Product specifications in this manual are nominal and are provided for the convenience of our customers. They
are all correct at the date of publication. Critical Links reserves the right to make product changes from time to
time, without prior notification, which may change certain specifications or characteristics shown. We therefore
recommend that you check for changes or updates before using them for customer projects or further product
developments.
No material will be accepted for return unless Critical Links grants permission in writing.
The handling, installation and use of the edgeBOX apply to certain environments and may be subject to
code-compliance requirements. Features of the device will not provide protection against abuse, misuse, improper
installation or maintenance. It is important that installation, operation and maintenance are performed in
accordance with the instructions supplied in this manual. Electricity and electrical devices must always be treated
with caution and respect.
Product Support
The edgeBOX software is distributed according to the End User License Agreement (EULA) included at the end of
this User Guide. By using the software you agree to be bound by this EULA. If you do not agree to the terms and
limitations of the EULA you should not use the software.
Phone: 973.276.9006
Support Hotline: +1 888 433 4326
Website: www.critical-links.com
Email: support@critical-links.com
Table of Contents
1. About edgeBOX ... 10
1.1. Introducing the award-winning edgeBOX ... 11
1.2. edgeBOX's main features ... 12
1.3. Unpack and setup edgeBOX ... 13
1.4. Connecting to edgeBOX's web interface ... 14
1.5. Understanding edgeBOX's web interface ... 16
1.6. Connecting to edgeBOX's console ... 19
1.7. Working with edgeBOX's LCD panel ... 20
1.8. License, Hardware and Software ... 21
2. Initial Configuration ... 22
3. Dashboard ... 26
4. Network ... 29
4.1. Configure the internet connection (WAN interface) ... 30
    through another device such as a cable modem or a router ... 30
    through a DSL/PPPoE connection ... 31
4.2. Change the local network properties (LAN) ... 32
4.3. Change the DMZ settings ... 33
4.4. View and manage VLANs ... 34
4.5. Interfaces Physical and Logical Status ... 35
4.6. Monitor connections through edgeBOX ... 36
4.7. Change edgeBOX's hostname and network domain ... 37
4.8. View the system routes ... 38
4.9. Manage static routes ... 39
4.10. Wireless ... 40
    Configure and turn on the wireless network ... 41
    Indicate the type of authentication ... 43
    Make the wireless network more secure ... 46
    Make the wireless network public ... 47
4.11. Managing the DNS server ... 47
    Adding or Editing DNS domains ... 48
        How to add a Master domain ... 48
        How to add a Slave domain ... 50
        How to add a Forwarder domain ... 51
    Changing global DNS Settings ... 51
    Managing DNS ACLs ... 52
    Managing hosts on an existing domain ... 53
4.12. Use Dynamic DNS ... 54
4.13. Using the DHCP service ... 55
    Assign IP addresses using Ranges ... 56
    Assign IP addresses using MAC-IP rules ... 57
    Configure DHCP advanced settings ... 58
    DHCP Leases ... 59
4.14. Manage the Webcache size and sites ... 59
4.15. Using NAT and Port Forwarding ... 60
4.16. Using QoS ... 61
    QoS Upload configuration ... 63
    QoS Download configurations ... 64
    Service Classification ... 64
    Internet and DMZ QoS statistics ... 65
5. VPN ... 67
5.1. IPSec ... 67
    General ... 69
        Advanced ... 70
5.2. PPTP ... 71
    PPTP Properties ... 72
5.3. L2TP ... 73
6. Security ... 75
6.1. Firewall ... 75
    Securing the Internet and DMZ links ... 76
    Securing Internal Connections ... 76
    Using Advanced Firewall Rules ... 77
6.2. Setting up a DMZ ... 79
6.3. Enabling NAT for the private networks ... 80
6.4. Using Port Forwarding ... 80
6.5. Website Access Restrictions ... 81
    Domains ... 82
    Words in URL ... 83
6.6. Install and Manage Anti Virus Engines ... 83
6.7. Scanning Shared Folders for viruses ... 83
6.8. Scanning E-Mail for Viruses ... 84
    Messages ... 85
    Actions ... 86
    Quarantine ... 86
6.9. Scanning E-Mail for SPAM ... 87
7. Office Servers ... 89
7.1. Manage your web sites and intranets ... 89
    Setting up multiple websites ... 90
7.2. E-mail Server and Webmail ... 92
    E-mail Queue ... 92
    E-mail domains and Webmail ... 93
    Aliases and Mailing Lists ... 93
    Settings and Permissions ... 94
        SMTP Access Control ... 96
7.3. Windows Server ... 97
7.4. Windows Shared Folders ... 99
    Shares ... 100
        Setup Share Permissions ... 102
    Temporary Shared Folders ... 103
7.5. Windows Shared Printers ... 103
9. Users ... 174
9.1. Authentication ... 174
    Managing network users ... 175
        Importing and Exporting Users ... 177
        Default Quota ... 179
    Activating Authentication ... 179
    Using remote authentication ... 181
        Using a remote RADIUS Server ... 181
        Using a remote LDAP Server ... 182
        Using a remote AD Server ... 183
    Customize the user login web page ... 184
9.2. Privileges ... 186
    Fine tuning Internet and DMZ access ... 189
    Access to other VLANs ... 190
9.3. Groups ... 191
9.4. Delegate a Local Administrator ... 191
9.5. View currently Connected Users ... 194
9.6. Configure authorized RADIUS clients ... 194
10.2. Administration ... 198
10.3. Managing Software Updates ... 199
10.4. Backup & Restore ... 201
    Immediate Backup ... 202
    Scheduled Backups ... 203
10.5. Using HotBackup for redundancy ... 205
    Managing software updates in a Hotbackup scenario ... 208
10.6. Notifications ... 210
10.7. Managing and Diagnosing RAID ... 211
    Disk Notifications ... 212
    Replacing a faulty disk ... 212
10.8. Reading and Managing System Logs ... 213
10.9. RADIUS Accounting ... 214
10.10. SNMP ... 215
10.11. Maintenance ... 216
10.12. Services Control Panel ... 217
10.13. Hardware Monitor ... 217
10.14. Diagnostic Tools ... 218
10.15. Remote Management ... 219
1 About edgeBOX
Critical Links’ edgeBOX is a network appliance that consolidates the voice, data and IT
functions at a Small and Medium Business (SMB) into one single appliance.
The edgeBOX comes with a wide range of interfaces to connect to the Internet and the PSTN (such
as FXO/FXS, Ethernet, ISDN PRI/BRI, T-1/E-1 etc).
Every edgeBOX has an intuitive GUI that allows the user to access the box and configure the various
functions very easily. NOTE: The box already comes with a set of default configurations that will
allow most customers to just literally power on the box and begin to use it; it also provides a
customer the ability to customize the settings to support their environment.
The edgeBOX:
The edgeBOX eliminates the traditionally painful trade-off between features, complexity and cost at an
SMB. SMBs have had to incur a high degree of complexity (due to the many devices and vendors
that need to be managed) and the attendant cost (due to expensive IT support) to get much needed
voice and data features. Now with the edgeBOX a customer can get a broad range of voice, data
and IT services for a fraction of existing costs. The edgeBOX is changing the rules of the game for
the SMB. SMBs can now focus on their core competence instead of worrying about the cost and
complexity of managing their networking.
The edgeBOX, by integrating the voice, data and IT features, in one appliance and managed by a
simple GUI dramatically reduces the complexity and brings down the costs. The edgeBOX, based on
open source standards, also ensures a best-of-breed solution that is competitively superior in terms
of both feature richness and cost.
A remote-based management system also enables remote provisioning, monitoring and management of
several edgeBOX appliances, further simplifying maintenance and reducing its cost.
The edgeBOX incorporates a set of functional capabilities that are necessary when provisioning voice
and data services at an SMB. If a VoIP service is to be provisioned, for example, in addition to
configuring the IP-PBX, the Quality of Service (QoS), Firewall, Router tables, e-mail server, etc. usually
also have to be configured. All this can be done right in the edgeBOX appliance from a GUI and
without having to worry about the peculiarities of different devices, interoperability, and making all of
them work together. This not only reduces the upfront cost but also speeds up service turn-up.
The edgeBOX comes provisioned with a default configuration for the router/switch settings and also
for commonly used SIP phones, further enhancing the user experience.
The number of features available on the edgeBOX is unmatched competitively and it provides more
voice and data services than most SMBs would currently require. In addition, value-added application
packages called edgePACKs are also available for specific vertical segments; these further augment
the networking services in the edgeBOX with application-oriented capabilities. Current edgePACKs
include the Learning Management System (for academia), Content Management System (for
managing website content), and edgeExchange (for e-mail, calendar and content sharing).
· DHCP server on the Intranet side with optional automatic name range generation;
· A web server on both the Internet and Intranet side, with optional home pages for every
user of the network;
· DNS Server, either for a local private domain or as a master name server on the Internet;
· Internet E-Mail Server with anti-spam control.
· Support for SMTP Relay for Road Warriors;
· Full access control over the internal network services and the Internet access;
· 802.1x Port based authentication with Single Sign On;
· User based access control to manage accesses to the network resources;
· Group based access control for third-party applications integrated with edgeBOX;
· VLAN aware router. Supports 802.1Q and Inter-VLAN access policies;
· See who is on your network and from what IP address;
· User time and traffic based accounting. Supports optional RADIUS session servers;
· Supports Local User Authentication or Remote User Authentication using a RADIUS
Server, LDAP Server or using Active Directory;
· Backup and Restore of edgeBOX's configuration and of users' data;
· System updates from a remote server.
· Dynamic DNS. Supports DynDNS or No-IP;
· Optional Wireless Network with edgeBOX's access point;
· IMAP and POP3 Servers. Integrated e-mail access using the internal web server;
· VPN tunnels based on the IPSec standard or the PPTP protocol;
· Traffic control for inbound and outbound traffic. Possibility of reserving bandwidth for
important users in your company or for high priority traffic types, such as voice traffic;
· Support for a dynamic Intranet with content management capabilities;
· VoIP Features, including support for line fail over, Interactive Services, Call Rules, Sound
Manager, Conference calls, Hunt Groups, Phone Auto Configuration, etc.
· Fax2Mail and Mail2Fax.
You can perform the initial configuration from a computer connected either:
The LAN interface is initially configured with the IP address 192.168.100.254 and DHCP is
active. This way, to connect your computer to the edgeBOX:
· Configure it to automatically obtain its local network IP address from the edgeBOX using
DHCP (recommended);
· Or configure it with a static IP address: the IP address used must lie in the
192.168.100.0/24 range (ex. 192.168.100.50); use 255.255.255.0 for Subnet-Mask; use
192.168.100.254 for Default Gateway; also 192.168.100.254 for Nameserver.
3. Use admin for username and root for password to login (this is the default password; for
security reasons you should change it); hit the Login button.
The edgeBOX web interface will then start loading; please note that it might take a few moments and you
may have to accept one or more warning messages due to the Java Platform. To use the edgeBOX
web interface you'll need the Java Plug-in installed: Java Runtime Environment version 6.
When loading completes you will see the Dashboard page with a quick overview of some relevant
edgeBOX variables and its global status.
At the top you'll also find links to the Network, VPN, Security, Office Servers, IP-PBX, Users,
System and Reporting sections and menus. Feel free to click the links and navigate the interface.
This will help you get familiar with edgeBOX.
That's it. Congratulations. When you see the Dashboard you are successfully connected to edgeBOX's
web administration interface, ready to start configuring it.
· have a look at the Understanding edgeBOX's web interface page of this manual, or
This helps to improve the user's experience while maintaining overall coherence among similar
operations and concepts across distinct panels and dialogs. This page introduces those
common concepts and resources and explains their global meaning and usage scenarios.
The following image displays most of these features and will be used as a starting point for further
explanations below:
Navigation
The interface is divided into Sections. Sections are subdivided into Menus. Navigation is a two-step
interaction: choose the Section you want from the sections bar [1] at the top and, once that section
loads, select the configuration Menu from the menus list [2] at the left. Once there you get a
summary overview with current configurations and the most relevant status variables concerning the
topic involved.
Related Topics
In each Menu you'll find context specific links to other related configuration menus in the Related
Topics corner [3]. If you click the links you'll get immediate access to those configurations in a new
popup window. Then, you can make any quick changes you need and get back to your starting point.
This gives you an alternate and useful navigation path.
The Service Status Bar [4] shows you the current operational status of the corresponding
edgeBOX service: green indicates that the service is active, gray is used for services
that are not running, and red is used for error situations.
On the left, an informative text message is displayed accordingly. At the right end, the Service Status
Bar gives you control over the service by means of the Start Service and Stop Service options. By
clicking them you actually instruct edgeBOX to change the administrative status of the service.
All over the interface these three operations [5] are used in innumerable situations. New lets you
create new entries, Edit allows you to change an existing entry and Delete lets you remove
configurations.
While configuring edgeBOX you'll enter data into several dialogs. In several situations the sequence
of popups that need your input may even become a bit more complex. If you feel lost, or if you're in
doubt, please keep in mind:
· none of the changes you make are actually applied to edgeBOX until you press Save; this also
means that, in order to apply your changes to edgeBOX, you need to press Save at some
point;
· in any situation, if you press Cancel the dialog is immediately aborted and no changes are
propagated to edgeBOX; when in doubt, press Cancel.
Please note: these are global principles that should hold true in the great majority of the
situations you might find.
Glass Pane: in order to keep your interaction with edgeBOX even safer, during the configuration
sequences between the administration interface and edgeBOX itself - usually when you press
Save, but also in other situations - the interface is covered with a Glass Pane that prevents
you from pressing any buttons or interacting with the interface; it's a way to say: "Please wait,
we are busy". Depending on the complexity of the operations being executed you may need to
wait a little bit.
Some of the lists presented may grow a lot as you add new entries. For faster search, those lists
include a filtering option [6] that lets you quickly search for specific entries. In the example image
above we are trying to search for a user called Alves. By entering the alv sequence our search is
considerably narrowed and it's now easy to find the person we are searching for.
Usually located at the top-right corner you will find the Help icon [7]. Clicking it will open a new
browser window directly into the correct page of this manual.
Status Bar
Located in the lower-left corner, the Status Bar [8] shows you when the interface is busy interacting
with edgeBOX. If the operation is successful a green V sign will be displayed. If edgeBOX encounters
some error then a red X will be shown.
Now that you have a global understanding of the interface you can jump to the Initial Configuration
section to get a roadmap.
· keyboard/VGA: connect a keyboard to the PS2 port or any of the USB ports located on the
rear panel; connect a monitor to the VGA port located in the rear panel;
· Serial Port: connect a null-modem serial cable (also known as a serial cross-over cable; the Rx and Tx
wires are "crossed") to the serial port in the rear panel and the other end to your
laptop's serial port; use no hardware or software flow control, 38400N8 (38400 bit/s, no parity
bit, 8 data bits); on Windows you can use HyperTerminal; on Linux you can use minicom;
· SSH: you need to have SSH service active on your Firewall; if you have the Authentication
service running, the Privilege you are assigned to needs to have access to SSH; from the
internal network you can use the address myedgebox.com or the LAN interface IP Address; on
Windows you can use putty; on Linux open a terminal and use the ssh command (ex: ssh
admin@myedgebox.com);
The screen should display a prompt requesting a login/password to be entered. Enter the usual
admin username and its password (root if not changed).
At the eOS> prompt type help to get a list of available options; enter help <SOMETHING> to get
specific help on <SOMETHING>;
ex: help service shows you a usage summary of all commands starting with service;
service status will show you a list of services and their current and administrative operational
status;
Use the command line only if you are an advanced user. Using it incorrectly may
compromise edgeBOX's correct functioning or even stop it from working completely.
To see information about the network on the LCD panel, press the Up or Down buttons near
the LCD screen.
The information available is:
To shut down the edgeBOX, press the Power button. edgeBOX will beep. Then,
· press the Power button again, and edgeBOX will beep twice and start the shutdown
process,
· or press the LCD Enter button. edgeBOX will start the shutdown process and the
message "Shutting down system. Wait..." will be displayed in the LCD.
You can also shut down the edgeBOX using the web interface. To do this go to the
Webadmin interface, System - Administration section.
· Version 5.0, Build 1, 29/06/2009: software version, build number and build date;
· License Serial Number: edgeBOX license; each edgeBOX has a distinct license;
· Network users limit: maximum number of users allowed for this licence.
2 Initial Configuration
If you've just turned edgeBOX on for the first time, you need to make an initial basic
configuration so that edgeBOX can start managing your network and services.
In seven simple configuration steps you'll understand the concepts and review the sections
in this manual where the configuration details are covered.
If you haven't done this before please follow the steps in the Connecting to edgeBOX's web interface
section of this manual. When you get connected you can jump to Step 1 and get started configuring
edgeBOX.
· Concept:
edgeBOX is supposed to work as the main link between any devices/systems in your
internal network and the Internet; whatever you may do - access the Internet, send an
e-mail, make VoIP calls to another country - keep in mind: edgeBOX is the gateway
to the outside world; so, the first step is to connect its WAN interface to the Internet.
· Concept:
your internal network - your LAN, for short - is composed of computers, laptops, IP
Phones and other miscellaneous IP devices like printers and so on; they all communicate by
connecting to the so-called TCP/IP Ethernet infrastructure and the messages thus
interchanged are all identified with two distinguishing marks: the IP Address of the
sender and the IP Address of the destination computer or server; each and
every device interacting in a TCP/IP network, like yours, has its own IP Address; and so
does edgeBOX;
you need to assign such an address to the LAN interface of edgeBOX - through this
interface edgeBOX reaches all those LAN devices and all of them know how to reach
edgeBOX if they need to; all IP devices in your network will somehow find a way to
make messages reach edgeBOX's LAN interface IP Address and edgeBOX will know how
to send them back IP messages identified with its own LAN IP Address; edgeBOX is
shipped with the LAN IP Address 192.168.100.254 previously configured for you; don't
change it if you don't need to, but if you do...
· Concept:
the hostname is the name by which the edgeBOX is known in the network (the
name that the computers in the network use to refer to the edgeBOX); a hostname is a
descriptive name (gateway, edgebox, fileserver, printerhost); you can choose any
name you want; if you have two offices with an edgeBOX in each, you can call
the first one eboxhead and the other eboxbranch;
the domain is the name by which your network is known; if you do not have a
registered domain, then you can give your network any domain you want, such as
mycompany.loc; this domain will be private and visible only within your network; for
example, if your company is called MegaSoft, then a possible domain could be
megasoft.com; if you have a registered domain, like critical-links.com, for example, then you can
use that public domain; that domain is visible to everyone in the world throughout the
Internet;
· Concept:
edgeBOX, as any other computer, keeps its own date and time internally; you can and
should adjust Date and Time; additionally you should adjust your Timezone too:
edgeBOX is shipped to use timezone Europe/London; change it to your location;
several edgeBOX features rely on a correct Date and Time in order to operate in a
timely fashion as expected by network users and other processes;
· Concept:
the Firewall is possibly the most important network security resource shipped with
edgeBOX; it's very important that you consider always having your Firewall service up
and running (don't turn it off unless you really need to); edgeBOX is shipped with the
Firewall service running and this, alone, is enough for providing a very high degree of
the edgeBOX Firewall's working principle is the definition of Allow/Deny rules for specific
network services and protocols; once you decide which services should or shouldn't be
available, edgeBOX will automatically determine the best Firewall settings and use them,
to provide the maximum possible security to itself and to your network; the fundamental
concept you should keep in mind is: if my users don't need this service then I will
make it unavailable at the Firewall, or if that specific service is not supposed to
be accessible from the Internet then the Firewall will block any requests to it;
· Hands On:
at this moment let's just take a look around to get familiar; go to the Security section in
the Webadmin interface; the Firewall menu will load by default;
notice the services that have allowed access for connections from the Internet; by
default only the Ping and Webadmin services are allowed from the Internet; this means
that the administration web interface is available from the outside world; this could be
good if you need to administer edgeBOX from home; later on you may come to consider
this unnecessary, and you may wish to increase security even further by removing
Webadmin from the Internet allowed services; that is configuring your Firewall; but let's
leave it for later;
click the Internal Connections... link; a popup window will show you the list of
forbidden services for your internal network; by default the list is empty: that means
that, by default, your internal users can access all edgeBOX services; this is where you
would add any service that you'd wish not to be available internally;
right now you may just want to start configuring the Firewall; well... we advise you,
nevertheless, to follow this section through up to Step 7 to get the whole picture; but...
if you really wish to do it, just jump to the Firewall section in this manual for the details
(don't start configuring the Firewall until you have read that section of the manual and
you are confident in what you're doing);
· Concept:
edgeBOX is for Users; a great deal of effort has been put into making edgeBOX a user
oriented product; Users have needs; Users want to use services; Users want to make
Phone calls; Users want to share files and need Phones to chat internally or to make
long distance calls; Users are central in edgeBOX; as more people join your company
edgeBOX will always be ready to provide resources for them: a Phone, a personal
Windows Share for documents, access to the Internet, a personal web page, you name
it...;
furthermore you need to consider Security: whether you'll allow everyone to use your network
or only specific users; allowing access only to specific users gives your
network more security; to let only specific users access the network, you need to
manage them (create, edit and delete users) and set up authentication services;
Authentication is actually a very important aspect but, right now, let's leave it be...;
adding a new User and a Phone for the new user is an easy task; go for it...
· Hands On: go to the Users section in the Webadmin interface and follow the details here
Managing Network Users;
· Concept:
you should change the password; this is a simple, yet very important, concept;
edgeBOX is shipped with a default password for the admin user: "root"; you should
change it;
the admin password is used to access the Webadmin interface; please realize: admin-root
is a very simple guess for most hackers and password exploits and attacks; if you
expose edgeBOX to the Internet this risk is even higher; please change it immediately;
pick a password you can remember and write it down in some safe place, at home, or
some place away from work, away from edgeBOX;
· Hands On: in the Webadmin interface click the System section and choose the
Administration menu; follow the details here...;
At the end of Step 7, you have a pretty good picture of edgeBOX's basics. To step into more
advanced edgeBOX features you might need for your network, please review the following Next
Steps and feel free to navigate around.
activate Webmail ?
enforce Authentication ?
setup VLANs ?
3 Dashboard
The Dashboard provides a quick summary overview of the most relevant edgeBOX variables and
status information in an intuitive graphical display.
Information is provided in the form of values, colors and icon behaviours and refreshed every 30
seconds. The Dashboard is divided into:
System
· Date & Uptime: current Date and Uptime (time elapsed since last boot); 7/6/2009 17:13
and 14d 11h 32m in the picture;
· Processor:
· Load - processor load indicator (from left to right: 1 minute, 5 minutes and 15
minutes load average);
· Memory: current instantaneous RAM usage/total and current instantaneous SWAP usage/
total;
· Storage: current instantaneous System Storage and Home Storage percent occupation/
total;
If any of the horizontal bars changes to yellow, you should stay alert. If, on the other hand, you
get persistent reds, that means you should try to diagnose the problem and take action to
prevent any damage or operational instability.
WWW
· WAN IP Address: the currently configured IP address for the WAN interface;
192.168.126.160 in the picture;
· Gateway Test: green if edgeBOX is able to ping the Default Gateway, as depicted; red
otherwise;
· DNS Test: green if edgeBOX can access an operational DNS service, as depicted; red
otherwise;
· Browsing Test: green if edgeBOX can actually browse the World Wide Web, as depicted; red
otherwise;
· Line Color: green indicates edgeBOX considers the WAN connection is fully operational with
respect to those 3 tests; gray otherwise;
· Connection Status: the red connection status icon (a red triangle with an exclamation mark '
! ' inside) will show up if any of the three tests fails: something is not operating as expected; if
the three tests are successful it will not show up; if all three tests fail then a red 'X' icon will
be shown instead;
LAN
· IP Address: the currently configured IP address for the LAN interface (default VLAN);
10.5.5.51 in the picture;
· Line Color: the line connecting edgeBOX to the LAN will be green, as in the picture, if link is
detected on the LAN connector (meaning that edgeBOX is actually connected to an active
network device); if no link is detected the line will change color to gray;
· Connection Status: the red connection status icon (a red triangle with an exclamation mark '
! ' inside) will show up if no LAN hosts are detected (see also the DMZ explanation); in the
situation depicted edgeBOX detects link on the LAN connector and active LAN hosts; if the LAN
connector does not have link (cable disconnected at one of the ends), then a red 'X' icon will
be shown instead;
· LAN icon: colored, as depicted, if your LAN seems to be operating normally (both LAN link is
detected and LAN host activity is detected too); gray-scale otherwise;
· Authentication: On or Off; tells you if the User Authentication service is active; On in the
picture;
· Users Logged In: the amount of users currently authenticated; 15 in the picture;
· Ongoing Calls: the amount of phone calls currently in progress; 2 in the picture;
DMZ
· IP Address: the current IP address on the DMZ interface; 192.168.200.254 in the picture;
· Line Color: same behaviour as for the LAN; the picture shows that the DMZ connector is
actually connected to some device - link detected;
· Connection Status: same behaviour as for the LAN; in the picture the ' ! ' sign is showing:
that means that no hosts are being detected on that interface;
· DMZ icon: colored if link is detected and DMZ hosts activity is detected too; gray-scale
otherwise (as depicted);
Wifi
If your system has wireless, the Wifi icon will show you:
· Line Color: green if WiFi is enabled (as in the picture); gray otherwise;
· SSID: the current wireless SSID is displayed within parentheses (mywifi in the picture);
· Connected Devices: the number of wireless clients currently connected (6 in the picture);
System Messages
· There are new system messages: when new notifications arrive, such as system
messages, software updates or other, the information icon will show up in the lower-left
corner. Just click the Read Messages... link. A new popup window will display them. Please
read them carefully.
4 Network
The Network section is where you can overview and configure most details and
functionalities of your network.
· set the Internet connection (WAN), change the local network (LAN) properties;
· overview your virtual networks (VLANs) and specify a domain and a hostname;
· set up and secure your Wifi network with WEP, WPA and 802.1x;
· view IP routes managed by the edgeBOX (system routes) and create and manage
your own routes (static routes);
· configure edgeBOX's DNS server: add and remove domains, manage access controls
(ACLs) or use Dynamic DNS;
· manage DHCP; edgeBOX includes a DHCP server that allows you to automatically
assign IP Addresses to the computers in your network based on ranges of IP addresses
or based on specific IP Addresses;
· allow remote computers to access services on a specific host or hosts within your
private network - Port Forwarding;
· list web sites that you do not want the edgeBOX to cache;
· manage Quality of Service - QoS: assure bandwidth for services and users;
· set up a Demilitarized Zone - DMZ for your Internet servers and other special
purposes;
Related Topics:
· Cache Websites
· Firewall
If you change the Forward DNS Servers list and you have the DNS service running,
edgeBOX will use these DNS servers for all external DNS queries. Those settings override any
static or dynamic DNS settings configured for the WAN interface in the Internet Connection menu.
The Primary DNS and, if displayed, the Secondary DNS fields represented in the Internet
Connection menu will automatically revert to the first and second entries in the Forward DNS
Servers list. The DNS servers configured, statically or dynamically, for the Internet Connection will
not be displayed here, because edgeBOX is actually not using them.
If the DNS service is not running edgeBOX will use the DNS servers configured and displayed in
the Internet Connection menu.
Related Topics:
· Cache Websites
· Firewall
· NAT
· Dynamic DNS
· Internet Traffic
· Diagnostic Tools
Obtain the data for the connection automatically from the device (DHCP)
If you choose the DHCP connection method, you don't need to enter any additional information.
The edgeBOX will get all needed information from the DHCP server.
· IP Address
· Netmask
· Gateway
· Primary DNS (IP Address)
· Alternative DNS (IP Address - optional).
The primary and alternative DNS servers you type here will be added to the list of DNS
Servers in the Forward DNS Servers list.
If your Internet Service Provider requests it, you can change MTU (Maximum size of the
packets).
3. Type in the MTU size as agreed with your Internet Service Provider; press Ok;
4. Press Save.
Connection Settings
For this type of connection you must type your username and password (please contact your
Internet Service Provider in order to correctly determine these two settings).
Advanced Options
In the Advanced Options menus you should specify how your connection details will be configured.
Advanced Options
Connection
Packets
· MTU: In this section you can override the MTU (Maximum size of the packets); this may
be required by your Internet Service Provider (ISP); to do it, select the option Override
MTU and change the value in the text field to the value requested by your ISP;
· PPPoE over VLAN: select this option if you belong to one of your Internet Service
Provider's VLANs; your ISP may require this; if you select this option, type the VLAN, as
specified by the ISP, in the VLAN field.
Choose the LAN network from the list and click the Edit button at the top of the Networks table.
1. Type the desired IP Address for the edgeBOX (IP Address for the edgeBOX’s internal
interface) in the IP Address field.
2. Type the network mask in the field Subnet Mask.
If you change the local network IP address while you are accessing edgeBOX from
the LAN segment, you may lose access to the edgeBOX web management; in that
case, close your browser, make sure you re-adjust your IP address (DHCP or static),
and then you can proceed.
· You need to indicate the new address of the edgeBOX in the browser to connect to the
edgeBOX’s web management. View example.
If you change the edgeBOX’s IP Address to 10.1.1.254, type in your browser the address
https://10.1.1.254:8011.
· You may also need to change the properties of the network connection of the computer you
are using to manage the edgeBOX. View example.
If your computer receives its IP address dynamically from the edgeBOX, you may need to ask the
operating system to repair the connection so it gets a new IP address. Or, if you have defined a
static address in the connections of your computer, you need to change that address to a new
IP address of the network.
Related Topics:
· Cache Websites
· Firewall
· NAT
· Dynamic DNS
· Internet Traffic
· Network
· Interfaces
· DMZ
· Diagnostic Tools
There you will find a list of all networks currently managed by edgeBOX. Choose the DMZ network
from the list and click the Edit button at the top of the Networks table.
1. Change the IP Address and the Netmask fields with the desired information.
2. Click the Apply button in the bottom right corner of the tab.
3. Select the Enable DHCP Server on this Interface if you wish to have DHCP also on the
DMZ network.
Please note: you can activate the DHCP service on the DMZ interface, even if you have Firewall
based DMZ services active.
Related Topics:
· DMZ Traffic
To manage VLANs navigate to the Networks menu in the Network section. Why use VLANs?
VLANs offer higher performance because they limit packet broadcasts in the network. They also
provide additional security by separating groups of devices.
You can use VLANs, for instance, to:
· Control bandwidth usage and make the network faster - For example, you have
more than 200 devices on your local network and your local network is getting slower
because there is too much broadcast traffic (data that is sent from one computer to all
computers in the network). VLANs will limit the broadcast only to the specified group of
devices within a VLAN instead of broadcasting to all devices in the network.
· Increase security - If you have groups of users that need more security due to the type
of information they share between each other, a VLAN can isolate those users from the
remaining network so that information will not be accessible for other groups.
· Easily manage the network - For example, separate users that have VoIP phones from
users that do not have them.
1. Select the desired VLAN from the list and click the Edit button.
2. Change the desired properties of the VLAN:
To enable a disabled VLAN select it and click the Enable button. The status icon will turn
green.
When you use 802.1x authentication on your switch, the Guest VLAN is the VLAN the
network users are temporarily assigned to if they haven't authenticated yet or if they
have introduced an incorrect username or password.
This VLAN usually has limited network privileges. It is commonly used to display information
about how the users can authenticate properly onto the network. After they authenticate, they
are assigned to their respective VLANs. View an example where VLAN 6 is used as the Guest
VLAN...
If you don't wish to have a Guest VLAN make sure you select the Have no Guest VLAN option
at step 2.
The information displayed is somewhat detailed in that it shows you how edgeBOX implements
certain networking aspects using specific techniques like Bridging and VLANs. It is divided into three
major sections:
Bridges
Here you'll find virtual interfaces used by edgeBOX to logically "attach" several other, logical or
physical, interfaces together: same as saying Bridges.
That's the case of the br0 interface: it commonly bridges together the eth0 (LAN), the eth3 (AUX,
if available) and the ath0 (your wireless interface, if it exists). This means that br0 brings
together those interfaces in order to form a virtual interface, referred to as br0, to be
treated transparently by the edgeBOX kernel as your LAN.
· Interfaces: the current composition of the bridge (eth1, eth3, ath0 for example);
Physical Devices
Shows you a list of physical network interfaces found in the system. For example: eth0, eth2 and so.
For each of them:
· Interface Status: you'll get a graphical indication of Up/Down status and the interface
current connection bit rate in Mbps.
VLANs
This section of the panel shows you your VLANs. Each is identified by its assigned name, like VLAN_D
or SERVERS, for example.
· Tag: the 802.1Q VLAN ID or Tag in use; this is a distinguishing marker identifying packets
destined at a given VLAN; this Tag is the means by which your VLAN enabled switch or other
VLAN enabled Ethernet devices can tell to which VLAN each packet belongs;
Related Topics:
· What are VLANs ?
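To make the Tag bullet above concrete, here is an added example (not edgeBOX code) that parses the 802.1Q tag out of a raw Ethernet frame and maps the VID to a VLAN name the way a VLAN-aware device would; the VLAN table and the frames are constructed for illustration, and the VLAN names are assumptions in the style of the panel.

```python
import struct

ETHERTYPE_VLAN = 0x8100  # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800

# Hypothetical VLAN table, as it might appear in the VLANs panel (names assumed).
VLAN_TABLE = {6: "GUEST", 10: "VLAN_D", 20: "SERVERS"}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet II frame and extract the 802.1Q tag, if present.

    The tag sits between the source MAC and the real EtherType: 2 bytes of
    TPID (0x8100) followed by 2 bytes of TCI (3-bit PCP, 1-bit DEI, 12-bit VID).
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset, tag = 14, None
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        tag = {
            "pcp": tci >> 13,        # priority code point (QoS class)
            "dei": (tci >> 12) & 1,  # drop eligible indicator
            "vid": tci & 0x0FFF,     # the VLAN ID shown as "Tag" in the panel
        }
        offset = 18
    return {"dst": mac_str(dst), "src": mac_str(src), "tag": tag,
            "ethertype": ethertype, "payload": frame[offset:]}


def classify(frame: bytes, table: dict = VLAN_TABLE) -> str:
    """Decide which VLAN a frame belongs to, handling the reserved VID values."""
    info = parse_frame(frame)
    if info["tag"] is None:
        return "untagged (default LAN)"
    vid = info["tag"]["vid"]
    if vid == 0:
        # VID 0 means "priority tag only": no VLAN membership is carried.
        return "priority-tagged (no VLAN, treat as default LAN)"
    if vid == 4095:
        return "reserved VID 4095 (drop)"
    return table.get(vid, f"unknown VLAN {vid} (drop)")


def build_frame(dst: str, src: str, vid=None, pcp: int = 0,
                payload: bytes = b"") -> bytes:
    """Build a constructed test frame, tagged when vid is given."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is None:
        return hdr + struct.pack("!H", ETHERTYPE_IPV4) + payload
    tci = (pcp << 13) | (vid & 0x0FFF)
    return hdr + struct.pack("!HHH", ETHERTYPE_VLAN, tci, ETHERTYPE_IPV4) + payload


if __name__ == "__main__":
    # Constructed sample traffic: a guest-VLAN frame and an untagged LAN frame.
    guest = build_frame("ff:ff:ff:ff:ff:ff", "00:0c:29:c5:91:9f", vid=6, pcp=5)
    plain = build_frame("ff:ff:ff:ff:ff:ff", "00:0c:29:c5:91:9f")
    for f in (guest, plain):
        print(parse_frame(f)["tag"], "->", classify(f))
```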
You can find it in the Related Topics corner of the Networks menu in the Network section. Just
click the Network link.
The upper part of this panel shows you a graphical overview of your network interfaces: Internet
Local Network and DMZ. For each of them you can read the total bytes sent and received.
This list shows you the network connections currently maintained by edgeBOX. For each connection:
· Source IP / User: the IP address that originated the connection; if a username can be
associated to this IP Address it will be displayed instead of the IP address for easier
identification;
· Destination IP: the other end of the connection; the IP to which this connection is
established;
· Destination Port: transport protocol level destination port, usually identified by a mnemonic
indicating a well-known network service like sip or http.
To change the Hostname click the Change... button and type the new name in the hostname text
box (the hostname must be less than 16 characters long).
You can find the Domain of the network in the Hostname and Domain menu in the Network
section. What is the Domain?
The Domain is the name by which your network is known.
As an example, server1.mycompany.org identifies the host server1 within a network domain called
mycompany.org. Other hosts could exist in that same domain, like for example
john-laptop.mycompany.org. The mycompany.org part is called a domain name.
If you do not have a registered domain, then you can give your network the domain you want.
This domain will be private and only visible within your network. For example, if your
company is called MegaSoft then a possible domain could be megasoft.com.
If you have a registered domain, like critical-links.com, for example, then you can use that public
domain.
To change the domain of the network click the Change... button and type the domain name you
want in the Domain text box.
edgeBOX does not update the reverse hosts files of the DNS Domains when you change the
hostname and you have networks defined on the edgeBOX (the local network or the VLANs) that
do not belong to network classes A, B or C.
If you change the hostname or the domain you need to reboot the edgeBOX so that the
changes take effect. An appropriate popup window will advise you of that need.
The System Routes list should contain several entries. You cannot edit these entries because they
are configured automatically by edgeBOX. In the System Route table you should see:
Please note: all necessary routes should be created and managed automatically by
edgeBOX. You can assume that edgeBOX will create and manage automatically all routes needed
for its correct operation.
If you need to enable access to other hosts or networks that are unknown to edgeBOX or aren't
directly accessible, then you will need to add static routes. You can:
This panel also displays System Routes - routes that are created and managed automatically by the
edgeBOX based on the settings of your LAN, WAN, VLANs, etc.
4.10 Wireless
In the Wireless menu, Network section you can configure and change the properties of the
wireless network.
edgeBOX allows you to have a wireless network and define several configurations to make it more
secure. How does Wireless work on edgeBOX?
edgeBOX provides a wireless LAN access to your office. It can operate with an embedded
Access Point or as an 802.1x Access Point controller if you use several external Access Points
spread through the network.
edgeBOX cannot manage external access points. To manage these access points
you need to use the specific access point's management interface.
As you can see in the image above, you can set several scenarios, as integrated authentication
using edgeBOX users' accounts or external authentication using a remote RADIUS server.
edgeBOX supports WPA, WEP or 802.1x authentication.
As edgeBOX also provides IP-PBX features, you can combine them with the wireless features
to create wireless VoIP phone access.
By default, edgeBOX's wireless network is already running with a factory configuration defined: the
network name is mybusiness, channel 11 and the WPA password is mydemokey. This way, you can
immediately start providing wireless access on your office, without having to configure anything on
the edgeBOX.
Hit the Change... button to edit. A new window pops up with two tabs:
General
· Name: the name for your wireless network; ex: mywifi; also known as the SSID; the name of
the wireless network is a name of your choice that will work as the public identifier of the
network so users can connect to the network;
· None (Public Network): this operation is insecure; if the network has no authentication
then everyone will be able to connect to it; don't use this option unless you really need to
and you understand the insecurity consequences;
· WPA: Wi-Fi Protected Access; grants a very high level of security and privacy; details are:
Key - an 8 to 63 character long sequence or a 64 hexadecimal character sequence; this is
commonly referred to as the PSK (Pre-Shared Key);
· 802.1x: with this option you can integrate your wireless network in RADIUS based
authentication and accounting setups; hit the Change... button and specify the following:
· Accounting: you can choose to save user statistics and other accounting
information in a remote RADIUS Accounting server (again by specifying its IP
Address, Port and Password).
Advanced
· Hide Network: if you select this option the network will not appear in the list of available
networks when users look for wireless networks in their computers;
· Allow only specific devices to use the wireless network: click the Add... button to add
a new MAC Address to the list; only the MAC addresses specified will be allowed in the
Wireless network; how to get the MAC address ?
On Windows computers, go to the Start menu and run the Command Prompt; when the black
command line appears type ipconfig /all; the MAC address is identified by the Physical
Address; for example: Physical Address . . . . . . . 00-0C-29-C5-91-9F;
If you wish to temporarily turn off the wireless network for any reason, or if you don't want to have a
wireless network anymore, go to the Wireless menu in the Network section and hit the usual Stop
Service.
The wireless service will be stopped, but the configurations will not be erased. Later on, if you wish
to make the wireless network available again just click Start Service.
If you add a wireless card to the edgeBOX, you need to reboot edgeBOX after you added
the card.
Related Topics:
Indicate the type of authentication for the network
Make the wireless network public
This step will ensure your network is, to some extent, protected against undesired users. To secure
edgeBOX wireless network you can use one of the following authentication methods (protocols):
Which type of authentication should I use?
The type of authentication you use depends on the devices that are going to access the wireless
network. For example, some smartphones or older network devices do not support WPA security
yet, so you need to use WEP authentication to ensure compatibility with all devices.
If you don't need to grant compatibility to older devices, avoid using WEP authentication. WEP is
relatively easy to break. use WPA with a strong password instead because it is more secure.
802.1x authentication is even more secure than WPA authentication. It is normally used to secure
wireless networks in workplaces.
2. Type in a 10 or 26 hexadecimal character long sequence; you should use the 26 hex characters; but if you
need to ensure compatibility with devices that do not support it, then use the 10 hex character
sequence; How must the key be?
The key must be formed using groups of hexadecimal characters (A to F and 0 to 9) separated
by '-'. Example of a 26 chars key: ACBB-8EF2-3410-23AA-F8F0-EEEE-A2.
If all your devices support WPA authentication, then use WPA instead of WEP. WEP is
relatively easy to break.
If you need to use WEP then change regularly the WEP keys, to grant a certain level of security.
This is not easy to accomplish if you have many users of the wireless network because you need to
inform them all about the new active key each time you change it.
2. Indicate a key (passphrase or a pre-shared key) that will be used to authenticate to the network.
How must the passphrase or the pre-shared key be?
3. You should indicate the passphrase or the pre-shared key to the users of your network you want
to be able to access the wireless network.
You should try to always use secure passphrases and pre-shared keys to increase the network
security. You can obtain randomly generated secure keys at the GRC website.
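The key rules for WEP (hex groups separated by '-', 10 or 26 hex characters) and for WPA (8 to 63 character passphrase or 64 hex characters) described above can be checked locally, and a random passphrase can be drawn from the operating system's CSPRNG instead of fetching one from a website. The example below is added here and is not edgeBOX code; the factory defaults it flags (SSID mybusiness, key mydemokey) are the ones stated in this manual, and the 20-character "short passphrase" threshold is an assumption.

```python
import re
import secrets
import string
from typing import List, Tuple

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
# Factory defaults as stated in the manual; a config still using them is a finding.
FACTORY_DEFAULTS = {"ssid": "mybusiness", "wpa_key": "mydemokey"}
SHORT_PASSPHRASE = 20  # assumed threshold, not an edgeBOX limit


def validate_wep_key(key: str) -> Tuple[bool, str]:
    """WEP key format from the manual: hex groups joined by '-', 10 or 26 hex digits."""
    groups = key.split("-")
    if not all(g and HEX_RE.match(g) for g in groups):
        return False, "WEP key must be hex groups (0-9, A-F) separated by '-'"
    n = len("".join(groups))
    if n not in (10, 26):
        return False, f"WEP key has {n} hex characters, need 10 or 26"
    return True, f"WEP key ok ({n} hex characters)"


def validate_wpa_key(key: str) -> Tuple[bool, str]:
    """WPA PSK: a passphrase of 8 to 63 printable ASCII characters, or 64 hex digits."""
    if len(key) == 64 and HEX_RE.match(key):
        return True, "WPA key ok (64 hex characters, raw PSK)"
    if not 8 <= len(key) <= 63:
        return False, f"WPA passphrase has {len(key)} characters, need 8 to 63"
    if not all(32 <= ord(c) <= 126 for c in key):
        return False, "WPA passphrase must be printable ASCII"
    return True, f"WPA passphrase ok ({len(key)} characters)"


def generate_wpa_passphrase(length: int = 63) -> str:
    """Random WPA passphrase from the OS CSPRNG (secrets), max length by default."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrase length must be between 8 and 63")
    alphabet = string.ascii_letters + string.digits + "!#$%&()*+,-./:;<=>?@[]^_{|}~"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def audit_wireless(ssid: str, auth: str, key: str = "") -> List[str]:
    """Return findings for a wireless config; auth is 'none', 'wep', 'wpa' or '802.1x'."""
    findings = []
    if ssid == FACTORY_DEFAULTS["ssid"]:
        findings.append("SSID is the factory default 'mybusiness'; choose your own")
    if auth == "none":
        findings.append("open network: anyone in range can connect")
    elif auth == "wep":
        findings.append("WEP is relatively easy to break; prefer WPA if all devices support it")
        ok, msg = validate_wep_key(key)
        if not ok:
            findings.append(msg)
    elif auth == "wpa":
        ok, msg = validate_wpa_key(key)
        if not ok:
            findings.append(msg)
        if key == FACTORY_DEFAULTS["wpa_key"]:
            findings.append("WPA key is the factory default 'mydemokey'; change it")
        elif ok and len(key) < SHORT_PASSPHRASE:
            findings.append("short WPA passphrase; a long random passphrase resists guessing")
    elif auth != "802.1x":
        findings.append(f"unknown authentication type '{auth}'")
    return findings


if __name__ == "__main__":
    # Constructed sample configurations: the factory state and a hardened one.
    print(audit_wireless("mybusiness", "wpa", "mydemokey"))
    new_key = generate_wpa_passphrase()
    print(audit_wireless("office-wifi", "wpa", new_key), validate_wpa_key(new_key))
    print(validate_wep_key("ACBB-8EF2-3410-23AA-F8F0-EEEE-A2"))
```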
802.1x authentication means that each user who wants to enter the wireless network has to log in
using their own username and password, instead of using a network key that is shared by everyone.
1. Go to the General tab and choose the 802.1x option and hit the Change... button.
2. Select WPA in the Data Encryption section. This is normally called WPA-Enterprise. If you have
devices that do not support WPA accessing the wireless network, choose Dynamic WEP instead.
3. Define the Authentication type: where users' username and password are validated when they
try to login to access the wireless network. You can validate these credentials:
With the default option, edgeBOX itself checks whether the username and password exist in its list
of users and match.
For a user to be able to log in using the 802.1x method, the user needs the 802.1x Access
permission. You can verify this in the user's Privilege, in the Users section.
With the second option, a remote RADIUS server validates the users' credentials instead of edgeBOX.
Check the option Authenticate Users on another RADIUS Server. Below the option, fields appear
for how edgeBOX reaches the remote server: IP address, port and password (the RADIUS shared
secret).
If you also wish to record information such as when users were connected and what they did, you
can send it to a remote RADIUS accounting server. Check the box in the Accounting zone and
indicate how edgeBOX connects to that server (IP Address, port and password).
Related Topics:
Make the wireless network more secure
Even if you don't use this option you still control who accesses your wireless network, because
users still need to authenticate with a WEP key, WPA or 802.1x. This option further restricts access
to a list of specific devices. Treat it as a convenience, not as authentication: a MAC address is sent
in clear in every frame and can be copied by anyone in radio range, so a permitted device can be
impersonated.
You can hide edgeBOX's wireless network so that it does not appear in the list of available networks
people see when they scan for wireless networks on their computers. Why should I hide the wireless
network?
Hiding a wireless network is a mild deterrent rather than a security control. Casual users will not try
to join a network they do not see, but the network name is still sent in clear when legitimate clients
probe for and associate to it, so anyone with a wireless sniffer can learn it. Always combine a hidden
network with WPA or 802.1x authentication.
To hide the network go to the Wireless menu, Network section, hit the Change... button
and select the Advanced tab.
Users of a hidden wireless network will need to connect to it manually. This process differs
according to the user's Operating System.
Related Topics:
Indicate the type of authentication for the network
Avoid creating public wireless networks unless you really want to make the network available to
everyone.
Wireless networks are more exposed than wired ones because the signal is available to everybody
near edgeBOX's access point. If you don't protect the network, unauthorized people can reach the
computers on the network and use the connection to access the Internet. Always secure the wireless
network if you don't want everybody to access it.
If you want to make your wireless network public: go to the Wireless menu in the Network
section and select Security: None.
Related Topics:
Configure the wireless network
Indicate the type of authentication for the network
DNS is a network service that translates hostnames and domain names (such as webmail.
critical-links.com) into numeric IP addresses (such as 209.85.227.103). For more information see
Wikipedia DNS.
edgeBOX provides DNS through the well-known named server (BIND). The DNS menu has three tabs:
· Domains – Where you indicate all the domains that the DNS server will know.
· Settings – Shows the DNS status and the properties of the DNS server.
· Access Control List – Defines access controls for the domains that the DNS server knows.
Related Topics:
· Dynamic DNS
On the Domains tab click New. Three Domain Types are available:
· Master: a Master domain server stores the domain database locally and is authoritative for that
domain. It answers queries for the domain from that database;
· Slave: a Slave domain gets its zone data from a zone master by zone transfer and answers as
authoritative for the zones for which it is defined as a slave (it is sometimes called a secondary);
· Forwarder: a forwarder type domain does not answer queries directly: it forwards them to another
name server.
Domain Tab
· Allow only internal hosts to query this domain: selecting this restricts DNS answers to queries
coming from your local networks. For a registered public domain you need to let external networks
query the zone; for private domains you will most likely want to allow only internal hosts, for
security reasons.
· Resolution Type: choose Direct or Reverse; this choice is only active if you have selected
Manual for the Reverse DNS Management option in the global Settings tab. With Direct, hosts
added to the domain need forward entries (names to IP addresses); with Reverse, they need reverse
entries (IP addresses to names).
· Network: IP address and class (A, B or C) of the IP segment for which this domain is valid. This
option is not accessible if you have selected Resolution Type Direct together with Manual Reverse
DNS Management.
· Name Server: the IP address of the name server. This option is not accessible if you have
selected Resolution Type Reverse together with Manual Reverse DNS Management.
Hosts Tab
Managing the contents of the Hosts tab is explained in section Managing hosts on an existing domain.
Please refer to that section.
Permissions Tab
If you want finer control over which hosts or networks this domain will answer, or how, use the
Permissions tab. Here you specify an Access Control List (ACL) of rules that are checked before the
server decides if, and how, it will process a DNS query.
You can have several rules. If a rule matches it is applied. If no rule matches, the default behaviour
is to allow queries and transfers but to deny updates. Note that this default lets any host that can
reach the server copy the whole zone; for a zone exposed to the Internet add a rule that allows
transfers only from your slave servers. ACLs created in the Access Control List tab are available
here, so it is a good idea to create them first and re-use them when creating or editing your DNS
domains.
· Type: choose a Network or Host based access control rule and type below it the corresponding
values: Network IP address and Netmask, or Host IP address
· Query Permissions: from the choice boxes displayed choose whether to:
· Allow or Deny Queries: indicates if queries are allowed for this domain
· Allow or Deny Transfers: determines whether other servers are allowed to copy the zone
information from this server
· Allow or Deny Updates: whether other servers are allowed to submit dynamic updates for
this domain
To let a Slave domain pull a master domain that is configured to allow queries from internal hosts
only, add an ACL rule with the IP address of the slave server and allow the Transfer option.
· Refresh time: the number of seconds between the time a secondary (slave) name server gets a
copy of the zone (or sees that it hasn't changed) and the next time it checks whether it needs a
new copy.
· Retry time: the time edgeBOX waits before querying a Master again if the master fails to respond
to a refresh request.
· Expire time: the number of seconds a secondary name server may keep serving the zone without
reaching the master before the data is no longer considered authoritative.
· TTL time: the maximum time other DNS servers and applications should cache the records. Lower
it before you change DNS entries and raise it back to the normal value once the changes have
been made and tested.
Domain Tab
· Allow only internal hosts to query this domain: selecting this restricts DNS answers to queries
coming from your local networks; for a registered public domain you need to let external networks
query the zone; for private domains you will most likely want to allow only internal hosts, for
security reasons;
· Resolution Type: choose Direct or Reverse; this choice is only active if you have selected
Manual for the Reverse DNS Management option in the global Settings tab;
· Network: IP address and class (A, B or C) of the IP segment for which this domain is valid;
· Master Servers: the IP address(es) of the Master DNS server(s) for which this domain is a Slave
(from which it gets its DNS database);
Permissions Tab
If you want finer control over which hosts or networks this domain will answer, or how, use the
Permissions tab. Here you specify Access Control rules that are checked before the server decides
if, and how, it will process a DNS query. You can have several rules.
· Type: choose a Network or Host based access control rule and type below it the corresponding
values: Network IP address and Netmask, or Host IP address;
· Query Permissions: from the choice boxes displayed choose whether to
· Allow or Deny Queries: indicates if queries are allowed for this domain;
· Allow or Deny Transfers: determines whether other servers are allowed to copy the
· Domain Name
Server Options
· Manual: the administrator is responsible for creating the reverse domain (if a reverse
domain is required)
· Lookup Mode: determines which name server is consulted first when a request is received;
· if Local is chosen, requests are sent to the forwarder server(s) and, if they are not
answered, an attempt is made to find an answer locally;
· if Remote is selected (appropriate only if you have entered forward DNS servers), the
local lookup is not attempted;
· Zone Transfer Format: determines the format used by the server to transfer zones; options
are:
· Many: packs as many records as possible into a maximum sized message;
· Max. Zone Transfer Time: maximum time allowed for inbound zone transfers;
· Max. Query Cache Time: maximum time requests are cached internally.
This list contains the servers to which queries are forwarded when the domain queried is not in the
current list of domains. These are the name server(s) used to resolve external domains.
Click Add to add servers to the list. Use the Move Up and Move Down buttons to change the order
of the entries.
If you change the Forward DNS Servers list while the DNS service is running, edgeBOX will use
these DNS servers for all external DNS queries. This setting overrides any static or dynamic DNS
settings configured for the WAN interface in the Internet Connection menu.
The Primary DNS and, if displayed, the Secondary DNS fields in the Internet Connection menu will
automatically show the first and second entries of the Forward DNS Servers list. The DNS servers
configured statically or dynamically for the Internet Connection are not displayed there, because
edgeBOX is not using them.
If the DNS service is not running, edgeBOX uses the DNS servers configured and displayed in the
Internet Connection menu.
Go to the Network section, DNS menu and click the Access Control List tab. Two tables are
presented: the System ACLs table and the User ACLs table. The System ACLs are managed
automatically and cannot be edited. You can add and edit User ACLs.
Click the New button in the User ACLs table. You need to provide an ACL Name and a set of rules.
ACL names must start with a letter and may contain only letters and digits. You can add several
rules.
Rule Type
· localhost: for edgeBOX's system internal localhost interface (please be very careful when
using this one; if you mean 'the hosts on my local network', referring to your LAN/VLAN or
DMZ hosts, you should use localnets instead; the localhost rule is considered an advanced
rule and should only be used in specific situations);
· Use IP Address: here you specify the hosts for this rule by typing-in a Host IP Address or a
Network IP/Netmask pair.
Action
Note: Deny takes precedence over Allow. That is, if a host matches both a Deny rule and an Allow
rule, the ACL denies DNS service to that host.
All ACLs created here are available in the Permissions tab when you create or edit a DNS domain,
which saves repeating the same rules across the domains of a large DNS deployment.
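The following Python example is added here and is not edgeBOX's implementation; it serves both the Permissions tab described earlier and the Access Control List tab described here. It models the rule semantics the text states: a rule matches a host or a network, a matching rule allows or denies each operation it speaks about, Deny takes precedence over Allow when several matching rules disagree, and with no matching rule queries and transfers are allowed while updates are denied. The "Allow only internal hosts" flag refuses outside hosts that no rule explicitly allows, which reproduces the slave-transfer case from the Permissions tab. The network and slave addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Added example, not edgeBOX's implementation. Rule semantics as described in the
# manual text: host (/32) or network match; a matching rule allows or denies each
# operation it speaks about; Deny beats Allow when matching rules disagree; with
# no matching rule, queries and transfers are allowed and updates are denied;
# "Allow only internal hosts" refuses non-internal hosts no rule explicitly allows.

OPERATIONS = ("query", "transfer", "update")
DEFAULTS = {"query": True, "transfer": True, "update": False}


def networks(*cidrs: str) -> List[ipaddress.IPv4Network]:
    """Helper to build the list of internal networks (LAN, VLANs, DMZ)."""
    return [ipaddress.ip_network(c) for c in cidrs]


@dataclass(frozen=True)
class AclRule:
    target: ipaddress.IPv4Network
    query: Optional[bool] = None      # None: this rule says nothing about the operation
    transfer: Optional[bool] = None
    update: Optional[bool] = None

    @classmethod
    def host(cls, ip: str, **perms) -> "AclRule":
        return cls(ipaddress.ip_network(f"{ip}/32"), **perms)

    @classmethod
    def network(cls, ip: str, netmask: str, **perms) -> "AclRule":
        return cls(ipaddress.ip_network(f"{ip}/{netmask}", strict=False), **perms)

    def matches(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in self.target


@dataclass
class DomainPolicy:
    internal_networks: List[ipaddress.IPv4Network]
    internal_only: bool = False                      # "Allow only internal hosts to query this domain"
    rules: List[AclRule] = field(default_factory=list)

    def is_internal(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.internal_networks)

    def permits(self, ip: str, operation: str) -> bool:
        if operation not in OPERATIONS:
            raise ValueError(f"unknown operation {operation!r}")
        decisions = [getattr(r, operation) for r in self.rules if r.matches(ip)]
        decisions = [d for d in decisions if d is not None]
        if decisions:
            return all(decisions)          # any Deny wins over any Allow
        if self.internal_only and not self.is_internal(ip):
            return False
        return DEFAULTS[operation]


def slave_transfer_example():
    """The case from the text: master limited to internal hosts, off-site slave needs transfers."""
    master = DomainPolicy(internal_networks=networks("192.168.100.0/24"), internal_only=True)
    slave_ip = "203.0.113.53"                        # constructed address for the slave server
    before = master.permits(slave_ip, "transfer")    # False: refused like any outside host
    master.rules.append(AclRule.host(slave_ip, transfer=True))
    after = master.permits(slave_ip, "transfer")     # True: explicit allow for the slave
    query = master.permits(slave_ip, "query")        # False: the rule said nothing about queries
    return before, after, query


if __name__ == "__main__":
    print(slave_transfer_example())   # (False, True, False)
```

Two checks worth making against a real deployment: first, with no rules at all the default permits zone transfers to any host, so a public zone should carry an explicit transfer rule for the slaves; second, a slave sends an ordinary SOA query before each transfer to see whether the zone changed, so if refreshes fail on a master restricted to internal hosts, grant Queries to the slave address as well as Transfers.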
Go to the Network section, DNS menu. Select an existing Master domain (the same applies when
creating a new Master domain). Click on the Hosts tab. The current hosts list is presented. You can
create new entries or manage existing ones.
The first thing you need to do is to choose the Type of DNS record you're adding (this option is only
available when creating new entries).
· Record Type: select from the list; available choices are A, MX, NS, CNAME, SRV and TXT.
· MX: the Domain Name (you need only to enter the left-most part) and the Priority field;
· NS: the Name Server (you need only to enter the left-most part);
· CNAME: the Alias name and the corresponding existing Domain Name;
· SRV: the Service, the Domain Name, the Target Host, the Time-to-Live, Port/Protocol,
Priority, Weight (PWP);
· TXT: the Hostname, the Time-to-Live for this entry and the Text Message specific for this
kind of entry.
The lower this number, the higher the priority. Thus, if one e-mail server is set to 5 and the other to
10, the e-mail server with priority 5 is tried first.
The Time-to-Live (TTL) tells resolvers how long they may cache the record, so it should reflect how
often the data may change. It is common to set it to several hours and lower it to 5 minutes when
changes to DNS are expected. A longer TTL means faster resolution because of caching, but also
means stale data may be served for longer.
PWP (Priority, Weight, Port/Protocol): used when several servers provide the same service.
Priority: the priority of the target host; a lower value is more preferred. Weight: a relative weight
for records with the same priority, used for load balancing. Port: the TCP or UDP port on which the
service is found.
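The following Python example is added here and is not edgeBOX code. It shows what a client does with the Priority and Weight fields just described: SRV records are tried in increasing Priority, and among records of equal Priority one is chosen at random in proportion to Weight, following the selection algorithm of RFC 2782; MX records use Priority alone. The SIP and mail hostnames are constructed for the example.

```python
import random
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Added example, not edgeBOX code. Client-side use of SRV Priority/Weight
# (RFC 2782 selection) and MX Priority, as described in the manual text.


@dataclass(frozen=True)
class SrvTarget:
    target: str
    port: int
    priority: int    # lower value is tried first
    weight: int      # share among equal priorities; 0 = chosen only when nothing else is left


def order_targets(records: Sequence[SrvTarget], rng: Optional[random.Random] = None) -> List[SrvTarget]:
    """Return the records in the order a client should try them."""
    rng = rng or random.Random()
    ordered: List[SrvTarget] = []
    for prio in sorted({r.priority for r in records}):
        bucket = [r for r in records if r.priority == prio]
        while bucket:
            # RFC 2782: weight-0 records go first so they sit at the low end of the running sum
            bucket.sort(key=lambda r: r.weight != 0)
            total = sum(r.weight for r in bucket)
            pick = rng.randint(0, total)
            running = 0
            for r in bucket:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    bucket.remove(r)
                    break
    return ordered


def order_mx(mx_records: Sequence[Tuple[str, int]], rng: Optional[random.Random] = None) -> List[str]:
    """Order (mail host, priority) pairs: lowest priority first, ties broken at random."""
    as_srv = [SrvTarget(host, 25, prio, 1) for host, prio in mx_records]
    return [r.target for r in order_targets(as_srv, rng)]


def selection_counts(records: Sequence[SrvTarget], trials: int = 2000, seed: int = 7) -> dict:
    """How often each record is tried first; shows Weight acting as a load-balancing ratio."""
    rng = random.Random(seed)
    counts: dict = {}
    for _ in range(trials):
        first = order_targets(records, rng)[0].target
        counts[first] = counts.get(first, 0) + 1
    return counts


# constructed records for the example: two SIP servers sharing load 75/25 and a backup
EXAMPLE_SRV = [
    SrvTarget("sip1.example.test", 5060, 10, 75),
    SrvTarget("sip2.example.test", 5060, 10, 25),
    SrvTarget("backup.example.test", 5060, 20, 0),
]

if __name__ == "__main__":
    print([r.target for r in order_targets(EXAMPLE_SRV, random.Random(1))])
    print(selection_counts(EXAMPLE_SRV))   # roughly 1500 sip1, 500 sip2, never backup
    print(order_mx([("mx2.example.test", 10), ("mx1.example.test", 5)]))
```

Weight only spreads load among servers of the same Priority; the backup server with the higher Priority value is tried only after every server in the lower Priority group has failed, regardless of its Weight.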
You can use one of the two supported dynamic DNS services:
· DynDNS
· No-IP
To see details on how to setup and manage an account on these services, consult www.dyndns.org
or www.no-ip.org.
· When you have that, browse to the Network section and click the Dynamic DNS entry on the
Related Topics (at the lower-left corner of the browser window). A new popup dialog will show
you the current configuration status of your Dynamic DNS service. Click the Configure... button if
you wish to configure it:
· Hostname: this is the name that you created when you set up the account of the
service; type-in the FQDN (fully-qualified domain name; e.g.: mybusiness.no-ip.org or
myserver.dyndns.org);
On boot, computers, IP phones and other devices usually request an IP address, a netmask, a
default gateway, DNS server(s) and other TCP/IP settings in order to participate in the network they
are attaching to. This is done with the Dynamic Host Configuration Protocol - DHCP (to learn more
visit Wikipedia DHCP).
To get an overview of the current status and configurations point your browser to the Network
section, DHCP menu. A table with three tabs will be presented:
· IP Address Ranges: the ranges displayed will be used by your DHCP server to assign IP
addresses to computers or phones that request them;
· Fixed IP Addresses: this section shows the IP addresses that are always assigned to one specific
host or phone, identified by its MAC address; this way you can have static MAC-IP assignments;
· Advanced Options: here you'll find several global options the server will comply to, such as
maximum lease time and host configuration variables.
Related Topics:
· DHCP Leases
· You can create several IP address intervals as long as they don't overlap; see an example
If you have a DHCP range from 1.2.3.10 to 1.2.3.100, you will not be able to add another from
1.2.3.50 to 1.2.3.200 because they overlap;
· Each DHCP range must fit completely into one of the currently configured internal networks (LAN,
VLANs or DMZ); see an example
Take this reduced scenario: your LAN segment is 10.1.10.0/255.255.255.0, you have an active
VLAN on 192.168.103.0/255.255.255.0 and your DMZ is 192.168.200.0/255.255.255.0. You cannot
add a DHCP range from 192.168.70.10 to 192.168.70.20 because no internal network contains it, so
it would never be used. You can define a range from 192.168.200.50 to 192.168.200.100 because it
fits into one of your internal networks (the DMZ in this case).
· For each IP address interval you can define a prefix; it is prepended to the last octet of the
assigned IP address to form the hostname sent to the client. View details about the prefix
· Example - If you enter mobile as the prefix and the domain of your network is local.loc, a host
that is assigned the IP address 192.168.100.200 will also receive 'mobile-200.local.loc' as its
hostname.
· E-mail Server - If the edgeBOX e-mail server is running and you want domains or hosts in the
SMTP Relay list of the e-mail server's Access Control definitions, you must indicate a prefix.
1. Click the New button below the Ranges list in the DHCP tab.
2. On the dialog window indicate the lower IP address of the range in the Start IP
Address field.
3. Indicate the higher IP address of the range in the End IP Address field.
4. Optionally, type the Prefix.
Delete a range
If you delete a DHCP range, the computers that receive IP addresses from that range
may not be able to connect to your network the next time they are turned on. Other failure
situations are possible. Be careful when deleting DHCP ranges.
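The following Python example is added here and is not edgeBOX code. It applies the two rules stated above to a proposed DHCP range (no overlap with an existing range, and the whole range inside one configured internal network) using the reduced LAN/VLAN/DMZ scenario from the text, and builds the prefix-based hostname from the example. Rejecting a range that includes the network or broadcast address is an extra check the text does not mention; a client handed either address cannot use it.

```python
import ipaddress
from typing import List, Sequence, Tuple

# Added example, not edgeBOX code. Applies the manual's two rules for DHCP ranges
# (no overlap, range fits one internal network) plus a network/broadcast-address
# check the manual does not mention, and builds the prefix-based hostname.

Range = Tuple[str, str]   # (start IP, end IP) as typed in the dialog


def networks(*cidrs: str) -> List[ipaddress.IPv4Network]:
    return [ipaddress.ip_network(c) for c in cidrs]


def check_new_range(start: str, end: str, existing: Sequence[Range],
                    internal_networks: Sequence[ipaddress.IPv4Network]) -> ipaddress.IPv4Network:
    """Return the internal network the range fits into, or raise ValueError explaining why not."""
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if lo > hi:
        raise ValueError("Start IP Address is above End IP Address")
    for s, e in existing:
        es, ee = ipaddress.ip_address(s), ipaddress.ip_address(e)
        if lo <= ee and es <= hi:                      # the two intervals intersect
            raise ValueError(f"overlaps existing range {s}-{e}")
    for net in internal_networks:
        if lo in net and hi in net:
            if lo == net.network_address or hi == net.broadcast_address:
                raise ValueError(f"range includes the network or broadcast address of {net}")
            return net
    raise ValueError("range does not fit into any internal network (LAN, VLAN or DMZ)")


def dhcp_hostname(ip: str, prefix: str, domain: str) -> str:
    """Hostname handed to a client: prefix, '-', last octet of the lease, '.', domain."""
    last_octet = str(ipaddress.ip_address(ip)).rsplit(".", 1)[1]
    return f"{prefix}-{last_octet}.{domain}"


# the reduced scenario from the text: LAN, one VLAN, DMZ
INTERNAL = networks("10.1.10.0/24", "192.168.103.0/24", "192.168.200.0/24")


def try_range(start: str, end: str, existing: Sequence[Range] = (),
              internal: Sequence[ipaddress.IPv4Network] = INTERNAL) -> str:
    """Same check as an accept/reject message, handy for vetting a list of ranges in a script."""
    try:
        net = check_new_range(start, end, existing, internal)
        return f"ok: {start}-{end} fits {net}"
    except ValueError as err:
        return f"rejected: {start}-{end}: {err}"


if __name__ == "__main__":
    print(try_range("1.2.3.50", "1.2.3.200", existing=[("1.2.3.10", "1.2.3.100")],
                    internal=networks("1.2.3.0/24")))
    print(try_range("192.168.70.10", "192.168.70.20"))
    print(try_range("192.168.200.50", "192.168.200.100"))
    print(dhcp_hostname("192.168.100.200", "mobile", "local.loc"))   # mobile-200.local.loc
```

Because the prefix is joined to the last octet only, two ranges in different networks that share a prefix can hand out the same hostname (for example the .50 address of the LAN and of the DMZ); use a distinct prefix per range if the hostnames must be unique, as the SMTP Relay list use above requires.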
Related Topics:
· Assign IP addresses using MAC-IP rules
· DHCP Leases
To find the MAC address of a computer, use the ipconfig /all command at the Windows command
prompt, or ifconfig (or ip link) in the command line of Linux systems.
Related Topics:
· Assign IP addresses using Ranges
· DHCP Leases
Lease Time
The Lease Time is the length of time for which a host can use the IP address assigned by the DHCP
service before it must request it again.
· Default Lease Time: the default duration, in seconds, a host can use the given IP address;
· Maximum Lease Time: hosts usually simply ask for an IP address and use it for the default lease
time; they can also ask for a specific lease time, in which case the DHCP service assigns the
address for the requested duration if it is smaller than the maximum, and for the maximum time
otherwise.
To change any of them just hit the Change... button and type in the desired value(s).
These settings control the Gateway, DNS and Domain Name that will be provided to the network
hosts as part of their IP configuration.
· Gateway: determines the Default Gateway to be provided to the hosts requesting the dynamic
IP configuration; by default this is edgeBOX's LAN IP address; will only be provided to internal
network (LAN, for short) hosts;
· Domain: this is the network domain to be provided; it determines the domain to which the
host belongs when getting it's IP configuration; will be provided only to LAN and DMZ (if
enabled) hosts requesting dynamic IP configuration;
· DNS Server(s): this/these are the DNS servers the host should query in order to resolve
names; by default edgeBOX will take on that task, and thus, the default configuration is to
provide edgeBOX's LAN IP address; will be provided on any network zone to which the DHCP
service is reachable.
If you need to change these defaults, click the Change... button and enter the values in the text
fields of the popup dialog.
Related Topics:
· DHCP Leases
It shows you the IP Address assigned, the Device Name (if available), the host's MAC Address,
and the start - From field - and end - To field - dates of each lease.
The Ping Status column will show you if that specific IP Address is currently present on the
network: select an entry from the list and click the Ping button to update this field.
Click the View expired DHCP Leases... option to get a list of leases considered expired.
edgeBOX acts as a transparent caching proxy server. It makes the webpages your network users
visit most frequently load faster and reduces WAN bandwidth usage, by saving parts of the webpages
on the edgeBOX.
To do this, please navigate to the Network section. Follow the Cache Websites link in the Related
Topics corner.
1. Click the Change... button and select a value between 128MB and 8192MB in the Cache
Disc Size drop down list.
2. Hit the Save... button.
By default edgeBOX caches all websites. You can list websites that you don't want edgeBOX to
cache. This is useful for very dynamic websites whose content changes constantly.
To indicate to the edgeBOX not to cache a website:
By default edgeBOX caches the websites your network workers visit, that is, the Proxy Cache
service runs by default. You can stop the service if you don't want edgeBOX to cache any
websites.
To stop edgeBOX's proxy cache click the Stop Service link at the top. To start caching
websites again, click Start Service.
Website Restrictions depend on the proxy: if you stop caching websites, edgeBOX can no longer
block access to the websites you blocked, or to websites containing the words and expressions you
blocked, in the Website Restrictions options of the Security section.
If you have Premium traffic defined in the QoS section, this traffic is not cached by the
edgeBOX.
Service QoS and user QoS configuration differ both in concept and in difficulty. Service traffic
differentiation requires service classification rules, that is, information about how the service's
packets can be recognized among all others on the network. User traffic is much easier to
configure because it only involves assigning a traffic behaviour to a group of users, given by a
Privilege.
The two approaches have different purposes. Suppose we want an IPSec tunnel to keep working no
matter how congested the network is. We then classify the service by creating a rule that assigns
an assured rate to all ESP and GRE packets.
Alternatively we may not care about a particular service and simply want a certain group of users
to keep Internet access even when the network is overloaded. Then we select an appropriate traffic
profile and assign it to the users' Privilege.
We may also want both: the IPSec tunnel and the users' Internet access when the network is
congested. Just apply both configurations. Keep in mind that service classification is always
processed first. Packets are classified in this order:
1. Service classification
2. User Privileges
Classification based on the DSCP mark will only be used when the authentication is turned off
because, otherwise, all traffic is somehow included in a user privilege.
Classes of Service
The differentiated traffic behaviour is given by Classes of Service (CoS). A CoS is implemented by
an internal mechanism that shapes the network traffic to meet a set of expectations such as
minimum rate, maximum delay, maximum delay variation and maximum packet loss.
edgeBOX provides a set of CoS according to the Diffserv model. As the Diffserv nomenclature is
very technical, we use a friendlier one called Olympic. edgeBOX provides the following CoS (the
ToS byte is the DSCP value shifted left by two bits):
Olympic CoS   Diffserv CoS       DSCP (hexadecimal)   ToS (hexadecimal)    Maximum Percentage Rate
BE            DF                 0x0                  0x0                  10% of non premium rate
Bronze        AF11, AF12, AF13   0xa, 0xc, 0xe        0x28, 0x30, 0x38     20% of non premium rate
Silver        AF21, AF22, AF23   0x12, 0x14, 0x16     0x48, 0x50, 0x58     30% of non premium rate
Gold          AF31, AF32, AF33   0x1a, 0x1c, 0x1e     0x68, 0x70, 0x78     40% of non premium rate
The Premium class is the only configurable one, and it cannot be classified directly, neither by
users nor by services. Its purpose is to build a set of high priority subclasses called pipes. A pipe
is a user defined traffic profile that inherits the Premium configuration except for the rate, which
is set by the user. So the Premium class itself cannot be assigned, but pipes can.
The CoS provided for inbound and outbound traffic are not the same. For inbound traffic only two
classes are provided: BE and Premium. There, although Premium has no pipes, it can be classified
directly.
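The following Python example is added here and is not edgeBOX code. It reproduces the CoS table above from the Diffserv definitions (DF is 0; an AFxy codepoint carries class x in bits 5 to 3 and drop precedence y in bits 2 to 1; the IP ToS byte is the DSCP shifted left by two), maps a captured ToS byte back to its Olympic class, and builds a tcpdump filter so that the marking can be verified on the wire after enabling Mark DSCP.

```python
import re
from typing import Dict, List, Tuple

# Added example, not edgeBOX code. Computes the DSCP and ToS columns of the CoS
# table from the Diffserv codepoint names and builds a tcpdump filter per class.

OLYMPIC: Dict[str, List[str]] = {
    "BE": ["DF"],
    "Bronze": ["AF11", "AF12", "AF13"],
    "Silver": ["AF21", "AF22", "AF23"],
    "Gold": ["AF31", "AF32", "AF33"],
}


def dscp_value(codepoint: str) -> int:
    """Numeric DSCP of a Diffserv codepoint name (DF, AF11..AF43)."""
    if codepoint == "DF":
        return 0
    m = re.fullmatch(r"AF([1-4])([1-3])", codepoint)
    if not m:
        raise ValueError(f"unsupported codepoint {codepoint!r}")
    af_class, drop_precedence = int(m.group(1)), int(m.group(2))
    return (af_class << 3) | (drop_precedence << 1)


def tos_byte(dscp: int) -> int:
    """ToS byte as seen in the IP header: DSCP in the top six bits, ECN bits zero."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    return dscp << 2


def olympic_class(tos: int) -> str:
    """Map a captured ToS byte back to its Olympic class ('unmapped' for anything else)."""
    dscp = tos >> 2       # drop the two ECN bits
    for cos, codepoints in OLYMPIC.items():
        if dscp in (dscp_value(cp) for cp in codepoints):
            return cos
    return "unmapped"


def cos_table() -> Dict[str, List[Tuple[str, int, int]]]:
    """Olympic class -> [(codepoint, DSCP, ToS)], i.e. the middle columns of the table."""
    return {cos: [(cp, dscp_value(cp), tos_byte(dscp_value(cp))) for cp in cps]
            for cos, cps in OLYMPIC.items()}


def tcpdump_filter(cos: str) -> str:
    """BPF expression matching IPv4 packets marked with any codepoint of the class."""
    tos_values = [tos_byte(dscp_value(cp)) for cp in OLYMPIC[cos]]
    return " or ".join(f"ip[1] & 0xfc == {t:#04x}" for t in tos_values)


if __name__ == "__main__":
    for cos, rows in cos_table().items():
        print(cos, [(cp, hex(d), hex(t)) for cp, d, t in rows])
    print(tcpdump_filter("Gold"))
    # ip[1] & 0xfc == 0x68 or ip[1] & 0xfc == 0x70 or ip[1] & 0xfc == 0x78
```

Masking with 0xfc is what makes the filter robust: a host that sets ECN bits in the same byte still matches, which is exactly what olympic_class() does when it discards the low two bits.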
VoIP QoS
VoIP traffic classification is handled internally as a pipe: VoIP audio (RTP) packets are classified as
Premium and signalling (SIP, IAX) as Gold. The only configuration required is setting the VoIP
assured rate.
There is one exception: if the VoIP QoS is set to 0, the hidden pipe is no longer used and every
VoIP packet is classified as Gold instead.
The QoS Service can be started and stopped on the service bar at the top of the QoS menu,
Network section. Furthermore, it is possible to decide whether to apply or not QoS on each
interface - WAN and DMZ (if available).
Related Topics:
· Privileges
· Internet Traffic
· DMZ Traffic
· Maximum Rate: sets the maximum upload rate; this can be used to limit the upload rate for
all the upload traffic;
· Premium Assured Percentage: sets the maximum percentage of the upload bandwidth
assigned to the Premium CoS;
· VoIP Assured Percentage: sets the percentage of upload Premium bandwidth to be used
for VoIP traffic.
The Advanced Configuration... button opens another window with the advanced upload QoS
settings. These settings consist of the following:
· Mark DSCP: by checking this, packets will be classified and marked according to the Diffserv
architecture; enable this feature only if you have an SLA (Service Level Agreement) with your
ISP;
· Allow other classes to borrow unused Premium bandwidth: selecting this option lets another
CoS use Premium bandwidth whenever it requests it and that bandwidth is not being used.
Otherwise unused Premium bandwidth always stays unused.
· Pipes Management: by clicking on the New (or Edit) button a window will be presented with
the Pipe configuration. It includes:
· Premium Assured Rate: percentage of the maximum download rate that will be used for
the Premium CoS.
As mentioned, service classification has higher priority than user Privileges and is always applied first.
The service configuration panel is accessed in the Network section, QoS menu by clicking the
Create, edit or remove QoS service classification rules option. The parameters which may be
used in service configuration are the following:
· Traffic Direction: sets the direction of the packet; accepted values are LAN->WAN, LAN-
>DMZ, LOCAL->WAN, LOCAL->DMZ, WAN->LAN, WAN->LOCAL, DMZ->LAN, DMZ-
>LOCAL (LOCAL refers to packets going from or coming to the edgeBOX itself);
· Protocol: protocol of the IP packet; accepted values are TCP, UDP, GRE or ESP;
· Source Address: sets the source IP address(es); options are Any IP Address, Single IP
Address or IP Address Range;
· Destination Address: sets the destination IP address(es); options are Any IP Address, Single
IP Address or IP Address Range;
· Source Ports: sets the source ports; it accepts a single port, a port range or a set of ports
and port ranges. This parameter is only visible for the TCP and UDP protocols;
· Destination Ports: sets the destination ports; it accepts a single port, a port range or a set
of ports and port ranges. This parameter is only visible for the TCP and UDP protocols;
· Service Class: sets the CoS that will be assigned to the service. The available options
depend on the traffic direction and on the pipes created. Remember that inbound has only two
classes (Best Effort and Premium) and no pipes.
Service classification rules may conflict. Consider the following two rules in this order of priority:
1. All TCP packets from LAN to WAN, from any IP address, to any IP address, from any port, to the
port range 20-100, classified as upBE;
2. All TCP packets from LAN to WAN, from any IP address, to any IP address, from any port, to
port 22, classified as upGold;
Here rule 2 is never reached because it is subsumed by rule 1: port 22 is inside the port range of
rule 1, and rule 1 has higher priority, so only rule 1 is used to classify these packets.
Inverting the priority, that is, placing rule 2 above rule 1, gives a completely different result:
packets to port 22 are classified as Gold and packets to the other ports from 20 to 100 are
classified as BE.
Specifying service classification rules therefore demands attention to ordering. Rule priority is
changed by selecting a rule and clicking the Up and Down buttons on the toolbar.
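The following Python example is added here and is not edgeBOX code. It checks an ordered list of service classification rules for the problem just described: a later rule whose match set lies entirely inside an earlier rule's can never be reached. The rule fields follow the parameters listed above; the text syntax for addresses ('any', a single IP, or 'a.b.c.d-e.f.g.h') and ports ('any', a port, 'lo-hi', or a comma-separated set) is an assumption of the example, not the box's own format.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# Added example, not edgeBOX code. Finds service classification rules that can
# never match because an earlier (higher priority) rule covers everything they
# would match. Field syntax is assumed: 'any', one IP or 'a.b.c.d-e.f.g.h' for
# addresses; 'any', one port, 'lo-hi' or a comma-separated set for ports.

Interval = Tuple[int, int]


@dataclass(frozen=True)
class ServiceRule:
    direction: str     # e.g. 'LAN->WAN'
    protocol: str      # TCP, UDP, GRE or ESP
    src: str
    dst: str
    sports: str        # not shown by the box for GRE/ESP; use 'any'
    dports: str
    cos: str


def parse_ports(spec: str) -> List[Interval]:
    if spec == "any":
        return [(0, 65535)]
    out = []
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo_i, hi_i = int(lo), int(hi) if hi else int(lo)
        if not 0 <= lo_i <= hi_i <= 65535:
            raise ValueError(f"bad port spec {part!r}")
        out.append((lo_i, hi_i))
    return out


def parse_addrs(spec: str) -> List[Interval]:
    if spec == "any":
        return [(0, 2**32 - 1)]
    lo, _, hi = spec.partition("-")
    lo_i = int(ipaddress.ip_address(lo.strip()))
    hi_i = int(ipaddress.ip_address(hi.strip())) if hi else lo_i
    if lo_i > hi_i:
        raise ValueError(f"bad address range {spec!r}")
    return [(lo_i, hi_i)]


def covers(outer: Sequence[Interval], inner: Sequence[Interval]) -> bool:
    """True when every inner interval lies inside some outer interval."""
    return all(any(o_lo <= i_lo and i_hi <= o_hi for o_lo, o_hi in outer) for i_lo, i_hi in inner)


def shadows(earlier: ServiceRule, later: ServiceRule) -> bool:
    """True when everything `later` would match is already matched by `earlier`."""
    if earlier.direction != later.direction or earlier.protocol != later.protocol:
        return False
    return (covers(parse_addrs(earlier.src), parse_addrs(later.src))
            and covers(parse_addrs(earlier.dst), parse_addrs(later.dst))
            and covers(parse_ports(earlier.sports), parse_ports(later.sports))
            and covers(parse_ports(earlier.dports), parse_ports(later.dports)))


def shadowed_rules(rules: Sequence[ServiceRule]) -> List[Tuple[int, int]]:
    """(index of unreachable rule, index of the higher-priority rule hiding it); index 0 is the top."""
    found = []
    for j, later in enumerate(rules):
        for i in range(j):
            if shadows(rules[i], later):
                found.append((j, i))
                break
    return found


# the two rules from the text
RULE_PORTS_20_100 = ServiceRule("LAN->WAN", "TCP", "any", "any", "any", "20-100", "upBE")
RULE_PORT_22 = ServiceRule("LAN->WAN", "TCP", "any", "any", "any", "22", "upGold")

if __name__ == "__main__":
    print(shadowed_rules([RULE_PORTS_20_100, RULE_PORT_22]))   # [(1, 0)]: rule 2 never reached
    print(shadowed_rules([RULE_PORT_22, RULE_PORTS_20_100]))   # []: port 22 Gold, the rest BE
```

The check only reports rules that are completely hidden. A rule that is partly covered (say, destination ports 80 and 443 behind a 20-100 rule) still fires for the uncovered part and is not flagged, so a surprising classification result may still be an ordering issue even when this check returns nothing.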
For convenience, the Internet Traffic popup can also be reached in the Related Topics corner of
the Internet Connection menu in the Network section. Similarly, the DMZ Traffic popup can
identically be reached in the Related Topics, DMZ menu, Security section.
These panels allow you to view traffic control statistics for the Internet Connection and for the DMZ
interface. Data is calculated over a period of 15 minutes from values collected every 2 minutes.
· the two upper corner panels, left and right, show the current inbound and outbound bandwidth
usage and the current QoS Maximum Rate in Kbps, for example 235 Kbps of 20000 Kbps;
For each of the Premium, Gold, Silver, Bronze and Default (BE) QoS traffic classes the outbound
panel displays the same four values: Bandwidth Used, Transmitted Bytes, Transmitted Packets,
Dropped Packets.
For each of the Premium and Default (BE) QoS traffic classes the inbound panel displays the same
four values: Bandwidth Used, Transmitted Bytes, Transmitted Packets, Dropped Packets.
You can use the Reset button to bring all values to zero and restart statistics.
5 VPN
This section allows you to review and change VPN configurations
· IPSec
· PPTP
· L2TP
A Virtual Private Network (VPN) lets two private protected networks, or a user and a private
network, communicate and interoperate over a link through an untrusted network such as the
public Internet.
This is accomplished with authentication and encryption, which protect the traffic from one end to
the other and so provide safe connectivity for remote sites or users.
· IPSec
· PPTP
· L2TP
5.1 IPSec
IPSec VPNs are especially suited for establishing tunnels between two private networks over the
Internet, connecting them securely. This kind of IPSec VPN is referred to as Net to Net IPSec.
edgeBOX also supports the RoadWarrior type, which is best suited for remote users connecting to
a protected network.
To review or manage your IPSec tunnels, navigate to the IPSec menu in the VPN section. An
overview is presented with a list of configured tunnels, their details and their respective status.
To Start or Stop the IPSec function globally you can use the usual Start Service and Stop Service
options at the top of the menu, in the service status bar. Please note that the IPSec service can not
be started if the WAN interface is not configured.
In addition to the usual management operations (New, Edit and Delete) you can also Start, Stop
and refresh the Status of each tunnel.
Please note that the Status function only works correctly when edgeBOX has an interface directly
connected to the tunnel's local network. Otherwise the Status function will not report correct tunnel
status information.
To create a new IPSec tunnel, choose between two kinds of IPSec: Net to Net and RoadWarrior.
The Configured Tunnels table shows several details about each tunnel:
For running tunnels you can select the entry and right-click it. A context menu offers a View
option that shows the current details of the running tunnel. All other options are also available.
IPSec Routes
edgeBOX automatically generates and manages the IP routing details necessary for the correct
handling of IPSec traffic between the two tunnel endpoints. These routes are distinguished with
a specific 'IPSec' identifier in the Device column of the System Routes panel in the Network
section.
Related Topics:
· Routes
5.1.1 General
After clicking New and choosing the type of IPSec - Net to Net or RoadWarrior - you can configure
several details for the tunnel:
General Tab:
The general tab allows you to configure a VPN tunnel with a minimum of information. That is, a
number of networking and security related parameters are automatically set for you. If you need to
review them or change them, go to the Advanced Tab. Depending on the type of VPN tunnel, you
should provide:
· Local Network: IP Address and Netmask specifying the internal segment on the "local" side of
the tunnel; could be your local LAN (ex. 192.168.100.0/255.255.255.0) or any of your VLANs
(ex. 192.168.101.0/255.255.255.0);
· Shared Key: both local and remote ends of the tunnel must have the same key to initiate
encryption; this key is the pre-shared secret (PSK); the PSK should be generated from purely
random characters;
· Remote Network: IP Address and Netmask specifying the IP segment on the "remote"
side of the tunnel (as will be "seen" locally);
· Gateway: the IP Address of the IPSec server this tunnel is to be established to;
RoadWarrior specific:
5.1.1.1 Advanced
You'll find all IPSec Advanced configurations in the Advanced Tab.
This tab shows you an overview of your current options. To let you fine tune them, a specific
Configure... button exists in each of the four configurable sections. The default values are:
Proposals
· Phase One
· Phase Two
· Perfect Forward Secrecy: provides additional security by preserving the confidentiality of your old
encrypted data even if the private key is compromised;
· Aggressive Mode: enables faster tunnel creation/operation as fewer messages are exchanged
between peers, but exposes the identities of the peers to potential eavesdropping, making it less
secure; generally speaking, avoiding aggressive mode should be preferred when possible; usually
set to on.
ID Information
· Local ID: default local ID (IP Address) or, alternatively, an IP Address, a FQDN or an e-mail
address;
· Remote ID: default remote ID (IP Address) or, alternatively, an IP Address, a FQDN or an e-mail
address;
· Incoming Access: list of rules specifying whether your hosts are, or aren't, visible to remote
hosts over the tunnel;
· Outgoing Access: list of rules blocking access of your hosts to the remote network; by default all
hosts in the network will be able to use the tunnel;
Allowed Services
· this add/remove service list provides the means by which edgeBOX services are allowed or denied
through the tunnel; you can grant or revoke access to services running on the edgeBOX for hosts
in the remote network.
5.2 PPTP
PPTP is used to establish VPN tunnels across the Internet. This allows remote users to access the
internal network from anywhere on the Internet.
In the PPTP menu, VPN section, you can review and change your PPTP configuration. A short
overview is provided:
· Remote Users are authenticated by the: local authentication service or remote RADIUS
server
· Connected Users: a table where each connected user is listed as well as the IP address of the
client machine from where the connection was established, and the time at which the connection
was established.
When using PPTP with the default remote gateway option checked on the local PC (in the
connection's TCP/IP options), you will not be able to access the Internet via the PPTP connection. This
is because it makes more sense to access the Internet via your local network, which reduces edgeBOX
traffic and encryption overheads. Please review that option if you lose access to the Internet.
Related Topics:
· Privileges
User Authentication
· Authenticate the remote users using the local authentication service: selecting this
option means that the authentication will be performed by edgeBOX. No additional
configuration is needed, such as RADIUS user creation. Authorization for PPTP VPN use is
configured in the User Management panel.
· Authenticate the remote users using a remote RADIUS server: type the IP Address,
the Port and Password for the RADIUS server;
IP Address Assignment
These two fields allow you to set the IP address range which will be assigned to clients connecting
through PPTP. The address range should not overlap the DHCP range, nor should any static IP
addresses in this range be defined.
The process by which edgeBOX determines whether a given user trying to establish a PPTP
connection is allowed to do so depends solely on the Privileges defined for that user. You
should keep in mind that edgeBOX manages all user permissions around the concept of Privileges.
Access to PPTP is one of those features.
When a user accesses the network using a PPTP connection, the privileges the user has are related
to the access profile the user belongs to. edgeBOX verifies the access rules defined on the
profile of the user to determine access to the LAN and VLANs.
If the profile of the user has the Allow full access to LAN from PPTP connections option
switched on then the user will have access to the LAN as if he was a regular LAN user, with access to
the network services based on the profile policies he belongs to. Else, the user will have no access
privileges at all besides the specific access rules defined in the Access Profile's Destination
Access Policies list.
If you want PPTP users to authenticate against a remote RADIUS server instead of the edgeBOX,
then the whole process is handled by the remote server, so you don't need to create the users in the
edgeBOX.
PPTP users that authenticate against a remote RADIUS server will always belong to the 'Default'
access profile, as it is impossible for the edgeBOX to know who they are.
Related Topics:
· Privileges
5.3 L2TP
Layer Two Tunneling Protocol (L2TP) is an extension of the Point-to-Point Tunneling Protocol (PPTP)
used by Internet service providers to enable the operation of a virtual private network (VPN) over the
Internet.
If you need to configure L2TP go to the VPN section, L2TP menu. A quick overview is provided
stating the current tunnel status.
· Password: Password on the server used for authentication, which is the password for the
above username
· PSK: Pre-Shared secret key (must match the one on the server)
At the end make sure the L2TP service is running. Note: L2TP itself is not encrypted; it simply
provides the tunnel connectivity. Encryption/privacy should be provided by higher protocol layers
and/or applications.
6 Security
This section allows you to review and change Security related settings such as:
· Firewall: WAN and DMZ service access, Internal Connections, Advanced Firewall, SPI
· Mail Scanner
6.1 Firewall
Configuring the Firewall is an important aspect in the global security of your network, your network
services and your users.
· Apply Firewall settings for connections coming from the Internet and the DMZ
If you do not activate the Firewall service edgeBOX will be working in pure router mode – all services
will be available.
Enabling or disabling a service allows or blocks access to that service on the edgeBOX. Blocking, for
example, FTP prevents internal users from accessing edgeBOX's FTP service but still allows users to
FTP, through the firewall, to outside servers. If you wish to block users' connections to other servers
besides edgeBOX then you should look at the user Privileges section.
Related Topics:
· Services
· Privileges
· Connections allowed coming from the Internet: connections originating in the Internet
directed at edgeBOX will be allowed if listed;
· Connections allowed coming from the DMZ: connections originating in the DMZ directed at
edgeBOX will be allowed if listed;
To add or remove a service from these lists click the Change... button. A new dialog window will
popup. In this new dialog please select the sub-panel you wish:
· Internet (WAN), or
· DMZ Network,
and use the Add and Remove buttons to edit the allowed services list according to your needs (note
that managing the firewall is only allowed if the service is running). See an example:
Suppose you wish to block any connections to your SNMP agent that originate in the Internet. You need
to press the Change... button and select the Internet tab. Then, if the SNMP service is listed you need
to remove it from the list (if it is not listed you're done here). Click it and click the Remove button.
Click Save. That's it: starting now, any connections coming from the Internet to the SNMP service are
not allowed.
Please note that the services you add to this list will be unreachable from the LAN and VLANs
(in the Internet and DMZ panel the rule logic was the opposite: to allow connections; here the rule is
"services added here are not allowed").
The interface is similar. Just Add and Remove items from the list. Press Save in the end.
Services added to the Internal Connections... (blocking) list will be blocked to the LAN and
VLAN users, no matter what configurations you might add somewhere else.
How do I fine tune and manage connections that originate in the internal network ?
This is an important topic when configuring your edgeBOX. You need to keep in mind that edgeBOX
supports extensive mechanisms for granting and controlling Users and their Privileges. Even if
you don't activate the User Authentication service you can manage which services your users have
access to. Please refer to the Users section for detailed information.
Check the Use Advanced Firewall Rules option to activate the rules panel. Configure:
· Default Rule: click Allow or Deny to determine the default rule to be applied when no rule
matches (a Red/Green icon will toggle indicating the current default rule);
A Stateful firewall raises the level of network security obtained because only packets
matching a known connection state will be allowed by the firewall; others will be rejected.
This is an actual increase in network security because it increases the ability of the
firewall to determine whether a packet is supposed to be allowed in.
You can have a distinct Default Rule and a different SPI setting for each traffic direction. Now you
need to add or edit rules.
Rules
You can create New... rules and Edit... or Delete... existing rules. The order by which rules will be
verified can be changed with the Up and Down buttons.
For each rule, a wizard-like sequence of dialogs will guide you through the creation or editing of your
advanced firewall rules:
· Connection Type: All, TCP (you can choose All destination ports or specify individual ports or
even port ranges like 21, 22, 80, 500-600), UDP (same as TCP) and ICMP;
· From location: Any (connections that originate anywhere), Device (connections that originate in a
specific IP Address), Network (connections that originate in a specific segment, as specified by an
IP Address and a Netmask) and edgeBOX (connections originating in edgeBOX itself);
· To location: Any, Device, Network, edgeBOX (connections directed at this edgeBOX itself).
Show me an example
Let's imagine you need to prevent all computers in the IP segment 1.2.3.0/24 from sending any kind of
e-mail through SMTP. This is how you'd do it: Step 1 Block TCP port 25; Step 2 From Network
1.2.3.0/255.255.255.0, To Any; Step 3 Name nosmtp123.
On the other hand, you might wish to deny any kind of access to a specific host: Step 1 you'd need
to Block All; Step 2 From: Any, To: Device (that specific host's IP Address); Step 3 name it
forbidden.
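To make the rule model concrete, here is an added example (not edgeBOX code) of an ordered, first-match evaluator over rules built from the wizard's three choices: connection type with a port spec like "21, 22, 80, 500-600", a From location and a To location, falling back to the Default Rule. The two rules from the example above are loaded; the edgeBOX address and the host blocked by the "forbidden" rule are constructed values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed address for the edgeBOX itself, used for the "edgeBOX" location kind.
EDGEBOX_IP = "192.168.100.254"


def parse_ports(spec):
    """Turn a port spec like '21, 22, 80, 500-600' into a list of (low, high) ranges.
    'All' (or an empty spec) returns None, meaning every destination port matches."""
    if not spec or spec.strip().lower() == "all":
        return None
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        low, _, high = item.partition("-")
        low = int(low)
        high = int(high) if high else low
        if not 0 < low <= high <= 65535:
            raise ValueError(f"invalid port item: {item!r}")
        ranges.append((low, high))
    return ranges


def parse_location(kind, value=None):
    """Any / Device <ip> / Network <ip>/<netmask or prefix> / edgeBOX, as in the rule wizard.
    Returns None for Any (matches every address) or an IPv4Network otherwise."""
    kind = kind.lower()
    if kind == "any":
        return None
    if kind == "device":
        return ipaddress.ip_network(value)            # single host -> /32 network
    if kind == "network":
        return ipaddress.ip_network(value, strict=False)  # accepts 1.2.3.0/255.255.255.0
    if kind == "edgebox":
        return ipaddress.ip_network(EDGEBOX_IP)
    raise ValueError(f"unknown location kind: {kind!r}")


@dataclass
class Rule:
    name: str
    action: str                            # "Allow" or "Deny"
    proto: str                             # "All", "TCP", "UDP" or "ICMP"
    ports: Optional[list]                  # from parse_ports(); only used for TCP/UDP
    src: Optional[ipaddress.IPv4Network]   # From location (None = Any)
    dst: Optional[ipaddress.IPv4Network]   # To location (None = Any)

    def matches(self, proto, src, dst, dport=None):
        if self.proto != "All" and self.proto != proto:
            return False
        if self.proto in ("TCP", "UDP") and self.ports is not None:
            if dport is None or not any(lo <= dport <= hi for lo, hi in self.ports):
                return False
        if self.src is not None and src not in self.src:
            return False
        if self.dst is not None and dst not in self.dst:
            return False
        return True


def evaluate(rules, default_action, proto, src, dst, dport=None):
    """Rules are checked in table order; the first match decides. If nothing
    matches, the Default Rule applies. Returns (action, rule name)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(proto, src, dst, dport):
            return rule.action, rule.name
    return default_action, "default"


# The two rules from the manual's example, in table order.
RULES = [
    Rule("nosmtp123", "Deny", "TCP", parse_ports("25"),
         parse_location("Network", "1.2.3.0/255.255.255.0"), parse_location("Any")),
    Rule("forbidden", "Deny", "All", None,
         parse_location("Any"), parse_location("Device", "203.0.113.10")),  # constructed host
]

if __name__ == "__main__":
    for args in [("TCP", "1.2.3.7", "198.51.100.1", 25),
                 ("TCP", "1.2.3.7", "198.51.100.1", 587),
                 ("UDP", "10.0.0.5", "203.0.113.10", 53),
                 ("ICMP", "1.2.3.7", "198.51.100.1")]:
        print(args, "->", evaluate(RULES, "Allow", *args))
```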
RFC 1918 determines that "because private addresses have no global meaning, routing information
about private networks shall not be propagated on inter-enterprise links, and packets with private
source or destination addresses should not be forwarded across such links".
Because edgeBOX is designed to operate in a variety of network configurations, edgeBOX
can have its WAN interface attached to a public or private IP segment. So edgeBOX's default
behaviour is not to block routing of incoming or outgoing packets based on the nature (public or
private) of the WAN segment.
If you need to implement such behaviour you should add specific firewall rules in the Advanced
Rules... menu.
This interface is configured with an IP address range accessible from the external network (in case
the external network is the Internet, this range will be a public range, and so your ISP must provide
routing to it). Although this address space is accessible from the external network, you will have to
explicitly grant access to hosts residing in it, via appropriate rules. Next, we will show the options
available for configuring a DMZ.
Go to the DMZ menu in the Security section. As usual you can start and stop the service on top.
Make sure you configure an appropriate address range for the DMZ interface, and that traffic with
this subnetwork as its destination is being appropriately routed to edgeBOX. After checking this
option you will need to create rules to grant access to hosts residing in this subnetwork. The rules
are shown in a table which can be modified with the following options: New, Edit and Delete.
· Port: If you select this option, you will need to specify the single port to which access will be
granted.
· From... To: if you select this option, you may specify a port range to which access will be
granted
· Protocol: The specific protocol to which access will be granted. Choices available are TCP,
UDP, ICMP and ALL.
Related Topics:
· DMZ Traffic
NAT (Network Address Translation) translates the private IP addresses of computers in your internal
networks to a single public IP address, so that the computers can connect to outer networks like the
Internet and have access to several services.
With NAT, you are able to use private addresses in your internal network. All requests made from
internal hosts are seen by the external networks as being made by edgeBOX, which then translates
the response packets' destination addresses back to the originating internal host.
NAT is by default enabled on the edgeBOX. Also, by default, it is already configured for the LAN and
for each of the VLANs. So you can connect to outer networks from the computers of your network
immediately, without needing to configure anything.
2. Type the IP address and the Netmask of the network for which you want to have NAT working
(most likely it's one of your internal networks, LAN or VLAN)
3. Use the Drop-Down list to select the interface used to reach the network you just indicated.
Show me an example...
If you use 10.10.10.0/255.255.255.0 for Network IP/Netmask and WAN for the Interface, you are
actually providing the means for the hosts on the 10.10.10.x IP segment to have access to the
Internet or any other external network accessible through the WAN interface, by NAT'ing their IP
addresses on the WAN segment.
Port forwarding allows remote computers (e.g. public machines on the Internet) to
transparently connect to a specific computer within your private networks so they can use
services that your computer shares, like a web service or an e-mail service. With port
forwarding, you can make a service run on an internal host visible to the outside world, as if it
was running on edgeBOX itself.
To make one or more internal services available to external networks click the New button to
create a new entry in the Port Forwarding table. A new dialog will appear. Please specify:
· Interface: choose the interface where you want to make the port forward available (
WAN or DMZ).
· External Settings
· Single Port: to indicate the external Port visible in the interface chosen or,
· Range of Ports: to indicate the start and end ports of the Range of external
ports.
· Internal Settings
· Internal IP: address (in your local network) of the computer that is running the
service you want to make available;
· Single Port: to indicate the internal port, from that IP address, where the
traffic will be forwarded to;
· Range of Ports: to use the same range of ports that was chosen in External
Settings (this option is only available if you have selected Range of Ports in
External Settings).
Note: The web filtering service only blocks words in URLs and domains in HTTP (port 80) traffic;
HTTPS and FTP traffic cannot be checked. Also note that HTTP traffic that is configured to use
Premium bandwidth cannot be blocked. This is because Premium bandwidth HTTP traffic bypasses
edgeBOX's Proxy. Also, HTTP traffic that has QoS rules defined in the QoS Services panel cannot be
blocked either.
To configure this service just point your browser to the Security section, Website Restrictions
menu. Clicking the New... button you should choose the type of file you are uploading:
After uploading any file you should enable/disable their usage by clicking the Enable/Disable buttons
according to your needs.
6.5.1 Domains
File Format
The format of the uploaded file is one entry per line.
Each line in the file may be a domain to deny, or can contain regex expressions.
To find out more about regex expressions, visit: http://www.regular-expressions.info
A single domain will match all URLs under that domain and is case-insensitive.
A domain preceded by a dot will match that domain and all subdomains.
A single word will match all URLs which contain that word, either completely or as a substring.
It matches the second URL as it contains ToGoOver, which contains the word GoO (recall that the
word lists are not case sensitive).
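The following is an added example (not part of the manual or the edgeBOX software) that implements the three plain entry kinds described above as a case-insensitive matcher: a bare domain is taken as an exact host match, a dot-prefixed domain covers the domain and its subdomains, and a dotless word is a substring match over the whole URL. Regex entries are not handled, and the block list contents are constructed.

```python
from urllib.parse import urlsplit

# Constructed block list in the one-entry-per-line format described in the manual.
# Blank lines and lines starting with '#' are skipped (an assumption of this example).
BLOCKLIST_TEXT = """\
# plain domain: exact host match
example.com
# dot-prefixed: the domain and every subdomain
.social.example
# single word: substring match anywhere in the URL
GoO
"""


def parse_domain_list(text):
    """Return a list of (kind, value) entries with kind 'host', 'suffix' or 'word'.
    Values are lower-cased because the word lists are not case sensitive."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip().lower()
        if not line or line.startswith("#"):
            continue
        if line.startswith("."):
            entries.append(("suffix", line.lstrip(".")))
        elif "." in line:
            entries.append(("host", line))
        else:
            entries.append(("word", line))
    return entries


def host_of(url):
    """Extract the lower-cased host name, tolerating URLs typed without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def find_match(entries, url):
    """Return the first (kind, value) entry that blocks the URL, or None if it is allowed."""
    url_lower = url.lower()
    host = host_of(url)
    for kind, value in entries:
        if kind == "host" and host == value:
            return kind, value
        if kind == "suffix" and (host == value or host.endswith("." + value)):
            return kind, value
        if kind == "word" and value in url_lower:
            return kind, value
    return None


if __name__ == "__main__":
    entries = parse_domain_list(BLOCKLIST_TEXT)
    for url in ["http://EXAMPLE.com/news", "http://www.example.com/",
                "http://video.social.example/clip", "http://www.ToGoOver.net/",
                "http://www.safe.org/"]:
        print(url, "->", find_match(entries, url))
```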
To perform the installation and configuration of Anti Virus engines and update their IDE files,
navigate to the Security section, click the Mail Scanner menu, and then click the Anti Virus
Engines link, in the Related Topics list.
Select the desired Anti Virus engine and hit the Install or Update button. The Install dialog will
require you to select the appropriate file from your computer. The rest of the task will be automatic.
Currently the supported Anti Virus engines are: Sophos, McAfee and ClamAV.
Related Topics:
· E-Mail server
Schedule
· Scan every day at: choose the time of day for the operation,
· using: the Virus Scanning package to use; possible choices are Sophos, McAfee or ClamAV
(Sophos and McAfee engines are not shipped with edgeBOX, so these choices are not
available from the dropdown, unless they are installed)
· Also scan files when they are placed inside the shared folders (this option is only
available for ClamAV).
Actions
Related Topics:
· Anti Virus Engines
Basic Configuration
Please select whether or not e-mail should be scanned for viruses. If so, please specify:
Advanced Configuration
To access further Anti Virus operation details click the Advanced Configuration... button:
· Messages: special options for detecting types of messages or scanning based on message
characteristics;
· Actions: for finer grained configuration of actions to be performed in case a virus is found.
Quarantine
If any e-mails were placed in quarantine you can inspect them by clicking View Quarantine. This will
give you access to the list of infected e-mail messages and their details. You can, at this point, decide
to Forward the message(s), to Unblock them, to Delete them or to View Attachments. There is also a
filter for faster search. See more.
Related Topics:
· Install and Manage Anti Virus Engines
· E-Mail Server
6.8.1 Messages
Message characteristics
· Allow partial messages - allow messages that contain only a fraction of the attachments. As
the scan is not performed on the whole message but on its fragments, it will not be done
properly.
· Allow external message bodies - allow messages where the body is stored in a remote
server and not in the actual message. It will be up to the e-mail client to fetch the message
body later.
Setting this option is particularly dangerous. MailScanner never scans the message body
so it may allow viruses into your network.
· Convert HTML to text - enable the conversion of all HTML tags into plain text.
· Block encrypted messages - enable blocking of encrypted messages.
· Block unencrypted messages - enable blocking of unencrypted messages.
· Expand TNEF - enable expanding of TNEF attachments that are joined in one WINMAIL.DAT
file. If you don’t check this option then the filenames within the TNEF attachments will not be
checked.
6.8.2 Actions
Possible Actions:
6.8.3 Quarantine
View the incoming or outgoing e-mails that are put under quarantine (blocked) by edgeBOX because
they may contain files with viruses.
The e-mails are grouped by date inside folders in the list on the left. You can expand and browse
through the folders to find the e-mails. If you expand an e-mail you will be able to see the sender
and the receiver of the mail. If you select an e-mail, its attachments appear on the list on the right.
To remove a blocked e-mail from quarantine and deliver it to its intended receiver:
Make sure you remove all infected files of an e-mail before you unblock it. Delete all
attachments with viruses.
Delete an e-mail
If you want to send a blocked e-mail to a different person than its original receiver:
You can also perform operations on the attachments of the e-mails. This is particularly useful to remove
viruses from the e-mails without deleting the e-mail. This way you can remove the files that are
infected and then still deliver the e-mail to the receiver.
E-mail spam, also known as junk e-mail, involves nearly identical messages sent to numerous
recipients by e-mail. A common synonym for spam is unsolicited bulk e-mail (UBE). Definitions of
spam usually include the aspects that e-mail is unsolicited and sent in bulk. "UCE" refers specifically
to unsolicited commercial e-mail. Spam usually confuses and annoys e-mail users.
In the Security section you'll find the Mail Scanner configuration menu. Click the Anti-Spam tab.
A short summary is presented. Click the Configure... button. Please choose if messages will or will
not be filtered for SPAM. If so, then specify:
· Also log spam-related events: this will make spam related activity to show up in the logs;
An RBL server, or DNSBL, contains lists of Internet servers that are considered to be spammers or
abusers. These lists are dynamic. See details in http://en.wikipedia.org/wiki/DNSBL
Related Topics:
· Install and Manage Anti Virus Engines
· E-mail Server
7 Office Servers
This section allows you to explore and configure several services that enable
communication between people and integration of software resources in your
company/office. You may wish to:
edgeBOX's internal Web Server can simultaneously serve and manage several distinct and
separately configurable virtual webservers.
This important feature is usually referred to as Virtual Hosts: with a Virtual Hosts enabled web
server, like edgeBOX's, you can set up and deploy any number of virtual Internet or Intranet HTTP
servers transparently. To do this just hit the New button at the top of the Websites managed by
edgeBOX list and follow the details...
The Web Server menu displays a short summary of the global settings. Click Change... to alter this:
· Maximum Accesses: the maximum number of simultaneous connections the web server will
allow before starting to refuse new connections; the default configured value is 150, which
should be more than enough for the majority of situations; you can safely lower this value,
unless you plan to set up several web sites and expect to have a considerable amount of traffic
for all of them;
· Personal Webpages: check the box if users will be allowed to have personal web pages; if
so, those pages will be located in the user's home directory, under the public_html directory;
the user will be able to manage their personal webpage through FTP – after logging on, they
will automatically be placed in their directory. How do I access my personal page ?
Let's assume user John Smith, with username jsmith. The user's personal webpage URL will be
formed from the concatenation of:
So, if the main URL is http://edgeBOX.somedomain.com, then Mr. Smith's webpage will be
accessible at:
· http://yourcompany.somedomain.com/~jsmith or
· http://yourcompany.somedomain.com/users/jsmith
· Webmaster account: this option allows you to change the password for user 'webmaster';
the 'webmaster' has FTP access and owns the directory tree for the Intranet and Internet
websites; the FTP root directory will initially contain two directories ("intra" and "inter"),
corresponding to these websites, but more may be created. This account is initially disabled so
you will have to set a password in order to use it.
Please note: the Webmail service depends on the Webserver; so, if you stop the Webserver, keep
in mind that your Webmail users will lose access to the Webmail.
· Website URL: the name of this virtual host such as mycompany.mydomain.com; a DNS
related warning may popup...
... just to remind you that an A or CNAME record needs to be added to the DNS for this setup
to be complete; note well: you have just entered a name for a host; either this name is
translated to an IP in the outside world, or edgeBOX must translate it; in this case, for example,
if your domain is local.loc, and you add a virtual host for docs.local.loc, then you need to add a
DNS entry for host docs pointing to edgeBOX’s IP Address. Otherwise, no one will be able to
reach this website, simply because the DNS name-to-IP translation cannot be performed;
edgeBOX will either create an appropriate DNS host entry for the domain, or remind you that
you will need to create one manually.
If the domain for the new web server entry does not exist:
· and the edgeBOX is not the master domain, the administrator will be informed
that the DNS entry needs to be added manually on the system which is hosting the
domain.
· and the edgeBOX is the master domain, then the new host for that domain will be
added to the DNS domain and the administrator will be informed via a popup.
The DNS entry will only be created if the above condition exists and if the condition shown in
the following table is true:
DNS host information will not automatically be deleted when the web server host is deleted.
· Internal Website: if this website is only accessible internally (like an Intranet), or if it will be
globally available;
· Files Location: where this website's files (html pages, png images, other) will be stored;
options are:
· In the public_html directory: of a given user; type the username; this website will
correspond exactly to the given user's personal webpage;
· In the directory: just type in the name of a directory to store this site's files (if it
does not exist it will be created); this directory will be located under /home/wwwhost, which
is the filesystem directory where the webmaster user will be placed after logging on
through FTP; the webmaster must then access edgeBOX using FTP and transfer the
website's files into the correct directory; the webmaster password must be activated
before the account is created; please refer to Webmaster Account in the previous
section;
· The files are not stored locally: this option enables you to setup a web site by
aggregating several other sites solely by using redirection of requests; all URLs
accessible on this site, will actually, be redirected to other URLs that you specify in the
table below;
· Additional redirect requests: use the Add..., Edit... and Remove buttons to manage the
list of redirection URLs; if the edgeBOX receives a request for the proxy domain, it will send
the request to the proxy (as nominated in the URL field) and add the path (if there is one) to
the request. For example, if Path=/support/4.7/ and url=http://192.168.100.150, a request to
the edgeBOX for www.clk.com/support will be redirected from the virtual host to the proxy at
http://192.168.100.150/support/4.7/;
· Webmaster E-mail: the optional webmaster e-mail address; if someone tries to load a non-
existent URL, a warning page will be returned with this e-mail address as a footnote, in case
the person wishes to get in contact.
· Configure other settings and permissions like relay control and message size.
Related Topics:
· Scanning E-mail for Viruses
The table presented shows you the queue of incoming and outgoing e-mails that edgeBOX e-mail
server is processing at the present moment and also e-mails that, for some reason (destination
SMTP server temporarily unreachable, or other reasons) are queued in edgeBOX's e-mail
server awaiting delivery. You can:
· Deliver All: a delivery operation will immediately be attempted; although edgeBOX tries to
deliver all incoming and outgoing e-mails in the queue every 10 minutes, this option allows you to
perform such an attempt immediately; please note that the process of attempting delivery may
take some time; in the end some messages may still remain undeliverable; so, please be sure
to reload this panel after some seconds or minutes (especially if there are many messages to
be processed in the queue);
· Forward: click the Forward button after selecting an e-mail; you can forward queued e-mails
to another receiver; this can be useful when, for example, an e-mail is blocked in queue
because its destination e-mail is invalid;
· View Message: click the View Message button after selecting a message to get the details;
Date, From, To, Subject, Size and Status;
Domains
E-mail domains let you configure more than one virtual e-mail server for your company. For example
you could receive e-mails being sent to:
· @mother-house.mybusiness.com and
· @spin-off.mybusiness.com.
You can add as many domains as you wish. edgeBOX will accept e-mail, directed at edgeBOX's
users, for any of the domains specified. Just hit the New button and enter the desired domain.
This topic is not related to domain relaying: see Access Control for details on relaying.
Webmail
Only one domain may be a Webmail domain. For details on using and accessing the webmail
functionality, check Web Mail. To specify the webmail domain click the Change... button and:
· Enable webmail for the specified domain: check this if you wish to enable webmail;
uncheck it if you don't want webmail;
Also note, that the Web Server must be running to access Webmail; so, if you stop the Webserver,
keep in mind that your Webmail users will lose access to their e-mail.
With this element you can provide alternate names for individual users, forward e-mail to another
host or create mailing lists. This table has some predefined aliases related with management that
can not be deleted.
You can choose to redirect e-mail for these aliases to another user, so that they receive the
messages.
Let's imagine edgeBOX user jsmith is actually the person in charge of maintenance in your company.
You can create an e-mail alias for the maintenance service called help-24-7. Just hit the New
button and enter:
· E-mail addresses that will receive the messages: click Add and type jsmith.
That's it. All e-mails sent to help-24-7 will actually be received by Mr. Smith instead (the help-24-7
account doesn't actually exist: it's an alias).
Following the above example, let's say your company has hired the services of an external
maintenance company called Nice&Clean, Inc. Mr. Smith has determined that all e-mails requesting
help will also be received by the guys at Nice&Clean.
All you have to do is: select the help-24-7 / jsmith entry in the aliases table; hit the Edit button
and, in the popup, hit the Add button; type wecanfixit@niceandclean.com in the text field; Save
all in the end.
Starting now, all e-mails sent to the help-24-7 alias will be delivered to Mr. Smith and to the
people at Nice&Clean.
Server Settings
To change any of these hit the corresponding Change... button. The details are:
· Connections Limit: the maximum number of simultaneous connections; above this value,
connections will be rejected; the default setting is Unlimited; check the box and enter the value
you need;
· Message Size Limit: e-mail messages with size greater than this value are not accepted;
depending on your specific needs you might wish to limit the message size to, say, 10 MB or
50MB; these are typical values; the default value is Unlimited; check the box and enter the
value you need;
· Storage Location: by default e-mail is stored on edgeBOX; you can change this; if you
choose a different host for storing e-mail, edgeBOX will initially accept e-mail directed at any
of its e-mail domains and then forward those messages to the e-mail storage server; your
network users will typically interact directly (Webmail, SMTP, POP, IMAP) with the storage
server instead of edgeBOX; if you choose to Save e-mail data in an external server,
please specify:
· Keep original e-mail envelope address: check this if you wish the domain name to
which the e-mail was originally sent to be preserved, even though the user will receive
the e-mail from a different server;
· Check the box if the SmartHost requires Authentication and type the Username
and Password.
E-mail permissions
· Whether users can send e-mail to external domains from within the local network;
· Whether users can send e-mail to external domains from outside (relay support);
You can also create advanced access control rules based on host, domain, sender and receiver.
Click the Change... button and follow the details here...
Unresolvable Domains
When a sender domain can't be resolved, the e-mail's origin cannot be verified; this technique is
widely used by spammers; check the box if you want to:
· Accept e-mail from unresolvable domains; for security reasons the default behaviour is
not to accept;
· Allow users to send e-mail to external domains from within the local network;
· Allow users to send e-mail to external domains from outside (relay support):
by checking this option you are allowing relay to users who have authenticated while reading
e-mail through POP3 (usually referred to as pop-before-smtp); this is a time-limited authorisation
that expires some time later; this setting is particularly useful for users who connect from
external networks (while travelling, for example) and for whom you want to allow relaying;
normally you only permit e-mails to be relayed (sent) from within your own network, but some
users travel and connect from other places and you want to let those users send (relay) e-mail
through your server: whenever someone logs in via POP3, the server notes the IP address
from which the connection was made and permits relay from that IP for a limited period. Note
that the grant is tied to the IP address, not to the user: every host sharing that address (for
example, everyone behind the same NAT gateway as the travelling user) can relay through
edgeBOX until the grant expires.
Advanced Permissions
Allows further refinement of acceptance/denial rules for incoming e-mail based on domains, IP
addresses, senders and receivers. Hit the Change... button. You'll get two lists:
· Choose action: Accept e-mails, Accept and relay e-mails, Reject e-mails; and
select source:
· From specific domain: type in the domain to which this rule applies, e.g.
critical-links.com;
· From specific subnet: type in the first 2 or 3 fields of the subnet address (e.g. 10.1
for a 10.1.0.0/16 segment, or 192.168.100 for a 192.168.100.0/255.255.255.0
segment);
· From specific e-mail address: type in the sender e-mail address to which this rule
applies;
· Coming From / Going To: select and type the e-mail address to which this rule
applies.
With the Advanced Settings you can build complex rule sets to meet very specific
situations.
Note: When entering a value (e.g. the address or IP), you may use wildcards ("*"). If a given domain
is listed, all its sub-domains are also included in the rule. Be especially careful with Accept and
relay e-mails rules keyed on a wildcard or a whole domain: every host that matches will be
allowed to relay through edgeBOX.
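The following is an added example, not edgeBOX code, of how the relay rules described in E-mail permissions, Unresolvable Domains and Advanced Permissions combine for one incoming message. It implements the matching semantics stated above (a listed domain covers its sub-domains, a 2- or 3-field subnet prefix, "*" wildcards in addresses, and a time-limited pop-before-smtp relay grant keyed on the client IP). The evaluation order (explicit rules in table order, first match wins, then the default policy), the 15-minute grant window, the LAN prefix and every address, domain and rule in the sample are assumptions constructed for the example.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass, field

# Constructed example: rule syntax, evaluation order and the 15-minute
# pop-before-smtp window are assumptions, not documented edgeBOX internals.

ACCEPT, RELAY, REJECT = "accept", "accept_and_relay", "reject"
LOCAL_DOMAINS = {"mybusiness.com", "mother-house.mybusiness.com", "spin-off.mybusiness.com"}


@dataclass
class Rule:
    action: str   # ACCEPT, RELAY or REJECT
    kind: str     # "domain", "subnet", "sender" or "recipient"
    value: str    # domain, dotted subnet prefix, or address pattern with '*'


def domain_matches(rule_domain: str, name: str) -> bool:
    """A listed domain also covers all of its sub-domains."""
    rule_domain, name = rule_domain.lower().lstrip("*."), name.lower()
    return name == rule_domain or name.endswith("." + rule_domain)


def subnet_matches(prefix: str, ip: str) -> bool:
    """'10.1' means 10.1.0.0/16, '192.168.100' means 192.168.100.0/24."""
    octets = prefix.split(".")
    network = ".".join(octets + ["0"] * (4 - len(octets))) + f"/{8 * len(octets)}"
    return ipaddress.ip_address(ip) in ipaddress.ip_network(network)


def rule_applies(rule: Rule, client_ip: str, helo: str, sender: str, rcpt: str) -> bool:
    if rule.kind == "domain":
        return domain_matches(rule.value, helo) or domain_matches(rule.value, sender.rsplit("@", 1)[-1])
    if rule.kind == "subnet":
        return subnet_matches(rule.value, client_ip)
    target = (sender if rule.kind == "sender" else rcpt).lower()
    return fnmatch.fnmatchcase(target, rule.value.lower())


@dataclass
class PopBeforeSmtp:
    """Relay grants keyed by the IP seen at POP3 login; each expires after ttl seconds."""
    ttl: int = 900                                   # assumed window
    grants: dict = field(default_factory=dict)

    def note_login(self, ip: str, now: float) -> None:
        self.grants[ip] = now + self.ttl

    def may_relay(self, ip: str, now: float) -> bool:
        return self.grants.get(ip, 0) > now


def decide(rules, pbs, client_ip, helo, sender, rcpt, now, *,
           lan_prefix="192.168.100", lan_may_relay=True,
           sender_resolvable=True, accept_unresolvable=False) -> str:
    """Explicit rules first (table order, first match wins); then the default policy."""
    local = rcpt.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS
    explicitly_accepted = False
    for rule in rules:
        if not rule_applies(rule, client_ip, helo, sender, rcpt):
            continue
        if rule.action == REJECT:
            return REJECT
        if rule.action == RELAY:
            return ACCEPT if local else RELAY
        explicitly_accepted = True       # ACCEPT: local delivery only, no relay right
        break
    if not sender_resolvable and not accept_unresolvable and not explicitly_accepted:
        return REJECT
    if local:
        return ACCEPT
    on_lan = subnet_matches(lan_prefix, client_ip)
    if (on_lan and lan_may_relay) or pbs.may_relay(client_ip, now):
        return RELAY
    return REJECT


def run_example() -> dict:
    rules = [
        Rule(REJECT, "domain", "spam-example.test"),     # also covers sub-domains
        Rule(RELAY, "subnet", "10.1"),                   # branch office, 10.1.0.0/16
        Rule(REJECT, "sender", "*@blocked.example"),
    ]
    pbs = PopBeforeSmtp()
    pbs.note_login("203.0.113.5", now=1000)              # jsmith read mail from a hotel
    ext, loc = "someone@example.net", "help-24-7@mybusiness.com"
    lan, road, mx = "192.168.100.23", "203.0.113.5", "198.51.100.9"
    return {
        "lan_to_external": decide(rules, pbs, lan, "pc23", "jsmith@mybusiness.com", ext, now=0),
        "outside_to_local": decide(rules, pbs, mx, "mx.example.net", "a@example.net", loc, now=0),
        "outside_to_external": decide(rules, pbs, mx, "mx.example.net", "a@example.net", ext, now=0),
        "pop_window_open": decide(rules, pbs, road, "laptop", "jsmith@mybusiness.com", ext, now=1500),
        "pop_window_expired": decide(rules, pbs, road, "laptop", "jsmith@mybusiness.com", ext, now=2000),
        "subdomain_of_rejected": decide(rules, pbs, mx, "mx.sub.spam-example.test", "x@y.test", loc, now=0),
        "branch_relay": decide(rules, pbs, "10.1.7.7", "branch", "b@mybusiness.com", ext, now=0),
        "blocked_sender": decide(rules, pbs, lan, "pc23", "bob@blocked.example", loc, now=0),
        "unresolvable_default": decide(rules, pbs, mx, "zz", "a@nx.invalid", loc, now=0,
                                       sender_resolvable=False),
        "unresolvable_allowed": decide(rules, pbs, mx, "zz", "a@nx.invalid", loc, now=0,
                                       sender_resolvable=False, accept_unresolvable=True),
    }
```

The two pop-before-smtp cases show why the grant is worth watching: the same travelling IP relays freely at 1500 and is refused again at 2000, and any other host behind that address would have been accepted in between.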
To set this up point to the Windows Server menu in the Office Servers section of edgeBOX's web
based administration interface:
You have two main options for the behaviour of edgeBOX as part of the Windows network. edgeBOX
can actually be the network's Primary Domain Controller or edgeBOX can just act as a
Workgroup computer.
Learn more...
When edgeBOX acts as a PDC and Roaming Profiles are enabled, a) users' desktop preferences can
be stored in edgeBOX and b) their home directory can be mapped to the Windows network drive Z:
automatically; this makes the task of accessing their files (e.g. documents, personal web page) in
edgeBOX much simpler and more intuitive (this setting is not represented in the panel summary);
If edgeBOX is configured to belong to some workgroup it will be visible and accessible to other
Windows Workgroup hosts.
The panel displayed shows you a summary of the current configuration. You should use the
· edgeBOX is the Primary Domain Controller of the Network; in this case the settings are:
· Domain Name: enter the desired Workgroup Name; this is the Workgroup name that all
computers on the network should use to associate to the Workgroup;
· Domain SID: this setting is not available for configuration; it is created and managed
automatically by edgeBOX and displayed in the initial panel for your convenience;
· when logging into the Domain, the host will download the user's Desktop
preferences from edgeBOX, and
· the users will have their home directory mapped onto drive Z: (if you choose not
to select this option the user's home directory will still be available but not
automatically mapped onto a drive).
· Click the Computers of the domain link to review the workgroup computers currently
connected. In the popup you can:
· hit the Update button if you need to search for new hosts entering the domain or
· the Remove From Domain button if you need to remove a host currently logged-
in. More details...
If a given computer has been added to the edgeBOX domain and some users have
successfully logged into the domain from that computer, those users will still be able
to log in to that computer even if you remove the computer from the popup list. This
happens because the trust relationship between the users and that machine is still
valid.
· PDC support is disabled. edgeBOX just belongs to the windows network; you should
specify:
· Workgroup Name: enter the desired Workgroup Name (all computers with the same
Workgroup name will be associated to the same network group and so will edgeBOX);
· edgeBOX Description: enter a descriptive string for easy identification of edgeBOX in the
network.
WINS Support
WINS performs name registration and resolution. Windows clients can query a WINS server directly,
instead of using the usual broadcast method, thus resulting in an improvement in performance (the
hosts don't need to process broadcast packets). To learn more http://en.wikipedia.org/wiki/
Windows_Internet_Name_Service
Click Change... and check the Provide WINS Support box if you wish to activate WINS. Options
are:
· Use edgeBOX as the WINS Server: edgeBOX will deal with all domain registration and
resolution requests
· Use a remote server as the WINS Server: if another WINS Server exists on your network
and you wish edgeBOX to use it;
· Relay registration and resolution requests to the remote server: with this
option checked edgeBOX will just send the response from the remote server back to
the original client.
· If edgeBOX is not the PDC you can determine if you want or don't want users to be
able to access their homes; use the Allow/Deny button to change this;
· If edgeBOX is the PDC, users always have access to their home directories and the Allow/
Deny button is not available.
· Shares: shared network folders managed by the edgeBOX administrator, with fine-grained
control of permissions and ownerships;
· Temporary Shared Folders: temporary and size-limited, network shared folders freely
created by your network users.
Related Topics:
· Shared Folders Scanning
7.4.1 Shares
To review the currently configured shares, add more Shares, or change details, go to the
Windows Shared Folders menu in the Office Servers section. A list with currently active shared
folders is presented.
For your convenience edgeBOX is shipped with a pre-configured shared folder named Public. This
share is fully accessible to all users. To add new Shares hit the New button - to edit an existing
share the interface is similar:
Please note:
· the setup of a shared folder requires choosing a network user for the role of Share
Owner, and you can set specific permissions for specific users or specific Privileges; for this
to be possible, you must have at least one Privilege with access to the Samba service
enabled and, if necessary, some users actually using that Privilege; otherwise the dialog
windows for configuring the Share will not show you any valid entries to add;
· moreover, if you disable the Samba service on any Privilege at any time, its users will lose
access to the Shares (the Privilege setting always takes precedence over the Share permissions);
· your Firewall may also come into play here: if the Firewall rejects access to the Samba service,
then none of this will be possible; please make sure that the Samba service is not listed in the
Internal Connections... blocked services list; if it is listed you need to remove it, otherwise no
access to shares whatsoever will be possible (the Firewall settings always take precedence over
anything else).
Share Details
· Share Name: type a name for the share; it should be related to the contents or the purpose
of the share;
· Description: a description string specifying any comment for further details (this will be
visible only if the windows user selects the Details option when viewing his network resources)
· Owner: the share owner; click the Select Owner... button and pick a user from the list;
this user will be the share owner (the role of the owner in a share is explained below)
Share Permissions
· uncheck the box if you wish to adjust permissions on this share to specific users and/
or Privileges; in this case please hit the Specify Users Permissions... button and follow
the details here...
· check the box if you do not wish to adjust permissions for specific users or Privileges;
· Disable Write access for regular users. Only the Owner and the Administrators will
be able to Write: other users will not be able to write on the Share; Read access will
depend on each user's permissions; check the box if you want this restriction;
Administrators
Share Options
· Inherit Owner: new Folders and Files will be owned by the share owner;
· Inherit Permissions: new Folders and Files will always have the permissions defined in
Share Permissions;
Related Topics:
· Users
· Privileges
If you change the properties of a shared folder using Windows XP or Windows Vista,
in the Security tab of the share's properties window, always leave at least one deny
or allow option selected when editing the permissions of a user or an access profile. Otherwise Windows
will remove the user or access profile from edgeBOX's share permissions list.
By clicking the Specify Users Permissions... you get a list of Users and Privileges currently
configured with permissions for this Share (please note the icons: Privileges are shown with a
different icon than Users). The details are:
· User/Privilege: the name of the user or Privilege for which each permission applies;
· Allow Read: a green check icon indicates Read permission for this User/Privilege on this
Share
· Allow Write: a green check icon indicates Write permission for this User/Privilege on this
Share
· Deny All: a green check icon indicates no Read nor Write access will be allowed for this User/
Privilege on this Share.
Now, selecting any of the entries and clicking the edit button or clicking the New button you can
reconfigure permissions. The popup dialog will let you choose among remaining Users and Privileges
and, for the ones selected, specify:
· Read and Write access to this share: to Allow Read and Allow Write;
If you remove a Privilege from the list, no user that belongs to that Privilege will be able to
access the Share unless the user has a specific entry in the list. If you remove a user from the list,
the user may still have access to the Share: his permissions will then be defined by his Privilege's
permissions. On the other hand, when a new Privilege is created, users in that Privilege are given
Read access to all non-Public shares and Read-Write access to all Public shares. Please keep this in
mind when creating new Privileges: come back to this section and change these default entries on
every share the new Privilege must not be able to read.
Note that these particular permissions do not override the general permissions of the Share, e.g. if
you use the Disable Write Access for regular users option and give a specific user Write
access, that user will still only be able to read the share.
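As an added example (not edgeBOX code), the function below evaluates a user's effective access to a share by applying the layers described in this section in the stated order: the Firewall first, then whether the user's Privilege has the Samba service enabled, then a specific user entry falling back to the Privilege entry (with Deny All), and finally the share-wide "Disable Write access for regular users" restriction, which a per-user Write grant does not override. It also shows the defaults a newly created Privilege receives. The users, Privileges and shares are invented; that the Owner and Administrators always hold Read-Write regardless of entries is our assumption.

```python
from dataclasses import dataclass, field

# Constructed example, not edgeBOX code: it encodes the precedence rules stated in
# this section. Users, Privileges and share names are invented; the assumption
# that the Owner and Administrators always hold Read-Write is ours.


@dataclass
class Entry:
    read: bool = False
    write: bool = False
    deny_all: bool = False


@dataclass
class Share:
    name: str
    owner: str
    public: bool = False
    disable_write_for_regular_users: bool = False
    users: dict = field(default_factory=dict)        # username  -> Entry
    privileges: dict = field(default_factory=dict)   # Privilege -> Entry


@dataclass
class Site:
    samba_blocked_by_firewall: bool = False
    privilege_samba_enabled: dict = field(default_factory=dict)  # Privilege -> bool
    user_privilege: dict = field(default_factory=dict)           # username  -> Privilege
    administrators: set = field(default_factory=set)


def default_entry_for_new_privilege(share: Share) -> Entry:
    """A freshly created Privilege gets Read on non-Public shares, Read-Write on Public ones."""
    return Entry(read=True, write=share.public)


def effective_access(site: Site, share: Share, user: str) -> tuple:
    """(read, write) for `user` on `share`, applying each layer in precedence order."""
    # 1. The Firewall takes precedence over everything else.
    if site.samba_blocked_by_firewall:
        return (False, False)
    # 2. The user's Privilege must have the Samba service enabled.
    priv = site.user_privilege.get(user)
    if priv is None or not site.privilege_samba_enabled.get(priv, False):
        return (False, False)
    # 3. Owner and Administrators (assumed) always hold Read-Write.
    if user == share.owner or user in site.administrators:
        return (True, True)
    # 4. A specific user entry wins; otherwise fall back to the Privilege's entry.
    entry = share.users.get(user) or share.privileges.get(priv)
    if entry is None or entry.deny_all:
        return (False, False)
    # 5. "Disable Write access for regular users" is not overridden by a per-user grant.
    write = entry.write and not share.disable_write_for_regular_users
    return (entry.read, write)


def run_example() -> dict:
    site = Site(
        privilege_samba_enabled={"staff": True, "guests": False},
        user_privilege={"alice": "staff", "bob": "staff", "carol": "guests",
                        "dave": "staff", "erin": "staff", "admin": "staff"},
        administrators={"admin"},
    )
    public = Share("Public", owner="admin", public=True,
                   privileges={"staff": Entry(read=True, write=True),
                               "guests": Entry(read=True, write=True)})
    projects = Share("projects", owner="alice", disable_write_for_regular_users=True,
                     privileges={"staff": Entry(read=True)},
                     users={"dave": Entry(deny_all=True), "erin": Entry(read=True, write=True)})
    results = {
        "bob_projects": effective_access(site, projects, "bob"),      # via Privilege
        "erin_projects": effective_access(site, projects, "erin"),    # explicit Write ignored
        "alice_projects": effective_access(site, projects, "alice"),  # owner
        "dave_projects": effective_access(site, projects, "dave"),    # Deny All
        "carol_public": effective_access(site, public, "carol"),      # Samba disabled on guests
        "bob_public": effective_access(site, public, "bob"),
    }
    # Removing erin's own entry makes her fall back to the staff Privilege.
    del projects.users["erin"]
    results["erin_after_removal"] = effective_access(site, projects, "erin")
    # Removing the staff Privilege entry leaves only users with their own entry.
    del projects.privileges["staff"]
    results["bob_after_privilege_removal"] = effective_access(site, projects, "bob")
    # Defaults a new Privilege would receive on each share.
    new = default_entry_for_new_privilege
    results["new_priv_projects"] = (new(projects).read, new(projects).write)
    results["new_priv_public"] = (new(public).read, new(public).write)
    # The Firewall overrides all of the above.
    site.samba_blocked_by_firewall = True
    results["bob_public_firewalled"] = effective_access(site, public, "bob")
    return results
```

The "new_priv_projects" result is the one to watch after creating a Privilege: it is readable by default, so confidential shares need their entries adjusted immediately.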
If you want to use this feature please go to the Windows Shared Folders menu in the Office
Servers section. At the bottom, click the corresponding Change... button. Check the Allow users
to create temporary shared folders box, and set the values for:
· Maximum Life Time: each folder will be automatically erased after this time; minimum: 30
minutes; maximum 240 minutes; all files and folders inside will be lost;
· Maximum Size: the folder is limited in size to this value; you can choose from 8 to 1024 MB;
· Maximum Number: the system will not allow the simultaneous existence of more than this
maximum number of shared folders; if the limit is reached users will have to wait for any of
the folders to be automatically erased before they can create any more folders; you can
choose from 1 to 20 maximum simultaneous folders.
The list displayed will show you your printer(s). For each of them:
· Status: Connected or Not Connected (if a printer is shared but not connected it will be
displayed as Not Connected);
To start sharing a printer, just select it and press the Share button. To stop sharing it hit the
Unshare button.
Please note that the Windows Server must be running for the shared printers to be accessible on
the network.
edgeBOX supports any printer supported by the Common Unix Printing System.
The picture below presents the main areas and the correspondent information contained in each
one.
The IP-PBX Overview is refreshed every 30 seconds and gives you several useful pieces of information in
the form of values and labels, colours, icon behaviours and tooltip texts.
Additionally, many of the values and labels displayed are actually hyperlinks to detailed
information regarding the topic involved: clicking on them will load additional status panels and
configuration menus concerning the topic clicked. The IP-PBX Overview is composed of the
following major sections:
Configuration
· Phones and Faxes: m Phones and n Fax Accounts are currently configured;
Realtime Status
· Calls Status: the counts displayed show you the current usage intensity of several of your
PBX features;
· Services: status and operational details regarding the Authentication for Outgoing Calls
and Autoconfiguration services; the green/gray circles on the left show you the current
administrative status of these services;
· Warnings: the warnings displayed help you diagnose the red indicators in the central synoptic; the red
'X' and '!' icons tell you that something is not OK; these Warnings give you a little
more insight into what is not OK;
Synoptic
The central synoptic of the IP-PBX Overview focuses on the connections of your IP-PBX to the
outside world, attempting to provide a quick grasp of their current operational status.
Up to four lines are displayed linking edgeBOX to the four possible outside world voice
connection types:
· Public Telephony Network: connections to the PSTN through FXO interfaces, BRI cards and
others;
· PBX: connections to other PBXs, through a trusted ISDN Line, from which edgeBOX accepts
calls as internal.
Depending on the specific characteristics of your setup, you may get only a subset of the picture. In
any case, the following global colouring rules apply:
· Line Color: green will tell you that at least one of the connections of each type is healthy
and working as expected; gray will denote total failure or all connections bad, for
each type of connection;
· Connections Status Icon: a green 'V' sign means everything is Ok; a red exclamation
mark '!' tells you something is wrong concerning those types of connections; a red 'X' tells
you there is no connectivity whatsoever in that(those) connection(s).
Point your browser at the Phones menu, in the IP-PBX section of edgeBOX's webadmin interface.
From there you can accomplish the following goals:
Related Topics:
· Groups
· Voice Lines
· Network Users
The list provides information in the form of text labels, colors and icon behaviours. Data is
refreshed every 30 seconds. The list is divided into six columns:
Extension
This column displays the extension's number and name. If this extension is currently assigned to a
specific user then its username will be shown in a shaded colour below the number. A small green/
gray circle is displayed on the left, indicating its current connectivity status.
Configuration
The Configuration column provides a quick summary of the most relevant configuration features
currently active for each phone. In some cases, a short status of each of those features is added within
parentheses:
· Voicemail (m msgs): Voicemail is active for this phone and there are currently m new
messages;
· Twinning (nnnn): Twinning is enabled for this extension; this phone is twinned with the
phone at number nnnn; if nnnn is missing then, although the feature is enabled, there is no
twinned phone at this moment;
· Forward (nnnn): Follow Me is active for this extension; calls are being forwarded to number
nnnn.
Brand / Model
The Brand and Model of supported IP Phones; other IP phones are simply identified by the VoIP
(SIP) or VoIP(IAX) labels; analog phones are identified with the ANALOG label.
IP / Port / MAC
The phone's IP and MAC addresses, if known. A Port number in case of analog phones.
Setup Mode
The Setup column tells you if the phone is configured Automatically by edgeBOX or Manually by
yourself.
Status
The Status shows you the current connectivity status and operational conditions of each phone. The
information displayed depends on the type of phone:
Let us consider extension 1607 in the screenshot above. The extension's name is poly607 and it is
not assigned to any specific user. The green circle at the left indicates the extension is online
(meaning that edgeBOX can actually communicate with the phone over the Ethernet TCP/IP
infrastructure). Actually, the phone is currently Busy - on a call or similar - as displayed in the
Status column.
The Configuration column tells you that this extension has Twinning and Voicemail configured.
There are three new messages in the Voicemail account. The Brand / Model is the text
displayed in the 3rd column: it's a Polycom IP phone.
The phone's Ethernet hardware address is 00:04:F2:18:D3:E6 and its currently assigned IP
address is 192.168.101.199. The Setup Mode is Automatic, meaning edgeBOX will automatically
configure this phone.
For details regarding the Synchronize, Manual Config and Phone-to-Extension Assignment
buttons please refer to the Automatic Configuration section of this manual.
To use ISDN phones you need to have an ISDN card with ports configured in NT mode.
This requires hardware configuration. Contact your Reseller/Support before planning a
ISDN Phones scenario.
SIP URI calls are calls made from IP SIP phones using a URI (like john@mycompany.com
or 2010@mycompany.com) instead of a number.
· Ring Duration: Time the extension will ring without being answered. After this time the call will
be finished automatically, or handed over to the voicemail system if voicemail is active for the
extension.
· Voicemail: The voicemail settings are also common to all extension types. The fields you
need to provide are the PIN number to access the extension's voicemail account and an e-mail address
where edgeBOX will send notifications about new voicemail messages. More details about
Voicemail...
· Twinning: The twinning feature can be used with any phone type. You can enable or disable the
ability of the user to have twinning, and to configure the number which will be used together
with the extension. For more details see Twinning.
· Identification (Caller ID): The name and number by which calls will be identified to the called
party. Usually identifies the person using the extension. This field is placed in the advanced tab,
and by default is generated using the data introduced previously in the Name field.
Related Topics:
· Voice Lines
· Groups
· Network Users
Please navigate to the Phones menu in the IP-PBX section to create and manage SIP and IAX
phones/extensions. Below you can find the most common operations regarding these types of IP
phones.
Configuring Codecs
Codecs affect quality and bandwidth consumption at the same time: higher quality
means higher bandwidth consumption.
In the Codecs tab of the new/edit VoIP phone extension dialog you can define the codecs
allowed to be used by the phone using this extension. By default when you create a new VoIP
extension G711 codecs are selected.
As a best practice, use high quality codecs (like G711) for phones connected in the LAN, and low
bandwidth codecs (like GSM or G729) for phones connected through the WAN. This way you will
provide high quality on your internal phones and avoid large Internet bandwidth consumption by
your external phones.
You have to make sure that your phone is also configured to use the same audio codecs as the
extension.
For more information see Codecs.
If you have a video enabled phone (or a softphone with video support and a video camera) you
can make video calls using edgeBOX.
In order to do that you must allow the extension to use video codecs (like H261, H263, H263p
or H264) in the Codecs tab of the extension's properties dialog.
You have to make sure that your phone is also configured to use the same video codecs as the
extension. See your phone's manual for instructions.
By default the voice traffic between two VoIP phones flows through the edgeBOX, meaning
when a phone A is calling phone B, voice traffic flow is A > edgeBOX > B. You can change this
flow to be A > B directly, thus reducing traffic and CPU consumption in edgeBOX.
Peer-to-peer mode is especially relevant in scenarios where you have phones connecting from
the Internet (registering through edgeBOX's WAN port). Imagine the same two phones A
and B on the WAN making a call between themselves: you'll have both of them consuming your
Internet line, whereas if they could connect directly your Internet line would not be used at all (except
for residual SIP traffic).
To allow phones to connect in peer-to-peer mode you need to enable the Can Reinvite option
in the Advanced tab of the extension's properties dialog.
In peer-to-peer calls DTMF shortcuts (like transfer or park) are not supported, because
edgeBOX is no longer listening to the tones. In this case you need to use the corresponding
special keys on your phone.
· Disable NAT Support: check to disable edgeBOX's NAT handling for this phone; NAT support is
necessary when the phone is behind devices such as a router or a firewall; see more in Advanced NAT;
· Do not Send Keep alive packets to this phone: without this option selected edgeBOX will
send keep-alive packets to this phone every 2 seconds;
· When not registered this phone is reachable at static IP Address: use this only if this
phone will have a static IP address;
· DTMF Mode: the way the client deals with DTMF signalling; this parameter should be the
same as in the phone itself; options are: RFC2833 (selected by default); INFO; INBAND (DTMF
signalling within the call); note that this type of signalling is not supported by the GSM
codec.
If you are using analog phones connected through ATA (Analog Telephone Adapters)
you must use SIP extension type instead of Analog. The ATA will connect into the LAN and
will behave to edgeBOX as a SIP phone.
Please navigate to the Phones menu in the IP-PBX section to create and manage analog phones/
extensions. If your edgeBOX includes an analog card with FXS ports configured, you will see the New
Analog Phone option when you click the New button in the Phones list. Below you can find the
most common operations concerning analog phones.
· VoIP Phones
· ISDN Phones
You have two options for VoIP phones, both suitable for use with edgeBOX:
· Hardware phones, that work pretty much as a plain old phone, and
The configuration of SIP phones is generally the same among all brands/models. Usually the
configuration is done through a web page served by the phone itself (open your browser at a URL
like http://192.168.100.195) or via the built-in menu on the phone. See your phone's user manual
for more details, or look for a specific edgeBOX How-To document for your phone model.
There are really only a few fields you usually need to set up:
· SIP Proxy: this is the name (like sip.edgebox.com) or the IP address (like 192.168.100.254)
of the edgeBOX. Pay attention to where you are connecting your phone, in the LAN or the WAN.
Usually you connect the phones directly to the LAN of the edgeBOX for local personnel, and
remote workers connect to the WAN from the Internet.
· Account: the Extension Name (like MeetingRoom) that you want your phone to use.
· DTMF: This is the type of Dual Tone Multi-Frequency signalling, and affects the exchange of dial
tones between the phone and edgeBOX. They must match on both sides (the phone and the
extension's properties in edgeBOX). The default value in edgeBOX is RFC2833, and that's
usually the same in the phones.
· Codecs: The codecs configured in the phone must match the ones configured in the extension
properties in edgeBOX. The default codecs of a new extension are G711 a-law and G711 u-law
and those are usually supported by default in the phones. Order the list of codecs by
preference; edgeBOX will always try to use the first, then the second and so on.
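An added example, not edgeBOX code, of how the extension and phone settings described in Configuring Codecs, the video and peer-to-peer paragraphs, the Advanced tab's DTMF Mode and the SIP phone fields above fit together: it selects codecs in the extension's preference order against what the phone offers, flags the mismatches that would break a call (no common codec, DTMF modes that differ, INBAND DTMF on the GSM codec) and reports how Can Reinvite changes the media path. The codec labels, the Extension and Phone objects and the sample configurations are our own simplification.

```python
from dataclasses import dataclass

# Constructed example, not edgeBOX code: it applies the matching rules stated
# in this section (ordered codec preference, DTMF must match on both sides,
# INBAND DTMF unusable with GSM, reinvite bypasses edgeBOX). Codec labels and
# the extension/phone objects are our own simplification.

AUDIO_CODECS = ("g711a", "g711u", "gsm", "g729")
VIDEO_CODECS = ("h261", "h263", "h263p", "h264")
DTMF_MODES = ("rfc2833", "info", "inband")


@dataclass
class Extension:
    name: str
    codecs: list                     # edgeBOX preference order, first tried first
    dtmf: str = "rfc2833"            # edgeBOX default
    can_reinvite: bool = False       # Advanced tab: peer-to-peer media


@dataclass
class Phone:
    account: str                     # must equal the Extension Name
    sip_proxy: str                   # edgeBOX LAN or WAN address
    codecs: list                     # what the phone is configured to offer
    dtmf: str = "rfc2833"


def suggested_codecs(location: str, video: bool = False) -> list:
    """Best-practice order from the text: G711 first on the LAN, GSM/G729 first on the WAN."""
    audio = ["g711a", "g711u", "gsm", "g729"] if location == "lan" else ["g729", "gsm", "g711a", "g711u"]
    return audio + (["h264", "h263p", "h263", "h261"] if video else [])


def negotiate(ext: Extension, phone: Phone) -> dict:
    """Pick codecs in the extension's order and report anything that would break the call."""
    problems = []
    if phone.account != ext.name:
        problems.append(f"account {phone.account!r} does not match extension {ext.name!r}")
    if ext.dtmf not in DTMF_MODES or phone.dtmf not in DTMF_MODES:
        problems.append("unknown DTMF mode")
    elif ext.dtmf != phone.dtmf:
        problems.append(f"DTMF mismatch: edgeBOX {ext.dtmf}, phone {phone.dtmf}")
    offered = {c.lower() for c in phone.codecs}
    audio = [c for c in ext.codecs if c in AUDIO_CODECS and c in offered]
    video = [c for c in ext.codecs if c in VIDEO_CODECS and c in offered]
    if not audio:
        problems.append("no audio codec common to the extension and the phone")
    elif ext.dtmf == "inband" and audio[0] == "gsm":
        problems.append("INBAND DTMF is not supported by the GSM codec")
    return {
        "audio": audio[0] if audio else None,
        "video": video[0] if video else None,
        "media_path": "A > B" if ext.can_reinvite else "A > edgeBOX > B",
        "dtmf_shortcuts": not ext.can_reinvite,   # transfer/park by tones need edgeBOX in the path
        "ok": not problems,
        "problems": problems,
    }


def run_example() -> dict:
    lan_ext = Extension("MeetingRoom", suggested_codecs("lan"))
    lan_phone = Phone("MeetingRoom", "192.168.100.254", ["G711U", "G711A"])
    wan_ext = Extension("1020", suggested_codecs("wan", video=True), can_reinvite=True)
    softphone = Phone("1020", "sip.edgebox.com", ["g711a", "g729", "h264", "h263"])
    bad_ext = Extension("1021", ["gsm"], dtmf="inband")
    bad_phone = Phone("1021", "192.168.100.254", ["gsm", "g711a"], dtmf="info")
    return {"lan": negotiate(lan_ext, lan_phone),
            "wan": negotiate(wan_ext, softphone),
            "bad": negotiate(bad_ext, bad_phone)}
```

The "wan" case picks G729 even though the softphone lists G711 a-law first, because the extension's order decides; the "bad" case collects both the DTMF mismatch and the INBAND-on-GSM problem so that an administrator sees every reason the phone would fail rather than only the first.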
edgeBOX provides an automatic configuration system for Polycom, Linksys, Aastra and Grandstream
phones (see more details here). When the auto-configuration system is enabled, at the moment you
connect the phone's Ethernet cable to the LAN of edgeBOX, the phone is detected (by MAC
address) and displayed in the Available Phones list; you can then assign it to an extension. Because
the phone is identified by its MAC address alone, keep the LAN on which phones are auto-configured
restricted to devices you trust.
See the Phone Auto-Configuration How-To guide, the edgeBOX Online Help or the Phone Configuration
How-To available in the edgeBOX documentation.
Connecting analog phones or fax machines to edgeBOX is quite simple. Just plug the phone (or fax)
RJ11 cable to the proper FXS port in the back panel of your edgeBOX.
There are a couple of settings for analog phones that you should keep in mind at this point. These
settings are available in the Advanced tab of the extension's properties dialog in edgeBOX. You can
fine-tune these parameters with a few test calls from the extension you're configuring.
· Echo Cancel: enables/disables the echo cancellation algorithm for calls to this extension;
it is enabled by default. Disable it only if you are using a fax machine connected to this
extension and you're experiencing reception problems.
· Transmission Gain: amount of gain applied to sound transmitted from this extension. The
range is -8 dB to +8 dB, the default being 0 dB. Increase it when the other end (the callee)
can barely hear you; decrease it if the other end hears you too loud, with too much noise or with echo.
· Reception Gain: amount of gain applied to sound received by this extension. The range is
-8 dB to +8 dB, the default being 0 dB. Increase it when you can barely hear; decrease it
when you hear too loud, with too much noise or with echo.
edgeBOX supports EuroISDN BRI phones seamlessly, but there's a number of details and complexities
arising from the underlying ISDN phone technology and the number of different proprietary signaling
built by ISDN phone manufacturers.
When you connect a phone to the network for the first time, it needs to be configured in order to
make calls. This configuration is basically the configuration of the phones account to be used by
the phone. Using the Auto Configuration System you can configure phones remotely, just using
the edgeBOX's web interface.
All the configuration of the phones is available through the IP-PBX > Phones panel.
Only supported SIP phones can be configured directly on the edgeBOX - Auto Phone
Configuration. The currently supported phones are Grandstream GXP 2000; Polycom
SoundPoint IP320 IP330, IP670, IP601; Linksys SPA 901, SPA 922, SPA 932, SPA 941, SPA
942, SPA 962; Aastra 9133i, 480i, 51i, 53i, 55i, 57i and Snom 190, 360.
Forcing the configuration of models other than the ones mentioned above may
corrupt your phone's configuration.
· Phones that have been connected just a few seconds before may not be listed yet,
wait a moment for the automatic panel refresh (up to 30 seconds).
· Make sure the Phones Auto Configuration System is running (the service bar at the
top of the panel must be green).
3. Click Assign Extension to Phone button.
4. In the popup window select the phone extension you want to assign and click Add
button.
5. At this point in the phones list the previously <not configured> phone is not listed
anymore, and the line corresponding to the extensions you've selected in step 2
contains the Brand, IP and MAC addresses of the phone.
Depending on the Autoconfiguration Mode and the status of the physical phone you
may need to reboot the phone before it receives the configuration.
If, for example, a user changes incorrectly the configuration of a phone, the phone may stop
working properly. In these cases you can resend the correct configuration to the phone, so it
can work properly again.
To synchronize the phones configuration with edgeBOX's saved configuration:
1. Go to IP-PBX > Phones.
2. Select the phone in the list.
3. Click Synchronize button in the toolbar.
The phone will restart automatically and will get the original configuration upon boot.
Ignore a phone
You can ignore a phone so that edgeBOX doesn't try to send it configurations nor try to call it
to start the Configuration Assistant. Why should I ignore phones?
Ignoring phones can be useful if you have some phones on your network being managed
by a device other than the edgeBOX. In these situations you don't want edgeBOX to be
trying to send configuration information to those phones.
To ignore a phone:
1. Go to IP-PBX > Phones.
2. Select the desired phone in the list.
3. Click Manual Config button in the toolbar.
The Setup Mode will change to Manual. At this point edgeBOX will no longer try to configure
this phone automatically.
If you want edgeBOX to stop ignoring a phone and start sending configuration information
again just proceed as if you would configure it from start, by using the Assign Extension to
Phone button in the toolbar.
4. At this point you'll see a new item in the list with <not configured> in the extension
column. This item corresponds to the physical phone that was previously associated.
The phone is now free of any configuration, you can delete it (if the phone was definitely
removed from the network), or assign it to another extension.
Replace a broken phone
When a phone is broken and needs to be replaced by another one, proceed as follows:
1. Go to IP-PBX > Phones.
2. Select the desired phone in the list (like 1020).
3. Click Unassign Phone from Extension button in the toolbar. At this point you'll see a new
item in the list with <not configured> in the extension column. This item corresponds to
the physical phone that was previously associated, and another line corresponding with
the extension (like 1020).
4. Edit the phone extension in the list (1020 in this example).
5. Select the new brand of your new phone in the Phone Brand field.
6. Enter the new MAC address of the new phone in the MAC Address field.
You can now physically replace the old phone by the new phone. The new phone will be
configured automatically as soon as you connect it to the network.
Pre-Provisioning Phones
You can also configure phones that haven't been connected yet but will be in the near future.
When those phones are plugged into the network for the first time, they immediately receive the
configuration you have defined and are ready to use right away.
Pre-provisioning is very useful when you're managing the office from a remote location and need
to install a new phone. You can just create the phone in the system and then mail it to the office.
When it arrives, the end user only needs to plug it into the network and it's ready to use without
further issues.
You can pre-provision phones independently of your configuration mode (Callback or Silent). Pre-
provisioned phones are configured as soon as they connect to the network, meaning that in
Callback mode the assistant call doesn't happen.
Pre-provision a new phone
Related Topics:
Auto Configuration Modes
edgeBOX provides two different operation modes for auto configuration of the phones. One mode
(Callback) configures the phone by using the phone itself: the phone receives a call with a
configuration wizard in which you dial the extension to assign and the respective password
(numeric passwords only). The Silent mode requires no interaction on the phone's end, and all
the configuration is done through the administrator's panel.
Call phones when they are first connected and start the Configuration Assistant
To configure the system to start the Configuration Assistant call each time a user plugs in a
new phone in the network (Callback Mode):
1. Go to IP-PBX > Phones
2. Make sure the Auto Configuration System is running (you should see a green bar at the
top of the panel). If it is not running click Start Service.
3. Click the Change... button.
4. Select the option Automatically call the phone and start the Configuration Assistant.
5. Click the Save button.
Do not call phones when they are first connected to start the Configuration Assistant
If you don't want the user to receive the Configuration Assistant call when he connects a phone
for the first time (Silent Mode):
1. Go to IP-PBX > Phones
2. Make sure the Auto Configuration System is running (you should see a green bar at the
top of the panel). If it is not running click Start Service.
3. Click the Change... button.
4. Select the option Do not make the Auto Configuration Assistant call.
5. Click the Save button.
You or the network users can also call the Configuration Assistant at any time (for instance, if they do
not answer the Configuration assistant call) from a given phone to start the phone configuration
process.
To call the Configuration Assistant from a phone on the network, you or the user need to dial
1234, which is the Configuration Assistant number.
Note: It is only possible to dial the Configuration Assistant if the configuration was interrupted
previously due to some problem and needs to be finished in order to configure the phone.
Related Topics:
Phone Auto Configuration
The access control policies of a phone group are configured in the Access Control tab when
you create or edit a group.
The policies are organized by the operations: Call Pick Up; Intercom Calls; Call Listening and
Call Recording.
Call Pick Up policies
With Call Pick Up you can specify the set of phones that can pick up calls on this group. The
choices are:
· any phone can pick up calls on this group (this is the default setting)
· only the phones that belong to the group can do this
· no phone, not even from the group, can pick up calls ringing in this group
Intercom Calls policies
With Intercom Calls someone could make a phone call to this group in which the destination
phone will go into loudspeaker mode and the call will be listened to by the people near that
phone. You can choose:
· any network phone can initiate Intercom Calls to the phones on this group (this is the
default setting)
· only phones in the group can initiate Intercom Calls to each other
· this group will not accept Intercom Calls
Call Listening policies
The Call Listening settings for a group allow you to specify:
· if phones on this group can be used to listen to calls on other phones (default setting is
'no')
· if calls on these phones can be listened to (default setting is 'no')
Call Recording policies
The Call Recording settings for a group allow you to specify:
· if these phones can record calls (see One Touch Recording; default setting is 'no'), and
· if phones on this group can or can't be recorded (see Recording calls; default setting is
'no recording').
Configuration examples
You can configure any number of phone groups, with many variations of access control policies
building from the most simple to the most complex set of policies, depending on your company
requirements. Below you can find some examples of the most typical configurations.
How to create a group of phones that can pick up calls only among themselves?
In this example, let's assume that you have a group of support personnel who want to
pick up calls ringing at another extension of the team (because that person is not at his
desk), but they don't want people outside the group to pick up their calls.
For the scenario above execute the following steps:
1. Go to IP-PBX > Phones.
2. Click Groups in the Related Topics section of the menu.
3. Click the New button.
4. Enter a name (like Support) in the Name field.
5. Enter a description (like Support Personnel) in the Description field.
6. Enter a phone number (like 300) for the group in the Extension field. This number will
be used to identify the group from which to pick up the call.
7. Click the Add button, then select and add the phones that will be part of the group (use the
Ctrl key to select multiple phones at the same time).
8. Select the Access Control tab.
9. In the Call Pick Up section, select the option Only phones of this group can pick up calls
ringing on these phones.
10. Click the Save button.
At this point any phone within the group Support can pick up calls ringing at any phone of the
group by dialing *8 followed by the group extension number (300 in the example).
When using the group's extension number, like *8300, the user randomly picks up one of the
calls ringing in the group; when using *8<phone extension number> the user picks up the call
ringing at that specific phone (*81001 picks up the call ringing at extension 1001).
Phones not belonging to the group Support won't be able to pick up calls to the group, or to
specific extensions belonging to the group.
How to create a group of phones that can listen to and whisper on calls, while others can't?
In this example, let's assume we have a group of supervisors who need the ability to listen to
ongoing calls in the Help Desk group and give instructions to the agents during the call.
For the scenario above do the following:
1. Create a group called Supervisors.
2. Add the supervisors' phones to the group.
3. In Access Control panel, at the Calls Monitoring section, select both policies:
- These phones can be used to listen to ongoing calls on other phones
- Calls on these phones can't be listened by other phones
4. Create a group called Help Desk.
5. Add to the group the phones of the help desk team.
6. In Access Control panel, at the Calls Monitoring section leave both policies unselected.
At this point any phone within the group Supervisors can listen to ongoing calls of any phone in
the group Help Desk by dialing *990* followed by the extension number of the phone to listen
to (*990*1001 to listen to extension 1001). To listen and give instructions at the same time
(whisper mode), dial *991*1001.
8.2.6 Twinning
Twinning enables you to almost duplicate the behaviour of a network extension on another,
external phone, such as a cell phone. Learn More.
If you activate and configure twinning with, for example, a cell phone:
· When a call arrives at the network phone (for example, extension 2001), both the
network phone and the cell phone ring. The call is taken by whichever phone is answered
first. This is useful, for example, when a user goes out of the office: he is able to answer
calls to his extension on his cell phone.
However, when the user answers on his cell phone a call that edgeBOX sent
through an analog line, the user needs to press the # (pound) key after answering.
This informs edgeBOX that the call was picked up, and edgeBOX stops ringing the
user's extension. Otherwise the extension keeps on ringing even though the call has
already been answered by the user.
· The user can make calls from his cell phone as if he were at his extension at work, even
when he is at home. The user just needs to dial the company's number. The call is
answered by edgeBOX and the user hears a dial tone again. The user can then make
internal calls just by dialing the extension he wants to call, or make outgoing calls that
appear to the recipient as coming from the user's regular work phone.
Twinning is configured per phone. By default, phones are not allowed to twin with other
phones such as cell phones.
To allow a phone to twin with another one:
1. Select the desired network phone from the phone list and click the Edit Phone button.
2. Select the option Activate Twinning.
3. Enter the phone number to be twinned to in the Phone Number field, or you can leave it
blank for the user of the phone to configure it himself. See Configure Twinning using the
phone.
4. Click the Save button.
1. Select the desired network phone from the phone list and click the Edit Phone button.
2. In the Twinning section you can see the number of the phone this extension is currently
twinning with.
3. Enter the new phone number in the Phone Number field.
4. Click the Save button.
This is particularly useful when the user is close to both phones at the same time, the network
phone and his personal cell phone, for example. In these cases having both phones ring at
the same time is not really useful, so you can switch off twinning so that only the company
phone rings when a call is received.
1. Select the desired network phone from the phone list and click the Edit Phone button.
2. Unselect the option Activate Twinning.
3. Click the Save button.
Note that the feature is still allowed on the phone; it is just not enabled at the moment, that is,
this phone is not twinning with another phone. But you, through edgeBOX's interface, or the
phone's user, through the phone, can enable it again at any time.
The user of a phone with twinning can also enable, disable and change the number of the
phone his extension is twinning with directly on the phone itself instead of through edgeBOX.
But to do so, twinning must be Active on that phone.
· Enable twinning - on your phone, dial *90. Twinning will now be enabled.
· Change the phone your phone is twinning with - on your phone, dial *92*
followed by the phone number you want to twin to. For example, if your cell phone is
912154014 you can dial *92*912154014.
· Transfer an ongoing call from the cell phone to the network phone - on your
phone, dial *93 and the call you are answering in the cell phone will continue in the
network phone.
Don't use the Internal Dial Plan for simple operations like the creation or removal of extensions.
Those operations should be performed in the Phones list. The Internal Dial Plan should only be
used for advanced configurations.
You can consider the Internal Dial Plan as a set of individual Extension Dial Plans. The popup
dialog shows you initially:
· on the left: the list of Extensions currently active in the Internal Dial Plan: each new
phone created is automatically added to the Dial Plan and each phone deleted is automatically
removed;
· on the right: when you select an extension on the left; the right-hand panel shows you the
Extension Dial Plan: the configured sequence of actions the PBX will execute upon reception
of a new call for this extension.
As usual, you can use the New button to add new extensions or the Edit button to change existing
entries. For your convenience, a Duplicate button is provided for quickly creating new entries based
on the existing ones. The Configure the Extension Dial Plan popup window will show.
· Extension: type-in the extension name to which this Extension Dial Plan applies;
· with Caller ID: check the box and type-in the Caller ID if you wish to further specify that this
applies only to that specific Caller ID;
· Actions: an ordered list of actions edgeBOX will try to route the call through; use the Up
and Down arrows to change the sequence; use the New and Delete buttons to manage the
contents of the list. For each action you can:
· Forward to Phone: this action forwards the call to a phone; you must select the
phone from the drop-down list that appears below;
· Forward to external number: this action forwards the call to an external number;
you must specify the number you want in the text field;
· Forward to Queue: with this option the call will be forwarded to the queue you choose
(see Queues);
· Forward to Conference: you can choose a conference number for the call to be
forwarded to (see Conferences);
· Forward to Group: here the call will be answered by some phone in the group you
specify from the drop-down list;
· Play: the caller will listen to the sound file you choose; the selected sound file will be
played and all numbers entered by the caller will be ignored until the sound has
finished (see here for details on sound files);
· Wait: this action makes the call wait for the specified number of seconds.
When configuring Incoming Call Rules you have at your disposal the following tasks:
Related Topics:
· Voice Lines
· Groups
· Sound Manager
· Music On-Hold
· Automatic Attendants
· Schedules
Each rule has a set of conditions and a set of actions. Conditions determine whether the rule is
applied or not, while the Actions specify how the call is to be treated.
Rule Conditions
When a call is received by edgeBOX, the conditions of each incoming call rule are evaluated in
order. For the first rule whose conditions all match, the specified sequence of actions is executed.
· Calls to (DDI): This condition tries to match the destination number (DDI) of the call
with the supplied value; you must enter the DDI in the text field at the right side of the
condition type. This condition is useful when you have multiple public phone numbers,
each one with a different destination department or receptionist.
· Calls from (CallerID): This condition tries to match the originating number (CallerID)
of the call with the supplied value; you must enter the CallerID in the text field at the
right side of the condition type. This condition is useful when you need to redirect a call
based on who's calling.
· Schedule: This condition evaluates whether the call is being made at a particular time or day
(see Schedules for more details). You must choose a Schedule from the drop-down list
at the right side of the condition type. This condition is useful, for example, when during
work hours (or days) you want the call to be answered by a person, but out of hours (or
during vacation periods or holidays) you want an automated attendant to answer.
In a single rule you can use as many conditions as you want. The rule's actions will be
executed if (and only if) all conditions together are true. So you could easily build up complex
rules such as ''from this origin, to that destination within some period of time''.
Rule Actions
The Rule Actions determine the behaviour in case the rule conditions are met. You can:
· Forward to Phone: this action forwards the call to a phone; you must select the phone
from the drop-down list that appears at the right side;
· Forward to internal number: this action forwards the call to an internal number; you
must specify the number you want in the text field that appears at the right;
· Forward to external number: this action forwards the call to an external number; you
must specify the number you want in the text field that appears at the right;
· Ring Phone: this action tries to forward the call to the specified phone by making it ring;
if the phone is not answered then the next action will take place;
· Forward to Voicemail: the call will be forwarded to the chosen extension's voicemail;
you may choose any extension with an active voicemail;
· Forward to Queue: with this option the call will be forwarded to the queue you choose
(see Queues);
· Forward to Conference: you can choose a conference number for the call to be
forwarded to (see Conferences);
· Forward to Group: here the call will be answered by some phone in the group you
specify from the drop-down list at the right side;
· Answer: the call will be answered;
This type of access has SERIOUS security implications, and GREAT care must
be taken NOT to compromise your security. We advise you to ALWAYS enter a
passcode. If you do not enter a passcode, when the DISA action is executed the
caller is authenticated automatically. If you select that option and enter a
passcode, when the DISA action is executed the caller is first asked to enter the
passcode before getting a dial tone.
· Start Automated Attendant: this action will start the execution of the specified
automated attendant menu.
You can add several rule actions. Rule actions can be moved Up and Down with the help of the
corresponding buttons. This way you could compose complex sequences for edgeBOX to
execute on the call. As an example you could play a sound, wait for 10 seconds and then
forward the call to some Conference.
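The evaluation order just described (rules checked in sequence, every condition of a rule must hold, the first matching rule's actions run) and the DISA passcode warning above, as an added example written for this guide. It is not edgeBOX code: the Rule and Schedule classes, the action tuples, the sample RULES configuration and the two call times are constructed for illustration, and audit_disa() is a configuration check based on the manual's statement that a DISA action without a passcode authenticates the caller automatically.

```python
"""Incoming call rule evaluation: rules are checked in order, a rule applies
only if ALL of its conditions hold, and the first such rule's action list is
what the PBX executes.  Added example, not edgeBOX code; Rule, Schedule, the
action tuples and the sample configuration below are constructed."""

from dataclasses import dataclass, field
from datetime import datetime, time
from typing import List, Optional, Tuple


@dataclass
class Schedule:
    """Named set of weekly windows (weekday 0 = Monday, start/end inclusive)."""
    name: str
    windows: List[Tuple[int, time, time]]

    def contains(self, when: datetime) -> bool:
        return any(day == when.weekday() and start <= when.time() <= end
                   for day, start, end in self.windows)


@dataclass
class Rule:
    name: str
    ddi: Optional[str] = None              # "Calls to (DDI)" condition
    caller_id: Optional[str] = None        # "Calls from (CallerID)" condition
    schedule: Optional[Schedule] = None    # "Schedule" condition
    actions: List[Tuple[str, ...]] = field(default_factory=list)

    def matches(self, ddi: str, caller_id: str, when: datetime) -> bool:
        # Every configured condition must hold (logical AND).  A condition
        # that is not set is not evaluated, so a rule with no conditions
        # matches every call, which is how the Default rule behaves.
        if self.ddi is not None and self.ddi != ddi:
            return False
        if self.caller_id is not None and self.caller_id != caller_id:
            return False
        if self.schedule is not None and not self.schedule.contains(when):
            return False
        return True


def route_call(rules: List[Rule], ddi: str, caller_id: str,
               when: datetime) -> Tuple[Optional[str], List[Tuple[str, ...]]]:
    """Return (name, actions) of the first rule whose conditions all match,
    or (None, []) when nothing applies.  Order matters: a later rule is
    never reached for a call that an earlier rule already matched."""
    for rule in rules:
        if rule.matches(ddi, caller_id, when):
            return rule.name, rule.actions
    return None, []


def audit_disa(rules: List[Rule]) -> List[str]:
    """Flag every DISA action configured without a passcode: such a rule
    hands an internal dial tone to any caller satisfying its conditions."""
    findings = []
    for rule in rules:
        for action in rule.actions:
            if action[0] == "DISA" and (len(action) < 2 or not action[1]):
                findings.append(f"{rule.name}: DISA action without passcode")
    return findings


# --- constructed sample configuration and call times ----------------------
WORK_HOURS = Schedule("Work hours", [(d, time(9, 0), time(18, 0)) for d in range(5)])
RULES = [
    Rule("Sales line, office hours", ddi="2125550100", schedule=WORK_HOURS,
         actions=[("Ring Phone", "1001"), ("Forward to Voicemail", "1001")]),
    Rule("Sales line, out of hours", ddi="2125550100",
         actions=[("Start Automated Attendant", "After hours")]),
    Rule("Remote staff", caller_id="912154014",
         actions=[("Answer",), ("DISA", "")]),      # empty passcode: flagged
    Rule("Default", actions=[("Forward to Group", "Reception")]),
]
TUESDAY_10AM = datetime(2024, 1, 9, 10, 0)      # inside WORK_HOURS
SATURDAY_10AM = datetime(2024, 1, 13, 10, 0)    # outside WORK_HOURS

if __name__ == "__main__":
    print(route_call(RULES, "2125550100", "5551234", TUESDAY_10AM))
    # the remote caller still gets the out-of-hours rule: it comes first
    print(route_call(RULES, "2125550100", "912154014", SATURDAY_10AM))
    print(audit_disa(RULES))
```

Running audit_disa() over a rule set before saving it is the kind of check worth automating: the rule order decides which actions a caller reaches, and a DISA action with an empty passcode is easy to miss in a long list.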
· Actions define what is to be done in the call, like answer, play sound files, joining
conferences or jumping to another automated attendant menu;
· Conditions are used to respond to user input, like when a key is pressed, or a number is
dialed.
Automated Attendants are displayed as a tree structure, making it easy to understand the flow of
actions and conditions. Each child node is either an action or a condition, which may be
expanded to see its underlying actions.
· Forward to Phone: this action forwards the call to a phone; you must select the phone
from the drop-down list that appears at the right side;
· Forward to external number: this action forwards the call to an external number; you
must specify the number you want in the text field that appears at the right;
· Ring Phone: this action tries to forward the call to the specified phone by making it ring; if
the phone is not answered then the next action will take place;
· Forward to Voicemail: the call will be forwarded to the chosen extension's voicemail; you
may choose any extension with an active voicemail;
· Forward to Queue: with this option the call will be forwarded to the queue you choose (see
Queues);
· Forward to Conference: you can choose a conference number for the call to be
forwarded to (see Conferences);
· Forward to Group: here the call will be answered by some phone in the group you specify
from the drop-down list at the right side;
· Answer: the call will be answered;
· Hangup: the call will be hung-up;
· Play: the caller will listen to the sound file you can choose; the selected sound file will be
played and all numbers entered by the caller will be ignored until the message has
completed;
· Play in background: similar to Play, but in this case the user can press keys while
listening, instead of being forced to wait for the sound to finish.
· Wait: this action makes the call wait for the specified number of seconds;
· Start IVR: this action will start the execution of the specified automated attendant menu
(IVR); the drop-down list will show you all currently configured automated attendants for
you to choose the one you want; additionally you can also choose the Internal Extensions
option; in that case the caller will be able to dial the internal extension he wishes to reach;
· DISA: Stands for Direct Inward System Access. Allows someone calling in from outside the
telephone switch (PBX) to obtain an "internal" system dialtone and dial calls as if from one of
the extensions attached to the telephone switch. The DISA application may require the user
to enter a passcode, followed by the pound sign (#). If the passcode is correct, the user will
hear dialtone on which a call may be placed. Is it secure?
This type of access has SERIOUS security implications, and GREAT care must
be taken NOT to compromise your security. We advise you to ALWAYS enter a
passcode. If you do not enter a passcode, when the DISA action is executed the
caller is authenticated automatically. If you select that option and enter a
passcode, when the DISA action is executed the caller is first asked to enter the
passcode before getting a dial tone.
You can add several rule actions. Rule actions can be moved Up and Down with the help of the
corresponding buttons. This way you could compose complex sequences for edgeBOX to
execute on the call. As an example you could play a sound, wait for 10 seconds and then
forward the call to some Conference.
Conditions are used to execute a set of actions based on the user's input.
· If user pressed keys: This condition compares the keys typed by the caller and executes
the underlying actions if the keys match the ones you specified in this condition. You must
enter the set of keys that should be pressed in the Keys field.
· If user pressed invalid keys: This condition executes the underlying actions if the
sequence of keys pressed by the user does not match any of the previous conditions.
· If user didn't press any key: This condition executes the underlying actions if the
user didn't press any key (after a 5-second timeout).
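A small interpreter for an automated attendant menu of the kind described above, added here as an illustration; it is not edgeBOX code. A menu is an ordered list of actions and conditions; a condition holds the actions that run when the caller's keys match its Keys field, when they match no key condition of the menu (invalid keys), or when no key arrives within the 5-second timeout. The sample menus and the scripted Caller are constructed, and two points are assumptions rather than documented behaviour: sibling conditions are evaluated in list order with the first match winning, and a depth limit ends a call when menus Start IVR into each other without end.

```python
"""Interpreter for an automated attendant (IVR) tree.  Added example, not
edgeBOX code: sample menus, the scripted Caller, the list-order evaluation
of sibling conditions and the menu depth limit are all constructed."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

KEY_TIMEOUT_SECONDS = 5      # the manual's "5 seconds timeout"
MAX_MENU_DEPTH = 8           # assumed guard against menus that loop forever


@dataclass
class Action:
    kind: str                # "Play", "Forward to Queue", "Hangup", "Start IVR", ...
    arg: str = ""


@dataclass
class Condition:
    kind: str                # "keys", "invalid" or "timeout"
    keys: str = ""           # the Keys field, used when kind == "keys"
    actions: List["Node"] = field(default_factory=list)


Node = Union[Action, Condition]


class Caller:
    """Scripted caller: each entry is the key sequence entered at a prompt,
    or None when the caller stays silent until the timeout expires."""

    def __init__(self, script: List[Optional[str]]):
        self._script = list(script)

    def read_keys(self) -> Optional[str]:
        return self._script.pop(0) if self._script else None


def _run_nodes(menus: Dict[str, List[Node]], nodes: List[Node], caller: Caller,
               trace: List[str], depth: int) -> bool:
    """Execute `nodes` in order, appending to `trace`; True when the call ended."""
    valid_keys = {n.keys for n in nodes if isinstance(n, Condition) and n.kind == "keys"}
    pressed: Optional[str] = None
    asked = handled = False
    for node in nodes:
        if isinstance(node, Action):
            if node.kind == "Hangup":
                trace.append("Hangup")
                return True
            if node.kind == "Start IVR":
                # control moves to the other menu; this node list is finished
                trace.append(f"Start IVR {node.arg}")
                run_into(menus, node.arg, caller, trace, depth + 1)
                return True
            trace.append(f"{node.kind} {node.arg}".rstrip())
            continue
        # Conditions: the caller's input is read once, at the first condition.
        if not asked:
            pressed = caller.read_keys()
            asked = True
            trace.append(f"no key within {KEY_TIMEOUT_SECONDS}s" if pressed is None
                         else f"keys {pressed}")
        if handled:
            continue                              # first matching condition wins
        if node.kind == "keys":
            fire = pressed == node.keys
        elif node.kind == "invalid":
            fire = pressed is not None and pressed not in valid_keys
        elif node.kind == "timeout":
            fire = pressed is None
        else:
            raise ValueError(f"unknown condition kind {node.kind!r}")
        if fire:
            handled = True
            if _run_nodes(menus, node.actions, caller, trace, depth):
                return True
    return False


def run_into(menus: Dict[str, List[Node]], name: str, caller: Caller,
             trace: List[str], depth: int) -> bool:
    if depth > MAX_MENU_DEPTH:
        trace.append("Hangup (menu depth limit)")
        return True
    return _run_nodes(menus, menus[name], caller, trace, depth)


def run_menu(menus: Dict[str, List[Node]], name: str, caller: Caller) -> List[str]:
    """Run the attendant starting at menu `name`; returns the executed trace."""
    trace: List[str] = []
    run_into(menus, name, caller, trace, 0)
    return trace


# constructed sample attendant: a main menu and an extension-entry menu
MENUS: Dict[str, List[Node]] = {
    "Main": [
        Action("Play in background", "main-menu.wav"),   # keys accepted while playing
        Condition("keys", "1", [Action("Forward to Queue", "Sales")]),
        Condition("keys", "2", [Action("Forward to Queue", "Support")]),
        Condition("keys", "0", [Action("Start IVR", "Extensions")]),
        Condition("invalid", actions=[Action("Play", "invalid-option.wav"),
                                      Action("Start IVR", "Main")]),
        Condition("timeout", actions=[Action("Forward to Group", "Reception")]),
    ],
    "Extensions": [
        Action("Play in background", "enter-extension.wav"),
        Condition("keys", "1001", [Action("Forward to Phone", "1001")]),
        Condition("invalid", actions=[Action("Play", "no-such-extension.wav"),
                                      Action("Hangup")]),
        Condition("timeout", actions=[Action("Hangup")]),
    ],
}
```

The "invalid keys" branch in Main sends the caller back into Main, which is the usual retry pattern; the depth limit is what keeps a caller who keeps pressing wrong keys (or a script doing so) from holding the line indefinitely, which the manual does not discuss.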
8.3.3 Schedules
Schedules allow you to define periods of time for executing rules in Incoming Call Rules. This is
very useful for specifying working hours, vacations and holiday periods, which you can then easily
use when defining your call rules.
Usually Outgoing Call Rules are used with Least Cost Routing (LCR) in mind, since you can
create rules based on destination number in order to use the least cost route for that destination,
reducing the overall cost of your voice communications.
Please refer to the IP-PBX section's Outgoing Call Rules menu. From that menu you can:
· Configure Outgoing Call Rules and Access Control policies for specific Groups or Devices
Related Topics:
· Configuring Voice Lines
8.4.1 Authentication
edgeBOX supports authentication of outgoing calls. Authentication is based on a PIN assigned
on user creation. Outgoing call permissions, i.e. the type of outgoing calls a user is allowed to make,
are also set on user creation.
The Outgoing Call Rules menu in the IP-PBX section displays the current status of the
authentication service at the top. As usual the green/gray colors are used to show the operational
status of the Outgoing Calls Authentication service. Click the Require users to
authenticate/Don't require users to authenticate to change it.
When active, the PBX blocks outgoing calls if the user supplied invalid credentials or doesn't
have the necessary permissions to make the call. When inactive, the system still checks the type
of each call, but only to find the correct Route to use. In this mode of operation users are not
required to supply a PIN when making calls.
· Conditions: this is where you define the conditions when to apply the rule, namely:
· Inbound Pattern: the Dialed Number; you can use patterns such as 123*: this will
match all calls to numbers starting with 123;
· Type of call: Free, Local, Long Distance, Mobile, International or Special Call;
· Time of day: the period of the day for which this rule will apply
· Route: which line (or lines) should be used to make the call
· Outbound Pattern: the number to dial out; here you can reuse pattern matches
from the Inbound Pattern; more details below;
The outbound pattern may differ from the inbound one if you wish to transform the
number. One example is when you need to add a prefix to select a specific provider:
say a prefix of 1010 needs to be added; your inbound pattern would then be 9* (all
numbers starting with 9), while your outbound pattern would be 10109*. Another
situation is when you use an outbound prefix like 0; in this case the Inbound pattern
would be 0* and the Outbound pattern would be *.
In both patterns (inbound and outbound) you can use two special characters: *
matches all remaining digits; X matches exactly one digit, and you may use several X
characters to match a specific number of digits. The X's must be uppercase.
Examples: 9* matches a digit 9 followed by any other digits. 9XXX matches a 9
followed by exactly 3 other digits (which may or may not include the digit 9).
9. In the Timeout field, enter the number of seconds (like 30) this route should ring before the
call ends (or falls to the next route, if defined).
10. If you want to enforce a specific Caller ID for the call, check Caller ID and enter the
number (or text) you want in the CallerID field. More details...
Caller ID is the identifier displayed (usually the number associated with the phone line)
on the destination phone. Not all providers allow this to be changed; in those cases
edgeBOX changes it at the protocol level but it has no effect, as the provider
overrides it.
11. Click Add.
12. Repeat steps 7 to 11, adding all the routes you wish to use as fallback routes. Each
additional route is used if the previous one is not available or times out.
13. Select the Access Control tab.
14. Move the Groups and the Devices that should be able to use the rule from Denied to
Allowed. The rule is only applied if the phone making the call belongs to a group in the
Allowed area, or if the call is coming from a Device in the Allowed area (like DISA).
15. Click Save to save the rule.
Note: You can test the Demo rule by dialing 123 on one of the already connected phones.
If everything is working properly your call will be answered and you'll hear an automated
attendant saying “Welcome. Thank you for calling. Goodbye”, after which the call ends.
Please note that this call is made through a connection to Critical Links servers, so your
edgeBOX needs a working internet connection for this test to work.
· Default rule: This rule is the most generic rule and will match all calls (except where rules
with more specific conditions apply). In a sentence this rule could be read as “Calls to
any number (*), at any time (00:00 – 23:59), made from any phone (Access Group Default)
will follow the routes specified”.
Note: When you first receive an edgeBOX, the Default rule doesn't include any routes
(lines) to the PSTN, so you need to edit this rule and add the routes you've connected.
See more in Configuring Voice Lines.
4. Select the route (or line) you want the call to follow in the Route field.
5. Enter the number (pattern) that should be dialed (usually the same as the Emergency
Number you entered in step 3) in the Outbound Pattern field. More details...
The outbound pattern may differ from the inbound one if you wish to transform the
number. One example is when you need to add a prefix to select a specific provider:
say a prefix of 1010 needs to be added; your inbound pattern would then be 9* (all
numbers starting with 9), while your outbound pattern would be 10109*. Another
situation is when you use an outbound prefix like 0; in this case the Inbound pattern
would be 0* and the Outbound pattern would be *.
In both patterns (inbound and outbound) you can use two special characters: *
matches all remaining digits; X matches exactly one digit, and you may use several X
characters to match a specific number of digits. The X's must be uppercase.
Examples: 9* matches a digit 9 followed by any other digits. 9XXX matches a 9
followed by exactly 3 other digits (which may or may not include the digit 9).
6. In the Timeout field, enter the number of seconds (like 30) this route should ring before the
call ends (or falls to the next route, if defined).
7. If you want to enforce a specific Caller ID for the call, check Caller ID and enter the
number (or text) you want in the CallerID field. More details...
Caller ID is the identifier displayed (usually the number associated with the phone line)
on the destination phone. Not all providers allow this to be changed; in those cases
edgeBOX changes it at the protocol level but it has no effect, as the provider
overrides it.
8. Click Add.
9. Repeat steps 5 to 8, adding all the routes you wish to use as fallback routes. Each
additional route is used if the previous one is not available or times out.
10. Click Save to save the rule.
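The pattern rules given in the More details... text of the outgoing call rule procedure (step 8) and repeated in step 5 of the emergency-number procedure above can be checked with the matcher below. It is an added example written for this guide, not edgeBOX code, and implements only what the manual states: * matches all remaining digits, an uppercase X matches exactly one digit, and the outbound pattern reuses what the inbound pattern matched (0* to * strips the prefix, 9* to 10109* adds one). Two points are assumptions marked in the code: a trailing * may also match zero digits, and an X in an outbound pattern reuses the inbound X digits in order. The dialed numbers are constructed samples.

```python
"""Dial-pattern matching and rewriting for outgoing call rules.

Added example, not edgeBOX code.  Implements the manual's rules ('*' matches
all remaining digits, uppercase 'X' matches exactly one digit, the outbound
pattern reuses the inbound matches) plus two marked assumptions."""

from typing import List, NamedTuple, Optional


class Captures(NamedTuple):
    x_digits: List[str]   # one entry per 'X' in the inbound pattern, in order
    star: Optional[str]   # digits matched by a trailing '*', or None


def validate_pattern(pattern: str) -> Optional[str]:
    """Return a description of what is wrong with `pattern`, or None if it
    is usable.  Catches the mistakes that actually happen when typing rules:
    a lowercase 'x' (the manual requires uppercase) and a '*' that is not last."""
    if pattern == "":
        return "pattern is empty"
    if "x" in pattern:
        return "lowercase 'x' is not a wildcard; use uppercase 'X'"
    if "*" in pattern[:-1]:
        return "'*' matches all remaining digits, so it must be the last character"
    for ch in pattern:
        if ch not in "0123456789X*+#":   # '+' and '#' allowed as literals (assumption)
            return f"unexpected character {ch!r} in pattern"
    return None


def match_inbound(pattern: str, number: str) -> Optional[Captures]:
    """Match a dialed `number` against an inbound `pattern`; returns the
    captured wildcard digits on success and None when it does not match."""
    problem = validate_pattern(pattern)
    if problem:
        raise ValueError(problem)
    x_digits: List[str] = []
    i = 0
    for ch in pattern:
        if ch == "*":
            tail = number[i:]
            if tail and not tail.isdigit():
                return None                  # '*' only covers digits
            return Captures(x_digits, tail)  # assumption: tail may be empty
        if i >= len(number):
            return None                      # number shorter than the pattern
        if ch == "X":
            if not number[i].isdigit():
                return None
            x_digits.append(number[i])
        elif ch != number[i]:
            return None                      # literal digit mismatch
        i += 1
    # no '*' in the pattern: the whole number must have been consumed
    return Captures(x_digits, None) if i == len(number) else None


def rewrite_outbound(outbound: str, caps: Captures) -> str:
    """Build the number to send to the route: literals are copied, '*' is
    replaced by the inbound '*' match and each 'X' by the next inbound 'X'
    digit (the 'X' reuse is an assumption; the manual documents only '*')."""
    problem = validate_pattern(outbound)
    if problem:
        raise ValueError(problem)
    out: List[str] = []
    next_x = 0
    for ch in outbound:
        if ch == "*":
            if caps.star is None:
                raise ValueError("outbound '*' but the inbound pattern has no '*'")
            out.append(caps.star)
        elif ch == "X":
            if next_x >= len(caps.x_digits):
                raise ValueError("outbound has more 'X' than the inbound pattern captured")
            out.append(caps.x_digits[next_x])
            next_x += 1
        else:
            out.append(ch)
    return "".join(out)


def dial(inbound: str, outbound: str, number: str) -> Optional[str]:
    """Apply one rule to a dialed number: the transformed number, or None
    when the rule's inbound pattern does not match."""
    caps = match_inbound(inbound, number)
    return None if caps is None else rewrite_outbound(outbound, caps)


if __name__ == "__main__":
    # the two transformations from the manual, on constructed sample numbers
    print(dial("9*", "10109*", "912154014"))   # provider prefix 1010 added
    print(dial("0*", "*", "0212345678"))      # outside-line prefix 0 stripped
    print(dial("9XXX", "9XXX", "9129"))       # exactly three digits after 9
    print(validate_pattern("9xxx"))           # the lowercase-x mistake
```

validate_pattern() is the part worth keeping around: a rule with a lowercase x silently matches nothing (the x is a literal), so calls fall through to a more generic rule, typically the Default rule, and take a route you did not intend.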
The Voice Lines panel allows you to manage all these interfaces in a consistent unified approach.
Please go to the IP-PBX section. You can reach the Voice Lines popup from the Incoming Call Rules
, the Outgoing Call Rules and the MailFax Accounts menus, in the Related Topics corner.
When the panel loads you get a summary display of all your phone lines and corresponding status.
Voice lines are classified as follows:
· Public Lines: Lines connected directly to the PSTN (Public Switched Telephone Network). The
panel will automatically display all lines installed based on your hardware configuration. The
supported line types include FXO, ISDN BRI and ISDN PRI.
· VoIP Providers: IP connections to VoIP providers. The signalling protocol used is SIP (Session
Initiation Protocol). How to create a VoIP Provider connection?.
· Remote PBX: Lines connected to a PBX (includes ISDN BRI and ISDN PRI). Calls received on
these lines are considered internal calls, meaning that extensions can be called directly.
· Remote Offices: IP connections to other offices; the supported signalling protocols are SIP and
IAX2. Calls received on these lines are considered internal calls, meaning that extensions can be
called directly. How to create a remote office connection?
· All Lines: Displays all the above connection types plus FXS lines, to which you can
connect analog phones or fax machines directly.
Step 1: in the first dialog you need to define the destination host and authentication for
the connection. Please fill the details regarding your VoIP provider account:
Authentication
· Authenticate with credentials: if the provider requires authentication please fill in the
Username and Password; additionally you can Customize Authentication Fields;
press the Settings... button and type-in:
· Register Name
· Authentication Name
· From User
· From Domain
· Outbound Proxy
· Realm
· Contact
For convenience you can use the Test Connection button to validate the connection. Once you're
done, press Next.
Please note that calls coming through trusted SIP proxies are only trusted if the proxy name is
equal to the From header of the call.
Step 2: in the second dialog you will define codecs and other advanced options. You may
choose to provide:
· Manage Codecs to be used on this connection: select the codecs to be used (these
codecs have to be supported by the provider). You can also select the preferred order of use.
For more information see Codecs section.
In edgeBOX the ENUM service is treated as a voice line, meaning that whenever you want a
given Outgoing Rule to search and use the ENUM service, you just need to add the ENUM line to
its route. For every call routed through that rule, edgeBOX then sends a query to each active
ENUM server to look up the called PSTN number; if it is found, the call proceeds as a URI call.
For more details about ENUM see Telephone Number Mapping.
Because the ENUM service is used like a Voice Line, if you want a given Outbound Route to use
it you need to add the ENUM line to your list of routes.
1. Go to IP-PBX > Outgoing Call Rules.
2. Double click the rule where you want to use ENUM (or create a new rule).
3. Select ENUM in the Route combobox, and enter the desired Outbound pattern.
4. Click Add.
5. Use the Up and Down buttons to place the ENUM at your desired execution order (typically
it should come first).
By default edgeBOX comes preconfigured with two ENUM servers (e164.org and e164.arpa). If
you need to use others, follow the steps below:
1. Go to IP-PBX > Outgoing Call Rules.
2. Select Voice Lines option in Related Topics section.
3. Double click the ENUM Service line.
4. Use the Add and Remove buttons to set up your ENUM servers.
5. Click Save button.
Now all the Outgoing Rules that you've configured to use ENUM will query the specified
servers.
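The lookup the ENUM line performs, shown as an added example that is not edgeBOX's own code: the dialled PSTN number is turned into an ENUM name under e164.org or e164.arpa, the NAPTR answers are walked in order/preference, and only terminal E2U+sip records whose regexp actually yields a sip: URI are accepted, otherwise the call falls through to the next route. The NAPTR records, numbers and hostnames below are constructed sample data; no DNS query is made.

```python
# Added example, not edgeBOX code: an offline model of the ENUM lookup the
# ENUM voice line performs. The NAPTR records below are constructed sample
# data; a real implementation would query DNS for the name that is built.
import re

# Constructed NAPTR answers, keyed by ENUM name. Each record is
# (order, preference, flags, service, regexp, replacement) as in RFC 3403.
SAMPLE_NAPTR = {
    # +1 555 0100 has a direct SIP contact, an H.323 fallback and a gateway route
    "0.0.1.0.5.5.5.1.e164.arpa.": [
        (100, 20, "u", "E2U+h323", r"!^.*$!h323:alice@example.com!", ""),
        (100, 10, "u", "E2U+sip", r"!^.*$!sip:alice@example.com!", ""),
        (200, 10, "u", "E2U+sip", r"!^\+1(.*)$!sip:\1@pstn-gw.example.net!", ""),
    ],
    # +1 555 0101 advertises E2U+sip but its regexp produces a non-SIP URI:
    # such a record must be rejected rather than dialled
    "1.0.1.0.5.5.5.1.e164.arpa.": [
        (100, 10, "u", "E2U+sip", r"!^.*$!http://example.com/!", ""),
    ],
}


def e164_to_enum_name(number, zone="e164.arpa"):
    """Strip non-digits, reverse the digits, dot-separate them, append the zone."""
    digits = re.sub(r"\D", "", number)
    if not digits:
        raise ValueError("number contains no digits: %r" % number)
    return ".".join(reversed(digits)) + "." + zone + "."


def apply_naptr_regexp(regexp, subject):
    """Apply a NAPTR substitution '!pattern!replacement!flags' to subject.
    Returns the rewritten string, or None when the pattern does not match."""
    delim = regexp[0]
    parts = regexp[1:].split(delim)
    if len(parts) < 2:
        raise ValueError("malformed NAPTR regexp: %r" % regexp)
    pattern, replacement = parts[0], parts[1]
    flags = re.IGNORECASE if len(parts) > 2 and "i" in parts[2] else 0
    result, count = re.subn(pattern, replacement, subject, count=1, flags=flags)
    return result if count else None


def enum_lookup(number, zone="e164.arpa", records=SAMPLE_NAPTR, service="E2U+sip"):
    """Return the first terminal ('u' flag) record of the wanted service whose
    regexp rewrites the number into a URI of the matching scheme, else None."""
    subject = "+" + re.sub(r"\D", "", number)      # ENUM regexps apply to +digits
    scheme = service.split("+", 1)[1].lower() + ":"
    rrset = records.get(e164_to_enum_name(number, zone), [])
    for order, pref, flags, svc, regexp, _repl in sorted(rrset, key=lambda r: (r[0], r[1])):
        if flags.lower() != "u" or svc.lower() != service.lower():
            continue
        uri = apply_naptr_regexp(regexp, subject)
        # sanity check: the URI scheme must match the advertised service
        if uri and uri.lower().startswith(scheme):
            return uri
    return None


def route_call(number, servers=("e164.org", "e164.arpa"), records=SAMPLE_NAPTR):
    """Mimic the ENUM line: try each active ENUM server in order and return
    ('uri', uri) on a hit, or ('pstn', number) so the next route is used."""
    for zone in servers:
        uri = enum_lookup(number, zone, records)
        if uri:
            return ("uri", uri)
    return ("pstn", number)


if __name__ == "__main__":
    for n in ("+1 555 0100", "+1 555 0101", "+1 555 0199"):
        print(n, "->", route_call(n))
```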
A benefit of this configuration is that an extension from edgeBOX A is able to call an extension
registered in edgeBOX B, as if the phone was registered on edgeBOX A.
Note that besides calling internal extensions, all VoIP functionalities are available to the remote
edgeBOX users (making local calls, call conferences, etc.), allowing you to hold a conference call
between two remote offices at no cost.
To enable edgeBOX to connect to a Remote Office, please load the Voice Lines dialog and click
the New button. In the subsequent dialog choose Connect to a Remote Office and press Next.
Step 1: in the first step you need to define a name and a security key for the connection:
· Name: a descriptive name for the connection (such as office2, for example);
Authentication
Advanced Options
· Manage Codecs: click the Codecs... button and use the dialog that opens to enable or
disable and prioritize the audio and video codecs used on this connection; see the
Codecs section for more information.
· Manage Protocol (IAX or SIP): click the Protocol... button and choose the protocol,
SIP or IAX; for SIP don't forget to set the Max. Simultaneous calls value;
Click Next.
Step 2: in the second step you need to specify the Remote Office location:
· IP Address / Hostname: type in the IP address or the FQDN of the remote office IP-PBX;
· Automatically configure remote server: check the box and type in the administration
password of the remote host.
8.5.4 Hardware
edgeBOX supports automatic hardware detection. All supported VoIP card types are automatically
detected and the system is automatically configured so these cards can be used by the IP-PBX.
All supported card types are displayed in the Voice Lines popup of the IP-PBX menu. Each card type has
its own specific set of configurations. To access them, select the desired entry and click the Edit
button. For each specific type follow the details below:
· ISDN BRI
· ISDN PRI
· Analog FXO-FXS
Mode
· This line connects to an ISDN Phone: select this if the line will be used to connect a phone
(NT Mode); ports in NT Mode are available when you configure your Incoming Call Rules;
· This line connects to an ISDN Line: select this if the line will be used to connect edgeBOX to the
exterior using ISDN (TE Mode); ports in TE Mode are available as outbound routes when you
manage Outgoing Call Rules;
NOTE: changing this option requires restarting edgeBOX's PBX and thus hangs up all ongoing
calls.
Connection Type
Choose the desired connection type: Point to Multi-Point (PMP) or Point to Point (PTP). PTP links
allow only one TE to be connected. PMP links allow up to 8 terminals to be connected in parallel along
the bus.
MSN numbers
The MSN numbers are your public phone numbers. You can use this option to restrict the inbound
calls you accept on this ISDN line. Call acceptance restrictions:
· Accept only calls to the following numbers and ignore other calls: use the Add, Edit
and Remove buttons to manage the list of numbers to which this line accepts calls.
Others
· Consider calls on this line as internal calls (Trusted Line): select this option if you want
inbound and outbound calls through this line to be considered internal calls by edgeBOX; this
means that the inbound call rules and outbound call rules will not be applied to these calls;
· Wait for all incoming digits before fallback to Dial Plan: select this option if you want to
wait for all incoming digits before falling back to the Dial Plan; it allows edgeBOX to integrate with
PBXs that work with overlap digits.
General
· Mode: shows the current operating mode of the port, E1 or T1, together with the
number of ports (31 ports in E1 mode, 22 ports in T1 mode); How to change mode?
· Consider calls on this line as internal calls (Trusted Line): select this option if you want
inbound and outbound calls through this line to be considered internal calls by edgeBOX; this
means that the inbound call rules and outbound call rules will not be applied to these calls;
· Wait for all incoming digits before fallback to Dial Plan: select this option if you want to
wait for all incoming digits before falling back to the Dial Plan; it allows edgeBOX to integrate with
PBXs that work with overlap digits.
· Enable Echo Cancellation: select this option if you want the card to use the embedded echo
cancellation mechanisms. Note that this option is only displayed for cards that support echo
cancellation.
Advanced
In the Advanced tab of the configuration details for PRI cards, the following settings may be
changed:
· QSIG;
· E&M;
· Timing:
  · Primary Master
  · Secondary Master
  · Slave
· Coding:
  · HDB3
  · AMI
ISDN Signaling
· Dial Plan: choose from Unknown, Private, Local, National, International, Dynamic;
· Local Dial Plan: choose from Unknown, Private, Local, National, International, Dynamic.
· National Prefix: check the box and enter the desired prefix;
· International Prefix: check the box and enter the desired prefix.
To change the mode from E1 to T1 (or vice-versa) you need to access the hardware and configure
jumpers accordingly; please refer to your support service for more information on how to proceed.
· FXO Module: should be connected to an analogue line, allowing you to receive or make calls
using the PSTN network;
Be careful not to connect phone lines (PSTN lines) to the FXS port. If you do so, the
port will stop working.
Even if you unplug the phone line cable and connect an analog phone to the port, the port will still
not work; you will have to reboot edgeBOX.
When editing an FXO-FXS port you'll be prompted by a panel with two tabs:
General
· This line has a direct phone number assigned: only for FXO mode; check the box and
type in the desired direct phone number for this line;
Advanced
· Enable "#" confirmation for outgoing twinned calls: only for FXO mode; you need to
select this option if you have Twinning enabled on your analog phone and you are not in the
USA; show me more details...
when an analog phone is in Twinning and the call is answered on the twin phone, edgeBOX
cannot tell whether the call was answered, because it is an analog line; so the user has to
press the # (hash) key after answering; this informs edgeBOX that the call was picked up and
edgeBOX stops ringing the other extension; otherwise the extension keeps ringing even though
the call has already been answered by the user.
· Sound Volume Gain (dB): adjust the volume for transmission and reception on this line;
· This line receives dialtone: select the period: immediately or up to n seconds; only for
FXO mode;
· Group Calls
· Intercom Calls
· Call Pick-Up
· Twinning
· Follow Me
· Supervised Transfer: transfers a call to another phone by putting it on hold and allowing
you to talk to the transfer destination phone first; this lets you determine whether the transfer will
succeed and whether the person at the other end will actually accept the call; it is also
known as Attended Call Transfer.
To make a Blind Transfer:
1. When you are answering a call, inform the caller that you are going to transfer the call.
2. Dial the prefix for a blind transfer and the telephone number you wish to transfer the incoming
call to. Example: #12001 to forward the call to extension 2001.
3. The caller is immediately connected to the number you transferred the call to.
4. You will hear the busy line tone, which means the transfer is complete and you can hang up.
If you make a mistake when dialling the number you're transferring the caller to, you and
the caller will be disconnected from the original call. Also, you cannot check whether the
number you are transferring the call to is busy or offline, for example, before making the
transfer. To do that, use a Supervised Transfer instead.
To make a Supervised Transfer:
1. When you are answering a call, inform the caller that you are going to transfer the call.
2. Dial the prefix for a supervised transfer (*2 by default, but you can change it). The caller will
no longer be able to hear you.
3. Dial the number of the phone you wish to transfer the incoming call to. After the
person answers, ask if you can transfer the call.
4. If the person says yes, hang up your phone and the call on hold will be transferred to
the recipient. If the person says no, wait until he or she hangs up. The call on hold will be
transferred back to you and you can inform the person holding that it is not possible to
transfer the call.
If the person to whom you transferred the call doesn't answer it within about 15
seconds, the call is transferred back to you. This also happens if that person answers the call
but hangs up the phone before you do.
To end a Supervised Transfer and get back to the initial caller you can dial the Hangup Key
Code (*0 is the default key code for Hangup but you can change it if you want to).
Related Topics:
· Operation Key Codes (Prefixes)
The result of a call directed at a group extension is that all phones in that group ring: that's a
Group Call. When anyone picks up the call on any of the group's phones all the others stop ringing.
Give me an example...
Let's assume you've just created a new group of phones called whosincharge and chosen
extension 5432 for the group; then you added Mr. Alves', Mr. Sousa's and Mr. Carreira's phones
to the group; if you dial 5432 from your phone, all three phones, Mr. Alves', Mr. Sousa's and Mr.
Carreira's, will start ringing; if Mr. Carreira picks up his phone first you will start talking to him, and
Mr. Alves' and Mr. Sousa's phones will stop ringing; that's how a Group Call works.
This is useful for making quick announcements (for example, a short request for the sales team to
gather for a quick meeting in the hall), or to try to reach someone who might be near the phone but
might not be authorized to answer it without being specifically requested to.
To make an Intercom Call you need to dial *9<number> (if you dial *9 followed by a group
number, instead of an extension number, then all phones that belong to the group will answer the
call and go into loudspeaker mode).
Access to this feature can be restricted based on the Phones Access Control policies.
Additionally, only phones with loudspeaker mode can receive such calls. Phones currently
supported for this feature are:
· Snom
· Linksys
· Aastra
· Grandstream
· Polycom
Related Topics:
· Phones Access Control
This feature gives a user at phone C the ability to listen to a call between phone A
and phone B. To do this, dial *990*<extension number>: you will hear the ongoing call at that
extension;
Call Whispering
This feature consists of the ability to secretly talk to the person at phone A, while listening to
the conversation between A and B, without B's knowledge (just like whispering in A's ear).
The person at phone B does not hear your voice; only the person at phone A does. You need to dial
*991*<extension number>: your phone will let you listen to the ongoing call at <extension
number> and you will be able to "whisper" to that extension;
The availability of these features is restricted by the Phones Access Control policies and
depends on the three phones involved: if any of the target phones cannot be listened to, or
your own phone cannot listen to calls, then none of this will be possible. Make sure to check
the details in the Phones Access Control section of this manual.
Related Topics:
· Phones Access Control
· by pressing *8: will pick-up any call that belongs to any of the groups the phone belongs to;
· by pressing *8<group extension number>: will pick-up a call to that specific group;
· by pressing *8<phone extension number>: will pick-up a call to that specific extension.
For example, to pick up a call ringing at extension 2001, dial the Pick Up prefix *8 plus 2001: *82001.
Related Topics:
· Phone Groups
8.6.6 Twinning
The Twinning feature can, to some extent, be managed directly from the phone: the phone user
can enable, disable and change the number of the phone the extension is twinning with, directly on
the phone itself instead of through edgeBOX (twinning must be allowed on that phone). To:
· Change the phone your phone is twinning with: dial *92* followed by the phone
let's assume your cell phone is 912154014 and you want your work phone to twin with
your cell phone; you should pick up your work phone and dial, first, *90 (to enable twinning)
and then *92*912154014 (to actually start twinning); from now on, if your work
phone rings your cell phone will ring too; you can pick up the call on either of them.
· Transfer an ongoing call from the cell phone to the work phone: on your cell phone,
dial *93 and the call you are answering on the cell phone will continue on the network phone.
Related Topics:
· Twinning
8.6.7 Follow Me
Follow Me - Allows you to forward calls that arrive at your internal extension to another extension or
phone where you are at the moment. You can't do this operation in edgeBOX's interface, only on the
network phones. How to do it?
· If you are close to your extension - Dial *14* plus the phone number or the extension
number you want your calls to be forwarded to. For example, if you have a meeting in a
meeting room and there is a phone there (extension 4002), you can pick up your
extension and dial *14*4002, and all calls that arrive at your extension will be forwarded to
the meeting room phone. Or you can indicate your personal cell phone number instead
(*14*912154103, for example); this way all calls that arrive at your extension will be
forwarded to your cell phone.
· If you are close to the extension you want to forward calls to - Dial *12* plus your
extension number. For example, if you are in a meeting room and you want to forward
calls that arrive at your extension (ext: 2013) to the phone in the meeting room,
pick up the meeting room phone and dial *12*2013. All calls that arrive at your extension
will be forwarded to the meeting room phone.
· If you are close to your extension - Dial *13*. Calls that arrive at your extension will no
longer be forwarded to another phone.
· If you are close to another extension - Dial *13* plus your extension number (example:
*13*2013). Calls that arrive at your extension will no longer be forwarded to another
phone.
An e-mail message will be sent to the user's e-mail account. Depending on global Voicemail
configurations the sound file may or may not be attached to the e-mail.
The availability of the One Touch Recording (OTR) feature for a given call is configurable on a
per Group basis and depends on the phones at both ends: if the phone trying to use OTR belongs
to a group that cannot record calls then the recording will not occur; additionally, if the
phone on the other end of the conversation belongs to a group that cannot be recorded then
the recording will not take place.
Related Topics:
· Phone Groups and Access Control
If, during a call, the user dials #79<code>, the call will be marked with that <code> in the
corresponding CDR log line.
The CDR files are available through the logmaster FTP account.
Related Topics:
· Logs
To enable dynamic conferences you need to start the Dynamic Conference service in the usual
service bar at the top of the page: you should click the Start Service/Stop Service links on the
right and the bar will change color - green or gray - to show you the current service administrative
status. If you want to, you can Change... the number users dial to access the service. The default is
9000.
Any registered user may dial the pre-defined dynamic conference extension (9000 by default) and
create a conference just by dialing any desired number. That number will become the conference
room number. To join this conference, other users should dial the pre-defined dynamic
conference extension and enter the conference room number.
Static Conferences
This other type of conference is created by the administrator. The list of static conferences
configured is displayed in the list at the bottom of the Conferences menu.
To create a New static conference, a two-tabbed dialog window is shown:
General
· Number: type-in the desired Conference Number (also known as the Room Number, or
Conference Room Number)
· Public: this conference will be accessible by anyone that tries to join it and you can
not specify a moderator;
Advanced
· Announce when a user joins or leaves the conference: select or deselect the check
box;
· Have a moderator for this conference: check the box if you want a moderator and type in
the Moderator PIN, then repeat it to confirm;
· Number: 9010;
While in a conference, you can press * to hear the available options, such as increase/decrease
volume, mute, and others. The conference moderator has the same privileges as normal users plus
Lock/unlock conference and Eject last user.
Creating Queues
To create a new Queue you need to press the New button (to edit an existing Queue the operations
are similar). An appropriate dialog window will pop up. This popup contains two main tabs. In the
General tab you'll find:
· Name: type a name for the queue (when editing an existing queue you cannot change its
name);
· Assign the calls to: this option allows you to specify the so-called Ring Strategy - the
algorithm used to assign calls to agents; you can choose one of the following options:
· A random agent;
· Agents: since queued calls are answered by the queue's agents, agents and/or
extensions must be assigned to the queue in order for it to function correctly; you can use
the Add and Remove buttons to manage the contents of the Agents list for each queue;
when you click the Add button please choose:
· Add Extension: this option allows you to add extensions to the Queue; select an
extension from the list and hit Add; these extensions will be used by the queuing
system to assign calls to; whoever is near that extension will now start receiving calls
from this queue;
· Add Agent: this option allows you to add users to the Queue; this way you can
assign calls to users in a way that is independent of the extension the user might wish
to use when starting work; a new popup will give you a list of users; select the users
you wish to assign to the queue and click the Next button; users that do not have a
PIN will be assigned one; the last screen shows you this assignment.
In the Advanced tab you get to configure several advanced features of edgeBOX's queues. Please
follow the details here.
The status of the callback login service is controlled by the service bar at the top of the page where
you can Start and Stop the service. Together with the status of the service there's also a
parameter that you can change, Callback Extension, which is the extension number of the callback
login service.
3. At this point the agent is logged in and listening to Music on Hold. The agent stays logged in as long as
the phone stays off-hook (on call). Calls delivered to the agent will be preceded by a "beep"
sound.
This method is very useful for "professional agents" who use a headset and are 100% dedicated
to answering queue calls.
How can an agent login through Callback Service?
The steps for an agent to login at the Callback Service are:
1. Dial the Callback Login Extension (by default the number is 8000). An automated attendant will
answer.
2. Type your agent number, which is your User PIN number (see IP-PBX Authentication for more
details), followed by the # key.
3. Type your password (the same as the User PIN number), followed by the # key.
4. Type the extension number where the calls to this agent shall be delivered.
How can an agent logout through Callback Service?
The steps for an agent to logout at the Callback Service are:
1. Dial the Callback Login Extension (by default the number is 8000). An automated attendant will
answer.
2. Type your agent number, which is your User PIN number (see IP-PBX Authentication for more
details), followed by the # key.
3. Type your password (the same as the User PIN number), followed by the # key.
4. When asked for the extension number, just press the # key.
· Play music from the Music On Hold library: in this case the caller will listen to
music while waiting; you should additionally specify:
· Indicate the position in the queue every .. seconds: select this box
and choose the time interval for edgeBOX to update the caller about his
position in the queue; also remember to select the check box immediately
below if you want users to also get an estimate of the remaining time until the
call is answered;
· Calls Hangup:
· Hangup the calls in the queue when there are no agents online: check the box
if you want this;
· Hangup the calls that are not answered in .. seconds: activate the
box and choose the time in seconds if you want this behaviour for calls that don't
get answered in time;
· Other Settings:
8.9 Codecs
Codecs are used when converting an analogue voice signal to a digital one. edgeBOX supports
several types of codecs allowing a flexible client configuration. The choice of the codec to be used
usually results from a compromise between sound quality and bandwidth used. If there isn't a
specific system requirement, the choice should be ULAW, because it is compatible with most phones
and softphones available on the market.
Audio Codecs
· G.711 (ULAW): Known as the native codec in modern communication lines. Provides good
quality sound, at the expense of bandwidth. It is the most commonly used codec for VoIP calls
because, besides being supported by most VoIP providers, it has the lowest latency as no type
of compression is used. It is the codec used in PSTN and ISDN lines. This codec is selected by
default in edgeBOX.
· G.711 (ALAW): Basically, a G.711 version used in E1 European lines. This codec is selected by
default in edgeBOX.
· Dialogic ADPCM: This is a legacy codec, kept for compatibility with version 3 of edgeBOX.
· GSM: Usually used on European mobile networks, this codec uses a small amount of bandwidth
providing an acceptable quality of sound.
· Speex: Audio codec designed specifically for speech, and as such, well suited for VoIP.
· G.729: Offers good sound quality with conservative use of bandwidth. However, to be able to
use it you have to purchase and activate it. How to activate G.729?
You need to download the codec from Digium web site. Each license you purchase allows a
single simultaneous use of the codec. Thus, if you purchase 3 licenses, 3 users can
simultaneously use the codec, the fourth person will not be able to use this codec, unless
one of the current users has completed their call.
The codec to purchase is: codec_g729a_v32_i386 in the asterisk-1.4, x86-32 directory on
the Digium site. After downloading to your PC, select the browse button and choose the
codec file and then the upload button, which will then upload the file to the edgeBOX.
After uploading the file, you will need to activate the license(s) (which will be locked to your
edgeBOX hardware), by pressing the activate button.
After pressing the Activate button, you will need to enter the License ID and other details
which you entered when you purchased the License (as shown below).
Press Activate to complete the process.
· G.726: ADPCM can be interchanged between packet voice, PSTN, and PBX networks if the PBX
networks are configured to support ADPCM.
· iLBC: Low bit rate
· G.722: High quality voice codec, this is commonly known as HD-Voice.
Video Codecs:
· H.261: A 1990 ITU video coding standard originally designed for transmission over ISDN lines
on which data rates are multiples of 64 kbit/s. The data rate of the coding algorithm was
designed to be able to operate between 40 Kbits/s and 2 Mbits/s. The standard supports CIF
and QCIF video frames with resolutions of 352x288 and 176x144 respectively (and 4:2:0
sampling with chroma resolutions of 176x144 and 88x72, respectively).
· H.263: is a video codec designed by the ITU-T as a low-bitrate encoding solution for
videoconferencing. It was first designed to be utilized in H.324 based systems (PSTN and other
circuit-switched network videoconferencing and videotelephony), but has since found use in
H.323 (RTP/IP-based videoconferencing), H.320 (ISDN-based videoconferencing), RTSP
(streaming media) and SIP (Internet conferencing) solutions as well.
· H.264: Is a standard video codec capable of providing good video quality at substantially lower
bit rates than previous standards (e.g. half or less the bit rate of MPEG-2, H.263, or MPEG-4 Part
2).
4. E-mail address: enter the e-mail address account of the person of your company that
will receive all incoming faxes; incoming faxes are converted by edgeBOX to e-mails and
then delivered at this e-mail address; you can, for example, fill this field with the e-mail
account of your company's receptionist;
5. Fax E-mail Account: type the name of the e-mail address that will be used by the
network users to send e-mails that will be converted to faxes; for example, if you type
fax_account and the domain on edgeBOX is example.com, then the fax server account
will be fax_account@example.com.
6. Display Number: your fax number; usually this will be the DDI you typed above, in the
Incoming section;
7. Display Company Name: your company name, displayed at the top of faxes sent
by edgeBOX;
8. Retry Attempts: the number of times edgeBOX tries to send a fax when the number it
is trying to fax to is busy.
Authentication
9. In the Authorization Type, indicate from which e-mail accounts users can send the e-
mails and if they are required to indicate a password.
· Local means the network users can only send e-mails from the Webmail or from the
edgeBOX local SMTP server. For instance, if they have their edgeBOX e-mail account
configured on Outlook and they send a fax through it, the fax will be accepted, but if
they send the fax through a Gmail or Hotmail account or through an e-mail account of
another edgeBOX, for example, the fax will not be accepted.
· Password means the users can send e-mails from any e-mail account; however, they
have to specify a password in the body of the e-mail to authenticate.
· Local + Password means that the users have to use the Webmail or the SMTP server
of edgeBOX to send the e-mails and they also have to specify a password in the body
of the e-mail to authenticate.
Change the type of the attachments, change the language or change the From field of the emails
By default, edgeBOX converts the received faxes to pdf files and sends them as e-mail
attachments to the fax reception e-mail account you specified. Also, by default, edgeBOX sends
all the faxes it receives as e-mails to the e-mail account you specified in English language.
You can change the format of the attachments and the language of the e-mails sent by edgeBOX.
To change any of these settings:
Related Topics:
· Voice Lines
· E-mail server
1. Open an e-mail client such as Thunderbird or Outlook, or edgeBOX's Webmail, and create a new
e-mail.
2. Enter the e-mail address of your edgeBOX fax account in the To field.
3. In the Subject type the fax number of your client.
4. Convert the document you want to send to PDF or TIFF format and add it to the e-mail as
an attachment. Note that the document cannot have more than 25 pages.
5. If authentication is required, type PASSWORD: plus the fax account password in the first line of
the body of the message.
6. Send the e-mail.
After edgeBOX receives this e-mail in the fax e-mail account, it will convert the attached file into
a fax and try to send it to the phone number you indicated in the Subject of the e-mail.
A little while later, you will receive an e-mail from edgeBOX indicating whether edgeBOX was able to
deliver the fax to the recipient, or could not deliver it because of some error or because
the receiving fax was busy.
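As an added example that is not edgeBOX's or its fax gateway's code, the e-mail from the procedure above is built with Python's standard email library and then checked the way the three Authorization Types described earlier (Local, Password, Local + Password) would accept or reject it. The fax account address, the sender addresses, the password and the local_submission flag (whether the message arrived through edgeBOX's own SMTP server or Webmail) are assumptions made for this example.

```python
# Added example, not edgeBOX code: build the fax-by-e-mail message from the
# procedure above and check it as a gateway applying the Local / Password /
# Local + Password authorization types would. Addresses, the password and the
# local_submission flag are assumptions made for this example.
import hmac
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

FAX_ACCOUNT = "fax_account@example.com"            # account name from the page's example
ALLOWED_TYPES = {"application/pdf", "image/tiff"}  # the page allows PDF or TIFF attachments


def build_fax_email(sender, fax_number, document, filename, mime_type, password=None):
    """Return the raw bytes of an e-mail laid out as the fax server expects:
    To = fax account, Subject = destination number, optional 'PASSWORD: ...'
    as the first body line, and the document as the single attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = FAX_ACCOUNT
    msg["Subject"] = fax_number
    body = ("PASSWORD: %s\n" % password) if password else ""
    msg.set_content(body + "Please deliver the attached document.\n")
    maintype, subtype = mime_type.split("/", 1)
    msg.add_attachment(document, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


def check_fax_request(raw, auth_type, expected_password, local_submission=False):
    """Decide whether the gateway should fax the attachment.
    Returns (accepted, reason, destination_number).
    local_submission is what 'Local' really tests: did the message arrive
    through edgeBOX's own SMTP server or Webmail? The From: header alone is
    not evidence of that, since a sender can write any From: address."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)

    # 1. The Subject must be a phone number (digits, optional leading +).
    number = re.sub(r"[\s().-]", "", msg.get("Subject", ""))
    if not re.fullmatch(r"\+?\d{3,20}", number):
        return (False, "subject is not a phone number", None)

    # 2. Exactly one attachment, and it must be PDF or TIFF.
    attachments = list(msg.iter_attachments())
    if len(attachments) != 1 or attachments[0].get_content_type() not in ALLOWED_TYPES:
        return (False, "expected exactly one PDF or TIFF attachment", number)

    # 3. Authorization type: Local, Password or Local + Password.
    if auth_type in ("Local", "Local + Password") and not local_submission:
        return (False, "not submitted via edgeBOX's SMTP server or Webmail", number)
    if auth_type in ("Password", "Local + Password"):
        body = msg.get_body(preferencelist=("plain",))
        lines = body.get_content().splitlines() if body is not None else []
        m = re.match(r"PASSWORD:\s*(\S+)\s*$", lines[0]) if lines else None
        # constant-time comparison so a wrong password is not distinguishable by timing
        if m is None or not hmac.compare_digest(m.group(1), expected_password):
            return (False, "missing or wrong PASSWORD line", number)
    return (True, "accepted", number)
```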
· Voicemail
· Call Parking
· Automatic Call Recording
· Operation Key Codes
· Customize Sound Files
· Define Country Zone
· Echo Cancellation Options
· G.729 Codec License
· Billing Interface Service
· Asterisk Manager Interface
· Network Address Translation (NAT)
8.11.1 Voicemail
When you created your SIP, Analog or IAX phones you were prompted to configure an individual
Voicemail account for each. Additionally, several global options allow you to configure the way users
access their voicemail and the way the feature works globally.
Go to the Options menu in the IP-PBX section. In Voicemail you'll find the current settings for:
· Voicemail Number: 9999 is the default value;
· Attach sound file: Yes or No; whether edgeBOX attaches the voicemail file to the e-mail
notification about the voicemail;
Click the Voicemail options... link to further specify other details. In the popup dialog please enter:
Extension
Type the extension to be used for users to listen to voicemail;
E-mail body
· Attach sound file to e-mail: check this box if you want the voicemail file to be attached to the
e-mail notification messages;
· Signature: signature of the notification messages;
· Language: language used in notification messages.
Voicemail quotas
Click the Properties... button and enter:
· Max Messages: Maximum number of messages that a user can have in his/her mailbox;
· Max length of message: voicemail messages longer than this will not be saved;
· Min length of message: voicemail messages shorter than this will not be saved.
In the end, if you wish to save your changes, press the Save button, as usual.
The pre-configured park numbers range from 700 to 714. You can raise or lower the
parking base number and the park size.
Go to the Options menu in the IP-PBX section. Click the Call parking options... link and enter the
values desired for:
· Number to dial for parking: you need to dial this number for a call to be parked;
· Parking available lines: total number of parking lines available; park size;
· Parking Max Time (seconds): enter the maximum parking time, in seconds; after this
period the call is hung up.
The Operation Key Codes area shows you the current configuration for those operations. Hit the
Change the keycodes... link and change the keycodes as needed. The Phone Operations section in
this manual shows you the details on the usage of these codes.
The sound files used to accomplish this are accessible to you through the Sound Manager dialog.
You can access it in the Related Topics area of the Incoming Call Rules menu or, for convenience,
you can reach it at the Customize Sound Files... link in the Options menu, both in the IP-PBX
section. The sound files are divided in three groups:
· My Sounds: your own custom sounds, where you can upload new sound files to be used in
Automated Attendants;
· System Sounds: contains all sounds used natively by the PBX, like the voicemail prompts,
conferences, etc...
· Language sounds: sound packages that contain system sounds translated for a given
language.
· The tone zone for all analog cards (if installed). This is important because the ring and busy
tones may differ from country to country
· The language for the sound prompts. Note that the sound bank for the selected country must
be installed; if not, the default sound bank will be used (system sounds).
· Language: the user may want to select a language for the sound prompts different from the
country tones applied to the phones. If this is the case, check the checkbox and
select a different language.
The software determines the best configuration from the initial line characteristics and preserves the
settings for the period of the call. The echo cancellation will only be applied to analogue phones,
which have echo cancellation checked. The options are:
· KB1: The default echo canceller. This is the built-in Zaptel echo canceller since Zaptel v1.2.
· MG2: A variation of KB1 to solve some of the scenarios where KB1 fails.
· OSLEC: Stands for "Open Source Line Echo Canceller", and it's considered the best configuration
option for software echo cancellation. It's an evolution of KB1 and MG2 using a different approach.
It usually produces much better results where KB1 and MG2 fail.
Changing the echo canceller restarts the VoIP service engine, and thus ALL
CURRENT CALLS WILL BE TERMINATED!
This panel allows you to add support for the G.729 codec. You need to download the codec from the
Digium web site www.digium.com. Each license you purchase allows only one usage of the codec at
a time. Thus, if you purchase 3 licenses, 3 users can simultaneously use the codec, the fourth person
will not be able to use this codec, unless one of the 3 calls has finished.
The codec to purchase is: codec_g729a_v32_i386 in the asterisk-1.4, x86-32 directory on the
Digium site. After downloading the codec to your PC you can install it with the help of edgeBOX's
webadmin interface.
Please go to the Options menu, in the IP-PBX section and click the G.729 Codec License... link.
Once there hit the Run the G.729 installation wizard... You will be requested to browse your
computer for the file and then you need to click Next. In the following screen just fill in the license
details as obtained from Digium and finish up the process.
To allow billing software to connect to edgeBOX go to the IP-PBX section, Options menu.
Click the Billing Interface Service options... link. Activate the Allow computers with billing
service to connect to edgeBOX option and fill in the rest of the details:
Authorized Computers
Only the IP address(es) specified will be allowed to access the Billing service:
· Only from a specific computer: type in a host IP address; only this IP address will have
access;
· Only from a specific network: type in a network IP address and a Netmask; only hosts on this
IP segment will be allowed.
Show me an example
If the billing software can only be used from computers on the local network, for example,
then you have to indicate the IP address of your local network, 192.168.90.0, for example, and
then the netmask of your network; 255.255.255.0.
If it can only be used from a specific computer of the local network then you need to type
the fixed IP address of that computer; 192.168.90.128.
Authentication
Here you must configure a username and a password for the manager software to be able to access
edgeBOX:
· Username: a username to be accepted by edgeBOX used for authentication;
· Password: the respective password;
· Repeat Password: repeat for verification.
In the end you will need to allow the Billing service in the Firewall.
If at any time you don't need to allow the Billing Interface anymore just deselect the Allow
computers with billing service to connect to edgeBOX option.
To connect the billing software on a computer to the edgeBOX, depending on the billing software you
will use, you need to indicate:
· The username and password you specified on edgeBOX when you activated the billing service.
· The port used for the billing service: TCP port 5432.
· The database structure:
To configure the Manager Interface go to the Options menu in the IP-PBX section. Follow the
Asterisk Manager interface options... link and select the Allow computers with manager
interface to connect to edgeBOX option.
Authorized Computers
Only the IP address(es) specified will be allowed to access the Manager Interface
· Only from a specific computer: type in a host IP address; only this IP address will have
access;
· Only from a specific network: type in a network IP address and a Netmask; only hosts on this
IP segment will be allowed.
Authentication
Here you must configure a username and its password for the manager software to be able to
access edgeBOX:
· Username: a username to be accepted by edgeBOX used for authentication;
· Password: the respective password;
· Repeat Password: repeat for verification.
In the end you will need to allow the CTI service in the Firewall.
If at any time you don't need to allow the Manager Interface just deselect the Allow computers
with manager interface to connect to edgeBOX option.
That being the case, please go to the Options menu in the IP-PBX section and follow the Network
Address Translation (NAT) options... link. The Advanced NAT settings dialog window will come
up.
3. If you have local networks that are managed by the router and you have phones on those
networks, select the option I have additional networks with phones to be served, and
then, in the table below add an entry for each of those networks. Learn More...
edgeBOX can detect phones that are on its local networks (LAN, DMZ and the VLANs).
However, as you have a router in front of edgeBOX you may also have local networks
managed by the router, and you may also have phones on those networks. edgeBOX cannot
recognize these phones automatically because it is not managing these networks. So you
need to indicate to edgeBOX the networks so it can recognize the phones and allow them to
register.
You gain access to the Music On-Hold (MOH) configuration popup from the Related Topics corner
in the Queues, Conferences and Incoming Call Rules menus in the IP-PBX section. It displays
the current playlists on the left side. If you click a playlist you'll get its contents on the right side.
You can upload your own MP3 sound files to edgeBOX. These sound files will be kept in edgeBOX's
MOH Gallery. You'll be able to build your own playlists by choosing sound files from the Gallery.
Managing Playlists
To add a new playlist just hit the New button and select Playlist. A new dialog will ask you for:
· Playlist: enter the desired name for your new playlist;
· Play tracks randomly: select this box if you want the tracks from this list to be played
randomly.
To add tracks to the Playlist choose the playlist you want to add files to, click the New button and
choose Track. The Gallery pops up. Just select the tracks you'd like to add and press Ok. You've
just added a new track from the Gallery to your playlist.
For each sound file displayed you can execute several actions with the buttons at the top: remove
that file from the list, bring that file to the top of the list, move it up one position, move it down one
position and bring it to the bottom of the list.
To access the Gallery click New button and choose Track. The Gallery window will popup:
· Available Tracks: at the top, a list shows you the available sound tracks in the gallery;
· Delete: deletes tracks from the gallery; select a track and hit Delete to remove a track from the
gallery;
· Upload Track...: use this button to search your computer for more MP3 files to add to the
Gallery.
If you wish to activate this service please go to the IP-PBX section and choose the Options menu.
Once there, search for the Automatic Call Recording area. You get a short summary showing you:
· Status: states which types of calls are currently configured for automatic recording; the
possibilities are: Not recording any calls, Record all calls, Record all incoming calls,
Record all outgoing calls;
· Disk Usage: a coloured horizontal bar will show you, in graphical form, the relative disk space
your call recordings are currently taking up.
Hit the Call Recording options... link to configure the service. The Automatic Call Recording
popup appears. As usual, you can globally enable and disable the service by hitting the Start
Service / Stop Service options at the upper-right corner.
The types of calls being recorded and your current disk occupation are shown just below the service
status bar. Hit the Change... button to configure this:
· Record incoming calls (includes internal calls): select this option to record incoming and
internal calls;
· Record outgoing calls: select this option to record outgoing calls;
NOTE: Select both of the above options to record all types of calls; unselecting them
both is the same as not recording any calls;
· Maximum disk space for recordings: type in the maximum amount of storage space you
allow for recordings; above this value edgeBOX will not record calls any more;
All call recordings are made available through the logmaster FTP account. Through that account you
can download and delete any call recordings.
If the recordings take up more than the configured maximum space you need to remove the current
recordings from edgeBOX. After removal, recording resumes automatically.
The table shown displays the phones, groups or queues currently configured for recording. Click
Phones to filter the table so that it shows you only Phones; the same applies for Phone Groups and
Queues. Click All to display all entries.
You need to specify which phones, groups and queues you wish to record. To do this, click the Add
button. From the drop-down list select Phone, Phone Group or Queue; from the list shown select the
entries you want and click the Add button.
Please note that the permissions defined in Phones Group Access Control will be applicable, so
if you have a group of phones with call recording disabled, those calls won't be recorded.
In order to remove an entry, or several entries, from the list, just select them and click the Remove
button. The same goes for the process of adding new entries to the list.
· accountcode: what account number to use (only used when Authentication is enabled);
· src: Caller*ID number;
· dst: destination extension;
· xt: destination context;
· clid: Caller*ID with text;
· channel: channel used;
· dstchannel: destination channel, if appropriate;
· lastapp: last application, if appropriate;
· lastdata: last application data (arguments);
· start: start of call (date/time);
· answer: answer of call (date/time);
· end: end of call (date/time);
· duration: total time in system, in seconds (integer);
· billsec: total time the call is up, in seconds (integer);
· disposition: what happened to the call: ANSWERED, NO ANSWER, BUSY;
· amaflags: flags used: DOCUMENTATION, BILL, IGNORE;
· uniqueid: the unique ID for this call.
· Voicemail: 9999
· Conferences: 9000
· National Prefix: 0
· International Prefix: 00
· Emergency Number: 112 (for EU countries); given the importance of the Emergency number,
please make sure to review and configure its Outgoing Call Rules.
Related Topics:
· Voicemail
· Parking
· Conferences
9 Users
In the Users section you can manage Network Users, Authentication and access
Privileges - managing network users is an essential part of edgeBOX. This section lets
you:
· Manage User authentication locally or remotely with Active Directory, LDAP and
RADIUS
· Configure Groups
Related Topics:
· Connected Users
· Groups
· Local Administrator
· Phones
· RADIUS
9.1 Authentication
Authentication is the process by which your network users identify themselves before edgeBOX
when using the network. This process is fundamental for all subsequent access authorizations or
denials in several possible situations, such as access to the Internet, ability to make some or all kinds
of phone calls, and many more.
Even if you choose not to use Authentication, edgeBOX will still manage granting and revoking of
access by means of a default access profile, the All Users Privilege. More on this...
Managing Authentication comprises several related aspects. You might wish to:
Related Topics:
· Connected Users
· Local Administrator
· Phones
· Firewall
· RADIUS
· Groups
It renders your network more secure: access to the network and network services will be granted
only if the user successfully logs in; furthermore, this additionally allows you to have specific users
accessing specific services and other users being blocked and granted access to different sets of
services. This permits an optimal usage of resources such as bandwidth and processing power.
edgeBOX is shipped with two pre-configured users. Their usernames are "user" and "user2". The
password is "password" for any of them. You can use them to review their configurations and to do
quick experiments.
To add or manage existing users go to the Network Users menu in the Users section of the
administration web interface. A short overview is provided with a summary of user details including
phone extension and online status. Click the New/Edit button. A three tabbed dialog appears:
General
· User Name: First and Last name (up to 127 ASCII characters are allowed);
· Network Login Information: username and password; what are the rules for choosing a
username... ? and the password... ?
· Network Access Privilege: determines the network privileges policy for a group of users,
like the services they can use or the type of internet access they get; you should choose
among the Privileges in the drop-down list (as configured in the Privileges menu); learn
more about Privileges...
· Max. Sessions: users can be logged in from 2 computers by default; that means that each
user may have 2 computers logged into the network with his credentials; if he tries to log in
from a third host he will not be able to; if you need, you can raise or lower this value;
Phone (VoIP)
· Allow the user to make phone calls (VoIP): use the Select Phone... button to search the
list of existing phones and assign one to this user; for convenience you can also use the Add
Phone... button to immediately add a new phone; in this case the process is the same as in
the IP-PBX section - see details...
· VoIP Call Permissions: please select the type of calls this user can make; options are Free,
Local, National, Mobile, International and All Types of Calls; each of these types includes
its predecessors: National calls include Local calls, Mobile calls include both National and Local
calls, and so on;
· User PIN Number: the pin to be entered if the IP-PBX authentication is turned on, to check
which type of calls the user has permission to make;
Disk Usage
· maximum allowed; you can change this: click Change Max. Disk Space...
When editing an existing user, leave the password field blank if you do not wish to change his
password. This way the password will not be altered.
If you reach the maximum number of users your licence offers, you won't be able to
add or import any more users. To create or import new users on the edgeBOX you need to
delete existing users first or upgrade your edgeBOX solution. See details about the different
edgeBOX solutions in edgeBOX's website.
Export
By clicking Export you'll trigger a dialog window asking you to select a Folder in your computer's
hard-drive; the process will create a new CSV file in this folder; the file name is automatically
chosen; see an example...
If you export your users at 11:43 on 21 June, 2009, the file generated will be named
Export_21-06-09_11.43.csv
Import
An appropriate wizard-like dialog will popup with a detailed explanation of the process:
· Step 1: read the specifications and Browse... a CSV file from your computer's hard drive;
hit Next...
· Step 2: a list is presented with all the available and correct users found in the file; select from
the left the ones you wish to add and click the Add button to add them to the list on the right;
click Next...
· Step 3: a final list with details about the users being imported is presented. Press Finish. This
process may take a few minutes; please wait;
· Step 4: one last step will Export back to your computer a list of the Imports done.
The Import function allows the import of users with the possible following settings:
· Username
· Extension Number
· Extension Name
· Privilege
Some of these fields are mandatory: Firstname + Lastname and Username. The VoIP fields
(extensionnumber and extensionname) are only considered if they are valid and if both are present
(if only the extension number is provided, the extension name will be equal to the username, if possible).
The other fields will only be taken into account if present and valid.
If you try to import users with duplicate usernames, you will be asked if you want to:
· keep both and change the new username to "username1" (or "username2", etc., depending
on the existing users)
If you try to import entries with duplicate PIN numbers, duplicate extension names or duplicate
extension numbers, those entries will be ignored. If you import entries where you have defined valid
extensions (name and number), those extensions will be added to the system and the extension's
password will be equal to the user's password.
firstname lastname;username;;;;;
firstname lastname;username;password;;;;
firstname lastname;username;password;phoneextension;phonename;;
firstname lastname;username;;phoneextension;phonename;pin;
firstname lastname;username;;;;;privilege
firstname lastname;username;password;;;;accessprofile
firstname lastname;username;;phoneextension;phonename;;privilege
firstname lastname;username;;phoneextension;phonename;pin;privilege
firstname lastname;username;password;phoneextension;phonename;;
firstname lastname;username;password;phoneextension;phonename;pin;privilege
· You can only import users if you are managing the network users on the edgeBOX, that
is, if you are not using Remote Authentication, as a LDAP server, for instance.
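The import rules above (mandatory fields, the VoIP pair, duplicate usernames renamed to "username1", "username2", ..., and entries with duplicate PINs or extensions ignored) applied to a constructed CSV file. This is an added example for checking a file before uploading it, not edgeBOX's own import code; it assumes that "valid" for extension numbers and PINs means digits only, and it models the "keep both" answer to the duplicate-username question.

```python
import csv
from dataclasses import dataclass, field
from io import StringIO
from typing import List, Optional

# Column order documented for the edgeBOX user import file (';'-separated):
# firstname lastname;username;password;phoneextension;phonename;pin;privilege
NUM_FIELDS = 7


@dataclass
class ImportedUser:
    firstname: str
    lastname: str
    username: str
    password: Optional[str] = None
    phoneextension: Optional[str] = None
    phonename: Optional[str] = None
    pin: Optional[str] = None
    privilege: Optional[str] = None


@dataclass
class ImportResult:
    users: List[ImportedUser] = field(default_factory=list)
    skipped: List[str] = field(default_factory=list)   # "line N: reason"


def _unique_username(name: str, taken: set) -> str:
    """Model the 'keep both' answer to a duplicate username: username1, username2, ..."""
    candidate, n = name, 0
    while candidate in taken:
        n += 1
        candidate = f"{name}{n}"
    return candidate


def parse_import_csv(text: str, existing_usernames=(), existing_extensions=(),
                     existing_phonenames=(), existing_pins=()) -> ImportResult:
    """Apply the documented import rules to the CSV text and return the users
    that would be created plus the lines that would be ignored."""
    result = ImportResult()
    taken_users = set(existing_usernames)
    taken_ext = set(existing_extensions)
    taken_names = set(existing_phonenames)
    taken_pins = set(existing_pins)

    for lineno, row in enumerate(csv.reader(StringIO(text), delimiter=";"), start=1):
        cells = [c.strip() for c in row]
        if not any(cells):
            continue                                    # blank line
        cells = (cells + [""] * NUM_FIELDS)[:NUM_FIELDS]
        fullname, username, password, ext, phonename, pin, privilege = cells

        # Mandatory fields: first name + last name, and username.
        names = fullname.split(maxsplit=1)
        if len(names) < 2 or not username:
            result.skipped.append(f"line {lineno}: first name, last name and username are mandatory")
            continue

        # VoIP fields count only when both are present and valid; a lone extension
        # number borrows the username as extension name when that name is free.
        # Assumption: 'valid' means digits-only for the extension number and the PIN.
        if ext and not ext.isdigit():
            ext = ""
        if ext and not phonename and username not in taken_names:
            phonename = username
        if not (ext and phonename):
            ext = phonename = ""
        if pin and not pin.isdigit():
            pin = ""

        # Duplicate PIN, extension name or extension number: the whole entry is ignored.
        clash = ((ext and ext in taken_ext)
                 or (phonename and phonename in taken_names)
                 or (pin and pin in taken_pins))
        if clash:
            result.skipped.append(f"line {lineno}: duplicate PIN, extension name or number")
            continue

        # Duplicate username: keep both, renaming the new one.
        username = _unique_username(username, taken_users)

        result.users.append(ImportedUser(names[0], names[1], username, password or None,
                                         ext or None, phonename or None, pin or None,
                                         privilege or None))
        taken_users.add(username)
        if ext:
            taken_ext.add(ext)
            taken_names.add(phonename)
        if pin:
            taken_pins.add(pin)
    return result


# Constructed sample file (not from the manual), exercising each documented rule:
# line 2 has only an extension number, line 3 repeats a username, line 4 repeats a
# PIN, line 5 lacks a last name, line 6 has a phone name without a number.
SAMPLE_CSV = """\
Ana Silva;asilva;secret;201;Ana Phone;1234;vips
Bruno Costa;bcosta;;202;;;
Carla Dias;asilva;;;;;
Dan Evans;devans;;203;Dan Phone;1234;
Eva;eva;;;;;
Filipe Gomes;fgomes;pw;;Orphan Name;;
"""

if __name__ == "__main__":
    outcome = parse_import_csv(SAMPLE_CSV)
    for u in outcome.users:
        print(u)
    for reason in outcome.skipped:
        print("skipped:", reason)
```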
Click the Change... link below the Disk Space. Type-in the value you need.
edgeBOX will grab these credentials and authenticate users using, as configured, one of the following
methods:
· locally: this is the default authentication method; all Users and Privileges are stored
internally in edgeBOX's internal database;
· remotely using:
To activate authentication go to the Network Users menu in the Users section. Choose the
Authentication Method you want from the Change... button, at the upper-right. If you choose to
authenticate users locally, that's all the configuring you'll need. For the remote authentication
methods please refer to Using Remote Authentication. Press Save and hit the Start Service option.
Authentication requires Firewall: when starting the Authentication Service you'll also need
to activate the Firewall service. If it is not already active, an appropriate dialog message will inform
you that the Firewall will be activated. If the Firewall was already active, this might be a good time
to review your Firewall settings as they may potentially interact with users Privileges. If the
Firewall wasn't previously active, then you need not to worry because the Firewall settings will
fallback to an "allow" approach. But, then again, this might be a good reason to configure it.
When you start the Authentication service the message below will be displayed, regarding the usage
of system access Privileges. Please read it carefully:
You are about to Start the Network Users Authentication Service. If you
4. Changes that you may have done to the "All Users" Privilege will be
kept and will be loaded the next time you switch OFF the Network Users
Authentication.
5. You may reset the "Not Authenticated Users" privilege by opening the
Privileges panel and selecting "Reset Not Authenticated Users privilege
to factory configurations".
When you stop the authentication service the message below will be displayed, regarding the usage
of system access Privileges. Please read it carefully:
You are about to Stop the Network Users Authentication Service. If you
proceed you have to take the following into account:
4. Changes that you may have done to the "Not Authenticated Users"
Privilege will be kept and will be loaded the next time you switch ON
the Network Users Authentication.
5. You may reset the "All Users" privilege by opening the Privileges
panel and selecting "Reset All Users privilege to factory
configurations"
To activate remote authentication go to the Network Users menu, Users section. Choose the
Authentication Method you want from the Change... button, at the upper-right. The currently
supported methods are:
In each there's a convenience Test Connection button that allows you to verify basic connectivity to
the specified server. When you're done press Save and hit the Start Service option. Please refer
to Activating Authentication for common details about the Authentication service.
Activating remote authentication will purge all your locally configured users. An
appropriate warning, in red, is displayed about this.
Related Topics:
Details about edgeBOX's authentication architecture
RADIUS Server
· Port: the TCP port to be used on the RADIUS server (defaults to 1812);
· Timeout: maximum time waiting for the RADIUS server (defaults to 5 seconds);
Privileges Verification
Choose if you wish that the access Privileges to the network services (E-mail, Internet, Secure
connections, etc.) are always verified in the remote RADIUS server and not locally. How to configure
a RADIUS Server to perform users authentication and authorization?
· Authenticate users on the remote server but verify the privileges in system
This might be useful if your company is already using a RADIUS server for authorizing users on
several other services, besides edgeBOX's; in this situation it makes sense to have all
Authentication and Authorization delegated by edgeBOX to those servers.
As users log in for the first time, and their authentication is verified in the Remote RADIUS
Server, their information is saved in the edgeBOX users list. Still, each time the user tries to log in,
the authentication will be done in the remote server.
Using an LDAP Server to authenticate the network users: there's an option to toggle
between Basic Mode and Advanced Mode. Type-in:
LDAP Server
Basic Mode
Advanced Mode
· Port: the TCP port to be used on the LDAP server (defaults to 389);
· Timeout: maximum time waiting for the LDAP server (defaults to 5 seconds);
Privileges Verification
Choose if you wish that the access Privileges to the network services (E-mail, Internet, Secure
connections, etc.) are always verified in the remote LDAP server and not locally in the edgeBOX.
· Authenticate users on the remote server but verify the privileges in system
This might be useful if your company is already using an LDAP server for authorizing users on several
other services, besides edgeBOX's; in this situation it makes sense to have all Authentication
and Authorization delegated by edgeBOX to those servers.
As users log in for the first time, and their authentication is verified in the LDAP Server, their
information is saved in the edgeBOX users list. Still, each time the user tries to log in, the
authentication will be done in the remote server.
When you are using remote LDAP, the network users first have to log in once using the LAN
user authentication before they can log in to the domain for the first time.
Using a remote Active Directory Server to authenticate the network users: there's an
option to toggle between Basic Mode and Advanced Mode. Type-in:
LDAP Server
Basic Mode
Advanced Mode
· Base DN: see example below box; specify the active directory domain configured in the
Base Name field;
· Base DN 1, Base DN 2: You can set up two additional Base DN. Authentication System
will try to search and authenticate users in these locations also. To enable the text fields
please select the check boxes on the right of each field; to Learn More...
In more elaborate scenarios the Active Directory server might have users spread over
several Organizational Units (OUs); if that is the case, edgeBOX can be configured to search
users in all those OUs. An example follows, for a situation where users should be searched
in three OUs (ouone, outwo and outhree), and the administrator user belongs to OU ouone:
Base DN 1: OU=outwo,cn=local,cn=loc
Base DN 2: OU=outhree,cn=local,cn=loc
· Copy the users information from the AD Server to the system's user list: check this
if you'd like edgeBOX to copy information from the AD server into the internal users list.
As users log in for the first time, and their authentication is verified in the Remote AD Server,
their information is saved in the edgeBOX users list. Still, each time the user tries to log in, the
authentication will be done in the remote server. If the Active Directory server is not reachable,
and only in this case, the authentication system will try to authenticate users locally.
When you are using remote AD authentication, the network users first have to log in once
using the LAN user authentication before they can log in to the domain for the first time.
In the Users section - Options menu you can customize several aspects of the appearance of the
login page the local users of the network will use to authenticate:
Network users will only see this page if they are required to login. That is if the Authentication
service is running. See Activating Authentication for details.
To show a welcome message and the company name in the login form
You can upload the files for your custom login page to edgeBOX to have a login page with a
completely different appearance. To do so:
1. After creating your HTML file, your CSS file(s) and your images, create a Zip file (.zip)
with all these files. Show the requirements of the files.
· The zip file can contain image files, one or more CSS files and one html file only.
· The zip file can not contain any folders or sub folders. All files must be all at the
same level, that is, directly inside the zip file.
· You must include the code <!--AUTHENTICATION--!> in the place where you
want the login form to be placed in the HTML file. This code will then be replaced by
the necessary code for the login form.
2. Select the Upload a customized authentication page with your own style option;
3. Click the Browse button and select the Zip file from your computer in the dialog window.
4. Click the Save button to upload the zip file to the edgeBOX
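A pre-upload check for the zip package requirements listed in step 1 (only one HTML file plus CSS files and images, no folders, and the literal <!--AUTHENTICATION--!> placeholder present in the HTML). This is an added example, not edgeBOX's own validation; the accepted image extensions and the in-memory sample packages are assumptions constructed for the demonstration.

```python
import io
import os
import zipfile
from typing import Dict, List

LOGIN_FORM_MARKER = "<!--AUTHENTICATION--!>"          # placeholder named in the manual
HTML_EXTENSIONS = {".html", ".htm"}
IMAGE_EXTENSIONS = {".png", ".gif", ".jpg", ".jpeg"}  # assumption: usual web image types


def validate_login_package(zip_bytes: bytes) -> List[str]:
    """Return the problems found; an empty list means the package meets the requirements."""
    problems: List[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return ["not a valid zip file"]

    html_files: List[str] = []
    with zf:
        for info in zf.infolist():
            name = info.filename
            # Requirement: no folders or sub folders; every file directly inside the zip.
            if info.is_dir() or "/" in name or "\\" in name:
                problems.append(f"{name}: folders are not allowed; all files must be at the top level")
                continue
            ext = os.path.splitext(name)[1].lower()
            if ext in HTML_EXTENSIONS:
                html_files.append(name)
            elif ext == ".css" or ext in IMAGE_EXTENSIONS:
                continue                               # allowed content
            else:
                problems.append(f"{name}: only one HTML file, CSS files and images are allowed")

        # Requirement: exactly one HTML file.
        if len(html_files) != 1:
            problems.append(f"expected exactly one HTML file, found {len(html_files)}")
        else:
            html = zf.read(html_files[0]).decode("utf-8", errors="replace")
            # Requirement: the placeholder marks where edgeBOX inserts the login form.
            if LOGIN_FORM_MARKER not in html:
                problems.append(f"{html_files[0]}: must contain {LOGIN_FORM_MARKER}")
    return problems


def build_package(files: Dict[str, bytes]) -> bytes:
    """Constructed helper: zip the given {name: content} mapping in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample packages (not from the manual).
GOOD_PACKAGE = build_package({
    "login.html": (b"<html><body><h1>Welcome to Example Corp</h1>"
                   + LOGIN_FORM_MARKER.encode() + b"</body></html>"),
    "style.css": b"body { font-family: sans-serif; }",
    "logo.png": b"\x89PNG\r\n\x1a\n",                  # placeholder bytes, not a real image
})
BAD_PACKAGE = build_package({
    "login.html": b"<html><body>no placeholder here</body></html>",
    "extra.html": b"<html></html>",                    # second HTML file
    "img/logo.png": b"\x89PNG",                        # inside a folder
    "script.js": b"// file type not allowed",
})

if __name__ == "__main__":
    print("good:", validate_login_package(GOOD_PACKAGE))
    print("bad:", validate_login_package(BAD_PACKAGE))
```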
Related Topics:
Manage the firewall properties
9.2 Privileges
The Privileges menu, in the Users section provides the means for bulk management of your
network users and to control their access to the services and areas your network offers, by
configuring access Privileges (policies) to which users will be assigned.
An overview table is shown. On the left, a list showing all current Privileges. Click one of them to get
a summary of its configuration on the right panel.
Click the New... button. A dialog window will popup with four sections General, Services,
Advanced and Devices:
General
· Name: the name by which this Privilege will be identified; choose simple but meaningful
names like 'no-restr', 'servers35' or 'vips'; what are the rules for the Privilege name?
The name must start with a letter (lower or upper case); after that you can enter any sequence of
letters and digits; a single '-' can also be used, except in the first and last positions;
"[a-zA-Z][a-zA-Z0-9]*[-]?[a-zA-Z0-9]*[a-zA-Z0-9]"; examples: a-b, a123, Boss-10;
· Internet: here you determine how and when your users can reach the Internet (same as
saying "the world beyond edgeBOX", the World Wide Web); the basic options are to Allow
access to the Internet, Allow access to the Internet between ..h..m and ..h..m and
Do not allow access to the Internet; hit the Advanced Properties... to access further
tuning details;
Services
This panel is of utmost importance as it directly affects the way your users experience network
access, or limitations, while trying to use your network services. This is where you determine, on a
per-Privilege basis, the edgeBOX services accessible by the users:
· Allow access to edgeBOX services listed: users in this Privilege will have access to the
services in the list;
· Allow access to edgeBOX services listed between ..h..m and ..h..m: same as the
previous one but service is granted only within the given time of day period (please take into
account that a delay of up to 5 minutes may occur; that is because these rules are re-applied,
at most, every 5 minutes);
· Do not allow access to edgeBOX services: access is denied regardless of the composition
of the list.
The list below the three options shows the services available for the users with this Privilege. These
services will be available for those users if you choose the 1st or 2nd option. See edgeBOX services
for a short description of all services available here. Use the Add and Remove buttons to edit the list
(this list will not contain the DNS nor the Webadmin services as they are always accessible for hosts in
the internal network).
Services not included in this list will not be accessible by users in this Privilege. Give me an
example
If you don't add the Samba service to the list of accessible services, no users in this Privilege will be
able to access any File Sharing related resources, Temporary Shared Folders or Windows Shared
printers (Samba is a short term for any windows file sharing, workgroup or domain services).
Please note: these are services running on edgeBOX, not services provided somewhere
else but accessible through the edgeBOX.
Advanced
· Remote Users: if these users will be allowed to connect to the PPTP VPN; additionally you
should specify if they will have access to the LAN;
· VLAN Routing: a list of rules specifying inter-LAN-VLANs routing permissions for these
users; what type of traffic these users will be allowed to exchange with the other VLANs in
edgeBOX; see more details...
Devices
IP Addresses to which this Privilege will also be applied. Use the left side buttons to manage
the list. Besides containing users, a profile may also contain IP addresses. If an IP is added, that
machine is allowed the access rights of the profile. This allows the machine to automatically
authenticate with the edgeBOX, without the usual login screen.
You can indicate a specific IP address of a machine or you can indicate a range of IP addresses.
Indicating a range is most useful when you, for example, want all devices of a VLAN to be
automatically authenticated.
You can block overall access to certain IP Addresses and/or Protocol services/ports by using the
Advanced Firewall Rules; see details...
edgeBOX contains a web filter that allows you specify Website Restrictions based on words
present in the website's URL or domain; see details...
Additionally, you can block overall access to certain IP addresses by using a block-all type rule in
the Advanced Firewall Rules; see details...
Related Topics:
· Local Administrator
· Firewall
The approach is based on QoS aspects - assigning traffic classes to users - and network services
allowance/denial - somewhat similar to a Firewall configuration. Three tabs are presented:
Quality of Service
· Class of Service for Upload Traffic: here you can choose to apply the usual Gold, Silver,
Bronze and Best-Effort traffic classes or your own Pipes, if you have configured any; to
learn more...
· Class of Service for Download Traffic: the choice here is Best-Effort or Premium; to learn
more...
Outbound Rules
Rules to control access to the Internet. By default all outbound traffic is allowed. This means that
traffic from the internal network to the Internet is granted access. You can allow or deny
outgoing traffic based on its destination, port and/or protocol.
Click the Add button to add new rule or Edit to change an existing one. For each rule:
· Policy: choose Allow Access or Deny Access (typically you'll want to add Deny rules here);
· Protocol: All, TCP (you can choose All ports, individual ports or even port ranges like 21, 22,
80, 500-600), UDP (same as TCP) and ICMP;
The list will display all your rules in an easy to read manner. The sequence by which rules appear in
the list can be relevant and you can use the Up and Down buttons to change it.
Inbound Rules
By default all incoming Internet traffic is dropped: all connection attempts coming from the Internet
are denied. Here you can allow incoming traffic based on its origin, port and/or protocol.
Click the Add button to add new rule or Edit to change an existing one. For each rule:
· Policy: choose Allow Access or Deny Access (typically you'll want to add Allow rules here);
· Protocol: All, TCP (you can choose All ports, individual ports or even port ranges like 21, 22,
80, 500-600), UDP (same as TCP) and ICMP;
· From location: Any (connections from anywhere), Device (connections from a specific IP
Address), Network (connections from a specific IP segment, as specified by an IP Address
and a Netmask); a short Description string should also be added.
As for the outbound rules, the sequence by which they appear in the list can be relevant and you
can use the Up and Down buttons to change it.
Please note that controlling access for Inbound traffic may be particularly useful in some very specific
scenarios such as situations where edgeBOX might act as a router for inbound traffic directed at
specific IP addresses that might belong to each Privilege.
Related Topics:
· Firewall
· QoS
By default, users in a given VLAN cannot communicate with users of other VLANs. This also includes
the LAN. The LAN is also known as the default VLAN. It's good practice to keep your VLANs isolated from
each other: that's one of the advantages of using VLANs. Nevertheless, if you have specific needs you
can overcome this default behaviour by indicating exceptions: locations (services/ports) on other
VLANs the users will be able to access even though not belonging to that specific VLAN.
Click the Add button to add new rule or Edit to change an existing one. For each rule:
· To Ports: if TCP or UDP are selected you can choose All ports, individual ports or even
port ranges (like 21, 22, 80, 500-600);
The sequence by which they appear in the list can be relevant; you can use the Up and Down
buttons to change it.
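The Outbound, Inbound and inter-VLAN rule lists above all share the same mechanics: a port list written as "21, 22, 80, 500-600", a location (Any, Device or Network) and a list that is walked top to bottom, which is why the Up and Down buttons matter. The following is an added example, not edgeBOX code: a small first-match evaluator that shows how a broad Deny placed above a narrow Allow shadows it. The rule defaults, the sample rule sets and the addresses are constructed for illustration.

```python
"""First-match evaluation of edgeBOX-style access rules.

Added example, not edgeBOX code. The rule fields (Policy, Protocol,
port list such as "21, 22, 80, 500-600", From/To location) mirror the
dialogs described in the manual; the evaluation order, rule defaults and
the sample rules are assumptions made for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set


def parse_ports(spec: str) -> Optional[Set[int]]:
    """Turn "21, 22, 80, 500-600" into a set of port numbers.

    "All" yields None, meaning any port. Malformed entries raise ValueError
    rather than silently matching nothing (or everything).
    """
    if spec.strip().lower() == "all":
        return None
    ports: Set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition("-")
        lo_n = int(lo)
        hi_n = int(hi) if hi else lo_n
        if not 1 <= lo_n <= hi_n <= 65535:
            raise ValueError(f"bad port entry: {item!r}")
        ports.update(range(lo_n, hi_n + 1))
    return ports


@dataclass
class Rule:
    policy: str                       # "allow" or "deny"
    protocol: str = "all"             # "all", "tcp", "udp" or "icmp"
    ports: Optional[Set[int]] = None  # None = All ports (ignored for icmp)
    location: str = "any"             # "any", a host IP (Device) or a CIDR (Network)
    description: str = ""

    def matches(self, proto: str, port: Optional[int], addr: str) -> bool:
        """addr is the source for inbound rules and the destination for outbound ones."""
        if self.protocol != "all" and self.protocol != proto:
            return False
        if self.ports is not None and proto in ("tcp", "udp"):
            if port is None or port not in self.ports:
                return False
        if self.location != "any":
            if ip_address(addr) not in ip_network(self.location, strict=False):
                return False
        return True


def evaluate(rules: List[Rule], proto: str, port: Optional[int],
             addr: str, default: str) -> str:
    """Walk the list top to bottom; the first matching rule decides.

    `default` is the policy when nothing matches: Deny for inbound,
    Allow for outbound, Deny for traffic between VLANs.
    """
    for rule in rules:
        if rule.matches(proto, port, addr):
            return rule.policy
    return default


# Constructed inbound rule set: the admin network may reach SSH, nobody else.
INBOUND_RULES = [
    Rule("allow", "tcp", parse_ports("22"), "203.0.113.0/24", "SSH from admin net"),
]

# Constructed outbound rule set: block direct SMTP and a port range from the LAN.
OUTBOUND_RULES = [
    Rule("deny", "tcp", parse_ports("25, 500-600"), "any", "no direct SMTP / range"),
]


def shadowing_demo() -> tuple:
    """The same two rules in both orders: the verdict flips with the order."""
    broad_deny = Rule("deny", "tcp", parse_ports("22"), "any")
    narrow_allow = Rule("allow", "tcp", parse_ports("22"), "203.0.113.0/24")
    deny_first = evaluate([broad_deny, narrow_allow], "tcp", 22, "203.0.113.7", "deny")
    allow_first = evaluate([narrow_allow, broad_deny], "tcp", 22, "203.0.113.7", "deny")
    return deny_first, allow_first


if __name__ == "__main__":
    print(evaluate(INBOUND_RULES, "tcp", 22, "203.0.113.7", "deny"))    # allow
    print(evaluate(INBOUND_RULES, "tcp", 22, "198.51.100.9", "deny"))   # deny
    print(evaluate(OUTBOUND_RULES, "tcp", 443, "192.0.2.10", "allow"))  # allow
    print(shadowing_demo())                                             # ('deny', 'allow')
```

When reviewing a rule list, read it the way `evaluate` does: from the top, stopping at the first hit. A rule that never matches because an earlier one always wins is a sign the order needs to be changed with the Up and Down buttons.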
9.3 Groups
You can use groups if you have edgeBOX third-party applications; edgepacks. What are edgepacks?
edgePACKs are optional modules for edgeBOX that add functionalities for particular markets or add a
new set of features. Some examples are: edgeLMS and edgeDESKTOP. Learn more details about
edgepacks at edgeBOX's website.
Groups have no direct use in the edgeBOX or the network. If you want to create groups of
users that have common privileges and types of accesses in your network, you should use
Privileges instead.
If you need to manage groups go to the Groups link in the Related Topics corner, in the Users
section, Network Users menu. A short descriptive table is shown with the currently configured
groups, their description and number of users in each. Click the New... button. A dialog window will
popup:
· Users: the list of users that belong to the Group; use the Add Users... and Remove buttons
to manage the contents of the list; users can be part of one group, several groups or no group
at all.
The local administrator is one of the users of your local network that you give the permission to
manage parts of your network and configure some of your services; someone that can access some
sections of the edgeBOX web interface. How can local admin user access the edgeBOX web
interface?
To make a user of your network local administrator hit Select... and choose from the list.
Now you need to indicate the areas and functionalities of the edgeBOX the local administrator
will have access to:
If you restore an old backup, the local administrator will not change.
edgeBOX has a backup and restore option that allows you to make backups of all the configurations
and data. However, for security reasons local administrator settings are not saved in
edgeBOX backups. View example
For example, if your local administrator was 'john_simmons' and you made a backup of the
edgeBOX at that time, and some time later you changed the local administrator to 'david_parker',
and now you restore that old backup you made, your local administrator will still be
'david_parker'.
It will show you a table with the list of users currently authenticated. The details are:
· IP Address: the IP Address of the host/computer from which the user made his login;
Related Topics:
· How do I add more users ?
· Password: the password edgeBOX will use to access the device and encrypt RADIUS packets;
· Type of device: select the most appropriate from the drop-down list;
· VLAN Assignment: check this if you want edgeBOX to assign a VLAN when performing
This page allows you to view, delete and add remote RADIUS clients for user authentication. These
are normally called NAS (Network Access Server). The edgeBOX supports different types of 802.1x
port based authenticators. Some of the devices supported include 802.1x switches with dynamic
VLAN assignment like the Procurve 2650 or the Procurve 420 Access Point for Wireless
communications with multiple SSID and dynamic VLAN assignment.
If you select the Generic 802.1x Access Point or Generic 802.1x Switch from the drop down list, the
IP address is the IP of the AP/Switch and the password the RADIUS client password configured in the
remote AP/Switch.
Name is any text you wish to enter to identify this unit.
If "Enable Dynamic VLAN assignment" is checked, the edgeBOX internal RADIUS server sends the
correct VLAN id to the Switch or Access Point according to the User Access Profile. This feature
allows the remote port based authentication device to put the user in the correct VLAN,
independently of the port / SSID the user is currently connected to. You must use a compatible port
based authentication device.
If you select the "HP ProCurve 2650" drop down, the IP address is the IP of the Switch and the
password the login password of the switch.
Name is any text you wish to enter.
If "VLAN assignment" is checked, and after a successful 802.1x user authentication, the edgeBOX
internal RADIUS server sends the correct VLAN id to this switch according to the User Access Profile.
This option allows the Procurve switch to put the user in the correct VLAN, independently of the port
the user is currently connected to.
10 System
The System menu allows you to configure a variety of system-related aspects of the edgeBOX:
· Adjust the Date, the current Time, your Timezone or use an Internet time server
· Shutdown or Reboot
· Backup edgeBOX settings and user files to a secure medium, perform Restore
operations and scheduled Backups
· Receive e-mails and SNMP Traps when relevant status changes occur
· Review or download system logs and configure logging to a remote log server
· View the current status of your hardware devices, like fans, temperature and hard-disk
usage statistics
Adjusting date and time is not possible if you have configured an Internet Time server. In that case
your Date and Time are adjusted automatically. Otherwise just hit the Adjust... button, enter the
desired Date and Time into the popup dialog and press Save.
Time Zone
Internet Time
Synchronize the date and time with a Time Server on the Internet
You can use a time server on the Internet to keep date and time always accurate.
1. Click Change...;
2. Select the Synchronize edgeBOX date and time with a time server on the Internet option
at the top;
3. Select the NTP server you want to synchronize with from the list.
edgeBOX will try to synchronize with the selected server every day. The status/time of the latest
synchronization is shown.
If edgeBOX's date and time is off by more than 1000 seconds (about 17 minutes), edgeBOX
will not synchronize; it will create an entry in the Log Viewer and send a notification by e-mail.
How to synchronize all the network devices with edgeBOX's date and time
Besides synchronizing its date and time with an Internet Time Server, edgeBOX can also work
as a Time Server so you can synchronize all your network devices as phones, computers and
servers with edgeBOX. This way you can keep the same, accurate time on every device of
your network.
10.2 Administration
To change edgeBOX administration settings you need to navigate to the Administration menu in
the System section.
Language
edgeBOX's web management interface supports several languages. Click Change language... and
select the desired one from the list provided. A warning message will inform you of the fact. The
browser will reload the management interface with the newly selected language.
edgeBOX sends several types of system related messages - such as warnings or available software
updates, by e-mail. The recipient of these e-mail messages is not specified by default. So, you need
to edit it yourself.
Hit the Change e-mail... button. Choose the Send system messages to: option and fill in your e-
mail address (this is the e-mail address to which edgeBOX will send system e-mail messages). If you
do not wish to receive e-mail messages just choose the Do not send system messages option.
Administrator Password
When the edgeBOX is installed, the admin password is by default the word root. If you find that
this password is not working correctly, then you should contact your reseller.
To change the password click Change Administrator's password... and type the desired new
password in both the New Password and the Confirm text fields. How do I choose a good
password ?
Shutdown or Restart
You can, at any time, shutdown or restart edgeBOX; just choose the option you need and press Ok.
· receive automatic e-mail messages with information about new software updates,
Status
The menu displays a short summary information stating whether you should check for available
updates or if there are already updates available (this second information is automatic if you
configure automatic checking for updates). Clicking on the buttons you can perform the following
operations:
· Check Now: will immediately check for new updates, without installing them;
· View Update Log: reports all the updates that have been applied to edgeBOX; the list can be
cleared by clicking on the Clear Entries button;
Automatic Updates
You can manually check for and install available updates. But you can also make edgeBOX check for
updates and notify you of the updates so you can install them yourself. You can also ask edgeBOX to
check for updates and install them automatically.
· Disable Automatic Updates: edgeBOX will not try to check for updates;
· Check for updates automatically but let me install manually: edgeBOX will check for
software updates - if updated software packages exist they will be automatically downloaded
but not automatically installed - edgeBOX will let you install them manually;
· Check and install updates automatically: this will make edgeBOX connect to the update
server, download new software packages and, depending on your choice, you will receive
notifications, similar to the ones in the previous option. The following options are available:
· Notify me when Services restart is needed: you should choose this option
if your network users can not tolerate any restarting of services or
restarting edgeBOX itself; in this situation, if services restart is needed or
if a full restart is needed nothing will be installed; you will receive a
notification; you should go to the administration web interface, navigate to
the Software Updates menu - System section - and execute the
installation manually (and any needed restarting, as part of the process); if
no restarting whatsoever is needed, all downloaded packages will be
installed;
· Notify me when System reboot is needed: choose this option if you don't mind
that some services may need to be restarted but you don't want edgeBOX
to perform a full restart automatically; if this is the case, then nothing
will be installed and you will receive a notification accordingly; you need to
use the administration web interface to execute the installation manually (and
the needed reboot as part of the process); otherwise software updates will
be installed and the needed restarting of services will be carried out.
Common Settings
· Check every: you can choose to trigger the software updates check task every 6, 12 or 24
hours;
· Starting at: the base hour/minute at which the check will be started; see example...
If you want to check every 6 hours, starting at 13h15m, edgeBOX will check four times a day at
1h15m, 7h15m, 13h15m and 19h15m;
· Also notify me by e-mail: notifications configured in the previous options will also be sent by
e-mail to the administration e-mail address.
If an error occurs while edgeBOX is trying to update, a notification will be displayed in the web
interface indicating the problem and asking you to try to install the update again.
· Backups may only be created/restored to/from a local USB disk, a remote FTP server, or a
Windows File Share;
· Both the Backup operation and the Restore operation cause edgeBOX to stop several system
and application processes (eg VoIP and authentication); additionally the Restore operation
always requires a system reboot in the end;
· Restore is only supported from the same version of the Operating system to the same version
(eg v4.7 to v4.7).
· Restore is supported from the same architecture to the same architecture only;
· Multiple edgeBOXes can use the same directory, as the backup files have a unique prefix
associated with an edgeBOX
It's important to setup a backup policy from the start, to prevent the loss or corruption of data.
Backup
Please note: the imap, pop and e-mail services are stopped when executing a Backup; this means
that while the Backup is running edgeBOX will not be able to receive or send e-mails and users will
not be able to read their e-mail.
Restore
Here you can manually restore backup files from either a Windows Share, an FTP server or a local
USB disk. Press the Change... button to select the device where the files are stored and enter the
appropriate details (the details needed are similar to those described for the backup
operations).
The list on the left will show you all the available Full backups. Click any of them to get a list of the
corresponding Backups points-in-time.
If you select an incremental backup, the system will restore a) this backup, b) all appropriate
incremental backups and c) the appropriate full backup. Give me an example...
If you restore the Wednesday Incremental, the system will also restore the Tuesday and Monday
Incremental and the Sunday Full backup.
Click on View details to be assured of the details. Finally, you should click Restore to perform the
operation. A dialog will popup with a confirmation telling you that, in the end, edgeBOX will be
rebooted.
If the folder specified (for the FTP server, or Windows share or USB disk) does not exist, the
backup will fail. It will not automatically create the folder.
Once all the relevant fields have been entered, press Save to immediately start the backup. The
options are:
Method: FTP allows you to select an FTP server which will store the backup files
· Server: IP address of the FTP server
· Folder: Which folder on the FTP server where the backups will be stored
· Use Authentication: If checked the username and password fields will be active
Method: Windows Share allows you to select a share from a windows server, which will store the
backup files
· Server: IP address of the Windows Server
· Folder: Which folder on the Windows Share will receive the backup files
· Use Authentication: If checked the username and password fields will be active
Method: USB allows you to select a local USB disk (Not NTFS formatted) which will store the backup
files
· Refresh Devices: Will scan the local USB devices and present you with a drop down list to enable
you to select the device which will store the backup files
· Partition: If the device has more than 1 partition, you can select which one you will use to store
the backup files.
· Folder: Which folder on the USB device, where the backups will be stored
Backup Destination
A summary information is displayed stating the current Backup destination details. See examples...
Hit the Change... button, at the top right corner, to change the destination medium of your scheduled
backups. You can choose to perform backup operations onto an FTP server, a Windows share or
an external USB storage. The dialog presented for this purpose is identical to the one in the Immediate
Backup section.
Full Backup
You may create (or disable) a schedule for full backups, except if you have configured Incremental
Backups: the execution of an Incremental backup assumes the execution of a Full backup at some
point in time.
Incremental Backup
Incremental backups backup the files which have been modified since the last Full or Incremental
Backup. The same options are available for Incremental as for Full Backups.
Scheduling
Several scheduling approaches are possible, so that you can fit the backup tasks to better suit your
company's Backup policy. Typically, you would schedule:
The Full and Incremental backups should not be scheduled to occur at the same day and time (it
does not make sense to execute both of them at nearly the same time as the Full backup will render
the incremental backup useless or a waste of time and processing power). If you schedule them at
exactly the same time (hour and minute) the Full backup will take precedence and the Incremental
backup will not occur.
· Day:
· Every Week: any day of week; you can pick up exactly the day(s) you want the backup to
be executed;
· Every Month :once a month; choose a day of the month (please note: if you select a day
such as the 31st and the month has less than 31 days, the backup will not take place);
· Hour and Minute: the exact time of day at which the task should be started.
NOTE: incremental backups are valid only if there is already a full backup. So if you plan on
executing full backups on Sunday and incremental backups on all other days, you should start the
process on Sunday. Incremental backups taken before the first Full backup are invalid and should
not be used.
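The restore example above (Wednesday Incremental pulls in Tuesday, Monday and the Sunday Full) and the NOTE about incrementals taken before the first Full backup describe one rule: a point-in-time restore needs the nearest preceding Full and every Incremental after it. The following is an added example, not edgeBOX code, that resolves that chain from a backup catalogue and refuses an orphaned Incremental; it also checks the "Every Month" edge case for days that a short month does not have. The catalogue and its dates are constructed.

```python
"""Which backup files a point-in-time restore needs.

Added example, not edgeBOX code. The chain rule follows the manual:
restoring an Incremental also restores every earlier Incremental back
to, and including, the nearest preceding Full backup, and an Incremental
taken before any Full backup is not restorable. The catalogue below and
its dates are constructed for the example.
"""
import calendar
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Optional


@dataclass(frozen=True)
class Backup:
    taken: datetime
    kind: str  # "full" or "incremental"


def restore_chain(catalogue: List[Backup], target: Backup) -> List[Backup]:
    """Return, oldest first, the backups needed to restore `target`.

    Raises ValueError when `target` is an Incremental with no Full before it.
    """
    if target not in catalogue:
        raise ValueError("target is not in the catalogue")
    earlier = sorted((b for b in catalogue if b.taken <= target.taken),
                     key=lambda b: b.taken)
    # Nearest Full at or before the target; everything after it is the chain.
    for idx in range(len(earlier) - 1, -1, -1):
        if earlier[idx].kind == "full":
            return earlier[idx:]
    raise ValueError("incremental taken before the first Full backup: not restorable")


def is_restorable(catalogue: List[Backup], target: Backup) -> bool:
    try:
        restore_chain(catalogue, target)
        return True
    except ValueError:
        return False


def monthly_run_date(year: int, month: int, day_of_month: int) -> Optional[date]:
    """Day on which an 'Every Month' job runs, or None when the month is too
    short (a job scheduled for the 31st is skipped in months with fewer days)."""
    if day_of_month > calendar.monthrange(year, month)[1]:
        return None
    return date(year, month, day_of_month)


# Constructed catalogue: Full every Sunday at 02:00, Incremental on other days.
# 2024-03-03 is a Sunday; the 2024-03-02 Incremental predates the first Full.
CATALOGUE = [
    Backup(datetime(2024, 3, 2, 2, 0), "incremental"),   # stray, before any Full
    Backup(datetime(2024, 3, 3, 2, 0), "full"),
    Backup(datetime(2024, 3, 4, 2, 0), "incremental"),
    Backup(datetime(2024, 3, 5, 2, 0), "incremental"),
    Backup(datetime(2024, 3, 6, 2, 0), "incremental"),
    Backup(datetime(2024, 3, 10, 2, 0), "full"),
]


if __name__ == "__main__":
    wednesday = CATALOGUE[4]
    for b in restore_chain(CATALOGUE, wednesday):
        print(b.taken.date(), b.kind)        # Sun full, Mon, Tue, Wed incremental
    print(is_restorable(CATALOGUE, CATALOGUE[0]))   # False
    print(monthly_run_date(2024, 2, 31))            # None
```

The same chain logic explains why a damaged or missing Incremental in the middle of the week makes every later Incremental of that week unusable, and why the manual tells you to start the schedule on the Full-backup day.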
The Slave edgeBOX works as a backup (hence the name Hotbackup), ready to take over the Master's
place if a failure occurs.
The stable operation of the Hotbackup feature assumes a set of pre-requisites which must be
assured by the administrator:
· The base hardware on both edgeBOXes must be exactly the same and the extra
function cards installed on each must be identical and plugged into the same connectors;
· The Slave and Master must have identical operating system releases and revisions. For
example, if you update only the Master with a new revision of the edgeBOX's software, the
Hotbackup process will not be possible. To assure this, you should manage both edgeBOX's
updates manually and not automatically. See details...
Using Hotbackup
To set edgeBOX as a Slave edgeBOX (backup edgeBOX) hit the Change... button:
1. Select the Configure this edgeBOX to act as the Hotbackup Slave option;
2. Indicate below IP Address, Netmask, Default Gateway and Nameserver to be used in
Slave mode; in Slave mode, edgeBOX's networking is reduced to a minimum necessary
only for the Master to be able to access the Slave and replicate its configs and data
onto it;
3. Click the Save button to start the process; edgeBOX will reboot and run in Slave
mode; in Slave Mode only the LAN interface is active and its basic IP configuration is
the four values you entered in the previous step; that's the interface to which you
should connect your ethernet cable; it's a good idea to have a VGA and a keyboard
connected to the Slave in order to get a better grasp of the process; when edgeBOX
has finished entering Slave mode an appropriate text mode screen, in the VGA terminal,
will help you determine and remember these settings; if you have an edgeBOX with LCD
display, you can view an "S" in the top right corner of the LCD, indicating that the
edgeBOX is running as a Hotbackup Slave;
4. Ethernet Wiring: you can choose any IP address you wish, as long as the Master
edgeBOX can access the Slave through TCP/IP. The most simple way to wire up this
setup is to choose for the Slave an IP address which falls into the Master LAN segment.
For example, if your Master has LAN address 192.168.100.254/255.255.255.0, then you
could choose for the Slave 192.168.100.253/255.255.255.0 and connect the Slave LAN
port to the same switch as the Master LAN port (but, please, keep in mind that this
setup is not the only solution).
When you set edgeBOX in Slave mode, you lose access to the web interface and
you can no longer use the edgeBOX for managing your network. It will only work as
a backup for the Master edgeBOX. Still, you will be able to access it using its command line
interface, either locally using a keyboard/VGA or a serial console, or remotely via ssh. This
way you will be able to perform a limited set of commands that are specific to the Slave
Mode.
You can only set your edgeBOX to run in master mode after you have an edgeBOX configured
and working as a Slave edgeBOX. Also, the Slave must be accessible to the Master through the
network.
To make your edgeBOX run in Master mode, click the Change... button:
1. Select the Configure this edgeBOX to act as the Hotbackup Master option;
2. Indicate below the IP address of the Slave edgeBOX and the time of day at which
you want to replicate the configuration and data from the master to the slave; the
replication is made every day at that time;
3. Click the Save button. edgeBOX will search for the Slave, validate its configuration and
start working as a Master edgeBOX. If you have an edgeBOX with LCD display, you can
view an "M" in the top right corner of the LCD, indicating that the edgeBOX is running as
a Master edgeBOX.
Choose a time of day when your network has less activity, for example, during dawn,
because, in order to make the replication, the Master edgeBOX has to stop a
considerable amount of services to guarantee that the configuration and information are
correctly replicated.
Please note: you should avoid performing administrative tasks close to replication
time. If you are configuring your Master and the replication procedure starts, there could
occur severe damage to your edgeBOX compromising stability. As a practical rule do
not use the GUI or the CLI at replication hours.
When you have an edgeBOX in Slave mode, you lose access to the web interface. Still you
can check its connectivity status from the Master.
To do this just hit the Check Slave button. If the Master determines that the Slave is not
reachable or inconsistently configured a detailed message will be displayed; in normal
situations you will get an Ok assuring you that everything is normal;
In Hotbackup, the replication of the Master edgeBOX's configuration and data is made everyday
at a given hour that you defined when you configured the Hotbackup process. Still you can ask
the Master edgeBOX to replicate at any time.
To do this just click the Replicate Now button. This operation may take a very long time.
Please wait. In the end you will get an Ok saying that everything went all right; if the operation
fails you will get a detailed diagnostic message. As stated above, please avoid doing any other
tasks while this one is running.
Make sure that your network has little activity when you ask edgeBOX to replicate. Note
that, in order to replicate correctly, edgeBOX has to stop a considerable amount of network
services.
If you have your edgeBOX running in Master Mode and you want to stop using HotBackup and
make the edgeBOX run again in the default normal mode, then hit the Change... button and
select the Disable Hotbackup option (this operation will not perform any change of
configuration in the Slave). edgeBOX will stop replicating to the slave edgeBOX. All other
services will continue working normally.
If your Master edgeBOX (the edgeBOX that is managing your network) is malfunctioning and
you need the Slave edgeBOX (backup edgeBOX) to take over its functions:
1. Before initializing the process, check the status of the last replication in the Slave
edgeBOX; please consult the Slave's logs via CLI commands hotbackup view replica
status or hotbackup view slave log; if you have an LCD unit then just scroll down
the menus in the Slave and you'll get the Replica Status with a date and an Ok;
2. Shutdown or power-off the Master;
3. Connect all Master's appropriate cables (eg ADSL, ISDN, Analogue etc) to the Slave
edgeBOX;
4. Open the slave edgeBOX's Command Line Interface (CLI);
5. Type in the command hotbackup returntonormalmode or hotbackup return to normal
mode. The Slave edgeBOX will take over all services previously provided and managed
by the Master; please follow the process until the end;
When you stop the Slave edgeBOX to work as a slave and make it take over the master,
you gain back access to edgeBOX's web interface. To login to the web interface, use the
password that you used to login on the Master edgeBOX (the administrator password is also
replicated onto the Slave).
The Master automatically detects that the Slave has a different operating system version/release and
will refuse to proceed.
Updating the Master is quite straightforward. Just follow the process described in the
Software Updates menu, in the System section, but do not select the option that installs
software automatically. You can activate the Check for updates automatically but let me
install manually option in the Software Updates menu. This will not install anything but will
periodically query the update server and send you notifications if needed.
The Slave edgeBOX is not able to execute nor to check for software updates by itself. So,
if you allow the Master to update automatically, all subsequent replication attempts will fail. The
same happens if you update either of them manually but forget to update the other one.
Please keep in mind that the slave, as it finishes the return to normal mode operation, becomes
a perfect replica of the Master; this is of utmost importance. Although other/mixed approaches may be
possible, the following may be used as a step-by-step approach to executing the software update on
the slave:
a) Before proceeding with the upgrade of the Slave please note the following:
· As the Slave returns to normal mode its LAN interface will have the same configuration as the
Master;
· If the Master is the default gateway of the network segment to which the Slave will connect in
order to access the update server, then the Slave's WAN interface will obtain an IP address in the
Master's LAN segment. This implies that the WAN and LAN interfaces in the Slave will have
configurations "in" the same IP segment; this will surely frustrate the Slave's attempts to reach the
update server. In this scenario either the Slave's LAN IP address is temporarily changed or, simply,
the Master is turned off and the Slave takes its place for the software upgrade (during the night or
weekend). After the update is complete all connections may be brought back to normal and the Slave
returns to Slave mode.
1. Disconnect any network cable which might be connected to the Slave's WAN interface;
2. Access the Slave's Command Line Interface (in Slave Mode there is no GUI); to do this you
can connect your laptop directly to the Slave's LAN connector (using a crossover cable, if
needed) and access the CLI by ssh/putty; in Slave mode there is no DHCP server running, so,
the laptop IP configuration must be manual; using the keyboard and VGA is also a good
approach;
3. Execute the hotbackup return to normal mode command in the Slave's CLI (putty/ssh or
keyboard/VGA); wait until the Slave has finished returning to normal mode of operation (you
determine this by watching it reboot into normal mode from the VGA terminal);
4. If the Slave is going to access the update server using the Master as default gateway, please
change the Slave's LAN IP address with the CLI command: lan static ip
192.168.70.1/255.255.255.0 (or any other subnet that does not collide either with the
Master's LAN nor any of the VLANs involved); when this command completes you will lose
your connection; you need to re-configure your laptop manually, following the example
given, with, for instance, 192.168.70.200; this step is not needed at all if the Slave will
connect directly to the internet without the Master involved (unless you have static IP
configuration on the WAN and you are planning to share the same network segment for the
upgrade; in this case you really need to disconnect the Master's WAN interface, in order to
prevent a duplicate IP on the same segment);
5. Connect to the Slave's WAN interface the cable that will provide internet connectivity (through
the Master or directly through the ISP);
6. Access the Slave's web interface and proceed as described in the Software Updates menu
(assuming your laptop is still connected to the LAN interface you should point it to https://
LANIPADDRESS:8011; if your laptop is connected to the WAN segment of the Slave you should
point to https://WANIPADDRESS:8011); depending on the type of update it may be necessary
to reboot; make sure no warnings popup and everything processes normally;
8. Access the GUI and reconfigure Hotbackup Slave Mode; re-enter and double check the Slave
Mode's IP settings (IP, Netmask, gateway and nameserver) and apply slave mode again; wait
until edgeBOX is fully back in Slave mode (watch the VGA terminal; it will tell you); re-wire the
slave's network cable(s) back as they were before;
9. Re-wire the Master back to the way it was before (that is, if you changed anything); go to the
Master's GUI and execute the "Check Slave" operation; the result must be "Ok";
10. Execute the "Replicate now" operation if you do not wish to wait for the up-coming daily
replication.
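Step 4 of the procedure above hinges on an addressing check that is easy to get wrong by hand: once the Slave has returned to normal mode its LAN carries the Master's configuration, so a WAN lease from the Master's LAN segment puts both Slave interfaces in the same subnet, and the re-addressed LAN must also stay clear of every VLAN. The following is an added example, not edgeBOX code, that performs that overlap check and verifies that the manually configured laptop address lands inside the Slave's LAN segment. The Master LAN address and the 192.168.70.x values come from the manual's own example; the WAN lease and the VLAN segment are constructed.

```python
"""Sanity-check the Slave's addressing before it fetches updates.

Added example, not edgeBOX code. It encodes the constraint from step 4
of the Slave upgrade procedure: the Slave's LAN and WAN interfaces (and
any VLAN segments) must not share an IP segment, and the admin laptop
must sit inside the Slave's LAN segment. Addresses are either the
manual's own example values or constructed for this check.
"""
from ipaddress import IPv4Address, IPv4Interface
from itertools import combinations
from typing import Dict, List, Tuple


def conflicting_segments(ifaces: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return pairs of interface names whose networks overlap.

    Values are "ip/mask" strings in CIDR or dotted-netmask form, exactly as
    typed on the CLI (e.g. 192.168.70.1/255.255.255.0).
    """
    parsed = {name: IPv4Interface(addr) for name, addr in ifaces.items()}
    return [
        (a, b)
        for a, b in combinations(sorted(parsed), 2)
        if parsed[a].network.overlaps(parsed[b].network)
    ]


def laptop_can_reach_lan(lan: str, laptop_ip: str) -> bool:
    """The manually configured laptop must be inside the Slave's LAN segment,
    must not reuse the Slave's own LAN address, and must be a host address."""
    lan_if = IPv4Interface(lan)
    ip = IPv4Address(laptop_ip)
    reserved = (lan_if.ip, lan_if.network.network_address, lan_if.network.broadcast_address)
    return ip in lan_if.network and ip not in reserved


# After "return to normal mode" the Slave LAN carries the Master's LAN settings
# (192.168.100.254/24 from the manual). If the WAN then takes a lease from the
# Master's LAN (constructed 192.168.100.50) both interfaces collide.
BEFORE = {
    "lan": "192.168.100.254/255.255.255.0",
    "wan": "192.168.100.50/255.255.255.0",
    "vlan10": "192.168.10.1/255.255.255.0",   # constructed VLAN segment
}

# After `lan static ip 192.168.70.1/255.255.255.0` (manual's example) no segment overlaps.
AFTER = dict(BEFORE, lan="192.168.70.1/255.255.255.0")


if __name__ == "__main__":
    print(conflicting_segments(BEFORE))                      # [('lan', 'wan')]
    print(conflicting_segments(AFTER))                       # []
    print(laptop_can_reach_lan(AFTER["lan"], "192.168.70.200"))   # True
    print(laptop_can_reach_lan(AFTER["lan"], "192.168.100.200"))  # False
```

Run the check with the real VLAN list of your site before picking the temporary LAN subnet; the manual only says the subnet must not collide with the Master's LAN or any VLAN, and this makes that condition explicit.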
10.6 Notifications
You may find the need to receive notifications regarding Hardware events, RAID status and others.
edgeBOX is able to detect such events and forward them to you by e-mail and by means of SNMP
traps - in case you use SNMP to manage your network(s).
To configure the system to send these specific e-mail notifications and SNMP traps, please go to the
Notifications menu in the System section. As usual, you can Start and Stop the Notifications
service and an appropriate coloured status bar shows you the current operating status.
E-mails
You may Enable, Disable and Edit the details of e-mail notifications:
· Notification
· Hardware status changes: if you want to receive e-mails for temperature changes and
other hardware issues;
· RAID if you want to receive e-mails about hard disk status related to RAID.
· Receiver - the e-mail address to which the notifications will be sent (leaving it as
root@localhost will make the e-mail be delivered to the administrator e-mail address).
SNMP Traps
You may Enable, Disable and Edit the details of SNMP Traps notifications:
· Name
· Hardware status changes: if you want to receive traps for temperature changes and other
hardware issues;
· Backup result summary: if you want to receive traps with the results of your scheduled
backup operations;
· RAID if you want to receive SNMP traps about hard disk status information related to
RAID.
· Trap Type - Only Enterprise should be selected. Generic will be included for a future release.
· Trap Receiver - IP address of the SNMP management Server which will receive the traps.
· Trap Community - The community which has been configured on the server which will receive
the traps.
· Object ID - The SNMP Object Identifier configured on the server which will receive the traps.
RAID1 uses two (possibly more) disks which each store the same data, so that data is not lost so
long as one disk survives. Total capacity of the array is just the capacity of a single disk. The failure
of one drive, in the event of a hardware or software malfunction, does not increase the chance of a
failure or decrease the reliability of the remaining drives (second, third, etc).
· At the top the array status is presented and it may be one of the following:
· DeviceDisappeared - A mirrored array which was previously configured, has lost a device
and is no longer working as a RAID array
· RebuildStarted - The RAID array has started reconstruction (e.g. when a disk is replaced, the
new disk has to be reconstructed from the good disk to form the array)
· RebuildFinished - The (new) disk has either completed reconstruction (and is now part of the
RAID1 array) or the reconstruction was aborted.
· Fail - An active disk in the RAID mirror has been marked as faulty.
· FailSpare - A spare disk (if one is available), which was being rebuilt to replace a faulty
device, has failed.
· DegradedArray - The array is degraded (e.g. disk failure)
· SpareActive - A spare disk (if one exists) which was being rebuilt to replace a faulty disk,
has been successfully rebuilt and has been made active.
No Hot Spare
To replace a faulty disk automatically, i.e. without the need for management intervention, follow
these steps:
The new disk should synchronize with the active one. The array status may be checked on the RAID
panel.
Note: The replacement disk must match the original disk; it cannot have a larger or smaller
capacity (in bytes).
Hot Spare
If the box has more than two disks, you may not have to shut down the system immediately. A third
disk (spare) may replace the faulty one. This is accomplished by the following steps:
2. Highlight the Spare Disk and press the "Add" button, the new disk will be included on the RAID
array and synchronization will begin.
If a spare disk is available in the "Array Disks" panel, it will be automatically used to rebuild the RAID
array in the event of a disk failure with one of the current RAID disks.
To replace the faulty disk, highlight it and select the "Remove" button. Shut down the edgeBOX and
remove and replace (if you wish) with a new disk which has the same Byte capacity as the faulty
disk.
In this case, it would be prudent to add this replacement disk to the "Array Disk" panel for automatic
replacement in the event of another disk failure.
Hotswap
Hotswap is also supported in the Enterprise Appliance, however the following precautions should be
taken:
· Write down all disks' serial numbers and their respective slots, so you know which disk is the faulty one.
· The faulty disk may be replaced without shutting down the system. Synchronization process
progress may be checked in the RAID panel.
edgeBOX includes comprehensive solutions for accessing system and application logs (such as
syslog, HTTP logs and VoIP CDRs, among others). Point your browser at the Logging menu in the
System section. There you'll find:
Log Viewer
The Log Viewer lets you examine several applications' logs with two levels of verbosity. Click the Log
viewer... link. The Log Viewer panel will pop up:
· Service: select the service for which you wish to read logs; the available services are: Anti
Virus, Authentication, Backup, Blacklist, Website Access Restrictions, Daemon, Hardware
Monitor, Hotbackup, Kernel, Mail, RAID, VoIP;
· Verbosity: controls the level of detail of the messages displayed; select High or Low
(changes will be applied to new log messages only); this setting is global to all services;
Each page displays at most 25 lines. The Previous and Next buttons allow you to scroll
chronologically through the pages (earliest messages are displayed first).
Logs Destination
edgeBOX can send logs to a remote logs server. To enable this behaviour click on the Change...
button and specify:
· Server address: the IP Address or host name (FQDN) of the server to which edgeBOX will
send log messages;
· Port: the TCP/IP port number on which the server listens for log messages; 514 is the
default.
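On the receiving side, the remote log server has to parse what edgeBOX forwards to port 514. The following is an added example, not edgeBOX code or anything shipped with it: a minimal RFC 3164 (BSD syslog) line parser that decodes the PRI field into facility and severity and pulls out the records a defender would alert on, such as a RAID degradation. The hostname edgebox, the PIDs and the message texts in SAMPLE are constructed.

```python
"""Minimal RFC 3164 syslog line parser for a remote log collector.
Added example; not edgeBOX code. SAMPLE lines below are constructed."""
import re

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron", "authpriv", "ftp", "ntp", "audit",
              "alert", "clock", "local0", "local1", "local2", "local3",
              "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice",
              "info", "debug"]

# <PRI>Mmm dd hh:mm:ss host tag[pid]: message   (dd may be space padded)
_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$")


def parse_syslog(line):
    """Decode one RFC 3164 line into a dict; raise ValueError if malformed."""
    m = _LINE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 line: %r" % line)
    pri = int(m.group("pri"))
    if pri > 191:  # 23 facilities * 8 severities - 1
        raise ValueError("PRI out of range: %d" % pri)
    return {
        "facility": FACILITIES[pri // 8],
        "severity": SEVERITIES[pri % 8],
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "tag": m.group("tag"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "message": m.group("msg"),
    }


def alerts(lines, max_severity="err"):
    """Return parsed records whose severity is at or above max_severity.
    Malformed lines are skipped rather than trusted."""
    cutoff = SEVERITIES.index(max_severity)
    out = []
    for line in lines:
        try:
            rec = parse_syslog(line)
        except ValueError:
            continue
        if SEVERITIES.index(rec["severity"]) <= cutoff:
            out.append(rec)
    return out


# Constructed sample input: authpriv.info, kern.err, auth.info, and junk.
SAMPLE = [
    "<86>Mar  3 04:00:01 edgebox sshd[1234]: Accepted password for admin from 192.0.2.10",
    "<3>Mar  3 04:02:17 edgebox mdadm[2311]: DegradedArray event detected on md device /dev/md0",
    "<38>Mar  3 04:05:44 edgebox login[2412]: FAILED LOGIN 1 FROM 192.0.2.77 FOR root",
    "this line is not syslog at all",
]

if __name__ == "__main__":
    for rec in alerts(SAMPLE):
        print(rec["severity"], rec["facility"], rec["tag"], rec["message"])
```

The parser only accepts the classic BSD format; a collector that also receives RFC 5424 messages would need a second pattern, and a collector exposed on TCP 514 should still drop lines that do not match rather than store them unparsed.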
You should set the logmaster password from this panel. The logmaster username gives you FTP
access to edgeBOX's log files:
Additionally, this FTP access should be used to access, download and delete call recordings
made by means of the Automatic Call Recording. If your edgeBOX is currently recording calls, you'll
find them inside the call-recordings FTP folder.
· Timeout: The maximum amount of time for connection setup with the RADIUS server. If this
time is exceeded then the next server on the list (if any) will be contacted.
· Log Interval: possible values are “15 minutes”, “30 minutes” and “60 minutes”. This option
allows you to control the period for which account information will be sent to the remote
RADIUS accounting servers.
Note: Accounting is only available with authenticated user sessions. See Authentication for details.
10.10 SNMP
The status of the edgeBOX can be queried using the Simple Network Management Protocol. This
panel controls the SNMP agent running on the edgeBOX.
SNMP Agent
· Enable Access to SNMP Agent - Enables the SNMP agent and allows read-only access to report
the status of the edgeBOX.
· Community string - The name of the community used when requesting access to the SNMP
agent. Avoid well known strings such as “public”, “private” or ones that are easy to guess, e.g.
“edgeBOX”. Specifically “public” is not allowed.
· Any device: edgeBOX's embedded SNMP agent will respond to SNMP queries coming
from any device (provided the correct community string is supplied);
· A specific device: edgeBOX will only respond to SNMP queries coming from this IP
address;
· Devices within the following network segment: edgeBOX will only respond to SNMP
queries coming from this IP segment (as determined by the IP Address and Netmask pair);
· Allow queries for - Enter an object identifier (OID). Access to objects below this level is not
allowed.
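Two of the settings above are easy to get subtly wrong when checked in software: an OID restriction must be compared arc by arc (the string "1.3.6.1.2.10" starts with "1.3.6.1.2.1" but is not inside that subtree), and a community string must be rejected when it is one of the well-known defaults. The block below is an added example written for this guide, not edgeBOX code, and it assumes the usual SNMP view semantics in which the configured OID is the root of the permitted subtree; the OIDs and community strings used are standard MIB-2 values and constructed samples.

```python
"""Component-wise OID subtree check plus a community-string sanity check,
as a defender would apply when reviewing SNMP agent restrictions.
Added example; not edgeBOX code."""


def parse_oid(oid):
    """Turn '1.3.6.1.2.1' (leading dot optional) into a tuple of ints."""
    parts = oid.strip().lstrip(".").split(".")
    if not parts or any(not p.isdigit() for p in parts):
        raise ValueError("malformed OID: %r" % oid)
    return tuple(int(p) for p in parts)


def oid_in_subtree(requested, allowed_root):
    """True when requested equals allowed_root or lies beneath it.
    The comparison is per arc, so '1.3.6.1.2.10' is NOT under '1.3.6.1.2.1'."""
    req = parse_oid(requested)
    root = parse_oid(allowed_root)
    return req[:len(root)] == root


def filter_requests(requests, allowed_root):
    """Split a batch of requested OIDs into (allowed, denied) lists."""
    allowed, denied = [], []
    for oid in requests:
        (allowed if oid_in_subtree(oid, allowed_root) else denied).append(oid)
    return allowed, denied


# Community strings the text says to avoid; "public" is refused outright.
FORBIDDEN_COMMUNITIES = {"public", "private", "edgebox"}


def community_acceptable(community, min_len=12):
    """Reject well-known or trivially short community strings."""
    c = community.strip()
    return len(c) >= min_len and c.lower() not in FORBIDDEN_COMMUNITIES


if __name__ == "__main__":
    # Constructed sample: allow only the MIB-2 'system' group (1.3.6.1.2.1.1).
    ok, bad = filter_requests(
        ["1.3.6.1.2.1.1.1.0", "1.3.6.1.2.1.1.5.0", "1.3.6.1.2.1.25.1.1.0"],
        "1.3.6.1.2.1.1")
    print("allowed:", ok)
    print("denied:", bad)
```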
SNMP Traps
· Allow edgeBOX to send SNMP trap messages to a Trap manager - Enable notifications to
be sent.
· Receiver - The host name or IP address of a computer (NMS) to which notifications will
be sent.
To configure the type of traps/notifications sent by edgeBOX go to the Notifications section. These
include the Backup, Hardware Monitor and RAID services.
10.11 Maintenance
In the Maintenance module it is possible to schedule system database optimization in order to
improve performance of VoIP service and the Reporting engine.
The main reason to do this is to increase user responsiveness and overall usability. Performance
can be significantly increased simply by enabling this feature, sometimes by as much as
4000%.
Some edgePaks, which also depend on the system database, may also benefit from a periodically
optimized database.
To enable this option, go to the Maintenance menu in the System section. A short overview is
provided with:
Use the Change Schedule... and Remove Schedule... buttons to edit or remove the configuration.
The Database Optimization can be done in several recurrence patterns, namely:
For each previous recurrence pattern you should also set the
Database optimization may take a long time (from a few minutes to, in very extreme situations,
some hours). This depends on factors such as the load on the edgeBOX and the amount of data
being processed, but mostly on how long ago the last optimization was done, or whether
optimization was ever done at all.
Please schedule your database optimization for a period of the day when there is no (or low) load on
your box, or when no services are being used, to minimize the impact on services. See an example...
A very simple example is to set the edgeBOX database optimization task to run weekly, every
Saturday at 4:00am. This always depends on your service usage; adapt the best solution for each
case. Avoid collisions with the Hotbackup replication hours and the scheduled Backup operations.
To change the status of a service, click the service and hit the Start (green) or Stop (red) button at
the top of the table. Note that changes made here remain in effect after a reboot.
· Overall Health - Yes or No. It is determined by the disk's monitoring software, based on
the values of the parameters that follow.
· Temperature.
· Pending Sectors Count - Number of sectors waiting to be remapped to another part of the
disk.
· Total Up Time - Number of hours since the disk has been switched on.
You can receive e-mail notifications about changes detected in the Hardware Monitor; choose
the Hardware Status Changes type in the Notifications panel.
Ping
Tests for network connectivity. Enter an IP Address or a FQDN and press the Ping button;
· Method:
· UDP: with this option selected the ping method will send a UDP packet to the remote host's
echo port; adjust the timeout and enter the packet size in bytes;
· TCP: adjust the timeout and enter the TCP port to which to send the probes;
· SYN: adjust the timeout and enter the TCP port to which to send the probes; if the "SYN"
protocol is specified, the ping method will only send a TCP SYN packet to the remote host
and then immediately return. If the SYN packet was sent successfully, it will return a true
value, otherwise it will return false.
· All: adjust the timeout and enter the TCP port to which to send the probes; this produces a
Ping which tries each method sequentially (ICMP, UDP, TCP then SYN). If one of the
methods receives a reply (e.g. ICMP), the other methods are not attempted; if no reply
is received after the timeout, the next method is attempted until another timeout
elapses, and so on. This continues until either a successful reply is received or all methods
have timed out.
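The "All" method above is a fallback chain: each probe gets its own timeout and the chain stops at the first reply. The block below is an added example, not edgeBOX's Ping implementation: it implements only a full TCP connect probe (ICMP and SYN probes need raw sockets and privileges, so they are represented by a callable that never gets a reply) and the sequential try-each-method logic, and it opens a listener on 127.0.0.1 so the probe has a real, offline target. Note that a TCP connect probe completes the handshake, which is why the SYN-only variant exists as a quieter alternative.

```python
"""Sequential connectivity probe in the style of the Ping tool's "All"
method. Added example; not edgeBOX code. Only the TCP connect probe is
real here; the other methods are stand-ins passed in as callables."""
import socket


def tcp_probe(host, port, timeout):
    """Full TCP connect to host:port. True if the handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out
        return False


def unreachable_probe(host, port, timeout):
    """Stand-in for a method that never gets a reply (e.g. ICMP filtered)."""
    return False


def ping_all(host, port, timeout, methods):
    """methods: ordered list of (name, callable(host, port, timeout)).
    Stops at the first method that reports a reply.
    Returns (name_of_successful_method_or_None, names_attempted)."""
    attempted = []
    for name, probe in methods:
        attempted.append(name)
        if probe(host, port, timeout):
            return name, attempted
    return None, attempted


def local_listener():
    """Open a listening socket on an ephemeral localhost port so the example
    has something real to probe offline. Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = local_listener()
    chain = [("ICMP", unreachable_probe), ("UDP", unreachable_probe),
             ("TCP", tcp_probe), ("SYN", unreachable_probe)]
    print(ping_all("127.0.0.1", port, 1.0, chain))   # ('TCP', ['ICMP', 'UDP', 'TCP'])
    srv.close()
    print(ping_all("127.0.0.1", port, 1.0, chain))   # (None, [all four names])
```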
NSLookup
· Host Names: allows you to determine the Name of a specified IP address; enter an IP
address, such as 212.23.34.45 and press the Lookup button;
· Domain Names: allows you to list the DNS servers for a given domain; enter a domain name,
such as critical-links.com and press the Lookup button;
· Mail Servers: allows you to determine the mailservers for a specified domain; enter a
domain name, such as google.fr and press the Lookup button;
· IP Addresses: to determine the IP address for a specified domain name or FQDN; enter a
domain name, such as www.fsf.org and press the Lookup button;
· DNS Server: allows you to specify a DNS Server (by IP or name) which will be used to
resolve the IP address. If not set, the edgeBOX default name server is used for the lookup;
Traceroute
Find the route that network packets follow to reach a specified host or IP address. A reference for
how traceroute (tracert on Windows) works can be found at: Traceroute. Note: it may take more
than 10 seconds to complete the task.
Type the IP Address or FQDN in the box and press the Trace button.
· Method: ICMP or UDP; the type of packets used in the traceroute test;
· Timeout: maximum time waiting for test results on each router along the way.
A short overview is shown with the current configurations. To alter these settings press the
Change... button and enter the values for:
· Keep Alive - time interval, in minutes, used to separate the emission of 'keep alive packets'
to the Remote Management Server. The server will use this keep alive connection to warn
administrators of potential problems with the edgeBOX.
11 Reporting
View and export reports about edgeBOX's System, Services and Users.
For each report you can specify a Time Interval. It can be a begin/end day, a single day or
hour, depending on the report you are seeing.
You can export the reports into a printable HTML page that you can print via a browser, or
into a CSV file, for automated processing.
11.1 System
Displays information regarding edgeBOX’s system usage:
· CPU
· Memory
· Load
· Disk Usage
· Interfaces
11.1.1 CPU
The CPU report shows edgeBOX's processor usage, in percentage, per type of process
(user’s and system processes) and cpu idle time.
You can drill down each line into each day to view the CPU usage just for the selected day.
11.1.2 Memory
This report shows used and free memory, in MB.
Drill down in each day to view the memory usage for that day only.
11.1.3 Load
The Load report displays the load of the system through the number of active processes.
Load 1 min values indicate the average number of active processes over one minute. Load 5 min
values indicate the average over 5 minutes. Load 15 min values indicate the average over
15 minutes.
Drill down into each day to view the load of the CPU for each day.
Values below 1 represent good CPU load, between 3 and 4 require you to monitor closely,
and values over 5 require you to take action because the CPU is overloaded.
· The System Storage partition saves the runtime system data information (database and
log information).
· The Home Storage partition is used to save the user account folders and the network
shared folders (Shares).
11.1.5 Interfaces
Shows the traffic received and sent by edgeBOX in the WAN, LAN and DMZ interfaces.
Drill down into each day to check the usage of the interface for that specific day. Scroll down to view
information for the LAN and, if you have one, DMZ interfaces.
11.2 Services
Displays reports showing information about the service usage.
· HTTP Access
· Web Server
· Firewall
· E-mail
· VoIP
· VPN
You can drill down into each line to see daily HTTP accesses and sites visited.
Please note: this report will contain no information if the Proxy Cache service is stopped.
It is possible to drill down into each day to check the accesses on that specific day.
11.2.3 Firewall
This report shows Firewall related information as dropped and rejected (sent back) network
packets grouped by day.
You can drill down each line to a specific time frame in order to identify actions applied to
unauthorized network traffic.
11.2.4 E-mail
The E-mail report shows e-mail service related information from the Services perspective. That
is, you can only see how many sender and receiver e-mail domains (the @mail.com part of the e-
mail address) are processed for the sent and received e-mail.
You can also view the number of e-mails processed and how many of those were detected as
being infected with viruses by the Mail Scanner.
If you drill down in each line, you can identify singular e-mail exchange info such as the sender or the
receiver e-mail, if it was locally delivered to edgeBOX, the size of the message and if it was infected
with a virus.
11.2.5 VoIP
The VoIP report displays VoIP service usage. Calls are grouped into:
The image above is a drilled-down detail of the Internal Calls. The information available includes
the duration of the calls and the number of calls made.
11.2.6 VPN
The VPN report gives information about the PPTP VPN tunnels in use in the edgeBOX; number
of users using the VPN service, the number of connections made, and accumulated duration of
connections per day.
11.3 Users
Services data correlated with user information:
· Accounting information
· HTTP Access
· E-mail
· VoIP
· VPN
11.3.1 General
The General report summarizes the activity of users.
You can view the inbound and outbound traffic in megabytes, PPTP VPN tunnels and the total
duration of these tunnels, and external calls made and the duration of the calls.
The information is shown only in a tabular format; it is not possible to drill down inside each
line as in other reports.
11.3.2 Accounting
The Accounting report shows network traffic and sessions made by the network users.
You can check the amount of downloads and uploads that are being processed for the
users in each network interface (WAN, LAN and DMZ).
You can drill down in each line of the table to view detailed information for each session of the
users.
If you are not using authentication, the user's IP Address is shown, instead of the username.
Please note: this report will contain no information if the Proxy Cache service is stopped.
11.3.4 E-mail
The E-mail report shows e-mail service related information for each e-mail address.
You can drill down in each line to view e-mail messages details for a particular e-mail account.
11.3.5 VoIP
The VoIP report displays VoIP calls for each phone or user.
For all registered phones the Inbound, Outbound and Internal calls with their associated call duration
is displayed.
Drill down into each type of calls to view the calls made for that type.
If you select a user's calls you can view calls to and from that user for the specified time period:
11.3.6 VPN
The VPN report gives a summary of the PPTP VPNs on edgeBOX. It shows the number of
connections and the total duration of the connections.
Services
Following the Services link, you will enter the edgeBOX Services page (this option is only
available to users on the internal network); these are browser-based, user-oriented, commonly
accessible edgeBOX features. On the left you'll find a list of accessible services:
Applications
In the Applications section you'll find links to the following applications (if installed and/or
configured). Follow the links below for details:
· Webmail
Any LAN user can request a safe by accessing the utilities page (http://<lan address>:8011) and
selecting the "Services" option. The following page will be displayed.
Follow the link "Public Folders". Currently available safes will be displayed, as well as the current
safes' configuration parameters. To create a new safe, select "Create a new safe".
Select the desired settings for your safe. Sizes available will always be less than or equal to the
maximum size configured, as well as the maximum time the safe will be available. To create the
safe, select "Create safe".
Selecting "Public Folders" again will now display the safe just created.
To use the safe, access it like a normal Windows share, entering the credentials supplied to
authenticate.
If you want to close the safe before its time expires, go to the Services > "Public Folders" menu and
follow the "Close this Folder" link next to the safe you want to close. You will need to supply the
password for the safe. If the operation completes successfully, the message "Folder closed" will be
displayed.
Note: When a Folder is closed (manually or after the timeout), the folder and contents are deleted.
12.2 Webmail
In the Initial Page of User Services and Application, select the Applications link and then Webmail
(if Webmail is not available, it has not been configured; see E-mail domains and
Webmail).
You will be presented with the following screen. Select your preferred language and login with your
edgeBOX username and password. Use the interface to send and read your e-mail.
Note that if there are more entries than can be shown on the screen, the additional entries can be
viewed by placing the mouse to the right of the screen, causing the screen to scroll to the right (and
vice-versa).
You are reminded that you need to allow the FOP service on the Firewall Panel, for access and the
Web Server must be running.
· Hang-up a channel
· Transfer a call leg via drag and drop
· Initiate calls via drag and drop
· Barge in on a call using drag and drop
· Drag and drop to create an agent
· Manage queues
· Park/Unpark calls
Select the Applications menu and you should be presented with the following:
(If Webmail is not present on the Menu, this is because you have not configured a Webmail
Domain; please refer to E-mail Server and Webmail for configuration instructions.)
When you select Flash operator, you will be presented with the following screen:
To alter this password, enter username and Password as admin and root (respectively) and set a
new password.
To create a call, simply drag the phone icon for the user of interest to the phone icon of
the person you wish to call.
If, for example, you drag the npem phone icon to the jayme icon, npem's phone will ring.
If npem picks up the call, jayme's phone will ring and the call is established.
Once the call is established, both phones will change their green 'LED' to red and the extension
number of the caller will be shown, as well as the duration of the call.
You may force the termination of a call, by double clicking on the red LED.
Note: If a phone is not currently registered with edgeBOX (and thus cannot be rung), the icon will be
greyed out.
In the large panel below, the caller has rung alextalk via the BRI/1 2 connection (as they both have
the same tel number tag of the external caller).
Again, you may terminate a call by double clicking the red LED of the phone (or the line).
12.3.5 Barging
Barging allows the operator to interfere with an active call. Thus if 2 users have established a call,
you could (although this is not generally recommended) drag a phone to one of the phones which is
already connected, to establish a new call (leaving one of the users with a disconnected call!).
To add an Agent, simply drag the phone to the Queue (the phone LED will change from green to
yellow).
To delete the Agent, drag the phone to the queue again (the LED will change from yellow to green).
The top panel (Queue Support) shows the status of the queue (1 caller waiting for an Agent) and the
queue name (support).
The next two panels show the top two (longest in queue) clients in the queue.
To add a client to the queue, simply drag the ringing phone to the queue, or drag one of the phones
which has established a phone connection.
Note: You can reset a queue by double clicking on Queue's (top panel of the three) LED. If you do
this, all callers in the queue will be removed.
You can then drag the parked phone icon to a phone (or elsewhere) to establish a call.
· A caller (A) rings and is routed to the operator (B). They request C's extension.
· The operator can see that C is not on a call and can drag the line icon to C's phone, or
· The operator can put the caller on hold (by dragging the incoming line to the park icon) and drag
the operator phone icon to C's icon to ring C and ask if they wish to take the call.
· The Operator can now either drag the icon from park to C's icon or drag the park icon to their
phone icon and explain that C cannot take the call.
13 Appendices
· Regular services, such as POP3, IMAP, FTP and Internet access for LAN users;
· Windows use (Samba Print and Filesharing);
· Allow authentication from wireless and wired 802.1x port based authentication devices on the
LAN;
· PPTP
· VoIP.
This is always the first level of access to be tested: if users are required to log in (LAN/VLAN
users), any connection attempted before logging in is denied; such packets are in fact discarded by
the firewall.
If a user wants to access the Internet, the following steps must be taken:
· The user accesses edgeBOX's authentication page or some website running on port 80 (which
causes a redirection to edgeBOX's authentication page);
· If the credentials entered were valid, the user may or may not be granted access, depending
on his access Privilege.
From this moment on, and if this user's policy grants him access to the Internet, he will be able to
access any remote service. Furthermore, a pop-up window will be displayed, allowing him to log out.
This pop-up window must be kept open to keep the user authenticated. If this window is closed and
no network traffic is detected originating from this user's machine, the authentication will time out
and the user will have to re-authenticate in order to access the Internet. The timeout is set to five
minutes.
As previously mentioned, the policies are handled at the firewall level. After a user authenticates,
appropriate firewall rules are loaded in order to enforce his Privilege profile. A user authenticating
from a PC in the LAN will in fact revert to an IP/MAC address pair, and each rule loaded will refer to
this pair. If the profile to which the user belongs was granted access to the Internet, a firewall rule
will be loaded allowing all traffic originating from this host to the Internet.
If a Privilege contains an IP address (see the Devices section in Privileges), then firewall rules
reflecting this policy profile featuring this IP will automatically be loaded, making it a static entry.
That is, if a user uses a machine with an IP in a profile, they will be automatically authenticated by
the edgeBOX and will have the profile's privileges (rather than the user's profile privileges).
A typical use of this feature is to automatically allow servers to access the Internet. Suppose you
have a Windows update server. Making its IP a member of a group with access to the Internet
automatically enables access to the Internet for this server.
Due to the concept of system-wide authentication, all services will be authenticated against the
scheme chosen, be it local or remote. There are some services however, namely PPTP and Wireless
that allow you to use another (RADIUS) server to perform authentication.
The following matrix displays the possible combinations for authentication/authorization schemes:
Authorisation | Authentication
Local RADIUS  | Local LDAP
Local RADIUS  | Remote LDAP
Local RADIUS  | Remote AD
Local RADIUS  | Remote RADIUS
Remote RADIUS | Remote RADIUS
Remote LDAP   | Remote LDAP
The first line matches edgeBOX's local configuration (all local). You can have a remote configuration
replicating this configuration, in which RADIUS performs authorisation, with an LDAP backend
performing authentication/authorisation.
Special remarks have to be made when you delegate authorisation/authentication on a remote LDAP
or RADIUS or Active Directory (without "import users" checked) server. As users are remote, they
are not known to edgeBOX before they make their first successful login. Before this happens no user
account is created locally and the same applies for edgeBOX's local RADIUS and LDAP servers
(edgeBOX always keeps a local copy).
When using Active Directory as a remote authentication scheme, you have the option to import the
users. In such a configuration, local accounts and entries will be created locally. This schema works
also in "fail-safe" mode, i.e., if the Active Directory server is not reachable at a certain point the
users will be authenticated locally.
If you are not using local authorisation, you will still be able to edit users' permissions. In this
scenario, after a user logs in for the first time, he will be placed in the "Generic" privilege, and will
be granted permission to access the services configured in the "Generic" privilege.
Bear in mind that although a remote scheme is used, you can still add local users before those users
make their first login. This can be useful if you want to set their service permissions beforehand
(when using local authorisation) or to set the group to which they will belong (by default they are
assigned to the generic group).
Depending on the scheme used, the way a user may perform his first login will vary. The next table
displays this information:
In the examples that follow, the following general configuration will be used by edgeBOX:
· SSID: valebox
· Channel: 1
· Hide Network: not active - this network will be visible for all wireless clients nearby; later you
can activate this if you wish;
· Allow only specific devices to use the wireless network: not active - no Hardware
Address based filtering will occur; later you can configure it.
13.2.1 802.1x
The following picture illustrates the configuration used by edgeBOX for 802.1x authentication and
accounting.
On MS Windows, double-click the "Wireless Network Connection" icon and select the "Wireless
Networks" tab. Make sure the SSID entered is consistent with that defined on edgeBOX (valebox on
our example). Choose "WPA" for "Network Authentication" and "AES" for "Data Encryption". Select
then the "Authentication" tab.
[Figure: Wireless Network Connection, Wireless Networks tab]
On the Authentication tab, select "Protected EAP (PEAP)" as the "EAP type". Press the "Properties"
button. On the dialog window that pops-up, uncheck the "Validate server certificate" checkbox, and
select "Secure password" as the Authentication Method. Press the "Configure" button.
[Figure: Authentication tab]
On the dialog window that pops-up, uncheck the "Automatically use my Windows..." checkbox. Press
"OK" on all dialogs to confirm this configuration.
If the configuration succeeds, you should see a balloon warning you to enter credentials to connect to
the wireless network. Clicking on the balloon will display a prompt requiring you to enter the
username and password for a user authorised to connect to the Wireless network.
13.2.2 WPA
If edgeBOX was configured to use WPA as the security scheme, the following settings must be
configured on the client:
Additionally, the network key to be used must also be supplied. Remember that if you choose to use
a preshared key of 64 characters, it must be hexadecimal; if it is shorter than 64 characters, it may
be ASCII or hex. If this connection is configured to be established manually, when you try to connect
to it a dialog window will be shown, asking you to supply the network key.
You may obtain an automatically generated key from the website
https://www.grc.com/passwords.htm.
[Figure: Wireless Configuration]
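The two key forms mentioned above behave differently: a 64-character hexadecimal string is the 256-bit pairwise master key itself, whereas a shorter passphrase is stretched into that key with PBKDF2-HMAC-SHA1 over the SSID (4096 iterations), which is the standard WPA/WPA2-PSK derivation. The block below is an added example, not edgeBOX code or the tool on the website just mentioned: it validates the two forms, derives the key for the valebox SSID used in this appendix, and generates a random key locally so no external website is needed. The 32-character passphrase length in generate_passphrase is a chosen default, not a value from the manual.

```python
"""WPA-PSK input validation and PMK derivation (PBKDF2-HMAC-SHA1, 4096
rounds, SSID as salt). Added example; not edgeBOX code."""
import hashlib
import secrets
import string

SSID = "valebox"  # the example SSID used in this appendix


def psk_from_input(key, ssid):
    """Return the 32-byte PMK for the given key text and SSID.
    64 chars: must be hex and is used as the raw key.
    8..63 chars: treated as a printable-ASCII passphrase and stretched."""
    if len(key) == 64:
        try:
            return bytes.fromhex(key)
        except ValueError:
            raise ValueError("a 64-character key must be hexadecimal")
    if not 8 <= len(key) <= 63:
        raise ValueError("a passphrase must be 8 to 63 characters")
    if any(ord(c) < 32 or ord(c) > 126 for c in key):
        raise ValueError("a passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac("sha1", key.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def generate_hex_psk():
    """Locally generated random 64-hex-character (256-bit) key."""
    return secrets.token_hex(32)


def generate_passphrase(length=32):
    """Locally generated random printable passphrase (length is a chosen default)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    raw = generate_hex_psk()
    print("hex key:", raw)
    print("PMK from hex key matches:", psk_from_input(raw, SSID) == bytes.fromhex(raw))
    phrase = generate_passphrase()
    print("passphrase:", phrase)
    print("derived PMK:", psk_from_input(phrase, SSID).hex())
```

Because the passphrase form is only 4096 rounds of SHA1 keyed by the SSID, a short or dictionary passphrase is the weak point of WPA-PSK; a random 64-hex key, or a long random passphrase, is what the generator functions produce.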
Remember that users can only access these features if they belong to a Privilege for which the
Samba service is accessible.
To add a windows host to edgeBOX's Windows Domain, select "System" under the Windows Control
Panel, and then select the "Computer Name" tab. Select the "Change" button. In the dialog window
that pops-up, select the "Domain" option and enter your domain name (in our example it was
"mydomain").
After you select "OK" to confirm the domain change, you will be required to supply credentials of a
user belonging to the domain administrator's group. In edgeBOX, you have to specifically supply the
username "Administrator", which has the same password as the admin user (defaults to root).
After rebooting the machine, log on to edgeBOX's domain (it should be available on the domains'
list). The user's home directory will be mounted as Z:. In the picture below the user's directory
content is shown, where the public_html directory can be accessed. This is the directory where the
user's personal web page will be located. The other directory shown (profile) is where the roaming
profile data will be stored, so the user will retain her desktop definitions after logging off.
1. Go to My Computer.
2. Select the Tools menu and the Map Network Drive option.
Windows does not allow you to mount shares with different usernames/passwords. It is
possible to disconnect from all shares using the command "net use * /delete". This will release
all connections to shares.
It is also possible to specify which share to release: "net use" displays the active shares, and
"net use <share> /delete" disconnects that particular share.
· For basic VLAN scenarios any 802.1Q switch will work. For advanced features like port based
authentication, dynamic vlan assignment, 802.1x with single sign on or automatic guest VLAN
more advanced switches will be needed.
· For switches with L3 features it is important to disable inter vlan routing on the switch. Inter
vlan routing is done in the edgeBOX with access profile enforcement.
· Procurve 2650 Series - 802.1Q, 802.1x SSO and Dynamic VLAN assignment
· Procurve 420 Wireless AP (Firmware 2.2.2 or later) - Support for 802.1Q, 802.1X,
Dynamic VLAN assignment
· D-Link DES-1252 - 802.1Q, 802.1x SSO, manual session timeout configuration
· D-Link DES-1228 - 802.1Q, 802.1x SSO, manual session timeout configuration
· SMC Tigerswitch 6726 AL2 - 802.1Q
· Generic L2 switch with 802.1Q VLAN - 802.1Q VLAN only
· Generic L2 switch with 802.1Q VLAN and 802.1x - 802.1Q VLAN + 802.1x Port based
authentication. No single sign on available.
· Generic Wireless AP with 802.1x - 802.1x Authentication only. No single sign on available.
· Windows XP SP2
· MacOS X
· Windows Vista
· Windows Vista SP1
Please find below four possible VLAN deployment scenarios. You might wish to read them in order to
get a better grasp of the concepts or to adapt them to your own needs:
· VLAN Scenario 1
    · Standard 802.1q compatible switch
    · No 802.1x port based authentication
    · No Dynamic VLAN assignment
    · No native Guest VLAN on switch
· VLAN Scenario 2
    · Standard 802.1q compatible switch with 802.1x
    · Support for 802.1x port based authentication
    · No Dynamic VLAN assignment
    · No native Guest VLAN on switch
· VLAN Scenario 3
    · 802.1q compatible switch with 802.1x and dynamic VLAN assignment
    · Support for 802.1x port based authentication
    · Support for Dynamic VLAN assignment (HP Procurve switch)
    · No native Guest VLAN on switch
· VLAN Scenario 4
    · 802.1q compatible switch with 802.1x and dynamic VLAN assignment
    · Support for 802.1x port based authentication
    · Support for Dynamic VLAN assignment (HP Procurve switch)
    · Native Guest VLAN on switch (HP Procurve switch)
This is the most basic scenario when deploying VLANs with edgeBOX. In this case the LAN port of the
edgeBOX is connected to a trunk port on the switch. The port on the switch must be configured as an
802.1q trunk, allowing all configured VLANs to pass through the link.
1 - When using VLANs, the LAN zone is the same as VLAN 1 (id 1). In most cases VLAN 1 is the
default VLAN on a newly installed switch, which means all ports are by default configured as being
part of that VLAN.
2 - By default, all traffic between VLAN zones is blocked. This means the edgeBOX firewall does not
route traffic between VLANs unless the administrator explicitly allows it with the appropriate
access rules.
3 - Access rules between VLAN segments can be configured per access profile in the VLAN tab.
4 - The only type of user authentication available is Web Login. When a user authenticates
successfully, the firewall enforces the configured User Access Profile rules for WAN, DMZ and access
to other VLAN segments. If the user is not able to authenticate successfully, then all traffic to and
from this user will be filtered with the default rules for non-authenticated users.
This is basically the same as Scenario 1. The only addition is that some or all ports on the
switch are configured for 802.1x port based authentication.
To enable support for 802.1x port based authentication we need to configure the switch to use the
edgeBOX as the RADIUS server for authentication and enable the ports where we want this enforced.
On the edgeBOX, this 802.1x switch (the RADIUS client) needs to be authorized, which is
done in System->RADIUS->Add.
The edgeBOX supports the PEAP-EAP-MSCHAPv2 protocol. Both Windows XP and Vista include
supplicants with native support for this authentication type.
In this scenario, for a client PC connected to one of the switch ports configured with 802.1x, the
switch detects the presence of a client and initiates the 802.1x protocol. The authentication request,
made by the client PC supplicant, is forwarded by the switch to the configured RADIUS server
for authentication. If the authentication is successful the switch opens the respective port and the
client becomes part of the static VLAN configured on that port. At this point the client will get an IP
address if it is configured for DHCP and the edgeBOX DHCP server is enabled.
If the authentication is not successful then the port will remain closed and the user will not get access
to the network.
The main advantage of using 802.1x is that the user will not be able to access the network until he
has authenticated successfully.
supported 802.1x switch is used to deploy those scenarios. A supported switch includes the calling
station MAC address in the RADIUS Access-Request packet and is able to process the session timeout.
If the 802.1x switch does not support the calling station attribute, the port based authentication is
still done but the user will need to do a normal web login when accessing the Internet or services
running on the gateway.
This is scenario 3 with a switch that supports dynamic VLAN assignment. In this case, after a
successful authentication, the switch moves the associated port to the VLAN configured for that user's
access profile. Without a successful authentication the port will remain closed and the user won't be
able to access the network.
During 802.1x authentication and on success, the RADIUS server sends additional attributes to the
802.1x authenticator in the switch with information regarding the VLAN id for that particular user.
The edgeBOX supports assignment of a VLAN per access profile.
1. The network infrastructure must be set up with Procurve 2650 or compatible switches in terms
of RADIUS dynamic VLAN assignment. The HP Procurve follows RFC 2868 / RFC 3580, with
Tunnel-Private-Group-ID of type string.
2. Configure the RADIUS client as described in Scenario 2, select the correct client type and
enable Dynamic VLAN assignment.
3. Configure the User Access Profiles with the correct VLANs. See NAC->Access profiles-
>"Profile"->VLAN->VLAN Name.
The advantage of this scenario is that we can effectively do network access control by port
and at the same time put the user in the correct VLAN even if he logs in outside of his
main work space.
This is scenario 4 with a switch that supports a guest VLAN when operating with 802.1x and dynamic
VLAN assignment. This is similar to scenario 3; the only difference is what happens when the 802.1x
user is not able to authenticate. In that case the switch automatically configures the port to another
VLAN, the Unauthorized-Client VLAN. The unauthorized-client VLAN can be configured using the 802.1x
Open VLAN mode in the Procurve 2650.
As soon as the switch assigns the unauthorized-client VLAN to that port, the connected host is able to
get an IP address through DHCP. If edgeBOX authentication is enabled, the user will be presented with
the edgeBOX web login page when trying to access the Internet.
A practical example:
· Switch ports 4 and 5 are set up for 802.1x with the Unauthorized-Client VLAN assigned to VLAN6.
These ports are located in a meeting room.
· User01 is a member of the engineering profile, configured for VLAN3 (see #3 in scenario 3).
· User01 has his laptop Ethernet connection set up for 802.1x authentication.
· The engineering profile has access to the Internet, the LAN and a few servers located in VLAN2.
· Guest01 is a member of the guest profile.
· Guest01 is a guest user with just a regular DHCP configuration on his laptop.
· The guest profile is configured to have open access to the Internet only. Users in this profile are
not able to access any of the other VLANs or the LAN.
· When User01 connects to port 4, a successful 802.1x authentication takes place and the switch
port is automatically configured for VLAN3. User01 is able to work on his own VLAN and access
any other places allowed by his engineering access profile.
· When Guest01 connects to port 5, the switch is not able to start an 802.1x authentication and
automatically opens the port on VLAN6. At this point he is able to get an IP address through
DHCP, and when trying to access the Internet he will be presented with the authentication page.
With a successful web login authentication, the edgeBOX enforces the guest profile for this
user and he is able to access the Internet but nothing else.
· Any other user that connects to one of these ports without a successful authentication
will be isolated in VLAN6.
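The following is an added example, not code from the manual or from edgeBOX: it shows the RFC 2868 / RFC 3580 tunnel attributes a RADIUS server returns in an Access-Accept for the dynamic VLAN assignment of scenario 3, using the profile-to-VLAN mapping of the practical example above (engineering = VLAN3, guest = VLAN6, a constructed table), and a decoder that applies the checks a switch must make before moving the port. The tag value and the attribute encoding helpers are assumptions of the example.

```python
import struct

# RADIUS attribute numbers and values from RFC 2868 / RFC 3580 (the
# attributes the manual says the HP Procurve expects for dynamic VLANs).
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = (13).to_bytes(3, "big")     # Tunnel-Type = VLAN
TUNNEL_MEDIUM_802 = (6).to_bytes(3, "big")     # Tunnel-Medium-Type = IEEE-802

# Constructed profile-to-VLAN map, mirroring the practical example above.
PROFILE_VLAN = {"engineering": 3, "guest": 6}

def _attr(atype, value):
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def vlan_attributes(profile, tag=1):
    """Attributes an Access-Accept carries so the switch moves the port to
    the profile's VLAN. Tunnel-Private-Group-ID is sent as a string."""
    vlan = PROFILE_VLAN[profile]
    return (_attr(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN)
            + _attr(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_802)
            + _attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan).encode()))

def parse_attributes(data):
    """Split a RADIUS attribute list into (type, value) pairs."""
    attrs = []
    while data:
        if len(data) < 2 or not 2 <= data[1] <= len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return attrs

def assigned_vlan(attrs):
    """VLAN id a switch should apply, or None when the tunnel attributes are
    absent, inconsistent, or the group id is not a VLAN number (1-4094)."""
    by_tag = {}
    for atype, val in attrs:
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            # RFC 2868: a leading octet of 0x00-0x1F is a tag, otherwise untagged
            tag, body = (val[0], val[1:]) if val and val[0] <= 0x1F else (0, val)
            by_tag.setdefault(tag, {})[atype] = body
    for entry in by_tag.values():
        if (entry.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and entry.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802
                and entry.get(TUNNEL_PRIVATE_GROUP_ID, b"").isdigit()):
            vid = int(entry[TUNNEL_PRIVATE_GROUP_ID])
            if 1 <= vid <= 4094:
                return vid
    return None
```

A reply that carries only Tunnel-Private-Group-ID, or a group id that is a VLAN name rather than a number, yields no assignment, which is why all three attributes must agree on the same tag.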
IMPORTANT: be aware that this option erases all configuration, user data and software
updates since the first time the edgeBOX was installed.
In the end the system will reboot and the hard disks will be re-imaged with the original first install
contents.
In several configuration situations - such as the Firewall or user Privileges - you'll be presented with
or even need to select entries from edgeBOX network services list:
General Topics
Use passwords with at least 10 characters, mixing letters, numbers and special characters like '_' and '+'.
The characters right above the numbers on your keyboard are all good candidates too.
If you don't trust your memory, write your password down on paper and store it at home, away
from your usual work place.
· Username:
    · Size: from 3 to 64
    · Characters ("^[a-z][a-z0-9-_.]{1,62}[a-z0-9]$")
    · the middle characters may additionally contain digits ("0-9"), "-", "_" and "."
· Password:
    · Characters ("[a-zA-Z0-9!"#%&'()*+,-./:;<=>?@\[\]_`{|}]{1,127}"):
    · lower ("a-z") and upper ("A-Z") case letters, digits ("0-9") and any of ! " # % &
      ' ( ) * + , - . / : ; < = > ? @ [ ] _ ` { | }
· Username: you cannot change the administration username in edgeBOX; it's always admin
· Password:
    · Characters ("[a-zA-Z0-9!"#%&'()*+,-./:;<=>?@\[\]_`{|}]{1,127}")
    · lower ("a-z") and upper ("A-Z") case letters, digits ("0-9") and any of ! " # % &
      ' ( ) * + , - . / : ; < = > ? @ [ ] _ ` { | }
· Number:
    · Size: 1 to 20
· Size: from 1 to 20
· Characters ("[a-z0-9_-]"): lower case letters, digits and '_' and '-'
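As an added example (not code from the manual or from edgeBOX), the username and password rules above as a checker. The manual's password class writes the square brackets as an unescaped "[]", which would end the character class early in most regex engines; they are escaped here so the expression matches exactly the enumerated set. The 10-character mixed-content advice from the general topics is applied as a recommendation check, and the function names are the example's own.

```python
import re

# Username rule from the manual: lower-case letter first, letters/digits/"-"/"_"/"."
# in the middle, letter or digit last, 3 to 64 characters in total.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9\-_.]{1,62}[a-z0-9]$")

# Password character rule from the manual, with "[" and "]" escaped inside the class.
PASSWORD_RE = re.compile(r"""^[a-zA-Z0-9!"#%&'()*+,\-./:;<=>?@\[\]_`{|}]{1,127}$""")
SPECIAL_RE = re.compile(r"""[!"#%&'()*+,\-./:;<=>?@\[\]_`{|}]""")

def valid_username(name):
    """True when the name satisfies the manual's username pattern."""
    return USERNAME_RE.fullmatch(name) is not None

def password_problems(pw):
    """Return the list of violated rules for a candidate password.

    An empty list means the password satisfies the character rule and the
    manual's recommendation of 10+ characters mixing letters, digits and
    special characters. The hard rule is reported first."""
    problems = []
    if not PASSWORD_RE.fullmatch(pw):
        problems.append("contains a character outside the allowed set or has a bad length")
    if len(pw) < 10:
        problems.append("shorter than the recommended 10 characters")
    if not re.search(r"[A-Za-z]", pw):
        problems.append("no letters")
    if not re.search(r"[0-9]", pw):
        problems.append("no digits")
    if not SPECIAL_RE.search(pw):
        problems.append("no special characters")
    return problems
```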