by the administrator. The list of static conferences
configured is displayed in the list at the bottom of the Conferences menu.
To create a New static conference a two tabbed dialog window will show:
General
· Number: type-in the desired Conference Number (also known as the Room Number, or
Conference Room Number)
· Type: you need to choose from
· Public: this conference will be accessible by anyone that tries to join it and you can
not specify a moderator;
· Security-enabled Conference: the access to this conference will be restricted to

users that know the conference PIN; additionally you will have an option to choose a
moderatror PIN;
· Conference Pin: type the desired conference PIN;
· Music On-Hold: choose the music Playlist for this conference;

IP-PBX and VoIP 155
Advanced
· Maximum: maximum number of simultaneous members the conference may accept;
· Announce when a user joins or leaves the conference: select or deselect the check
box;
· Have a moderator for this conference: check the box if you want a moderator and type-in
the Moderator PIN and repeat for safety
· Don't allow members to communicate until moderator joins the conference:

check the box if you want this behaviour.
edgeBOX is shipped with a pre-configured Static Security-enabled conference for your

convenience:
· Number: 9010;
· Conference Pin: 9910;
· Moderator Pin: 9911.
While in a conference, you can press the * to listen to the available options like increase/decrease
volume, mute, and others. The conference moderator has the same privileges as normal users plus
Lock/unlock conference and Eject last user.
8.8 Managing Call Queues

The Queues menu in the IP-PBX section allows you to manage edgeBOX's call queuing system.
Configured queues are shown in a tabular manner.
Creating Queues
To create a new Queue you need to press the New button (to edit an existing Queue the operations
are similar). An appropriate dialog window will popup. This popup contains two main tabs. In the
General tab you'll find:
· Name: type a name for the queue (when editing an existing queue you cannot change it's
name);
· Assign the calls to: this option allows you to specify the so-called Ring Strategy - the
algorithm used to assign calls to agents; you can choose one of the following options:

· The agent that picks up the phone first (all ring);
· Each agent in turn;
· The agent that has been longer without calls;
· The agent that answered less calls;
· A random agent;
· Each agent in turn but keep track of the order;
· Agents: since queued calls are answered by the queues's agents, then, agents and/or
extensions must be assigned to the queue, in order for it to function correctly; you can use
the Add and Remove buttons to manage the contents of the Agents list for each queue;
when you click the Add button please choose:
· Add Extension: this option allows you to add extensions to the Queue; select an
extension from the list and hit Add; these extensions will be used by the queuing
system to assign calls to; whoever is near that extension will now start receiving calls
from this queue;
· Add Agent: this options allows you to add users to the Queue; this way you can
assign calls to users in a way that is independent of the extension the user might wish
to use when starting work; a new popup will give you a list of users; select the users
you wish to assign to the queue and click the Next button; users that don not have a
PIN will be assigned one; the last screen shows you this assignement.
In the Advanced tab you get to configure several advanced features of edgeBOX's queues. Please
follow the details here.
CallBack Login Service

CallBack agent service is a way for agents to be logged in, without requiring the agent to have the
phone off-hook (on call) to receive calls. Using this service whenever a call from a queue needs to be
delivered to an agent, the extension where the agent has logged in will ring. This agent login method
is useful for agents that are not fully dedicated to answering queue calls, allowing them to have the
phone on-hook as apposed to the standard method of having the call into the queue system always
on going.
The status of the callback login service is controlled by the service bar at the top of the page where
you can Start and Stop the service. Together with the status of the service there's also a
parameter that you can change, Callback Extension, which is the extension number of the callback
login service.
How can an agent login?

The standard login for an agent is through the following steps.
1. Dial *22 followed by your by the User PIN number (see IP-PBX Authentication for more details).
An automated attendant will answer.
2. Type your password (same as the User PIN number), followed by the # key.

IP-PBX and VoIP 157
3. At this point the agent is logged in, and listening "Music on-hold". It will be logged in as long as
the phone stays off-hook (on call). Calls delivered to the agent will be proceeded by a "bip"
sound.
This method is very useful for "professional agents" that use an headset and are 100% dedicated
to answering queue calls.
How can an agent login through Callback Service?
The steps for an agent to login at the Callback Service are:
1. Dial the Callback Login Extension (by default the number is 8000). An automated attendant will
answer.
2. Type your agent number, which is the User PIN number (see IP-PBX Authentication for more
details), followed by # key.
4. Type the extension number where the calls to this agent shall be delivered.
How can an agent logout through Callback Service?
The steps for an agent to logout at the Callback Service are:
1. Dial the Callback Login Extension (by default the number is 8000). An automated attendant will
answer.
2. Type your agent number, which is the User PIN number (see IP-PBX Authentication for more
details), followed by # key.
4. When asked by the extension number, just type # key.
8.8.1 Advanced Settings for Queues

In the Advanced tab you get to configure several optional features of edgeBOX's queues:
· Waiting Sound: you can choose to
· Play the regular ring tone, or you can
· Play music from the Music On Hold library: in this case the caller will listen to
music while waiting; you should additionally specify:
· Playlist: select the desired playlist from the drop-down list;
· Indicate the postition in the queue every .. seconds: select this box
and choose the time interval for edgeBOX to update the caller about his
position on the queue; also remember to select the check box immediately
below if you want the users to get also an estimate remaining time for the
call to be answered;
· Calls Hangup:
· Hangup the calls in the queue when there are no agents online: check the box
if you want this;

· Hangup the calls that are not answered in .. seconds: please activate the
box and choose the time in seconds if you want this behaviour for calls that don't
get an answer in time;
· Other Settings:
· Maximum Number of simultaneous calls waiting
· Relative priority of this queue: Low, Medium, High, Very High;
· Agent Answer Time
8.9 Codecs
Codecs are used when converting an analogue voice signal to a digital one. edgeBOX supports
several types of codecs allowing a flexible client configuration. The choice of the codec to be used
usually results from a compromise between sound quality and bandwidth used. If there isn't a
specific system requirement, the choice should be ULAW, because it is compatible with most phones
and softphones available on the market.
Audio Codecs
· G.711 (ULAW): Known as the native codec in modern communication lines. Provides good
quality sound, at the expense of bandwidth. It is the most commonly used codec for VoIP calls
because, besides being supported by most VoIP providers, it has the lowest latency as no type
of compression is used. It is the codec used in PSTN and ISDN lines. This codec is selected by
default in edgeBOX.
· G.711 (ALAW): Basically, a G.711 version used in E1 European lines. This codec is selected by
default in edgeBOX.
· Dialogic ADPCM: This is a legacy codec, kept for compatibility with version 3 of edgeBOX.
· GSM: Usually used on European mobile networks, this codec uses a small amount of bandwidth
providing an acceptable quality of sound.
· Speex: Audio codec designed specifically for speech, and as such, well suited for VoIP.
· G.729: Offers good sound quality with conservative use of bandwidth. However, to be able to
use it you have to activate it and purchase. How to activate G.729?
You need to download the codec from Digium web site. Each license you purchase allows a
single simultaneous use of the codec. Thus, if you purchase 3 licenses, 3 users can
simultaneously use the codec, the fourth person will not be able to use this codec, unless
one of the current users has completed their call.
The codec to purchase is: codec_g729a_v32_i386 in the asterisk-1.4, x86-32 directory on
the Digium site. After downloading to your PC, select the browse button and choose the
codec file and then the upload button, which will then upload the file to the edgeBOX.
After uploading the file, you will need to activate the license(s) (which will be locked to your
edgeBOX hardware), by pressing the activate button.

IP-PBX and VoIP 159
After pressing the Activate button, you will need to enter the License ID and other details
which you entered when you purchased the License (as shown below).
Press Activate to complete the process.
· G.726: ADPCM can be interchanged between packet voice, PSTN, and PBX networks if the PBX
networks are configured to support ADPCM.
· iLBC: Low bit rate
· G.722: High quality voice codec, this is commonly known as HD-Voice.
Video Codecs:
· H.261: An 1990 ITU video coding standard originally designed for transmission over ISDN lines
on which data rates are multiples of 64 kbit/s. The data rate of the coding algorithm was
designed to be able to operate between 40 Kbits/s and 2 Mbits/s. The standard supports CIF
and QCIF video frames with resolutions of 352x288 and 176x144 respectively (and 4:2:0
sampling with chroma resolutions of 176x144 and 88x72, respectively).
· H.263: is a video codec designed by the ITU-T as a low-bitrate encoding solution for
videoconferencing. It was first designed to be utilized in H.324 based systems (PSTN and other
circuit-switched network videoconferencing and videotelephony), but has since found use in
H.323 (RTP/IP-based videoconferencing), H.320 (ISDN-based videoconferencing), RTSP
(streaming media) and SIP (Internet conferencing) solutions as well.
· H.264: Is a standard video codec capable of providing good video quality at substantially lower
bit rates than previous standards (e.g. half or less the bit rate of MPEG-2, H.263, or MPEG-4 Part
2).
8.10 MailFax Service

With the MailFax service you can send faxes (via a software modem) from a fax machine to
edgeBOX's fax gateway. This fax is then converted to an e-mail and sent to the fax mail account. You
may also send a fax via e-mail. The e-mail will be converted to fax format and sent to the remote fax
machine. You can find the MailFax Accounts menu in the IP-PBX section.
Create a new fax account
1. Go to the MailFax Accounts menu;

2. Click the New button in the MailFax Accounts list. A dialog window will appear:
FAX Account: Incoming Fax Settings

3. FAX Number: the DDI associated to your FAX line; this is the number people use when
they sent faxes to your company;
4. E-mail address: enter the e-mail address account of the person of your company that
will receive all incoming faxes; incoming faxes are converted by edgeBOX to e-mails and
then delivered at this e-mail address; you can, for example, fill this field with the e-mail
account of your company's receptionist;
FAX Account: Outgoing Fax Settings
5. Fax E-mail Account: type the name of the e-mail address that will be used by the

network users to send e-mails that will be converted to faxes; for example, if you type
fax_account and the domain on edgeBOX is example.com, then the fax server account
will be fax_account@example.com.
6. Display Number: your fax number; usually this will be the DDI you typed above, in the
Incoming section:
7. Display Company Name: your company name to be displayed at the top of faxes sent
bty edgeBOX;
8. Retry Attempts: the number of times edgeBOX tries to send a fax when the number it
is trying to fax to is busy.
Authentication
9. In the Authorization Type, indicate from which e-mail accounts users can send the e-
mails and if they are required to indicate a password.
· Local means the network users can only send e-mails from the Webmail or from the
edgeBOX local SMTP server. For instance, if they have their edgeBOX e-mail account
configured on Outlook and they send a fax through it, the fax will be accepted, but if
they send the fax through a Gmail or Hotmail account or through an e-mail account of
another edgeBOX, for example, the fax will not be accepted.
· Password means the users can send e-mails from any e-mail account, however they
have to specify a password on the body of the e-mail to authenticate.
· Local + Password means that the users have to use the Webmail or the SMTP server
of edgeBOX to send the e-mails and they also have to specify a password in the body
of the e-mail to authenticate.
Change the type of the attachments, change the language or change the From field of the emails
By default, edgeBOX converts the received faxes to pdf files and sends them as e-mail
attachments to the fax reception e-mail account you specified. Also, by default, edgeBOX sends
all the faxes it receives as e-mails to the e-mail account you specified in English language.
You can change the format the attachments and the language of the e-mails sent by edgeBOX.
To change any of these settings:
1. Go to the MailFax Accounts menu in the IP-PBX section;

2. A short 3 fields summary displays the current configurations; click the Change... button;
a new dialog will come up;
3. Please enter:
E-mail Language
4. select the desired language for the mailfaxes
Attachment format
5. choose PDF or TIFF
From E-mail
6. The From field in the e-mails sent by edgeBOX with the incoming FAXes.
How to send a fax using MailFax service?

IP-PBX and VoIP 161
Related Topics:
· Voice Lines
· E-mail server
8.10.1 How to send a fax using MailFax?

Lets suppose you wish to send a invoice to a customer:
1. Open an e-mail client as Thunderbird or Outlook or edgeBOX's Webmail and create a new e-
mail.
2. Enter the e-mail address of your edgeBOX fax account in the To field.
3. In the Subject type the fax number of your client.
4. Convert the document you want to send to PDF or TIFF format and add it to the e-mail as
an attachment. Note that the document cannot have more than 25 pages.
5. If authentication is required, type PASSWORD: plus the fax account password in the first line of
the body of the message.
6. Send the e-mail.
After edgeBOX receives this e-mail in the fax e-mail account, it will convert the file in attach into
a fax and try to send it to the phone number you indicated in the Subject of the e-mail.
A little while after, you will receive an e-mail from edgeBOX indicating if edgeBOX was able to
deliver the fax to the recipient or if it couldn't deliver it because of some error or because of
the receiver fax being busy.

8.11 Advanced VoIP Options

Several VoIP related advanced features are accessible via Options menu in the IP-PBX section.
· Voicemail
· Call Parking
· Operation Key Codes
· Customize Sound Files
· Define Country Zone
· Echo Cancellation Options
· G.729 Codec License
· Billing Interface Service
· Asterisk Manager Interface
· Network Address Translation (NAT)
8.11.1 Voicemail
When you created your SIP, Analog or IAX phones you were prompted to configure individual
Voicemail account for each. Additionally, several global options allow you to configure the way users
access their voicemail and the way the feature works globally.
Go to the Options menu in the IP-PBX section. In Voicemail you'll fin the current settings for:
· Voicemail Number: 9999 is the default value;
· Attach sound file: Yes or No; wether edgeBOX sends the voicemail file attached on the e-mail
warning about voicemail;
Click the Voicemail options... link to further specify other details. In the popup dialog please enter:
Extension
Type the extension to be used for users to listen to voicemail;
E-mail message from

· Address: e-mail address to be used in the From field; this is important as some e-mail servers
may reject this e-mail if the sending domain (the part at the right of the @ in the address you
type) is unresolvable, or does not exist; if users experience instability or don't receive the e-mail
warnings please make sure you are using a resolvable domain;
· Name: the name to be used as the sender of the e-mail;
E-mail body

IP-PBX and VoIP 163
· Attach sound file to e-mail: check this box if you want the voicemail file to be attached to the
e-mail notification messages;
· Signature: signature of the notification messages;
· Language: language used in notification messages.
Voicemail quotas
Click the Properties... button and enter:
· Max Messages: Maximum number of messages that a user can have in his/her mailbox;
· Max length of message: voicemail messages longer than this will not be saved;
· Min length of message: voicemail messages shorter than this will not be saved.
In the end, if you wish to save your changes, press the Save button, as usual.
8.11.2 Call Parking

Call parking allows a person to put a call on hold at one telephone and continue the conversation
from any other telephone set. It is activated by dialing the parking number (by default 700, but you
can change this). This action transfers the current telephone conversation to an unused park
extension number, 703 as example, and immediately puts the conversation on hold. You can up the
parked call from another internal phone later on by dialing 703 on the desired phone.
The pre-configured park numbers ranges from 700 to 714. You can rise or lower the available
parking base number and the park size.
Go to the Options menu in the IP-PBX section. Click the Call parking options... link and enter the
values desired for:
· Number to dial for parking: you need to dial this number for a call to be parked;
· Parking available lines: total number of parking lines available; park size;
· Parking Max Time (seconds): enter the parking maximum time, in seconds; after this
period the call is hungup.
8.11.3 Operation Key Codes

If you need to change the current key codes for the Assisted Transfer, Blind Transfer, Pickup a
call and Hangup operations, you can do it in the Options menu, IP-PBX section.
The Operation Key Codes area shows you the current configuration for those operations. Hit the
Change the keycodes... link and change the keycodes as needed. The Phone Operations section in
this manual shows you the details on the usage of these codes.

8.11.4 Customize Sound Files

edgeBOX can use sound prompts in several situations such as the process of receiving and routing an
external call to a Queue for example. In this process edgeBOX may be configured to playback
instructions to the caller or warnings of several types.
The sound files used to accomplish this are accessible to you through the Sound Manager dialog.
You can access it in the Related Topics area of the Incoming Call Rules menu or, for convenience,
you can reach it at the Customize Sound Files... link in the Options menu, both in the IP-PBX
section. The sound files are divided in three groups:
· My Sounds: your own custom sounds, where you can upload new sound files to be used in
Automated Attendants;
· System Sounds: contains all sounds used natively by the PBX, like the voicemail prompts,
conferences, etc...
· Language sounds: sound packages that contain system sounds translated for a given
language.
Upload a custom sound file

2. Select the Sound Manager option at the Related Topics section;
3. Select My Sounds package;
4. Click Add button and select Sound File option;
5. Click the Browse button and select a sound file from your file system (.gsm files);
6. Enter a description for the file (usually a text script of what the sound says);
7. Click Add button;
You can now use this sound file when creating Incoming Call Rules, or Automated
Attendants.
Upload a language sound bank

2. Select the Sound Manager option at the Related Topics section;
3. Click Add, and select Sound Bank option;
4. Select a sound bank file from your file system (.tar.gz or .zip format);
5. Click Open;
The language pack will now be listed below System Sounds with the name of the language
(like Portuguese);
edgeBOX will use the language pack correspondent to the Country Zone definition in the
Options menu.

IP-PBX and VoIP 165
8.11.5 Define Country Zone

To configure specific regional/country settings go to the IP-PBX section and click the Define
Country (Zone)... link in the Options menu. A popup dialog will open:
· Zone: choose the appropriate country/zone for your needs;
This setting will apply country settings to three different areas:
· The tone zone for all analog cards (if installed). This is important because the ring and busy
tones may differ from country to country
· The frequency of the generated tones for the PBX phones.
· The language for the sounds prompts. Note that the soundbank for the selected country must
be installed, if not, the default sound bank will be used (system sounds).
· Language: User may want to selected a language for the sound prompts different from the
country tones applied to the phones. If this is the case, user must check the checkbox, and
selected a different language.
· National Prefix: may be filled by default; edit as needed;
· International Prefix: may be filled by default; edit as needed.
8.11.6 Echo Cancellation

This panel offers a range of choices to allow for software echo cancellation.
The software determines the best configuration from the initial line characteristics and preserves the
settings for the period of the call. The echo cancellation will only be applied to analogue phones,
which have echo cancellation checked. The options are:
· KB1: The default echo canceller. This is the built-in Zaptel echo canceller since Zaptel v1.2.
· MG2: A variation of KB1 to solve some of the scenarios where KB1 fails.
· OSLEC: Stands for "Open Source Line Echo Canceller", and it's considered the best configuration
option for software echo cancellation. It's an evolution of KB1 and MG2 using a different approach.
Usually produces much better results where KB1 and MG2 fail.
Changing echo canceller will issue a restart of the VoIP service engine, and thus all
CURRENT CALL WILL BE TERMINATED!

8.11.7 G.729 Licensing

G.729 Licensing
This panel allows you to add support for the G.729 codec. You need to download the codec from the
Digium web site www.digium.com. Each license you purchase allows only one usage of the codec at
a time. Thus, if you purchase 3 licenses, 3 users can simultaneously use the codec, the fourth person
will not be able to use this codec, unless one of the 3 calls has finished.
The codec to purchase is: codec_g729a_v32_i386 in the asterisk-1.4, x86-32 directory on the
Digium site. After downloading the codec to your PC you can install it with the help of edgeBOX's
webadmin interface.
Please go to the Options menu, in the IP-PBX section and click the G.729 Codec License... link.
Once there hit the Run the G.729 installation wizard... You will be requested to browse your
computer for the file and then you need to click Next. In the following screen just fill in the license
details as obtained from Digium and finish up the process.
8.11.8 Billing Service

Allow billing software, such as Easylink for example, to connect to edgeBOX's database. What is
billing software?
Billing software is an application used to calculate call costs. edgeBOX saves all important
information about calls, as the time of the day a call was made, the line used, the duration of the
call or the user that made the call. Billing software can connect to edgeBOX's calls database,
retrieve that information all calculate and the cost for a billing service.
To allow billing software to connect to edgeBOX go to the IP-PBX section, Options menu.
Click the Billing Interface Service options... link. Activate the Allow computers with billing
service to connect to edgeBOX option and fill in the rest of the deitails:
Authorized Computers
Only the IP address(es) specified will be allowed to access the Billing service:
· Only from a specific computer: type in a host IP address; only this IP address will have
access;
· Only from a specific network: type in a network IP address and a Netmask; only hosts on this
IP segment will be allowed.
Show me an example
If the billing software can only be used from computers on the local network, for example,
then you have to indicate the IP address of your local network, 192.168.90.0, for example, and
then the netmask of your network; 255.255.255.0.
If it can only be used from a specific computer of the local network then you need to type
the fixed IP address of that computer; 192.168.90.128.

IP-PBX and VoIP 167
Authentication
Here you must configure a username and a password for the manager software to be able to access
edegBOX:
· Username: a username to be accepted by edgeBOX used for authentication;
· Password: the respective password;
· Repeat Password: repeat for verification.
In the end you will need to allow the Billing service in the Firewall.
If at any time you don't need to allow the Billing Interface anymore just deselect the Allow
computers with billing service to connect to edgeBOX option.
Configuring your billing software
To connect the billing software on a computer to the edgeBOX, depending on the billing software you
will use, you need to indicate:
· The username and password you specified on edgeBOX when you activated the billing service.
· The port used for the billing service: TCP port 5432.
· The database structure:
- Database Model: Asterisk

- Database Name: edgereporting
- Table: cdr
- Fields: all fields of the cdr table
8.11.9 Manager Interface

Manager
If you enable the manager interface you will be able to establish a telnet connection to edgeBOX's IP
PBX, allowing you such diverse administration options as placing calls remotely or receiving events
related to the state of calls and extensions. This interface may be useful if you own some kind of
monitoring software which you want to integrate with edgeBOX.
To configure the Manager Interface go to the Options menu in the IP-PBX section. Follow the
Asterisk Manager interface options... link and select the Allow computers with manager
interface to connect to edgeBOX option.
Authorized Computers
Only the IP address(es) specified will be allowed to access the Manager Interface
· Only from a specific computer: type in a host IP address; only this IP address will have
access;
· Only from a specific network: type in a network IP address and a Netmask; only hosts on this
IP segment will be allowed.

Authentication
Here you must configure a username and its password for the manager software to be able to
access edegBOX:
· Username: a username to be accepted by edgeBOX used for authentication;
· Password: the respective password;
· Repeat Password: repeat for verification.
In the end you will need to allow the CTI service in the Firewall.
If at any time you don't need to allow the Manager Interface just deselect the Allow computers
with manager interface to connect to edgeBOX option.
8.11.10 Advanced NAT

You need to configure Advanced NAT if you have a scenario where edgeBOX does not connect
directly to the Internet but is behind a Router with NAT and Port Forward, and you want to allow
remote phones (a phone you have at home, for example) to register in edgeBOX and behave as
internal extensions.
That being the case, please go to the Options menu in the IP-PBX section and follow the Network
Address Translation (NAT) options... link. The Advanced NAT settings dialog window will come
up.
To indicate that edgeBOX is behind a router:
1. Activate the My box is behind a router with NAT option.

2. Indicate in the following field below the router WAN IP address or its hostmane.

IP-PBX and VoIP 169
3. If you have local networks that are managed by the router and you have phones on those
networks, select the option I have additional networks with phones to be served, and
then, in the table below add an entry for each of those networks. Learn More...
edgeBOX can detect phones that are on its local networks (LAN, DMZ and the VLANs).
However, as you have a router in front of edgeBOX you may also have local network
managed by the router. And you may also have phones on those networks. edgeBOX cannot
recognize these phones automatically because it is not managing these networks. So you
need to indicate to edgeBOX the networks so it can recognize the phones and allow them to
register.
4. Click the Save button to save the settings.

5. To finish, you need then to configure on the router port forward from port 5060 of the router
to port 5060 of edgeBOX.
8.12 Music On-Hold

Music On-Hold (MOH) allows you to specify a number of Playlists to be used when putting calls on
hold.
Playlists are lists of sound files to be used in several possible situations:
· Queues: you can specify the playlist to be used on a per-queue basis (see the Queues
section);
· Conferences: you can specify the playlist conference members will listen to while they wait
for the conference to start (please refer to Conferences section);
· ICR: you can choose the playlist to be used for each call (see Incoming Call Rules).

You gain access to the Music On-Hold (MOH) configuration popup from the Related Topics corner
in the Queues, Conferences and Incoming Call Rules menus in the IP-PBX section. It displays
the current playlists on the left side. If you click a paylist you'll get it's contents on the right side.
You can upload your own MP3 sound files to edgeBOX. These sound files will be kept in edgeBOX's
MOH Gallery. You'll be able to build your own playlists by choosing sound files from the Gallery.
Managing Playlists
To add a new playlist just hit the New button and select Playlist. A new dialog will ask you for:
· Playlist: enter the desired name for you new play list;
· Play tracks randomly: select this box if you wan the tracks from this list to be played
randomly.
To add tracks to the Playlist choose the play list you want to add files to, click the New button and
choose Track. The Gallery pop's up. Just select the tracks you'dd like to add and press Ok. You've
just added a new track from the Gallery to your playlist.
For each sound file displayed you can execute several actions with the buttons at the top: remove
that file from the list, bring that file to the top of the list, bring it up one position, bring it down one
position and bring in to the bottom if the list.
Managing the Gallery
To access the Gallery click New button and choose Track. The Gallery window will popup:
· Available Tracks: at the top, a list shows you the available sound tracks in the gallery;
· Delete: deletes tracks from the gallery; select a track and hit Delete to remove a track from the
gallery;
· Upload Track...: use this button to search your computer for more MP3 files to add to the
Gallery.
8.13 Automatic Call Recording

edgeBOX can record phone calls automatically. The recordings are kept in edgeBOX internal storage.
You can, at any time, access the recordings by FTP, download them to your computer and erase
them to avoid disk space saturation.
If you wish to activate this service please go to the IP-PBX section and choose the Options menu.
Once there, search for the Automatic Call Recording area. You get a short summary showing you:
· Status: states witch types of calls are currently configured for automatic recording; the
possibilies are: Not recording any calls, Record all calls, Record all incoming calls,
Record all outgoing calls;
· Disk Usage: a coloured horizontal bar will show you, in graphical form, the relative disk space
your call recordings are currently taking up.

IP-PBX and VoIP 171
Hit the Call Recording options... link to configure the service. The Automatic Call Recording
popup appears. As usual, you can globally enable and disable the service by hitting the Start
Service / Stop Service options at the upper-right corner.
Types of Calls and Maximum disk size
The types of calls being recorded and your current disk occupation are shown just below the service
status bar. Hit the Change... button to configure this:
· Record incoming calls (includes internal calls): select this option to record incoming and
internal calls;
· Record outgoing calls: select this option to record incoming and internal calls;
NOTE: Select both of the above options to record all types of calls; unselecting them
both is the same as not recording any calls;
· Maximum disk space for recordings: type in the maximum amount of storage space you
allow for recordings; above this value edgeBOX will not record calls any more;
All call recordings are made available through the logmaster FTP account. Through that account you
can download and delete any call recordings.
If the recordings take up more than the configured maximum space you need to remove the current
recordings from edgeBOX. After removal the recordings will continue automatically.
Phones, Groups and Queues to be recorded
The table shown, displays the phones, groups or queues currently configured for recording. Click
Phones to filter table in order to show you only Phones; the same applies for Phone Groups and
Queues. Click All to display all entries.
You need to specify which phones, groups and queues you wish to record. To do this, click the Add
button. From the drop-down list select Phone, Phone Group or Queue; from the list shown select the
entries you want and click the Add button.
Queues will only be recorded if the incoming/internal check box is selected.
Please note that the permissions defined in Phones Group Access Control will be applicable, so
if you have a group of phones with call recording disabled, those calls won't be recorded.
In order to remove an entry, or several entries, from the list, just select them and click the Remove
button. The same goes for the process of adding new entries to the list.

8.14 VoIP activity logs - CDR

You can obtain the VoIP activity log files (also known as CDR) via FTP with the logmaster account.
They are stored with the filename Master.csv (the current log file).
The log files are rotated daily (Master.csv.1-7) and kept for seven days, after which the oldest file is
overwritten by the new log file.
The entries in the Log file have the following meaning:
accountcode What account number to use (Only used when Authentication is enable)
src Caller*ID number
dst Destination extension
xt Destination context
clid Caller*ID with text
channel Channel used
dstchannel Destination channel if appropriate
lastapp Last application if appropriate
lastdata Last application data (arguments)
start Start of call (date/time)
answer Anwer of call (date/time)
end End of call (date/time)
duration Total time in system, in seconds (integer)
billsec Total time call is up, in seconds (integer)
disposition What happened to the call: ANSWERED, NO ANSWER, BUSY
amaflags Flags used: DOCUMENTATION, BILL, IGNORE
uniqueid The unique ID for this call
8.15 Default Predefined Phone Numbers

The initial edgeBOX configuration uses a set of pre-defined phone numbers (that you may eventually
change overtime). These are:
· Voicemail: 9999

IP-PBX and VoIP 173
· Call Parking: 700 - 715
· Conferences: 9000
· National Prefix: 0
· International Prefix: 00
· Emergency Number: 112 (for EU countries); given the importance of the Emergency number
, please make sure to review and configure it's Outgoing Call Rules.
Related Topics:
· Voicemail
· Parking
· Conferences

9 Users
In the Users section you can manage Network Users, Authentication and access
Privileges - managing network users is an essential part of edgeBOX. This section lets
you:
· Add, remove or change network users
· Assign a Phone to a user
· Configure Privileges network and service access
· Assign a configurable set of administration capabilities to a Local Administrator user
· Manage User authentication locally or remotely with Active Directory, LDAP and
RADIUS
· Configure Groups
· Customize the login page for user authentication
Related Topics:
· Connected Users
· Groups
· Local Administrator
· Phones
· RADIUS
9.1 Authentication
Authentication is the process by which your network users identify themselves before edgeBOX
when using the network. This process is fundamental for all subsequent access authorizations or
denials in several possible situations, such as access to the Internet, ability to make some or all kinds
of phone calls, and many more.

Users 175
Even if you choose not to use Authentication, edgeBOX will still manage granting and revoking of
access by means of a default access profile, the All Users Privilege. More on this...
Managing Authentication comprises several related aspects. You might wish to:
· Add or change a network user
· Configure Privileges for users
· Configure local authentication
· Configure a remote Active Directory, RADIUS or LDAP server for autehtication
Related Topics:
· Connected Users
· Phones
· Firewall
· RADIUS
· Groups
9.1.1 Managing network users

You can allow everyone to use your network and the network services, or you can assign specific
permissions for granting and revoking access to specific users or groups of users. Why should I do
this ?
It renders your network more secure: access to the network and network services will be granted
only if the user successfully logs-in; furthermore, this additionally allows you to have specific users
accessing specific services and other users being blocked and granted access to different sets of
services. This permits an optimal usage of resources such as bandwidth and processing power.
Managing Network Users
edgeBOX is shipped with two pre-configured users. Their usernames are "user" and "user2". The
password is "password" for any of them. You can use them to review their configurations and to do
quick experiments.

To add or manage existing users go to the Network Users menu in the Users section of the
administration web interface. A short overview is provided with a summary of user details including
phone extension and online status. Click the New/Edit button. A three tabbed dialog appears:
General
· User Name: First and Last name (up to 127 ASCII characters are allowed);
· Network Login Information: username and password; what are the rules for choosing a
username... ? and the password... ?
· Newtork Access Privilege: determines the network privileges plolicy for a group of users,
like the services they can use or the type of internet access they get; you should choose
among the Privileges in the drop-down list (as configured in the Privileges menu); learn
more about Privileges...
· Max. Sessions: users can be logged-in from 2 computers by default; that means that each
user may have 2 computers logged into the network with his credentials; if he tries to login
from a thrid host he will not be able to; if you need, you can rise or lower this value;
Phone (VoIP)
· Allow the user to make phone calls (VoIP): use the Select Phone... button to search the
list of existent phones and assign one to this user; for convenience you can also use the Add
Phone... button to immediately add a new phone; in this case the process is the same as in
the IP-PBX section - see details...
· VoIP Call Permissions: please select the type of calls this user can make; options are Free,
Local, National, Mobile, International and All Types of Calls; each of these types includes
it's predecessors: National calls include Local calls, Mobile calls include both National and Local
calls, and so on;
· User PIN Number: the pin to be entered if the IP-PBX authentication is turned on, to check
which type of calls the user has permission to make;
Disk Usage
· user's current disk usage and
· maximum allowed; you can change this: click Change Max. Disk Space...
When editing an existing user, leave the password field blank if you do not wish to change his
password. This way the password will not be altered.
If you reach the maximum number of users your licence offers, you won't be able to
add or import any more users. To create or import new users on the edgeBOX you need to
delete existing users first or upgrade your edgeBOX solution. See details about the different
edgeBOX solutions in edgeBOX's website.

Users 177
9.1.1.1 Importing and Exporting Users

In the Network Users menu, Users section, you'll find two buttons that allow you to Import and
Export the users list. You can add a number of network users to the edgeBOX by Importing them
from a CSV file in your computer. The reverse operation is also possible. You can, at any time,
Export the users list onto a CSV file.
Export
By clicking Export you'll trigger a dialog window asking you to select a Folder in your computer's
hard-drive; the process will create a new CSV file in this folder; the file name is automatically
chosen; see an example...
If you export you users at 11:43 on 21 June, 2009, the file generated will be named Export_21-06-
09_11.43.csv
Import
An appropriate wizard-like dialog will popup with a detailed explanation of the process:
· Step 1: read the specifications and Browse... a CSV file from your computer's hard drive;
hit Next...
· Step 2: a list is presented with all the available and correct users found in the file; select from
the left the ones you wish to add and click the Add button to add them to the list on the right;
click Next...
· Step 3: a final list with details about the users being imported is presented. Press Finish. This
process may take a few minutes; please wait;
· Step 4: one last step will Export back to your computer a list of the Imports done.
The Import function allows the import of users with the possible following settings:
· Name (first and last)
· Username
· Password - if field is empty one will be provided
· Extension Number
· Extension Name
· User PIN number

· Privilege
Some of this fields are mandatory: Firstname + Lastname and Username. VoIP fields are only
considered if they are valid and if both are present (if only extension number is provided, extension
name will be equal to the username, if possible): extensionnumber and extensionname.
The other fields will only be taken into account if present and valid.
If you try to import users with duplicate usernames, you will be asked if you want to:
· keep the existent user
· replace the existent user with the new one
· keep both and change the new username to "username1" (or "or username2", etc, depending
on the existent users)
If we try to import entries with duplicate PIN numbers, duplicate extension names or duplicate
extension numbers, those entries will be ignored. If we import entries were we have defined valid
extensions (name and number) those extensions will be added to system and the extension's
password will be equal to the user's passwords.
How must the information be arranged in the CSV file?

The available options are:
firstname lastname;username;;;;;
firstname lastname;username;password;;;;
firstname lastname;username;password;phoneextension;phonename;;
firstname lastname;username;;phoneextension;phonename;pin;firstname
lastname;username;;;;;privilege
firstname lastname;username;password;;;;accessprofilefirstname lastname;
username;;phoneextension;phonename;;privilege
firstname lastname;username;;phoneextension;phonename;pin;privilege
firstname lastname;username;password;phoneextension;phonename;;
firstname lastname;username;password;phoneextension;phonename;pin;
privilege
About importing users:
· You can only import users if you are managing the network users on the edgeBOX, that
is, if you are not using Remote Authentication, as a LDAP server, for instance.

Users 179
9.1.1.2 Default Quota

When creating new users a default quota is suggested. If you want to change it go to the Options
menu in the Users section.
Click the Change... link below the Disk Space. Type-in the value you need.
9.1.2 Activating Authentication

After you have setup your Users you might want to increase the security and manageability of your
network by activating Authentication: users will be required to enter their username and
password into a Web based authentication page.
edgeBOX will grab these credentials and authenticate users using, as configured, one of the following
methods:
· locally: this is the default authentication method; all Users and Privileges are stored
internally in edgeBOX's internal database;
· remotely using:
· a remote Active Directory server,
· a remote LDAP server or
· a remote RADIUS server.
To activate authentication go to the Network Users menu in the Users section. Choose the
Authentication Method you want from the Change... button, at the upper-right. If you choose to
authenticate users locally, that's all the configuring you'll need. For the remote authentication
methods please refer to Using Remote Authentication. Press Save and hit the Start Service option.
Authentication requires Firewall: when starting the Authentication Service you'll also need
to activate the Firewall service. If it is not already active, an appropriate dialog message will inform
you that the Firewall will be activated. If the Firewall was already active, this might be a good time
to review your Firewall settings as they may potentially interact with users Privileges. If the
Firewall wasn't previously active, then you need not to worry because the Firewall settings will
fallback to an "allow" approach. But, then again, this might be a good reason to configure it.
System access Privileges with Authentication Active
When you start the Authentication service the message below will be displayed, regrading the usage
of system access Privileges. Please read it carefully:
You are about to Start the Network Users Authentication Service. If you

proceed you have to take the following into account:
1. The "All Users" Privilege will not be displayed in the Privileges

Panel since Network Users will be asked to authenticate themselves.
2. The "Not Authenticated Users" Privilege will be displayed in the

Privileges panel. This Privilege will be applied as a default rule for
all non authenticated users, so one must take into account that
configurations of this Privilege may affect users that fail
authentication or even before they are requested to authenticate.
3. If you have previously changed the "Not Authenticated Users"

Privilege those changes will now be loaded.
4. Changes that you may have done to the "All Users" Privilege will be
kept and will be loaded the next time you switch OFF the Network Users
Authentication.
5. You may reset the "Not Authenticated Users" privilege by opening the
Privileges panel and selecting "Reset Not Authenticated Users privilege
to factory configurations".
System access Privileges with Authentication Stopped
When you stop the authentication service the message below will be displayed, regrading the usage
of system access Privileges. Please read it carefully:
You are about to Stop the Network Users Authentication Service. If you
proceed you have to take the following into account:
1. The "Not Authenticated Users" Privilege will not be displayed in the

Privileges Panel since now there won't be any unauthenticated users.
2. The "All Users" Privilege will be displayed in the Privileges panel.

This Privilege will be applied as a default rule for all users, so one
must take into account that configurations of this Privilege may affect
users from other Privileges.
3. If you have previously changed the "All Users" Privilege those

changes will now be loaded into system.
4. Changes that you may have done to the "Not Authenticated Users"
Privilege will be kept and will be loaded the next time you switch ON
the Network Users Authentication.
5. You may reset the "All Users" privilege by opening the Privileges
panel and selecting "Reset All Users privilege to factory
configurations"

Users 181
9.1.3 Using remote authentication

edgeBOX allows you to use remote user authentication. With remote authentication, users are
authenticated in a remote server instead of the edgeBOX when they try to login to the network. The
whole process is transparent for the user as edgeBOX will do all the work.
To activate remote authentication go to the Network Users menu, Users section. Choose the
Authentication Method you want from the Change... button, at the upper-right. The currently
supported methods are:
· Authenticate users on a remote Active Directory Server,
· Authenticate users on a remote LDAP Server,
· Authenticate users on a remote RADIUS server.
In each there's a convenience Test Connection button that allows you to verify basic connectivity to
the specified server. When you're done press Save and hit the Start Service option. Please refer
to Activating Authentication for common details about the Authentication service.
Activating remote authentication will purge all your locally configured users. An
appropriate warning, in red color, is displayed warning about this.
Related Topics:
Details about edgeBOX's authentication architecture
9.1.3.1 Using a remote RADIUS Server

To authenticate users on a remote RADIUS server type-in:
RADIUS Server
· IP Address: type the IP address of the remote server;
· Password: to be used to access the RADIUS server;
· Port: the TCP port to be used on the RADIUS server (defaults to 1812);
· Timeout: maximum time waiting for the RADIUS server (defaults to 5 seconds);
Privileges Verification
Choose if you wish that the access Privileges to the network services (E-mail, Internet, Secure

connections, etc.) are always verified in the remote RADIUS server and not locally. How to configure
a RADIUS Server to perform users authentication and authorization?
· Authenticate users on the remote server but verify the privileges in system
· Verify also user's network privileges on the remote server
Why is this useful ?
This might be useful if your company is already using a RADIUS server for authorizing users on
several other services, besides edgeBOX's ones; in this situation it makes sense to have all
Authentication and Authorization relegated by edgeBOX into those servers
As users login for the first time, and their authentication is verified in the Remote RADIUS
Server, their information is saved in the edgeBOX users list. Still, each time the users tries to login,
the authentication will be done in the remote server.
9.1.3.2 Using a remote LDAP Server
Using an LDAP Server to authenticate the network users: there's an option to toggle
between Basic Mode and Advanced Mode. Type-in:
LDAP Server
Basic Mode
· Domain: the LDAP domain;
· Group: the optional LDAP Group;
· Username: to be used by edgeBOX's LDAP client to access the LDAP Server;
Advanced Mode
· Base DN: see example below box;
· Bind DN: see example below box;
Common to both modes
· Password: to be used by edgeBOX's LDAP client to access the LDAP Server;
· Port: the TCP port to be used on the LDAP server (defaults to 389);
· Timeout: maximum time waiting for the LDAP server (defaults to 5 seconds);

Users 183
Privileges Verification
Choose if you wish that the access Privileges to the network services (E-mail, Internet, Secure
connections, etc.) are always verified in the remote LDAP server and not locally in the edgeBOX.
· Authenticate users on the remote server but verify the privileges in system
· Verify also user's network privileges on the remote server
Why is this usefull ?
This might be useful if your company is already using an LDAP server for authorizing users on several
other services, besides edgeBOX's ones; in this situation it makes sense to have all Authentication
and Authorization relegated by edgeBOX into those servers.
As users login for the first time, and their authentication is verified in the LDAP Server, their
information is saved in the edgeBOX users list. Still, each time the users tries to login, the
authentication will be done in the remote server.
When you are using remote LDAP, the network users have first to login one time using the LAN
user authentication before they can login in the domain for the first time.
9.1.3.3 Using a remote AD Server
Using a remote Active Directory Server to authenticate the network users: there's an
option to toggle between Basic Mode and Advanced Mode. Type-in:
LDAP Server
Basic Mode
· Domain: the Active Directory domain;
· Group: the optional AD Group;
· Username: to be used by edgeBOX to access the Server;
Advanced Mode
· Base DN: see example below box; specify the active directory domain configured in the
Base Name field;
· Base DN 1, Base DN 2: You can set up two additional Base DN. Authentication System
will try to search and authenticate users in these locations also. To enable the text fields

please select the check boxes on the right of each field; to Learn More...
In more elaborate scenarios the Active Directory server might have users spread over
serveral Organizational Units (OUs); if that is the case, edgeBOX can be configured to search
users in all those OUs. An example follows, for a situation where users should be searched
in three OUs (ouone, outwo and outhree), and the administrator user belongs to OU ouone:
Base DN: OU=ouone,cn=local,cn=loc
Base DN 1: OU=outwo,cn=local,cn=loc
Base DN 2: OU=outhree,cn=local,cn=loc
Bind DN: cn=administrator,OU=ouone,cn=local,cn=loc
· Bind DN: see example below box;
Common to both modes
· Password: to be used by edgeBOX's LDAP client to access the AD Server;
· Port: the TCP port to be used on the AD server (defaults to 389);
· Timeout: maximum time waiting for the AD server (defaults to 5 seconds);
· Copy the users information from the AD Server to the system's user list: check this
if you'dd like edgeBOX to copy information from the AD server into the internal users list.
As users login for the first time, and their authentication is verified in the Remote AD Server,
their information is saved in the edgeBOX users list. Still, each time the users tries to login, the
authentication will be done in the remote server. If the Active Directory server in not reachable,
and only in this case, then, the authentication system will try to authenticate users locally.
When you are using remote AD authentication, the network users have first to login one
time using the LAN user authentication before they can login in the domain for the first time.
9.1.4 Customize the user login web page

If your looking for information regarding Default User Quotas please follow this link.
In the Users section - Options menu you can customize several aspects of the appearance of the
login page the local users of the network will use to authenticate:

Users 185
· Change the Company Logo;

· Change the company name and information text;
· Upload a customized authentication page with your own style.
Network users will only see this page if they are required to login. That is if the Authentication
service is running. See Activating Authentication for details.
To change your Company logotype
1. Click Change the Company Logo;

2. Click the Select Image... button and select the image with the logo from your computer.
All most common image formats are supported.
3. Click the Upload button save the image to the edgeBOX.
To show a welcome message and the company name in the login form
1. Click the Change the company name and information text

2. Type-in the desired Information text; this text can contain HTML; if you enter HTML in
this field the browser will display it correctly;
3. Type-in the Company Name
4. Press Save.
View the changes

To view the changes and the appearance of the login page, go to a computer of the local network,
open a web browser, and type and try to open a random website. The new login page with the
changes you made will appear.
Use a custom login page

Completely modify the look & feel of the login page by uploading your own HTML, CSS and image
files.
Upload the files for a custom login page
You can upload the files for your custom login page to edgeBOX to have a login page with a
completely different appearance. To do so:
1. After creating your HTML file, your CSS file(s) and your images, create a Zip file (.zip)
with all these files. Show the requirements of the files.
· The zip file can contain image files, one or more CSS files and one html file only.
· The zip file can not contain any folders or sub folders. All files must be all at the
same level, that is, directly inside the zip file.
· You must include the code <!--AUTHENTICATION--!> in the place where you

want the login form to be placed in the HTML file. This code will then be replaced by
the necessary code for the login form.
2. Select the Upload a customized authentication page with your own style option;
3. Click the Browse button and select the Zip file from your computer in the dialog window.
4. Click the Save button to upload the zip file to the edgeBOX
Related Topics:
Manage the firewall properties
9.2 Privileges
The Privileges menu, in the Users section provides the means for bulk management of your
network users and to control their access to the services and areas your network offers, by
configuring access Privileges (policies) to which users will be assigned.
An overview table is shown. On the left, a list showing all current Privileges. Click one of them to get
a summary of it's configurations on the right panel.
Click the New... button. A dialog window will popup with four sections General, Services,
Advanced and Devices:
General
· Name: the name by which this Privilege will be identified; choose simple but meaningful
names like 'no-restr', 'servers35' or 'vips'; what are the rules for the Privilege name ?
the name must start with a letter (lower or upper case); after you can enter any sequence of
letters and digits; a single '-' can also be used excpet for the first and last postions; "[a-zA-Z][a-
zA-Z0-9]*[-]?[a-zA-Z0-9]*[a-zA-Z0-9]"; examples: a-b, a123, Boss-10;
· Internet: here you determine how and when your users can reach the Internet (same as
saying "the world beyond edgeBOX", the World Wide Web); the basic options are to Allow
access to the Internet, Allow access to the Internet between ..h..m and ..h..m and
Do not allow access to the Internet; hit the Advanced Properties... to access further
tuning details;
· DMZ: same as for Internet;
Services

Users 187
This panel is of utmost importance as it directly affects the way your users experience network
access, or limitations, while trying to use your network services. This is where you determine, on a
per-Privilege basis, the edgeBOX services accessible by the users:
· Allow access to edgeBOX services listed: users in this Privilege will have access to the
services in the list;
· Allow access to edgeBOX services listed between ..h..m and ..h.m: same as the
previous on but service is granted only within the given time of day period (please take into
account that a delay of up-to 5 minutes may occur; that is because these rules are re-applied
at most, every 5 minutes);
· Do not allow access to edgeBOX services: access is denied regardless of the composition
of the list.
The list below the three options shows the services available for the users with this Privilege. These
services will be available for those users if you choose the 1st or 2nd option. See edgeBOX services
for a short description of all services available here. Use the Add and Remove buttons to edit the list
(this list will not contain the DNS nor the Webadmin services as they are always accessible for host in
the internal network).
Services not included in this list will not be accessible by users in this Privilege. Give me an
example
If you don't add the Samba service to the list of accessible services, no users in this Privilege will be
able to access any File Sharing related resources, Temporary Shared Folders or Windows Shared
printers (Samba is a short term for any windows file sharing, workgroup or domain services).
Please note: these are services running on edgeBOX, not services provided somewhere
else but accessible through the edgeBOX.
Advanced
· 802.1x Authentication: these users will be able to authenticate in edgeBOX be means of

the IEEE802.1x; additionally you may specify whether you wish to assign a specific VLAN for
these users; if you wish that the users of this access profile belong to the LAN network
instead, don't choose this option; this option is relevant only when you have a switch or
switches in your network infrastructure that support dynamic VLAN assigment; one of the
supported L2 switches with this feature is the Procurve 2650; with this feature active the
switch will automatically move the switch port, where the user is connected and after a
successful 802.1x authentication, to this VLAN.; to learn more...
· IPSec: if these users will be able to access IPSec VPNs;
· Remote Users: if these users will be allowed to connect to the PPTP VPN; additionally you
should specify if they will have access to the LAN;
· VLAN Routing: a listo of rules specifying inter-LAN-VLANs routing permissions for these

users; what type of traffic these users will be allowed to exchange with the other VLANs in
edgeBOX; see more details...
Devices
IP Addresses to which this Privilege will also be applied. Use the left side buttons to manage
the list. Besides containing users, a profile may also contain IP addresses. If an IP is added, that
machine is allowed the access rights of the profile. This allows the machine to automatically
authenticate with the edgeBOX, without the usual login screen.
You can indicate a specific IP address of a machine or you can indicate a range of IP addresses.
Indicating a range is most useful when you, for example, want all devices of a VLAN to be
automatically authenticated.
How do I restrict access to services other than edgeBOX services ?
You can block overall access to certain IP Addresses and/or Protocol services/ports by using the
Advanced Firewall Rules; see details...
How do I restrict access to certain types of web sites ?
edgeBOX contains a web filter that allows you specify Website Restrictions based on words
present in the website's URL or domain; see details...
Additionally, you can block overall access to certain IP addresses by using a block-all type rule in
the Advanced Firewall Rules; see details...
Related Topics:
· Firewall
· RADIUS devices authenticating in edgeBOX
· Remote Authentication and Authorization
· Adding Users and changing their Privileges

Users 189
9.2.1 Fine tunning Internet and DMZ access

This panel allows you Advanced Configuration options for defining how users access the Internet
(same for the DMZ).
The approach is based on QoS aspects - assigning traffic classes to users - and network services
allowance/denial - somewhat similar to a Firewall configuration. Thres tabs are presented:
This panel presents three tabs:
Quality of Service
· Class of Service for Upload Traffic: here you can choose to apply the usual Gold, Silver,
Bronze and Best-Effort traffic classes or your own Pipes, if you have configured any; to
learn more...
· Class of Service for Download Traffic: the choice here is Best-Effort or Premium; to learn
more...
Outbound Rules
Rules to control access to the Internet. By default all outbound traffic is allowed. This means that
traffic from the internal network to the Internet is granted access. You can allow or deny
outgoing traffic based on its destination, port and/or protocol.
Click the Add button to add new rule or Edit to change an existing one. For each rule:
· Policy: choose Allow Access or Deny Access (tipically you'll want to add Deny rules here);
· Protocol: All, TCP (you can choose All ports, individual ports or even port ranges like 21, 22,
80, 500-600), UDP (same as TCP) and ICMP;
· To location: Any (connections to any host), Device (connections to a specific IP Address),

Network (connections to a specific IP segment, as specified by an IP Address and a
Netmask); a short Description string should also be added;
The list will display all your rules in an easy to read manner. The sequence by which rules appear in
the list can be relevant and you can use the Up and Down buttons to change it
Inbound Rules
By default all incoming Internet traffic is dropped: all connection attempts coming from the Internet
are denied. Here you can allow incoming traffic based on its origin, port and/or protocol.

· Policy: choose Allow Access or Deny Access (tipically you'll want to add Allow rules here);
· Protocol: All, TCP (you can choose All ports, individual ports or even port ranges like 21, 22,
80, 500-600), UDP (same as TCP) and ICMP;
· From location: Any (connections from anywhere), Device (connections from a specific IP
Address), Network (connections from a specific IP segment, as specified by an IP Address
and a Netmask); a short Description string should also be added.
As for the outbound rules, the sequence by which they appear in the list can be relevant and you
can use the Up and Down buttons to change it.
Please note that controlling access for Inbound traffic may be particularly useful in some very specific
scenarios such as situations where edgeBOX might act as a router for inbound traffic directed at
specific IP addresses that might belong to each Privilege.
Related Topics:
· Firewall
· QoS
9.2.2 Access to other VLANs

Inter VLAN Access
By default, users in a given VLAN cannot communicate with users of other VLANs. This also includes
the LAN. The LAN is also know as default VLAN. It's good practice to keep your VLANs isolated from
each other: that's one of the advantages of using VLANs. Nevertheless, if you have specific needs you
can overcome this default behaviour by indicating exceptions: locations (services/ports) on other
VLANs the users will be able to access even though not belonging to that specific VLAN.
· Protocol: All, TCP , UDP and ICMP;
· To Ports: if TPC or UDP are selected you can choose All ports, individual ports or even
port ranges (like 21, 22, 80, 500-600);
· To Address: Any (connections to anywhere), Device (connections to a specific IP Address),

Network (connections to a specific IP segment, as specified by an IP Address and a Netmask).
The sequence by which they appear in the list can be relevant; you can use the Up and Down
buttons to change it.

Users 191
9.3 Groups
You can use groups if you have edgeBOX third-party applications; edgepacks. What are edgepacks?
edgePACKs are optional modules for edgeBOX that add functionalities for particular markets or add a
new set of features. Some examples are: edgeLMS and edgeDESKTOP. Learn more details about
edgepacks at edgeBOX's website.
Groups have no direct use in the edgeBOX or the network. If you want to create groups of
users that have common privileges and types of accesses in your network, you should to use
Privileges instead.
If you need to manage groups go to the Groups link in the Related Topics corner, in the Users
section, Network Users menu. A short descriptive table is shown with the currently configured
groups, their description and number of users in each. Click the New... button. A dialog window will
popup:
· Name: choose a name for this group
· Description: Type-in a short description
· Users: the list of users that belong to the Group; use the Add Users... and Remove buttons
to manage the contents of the list; users can be part of one group, several groups or no group
at all.
9.4 Delegate a Local Administrator

Go to the Users section. Click the Local Administrator option, in the Related Topics corner.
The local administrator is one of the users of your local network that you give the permission to
manage parts of your network and configure some of your services; someone that can access some
sections of the edgeBOX web interface. How can local admin user access the edgeBOX web
interface?
To have access to the edgeBOX, the local administrator has to:
1. Go to a computer of the local network (LAN).

2. With a browser, open the webpage https://myedgeBOX.com, (or as an alternative, point
the browser to the IP address of any of the WAN or LAN interfaces; this will be needed
only if edgeBOX is not your DNS server)

3. After the page opens, click the link Login.
edgeBOX initial page
4. Type the username and password he uses to authenticate to the network.

5. Click the Login button.
Create a local administrator of the edgeBOX
To make a user of your network local administrator hit Select... and choose from the list.
Now you need to indicate the areas and functionalities of the edgeBOX the local administrator
will have access to:
1. A tree like data structure is presented.

2. You can collapse and expand the tree by clicking the '+' and '-' signs. Check the areas
you want the local administrator to have access to. Each section (main menu option) of
the edgeBOX is represented by a branch and the menus inside it are represented by sub-
branches; you need to check the ones you want. View an example

Users 193
Remove the local administrator
Just hit Remove on the dialog window
If you restore an old backup, the local administrator will not change.
edgeBOX has a backup and restore option that allows you to make backups of all the configurations
and data. However, for security reasons local administrator settings are not saved in
edgeBOX backups. View example
For example, if your local administrator was 'john_simmons' and you made a backup of the
edgeBOX at that time, and a some time later you changed the local adminitrator to 'david_parker',
and now you restore that old backup you made, your local administrator will still be
'david_parker'.

9.5 View currently Connected Users

If you need to get a list of Users connected to the system you can do it: just navigate to the
Users section and click the Connected Users in the Related Topics corner.
It will show you a table with the list of users currently authenticated. The details are:
· Name: the user's full name;
· Login: the user's username (or login name);
· Privilege: the Privilege under which the user is logged;
· IP Address: the IP Address of the host/computer from which the user made his login;
· MAC Address: the hardware address of that host/computer.
Related Topics:
· How do I add more users ?
· How do I configure network access privileges ?
9.6 Configure authorized RADIUS clients

When you need to authorize network devices to access RADIUS authentication in edgeBOX, go to the
Users section and hit the RADIUS option in the Related Topics area. You'll need to specify their IP
Addresses and the type of device, among other settings:
· IP Address: the device's IP Address;
· Name: the device's name;
· Password: the password edgeBOX will use to access the device and encrypt RADIUS packets;
· Confirm Password: retype the password;
· Type of device: select the most appropriate from the drop-down list;
· VLAN Assignement: check this if you want edgeBOX to assign a VLAN when performing

Users 195
authentication for this device.
This page allows you to view, delete and add remote RADIUS clients for user authentication. These
are normally called NAS (Network Access server). The edgeBOX supports different types of 802.1x
port based authenticators. Some of the devices supported include 802.1x switches with dynamic
VLAN assignment like the Procurve 2650 or the Procurve 420 Access Point for Wireless
communications with multiple SSID and dynamic VLAN assignment.
Supported EAP methods: PEAP-EAP-MSCHAPv2 and EAP-TTLS.
If you select the Generic 802.1x Access Point or Generic 802.1x Switch from the drop down list, the
IP address is the IP of the AP/Switch and the password the RADIUS client password configured in the
remote AP/Switch.
Name is any text you wish to enter to identify this unit.
If "Enable Dynamic VLAN assignment" is checked, the edgeBOX internal RADIUS server sends the
correct VLAN id to the Switch or Access Point according to the User Access Profile. This feature
allows the remote port based authentication device to put the user in the correct VLAN,
independently of the port / SSID the user is currently connected. You must use a compatible port
based authentication device.
If you select the "HP ProCurve 2650" drop down, the IP address is the IP of the Switch and the
password the login password of the switch.
Name is any text you wish to enter.
If "VLAN assignment" is checked, and after a successful 802.1x user authentication, the edgeBOX
internal RADIUS server sends the correct VLAN id to this switch according to the User Access Profile.
This option allows the Procurve switch to put the user in the correct VLAN, independently of the port
the user is currently connected.

10 System
The System menu allows you to configure a variety system related aspects of the edgeBOX:
· Adjust the Date, the current Time, your Timezone or use an Internet time server
· Change the language or the administrator's password and e-mail address
· Shutdown or Reboot
· Manage Software Updates - manually or automatically - and receive related

notifications by e-mail
· Backup edgeBOX settings and user files to a secure medium, perform Restore
operations and scheduled Backups
· Configure edgeBOX's Hotbackup redundancy system
· Receive e-mails and SNMP Traps when relevant status changes occur
· Review or download system logs and configure logging to a remote log server
· Send user's Accounting records to a RADIUS server
· Globally enable/disable the embedded SNMP Agent
· Schedule regular maintenance operations to optimize edgeBOX's relational database

performance
· View and change the status edgeBOX's main network services
· View the current status of your hardware devices, like fans, temperature and hard-disk
usage statistics
· Configure a Remote Management server
10.1 Adjusting Date and Time

To adjust time related settings please point the browser to the System section, Date and Time
menu. There you can view and adjust edgeBOX's date and time and synchronize with a preferred
Internet Time Server to keep the date and time always accurate.
Adjusting date and time is not possible if you have configured an Internet Time server. In that case
your Date and Time are adjusted automatically. Otherwise just hit the Adjust... button, enter the
desired Date and Time into the popup dialog and press Save.

System 197
Time Zone
Change the time zone
1. Hit the Change... button;

2. Pick the world Zone from the list on the left and the City closest to edgeBOX from the list on
the right.
3. Press Save.
Internet Time
Synchronize the date and time with a Time Server on the Internet
You can use a time server on the Internet to keep date and time always accurate.
1. Click Change...;
2. Select the Syncronize edgeBOX date and time with a time server on the Internet option
at the top;
3. Select the NTP server you want to synchronize with from the list.
edgeBOX will try to synchronize with the selected server every day. The status/time of the latest
synchronization is shown.
If edgeBOX's date and time is delayed more than 1000 seconds (17 minutes) edgeBOX
will not synchronize and create an entry in the Log Viewer and send a notification by e-mail.
How to synchronize all the network devices with edgeBOX's date and time
Besides synchronizing its date and time with an Internet Time Server, edgeBOX can also work
as a Time Server so you can synchronize all your network devices as phones, computers and
servers with edgeBOX. This way you can keep an the same, accurate, time on every device of
your network.
To synchronize a device with edgeBOX's date and time:
1. Go to the device's date and time settings.

2. Search for the option to Synchronize with an Internet Time Server.
3. Indicate that the the time server you want to synchronize with is edgeBOX. To do that
you can type in edgeBOX's IP address or edgeBOX's hostmane. For example, if
edgeBOX's hostname is ebox and the network domain is example.com and edgeBOX's IP
address is 192.168.100.254, then you can type ebox.example.com or 192.168.100.254.

10.2 Administration
To change edgeBOX administrations settings you need to navigate to the Administration menu in
the System section.
Language
edgeBOX's web management interface supports several languages. Click Change language... and
select the desired one from the list provided. A warning message will inform you of the fact. The
browser will reload the management interface with the newly selected language.
System E-mail Messages
edgeBOX sends several types of system related messages - such as warnings or available software
updates, by e-mail. The recipient of these e-mail messages is not specified by default. So, you need
to edit it yourself.
Hit the Change e-mail... button. Choose the Send system messages to: option and fill in your e-
mail address (this is the e-mail address to which edgeBOX will send system e-mail messages). If you
do not wish to receive e-mail messages just choose the Do not send system messages option.
The default sender e-mail address edgebox@example.com is an invalid e-mail address. It is

made of the word edgebox and edgeBOX's default internal domain: example.com.
You can change it to a valid address so people can reply to those messages. Also, you can change
it to a valid e-mail to avoid problems with E-mail Servers because E-mail Servers usually perform
validation of domains when they deliver e-mails. example.com is not a valid public domain and thus
edgeBOX may find problems in delivery to the final domain.
Administrator Password
When the edgeBOX is installed, the admin password is by default the word root. If you find that
this password is not working correctly, then you should contact your reseller.
To change the password click Change Administrator's password... and type the desired new
password in both the New Password and the Confirm text fields. How do I choose a good
password ?
Shutdown or Restart
You can, at any time, shutdown or restart edgeBOX; just choose the option you need and press Ok.

System 199
10.3 Managing Software Updates

The updates available are new functionalities, security updates or performance enhancements.
Please go to the System section, Software Updates menu, if you need to:
· get a list or install available software updates,
· install edgeBOX's third party applications - the edgePaks,
· receive automatic e-mail messages with information about new software updates,
· have software updates managed and installed automatically.
Status
The menu displays a short summary information stating whether you should check for available
updates or if there are already updates available (this second information is automatic if you
configure automatic checking for updates). Clicking on the buttons you can perform the following
operations:
· Check Now: will immediately check for new updates, without installing them;
· View Update Log: reports all the updates that have been applied to edgeBOX; the list can be
cleared by clicking on the Clear Entries button;
· Install Updates: installs available updates.
Automatic Updates
You can manually check for and install available updates. But you can also make edgeBOX check for
updates and notify you of the updates so you can install them yourself. You can also ask edgeBOX to
check for updates and install them automatically.
Hit the Change... button:
· Disable Automatic Updates: edgeBOX will not try to check for updates;
· Check for updates automatically but let me install manually: edgeBOX will check for
software updates - if updated software packages exist they will be automatically downloaded
but not automatically installed - edgeBOX will let you install them manually;
· choose the Notify me when updates are available option to receive a

graphical notification in the Dashboard;
· Check and install updates automatically: this will make edgeBOX connect to the update
server, download new software packages and, depending on your choice, you will receive

notifications, similar to the ones in the previous option. The following options are available:
· Notify me when Updates are installed: in this situation edgeBOX will

actually install the downloaded updates and, if necessary, execute a full
restart or, if applicable, restart the services that need to be restarted; this
approach may not be the most appropriate for your needs; please note the
following two options;
· Notify me when Services restart is needed: you should choose this option
if your network users can not tolerate any restarting of services or
restarting edgeBOX itself; in this situation, if services restart is needed or
if a full restart is needed nothing will be installed; you will receive a
notification; you should go to the administration web interface, navigate to
the Software Updates menu - System section - and execute the
installation manually (and any needed restarting, as part of the process); if
no restarting whatsoever is needed, all downloaded packages will be
installed;
· Notify me when System reboot is needed: choose this option if don't mind
that some services may need to be restarted but you don't want edgeBOX
to perform a full restart automatically; if this is the case, then nothing
will be installed and you will receive a notification accordingly; you need to
use the administration web interface to execute the installation manually (and
the needed reboot as part of the process); otherwise software updates will
be installed and the needed restarting of services will be carried out.
Common Settings
· Check every: you can choose to trigger the software updates check task every 6, 12 or 24
hours;
· Starting at: the base hour/minute at which the check will be started; see example...
If you want to check every 6 hours, starting at 13h15m, edgeBOX will check four times a day at
1h15m, 7h15m, 13h15m and 19h15m;
· Also notify me by e-mail: notifications configured in the previous options will also be sent by
e-mail to the administration e-mail address.
If an error occurs while edgeBOX is trying to update, a notification will be displayed in the web
interface indicating you the problem and asking you to try to install the update again.

System 201
10.4 Backup & Restore

edgeBOX can schedule backups to occur periodically at a predefined time, day and date. These
backups can be stored either on a remote FTP server, remote a Windows File Share, or on a USB
disk connected to the edgeBOX. The following notes aplly:
· Backups may only be created/restored to/from a local USB disk, a remote FTP server, or a
Windows File Share;
· Both the Backup operation and the Restore operation cause edgeBOX to stop several system
and application processes (eg VoIP and authentication); additionally the Restore operation
always requires a system reboot in the end;
· Local USB disks can not be formatted as NTFS;
· Restore is only supported from the same version of the Operating system to the same version
(eg v4.7 to v4.7).
· Restore is supported from the same architecture to the same architecture only;
· Multiple edgeBOXes can use the same directory, as the backup files have a unique prefix
associated with an edgeBOX
· Full backups and Incremental backups are supported
· The backup can not be stored in the edgeBOX it self.
It's important to setup a backup policy from the start, to prevent the loss or corruption of data.
Backup
Using the buttons provided you can choose to:
· Backup Now... if at any time you need to execute a Manual backup;
· Schedule... if you prefer a time based schedule of cyclic backup operations.
Please note: the imap, pop and e-mail services are stopped when executing a Backup; this means
that while the Backup is running edgeBOX will not be able to receive or send e-mails and users will
not be able to read their e-mail.
Restore
Here you can manually restore backup files from either a Windows Share, an FTP server or a local

USB disk. Press the Change... button to select the device where the files are stored and enter the
appropriate details (the details needed are in all similar to those described for the backup
operations).
The list on the left will show you all the available Full backups. Click any of them to get a list of the
corresponding Backups points-in-time.
If you select an incremental backup, the system will restore a) this backup and b) all appropriate
incremental backups and the c) the appropriate full backup. Give me an example...
Lets assume, as example, the following backup policy:
· Sunday: Full Backup
· Monday to Saturday: Incremental Backup
If you restore the Wednesday Incremental, the system will also restore the Tuesday and Monday
Incremental and the Sunday Full backup.
Click on View details to be assured of the details. Finally, you should click Restore to perform the
operation. A dialog will popup with a confirmation telling you that, in the end, edgeBOX will be
rebooted.
10.4.1 Immediate Backup

Manual backup allows you to undertake a backup immediately. Selecting one of the three possible
backup destinations:
· Use an FTP server from the network
· Use a Windows Shared folder from the network
· Use a USB Flash disk attached to edgeBOX
It is not possible to save the backup locally on the edgeBOX itself.
If the folder specified (for the FTP server, or Windows share or USB disk) does not exist, the
backup will fail. It will not automatically create the folder.
Once all the relevant fields have been entered, press Save to immediatelly start the backup. The
options are:
FTP Windows Share USB

System 203
Method: FTP allows you to select Method: Windows Share allows Method: USB allows you to
an FTP server which will store the you to select a share from a select a local USB disk (Not
backup files windows server, which will store NTFS formatted) which will
the backup files store the backup files
Server: IP address of the FTP Server: IP address of the Refresh Devices: Will scan
server Windows Server the local USB devices and
present you with a drop down
list to enable you to select the
device which will store the
backup files
Port: FTP Port (usually 21) Device: The chosen device

(You may have more than 1
USB disk connected) on which
the backups will be stored
Folder: Which folder on the FTP Folder: Which folder on the Partition: If the device has
server where the backups will be Windows Share will receive the more than 1 partition, you can
stored backup files select which one you will use to
store the backup files.
Use Authentication: If checked Use Authentication: If checked Folder: Which folder on the
the username and password fields the username and password fields USB device, where the backups
will be active will be active will be stored
Username: The username of the Username: The username of the

account you are going to use on account you are going to use on
the FTP server the Windows File server
Password: The password of the Password: The password of the

account which you are going to account which you are going to
use on the FTP server use on the Windows File server
10.4.2 Scheduled Backups

This panel allows you to specify a scheduled backup regime. For full and incremental backups.
Backup Destination
A summary information is displayed stating the current Backup destination details. See examples...

· Backup destination: FTP server (212.13.13.212)
· Backup destination: Windows share (192.168.100.55)
· Backup destination: USB flash disk
Hit the Change... button, at the top right corner, to change the destination medium of your scheduled
backups. You can choose to perform backup operations onto an FTP server, a Windows share or
an external USB storage. The dialog presented for this purpose equal to the one in the Immediate
Backup section.
Full Backup
You may create (or disable) a schedule for full backups, except if you have configured Incremental
Backups: the execution of an Incremental backup assumes the execution of a Full backup at some
point in time.
Incremental Backup
Incremental backups backup the files which have been modified since the last Full or Incremental
Backup. The same options are available for Incremental as for Full Backups.
Scheduling
Several scheduling approaches are possible, so that you can fit the backup tasks to better suite your
company's Backup policy. Typically, you would schedule:
· Full Backup: on Sundays at 04:00 and
· Incremental Backup: at 04:00, every day from Monday to Saturday
The Full and Incremental backups should not be scheduled to occur at the same day and time (it
does not make sense to execute both of them at nearly the same time as the Full backup will render
the incremental backup useless or a waste of time and processing power). If you schedule them at
exactly the same time (hour and minute) the Full backup will take precedence and the Incremental
backup will not occur.
The scheduling possibilities are:
· Day:
· Every Day: the operation will take place every day;
· Every Week: any day of week; you can pick up exactly the day(s) you want the backup to
be executed;
· Every Month :once a month; choose a day of the month (please note: if you select a day
such as the 31st and the month has less than 31 days, the backup will not take place);

System 205
· Hour and Minute: the exact time of day at which the task should be started.
NOTE: incremental backups are valid only if there is already a full backup. So if you plan on
executing full backups on Sunday and incremental backups on all other days, you should start the
process on Sunday. Incremental backups taken before the first Full backup are invalid and should
not be used.
10.5 Using HotBackup for redundancy

Using two edgeBOXes, the Hotbackup menu, in the System section, allows you to configure one of
them - the Master - to manage the network and daily replicate its configuration and data to the
other edgeBOX - the Slave.
The Slave edgeBOX works as a backup (hence the name Hotbackup), ready to take over the Master's
place if a failure occurs.
Assumptions and pre-requisites
The stable operation of the Hotbackup feature assumes a set of pre-requisites which must be
assured by the adminitrator:
· The base hardware on both edgeBOXes must be exactly the same and the extra
function cards installed on each must be identical and plugged into the same connectors;
· The Slave and Master must have identical operating system releases and revisions. For
example, if you update only the Master with a new revision of the edgeBOX's software, the
Hotbackup process will not be possible. To assure this, you should manage both edgeBOX's
updates manually and not automatically. See details...
Using Hotbackup
Setting edgeBOX as Slave
To set edgeBOX as a Slave edgeBOX (backup edgeBOX) hit the Change... button:
1. Select the Configure this edgeBOX to act as the Hotbackup Slave option;
2. Indicate below IP Address, Netmask, Default Gateway and Nameserver to be used in
Slave mode; in Slave mode, edgeBOX's networking is reduced to a minimum necessary
only for the Master to be able to access the Slave and replicate it's configs and data

onto it;
3. Click the Save button to start the process; edgeBOX will reboot and run in Slave
mode; in Slave Mode only the LAN interface is active and it's IP basic configurations are
the four values you entered in the previous step; that's the interface to which you
should connect your ethernet cable; it's a good idea to have a VGA and a keyboard
connected to the Slave in order to get a better grasp of the process; when edgeBOX
has finished entering Slave mode an appropriate text mode screen, in the VGA terminal,
will help you determine and remember these settings; if you have an edgBOX with LCD
display, you can view an "S" in the top right corner of the LCD, indicating that the
edgeBOX is running as a Hotbackup Slave;
4. Ethernet Wiring: you can choose any IP address you wish, as long as the Master
edgeBOX can access the Slave through TCP/IP. The most simple way to wire up this
setup is to choose for the Slave an IP address which falls into the Master LAN segment.
For example, if your Master has LAN address 192.168.100.254/255.255.255.0, then you
could choose for the Slave 192.168.100.253/255.255.255.0 and connect the Slave LAN
port the the same switch as the Master LAN port (but, please, keep in mind that this
setup is not the only solution).
When you set edgeBOX in Slave mode, you loose access to the web interface and
you can no longer use the edgeBOX for managing your network. It will only work as
a backup for the Mater edgeBOX. Still, you will be able to access it using it's command line
interface, either locally using a keyboard/VGA or a serial console, or remotely via ssh. This
way you will be able to perform a limited set of commands that are specific to the Slave
Mode.
Set your edgeBOX as the Master edgeBOX
You can only set your edgeBOX to run in master mode after you have an edgeBOX configured
and working as a Slave edgeBOX. Also, the Slave must be accessible to the Master through the
network.
To make your edgeBOX run in Master mode, click the Change... button:
1. Select the Configure this edgeBOX to act as the Hotbackup Master option;
2. Indicate below the IP address of the Slave edgeBOX and the time of day at which
you want to replicate the configuration and data from the master to the slave; the
replication is made every day at that time;
3. Click the Save button. edgeBOX will search for the Slave, validate it's configuration and
start working as a Master edgeBOX. If you have an edgBOX with LCD display, you can
view an "M" in the top right corner of the LCD, indicating that the edgeBOX is running as
a Master edgeBOX.
Choose a time of day when your network has less activity, for example, during dawn,
because, in order to make the replication, the Master edgeBOX has to stop a
considerable amount of services to grant that the configuration and information are
correctly replicated.

System 207
Please note: you should avoid performing administrative tasks close to replication
time. If you are configuring your Master and the replication procedure starts, there could
occur severe damage to your edgeBOX compromising stability. As a practical rule do
not use the GUI or the CLI at replication hours.
Check the status of the Slave edgeBOX
When you have an edgeBOX in Slave mode, you loose access to the web interface. Still you
can check its connectivity status from the Master.
To do this just hit the Check Slave button. If the Master determines that the Slave is not
reachable or inconsistently configured a detailed message will be displayed; in normal
situations you will get an Ok assuring you that everything is normal;
Manually replicate edgeBOX's configuration and data to the Slave edgeBOX
In Hotbackup, the replication of the Master edgeBOX's configuration and data is made everyday
at a given hour that you defined when you configured the Hotbackup process. Still you can ask
the Master edgeBOX to replicate at any time.
To do this just click the Replicate Now button. This operation may take a very long time.
Please wait. In the end you will bet an Ok saying that everything went all right; if the operation
fails you will get a detailed diagnostic message. As stated above, please avoid doing any other
tasks while this one is running.
Make sure that your network has few activity when you ask edgeBOX to replicate. Note
that, in order to replicate correctly, edgeBOX has to stop a considerable amount of network
services.
Stop edgeBOX from being in Master mode
If you have your edgeBOX running in Master Mode and you want to stop using HotBackup and
make the edgeBOX run again in the default normal mode, then hit the Change... button and
select the Disable Hotbackup option (this operatin will not perform any change of
configuration in the Slave). edgeBOX will stop replicating to the slave edgeBOX. All other
services will continue working normally.
Make the Slave edgeBOX take-over if the Master edgeBOX fails
If your Master edgeBOX (the edgeBOX that is managing your network) is malfunctioning and
you need the Slave edgeBOX (backup edgeBOX), to take over it's functions:
1. Before initializing the process, check the status of the last replication in the Slave
edgeBOX; please consult the Slave's logs via CLI commands hotbackup view replica
status or hotbackup view slave log; if you have an LCD unit then just srcoll down

the menus in the Slave and you´ll get the Replica Status with a date and an Ok;
2. Shutdown or power-off the Master;
3. Connect all Master's appropriate cables (eg ADSL, ISDN, Analogue etc) to the Slave
edgeBOX;
4. Open the slave edgeBOX's Comand Line Interface (CLI);
5. Type in the command hotbackup returntonormalmode or hotbackup return to normal
mode. The Slave edgeBOX will take over all services previously provided and managed
by the Master; please follow the process until the end;
When you stop the Slave edgeBOX to work as a slave and make it take over the master,
you gain back access to edgeBOX's web interface. To login to the web interface, use the
password that you used to login on the Master edgeBOX (the administrator password is also
replicated onto the Slave).
10.5.1 Managing software updates in a Hotbackup scenario

When you use the Hotbackup functionality, you should manage edgeboxes' updates manually
and not automatically to grant that the Master and the Slave have identical software versions.
Software updates, in the context of Hotbackup, is a process that should be planned
carefully.
The Master automatically detects that the Slave has a diferent operating system version/release and
will refuse to proceed.
· Master software update
Updating the Master is quite straightforward. Just follow the process described in the
Software Updates menu, in the System section, but do not select the option that installs
software automatically. You can activate the Check for updates automatically but let me
install manually option in the Software Updates menu. This will not install anything but will
periodically query the update server and send you notifications if needed.
· Slave software update
The Slave edgeBOX is not able to execute nor to check for software updates by itself. So,
if you allow the Master to update automatically, all subsequent replication attempts will fail. The
same happens if you update the any of them manually, but you forget to update the other one.
Please keep in mind that the slave, as it finishes the return to normal mode operation, it becomes
a perfect replica of the Master; this is of utmost importance. Despite other/mixed approaches may be
possible, the following may be used as a step-by-step approach to executing the software update on
the slave:
a) Before proceeding with the upgrade of the Slave please note the following:

System 209
· As the Slave returns to normal mode it's LAN interface will have the same configuration as the
Master;
· If the Master is the default gateway of the network segment to which the Slave will connect in
ordero to access the update server, then the Slave's WAN interface will obtain an IP address in the
Master's LAN segment. This implies that the WAN and LAN interfaces in the Slave will have
configurations "in" the same IP segment; this will surely frustrate the Slave's attempts to reach the
update server. In this scenario either the Slave's LAN IP address is temporarily changed or, simply,
the Master is turned off and the Slave takes it's place for software upgrade (during the night or
weekend). After update is complete all connections may be brought back to normal and the Slave
returns to Slave mode.
b) The steps to executed the software update on the Slave are:
1. Disconnect any network cable which might be connected to the Slave's WAN interface;
2. Access the Slave's Command Line Interface (in Slave Mode there is no GUI); to do this you
can connect your laptop directly to the Slave's LAN connector (using a crossover cable, if
needed) and access the CLI by ssh/putty; in Slave mode there is no DHCP server running, so,
the laptop IP configuration must be manual; using the keyboard and VGA is also a good
approach;
3. Execute the hotbackup return to normal mode command in the Slave's CLI (putty/ssh or
keyboard/VGA); wait until the Slave has finished returning to normal mode of operation (you
determine this by watching it reboot into normal mode from the VGA terminal);
4. If the Slave is going to access the update server using the Master as default gateway, please
change the Slave's LAN IP address by with the CLI command: lan static ip
192.168.70.1/255.255.255.0 (or any other subnet that does not collide either with the
Master's LAN nor any of the VLANs involved); when this command completes you will loose
your connection; you need to re-configure your laptop manually, with, according to the
example given, for example192.168.70.200; this step is not needed at all if the Slave will
connect directly to the internet without the Master involved (unless you have static IP
configuration on the WAN and you are planning to share the same network segment for the
upgrade; in this case you really need to disconnect the Master's WAN interface, in order to
prevent double IP on same segment);
5. Connect to the Slave's WAN interface the cable that will provide internet connectivity (through
the Master or directly through th ISP);
6. Access the Salve's web interface and proceed as described in the Sofware Updates menu
(assuming your laptop is still connected to the LAN interface you should point it to https://
LANIPADDRESS:8011; if your laptop is connecte to the WAN segment of the Slave you should
point to https://WANIPADDRESS:8011); depending ion the type of update it may be necessary
to reboot; make sure no warnings popup and everything processes normally;
7. Disconnect the Slave's WAN cable;
8. Access the GUI and reconfigure Hotbackup Slave Mode; re-enter and double check the Slave
Mode's IP settings (IP, Netmask, gateway and nameserver) and apply slave mode again; wait
until edgeBOX is fully back in Slave mode (watch the VGA terminal; it will tell you); re-wire the
slave's network cable(s) back as they were before;

9. Re-wire the Master back to the way it was before (that is, if you changed anything); go to the
Master's GUI and execute the "Check Slave" operation; the result must be "Ok";
10.Execute the "Replicate now" operation if you don not wish to wait for the up-coming daily
replication.
10.6 Notifications
You may find the need to receive notifications regarding Hardware events, RAID status and others.
edgeBOX is able to detect such events and forward them to you by e-mail and by means of SNMP
traps - in case you use SNMP to manage your network(s).
To configure the system to send these specific e-mail notifications and SNMP traps, please go to the
Notifications menu in the System section. As usual, you can Start and Stop the Notifications
service and an appropriate coloured status bar shows you the current operating status.
E-mails
You may Enable, Disable and Edit the details of e-mail notifications:
· Notification
· Hardware status changes: if you want to receive e-mails for temperature changes and
other hardware issues;
· RAID if you want to receive e-mails about hard disk status related to RAID.
· Receiver - the e-mail address to which the notifications will be sent (leaving it as
root@localhost will make the e-mail be delivered to the administrator e-mail address).
· E-mail Subject - The subject of the e-mail message.
· Status - Whether each e-mail notification is active or not.
SNMP Traps
You may Enable, Disable and Edit the details of SNMP Traps notifications:
· Name
· Hardware status changes: if you want to receive traps for temperature changes and other
hardware issues;

System 211
· Backup result summary: if you want to receive traps with the results of your scheduled
backup operations;
· RAID if you want to receive SNMP traps about hard disk status informations related to
RAID.
· Trap Type - Only Enterprise should be selected. Generic will be included for a future release.
· Trap Receiver - IP address of the SNMP management Server which will receive the traps.
· Trap Community - The community which has been configured on the server which will receive
the traps.
· Object ID - The SNMP Object Identifier configured on the server which will receive the traps.
· SNMP Version - SNMP versions 1 and 2c are available options .
· Status - Whether each e-mail notification is active or not..
10.7 Managing and Diagnosing RAID

A RAID array distributes data across several physical disks which look to the operating system and
the user like a single disk. Several different arrangements are possible. Currently, only RAID1 is
supported and it is managed by the RAID menu in the System section (this menu is only available if
your system uses RAID).
RAID1 uses two (possibly more) disks which each store the same data, so that data is not lost so
long as one disk survives. Total capacity of the array is just the capacity of a single disk. The failure
of one drive, in the event of a hardware or software malfunction, does not increase the chance of a
failure or decrease the reliability of the remaining drives (second, third, etc).
The panel has the following elements:
· At the top the array status is presented and it may be one of the following:
· Clean - all disks in the array are active

· Recovering - the array is rebuilding, i.e, it is mirroring the disks
· Degraded - there is a faulty disk in the array
· A list with the array disks

· A button to add a disk to the array and another button to remove a disk from the array.

10.7.1 Disk Notifications

If the status of the array changes, a notification action may be performed as defined on the
Notifications panel. Notification actions will occur under the following circumstances:
· DeviceDisappeared - A mirrored array which was previously configured, has lost a device
and is no longer working as a RAID array
· RebuildStarted - The RAID array has started reconstruction (eg when a disk is replaced, the
new disk has to be reconstructed from the good disk to form the array)
· RebuildFinished - The (new) disk has either completed construction (and is now part of the
RAID1 array) or the construction was aborted.
· Fail - An active disk in the RAID mirror has been marked as faulty.
· FailSpare - A spare disk (if one is available), which was being rebuilt to replace a faulty
device has failed.
· DegradedArray- The Array is degraded (eg disk failure)
· SpareActive - A spare disk (if one exists) which was being rebuilt to replace a faulty disk,
has been successfully rebuilt and has been made active.
10.7.2 Replacing a faulty disk

If the array becomes degraded the faulty disk should be replaced. There are different ways to
perform disk replacement:
No Hot Spare
To replace a faulty disk automatically, i.e, without the need of management intervention, just follow
the steps:
1. Write down the serial number of the faulty disk

2. Shutdown the edgeBOX at the earliest opportunity
3. Replace the faulty disk (check the serial number) - the new disk must have the same capacity
(in bytes) as the faulty disk.
4. Start the system
The new disk should synchronize with the active one. The array status may be checked on the RAID
panel.
Note: The replacement disk must match the original disk, it cannot have a larger or smaller disk
capacity (in Bytes)
Hot Spare
If the box has more than two disks, one may not have to shutdown the system immediately. A third
disk (spare) may replace the faulty one. This action is accomplished by the following steps:
1. Highlight the faulty disk and press the "Remove" button

System 213
2. Highlight the Spare Disk and press the "Add" button, the new disk will be included on the RAID
array and synchronization will begin.
If a spare disk is available in the "Array Disks" panel, it will be automatically used to rebuild the RAID
array in the event of a disk failure with one of the current RAID disks.
To replace the faulty disk, highlight it and select the "Remove" button. Shut down the edgeBOX and
remove and replace (if you wish) with a new disk which has the same Byte capacity as the faulty
disk.
In this case, it would be prudent to add this replacement disk to the "Array Disk" panel for automatic
replacement in the event of another disk failure.
Hotswap
Hotswap is also supported in the Enterprise Appliance, however the following precautions should be
taken:
· Write down all disks serial numbers and respective slot to know which disk is the faulty one.
· The faulty disk may be replaced without shutting down the system. Synchronization process
progress may be checked in the RAID panel.
10.8 Reading and Managing System Logs

Reading system or services logs may become necessary as a way to understand or solve specific
operational issues.
edgeBOX includes comprehensive solutions for accessing system and application logs (such as
syslog, http logs, voip's cdrs, among others). Point your browser at the Logging menu in the
System section. There you'll find:
Log Viewer
The Log Viewer lets you examine several application's logs with 2 levels of verbosity. Clikc the Log
viewer... link. The Log Viewer panel will popup:
· Service: select the service for which you wish to read logs; the available services are: Anti
Virus, Authentication, Backup, Blacklist, Website Access Restrictions, Daemon, Hardware
Monitor, Hotbackup, Kernel, Mail, RAID, VoIP;
· Verbosity: controls the level of detail of the messages displayed; select High or Low
(changes will be applied to new log messages only); this setting is global to all services;
Each page displays at most 25 lines. The Previous and Next buttons allow you to scroll
chronologically through the pages (earliest messages are displayed first).

Logs Destination
edgeBOX can send logs to a remote logs server. To enable this behaviour click on the Change...
button and specify:
· Also store edgeBOX logs in a remote server: check this box;
· Server address: the IP Address or host name (FQDN) of the server to which edgeBOX will
send log messages;
· Port: the TCP/IP port number on which the server listens for log messages; 514 is the
default.
Log manager password
You should set the logmaster password from this panel. The logmaster username gives you FTP
access to edgeBOX's log files:
· System Log Files (sys.log)
· HTTP/HTTPS Access Logs (access_log)
· VoIP CDR's (Master.csv files)
Additionally, this FTP access should be used to access, download and delete call recordings
made by means of the Automatic Call Recording. If your edgeBOX is currently recording calls, you'll
find them inside the call-recordings FTP folder.
10.9 RADIUS Accounting

This menu option allows you to review and configure the RADIUS servers used for accounting. Note
that you can have authentication and accounting performed by the same server, or have different
servers for each purpose. The table lists all the servers configured. The configured servers will be
contacted in sequence, and the first one to answer will store the data. The accounting data applies
only to the WAN interface.
To add a new RADIUS Accounting server you'll need:
· Server IP: The IP address for the new server;

· Server Port: The port used. The default value is 1813, but another port may be used.
· Password: The password used by edgeBOX's RADIUS client to access the server
· Confirm Password: Confirm the password you have entered

System 215
· Timeout: The maximum amount of time for connection setup with the RADIUS server. If this
time is exceeded then the next server on the list (if any) will be contacted.
· Log Interval: possible values are “15 minutes”, “30 minutes” and “60 minutes”. This option
allows you to control the period for which account information will be sent to the remote
RADIUS accounting servers.
Note: Accounting is only available with authenticated user sessions. See Authentication for details.
10.10 SNMP
The status of the edgeBOX can be queried using the Simple Network Management Protocol. This
panel controls the SNMP agent running on the edgeBOX.
SNMP Agent
Configures read-only SNMP access to the edgeBOX.
· Enable Access to SNMP Agent - Enables the SNMP agent and allows read-only access to report
the status of the edgeBOX.
· Community string - The name of the community used when requesting access to the SNMP
agent. Avoid well known strings such as “public”, “private” or ones that are easy to guess, e.g.
“edgeBOX”. Specifically “public” is not allowed.
· Allow queries from:
· Any device: edgeBOX's embedded SNMP agent will respond to SNMP queries coming
form any device (with the correct community string obviouslly);
· A specific device: edgeBOX will only respond to SNMP queries coming from this IP
address;
· Devices within the following network segment: edgeBOX will only respond to SNMP
queries coming from this IP segment (as determined by the IP Address and Netmask pair);
· Allow queries for - Enter an object identifier (OID). Access to objects below this level are not
allowed.
SNMP Traps
Configures the host (NMS) to which traps/notifications will sent.
· Allow edgeBOX to send SNMP trap messages to a Trap manager - Enable notifications to
be sent.

· Community - The name of the community used when sending a notification/trap.
· Receiver - The host name or IP address of a computer (NMS) to which notifications will
be sent.
To configure the type of traps/notifications sent by edgeBOX go to the Notifications section. These
include the Backup, Hardware Monitor and RAID services.
10.11 Maintenance
In the Maintenance module it is possible to schedule system database optimization in order to
improve performance of VoIP service and the Reporting engine.
The main reason to do this is to increase user responsiveness and overall usability. The performance
can be significantly increased by simply enabling this feature, sometimes in order of magnitude of
4000%.
Some edgePakcs, which also depend on the system database, may also benefit from a periodically
optimized database.
To enable this option, go to the Maintenance menu in the System section. A short overview is
provided with:
· current configuration and
· last database optimization execution date and time.
Use the Change Schedule... and Remove Schedule... buttons to edit or remove the configuration.
The Database Optimization can be done in several recurrence patterns, to know:
· Every Week: Performs Database Optimization on a weekly basis.
· Every two weeks: Performs Database Optimization on a biweekly basis.
· Every four weeks: Performs Database Optimization every four weeks.
For each previous recurrence pattern you should also set the
· day of week and
· time hour and minute
for running database optimization.

System 217
When to schedule optimizations ?
Database optimization may consume long periods of time (varying from a few minutes to some hours
- in very extreme situations). This depends on the factors as the load of the edgeBOX and the
amount of data being processed, but mostly on the 'how long ago was the last optimization done?' or
the 'was optimization ever done?'.
Please schedule your data optimization for a period of day when there is no (or low) load on your
box, or when no services are being used to minimize the impact on services. See an example...
A very simple example, is to set the edgeBOX database optimization tasks, weekly, every Saturday at
4:00am. This always depends on your service usage. Adapt the best solution for each case. Avoid
colisions with the Hotbackup replication hours and the Backupscheduled operations.
10.12 Services Control Panel

For your convenience, the System section includes a Services panel where you can review and
control - start / stop - the administrative operational status of edgeBOX's main user services. For all
services displayed:
· Name: the service's name, or common abbreviation;
· Description: the service's description;
· Status: whether they are running or not.
To change status of a service click the service and hit the Start (green) or Stop (red) button at
the top of the table. Note that, changes made here will be effective even after a reboot.
10.13 Hardware Monitor

Information of the velocity of edgeBOX's fans, the CPU speed and several status of the hard disk(s).
It is updated every 15 seconds. Hard disks information:
· Overall Health - Yes or No. It is determined by the monitoring software of the disc, based on
the values of the parameters that follow next.
· Temperature.
· Bad Sectors Count - Number of sectors which are unusable.

· Pending Sectors Count - Number of sectors waiting to be remapped to another part of the
disk.
· CRC Errors Count - Number of errors when writing to the disk.
· Total Up Time - Number of hours since the disk has been switched on.
You can receive e-mail notifications about changes detected in the Hardware Monitor; choose
the Hardware Status Changes type Notifications panel.
10.14 Diagnostic Tools

You can reach the Diagnostic Tools menu from the System section. It provides some basic
network and connectivity diagnostics:
Ping
Tests for network connectivity. Enter an IP Address or a FQDN and press the Ping button;
For additional options press +Show options...:
· Method:
· ICMP: adjust timeout and enter packet size in Bytes
· UDP: with this option selected the ping method will send a udp packet to the remote host's
echo port; adjust timeout and enter packet size in Bytes;
· TCP: adjust timeout and enter the TCP port to which to send the probes;
· SYN: adjust timeout and enter the TCP port to which to send the probes; if the "SYN"
protocol is specified, the ping method will only send a TCP SYN packet to the remote host
then immediately return. If the syn packet was sent successfully, it will return a true
value, otherwise it will return false.
· All: adjust timeout and enter the TCP port to which to send the probes; this produces a
Ping which will try each method sequentially (ICMP, UDP, TCP then SYN); If one of the
methods receives a reply (eg ICMP), the other methods will not be attempted; if no reply
is received after the timeout, the next method will be attempted until another timeout
elapses, and so on.; continues until either a successful reply is received or all methods
have timed out.

System 219
NSLookup
To diagnose DNS problems. Depending on your Lookup for selection:
· Host Names: allows you to determine the Name of a specified IP address; enter an IP
address, such as 212.23.34.45 and press the Lookup button;
· Domain Names: allows you do list DNS servers for a given domain; enter a domain name,
such as critical-links.com and press the Lookup button;
· Mail Servers: allows you to determine the mailservers for a specified domain; enter a
domain name, such as google.fr and press the Lookup button;
· IP Addresses: to determine the IP address for a specified domain name or FQDN; enter a
domain name, such as www.fsf.org and press the Lookup button;
· DNS Server: allows you to specify a DNS Server (by IP or name) which will be used to
resolve the IP address. If not set, the edgeBOX default name server is used for the lookup;
· Timeout: maximum time waiting for test results;
Traceroute
Find the route that network packets follow to reach a specified host or IP address. A reference for
how traceroute (tracert on Windows) works can be found at: Traceroute. Note: it may take more
than 10 seconds to complete the task.
Type the IP Address or FQDN in the box and press the Trace button.
· Method: ICMP or UDP; the type of packets used in the traceroute test;
· Timeout: maximum time waiting for test results on each router along the way.
10.15 Remote Management

Allows communication between edgeBOX and a Remote Management server. Such a server allows
the management of several edgeBOXes at the same time.
A short overview is shown with the current configurations. To alter these settings press the
Change... button and enter the values for:
· Remote Management Server - the IP address;

· Keep Alive - time interval, in minutes, used to separate the emission of 'keep alive packets'
to the Remote Management Server. The server will use this keep alive connection to warn
administrators of potential problems with the edgeBOX.

Reporting 221
11 Reporting
View and export reports about edgeBOX's System, Services and Users.
For each report you can specify a Time Interval. It can be a begin/end day, a single day or
hour, depending on the report you are seeing.
You can export the reports into a printable HTML page that you can print via a browser, or
into a CSV file, for automated processing.
11.1 System
Displays information regarding edgeBOX’s system usage:
· CPU
· Memory
· Load
· Disk Usage
· Interfaces
11.1.1 CPU
The CPU report shows edgeBOX's processor usage, in percentage, per type of process
(user’s and system processes) and cpu idle time.
You can drill down each line into each day to view the CPU usage just for the selected day.

11.1.2 Memory
This report shows used and free memory, in MB.
Drill down in each day to view the memory usage for that day only.

Reporting 223
11.1.3 Load
The Load report displays the load of the system through the number of active processes.
Load 1 min values indicate the average active processes in one minute. Load 5 min values indicate
the average active processes in 5 minutes. Load 15 min values indicate the average active processes
15 minutes.
Drill down into each day to view the load of the CPU for each day.

Values below 1 represent good CPU load, between 3 and 4 require you to monitor closely,
and values over 5 require you to take action because the CPU is overloaded.
11.1.4 Disk Usage

This report displays the hard disk usage, in percentage and in MB, per Storage.
Scroll down to view disk usage for both Storages. Drill down into each day to view usage for that day
only.

Reporting 225
· The System Storage partition saves the runtime system data information (database and
log information).
· The Home Storage partition is used to save the user account folders and the network
shared folders (Shares).
11.1.5 Interfaces
Shows the traffic received and sent by edgeBOX in the WAN, LAN and DMZ interfaces.
Drill down into each day to check the usage of the interface for that specific day. Scroll down to view
information for the LAN and, if you have one, DMZ interfaces.

11.2 Services
Displays reports showing information about the service usage.
· HTTP Access
· Web Server
· Firewall
· E-mail
· VoIP
· VPN
11.2.1 HTTP Access

The HTTP Accesses report displays information about HTTP accesses through edgeBOX. This
means, the total number of sites, accumulated traffic in Mega Bytes, page hits and users yielding
these accesses.
You can drill down into each line to see daily HTTP accesses and sites visited.

Reporting 227
Please note: this report will contain no information if the Proxy Cache service is stopped.
11.2.2 Web Server

The Web Server report shows accesses to edgeBOX's web server. It is where the Intranet and
Extranet websites and the users' personal webpages are storaged.
You can view the total number of visits to every page and the generated traffic, in Mega Bytes to
edgeBOX's web server.
It is possible to drill down into each day to check the accesses on that specific day.

11.2.3 Firewall
This report shows Firewall related information as dropped and rejected (sent back) network
packets grouped by day.
You can drill down each line to a specific time frame in order to identify actions applied to
unauthorized network traffic.

Reporting 229
11.2.4 E-mail
The E-mail report shows e-mail service related information in the Services perspective. This
is, you can only see how many sender and receiver e-mail domains (the @mail.com part of the e-
mail address) are processed for the sent and received e-mail.
You can also view the amount of e-mails processed and, how many of those where detected as
being infected with viruses by the Mail Scanner.
If you drill down in each line, you can identify singular e-mail exchange info such as the sender or the
receiver e-mail, if it was locally delivered to edgeBOX, the size of the message and if it was infected
with a virus.

11.2.5 VoIP
The VoIP report displays VoIP service usage. Calls are grouped into:
· Internal Calls - calls made between phones connected to edgeBOX.

· Outbound Calls - calls made to external phones.
· Inbound Calls - calls received from outside edgeBOX's network to internal phones connected to
the edgeBOX.

Reporting 231
The image above is a drilled-down detailed of the Internal Calls. The information available includes
the duration of the calls and number of calls made.
11.2.6 VPN
The VPN report gives information about the PPTP VPN tunnels in use in the edgeBOX; number
of users using the VPN service, the number of connections made, and accumulated duration of
connections per day.

11.3 Users
Services data correlated with user information:
· Accounting information
· HTTP Access
· E-mail
· VoIP
· VPN
11.3.1 General
The General report summarizes the activity of users.
Tou can view the inbound and outbound traffic in Mega Bytes, PPTP VPN tunnels and the total
duration of these tunnels, and external calls made and the duration of the calls.
The information is shown only in a tabular format; it is not possible to drill down inside each
line as in other reports.

Reporting 233
11.3.2 Accounting
The Accounting report shows network traffic and sessions made by the network users.
You can check the amount of downloads and uploads that are being processed for the
users in each network interface (WAN, LAN and DMZ).
You can drill down in each line of the table to view detailed information for each session of the
users.
If you are not using authentication, the user's IP Address is shown, instead of the username.

11.3.3 HTTP Access

The HTTP Accesses report displays information about HTTP website accesses made by the
network users. HTTPS website accesses are not showed.
The report details the total number of sites, accumulated download traffic in Mega Bytes and number
of page hits.
You can also drill down in each line of the table to see the sites visited for each user.
Please note: this report will contain no information if the Proxy Cache service is stopped.
11.3.4 E-mail
The E-mail report shows e-mail service related information for each e-mail address.
You can drill down in each line to view e-mail messages details for a particular e-mail account.

Reporting 235
11.3.5 VoIP
The VoIP report displays VoIP calls for each phone or user.
For all registered phones the Inbound, Outbound and Internal calls with their associated call duration
is displayed.
Drill down into each type of calls to view the calls made for that type.
If you select a user's calls yo ucan view calls to and from that user for the specified time period:

11.3.6 VPN
The VPN report gives a summary of the PPTP VPNs on edgeBOX. It shows the number of
connections and the total duration of the connections.

12 User Services and Applications

On the initial page, besides Login option, you will find the and Services and Applications options.
Initial Page - How do I get here ?
Point your browser to https://myedgebox.com, https://LAN-IP-Address:8011 , or, if from outside,

https://WAN-IP-Address:8011 .
Services
Following the Services link, you will enter the edgeBOX Services page (this option will only be
available for users in the internal network); these are browser based user-oriented, commonly
accessible edgeBOX features; on the left you'll find a list of accessible services:
· Temporary Shared Folders
Applications
In the Applications section you'll find links to the following applications (if installed and/or
configured). Follow the links bellow for details:
· Webmail
· Flash Operator Panel

12.1 Temporary Shared Folders

Safes are available only for LAN users and may be used when there's a need for a temporary space
for storage. Any user on your network can ask for a box to store files and access it as a normal
Windows share. To be able to use safes, the following conditions must be met:
· The Windows Server service must be running;

· Temporary Shared Folders must be active;
· The user must belong to Privilege with access to the Samba service.
Any LAN user can request a safe accessing the utilities page (http://<lan address>:8011 and
selecting the "Services" option). The following page will be displayed.
Follow the link "Public Folders". Currently available safes will be displayed, as well as the current
safes' configuration parameters. To create a new safe, select "Create a new safe".
Select the desired settings for your safe. Sizes available will always be less than or equal to the
maximum size configured, as well as the maximum time the safe will be available. To create the
safe, select "Create safe".

Safe creation window
If the safe was successfully created, credentials to access it will be displayed.
credentials to access the safe
Selecting "Public Folders" again will now display the safe just created.

Public safes list
To use the safe, access it like a normal windows share, entering the credentials supplied to
authenticate.

If you want to close the safe before its time expires, go to the Services > "Public Folders" menu and
follow the "Close this Folder" link next to the safe you want to close. You will need to supply the
password for the safe. If the operation completes successfully, the message "Folder closed" will be
displayed.
Note: When a Folder is closed (manually or after the timeout), the folder and contents are deleted.

12.2 Webmail
In the Initial Page of User Services and Application, select the Applications link and then Webmail
(if Webmail is not available, this is because it has not been configured to; see E-mail domains and
Webmail).
You will be presented with the following screen. Select your preferred language and login with your
edgeBOX username and password. Use the interface to send and read your e-mail.

12.3 Flash Operator Panel (FOP)

Flash Operator Panel (FOP) is a switchboard type application which is able to display information
about the PBX activity in real time.
Note that if there are more entries than can be shown on the screen, the additional entries can be
viewed by placing the mouse to the right of the screen, causing the screen to scroll to the right (and
vice-versa)
You are reminded that you need to allow the FOP service on the Firewall Panel, for access and the
Web Server must be running.
FOP allows you to view:
· Which extensions are busy, ringing or available

· Who is talking and to whom
· SIP and IAX registration status (Greys out if offline)
· MeetMe room status (number of participants)
· Queue status (number of users waiting)
· Parked channels
· Logged in Agents

FOP allows you to perform the following actions:
· Hang-up a channel
· Transfer a call leg via drag and drop
· Initiate calls via drag and drop
· Barge in on a call using drag and drop
· Drag and drop to create an agent
· Manage queues
· Park/Unpark calls
12.3.1 FOP Login

To Access the FOP Interface, enter the edgeBOX URL into your browser, which should present you
with the following Menu.
Select the Applications menu and you should be presented with the following:

(If Webmail is not present on the Menu, this is because you have not selected configured a Webmail
Domain; please refer to the E-mail Server and Webmail for configuration instructions)
When you select Flash operator, you will be presented with the following screen:
The default Security Code login is: root
To alter this password, enter username and Password as admin and root (respectively) and set a
new password.

12.3.2 Initiate a Call
To create a call, simply drag the phone icon for the user of interest to the phone icon of
the person you wish to call.
If, for example, you drag the npem phone icon to the jayme icon, npem's phone will ring.
If npem picks up the call, jayme's phone will ring and the call is established.
Once the call is established, both phones will change their green 'LED' to red and the extension
number of the caller will be shown, as well as the duration of the call.
You may force the termination of a call, by double clicking on the red LED.

Note: If a phone is not currently registered with edgeBOX (as thus cannot be rung), the icon will be
greyed out.
12.3.3 External Calls

A call which is from an outside line, tags the incoming route with the callers number and also tags
the person they have called, with their telephone number.
In the large panel below, the caller has rung alextalk via the BRI/1 2 connection (as they both have
the same tel number tag of the external caller).
Again, you may terminate a call by double clicking the red LED of the phone (or the line).

12.3.4 Transfer a call

To transfer a call, you simply drag the icon to the panel where you wish to place the call. Thus you
could drag a callers icon to a phone, or to a Queue, or park the call (etc).
12.3.5 Barging
Barging allows the operator to interfere with an active call. Thus if 2 users have established a call,
you could (although this is not generally recommended) drag a phone to one of the phones which is
already connected, to establish a new call (leaving one of the users with a disconnected call!).
12.3.6 Create an Agent

Assuming that you have configured a Queue, you can add phones to the Queue to act as Agents for
the Queue.
To add an Agent, simply drag the phone to the Queue (the phone LED will change from green to
yellow).
To delete the Agent, drag the phone to the queue again (the LED will change from yellow to green).

12.3.7 Queue Managment

Each Queue, consists of three panels, as shown below.
The top panel (Queue Support) shows the status of the queue (1 caller waiting for an Agent) and the
queue name (support)
The next two panels show the top two (longest in queue) clients in the queue.
To add a client to the queue, simply drag the ringing phone to the queue, or drag one of the phones
which has established a phone connection.
Note: You can reset a queue by double clicking on Queue's (top panel of the three) LED. If you do
this, all callers in the queue will be removed.
12.3.8 Park-Unpark Calls

To park a call, simply drag their phone, or their incoming line, to the Parked queue.

The phone/line will then show the their parked position.
You can then drag the parked phone icon to a phone (or elsewhere) to establish a call.
12.3.9 Conference Calls

To enter a conference, simply drag the phone icon (or line) to the conference icon, which will cause
the phone to ring.
The Conference will show the number of users of the conference.
12.3.10 Typical Caller Scenario

A typical scenario is as follows:
· A caller (A) rings and is routed to the operator (B). They request C's extension.
· The operator can see that C is not on a call and can drag the line icon to C's phone, or
· The operator can put the caller on hold (by dragging the incoming line to the park icon) and drag
the operator phone icon to C's icon to ring C and ask if they wish to take the call.
· The Operator can now either drag the icon from park to C's icon or drag the park icon to their
phone icon and explain that C cannot take the call.

Appendices 251
13 Appendices
13.1 Appendix A: Authentication

edgeBOX runs several services under which you have to provide credentials. There are a several
possible authentication scenarios and configurations.
In this appendix, edgeBOX's authentication architecture will be explained. It is important to
understand these concepts, as they will be needed if you want to deploy a remote authentication
scenario.
We will shown what happens when the "Require users to login" option is enabled. The complete
sequence of events will be reviewed and detailed. Finally, some remote configuration examples will
be shown.
13.1.1 Authentication architecture

Authentication (proving who you are) and authorisation (what you can do) are handled in a mixed
manner in edgeBOX. Considering first a local authentication scenario, upon user creation you need to
provide a password and define which services a user will be authorised to use.
Services available in edgeBOX are:
· Regular services, such as POP3, IMAP, FTP and Internet access for LAN users;
· Windows use (Samba Print and Filesharing);
· Allow authentication from wireless and wired 802.1x port based authentication devices on the
LAN;
· PPTP
· VoIP.
Internally, edgeBOX uses a RADIUS server, configured to use an LDAP backend.
13.1.2 Require users to login vs Privileges policies

Connections originating from the LAN to the Internet, to the DMZ network and to services running on
edgeBOX are granted by default. But you may choose to limit this access by enforcing an access
Privilege. This is done by activating the Authentication service - the Privilege policies will be enforced
at the Firewall level.
This is always the first level of access to be tested: when if users are required to login (LAN/VLAN

users), any connections are denied - they are in fact discarded by the firewall.
If an user wants to access the Internet, the following steps must be taken:
· The user accesses edgeBOX's authentication page or some website running on port 80 (which
causes a redirection to edgeBOX's authentication page);
· The user enters his credentials (username/password);
· If the credentials entered were valid, the user may or may not be granted access, depending
on his access Privilege.
From this moment on, and if this user's policy grants him access to the Internet, he will be able to
access any remote service. Furthermore, a pop-up window will be displayed, allowing him to log out.
This pop-up window must be kept open to keep the user authenticated. If this window is closed and
no network traffic is detected originating from this user's machine, the authentication will time out
and the user will have to re-authenticate in order to access the Internet. The timeout is set to five
minutes.
Privileges allow the following items to be configured:
· QoS classes assigned to WAN/DMZ connections;
· Access to the Internet: time interval and services;
· Access to edgeBOX's services: time interval and services;
· Access to the DMZ: time interval and services;
· Inter VLAN access.
· Access to IPSec VPNs.
· Access to PPTP VPN sessions.
As previously mentioned, the policies are handled at the firewall level. After an user authenticates,
appropriate firewall rules are loaded in order to enforce his Privilege profile. A user authenticating
from a PC in the LAN will in fact revert to an IP/MAC address pair, and each rule loaded will refer to
this pair. If the profile to which the user belongs to was granted access to the Internet, a firewall rule
will be loaded allowing all traffic originating from this host to the Internet.
If a Privilege contains an IP address (see the Devices section in Privileges), then firewall rules
reflecting this policy profile featuring this IP will automatically be loaded, making it a static entry.
That is, if a user uses a machine with an IP in a profile, they will be automatically authenticated by
the edgeBOX and will have the profile's privileges (rather than the users profile privileges).
A typical use of this feature is to automatically allow servers to access the Internet. Suppose you
have a Windows update server. By making its IP a member of a group with access to the Internet will
automatically enable access to the Internet for this server.

Appendices 253
13.1.3 Putting it all together

Suppose a user in the LAN tries to access the Internet or an edgeBOX service and the Authentication
service is running. The complete sequence of events is as follows:
· If the user tries to access edgeBOX's port 8010/8011, access is granted;

· Otherwise, if the user tries to access any website on port 80 or edgeBOX's authentication
page, the authentication page is displayed;
· Otherwise (any other application), access is denied by the firewall.
· After entering his credentials, edgeBOX's RADIUS server is queried. If a reject argument is
found, access is denied (authorization failed);
· Otherwise, LDAP is queried. if the password does not match, access is denied (authentication
failed);
· Otherwise, access is granted (authorization AND authentication succeeded);
· At this point, rules reflecting this user's Privilege policy are loaded into the firewall. The IP/
MAC address pair in these rules are the user's PC IP/MAC address pair.
· If the user has requested a web page and his policy allows, his browser will be redirected to
the web page requested and a small window will pop-up, containing a message indicating
success and a logout button. Otherwise, access will be denied.
· If the user closes the pop-up window and no network traffic is generated for 6 minutes, the
rules will be unloaded from the firewall and further connections denied. The user will have to
reauthenticate.
· Otherwise, the user will be granted access according to his Privilege.
13.1.4 Remote configuration

So far we have assumed edgeBOX handles both authentication and authorization using its local
RADIUS and ldap servers. However, these two functions can be delegated on remote servers,
allowing for a multitude of different configurations and scenarios.
Due to the concept of system-wide authentication, all services will be authenticated against the
scheme chosen, be it local or remote. There are some services however, namely PPTP and Wireless
that allow you to use another (RADIUS) server to perform authentication.
The following matrix displays the possible combinations for authentication/authorization schemes:
Authorisation Authentication
Local RADIUS Local LDAP
Local RADIUS Remote LDAP
Local RADIUS Remote AD
Local RADIUS Remote RADIUS
Remote RADIUS Remote RADIUS
Remote LDAP Remote LDAP

The first line matches edgeBOX's local configuration (all local). You can have a remote configuration
replicating this configuration, in which RADIUS performs authorisation, having a LDAP backend
performing authentication/authorisation.
Special remarks have to be made when you delegate authorisation/authentication on a remote LDAP
or RADIUS or Active Directory (without "import users" checked) server. As users are remote, they
are not known to edgeBOX before they make their first successful login. Before this happens no user
account is created locally and the same applies for edgeBOX's local RADIUS and LDAP servers
(edgeBOX always keeps a local copy).
When using Active Directory as a remote authentication scheme, you have the option to import the
users. In such a configuration, local accounts and entries will be created locally. This schema works
also in "fail-safe" mode, i.e., if the Active Directory server is not reachable at a certain point the
users will be authenticated locally.
If you are not using local authorisation, you will still be able to edit user's permissions. In this
scenario, after an user logins in for the first time, he will be placed in the "Generic" privilege, and will
be granted permission to access the services configured in the "Generic" privilege.
Bear in mind that although a remote scheme is used, you can still add local users before those users
make their first login. This can be useful if you want to set their service permissions beforehand
(when using local authorisation) or to set the group to which they will belong (by default they are
assigned to the generic group).
Depending on the scheme used, the way a user may perform his first login will vary. The next table
displays this information:
Authentication Sheme Used First Login

Local, AD (with user import) or
using any service: FTP, POP3, PPTP, WiFi or LAN
Remote LDAP
Remote RADIUS or AD (without
only using LAN authentication.
user import)
13.2 Appendix B: Connecting to Wireless

In this appendix, it will be shown how to configure a MS Windows client station to connect to
edgeBOX's wireless access point using 802.1x and WPA.
Not all wireless cards will support these security schemes - a firmware upgrade may be needed in
some cases. Some cards have their own managing software. In the examples that follow, only the
native MS Windows client was used. To be able to have MS Windows controlling your Wireless
connection, you must start the "Wireless Zero Configuration" service.

Appendices 255
Wireless configuration applet.

Notice that windows is being used to configure wireless
In the examples that follow, the following general configuration will be used by edgeBOX:
· SSID: valebox
· Channel: 1
· Hide Network: not active - this network will be visible for all wireless clients nearby; later you
can activate this if you wish;
· Allow only specific devices to use the wireless network: not active - no Hardware
Address based filtering will occur; later you can configure it.

13.2.1 802.1x
The following picture illustrates the configuration used by edgeBOX for 802.1x authentication and
accounting.
On MS Windows, double-click the "Wireless Network Connection" icon and select the "Wireless
Networks" tab. Make sure the SSID entered is consistent with that defined on edgeBOX (valebox on
our example). Choose "WPA" for "Network Authentication" and "AES" for "Data Encryption". Select
then the "Authentication" tab.

Appendices 257
Wireless Networks
Wireless Network Connection
On the Authentication tab, select "Protected EAP (PEAP)" as the "EAP type". Press the "Properties"
button. On the dialog window that pops-up, uncheck the "Validate server certificate" checkbox, and
select "Secure password" as the Authentication Method. Press the "Configure" button.
Authentication
Protected EAP Properties
On the dialog window that pops-up, uncheck the "Automatically use my Windows..." checkbox. Press
"OK" on all dialogs to confirm this configuration.

If the configuration succeeds, you should see a balloon warning you to enter credentials to connect to
the wireless network. Clicking on the balloon will display a prompt requiring you to enter the
username and password for a user authorised to connect to the Wireless network.
If the connection was successful, its status will appear as "Connected".
13.2.2 WPA
If edgeBOX was configured to use WPA as the security scheme, the following settings must be
configured on the client:
· Network Authentication: WPA-PSK

· Data Encryption: AES.
Additionally, the network key to be used must also be supplied. Remember that if you choose to use

Appendices 259
a preshared key, it must be 64 hexadecimal characters long, if less than 64 characters, it may be
ascii or hex. If this connection is configured to be established manually, when you try to connect to it
a dialog window will be shown, asking you to supply the network key.
You may obtain an automatically generate key from the website https://www.grc.com/passwords.
htm.
Wireless Configuration
Network key dialog

13.3 Appendix C: Windows Integration

This appendix will shown you how to use some of edgeBOX's Windows Server features, namely, how
to:
· Add a Windows computer to edgeBOX's Domain
· Map an edgeBOX Shared Folder on Windows
Remember that users can olny access these features if they belong to a Privilege for which the
Samba service is accessible.
13.3.1 Adding a Windows Host to edgeBOX Domain

This section details the process of adding a windows host to the edgeBOX Windows Domain - this
assumes edgeBOX is running the Windows Server and acting as a Primary Domain Controller. Please
make sure to catch all the details in the Windows Server section. The windows host will be added to
the Domian provided by edgeBOX.
To add a windows host to edgeBOX's Windows Domain, select "System" under the Windows Control
Panel, and then select the "Computer Name" tab. Select the "Change" button. In the dialog window
that pops-up, select the "Domain" option and enter your domain name (in our example it was
"mydomain").
After you select "OK" to confirm the domain change, you will be required to supply credentials of a
user belonging to the domain administrator's group. In edgeBOX, you have to specifically supply the
username "Administrator", which has the same password as the admin user (defaults to root).
join domain dialog

Appendices 261
change domain dialog
If the operations was successful, the following dialog will be displayed.
After rebooting the machine, log on to edgeBOX's domain (it should be available on the domains'
list). The user's home directory will be mounted as Z:. In the picture bellow the user's directory
content is shown, where the public_html directory can be accessed. This is the directory where the
user's personal web page will be located. The other directory shown (profile) is where the roaming
profile data will be stored, so the user will retain her desktop definitions after logging off.
13.3.2 Mapping a Shared Folder on Windows
To map an edgeBOX shared folder on a virtual Drive
1. Go to My Computer.
2. Select the Tools menu and the Map Network Drive option.

3. Select the character you to use for the drive.

4. Type the IP address of edgeBOX, followed by the name of the shared folder. For example: \
\192.168.90.254\rui.
Windows does not allow you to mount shares with different username/passwords. It's
possible to disconnect from a share using the command "net use * /delete". This will release
all connections to shares.
It's "net use" which will display which are the active shares and then "net use <share> /
delete", which will disconnect that particular share.possible to specify which share to release,
via the command
13.4 Appendix D: VLAN based Infrastructure

With the introduction of VLANs in the edgeBOX architecture the type of scenarios where an edgeBOX
can be deployed has been significantly increased. From a basic network infrastructure with generic
802.1Q Switches to full port based authentication devices with dynamic VLAN assignment, a broad
range of scenarios are possible.
Some of the supported features depend on the type of Switch or Wireless AP used for deployment.
· For basic VLAN scenarios any 802.1Q switch will work. For advanced features like port based
authentication, dynamic vlan assignment, 802.1x with single sign on or automatic guest VLAN
more advanced switches will be needed.
· For switches with L3 features it is important to disable inter vlan routing on the switch. Inter
vlan routing is done in the edgeBOX with access profile enforcement.

Appendices 263
Type of Authenticators supported:
· Procurve 2650 Series - 802.1Q, 802.1x SSO and Dynamic VLAN assignment
· Procurve 420 Wireless AP (Firmware 2.2.2 or later) - Support for 802.1Q, 802.1X,
Dynamic VLAN assignment
· D-Link DES-1252 - 802.1Q, 802.1x SSO, manual session timeout configuration
· D-Link DES-1228 - 802.1Q, 802.1x SSO, manual session timeout configuration
· SMC Tigerswitch 6726 AL2 - 802.1Q
· Generic L2 switch with 802.1Q VLAN - 802.1Q VLAN only
· Generic L2 switch with 802.1Q VLAN and 802.1x - 802.1Q VLAN + 802.1x Port based
authentication. No single sign on available.
· Generic Wireless AP with 802.1x - 802.1x Authentication only. No single sign on available.
Type of 802.1x supplicants tested (PEAP-EAP-MSCHAPv2):
· Windows XP SP2
· MacOS X
· Windows Vista
· Windows Vista SP1
Please find below four possible VLAN deployment scenarios. You might wish to read them in order to
get a better grasp of the concepts or to adapt them to your own needs:
· VLAN Scenario 1
· Standard 802.1q compatible switch
· No 802.1x port based authentication
· No Dynamic VLAN assignment
· No native Guest VLAN on switch
· VLAN Scenario 2
· Standard 802.1q compatible switch with 802.1x
· Support for 802.1x port based authentication
· VLAN Scenario 3
· 802.1q compatible switch with 802.1x and dynamic VLAN assignment
· Support for Dynamic VLAN assignment – (HP Procurve switch)

· VLAN Scenario 4
· Native Guest VLAN on switch – (HP Procurve switch)
13.4.1 VLAN Scenario 1

Characteristics of this scenario:
· Standard 802.1q compatible switch

· No 802.1x port based authentication
This is the most basic scenario when deploying VLANs with edgeBOX. In this case the LAN port of the
edgeBOX is connected to a trunk port in the switch. The port on the switch must be configured as
802.1q trunk, allowing all configured VLANs to pass through the link.

Appendices 265
1 - When using VLANs, the LAN zone is the same as VLAN 1 (id 1). In most cases the VLAN 1 is the
default VLAN on a new installed switch, and this means all ports are by default configured as being
part of that VLAN.
2 - By default, all traffic between VLAN zones is blocked. This means the edgeBOX firewall does not
allow routing of traffic between VLANs unless the administrator configures it with different type of
access rules.
3 - Access Rules between VLAN segments can be configured per access profile in the VLAN tab.
4 - The only type of user authentication available is Web Login. When a user authenticates
successfully, the firewall enforces the configured User Access Profile rules for WAN, DMZ and access
to other VLAN segments. If the user is not able to authenticate with success, then all traffic to and
from this user will be filtered with the default rules for non-authenticated users.

· Standard 802.1q compatible switch with 802.1x


This is basically the same as Scenario 1. The only addition is that we have some or all ports on the
switch configured for 802.1x port based authentication.
To enable support for 802.1x port based authentication we need to configure the switch to use the
edgeBOX as the RADIUS server for authentication and enable the ports where we want this enforced.
On the edgeBOX this 802.1x based switch, the RADIUS client, needs to be authorized, and this is
done in System->RADIUS->Add.
The edgeBOX supports protocol PEAP-EAP-MSCHAPv2. Both Windows XP and Vista include
supplicants with native support for this authentication type.
In this scenario, for a client PC connected to one of the switch ports configured with 802.1x, the
switch detects the presence of a client and initiates the 802.1x protocol. The authentication request,
made by the Client PC supplicant, will be forwarded by the switch to the configured RADIUS server
for authentication. If the authentication is successful the switch will open the respective port and the
client will be part of the static VLAN configured on that Port. At this point the client will get an IP
address if configured with dhcp and the edgeBOX DHCP server is enabled.
If the authentication is not successful then the port will be closed and the user will not get access to
the network.
The main advantage of using 802.1x is that the user will not be able to access the network until he is
able to get a successful authentication.
Support for Single Sign On (SSO)

Scenarios based on 802.1x include support for automatic user login. The only requirement is that a

Appendices 267
supported 802.1x switch is used to deploy those scenarios. A supported switch includes the calling
station MAC address in the RADIUS Access Request packet and is able to process session timeout. In
case the 802.1x switch does not support the calling station attribute, the port based authentication is
still done but the user will need to do a normal weblogin when accessing the Internet or services
running on the gateway.


This is scenario 3 with a switch that supports VLAN dynamic assignment. In this case, after a
successful authentication, the switch moves the associated port to the VLAN configured for that user
access profile. Without a successful authentication the port will be closed and the user wont be able
to access the network.
During 802.1x authentication and on success, the RADIUS server sends additional attributes to the
802.1x authenticator in the switch with information regarding the VLAN id for that particular user.
The edgeBOX supports assignment of a VLAN per access profile.
The following is needed to deploy this feature:

1. The network infrastructure must be setup with Procurve 2650 or compatible switches in terms
of RADIUS dynamic Vlan assignment. The HP Procurve follows RFC2868 / 3580 with with
Tunnel-Private-Group-ID of type string.
2. Configure the RADIUS client as referred in Scenario 2, select the correct client type and
enable Dynamic VLAN assignment.
3. Configure the User Access Profiles with the correct VLANs. See NAC->Access profiles-
>”Profile”->VLAN->VLAN Name.
The advantage of this scenario is the fact that we can effectively do network access control by port
and at same time we are able to put the user in the correct VLAN even if he does a login outside of is
main work space.


· Native Guest VLAN on switch – (HP Procurve switch)

Appendices 269
This is scenario 4 with a switch that supports guest VLAN when operating with 802.1x and VLAN
dynamic assignment. This is similar with scenario 3 and the only difference is when the 802.1x user
is not able to authenticate. At this point the switch automatically configures the port to another VLAN
– the Unauthorized-Client VLAN. The unauthorized-client VLAN can be configured using the 802.1x
Open VLAN mode in the Procurve 2650.
As soon as the switch assigns the unauthorized-client VLAN to that port, the connected host is able to
get an IP through DHCP. If the edgeBOX authentication is enabled, the user will be presented with
the edgeBOX web login page when trying to access the Internet.
A practical example:
· Switch ports 4 and 5 are setup for 802.1x with Unauthorized-Client VLAN assigned to VLAN6.
These ports are located in a meeting Room.
· User01 is a member of the engineering profile, configured for VLAN3 (see #3 in scenario 3).
· User01 has his laptop ethernet connection setup for 802.1x authentication.
· Engineering profile has access to Internet, LAN and a few servers located in VLAN2.
· Guest01 is a member of the guest profile.
· Guest01 is a guest user with just a regular dhcp configuration on his laptop.
· Guest profile is configured to have open access to the Internet only. Users in this profile are
not able to access any of the other VLANs or LAN.
· When User01 connects to port 4, a successful 802.1x authentication takes place and the switch
port is automatically configured for VLAN3. User01 is able to work on his own VLAN and access
any other places allowed by his Engineering access profile.
· When Guest01 connects to port 5, the switch is not able to start a 802.1x authentication and
automatically opens the port on VLAN6. At this point he is able to get an IP address through
dhcp and when trying to access the Internet he will be presented with the authentication page.
With a successful web login authentication, the edgeBOX enforces the guest profile for this
user and he is able to access the Internet but nothing else.
· Any other user that tries to connect to one of these ports, without a successful authentication,
will be isolated in VLAN6.
13.5 Appendix E: Factory Reset

The factory reset option is only available through the CLI (Command Line Interface). Use the "system
factory" command to initiate a factory reset.
IMPORTANT: be aware that this option erases all configuration, user data and software
updates since the first time the edgeBOX was installed.
In the end the system will reboot and the hard disks will be re-imaged with the original first install
contents.

13.6 Appendix F: edgeBOX Network Services

edgeBOX Network Services list
In several configuration situations - such as the Firewall or user Privileges - you'll be presented with
or even need to select entries from edgeBOX network services list:
· Billing - Calls cost information
· CTI - Phone and Computer Integration
· DNS - Domain and IP Address translation
· edgeDESKTOP - edgeDESKTOP interface
· eMI - Remote Management Interface
· FlashOperator - Phones Swicthboard
· FTP - File Transfers
· HTTP - Web Server
· IMAP4 - E-mail retrieving
· LDAP - Authentication and Accounting
· Monit - Network services monitoring
· Munin - Network services monitoring
· Nagios - Network services monitoring
· NTP - Date and Time Synchronization
· POP3 - E-mail retrieving
· RADIUS - Authentication and Accounting
· Samba - Windows Domain and File Sharing
· SNMP - Network devices monitoring
· SSH - Secure Shell
· TFTP - Simple File transfers
· VoIP - VoIP Telephony

Appendices 271
13.7 Appendix G: Usernames and Passwords

The choice of Usernames and Passwords is a relevant topic when configuring edgeBOX.
General Topics
Change the password once in a while. Don't use simple passwords.
Use passwords with at least 10 characters, with letters, numbers and special characters like '_', '+'.
The characters right above the numbers in your keyboard are all good candidates too.
If you don't trust your memory, write your password down on a paper and store it at home, away
from your usual work place.
See more specific details bellow.
For regular users:
· Username:
· Size: from 3 to 64
· Characters ("^[a-z][a-z0-9-_.]{1,62}[a-z0-9]$")
· must start with a low case letter "a-z"
· the midle characters may additionally contain digits ("0-9"), "-", "_" and "."
· up to 62 additional lower case letters and/or digits can be used ("[a-z0-9]{1,62}")
· Password:
· Characters ("[a-zA-Z0-9!"#%&'()*+,-./:;<=>?@[]_`{|}]{1,127}"):
· lower ("a-z") and upper ("A-Z") case letters, digits ("0-9") and any of ! " # % &
' ( ) * +, - . / : ; < = > ? @ [ ] _ ` { | }
Specifically for the admin user:
· Username: you can not change the administration username in edgeBOX; it's always admin
· Password:

· Characters ("[a-zA-Z0-9!"#%&'()*+,-./:;<=>?@[]_`{|}]{1,127}")
· lower ("a-z") and upper ("A-Z") case letters, digits ("0-9") and any of ! " # % &
' ( ) * +, - . / : ; < = > ? @ [ ] _ ` { | }
Specifically for phones:
· Number:
· Size: 1 to 20
· Characters: only digits ("0-9"); one single leading '+' if needed;
· Name and Password:
· Characters ("[a-z0-9_-"): lower case letters, digits and '_' and '-'

Edge Box User Manual 50

Diunggah oleh

Informasi Dokumen

Deskripsi Asli:

Hak Cipta

Format Tersedia

Bagikan dokumen Ini

Bagikan atau Tanam Dokumen

Opsi Berbagi

Apakah menurut Anda dokumen ini bermanfaat?

Apakah konten ini tidak pantas?

Hak Cipta:

Format Tersedia

Edge Box User Manual 50

Diunggah oleh

Hak Cipta:

Format Tersedia

Dramatically simplifying voice and data networking

USER MANUAL V5.0

End User License Agreement

Critical Links, Inc

695 Route 46 West

Critical Links, Inc.

Critical Links, Inc.

8. IP-PBX and VoIP 105

Critical Links, Inc.

Twinning ......................................................................................................................................................... 151

10. System 196

Critical Links, Inc.

11. Reporting 221

12. User Services and Applications 237

Critical Links, Inc.

FOP Login......................................................................................................................................................... 244

13. Appendices 251

Critical Links, Inc.

Specifically, it provides IP-PBX and VoIP, comprehensive Networking, Quality of Service

While all this is commonly delivered using up to 8 different independent products/devices,

Introducing the award-winning edgeBOX

edgeBOX's main features

Unpack and install edgeBOX to the network

Connecting to edgeBOX's web interface

Understanding edgeBOX's web interface

Connecting to edgeBOX's console

Working with edgeBOX LCD panel

License, Hardware and Software

Critical Links, Inc.

1.1 Introducing the award-winning edgeBOX

1. Dramatically simplifies the SMB voice and data infrastructure

· It replaces up to 8 independent products/devices with 1 device

2. Increases Productivity and Convenience at the SMB

· Provides the broadest range of voice, data and IT capability

3. Reduces initial investment & recurring operational expenses over 60%

· Initial cost reduced to less than a third of a multi-device solution

4. Environmentally (and economically) friendly

· Much smaller carbon footprint lower power/space consumption

Critical Links, Inc.

More information on the edgeBOX:

Critical Links, Inc.

1.2 edgeBOX's main features

Critical Links, Inc.

1.3 Unpack and setup edgeBOX

1. Introduce you to all the edgeBOX components,

Critical Links, Inc.

1.4 Connecting to edgeBOX's web interface

· directly to edgeBOX's LAN interface, or

· to a hub or a switch connected to edgeBOX's LAN interface.

Then, from the computer:

1. With a browser, open the webpage https://myedgebox.com or https://192.168.100.254:8011;

2. After the page opens, click the Login link;

Critical Links, Inc.

edgeBOX initial page

Critical Links, Inc.

edgeBOX webadmin initial page: the Dashboard

At this point you might want to:

· jump to the Initial Configuration section to get a an initial roadmap.

1.5 Understanding edgeBOX's web interface

Critical Links, Inc.

Service Status and Service Start/Stop

Critical Links, Inc.

New - Edit - Delete