Object
Zones Overview
Set up zones to configure network security and network policies in the Zyxel Device. A zone is a group of interfaces and/or VPN tunnels. The Zyxel Device uses zones instead of interfaces in many security and policy settings, such as Secure Policies rules, UTM Profile, and remote management.
Zones cannot overlap. Each Ethernet interface, VLAN interface, bridge interface, PPPoE/PPTP interface and VPN tunnel can be assigned to at most one zone. Virtual interfaces are automatically assigned to the same zone as the interface on which they run.
What You Need to Know
Zones effectively divide traffic into three types: intra-zone traffic, inter-zone traffic, and extra-zone traffic.
Intra-zone Traffic
Intra-zone traffic is traffic between interfaces or VPN tunnels in the same zone.
Inter-zone Traffic
Inter-zone traffic is traffic between interfaces or VPN tunnels in different zones.
Extra-zone Traffic
Extra-zone traffic is traffic to or from any interface or VPN tunnel that is not assigned to a zone.
Some zone-based security and policy settings may apply to extra-zone traffic, especially if you can set the zone attribute in them to Any or All. See the specific feature for more information.
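The following is an added example, not Zyxel code: a small model of the zone rules described above (a member belongs to at most one zone, virtual interfaces inherit their parent's zone) that labels a flow as intra-, inter- or extra-zone traffic. Zone and interface names are constructed, and the `base:n` naming for virtual interfaces is an assumption.

```python
from typing import Dict, Optional


class ZoneTable:
    """Zone membership for interfaces and VPN tunnels, with the page's two rules:
    a member belongs to at most one zone, and a virtual interface inherits the
    zone of the interface it runs on."""

    def __init__(self) -> None:
        self._zone_of: Dict[str, str] = {}

    def assign(self, zone: str, member: str) -> None:
        """Add an interface or VPN tunnel to a zone; zones cannot overlap."""
        owner = self._zone_of.get(member)
        if owner is not None and owner != zone:
            raise ValueError(f"{member} already belongs to zone {owner}")
        self._zone_of[member] = zone

    def try_assign(self, zone: str, member: str) -> bool:
        """Same as assign() but reports a conflict as False instead of raising."""
        try:
            self.assign(zone, member)
            return True
        except ValueError:
            return False

    def zone_of(self, member: str) -> Optional[str]:
        """Zone of a member, or None if it is unassigned (extra-zone).
        Virtual interface names are assumed to use the form base:n (e.g. lan1:1);
        they take the zone of their base interface."""
        if member in self._zone_of:
            return self._zone_of[member]
        base = member.split(":", 1)[0]
        return self._zone_of.get(base)

    def classify(self, ingress: str, egress: str) -> str:
        """Label a flow between two members as intra-, inter- or extra-zone traffic."""
        src, dst = self.zone_of(ingress), self.zone_of(egress)
        if src is None or dst is None:
            return "extra-zone"   # at least one side is not in any zone
        return "intra-zone" if src == dst else "inter-zone"


def demo_zones() -> ZoneTable:
    """Constructed sample: three zones resembling a device's System Default ones."""
    zt = ZoneTable()
    sample = {"LAN1": ["lan1"], "WAN": ["wan1", "wan2"], "IPSec_VPN": ["vpn_to_branch"]}
    for zone, members in sample.items():
        for member in members:
            zt.assign(zone, member)
    return zt
```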
The Zone screen provides a summary of all zones. In addition, this screen allows you to add, edit, and remove zones.
Configuration > Object > Zone 
Label
Description
User Configuration / System Default
The Zyxel Device comes with pre-configured System Default zones that you cannot delete. You can create your own User Configuration zones.
Add
Click this to create a new, user-configured zone.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove
To remove a user-configured zone, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
References
Select an entry and click References to open a screen that shows which settings use the entry. Click Refresh to update information in this screen.
#
This field is a sequential value, and it is not associated with any interface.
Name
This field displays the name of the zone.
Member
This field displays the names of the interfaces that belong to each zone.
Reference
This field displays the number of times an Object Reference is used in a policy.
Zone Edit
The Zone Edit screen allows you to add or edit a zone.
Configuration > Object > Zone > Add/Edit 
Label
Description
Name
For a system default zone, the name is read only.
For a user-configured zone, type the name used to refer to the zone. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Member List
Available lists the interfaces and VPN tunnels that do not belong to any zone. Select the interfaces and VPN tunnels that you want to add to the zone you are editing, and click the right arrow button to add them.
Member lists the interfaces and VPN tunnels that belong to the zone. Select any interfaces that you want to remove from the zone, and click the left arrow button to remove them.
OK
Click OK to save your customized settings and exit this screen.
Cancel
Click Cancel to exit this screen without saving.
User/Group
This section describes how to set up user accounts, user groups, and user settings for the Zyxel Device. You can also set up rules that control when users have to log in to the Zyxel Device before the Zyxel Device routes traffic for them.
The User screen (see User/Group User Summary) provides a summary of all user accounts.
The Group screen (see User/Group Group Summary) provides a summary of all user groups. In addition, this screen allows you to add, edit, and remove user groups. User groups may consist of access users and other user groups. You cannot put admin users in user groups.
The Setting screen (see User/Group Setting) controls default settings, login settings, lockout settings, and other user settings for the Zyxel Device. You can also use this screen to specify when users must log in to the Zyxel Device before it routes traffic for them.
The MAC Address screen (see User/Group MAC Address Summary) allows you to configure the MAC addresses or OUI (Organizationally Unique Identifier) of wireless clients for MAC authentication using the local user database. The OUI is the first three octets in a MAC address and uniquely identifies the manufacturer of a network device.
What You Need To Know
User Account
A user account defines the privileges of a user logged into the Zyxel Device. User accounts are used in security policies, in addition to controlling access to configuration and services in the Zyxel Device.
User Types
These are the types of user accounts the Zyxel Device uses.
Types of User Accounts 
Type
Abilities
Login Method(s)
Admin Users
admin
Change Zyxel Device configuration (web, CLI)
WWW, TELNET, SSH, FTP, Console
limited-admin
Look at Zyxel Device configuration (web, CLI)
Perform basic diagnostics (CLI)
WWW, TELNET, SSH, Console
Access Users
user
Access network services
Browse user-mode commands (CLI)
WWW, TELNET, SSH
guest
Access network services
WWW
ext-user
External user account
WWW
ext-group-user
External group user account
WWW
guest-manager
Create dynamic guest accounts
WWW
dynamic-guest
Access network services
Hotspot Portal
Note: The default admin account is always authenticated locally, regardless of the authentication method setting.
Ext-User Accounts
Set up an ext-user account if the user is authenticated by an external server and you want to set up specific policies for this user in the Zyxel Device. If you do not want to set up policies for this user, you do not have to set up an ext-user account.
All ext-user users should be authenticated by an external server, such as AD, LDAP or RADIUS.
Note: If the Zyxel Device tries to authenticate an ext-user using the local database, the attempt always fails.
Once an ext-user user has been authenticated, the Zyxel Device tries to get the user type from the external server. If the external server does not have the information, the Zyxel Device sets the user type for this session to User.
For the rest of the user attributes, such as reauthentication time, the Zyxel Device checks the following places, in order.
1 User account in the remote server.
2 User account (Ext-User) in the Zyxel Device.
3 Default user account for AD users (ad-users), LDAP users (ldap-users) or RADIUS users (radius-users) in the Zyxel Device.
See Setting up User Attributes in an External Server for a list of attributes and how to set up the attributes in an external server.
Ext-Group-User Accounts
Ext-Group-User accounts are similar to ext-user accounts but allow you to group users by the value of the group membership attribute configured for the AD or LDAP server. See Adding an Active Directory or LDAP Server for more on the group membership attribute.
Dynamic-Guest Accounts
Dynamic guest accounts are guest accounts, but are created dynamically and stored in the Zyxel Device’s local user database. A dynamic guest account has a dynamically-created user name and password. A dynamic guest account user can access the Zyxel Device’s services only within a given period of time and will become invalid after the expiration date/time.
There are three types of dynamic guest accounts depending on how they are created or authenticated: billing-users, ua-users and trial-users.
billing-users are guest accounts created with the guest manager account or an external printer and paid by cash, or created and paid via the on-line payment service. ua-users are users that log in from the user agreement page. trial-users are free guest accounts that are created with the Free Time function.
User Groups
User groups may consist of user accounts or other user groups. Use user groups when you want to create the same rule for several user accounts, instead of creating separate rules for each one.
Note: You cannot put access users and admin users in the same user group.
Note: You cannot put the default admin account into any user group.
The sequence of members in a user group is not important.
User Awareness
By default, users do not have to log into the Zyxel Device to use the network services it provides. The Zyxel Device automatically routes packets for everyone. If you want to restrict network services that certain users can use via the Zyxel Device, you can require them to log in to the Zyxel Device first. The Zyxel Device is then ‘aware’ of the user who is logged in and you can create ‘user-aware policies’ that define what services they can use. See User/Group Technical Reference for a user-aware login example.
Finding Out More
See User/Group Technical Reference for some information on users who use an external authentication server in order to log in.
The Zyxel Device supports TTLS using PAP so you can use the Zyxel Device’s local user database to authenticate users with WPA or WPA2 instead of needing an external RADIUS server.
User/Group User Summary
The User screen provides a summary of all user accounts.
Configuration > Object > User/Group > User 
Label
Description
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
References
Select an entry and click References to open a screen that shows which settings use the entry.
#
This field is a sequential value, and it is not associated with a specific user.
User Name
This field displays the user name of each user.
User Type
This field displays the types of user accounts the Zyxel Device uses:
admin - this user can look at and change the configuration of the Zyxel Device
limited-admin - this user can look at the configuration of the Zyxel Device but cannot change it
dynamic-guest - this user has access to the Zyxel Device’s services but cannot look at the configuration.
user - this user has access to the Zyxel Device’s services and can also browse user-mode commands (CLI).
guest - this user has access to the Zyxel Device’s services but cannot look at the configuration
ext-user - this user account is maintained in a remote server, such as RADIUS or LDAP.
ext-group-user - this user account is maintained in a remote server, such as RADIUS or LDAP.
guest-manager - this user can log in via the web configurator login screen and create dynamic guest accounts using the Account Generator screen that pops up.
Description
This field displays the description for each user.
Reference
This displays the number of times an object reference is used in a profile.
User Add/Edit
The User Add/Edit screen allows you to create a new user account or edit an existing one.
Rules for User Names
Enter a user name from 1 to 31 characters.
The user name can only contain the following characters:
Alphanumeric A-Z a-z 0-9 (there is no unicode support)
_ [underscores]
- [dashes]
The first character must be alphabetical (A-Z a-z), an underscore (_), or a dash (-). Other limitations on user names are:
User names are case-sensitive. If you enter a user ‘bob’ but use ‘BOB’ when connecting via CIFS or FTP, it will use the account settings used for ‘BOB’, not ‘bob’.
User names have to be different than user group names.
Here are the reserved user names:
adm
admin
any
bin
daemon
debug
devicehaecived
ftp
games
halt
ldap-users
lp
mail
news
nobody
operator
radius-users
root
shutdown
sshd
sync
uucp
zyxel
Configuration > Object > User/Group > User > Add 
Label
Description
User Name
Type the user name for this user account. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. User names have to be different than user group names, and some words are reserved.
User Type
This field displays the types of user accounts the Zyxel Device uses:
admin - this user can look at and change the configuration of the Zyxel Device
limited-admin - this user can look at the configuration of the Zyxel Device but cannot change it
user - this user has access to the Zyxel Device’s services and can also browse user-mode commands (CLI).
guest - this user has access to the Zyxel Device’s services but cannot look at the configuration.
ext-user - this user account is maintained in a remote server, such as RADIUS or LDAP.
ext-group-user - this user account is maintained in a remote server, such as RADIUS or LDAP.
Password
This field is not available if you select the ext-user or ext-group-user type.
Enter a password of 1 to 64 characters for this user account. If you selected Enable Password Complexity in Configuration > Object > User/Group > Setting, it must consist of at least 8 characters and at most 64. At least 1 character must be a number, at least 1 a lower case letter, at least 1 an upper case letter and at least 1 a special character from the keyboard, such as !@#$%^&*()_+.
Retype
This field is not available if you select the ext-user or ext-group-user type.
Group Identifier
This field is available for an ext-group-user type user account.
Specify the value of the AD or LDAP server’s Group Membership Attribute that identifies the group to which this user belongs.
Associated AAA Server Object
This field is available for an ext-group-user type user account. Select the AAA server to use to authenticate this account’s users.
Description
Enter the description of each user, if any. You can use up to 60 printable ASCII characters. Default descriptions are provided.
Email
Type one or more valid email addresses for this user so that email messages can be sent to this user if required. A valid email address must contain the @ character. For example, this is a valid email address: abc@example.com.
Mobile Number
Type a valid mobile telephone number for this user so that SMS messages can be sent to this user if required. A valid mobile telephone number can be up to 20 characters in length, including the numbers 1~9 and the following characters in the square brackets [+*#()-].
Authentication Timeout Settings
If you want the system to use default settings, select Use Default Settings. If you want to set authentication timeout to a value other than the default settings, select Use Manual Settings then fill your preferred values in the fields that follow.
Lease Time
If you select Use Default Settings in the Authentication Timeout Settings field, the default lease time is shown.
If you select Use Manual Settings, you need to enter the number of minutes this user has to renew the current session before the user is logged out. You can specify 1 to 1440 minutes. You can enter 0 to make the number of minutes unlimited. Admin users renew the session every time the main screen refreshes in the Web Configurator. Access users can renew the session by clicking the Renew button on their screen. If you allow access users to renew time automatically, the users can select this check box on their screen as well. In this case, the session is automatically renewed before the lease time expires.
Reauthentication Time
If you select Use Default Settings in the Authentication Timeout Settings field, the default reauthentication time is shown.
If you select Use Manual Settings, you need to type the number of minutes this user can be logged into the Zyxel Device in one session before the user has to log in again. You can specify 1 to 1440 minutes. You can enter 0 to make the number of minutes unlimited. Unlike Lease Time, the user has no opportunity to renew the session without logging out.
User VLAN ID
This field is available for an ext-group-user type user account.
Select this option to enable dynamic VLAN assignment on the Zyxel Device. When a user is authenticated successfully, all data traffic from this user is tagged with the VLAN ID number you specify here.
This allows you to assign a user of the ext-group-user type to a specific VLAN based on the user credentials instead of using an AAA server.
Configuration Validation
Use a user account from the group specified above to test if the configuration is correct. Enter the account’s user name in the User Name field and click Test.
OK
Click OK to save your changes back to the Zyxel Device.
Cancel
Click Cancel to exit this screen without saving your changes.
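As an added example (not Zyxel's code), the following validator implements the Rules for User Names above (length, character set, first character, reserved names, no clash with group names) and the password conditions from the Password field, with and without Enable Password Complexity. It is useful for checking an account list before provisioning; matching reserved names exactly (case-sensitively) is an assumption.

```python
import re
import string
from typing import Iterable, List

# 1-31 ASCII letters, digits, underscores or dashes; the first character is not a digit.
USERNAME_RE = re.compile(r"[A-Za-z_-][A-Za-z0-9_-]{0,30}")

# The reserved user names listed on the page.
RESERVED_USER_NAMES = frozenset({
    "adm", "admin", "any", "bin", "daemon", "debug", "devicehaecived", "ftp",
    "games", "halt", "ldap-users", "lp", "mail", "news", "nobody", "operator",
    "radius-users", "root", "shutdown", "sshd", "sync", "uucp", "zyxel",
})

# Keyboard special characters; the page gives !@#$%^&*()_+ as examples.
SPECIAL_CHARS = frozenset(string.punctuation)


def validate_user_name(name: str, existing_group_names: Iterable[str] = ()) -> List[str]:
    """Return the rule violations for a proposed user name (empty list = acceptable)."""
    problems: List[str] = []
    if USERNAME_RE.fullmatch(name) is None:
        problems.append("must be 1-31 ASCII letters, digits, '_' or '-', "
                        "and must not start with a digit")
    if name in RESERVED_USER_NAMES:          # exact match (assumption: compared as typed)
        problems.append("name is reserved")
    if name in set(existing_group_names):    # case-sensitive, like the device
        problems.append("user names must differ from user group names")
    return problems


def validate_password(password: str, complexity_enabled: bool) -> List[str]:
    """Return the violations of the Password field rules (empty list = acceptable)."""
    problems: List[str] = []
    if not complexity_enabled:
        if not 1 <= len(password) <= 64:
            problems.append("must be 1-64 characters")
        return problems
    if not 8 <= len(password) <= 64:
        problems.append("must be 8-64 characters when password complexity is enabled")
    checks = [
        (any(c.isdigit() for c in password), "needs at least one number"),
        (any(c.islower() for c in password), "needs at least one lower case letter"),
        (any(c.isupper() for c in password), "needs at least one upper case letter"),
        (any(c in SPECIAL_CHARS for c in password),
         "needs at least one special character such as !@#$%^&*()_+"),
    ]
    problems.extend(message for ok, message in checks if not ok)
    return problems
```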
User/Group Group Summary
User groups consist of access users and other user groups. You cannot put admin users in user groups. The Group screen provides a summary of all user groups. In addition, this screen allows you to add, edit, and remove user groups.
Configuration > Object > User/Group > Group 
Label
Description
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Removing a group does not remove the user accounts in the group.
References
Select an entry and click References to open a screen that shows which settings use the entry.
#
This field is a sequential value, and it is not associated with a specific user group.
Group Name
This field displays the name of each user group.
Description
This field displays the description for each user group.
Member
This field lists the members in the user group. Each member is separated by a comma.
Reference
This displays the number of times an object reference is used in a profile.
Group Add/Edit
The Group Add/Edit screen allows you to create a new user group or edit an existing one.
Configuration > Object > User/Group > Group > Add 
Label
Description
Name
Type the name for this user group. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. User group names have to be different than user names.
Description
Enter the description of the user group, if any. You can use up to 60 characters, punctuation marks, and spaces.
Member List
The Member list displays the names of the users and user groups that have been added to the user group. The order of members is not important. Select users and groups from the Available list that you want to be members of this group and move them to the Member list. You can double-click a single entry to move it or use the [Shift] or [Ctrl] key to select multiple entries and use the arrow button to move them.
Move any members you do not want included to the Available list.
OK
Click OK to save your changes back to the Zyxel Device.
Cancel
Click Cancel to exit this screen without saving your changes.
User/Group Setting
The Setting screen controls default settings, login settings, lockout settings, and other user settings for the Zyxel Device. You can also use this screen to specify when users must log in to the Zyxel Device before it routes traffic for them.
Configuration > Object > User/Group > Setting 
Label
Description
User Authentication Timeout Settings
Default Authentication Timeout Settings
These authentication timeout settings are used by default when you create a new user account. They also control the settings for any existing user accounts that are set to use the default settings. You can still manually configure any user account’s authentication timeout settings.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
#
This field is a sequential value, and it is not associated with a specific entry.
User Type
These are the kinds of user account the Zyxel Device supports.
admin - this user can look at and change the configuration of the Zyxel Device
limited-admin - this user can look at the configuration of the Zyxel Device but cannot change it
user - this user has access to the Zyxel Device’s services but cannot look at the configuration
guest - this user has access to the Zyxel Device’s services but cannot look at the configuration
ext-user - this user account is maintained in a remote server, such as RADIUS or LDAP.
ext-group-user - this user account is maintained in a remote server, such as RADIUS or LDAP.
Lease Time
This is the default lease time in minutes for each type of user account. It defines the number of minutes the user has to renew the current session before the user is logged out.
Admin users renew the session every time the main screen refreshes in the Web Configurator. Access users can renew the session by clicking the Renew button on their screen. If you allow access users to renew time automatically, the users can select this check box on their screen as well. In this case, the session is automatically renewed before the lease time expires.
Reauthentication Time
This is the default reauthentication time in minutes for each type of user account. It defines the number of minutes the user can be logged into the Zyxel Device in one session before having to log in again. Unlike Lease Time, the user has no opportunity to renew the session without logging out.
Miscellaneous Settings
Allow renewing lease time automatically
Select this check box if access users can renew lease time automatically, as well as manually, simply by selecting the Updating lease time automatically check box on their screen.
Enable user idle detection
This is applicable for access users.
Select this check box if you want the Zyxel Device to monitor how long each access user is logged in and idle (in other words, there is no traffic for this access user). The Zyxel Device automatically logs out the access user once the User idle timeout has been reached.
User idle timeout
This is applicable for access users.
This field is effective when Enable user idle detection is checked. Type the number of minutes each access user can be logged in and idle before the Zyxel Device automatically logs out the access user.
Login Security
Password must be changed every (days):
Enter how often users must change their password when they log into the Zyxel Device. You can choose from once a day to once a year.
Password reset link (FQDN/IP):
Associate the password expiration to a specific Zyxel Device. Default is this Zyxel Device (myrouter) or select Custom and enter the IP address or Fully Qualified Domain Name (FQDN).
Enable Password Complexity
Select this to enforce the following conditions in a user password. Requiring a strong password is good for security. The conditions are that the password must consist of at least 8 characters and at most 64. At least 1 character must be a number, at least 1 a lower case letter, at least 1 an upper case letter and at least 1 a special character from the keyboard, such as !@#$%^&*()_+.
User Logon Settings
Limit the number of simultaneous logons for administration account
Select this check box if you want to set a limit on the number of simultaneous logins by admin users. If you do not select this, admin users can login as many times as they want at the same time using the same or different IP addresses.
Maximum number per administration account
This field is effective when Limit ... for administration account is checked. Type the maximum number of simultaneous logins by each admin user.
Limit the number of simultaneous logons for access account
Select this check box if you want to set a limit on the number of simultaneous logins by non-admin users. If you do not select this, access users can login as many times as they want as long as they use different IP addresses.
Maximum number per access account
This field is effective when Limit ... for access account is checked. Type the maximum number of simultaneous logins by each access user.
Reach maximum number per account:
Select Block to stop new users from logging in when the Maximum number per access account is reached.
Select Remove previous user and login to disassociate the first user that logged in and allow a new user to log in when the Maximum number per access account is reached.
User Lockout Settings
Enable logon retry limit
Select this check box to set a limit on the number of times each user can login unsuccessfully (for example, wrong password) before the IP address is locked out for a specified amount of time.
Maximum retry count
This field is effective when Enable logon retry limit is checked. Type the maximum number of times each user can login unsuccessfully before the IP address is locked out for the specified lockout period. The number must be between 1 and 99.
Lockout period
This field is effective when Enable logon retry limit is checked. Type the number of minutes the user must wait to try to login again, if logon retry limit is enabled and the maximum retry count is reached. This number must be between 1 and 65,535 (about 45.5 days).
Apply
Click Apply to save the changes.
Reset
Click Reset to return the screen to its last-saved settings.
Default User Authentication Timeout Settings Edit
The Default Authentication Timeout Settings Edit screen allows you to set the default authentication timeout settings for the selected type of user account. These default authentication timeout settings also control the settings for any existing user accounts that are set to use the default settings. You can still manually configure any user account’s authentication timeout settings.
Configuration > Object > User/Group > Setting > Edit 
Label
Description
User Type
This read-only field identifies the type of user account for which you are configuring the default settings.
admin - this user can look at and change the configuration of the Zyxel Device
limited-admin - this user can look at the configuration of the Zyxel Device but cannot change it.
dynamic-guest - this user has access to the Zyxel Device’s services but cannot look at the configuration.
user - this user has access to the Zyxel Device’s services but cannot look at the configuration.
guest - this user has access to the Zyxel Device’s services but cannot look at the configuration.
ext-user - this user account is maintained in a remote server, such as RADIUS or LDAP.
ext-group-user - this user account is maintained in a remote server, such as RADIUS or LDAP.
guest-manager - this user can log in via the web configurator login screen and create dynamic guest accounts using the Account Generator screen that pops up.
Lease Time
Enter the number of minutes this type of user account has to renew the current session before the user is logged out. You can specify 1 to 1440 minutes. You can enter 0 to make the number of minutes unlimited.
Admin users renew the session every time the main screen refreshes in the Web Configurator. Access users can renew the session by clicking the Renew button on their screen. If you allow access users to renew time automatically, the users can select this check box on their screen as well. In this case, the session is automatically renewed before the lease time expires.
Reauthentication Time
Type the number of minutes this type of user account can be logged into the Zyxel Device in one session before the user has to log in again. You can specify 1 to 1440 minutes. You can enter 0 to make the number of minutes unlimited. Unlike Lease Time, the user has no opportunity to renew the session without logging out.
OK
Click OK to save your changes back to the Zyxel Device.
Cancel
Click Cancel to exit this screen without saving your changes.
User Aware Login Example
Access users cannot use the Web Configurator to browse the configuration of the Zyxel Device. Instead, after access users log into the Zyxel Device.
Web Configurator for Non-Admin Users 
Label
Description
User-defined lease time (max ... minutes)
Access users can specify a lease time shorter than or equal to the one that you specified. The default value is the lease time that you specified.
Renew
Access users can click this button to reset the lease time, the amount of time remaining before the Zyxel Device automatically logs them out. The Zyxel Device sets this amount of time according to the:
User-defined lease time field in this screen
Lease time field in the User Add/Edit screen
Lease time field in the Setting screen.
Updating lease time automatically
This box appears if you checked the Allow renewing lease time automatically box in the Setting screen. Access users can select this check box to reset the lease time automatically 30 seconds before it expires. Otherwise, access users have to click the Renew button to reset the lease time.
Remaining time before lease timeout
This field displays the amount of lease time that remains, though the user might be able to reset it.
Remaining time before auth. timeout
This field displays the amount of time that remains before the Zyxel Device automatically logs the access user out, regardless of the lease time.
User/Group MAC Address Summary
Note: This screen shows the MAC addresses of wireless clients, which can be authenticated by their MAC addresses using the local user database. You need to configure an SSID security profile’s MAC authentication settings to have the AP use the Zyxel Device’s local database to authenticate wireless clients by their MAC addresses.
Configuration > Object > User/Group >  
Label
Description
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
MAC Address/OUI
This field displays the MAC address or OUI (Organizationally Unique Identifier of computer hardware manufacturers) of wireless clients using MAC authentication with the Zyxel Device local user database.
Description
This field displays a description of the device identified by the MAC address or OUI.
MAC Address Add/Edit
This screen allows you to create a new allowed device or edit an existing one.
Configuration > Object > User/Group > > Add 
Label
Description
MAC Address/OUI
Type the MAC address (six hexadecimal number pairs separated by colons or hyphens) or OUI (three hexadecimal number pairs separated by colons or hyphens) to identify specific wireless clients for MAC authentication using the Zyxel Device local user database. The OUI is the first three octets in a MAC address and uniquely identifies the manufacturer of a network device.
Description
Enter an optional description of the wireless device(s) identified by the MAC or OUI. You can use up to 60 characters, punctuation marks, and spaces.
OK
Click OK to save your changes back to the Zyxel Device.
Cancel
Click Cancel to exit this screen without saving your changes.
User/Group Technical Reference
This section provides some information on users who use an external authentication server in order to log in.
Setting up User Attributes in an External Server
To set up user attributes, such as reauthentication time, in LDAP or RADIUS servers, use the following keywords in the user configuration file.
LDAP/RADIUS: Keywords for User Attributes 
Keyword
Corresponding Attribute in Web Configurator
type
User Type. Possible Values: admin, limited-admin, dynamic-guest, user, guest.
leaseTime
Lease Time. Possible Values: 1-1440 (minutes).
reauthTime
Reauthentication Time. Possible Values: 1-1440 (minutes).
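The attribute lookup order for ext-users (remote server, then the Ext-User account on the device, then the ad-users/ldap-users/radius-users default account) together with the value ranges in the keyword table, as an added example that is not Zyxel code. Treating a type value outside the documented set, or a time outside 1-1440, as "not provided" is an assumption made so that a malformed server attribute cannot grant more than intended; the sample attribute dictionaries are constructed.

```python
from typing import Any, Dict, Mapping, Optional, Tuple

ALLOWED_TYPES = {"admin", "limited-admin", "dynamic-guest", "user", "guest"}
DEFAULT_ACCOUNT = {"ad": "ad-users", "ldap": "ldap-users", "radius": "radius-users"}
TIME_KEYWORDS = ("leaseTime", "reauthTime")


def _minutes(value: Any) -> Optional[int]:
    """Accept 1-1440 given as an int or a digit string (servers often return strings)."""
    try:
        n = int(str(value).strip())
    except ValueError:
        return None
    return n if 1 <= n <= 1440 else None


def resolve_ext_user(
    username: str,
    server_kind: str,
    remote_attrs: Mapping[str, Any],
    local_ext_users: Mapping[str, Mapping[str, Any]],
    defaults: Mapping[str, Mapping[str, Any]],
) -> Tuple[Dict[str, Any], Dict[str, str]]:
    """Effective session attributes for an authenticated ext-user, and where each came from.

    remote_attrs     keyword -> value returned by the AD/LDAP/RADIUS server for this user
    local_ext_users  username -> {keyword: value} of Ext-User accounts on the device
    defaults         'ad-users' / 'ldap-users' / 'radius-users' -> {keyword: value}
    """
    resolved: Dict[str, Any] = {}
    source: Dict[str, str] = {}

    # 1. The user type comes from the external server only; when it is missing
    #    (or, by assumption, not a documented value) the session type is "user".
    remote_type = remote_attrs.get("type")
    if remote_type in ALLOWED_TYPES:
        resolved["type"], source["type"] = remote_type, "remote server"
    else:
        resolved["type"], source["type"] = "user", "fallback"

    # 2. Remaining attributes: first valid value along the documented chain wins.
    default_name = DEFAULT_ACCOUNT[server_kind]
    chain = [
        ("remote server", remote_attrs),
        ("ext-user account", local_ext_users.get(username, {})),
        (default_name, defaults.get(default_name, {})),
    ]
    for keyword in TIME_KEYWORDS:
        for label, attrs in chain:
            minutes = _minutes(attrs[keyword]) if keyword in attrs else None
            if minutes is not None:
                resolved[keyword], source[keyword] = minutes, label
                break
    return resolved, source
```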
Creating a Large Number of Ext-User Accounts
If you plan to create a large number of Ext-User accounts, you might use CLI commands, instead of the Web Configurator, to create the accounts. Extract the user names from the LDAP or RADIUS server, and create a shell script that creates the user accounts.
AP Profile
This section shows you how to configure preset profiles for the Access Points (APs) connected to your Zyxel Device’s wireless network.
Wireless Profiles
At the heart of all wireless AP configurations on the Zyxel Device are profiles. A profile represents a group of saved settings that you can use across any number of connected APs. You can set up the following wireless profile types:
Radio - This profile type defines the properties of an AP’s radio transmitter. You can have a maximum of 32 radio profiles on the Zyxel Device.
SSID - This profile type defines the properties of a single wireless network signal broadcast by an AP. Each radio on a single AP can broadcast up to 8 SSIDs. You can have a maximum of 32 SSID profiles on the Zyxel Device.
Security - This profile type defines the security settings used by a single SSID. It controls the encryption method required for a wireless client to associate itself with the SSID. You can have a maximum of 32 security profiles on the Zyxel Device.
MAC Filtering - This profile provides an additional layer of security for an SSID, allowing you to block access or allow access to that SSID based on wireless client MAC addresses. If a client’s MAC address is on the list, then it is either allowed or denied, depending on how you set up the MAC Filter profile. You can have a maximum of 32 MAC filtering profiles on the Zyxel Device.
SSID
The SSID (Service Set IDentifier) is the name that identifies the Service Set with which a wireless station is associated. Wireless stations associating to the access point (AP) must have the same SSID. In other words, it is the name of the wireless network that clients use to connect to it.
WEP
WEP (Wired Equivalent Privacy) encryption scrambles all data packets transmitted between the AP and the wireless stations associated with it in order to keep network communications private. Both the wireless stations and the access points must use the same WEP key for data encryption and decryption.
WPA and WPA2
Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. WPA2 (IEEE 802.11i) is a wireless security standard that defines stronger encryption, authentication and key management than WPA. Key differences between WPA(2) and WEP are improved data encryption and user authentication.
IEEE 802.1x
The IEEE 802.1x standard outlines enhanced security methods for both the authentication of wireless stations and encryption key management. Authentication is done using an external RADIUS server.
Radio Screen
This screen allows you to create radio profiles for the APs on your network. A radio profile is a list of settings that a supported managed AP (NWA5121-N for example) can use to configure either one of its two radio transmitters.
Note: You can have a maximum of 32 radio profiles on the Zyxel Device.
Configuration > Object > AP Profile > Radio 
Label
Description
Add
Click this to add a new radio profile.
Edit
Click this to edit the selected radio profile.
Remove
Click this to remove the selected radio profile.
Activate
To turn on an entry, select it and click Activate.
Inactivate
To turn off an entry, select it and click Inactivate.
References
Click this to view which other objects are linked to the selected radio profile.
#
This field is a sequential value, and it is not associated with a specific profile.
Status
This icon is lit when the entry is active and dimmed when the entry is inactive.
Profile Name
This field indicates the name assigned to the radio profile.
Frequency Band
This field indicates the frequency band which this radio profile is configured to use.
Schedule
This field displays the schedule object which defines when this radio profile can be used.
Apply
Click Apply to save your changes back to the Zyxel Device.
Reset
Click Reset to return the screen to its last-saved settings.
Add/Edit Radio Profile
This screen allows you to create a new radio profile or edit an existing one.
Configuration > Object > AP Profile > Add/Edit Radio Profile 
Label
Description
Hide / Show Advanced Settings
Click this to hide or show the Advanced Settings in this window.
General Settings
Activate
Select this option to make this profile active.
Profile Name
Enter up to 31 alphanumeric characters to be used as this profile’s name. Spaces and underscores are allowed.
802.11 Band
Select how to let wireless clients connect to the AP.
11b/g: allows either IEEE 802.11b or IEEE 802.11g compliant WLAN devices to associate with the AP. The AP adjusts the transmission rate automatically according to the wireless standard supported by the wireless devices.
11b/g/n: allows IEEE 802.11b, IEEE 802.11g and IEEE 802.11n compliant WLAN devices to associate with the AP. The transmission rate of your AP might be reduced.
11a: allows only IEEE 802.11a compliant WLAN devices to associate with the AP.
11a/n: allows both IEEE 802.11n and IEEE 802.11a compliant WLAN devices to associate with the AP. The transmission rate of your AP might be reduced.
11ac: allows only IEEE 802.11ac compliant WLAN devices to associate with the AP.
Channel Width
Select the wireless channel bandwidth you want the AP to use.
A standard 20 MHz channel offers transfer speeds of up to 144 Mbps (2.4 GHz) or 217 Mbps (5 GHz), whereas a 40 MHz channel uses two standard channels and offers speeds of up to 300 Mbps (2.4 GHz) or 450 Mbps (5 GHz). An IEEE 802.11ac-specific 80 MHz channel offers speeds of up to 1.3 Gbps.
40 MHz (channel bonding or dual channel) bonds two adjacent radio channels to increase throughput. An 80 MHz channel consists of two adjacent 40 MHz channels. The wireless clients must also support 40 MHz or 80 MHz. It is often better to use the 20 MHz setting in a location where the environment hinders the wireless signal.
Because not all devices support 40 MHz and/or 80 MHz channels, select 20/40MHz or 20/40/80MHz to allow the AP to adjust the channel bandwidth automatically.
Select 20MHz if you want to lessen radio interference with other wireless devices in your neighborhood or if the wireless clients do not support channel bonding.
Channel Selection
Select the wireless channel which this radio profile should use.
It is recommended that you choose the channel least in use by other APs in the region where this profile will be implemented. This will reduce the amount of interference between wireless clients and the AP to which this profile is assigned.
Select DCS to have the AP automatically select the radio channel upon which it broadcasts by scanning the area around it and determining what channels are currently being used by other devices.
Select Manual and specify the channels the AP uses.
*If you change the country code later, Channel Selection is set to Manual automatically.
DCS Time Interval
This field is available when you set Channel Selection to DCS.
Enter a number of minutes. This regulates how often the AP surveys the other APs within its broadcast radius. If the channel on which it is currently broadcasting suddenly comes into use by another AP, the AP will then dynamically select the next available clean channel or a channel with lower interference.
Enable DCS Client Aware
This field is available when you set Channel Selection to DCS.
Select this to have the AP wait until all connected clients have disconnected before switching channels.
If you disable this, the AP switches channels immediately regardless of any client connections. In this case, clients that are connected to the AP when it switches channels are dropped.
2.4 GHz Channel Selection Method
This field is available when you set Channel Selection to DCS.
Select auto to have the AP search for available channels automatically in the 2.4 GHz band. The available channels vary depending on what you select in the 2.4 GHz Channel Deployment field.
Select manual and specify the channels the AP uses in the 2.4 GHz band.
Channel ID
This field is available only when you set Channel Selection to DCS and set 2.4 GHz Channel Selection Method to manual.
Select the check boxes of the channels that you want the AP to use.
2.4 GHz Channel Deployment
This field is available only when you set Channel Selection to DCS and set 2.4 GHz Channel Selection Method to auto.
Select Three-Channel Deployment to limit channel switching to channels 1, 6, and 11, the three channels that are sufficiently attenuated to have almost no impact on one another. In other words, this allows you to minimize channel interference by limiting channel-hopping to these three “safe” channels.
Select Four-Channel Deployment to limit channel switching to four channels. Depending on the country domain, if the only allowable channels are 1-11 then the Zyxel Device uses channels 1, 4, 7, 11 in this configuration; otherwise, the Zyxel Device uses channels 1, 5, 9, 13 in this configuration. Four channel deployment expands your pool of possible channels while keeping the channel interference to a minimum.
Enable 5 GHz DFS Aware
This field is available only when you select 11a, 11a/n or 11ac in the 802.11 Band field.
Select this if your APs are operating in an area known to have radar devices. This allows the device to downgrade its frequency to below 5 GHz in the event a radar signal is detected, thus preventing it from interfering with that signal.
Enabling this forces the AP to select a non-DFS channel.
5 GHz Channel Selection Method
This shows auto and allows the AP to search for available channels automatically in the 5 GHz band.
Advanced Settings
Country Code
Select the country code of where the Zyxel Device is located/installed.
The available channels vary depending on the country you selected. Be sure to select the correct/same country for both radios on an AP and all connected APs, in order to prevent roaming failure and interference to other systems.
Guard Interval
This field is available only when the channel width is 20/40MHz or 20/40/80MHz.
Set the guard interval for this radio profile to either Short or Long.
The guard interval is the gap introduced between data transmission from users in order to reduce interference. Reducing the interval increases data transfer rates but also increases interference. Increasing the interval reduces data transfer rates but also reduces interference.
Enable A-MPDU Aggregation
Select this to enable A-MPDU aggregation.
MAC Protocol Data Unit (MPDU) aggregation collects Ethernet frames along with their 802.11n headers and wraps them in an 802.11n MAC header. This method is useful for increasing bandwidth throughput in environments that are prone to high error rates.
A-MPDU Limit
Enter the maximum frame size to be aggregated.
A-MPDU Subframe
Enter the maximum number of frames to be aggregated each time.
Enable A-MSDU Aggregation
Select this to enable A-MSDU aggregation.
MAC Service Data Unit (MSDU) aggregation collects Ethernet frames without any of their 802.11n headers and wraps the header-less payload in a single 802.11n MAC header. This method is useful for increasing bandwidth throughput. It is also more efficient than A-MPDU except in environments that are prone to high error rates.
A-MSDU Limit
Enter the maximum frame size to be aggregated.
RTS/CTS Threshold
Use RTS/CTS to reduce data collisions on the wireless network if you have wireless clients that are associated with the same AP but out of range of one another. When enabled, a wireless client sends an RTS (Request To Send) and then waits for a CTS (Clear To Send) before it transmits. This stops wireless clients from transmitting packets at the same time (and causing data collisions).
A wireless client sends an RTS for all packets larger than the number (of bytes) that you enter here. Set the RTS/CTS equal to or higher than the fragmentation threshold to turn RTS/CTS off.
Beacon Interval
When a wirelessly networked device sends a beacon, it includes with it a beacon interval. This specifies the time period before the device sends the beacon again. The interval tells receiving devices on the network how long they can wait in low-power mode before waking up to handle the beacon. A high value helps reduce the access point’s power consumption.
DTIM
Delivery Traffic Indication Message (DTIM) is the time period after which broadcast and multicast packets are transmitted to mobile clients in the Active Power Management mode. A high DTIM value can cause clients to lose connectivity with the network. This value can be set from 1 to 255.
Enable Signal Threshold
Select the check box to use the signal threshold to ensure wireless clients receive good throughput. This allows only wireless clients with a strong signal to connect to the AP.
Clear the check box to not require wireless clients to have a minimum signal strength to connect to the AP.
Station Signal Threshold
Set a minimum client signal strength. A wireless client is allowed to connect to the AP only when its signal strength is stronger than the specified threshold.
-20 dBm is the strongest signal you can require and -76 dBm is the weakest.
Disassociate Station Threshold
Set a minimum kick-off signal strength. When a wireless client’s signal strength is lower than the specified threshold, the Zyxel Device disconnects the wireless client from the AP.
-20 dBm is the strongest signal you can require and -90 dBm is the weakest.
Allow Station Connection after Multiple Retries
Select this option to allow a wireless client to try to associate with the AP again after it is disconnected due to weak signal strength.
Station Retry Count
Set the maximum number of times a wireless client can attempt to re-connect to the AP.
Multicast Settings
Use this section to set a transmission mode and maximum rate for multicast traffic.
Transmission Mode
Set how the AP handles multicast traffic.
Select Multicast to Unicast to broadcast wireless multicast traffic to all of the wireless clients as unicast traffic. Unicast traffic dynamically changes the data rate based on the application’s bandwidth requirements. The retransmit mechanism of unicast traffic provides more reliable transmission of the multicast traffic, although it also produces duplicate packets.
Select Fixed Multicast Rate to send wireless multicast traffic at a single data rate. You must know the multicast application’s bandwidth requirements and set it in the following field.
Multicast Rate (Mbps)
If you set the multicast transmission mode to fixed multicast rate, set the data rate for multicast traffic here. For example, to deploy 4 Mbps video, select a fixed multicast rate higher than 4 Mbps.
OK
Click OK to save your changes back to the Zyxel Device.
Cancel
Click Cancel to exit this screen without saving your changes.
SSID Screen
The SSID screens allow you to configure three different types of profiles for your networked APs: an SSID list, which can assign specific SSID configurations to your APs; a security list, which can assign specific encryption methods to the APs when allowing wireless clients to connect to them; and a MAC filter list, which can limit connections to an AP based on wireless clients’ MAC addresses.
SSID List
This screen allows you to create and manage SSID configurations that can be used by the APs. An SSID, or Service Set IDentifier, is basically the name of the wireless network to which a wireless client can connect. The SSID appears as readable text to any device capable of scanning for wireless frequencies (such as the WiFi adapter in a laptop), and is displayed as the wireless network name when a person makes a connection to it.
Note: You can have a maximum of 32 SSID profiles on the Zyxel Device.
Configuration > Object > AP Profile > SSID List 
Label
Description
Add
Click this to add a new SSID profile.
Edit
Click this to edit the selected SSID profile.
Remove
Click this to remove the selected SSID profile.
References
Click this to view which other objects are linked to the selected SSID profile (for example, radio profile).
#
This field is a sequential value, and it is not associated with a specific profile.
Profile Name
This field indicates the name assigned to the SSID profile.
SSID
This field indicates the SSID name as it appears to wireless clients.
Security Profile
This field indicates which (if any) security profile is associated with the SSID profile.
QoS
This field indicates the QoS type associated with the SSID profile.
MAC Filtering Profile
This field indicates which (if any) MAC Filter Profile is associated with the SSID profile.
VLAN ID
This field indicates the VLAN ID associated with the SSID profile.
Add/Edit SSID Profile
This screen allows you to create a new SSID profile or edit an existing one.
Configuration > Object > AP Profile > SSID > Add/Edit SSID Profile 
Label
Description
Create new Object
Select an object type from the list to create a new one associated with this SSID profile.
Profile Name
Enter up to 31 alphanumeric characters for the profile name. This name is only visible in the Web Configurator and is only for management purposes. Spaces and underscores are allowed.
SSID
Enter the SSID name for this profile. This is the name visible on the network to wireless clients. Enter up to 32 characters; spaces and underscores are allowed.
Security Profile
Select a security profile from this list to associate with this SSID. If none exist, you can use the Create new Object menu to create one.
*It is highly recommended that you create security profiles for all of your SSIDs to enhance your network security.
MAC Filtering Profile
Select a MAC filtering profile from the list to associate with this SSID. If none exist, you can use the Create new Object menu to create one.
MAC filtering allows you to limit the wireless clients connecting to your network through a particular SSID by wireless client MAC addresses. Any clients that have MAC addresses not in the MAC filtering profile of allowed addresses are denied connections.
The disable setting means no MAC filtering is used.
QoS
Select a Quality of Service (QoS) access category to associate with this SSID. Access categories minimize the delay of data packets across a wireless network. Certain categories, such as video or voice, are given a higher priority due to the time sensitive nature of their data packets.
QoS access categories are as follows:
disable: Turns off QoS for this SSID. All data packets are treated equally and not tagged with access categories.
WMM: Enables automatic tagging of data packets. The Zyxel Device assigns access categories to the SSID by examining data as it passes through it and making a best guess effort. If something looks like video traffic, for instance, it is tagged as such.
WMM_VOICE: All wireless traffic to the SSID is tagged as voice data. This is recommended if an SSID is used for activities like placing and receiving VoIP phone calls.
WMM_VIDEO: All wireless traffic to the SSID is tagged as video data. This is recommended for activities like video conferencing.
WMM_BEST_EFFORT: All wireless traffic to the SSID is tagged as “best effort,” meaning the data travels the best route it can without displacing higher priority traffic. This is good for activities that do not require the best bandwidth throughput, such as surfing the Internet.
WMM_BACKGROUND: All wireless traffic to the SSID is tagged as low priority or “background traffic”, meaning all other access categories take precedence over this one. If traffic from an SSID does not have strict throughput requirements, then this access category is recommended. For example, an SSID that only has network printers connected to it.
Rate Limiting (Per Station Traffic Rate)
Define the maximum incoming and outgoing transmission data rate per wireless station.
Downlink:
Define the maximum incoming transmission data rate (either in Mbps or Kbps) on a per-station basis.
Uplink:
Define the maximum outgoing transmission data rate (either in Mbps or Kbps) on a per-station basis.
Band Select:
To improve network performance and avoid interference in the 2.4 GHz frequency band, you can enable this feature to use the 5 GHz band first. You should set the 2.4 GHz and 5 GHz radio profiles to use the same SSID and security settings.
Select standard to have the AP try to connect the wireless clients to the same SSID using the 5 GHz band. Connections to an SSID using the 2.4 GHz band are still allowed.
Otherwise, select disable to turn off this feature.
Forwarding Mode
Select a forwarding mode (Tunnel or Local bridge) for traffic from this SSID.
VLAN ID
If you selected Local Bridge forwarding mode, enter the VLAN ID that will be used to tag all traffic originating from this SSID if the VLAN is different from the native VLAN. All the wireless station’s traffic goes through the associated AP’s gateway.
VLAN Interface
If you selected the Tunnel forwarding mode, select a VLAN interface. All the wireless station’s traffic is forwarded to the Zyxel Device first.
Hidden SSID
Select this if you want to “hide” your SSID from wireless clients. This tells any wireless clients in the vicinity of the AP using this SSID profile not to display its SSID name as a potential connection. Not all wireless clients respect this flag and display it anyway.
When an SSID is “hidden” and a wireless client cannot see it, the only way you can connect to the SSID is by manually entering the SSID name in your wireless connection setup screen(s) (these vary by client, client connectivity software, and operating system).
Enable Intra-BSS Traffic Blocking
Select this option to prevent crossover traffic from within the same SSID.
Local VAP Setting
This part of the screen only applies to Zyxel Device models that have built-in wireless functionality (AP).
VLAN Support
Select On to have the Zyxel Device assign the VLAN ID listed in the top part of the screen to the built-in AP.
Select Off to have the Zyxel Device ignore the VLAN ID listed in the top part of the screen. Select an Outgoing Interface to have the Zyxel Device assign an IP address in the same subnet as the selected interface to the built-in AP.
OK
Click OK to save your changes back to the Zyxel Device.
Cancel
Click Cancel to exit this screen without saving your changes.
Security List
This screen allows you to manage wireless security configurations that can be used by your SSIDs. Wireless security is implemented strictly between the AP broadcasting the SSID and the stations that are connected to it.
Note: You can have a maximum of 32 security profiles on the Zyxel Device.
Configuration > Object > AP Profile > SSID > Security List 
Label
Description
Add
Click this to add a new security profile.
Edit
Click this to edit the selected security profile.
Remove
Click this to remove the selected security profile.
References
Click this to view which other objects are linked to the selected security profile (for example, SSID profile).
#
This field is a sequential value, and it is not associated with a specific profile.
Profile Name
This field indicates the name assigned to the security profile.
Security Mode
This field indicates this profile’s security mode (if any).
Add/Edit Security Profile
This screen allows you to create a new security profile or edit an existing one.
Note: This screen’s options change based on the Security Mode selected.
Configuration > Object > AP Profile > SSID > Security Profile > Add/Edit Security Profile
Label
Description
Profile Name
Enter up to 31 alphanumeric characters for the profile name. This name is only visible in the Web Configurator and is only for management purposes. Spaces and underscores are allowed.
Security Mode
Select a security mode from the list: none, wep, wpa2, or wpa2-mix.
Fast Roaming Settings
IEEE 802.11r fast roaming, which is also known as Fast BSS Transition (FT), allows wireless clients to quickly move from one AP to another in a WiFi network that uses WPA2 with 802.1x authentication. Information from the original association is passed to the target AP when the client roams. The client doesn’t need to perform the whole 802.1x authentication process. Messages exchanged between the target AP and client are reduced and performed using one of two methods:
Over-the-DS: The wireless client communicates with the target AP via the current AP. The communication is sent to the target AP through the wired Ethernet connection.
Over-the-Air: The wireless client communicates directly with the target AP.
802.11r
Select this to turn on IEEE 802.11r fast roaming on the AP (Zyxel Device). This is good for wireless clients that transport a lot of real-time interactive traffic, such as voice and video. Wireless clients should also support WPA2 and fast roaming to associate with the AP (Zyxel Device) and roam seamlessly.
Radius Server Type
Select Internal to use the Zyxel Device’s internal authentication database, or External to use an external RADIUS server for authentication.
Primary / Secondary Radius Server Activate
Select this to have the Zyxel Device use the specified RADIUS server.
Radius Server IP Address
Enter the IP address of the RADIUS server to be used for authentication.
Radius Server Port
Enter the port number of the RADIUS server to be used for authentication.
Radius Server Secret
Enter the shared secret password of the RADIUS server to be used for authentication.
MAC Authentication
Select this to use an external server or the Zyxel Device’s local database to authenticate wireless clients by their MAC addresses. Users cannot get an IP address if the MAC authentication fails.
An external server can use the wireless client’s account (username/password) or Calling Station ID for MAC authentication. Configure the ones the external server uses.
Delimiter (Account)
Select the separator the external server uses for the two-character pairs within account MAC addresses.
Case (Account)
Select the case (upper or lower) the external server requires for letters in the account MAC addresses.
Delimiter (Calling Station ID)
RADIUS servers can require the MAC address in the Calling Station ID RADIUS attribute.
Select the separator the external server uses for the pairs in calling station MAC addresses.
Case (Calling Station ID)
Select the case (upper or lower) the external server requires for letters in the calling station MAC addresses.
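The following Python helper, added here as an example rather than Zyxel code, produces the account form and the Calling-Station-Id form described above for a given client MAC (each with its own delimiter and letter case) and matches a client against the full-MAC or OUI entries of the local user database from the MAC Address/OUI field earlier on this page; the selectable delimiter set (colon, hyphen, none) and the RADIUS attribute names are assumptions.

```python
"""Format wireless client MAC addresses the way a RADIUS server expects them.

Added example, not Zyxel's own code. Assumptions:
  * the selectable delimiters are colon, hyphen and none;
  * the account form is sent as both User-Name and User-Password, and the
    calling-station form as Calling-Station-Id;
  * sample addresses below are constructed (locally administered prefix).
"""
import re


def normalize(addr):
    """Return the address as lowercase hex digits without separators.

    Accepts aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff and
    aabbccddeeff. Returns 12 digits for a full MAC or 6 for an OUI and
    raises ValueError for anything else, so a typo in an entry is caught
    before it silently fails to match.
    """
    digits = re.sub(r"[:\-.]", "", addr.strip()).lower()
    if len(digits) not in (6, 12) or not re.fullmatch(r"[0-9a-f]+", digits):
        raise ValueError(f"not a MAC or OUI: {addr!r}")
    return digits


def render(digits, delimiter=":", upper=False):
    """Join hex pairs with the server's delimiter and apply its letter case."""
    if delimiter not in (":", "-", ""):  # assumed set of selectable separators
        raise ValueError(f"unsupported delimiter {delimiter!r}")
    pairs = [digits[i:i + 2] for i in range(0, len(digits), 2)]
    text = delimiter.join(pairs)
    return text.upper() if upper else text


def radius_fields(client_mac, account_delim, account_upper, csid_delim, csid_upper):
    """Return the attributes a MAC-authentication request would carry.

    The account form is used for both User-Name and User-Password, which is
    why the delimiter and case must match the server's user entries exactly;
    the Calling-Station-Id may be configured in a different form.
    """
    digits = normalize(client_mac)
    account = render(digits, account_delim, account_upper)
    return {
        "User-Name": account,
        "User-Password": account,
        "Calling-Station-Id": render(digits, csid_delim, csid_upper),
    }


def local_db_match(client_mac, entries):
    """Return the local-database entry (MAC or OUI) matching the client, or None.

    A full-MAC entry is checked before any OUI entry so that a rule for one
    specific device is not shadowed by a vendor-prefix rule.
    """
    digits = normalize(client_mac)
    normalized = [(normalize(entry), entry) for entry in entries]
    for key, original in normalized:
        if len(key) == 12 and key == digits:
            return original
    for key, original in normalized:
        if len(key) == 6 and digits.startswith(key):
            return original
    return None


if __name__ == "__main__":
    # Constructed sample values, not real devices.
    print(radius_fields("02-1A-2B-3C-4D-5E", "", True, ":", False))
    print(local_db_match("02:1a:2b:3c:4d:5e", ["02:1A:2B", "02-1A-2B-3C-4D-5E"]))
```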
802.1X
Select this to enable 802.1x secure authentication.
Auth. Method
This field is available only when you set the RADIUS server type to Internal.
Select an authentication method if you have created any in the Configuration > Object > Auth. Method screen.
Reauthentication Timer
Enter the interval (in seconds) between authentication requests. Enter a 0 for unlimited requests.
The following fields are available if you set Security Mode to wep.
Idle Timeout
Enter the idle interval (in seconds) that a client can be idle before authentication is discontinued.
Authentication Type
Select a WEP authentication method. Choices are Open or Share key.
Key Length
Select the bit-length of the encryption key to be used in WEP connections.
If you select WEP-64:
Enter 10 hexadecimal digits in the range of “A-F”, “a-f” and “0-9” (for example, 0x11AA22BB33) for each Key used.
or
Enter 5 ASCII characters (case sensitive) ranging from “a-z”, “A-Z” and “0-9” (for example, MyKey) for each Key used.
If you select WEP-128:
Enter 26 hexadecimal digits in the range of “A-F”, “a-f” and “0-9” (for example, 0x00112233445566778899AABBCC) for each Key used.
or
Enter 13 ASCII characters (case sensitive) ranging from “a-z”, “A-Z” and “0-9” (for example, MyKey12345678) for each Key used.
Key 1~4
Based on your Key Length selection, enter the appropriate length hexadecimal or ASCII key.
The following fields are available if you set Security Mode to wpa, wpa2 or wpa2-mix.
PSK
Select this option to use a Pre-Shared Key with WPA encryption.
Pre-Shared Key
Enter a pre-shared key of between 8 and 63 case-sensitive ASCII characters (including spaces and symbols) or 64 hexadecimal characters.
Cipher Type
Select an encryption cipher type from the list.
auto - This automatically chooses the best available cipher based on the cipher in use by the wireless client that is attempting to make a connection.
tkip - This is the Temporal Key Integrity Protocol encryption method, added later to the WEP encryption protocol to further secure it. Not all wireless clients may support this.
aes - This is the Advanced Encryption Standard encryption method. It is a more recent development over TKIP and considerably more robust. Not all wireless clients may support this.
Idle Timeout
Enter the idle interval (in seconds) that a client can be idle before authentication is discontinued.
Group Key Update Timer
Enter the interval (in seconds) at which the AP updates the group WPA encryption key.
Pre-Authentication
This field is available only when you set Security Mode to wpa2 or wpa2-mix and enable 802.1x authentication.
Enable or Disable pre-authentication to allow the AP to send authentication information to other APs on the network, allowing connected wireless clients to switch APs without having to re-authenticate their network connection.
OK
Click OK to save your changes back to the Zyxel Device.
Cancel
Click Cancel to exit this screen without saving your changes.
MAC Filter List
This screen allows you to create and manage MAC filtering profiles that can be used by your SSIDs.
Note: You can have a maximum of 32 MAC filtering profiles on the Zyxel Device.
Configuration > Object > AP Profile > SSID > MAC Filter List 
Label
Description
Add
Click this to add a new MAC filtering profile.
Edit
Click this to edit the selected MAC filtering profile.
Remove
Click this to remove the selected MAC filtering profile.
References
Click this to view which other objects are linked to the selected MAC filtering profile (for example, SSID profile).
#
This field is a sequential value, and it is not associated with a specific profile.
Profile Name
This field indicates the name assigned to the MAC filtering profile.
Filter Action
This field indicates this profile’s filter action (if any).
Add/Edit MAC Filter Profile
This screen allows you to create a new MAC filtering profile or edit an existing one.
Configuration > Object > AP Profile > SSID > MAC Filter List > Add/Edit MAC Filter Profile
Label
Description
Profile Name
Enter up to 31 alphanumeric characters for the profile name. This name is only visible in the Web Configurator and is only for management purposes. Spaces and underscores are allowed.
Filter Action
Select allow to permit the wireless client with the MAC addresses in this profile to connect to the network through the associated SSID; select deny to block the wireless clients with the specified MAC addresses.
Add
Click this to add a MAC address to the profile’s list.
Edit
Click this to edit the selected MAC address in the profile’s list.
Remove
Click this to remove the selected MAC address from the profile’s list.
#
This field is a sequential value, and it is not associated with a specific profile.
MAC Address
This field specifies a MAC address associated with this profile.
Description
This field displays a description for the MAC address associated with this profile. You can click the description to make it editable. Enter up to 60 characters, spaces and underscores allowed.
OK
Click OK to save your changes back to the Zyxel Device.
Cancel
Click Cancel to exit this screen without saving your changes.
MON Profile
This screen allows you to set up monitor mode configurations that allow your connected APs to scan for other wireless devices in the vicinity. Once detected, you can use the MON Mode screen to classify them as either rogue or friendly and then manage them accordingly.
Configuring MON Profile
Configuration > Object > MON Profile 
Label
Description
Add
Click this to add a new monitor mode profile.
Edit
Click this to edit the selected monitor mode profile.
Remove
Click this to remove the selected monitor mode profile.
Activate
To turn on an entry, select it and click Activate.
Inactivate
To turn off an entry, select it and click Inactivate.
References
Click this to view which other objects are linked to the selected monitor mode profile (for example, an AP management profile).
#
This field is a sequential value, and it is not associated with a specific profile.
Status
This icon is lit when the entry is active and dimmed when the entry is inactive.
Profile Name
This field indicates the name assigned to the monitor profile.
Apply
Click Apply to save your changes back to the Zyxel Device.
Reset
Click Reset to return the screen to its last-saved settings.
Add/Edit MON Profile
This screen allows you to create a new monitor mode profile or edit an existing one.
Configuration > Object > MON Profile > Add/Edit MON Profile 
Label
Description
Activate
Select this to activate this monitor mode profile.
Profile Name
This field indicates the name assigned to the monitor mode profile.
Channel dwell time
Enter the interval (in milliseconds) before the AP switches to another channel for monitoring.
Scan Channel Mode
Select auto to have the AP switch to the next sequential channel once the Channel dwell time expires.
Select manual to set specific channels through which to cycle sequentially when the Channel dwell time expires. Selecting this option makes the Scan Channel List options available.
Country Code
Select the country code of where the Zyxel Device is located/installed.
The available channels vary depending on the country you selected. Be sure to select the correct/same country for both radios on an AP and all connected APs, in order to prevent roaming failure and interference to other systems.
After changing the country code, the AP channel setting will be reset if your manually selected channel(s) are not valid in the new country code setting.
Set Scan Channel List (2.4 GHz)
Move a channel from the Available channels column to the Channels selected column to have the APs using this profile scan that channel when Scan Channel Mode is set to manual.
These channels are limited to the 2.4 GHz range (802.11 b/g/n).
Set Scan Channel List (5 GHz)
Move a channel from the Available channels column to the Channels selected column to have the APs using this profile scan that channel when Scan Channel Mode is set to manual.
These channels are limited to the 5 GHz range (802.11 a/n).
OK
Click OK to save your changes back to the Zyxel Device.
Cancel
Click Cancel to exit this screen without saving your changes.
ZyMesh
This section shows you how to configure ZyMesh profiles for the Zyxel Device to apply to the managed APs.
ZyMesh is a Zyxel proprietary protocol that creates wireless mesh links between managed APs to expand the wireless network. Managed APs can provide services or forward traffic between the Zyxel Device and wireless clients. ZyMesh also allows the Zyxel Device to use CAPWAP to automatically update the configuration settings on the managed APs (in repeater mode) through wireless connections. The managed APs (in repeater mode) are provisioned hop by hop.
The managed APs in a ZyMesh must use the same SSID, channel number and pre-shared key. A managed AP can be either a root AP or a repeater in a ZyMesh.
Note: All managed APs should be connected to the Zyxel Device directly to get the configuration file before being deployed to build a ZyMesh. Ensure you restart the managed AP after you change its operating mode using the Configuration > Wireless > AP Management screen (see AP Management Screens).
Root AP: a managed AP that can transmit and receive data from the Zyxel Device via a wired Ethernet connection.
Repeater: a managed AP that transmits and/or receives data from the Zyxel Device via a wireless connection through a root AP.
Note: When managed APs are deployed to form a ZyMesh for the first time, the root AP must be connected to an AP controller (the Zyxel Device).
The maximum number of hops (the repeaters between a wireless client and the root AP) you can have in a ZyMesh varies according to how many wireless clients a managed AP can support.
Note: A ZyMesh link with more hops has lower throughput.
Note: When the wireless connection between the root AP and the repeater is up, the repeater cannot transmit data through its Ethernet port(s), in order to prevent bridge loops. The repeater can then only receive power through its Ethernet port, if you use PoE to power the managed AP via an 8-pin Ethernet cable.
ZyMesh Profile
This screen allows you to manage and create ZyMesh profiles that can be used by the APs.
Configuration > Object > ZyMesh Profile 
Label
Description
Hide / Show Advanced Settings
Click this to display a greater or lesser number of configuration fields.
ZyMesh Provision Group
By default, this shows the MAC address used by the Zyxel Device’s first Ethernet port.
Say you have two AP controllers (Zyxel Devices) in your network and the primary AP controller is not reachable. You may want to deploy the second/backup AP controller in your network to replace the primary AP controller. In this case, it is recommended that you enter the primary AP controller’s ZyMesh Provision Group MAC address in the second AP controller’s ZyMesh Provision Group field.
If you didn’t change the second AP controller’s MAC address, managed APs in an existing ZyMesh can still access the networks through the second AP controller and communicate with each other. But new managed APs will not be able to communicate with the managed APs in the existing ZyMesh, which is set up with the primary AP controller’s MAC address.
To allow all managed APs to communicate in the same ZyMesh, you can just set the second AP controller to use the primary AP controller’s MAC address. Otherwise, reset all managed APs to the factory defaults and set up a new ZyMesh with the second AP controller’s MAC address.
Next
Click this button and follow the on-screen instructions to update the AP controller’s MAC address.
Add
Click this to add a new profile.
Edit
Click this to edit the selected profile.
Remove
Click this to remove the selected profile.
#
This field is a sequential value, and it is not associated with a specific profile.
Profile Name
This field indicates the name assigned to the profile.
ZyMesh SSID
This field shows the SSID specified in this ZyMesh profile.
Add/Edit ZyMesh Profile
This screen allows you to create a new ZyMesh profile or edit an existing one.
Configuration > Object > ZyMesh Profile > Add/Edit ZyMesh Profile
Label
Description
Profile Name
Enter up to 31 alphanumeric characters for the profile name.
ZyMesh SSID
Enter the SSID with which you want the managed AP to connect to a root AP or repeater to build a ZyMesh link.
*The ZyMesh SSID is hidden in the outgoing beacon frame so a wireless device cannot obtain the SSID through scanning using a site survey tool.
Pre-Shared Key
Enter a pre-shared key of between 8 and 63 case-sensitive ASCII characters (including spaces and symbols) or 64 hexadecimal characters.
The key is used to encrypt the wireless traffic between the APs.
OK
Click OK to save your changes back to the Zyxel Device.
Cancel
Click Cancel to exit this screen without saving your changes.
Application
Go to Configuration > Licensing > Signature Update > IDP/AppPatrol to check that you have the latest IDP and App Patrol signatures. These signatures are available to create application objects in Configuration > Object > Application > Application. Categories of applications include (at the time of writing):
Categories of Applications
Instant Messaging
P2P
File Transfer
Streaming Media
Mail and Collaboration
Voice over IP
Database
Games
Network Management
Remote Access Terminals
Bypass Proxies and Tunnels
Web
Security Update
Web IM
TCP/UDP traffic
Business
Network Protocols
Mobile
Private Protocol
Social Network
Configuration > Object > Application > Application 
Label
Description
Configuration
Add
Click this to add a new application object.
Edit
Click this to edit the selected application object.
Remove
Click this to remove the selected application object.
References
Click this to view which other objects are linked to the selected application object.
Clone
Use Clone to create a new entry by modifying an existing one.
Select an existing entry.
Click Clone.
A configuration copy of the selected entry pops up. You must at least change the name as duplicate entry names are not allowed.
#
This field is a sequential value associated with an application object.
Name
This field indicates the name assigned to the application object.
Description
This field shows some extra information on the application object.
Content
This field shows the application signature(s) in this application object.
Reference
This displays the number of times an object reference is used in a profile.
License
You need to buy a license or use a trial license in order to use IDP/AppPatrol signatures. These fields show license-related information.
License Status
This field shows whether you have activated an IDP/AppPatrol signatures license.
License Type
This field shows the type of IDP/AppPatrol signatures license you have activated.
Signature Information
An activated license allows you to download signatures to the Zyxel Device from myZyxel. These fields show details on the signatures downloaded.
Current Version
The version number increments when signatures are updated at myZyxel. This field shows the current version downloaded to the Zyxel Device.
Released Date
This field shows the date (YYYY-MM-DD) and time the current signature version was released.
Update Signatures
If your signature set is not the most recent, click this to go to Configuration > Licensing > Signature Update > IDP / AppPatrol to update your signatures.
Add Application Rule
Configuration > Object > Application > Application > Add Application Rule
Label
Description
Name
Type a name to identify this application rule. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Description
You may type some extra information on the application object here.
Add
Click this to create a new application rule.
Remove
Click this to remove the selected application rule.
#
This field is a sequential value associated with this application rule.
Category
This field shows the category to which the signature belongs in this application rule.
Application
This displays the name of the application signature used in this application rule.
OK
Click OK to save your changes back to the Zyxel Device.
Cancel
Click Cancel to exit this screen without saving your changes.
Add Application Object by Category or Service
Configuration > Object > Application > Application > Add Application Rule > Add Application Object
Label
Description
Query
Search
Choose signatures in one of the following ways:
Select By Category then select a category in the adjacent drop-down list box to display all signatures of that category
Select By Service, type a keyword and click Search to display all signatures containing that keyword.
Query Result
The results of the search are displayed here.
#
This field is a sequential value associated with this signature
Category
This field shows the category to which the signature belongs. Select the checkbox to add this signature to the application object.
Application
This displays the name of the application signature.
OK
Click OK to save your changes back to the Zyxel Device.
Cancel
Click Cancel to exit this screen without saving your changes.
Application Group
This screen allows you to group individual application objects to be treated as a single application object.
Configuration > Object > Application > Application Group
Label
Description
Add
Click this to add a new application group.
Edit
Click this to edit the selected application group.
Remove
Click this to remove the selected application group.
References
Click this to view which other objects are linked to the selected application group.
#
This field is a sequential value associated with an application group.
Name
This field indicates the name assigned to the application group.
Description
You may type some extra information on the application group here.
Member
This field shows the application objects in this application group.
Reference
This displays the number of times an object reference is used in a profile.
License
You need to buy a license or use a trial license in order to use IDP/AppPatrol signatures. These fields show license-related information.
License Status
This field shows whether you have activated an IDP/AppPatrol signatures license.
License Type
This field shows the type of IDP/AppPatrol signatures license you have activated.
Signature Information
An activated license allows you to download signatures to the Zyxel Device from myZyxel. These fields show details on the signatures downloaded.
Current Version
The version number increments when signatures are updated at myZyxel. This field shows the current version downloaded to the Zyxel Device.
Released Date
This field shows the date (YYYY-MM-DD) and time the current signature version was released.
Update Signatures
If your signature set is not the most recent, click this to go to Configuration > Licensing > Signature Update > IDP / AppPatrol to update your signatures.
Add Application Group Rule
Configuration > Object > Application > Application > Add Application Group Rule 
Label
Description
Name
Enter a name for the group. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Description
This field displays the description of each group, if any. You can use up to 60 characters, punctuation marks, and spaces.
Member List
The Member list displays the names of the application and application group objects that have been added to the application group. The order of members is not important.
Select items from the Available list that you want to be members and move them to the Member list. You can double-click a single entry to move it or use the [Shift] or [Ctrl] key to select multiple entries and use the arrow button to move them.
Move any members you do not want included to the Available list.
OK
Click OK to save your changes back to the Zyxel Device.
Cancel
Click Cancel to exit this screen without saving your changes.
Address/Geo IP Overview
Address objects can represent a single IP address or a range of IP addresses. Address groups are composed of address objects and other address groups.
What You Need To Know
Address objects and address groups are used in dynamic routes, security policies, content filtering, and VPN connection policies. For example, addresses are used to specify where content restrictions apply in content filtering. Please see the respective sections for more information about how address objects and address groups are used in each one.
Address groups are composed of address objects and address groups. The sequence of members in the address group is not important.
Address Summary
The address screens are used to create, maintain, and remove addresses. These are the types of address objects:
HOST - the object uses an IP Address to define a host address
RANGE - the object uses a range address defined by a Starting IP Address and an Ending IP Address
SUBNET - the object uses a network address defined by a Network IP address and Netmask subnet mask
INTERFACE IP - the object uses the IP address of one of the Zyxel Device’s interfaces
INTERFACE SUBNET - the object uses the subnet mask of one of the Zyxel Device’s interfaces
INTERFACE GATEWAY - the object uses the gateway IP address of one of the Zyxel Device’s interfaces
GEOGRAPHY - the object uses the IP addresses of a country to represent a country
FQDN - the object uses an FQDN (Fully Qualified Domain Name). An FQDN consists of a host and domain name. For example, www.zyxel.com is a fully qualified domain name, where “www” is the host, “zyxel” is the second-level domain, and “com” is the top-level domain. mail.myZyxel.com.tw is also an FQDN, where “mail” is the host, “myZyxel” is the third-level domain, “com” is the second-level domain, and “tw” is the top-level domain.
FQDN Example: in the URL http://www.zyxel.com, “www” is the host name, “zyxel” is the second-level domain name and “com” is the top-level domain name. The part www.zyxel.com is the FQDN; the whole string, including the http:// scheme, is the Uniform Resource Locator (URL).
In an address FQDN object, you can also use one wildcard. For example, *.zyxel.com.
The Address screen provides a summary of all addresses in the Zyxel Device. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order.
Configuration > Object > Address/Geo IP > Address 
Label
Description
IPv4 Address Configuration
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
References
Select an entry and click References to open a screen that shows which settings use the entry.
#
This field is a sequential value, and it is not associated with a specific address.
Name
This field displays the configured name of each address object.
Type
This field displays the type of each address object. “INTERFACE” means the object uses the settings of one of the Zyxel Device’s interfaces.
IPv4 Address
This field displays the IPv4 addresses represented by each address object. If the object’s settings are based on one of the Zyxel Device’s interfaces, the name of the interface displays first followed by the object’s current address settings.
Reference
This displays the number of times an object reference is used in a profile.
IPv6 Address Configuration
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
References
Select an entry and click References to open a screen that shows which settings use the entry.
#
This field is a sequential value, and it is not associated with a specific address.
Name
This field displays the configured name of each address object.
Type
This field displays the type of each address object. “INTERFACE” means the object uses the settings of one of the Zyxel Device’s interfaces.
IPv6 Address
This field displays the IPv6 addresses represented by each address object. If the object’s settings are based on one of the Zyxel Device’s interfaces, the name of the interface displays first followed by the object’s current address settings.
IPv4 Address Add/Edit
The Configuration > IPv4 Address Add/Edit screen allows you to create a new address or edit an existing one.
IPv4 Address Configuration > Add/Edit 
Label
Description
Name
Type the name used to refer to the address. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Address Type
Select the type of address you want to create.
*The Zyxel Device automatically updates address objects that are based on an interface’s IP address, subnet, or gateway if the interface’s IP address settings change. For example, if you change 1’s IP address, the Zyxel Device automatically updates the corresponding interface-based, LAN subnet address object.
IP Address
This field is only available if the Address Type is HOST. This field cannot be blank. Enter the IP address that this address object represents.
Starting IP Address
This field is only available if the Address Type is RANGE. This field cannot be blank. Enter the beginning of the range of IP addresses that this address object represents.
Ending IP Address
This field is only available if the Address Type is RANGE. This field cannot be blank. Enter the end of the range of IP addresses that this address object represents.
Network
This field is only available if the Address Type is SUBNET, in which case this field cannot be blank. Enter the IP address of the network that this address object represents.
Netmask
This field is only available if the Address Type is SUBNET, in which case this field cannot be blank. Enter the subnet mask of the network that this address object represents. Use dotted decimal format.
Interface
If you selected INTERFACE IP, INTERFACE SUBNET, or INTERFACE GATEWAY as the Address Type, use this field to select the interface of the network that this address object represents.
Country
If you selected Geography as the Address Type, use this field to select a country.
FQDN
If you selected FQDN as the Address Type, use this field to enter a fully qualified domain name.
OK
Click OK to save your changes back to the Zyxel Device.
Cancel
Click Cancel to exit this screen without saving your changes.
IPv6 Address Add/Edit
The Configuration > IPv6 Address Add/Edit screen allows you to create a new address or edit an existing one.
IPv6 Address Configuration > Add/Edit 
Label
Description
Name
Type the name used to refer to the address. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Object Type
Select the type of address you want to create.
*The Zyxel Device automatically updates address objects that are based on an interface’s IP address, subnet, or gateway if the interface’s IP address settings change. For example, if you change 1’s IP address, the Zyxel Device automatically updates the corresponding interface-based, LAN subnet address object.
IPv6 Address
This field is only available if the Address Type is HOST. This field cannot be blank. Enter the IP address that this address object represents.
IPv6 Starting Address
This field is only available if the Address Type is RANGE. This field cannot be blank. Enter the beginning of the range of IP addresses that this address object represents.
IPv6 Ending Address
This field is only available if the Address Type is RANGE. This field cannot be blank. Enter the end of the range of IP addresses that this address object represents.
IPv6 Address Prefix
This field is only available if the Address Type is SUBNET. This field cannot be blank. Enter the IPv6 address prefix that the Zyxel Device uses for the LAN IPv6 address.
Interface
If you selected INTERFACE IP, INTERFACE SUBNET, or INTERFACE GATEWAY as the Address Type, use this field to select the interface of the network that this address object represents.
IPv6 Address Type
Select whether the IPv6 address is a link-local IP address (LINK LOCAL), static IP address (STATIC), an IPv6 StateLess Address Auto Configuration IP address (SLAAC), or is obtained from a DHCPv6 server (DHCPv6).
Country
If you selected Geography as the Address Type, use this field to select a country.
FQDN
If you selected FQDN as the Address Type, use this field to enter a fully qualified domain name.
OK
Click OK to save your changes back to the Zyxel Device.
Cancel
Click Cancel to exit this screen without saving your changes.
Address Group Summary
The Address Group screen provides a summary of all address groups. Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order.
Configuration > Object > Address/Geo IP > Address Group 
Label
Description
IPv4 Address Group Configuration
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
References
Select an entry and click References to open a screen that shows which settings use the entry.
#
This field is a sequential value, and it is not associated with a specific address group.
Name
This field displays the name of each address group.
Description
This field displays the description of each address group, if any.
Reference
This displays the number of times an object reference is used in a profile.
IPv6 Address Group Configuration
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
References
Select an entry and click References to open a screen that shows which settings use the entry.
#
This field is a sequential value, and it is not associated with a specific address group.
Name
This field displays the name of each address group.
Description
This field displays the description of each address group, if any.
Address Group Add/Edit
The Address Group Add/Edit screen allows you to create a new address group or edit an existing one.
IPv4/IPv6 Address Group Configuration > Add 
Label
Description
Name
Enter a name for the address group. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Description
This field displays the description of each address group, if any. You can use up to 60 characters, punctuation marks, and spaces.
Member List
The Member list displays the names of the address and address group objects that have been added to the address group. The order of members is not important.
Select items from the Available list that you want to be members and move them to the Member list. You can double-click a single entry to move it or use the [Shift] or [Ctrl] key to select multiple entries and use the arrow button to move them.
Move any members you do not want included to the Available list.
*You cannot mix FQDN objects with other objects in an FQDN group.
OK
Click OK to save your changes back to the Zyxel Device.
Cancel
Click Cancel to exit this screen without saving your changes.
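The address object types listed under Address Summary (HOST, RANGE, SUBNET and FQDN with a single wildcard) and the rules in this Add/Edit screen (groups may contain objects and other groups, order does not matter, FQDN objects cannot be mixed with other objects) can be modelled in a few dozen lines. The following is an added example written for this page, not Zyxel code: the class names, the AddressBook container and the sample objects are assumptions, and the wildcard semantics (the '*' stands for one or more characters, so *.zyxel.com matches www.zyxel.com but not zyxel.com) is an assumption the manual does not state.

```python
"""Address objects and address groups as used in security policies (added example)."""
from dataclasses import dataclass, field
import ipaddress
from typing import Dict, List, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def _wildcard_match(pattern: str, name: str) -> bool:
    """Match an FQDN against a pattern holding at most one '*'.
    Assumed semantics: the wildcard stands for one or more characters."""
    pattern, name = pattern.lower(), name.lower()
    if "*" not in pattern:
        return pattern == name
    head, tail = pattern.split("*", 1)
    return (name.startswith(head) and name.endswith(tail)
            and len(name) >= len(head) + len(tail) + 1)


@dataclass
class AddressObject:
    name: str
    kind: str    # HOST, RANGE, SUBNET or FQDN
    value: str   # e.g. "10.0.0.5", "10.0.0.10-10.0.0.20", "10.0.0.0/24", "*.zyxel.com"

    def __post_init__(self) -> None:
        if self.kind == "HOST":
            self._host = ipaddress.ip_address(self.value)
        elif self.kind == "RANGE":
            lo, hi = (ipaddress.ip_address(p.strip()) for p in self.value.split("-", 1))
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"{self.name}: invalid range {self.value}")
            self._lo, self._hi = lo, hi
        elif self.kind == "SUBNET":
            # strict=False accepts a host address plus mask, as the Network/Netmask fields do
            self._net = ipaddress.ip_network(self.value, strict=False)
        elif self.kind == "FQDN":
            if self.value.count("*") > 1:
                raise ValueError(f"{self.name}: only one wildcard is allowed")
        else:
            raise ValueError(f"{self.name}: unknown address type {self.kind}")

    def matches_ip(self, ip: IPAddr) -> bool:
        if self.kind == "HOST":
            return ip == self._host
        if self.kind == "RANGE":
            return ip.version == self._lo.version and self._lo <= ip <= self._hi
        if self.kind == "SUBNET":
            return ip.version == self._net.version and ip in self._net
        return False  # FQDN objects are matched by name, not by address

    def matches_name(self, fqdn: str) -> bool:
        return self.kind == "FQDN" and _wildcard_match(self.value, fqdn)


@dataclass
class AddressGroup:
    name: str
    members: List[str] = field(default_factory=list)  # names of objects or other groups


class AddressBook:
    """Hypothetical container holding the configured objects and groups."""

    def __init__(self) -> None:
        self.objects: Dict[str, AddressObject] = {}
        self.groups: Dict[str, AddressGroup] = {}

    def add_object(self, obj: AddressObject) -> None:
        self.objects[obj.name] = obj

    def resolve(self, name: str) -> List[AddressObject]:
        """Flatten a group (recursively) to its leaf address objects."""
        if name in self.objects:
            return [self.objects[name]]
        if name not in self.groups:
            raise KeyError(f"unknown address object or group {name!r}")
        leaves: List[AddressObject] = []
        for member in self.groups[name].members:
            leaves.extend(self.resolve(member))  # members must already exist, so no cycles
        return leaves

    def mixes_fqdn(self, members: List[str]) -> bool:
        """True if these members would put FQDN and non-FQDN objects in one group."""
        kinds = {obj.kind == "FQDN" for m in members for obj in self.resolve(m)}
        return len(kinds) > 1

    def add_group(self, grp: AddressGroup) -> None:
        if self.mixes_fqdn(grp.members):
            raise ValueError(f"{grp.name}: FQDN objects cannot be mixed with other objects")
        self.groups[grp.name] = grp

    def matches(self, name: str, ip_or_fqdn: str) -> bool:
        """Does an IP address or host name fall under the named object or group?"""
        try:
            ip = ipaddress.ip_address(ip_or_fqdn)
        except ValueError:
            ip = None
        for obj in self.resolve(name):
            if (ip is not None and obj.matches_ip(ip)) or (ip is None and obj.matches_name(ip_or_fqdn)):
                return True
        return False


def build_sample_book() -> AddressBook:
    """Constructed sample configuration (not taken from the manual)."""
    book = AddressBook()
    book.add_object(AddressObject("LAN1_SUBNET", "SUBNET", "192.168.1.0/24"))
    book.add_object(AddressObject("DMZ_RANGE", "RANGE", "10.10.0.10-10.10.0.20"))
    book.add_object(AddressObject("MGMT_HOST", "HOST", "192.168.1.250"))
    book.add_object(AddressObject("V6_LAN", "SUBNET", "2001:db8:1::/64"))
    book.add_object(AddressObject("ZYXEL_WILD", "FQDN", "*.zyxel.com"))
    book.add_group(AddressGroup("INTERNAL", ["LAN1_SUBNET", "DMZ_RANGE"]))
    book.add_group(AddressGroup("INTERNAL_ALL", ["INTERNAL", "MGMT_HOST", "V6_LAN"]))
    book.add_group(AddressGroup("VENDOR_SITES", ["ZYXEL_WILD"]))
    return book
```

Because a group is flattened to its leaf objects before matching, nesting depth and member order have no effect on the policy decision, which is exactly why the screen says the order of members is not important.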
Geo IP Summary
Use this screen to update the database of country-to-IP address mappings and manually configure custom country-to-IP address mappings in geographic address objects. You can then use geographic address objects in security policies to forward or deny traffic to whole countries or regions.
Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order.
Configuration > Object > Address/Geo IP > Geo IP 
Label
Description
Country Database Update
Latest Version
This is the latest country-to-IP address database version on myZyxel. You need to have a registered Content Filter Service license.
Current Version
This is the country-to-IP address database version currently on the Zyxel Device.
Update Now
Click this to check for the latest country-to-IP address database version on myZyxel. The latest version is downloaded to the Zyxel Device and replaces the current version if it is newer. There are logs to show the update status. You need to have a registered Content Filter Service license.
Auto Update
If you want the Zyxel Device to check weekly for the latest country-to-IP address database version on myZyxel, select the checkbox, choose a day and time each week and then click Apply. The default day and time displayed is the Zyxel Device current day and time.
Custom IPv4/IPv6 to Geography Rules
Add
Click this to create a new entry.
IPv4/v6 to Geography
Enter an IP address, then click this button to query which country this IP address belongs to.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
#
This field is a sequential value, and it is not associated with a specific entry.
Geolocation
This field displays the name of the country or region that is associated with this IP address.
Type
This field displays whether this address object is HOST, RANGE or SUBNET.
IPv4 Address
This field displays the IPv4 addresses represented by the type of address object.
Add Custom IPv4/IPv6 Address to Geography
This screen allows you to create a new geography-to-IP address mapping.
Geo IP > Add 
Label
Description
Country
Select the country or region that maps to this IP address.
Address Type
Select the type of address you want to create. Choices are: HOST, RANGE, SUBNET.
IP Address
This field is only available if the Address Type is HOST. This field cannot be blank. Enter the IP address that this address object represents.
IP Starting Address
This field is only available if the Address Type is RANGE. This field cannot be blank. Enter the beginning of the range of IP addresses that this address object represents.
IP Ending Address
This field is only available if the Address Type is RANGE. This field cannot be blank. Enter the end of the range of IP addresses that this address object represents.
Network / Netmask
These fields are only available if the IPv4 Address Type is SUBNET. They cannot be blank. Enter the network IP and subnet mask that defines the IPv4 subnet.
IPv6 Address Prefix
This field is only available if the IPv6 Address Type is SUBNET. This field cannot be blank. Enter the IPv6 address prefix that the Zyxel Device uses for the LAN IPv6 address.
OK
Click OK to save your changes back to the Zyxel Device.
Cancel
Click Cancel to exit this screen without saving your changes.
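The Geo IP screens combine two sources: the downloaded country-to-IP database and the custom IPv4/IPv6-to-geography rules you add here in HOST, RANGE or SUBNET form. The following added example (not Zyxel code) shows one way such a lookup can be resolved; it assumes that a custom rule takes precedence over the database and that the database is matched by longest prefix, neither of which the manual states. The database entries and custom rules are constructed sample data using documentation address ranges.

```python
"""Country lookup for an IP address with custom overrides (added example)."""
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample of a country-to-IP database: (network, country code).
SAMPLE_DATABASE: List[Tuple[str, str]] = [
    ("203.0.113.0/24", "TW"),
    ("203.0.113.128/25", "HK"),   # more specific than the /24 above
    ("198.51.100.0/24", "US"),
    ("2001:db8::/32", "US"),
]

# Constructed custom rules in the three forms the Add screen accepts: (type, address, country).
SAMPLE_CUSTOM_RULES: List[Tuple[str, str, str]] = [
    ("HOST", "203.0.113.77", "JP"),
    ("RANGE", "198.51.100.10-198.51.100.20", "DE"),
    ("SUBNET", "2001:db8:abcd::/48", "TW"),
]


def _custom_rule_matches(kind: str, value: str, ip) -> bool:
    """Apply one custom rule (HOST, RANGE or SUBNET) to an already-parsed address."""
    if kind == "HOST":
        return ip == ipaddress.ip_address(value)
    if kind == "RANGE":
        lo, hi = (ipaddress.ip_address(p.strip()) for p in value.split("-", 1))
        return ip.version == lo.version and lo <= ip <= hi
    if kind == "SUBNET":
        net = ipaddress.ip_network(value, strict=False)
        return ip.version == net.version and ip in net
    raise ValueError(f"unknown address type {kind}")


def lookup_country(ip_text: str,
                   custom_rules: List[Tuple[str, str, str]] = SAMPLE_CUSTOM_RULES,
                   database: List[Tuple[str, str]] = SAMPLE_DATABASE) -> Optional[str]:
    """Return the country for an IPv4/IPv6 address, or None if nothing matches.
    Assumed order: first matching custom rule, then longest database prefix."""
    ip = ipaddress.ip_address(ip_text)
    for kind, value, country in custom_rules:
        if _custom_rule_matches(kind, value, ip):
            return country
    best: Optional[Tuple[int, str]] = None  # (prefix length, country)
    for net_text, country in database:
        net = ipaddress.ip_network(net_text)
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0]:
                best = (net.prefixlen, country)
    return best[1] if best else None


def geo_policy_matches(ip_text: str, countries: List[str]) -> bool:
    """True if the address resolves to one of the countries a GEOGRAPHY address object names."""
    return lookup_country(ip_text) in countries
```

A practical caveat follows from the override order: a custom rule can silently change the outcome of every security policy that uses a GEOGRAPHY object, so custom entries deserve the same review as the policies themselves.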
Service
Use service objects to define TCP applications, UDP applications, and ICMP messages. You can also create service groups to refer to multiple service objects in other features.
What You Need to Know
IP Protocols
IP protocols are based on the eight-bit protocol field in the IP header. This field represents the next-level protocol that is sent in this packet. This section discusses three of the most common IP protocols.
Computers use Transmission Control Protocol (TCP, IP protocol 6) and User Datagram Protocol (UDP, IP protocol 17) to exchange data with each other. TCP guarantees reliable delivery but is slower and more complex. Some uses are FTP, HTTP, SMTP, and TELNET. UDP is simpler and faster but is less reliable. Some uses are DHCP, DNS, RIP, and SNMP.
TCP creates connections between computers to exchange data. Once the connection is established, the computers exchange data. If data arrives out of sequence or is missing, TCP puts it in sequence or waits for the data to be re-transmitted. When the exchange is complete, the connection is terminated.
In contrast, computers use UDP to send short messages to each other. There is no guarantee that the messages arrive in sequence or that the messages arrive at all.
Both TCP and UDP use ports to identify the source and destination. Each port is a 16-bit number. Some port numbers have been standardized and are used by low-level system processes; many others have no particular meaning.
Unlike TCP and UDP, Internet Control Message Protocol (ICMP, IP protocol 1) is mainly used to send error messages or to investigate problems. For example, ICMP is used to send the response if a computer cannot be reached. Another use is ping. ICMP does not guarantee delivery, but networks often treat ICMP messages differently, sometimes looking at the message itself to decide where to send it.
Service Objects and Service Groups
Use service objects to define IP protocols:
TCP applications
UDP applications
ICMP messages
user-defined services (for other types of IP protocols)
These objects are used in policy routes and security policies.
Use service groups when you want to create the same rule for several services, instead of creating separate rules for each service. Service groups may consist of services and other service groups. The sequence of members in the service group is not important.
Service Summary
The Service summary screen provides a summary of all services and their definitions. In addition, this screen allows you to add, edit, and remove services.
Click a column’s heading cell to sort the table entries by that column’s criteria. Click the heading cell again to reverse the sort order.
Configuration > Object > Service > Service 
Label
Description
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
References
Select an entry and click References to open a screen that shows which settings use the entry.
#
This field is a sequential value, and it is not associated with a specific service.
Name
This field displays the name of each service.
Content
This field displays a description of each service.
Reference
This displays the number of times an object reference is used in a profile.
Service Add/Edit
The Service Add/Edit screen allows you to create a new service or edit an existing one.
Configuration > Object > Service > Service > Edit 
Label
Description
Name
Type the name used to refer to the service. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
IP Protocol
Select the protocol the service uses. Choices are: TCP, UDP, ICMP, ICMPv6, and User Defined.
Starting Port
Ending Port
This field appears if the IP Protocol is TCP or UDP. Specify the port number(s) used by this service. If you fill in one of these fields, the service uses that port. If you fill in both fields, the service uses the range of ports.
ICMP Type
This field appears if the IP Protocol is ICMP or ICMPv6.
Select the ICMP message used by this service. This field displays the message text, not the message number.
IP Protocol Number
This field appears if the IP Protocol is User Defined.
Enter the number of the next-level protocol (IP protocol). Allowed values are 1 - 255.
OK
Click OK to save your changes back to the Zyxel Device.
Cancel
Click Cancel to exit this screen without saving your changes.
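The following is an added example (hypothetical code, not the Zyxel Device's implementation) that models the service and service group definitions described above: port ranges for TCP/UDP, a message type for ICMP, a 1-255 protocol number for User Defined services, and nested groups whose member order does not matter. It also shows how a flow is matched against a group once the nesting is flattened.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Union

# Hypothetical model of the Service and Service Group objects described on this
# page (an added example, not the Zyxel Device's own implementation).


@dataclass
class Service:
    name: str
    protocol: str                           # TCP, UDP, ICMP, ICMPv6 or "User Defined"
    start_port: Optional[int] = None        # TCP/UDP only
    end_port: Optional[int] = None          # TCP/UDP only
    icmp_type: Optional[int] = None         # ICMP/ICMPv6 only (message number)
    protocol_number: Optional[int] = None   # User Defined only, 1-255

    def __post_init__(self) -> None:
        # Same rules as the Service Add/Edit screen: one port field filled in
        # means that single port, both filled in means a range of ports.
        if self.protocol in ("TCP", "UDP"):
            if self.start_port is None and self.end_port is None:
                raise ValueError(f"{self.name}: a TCP/UDP service needs a port")
            if self.start_port is None:
                self.start_port = self.end_port
            if self.end_port is None:
                self.end_port = self.start_port
            if not 1 <= self.start_port <= self.end_port <= 65535:
                raise ValueError(f"{self.name}: bad port range "
                                 f"{self.start_port}-{self.end_port}")
        elif self.protocol in ("ICMP", "ICMPv6"):
            if self.icmp_type is None:
                raise ValueError(f"{self.name}: an ICMP service needs a message type")
        elif self.protocol == "User Defined":
            if self.protocol_number is None or not 1 <= self.protocol_number <= 255:
                raise ValueError(f"{self.name}: IP protocol number must be 1-255")
        else:
            raise ValueError(f"{self.name}: unknown IP protocol {self.protocol!r}")

    def matches(self, protocol: str, port: Optional[int] = None,
                icmp_type: Optional[int] = None,
                protocol_number: Optional[int] = None) -> bool:
        """True if a flow (protocol plus port, ICMP type or protocol number) fits."""
        if protocol != self.protocol:
            return False
        if self.protocol in ("TCP", "UDP"):
            return port is not None and self.start_port <= port <= self.end_port
        if self.protocol in ("ICMP", "ICMPv6"):
            return icmp_type == self.icmp_type
        return protocol_number == self.protocol_number


@dataclass
class ServiceGroup:
    name: str
    members: List[Union[Service, "ServiceGroup"]] = field(default_factory=list)

    def flatten(self) -> List[Service]:
        """Expand nested groups into the distinct services they contain.
        Member order is irrelevant, so a service listed twice (directly or via
        two groups) appears once, and a group reached twice is walked once."""
        seen_groups: set = set()
        services: List[Service] = []

        def walk(group: "ServiceGroup") -> None:
            if group.name in seen_groups:
                return
            seen_groups.add(group.name)
            for member in group.members:
                if isinstance(member, ServiceGroup):
                    walk(member)
                elif member not in services:
                    services.append(member)

        walk(self)
        return services

    def matches(self, protocol: str, **flow: Optional[int]) -> bool:
        """A group matches a flow if any service it (transitively) contains does."""
        return any(svc.matches(protocol, **flow) for svc in self.flatten())
```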
Service Group Summary
The Service Group summary screen provides a summary of all service groups. In addition, this screen allows you to add, edit, and remove service groups.
Configuration > Object > Service > Service Group 
Label
Description
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
References
Select an entry and click References to open a screen that shows which settings use the entry.
#
This field is a sequential value, and it is not associated with a specific service group.
Family
This field displays the address family the service group supports, according to the members you configured in the Service Group Add/Edit screen.
There are three types of families:
IPv4 only
IPv6 only
IPv4 and IPv6
Name
This field displays the name of each service group.
By default, the Zyxel Device uses service groups whose names start with “Default_Allow_” in the security policies to allow certain services to connect to the Zyxel Device.
Description
This field displays the description of each service group, if any.
Reference
This displays the number of times an object reference is used in a profile.
Service Group Add/Edit
The Service Group Add/Edit screen allows you to create a new service group or edit an existing one.
Configuration > Object > Service > Service Group > Edit 
Label
Description
Name
Enter the name of the service group. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Description
Enter a description of the service group, if any. You can use up to 60 printable ASCII characters.
Member List
The Member list displays the names of the service and service group objects that have been added to the service group. The order of members is not important.
Select items from the Available list that you want to be members and move them to the Member list. You can double-click a single entry to move it or use the [Shift] or [Ctrl] key to select multiple entries and use the arrow button to move them.
Move any members you do not want included to the Available list.
OK
Click OK to save your changes back to the Zyxel Device.
Cancel
Click Cancel to exit this screen without saving your changes.
Schedule Overview
Use schedules to set up one-time and recurring schedules for policy routes, security policies, and content filtering. One-time schedules are effective only once, while recurring schedules repeat on the days you select. Both types of schedules are based on the current date and time in the Zyxel Device.
Note: Schedules are based on the Zyxel Device’s current date and time.
What You Need to Know
One-time Schedules
One-time schedules begin on a specific start date and time and end on a specific stop date and time. One-time schedules are useful for long holidays and vacation periods.
Recurring Schedules
Recurring schedules begin at a specific start time and end at a specific stop time on selected days of the week (Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, and Saturday). Recurring schedules always begin and end on the same day. Recurring schedules are useful for defining the workday and off-work hours.
Schedule
The Schedule screen provides a summary of all schedules in the Zyxel Device.
Configuration > Object > Schedule 
Label
Description
One Time
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
References
Select an entry and click References to open a screen that shows which settings use the entry.
#
This field is a sequential value, and it is not associated with a specific schedule.
Name
This field displays the name of the schedule, which is used to refer to the schedule.
Start Day / Time
This field displays the date and time at which the schedule begins.
Stop Day / Time
This field displays the date and time at which the schedule ends.
Reference
This displays the number of times an object reference is used in a profile.
Recurring
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
References
Select an entry and click References to open a screen that shows which settings use the entry.
#
This field is a sequential value, and it is not associated with a specific schedule.
Name
This field displays the name of the schedule, which is used to refer to the schedule.
Start Time
This field displays the time at which the schedule begins.
Stop Time
This field displays the time at which the schedule ends.
Reference
This displays the number of times an object reference is used in a profile.
One-Time Schedule Add/Edit
The One-Time Schedule Add/Edit screen allows you to define a one-time schedule or edit an existing one.
Configuration > Object > Schedule > Edit (One Time) 
Label
Description
Configuration
Name
Type the name used to refer to the one-time schedule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Date Time
StartDate
Specify the year, month, and day when the schedule begins.
Year - 1900 - 2999
Month - 1 - 12
Day - 1 - 31 (it is not possible to specify illegal dates, such as February 31.)
StartTime
Specify the hour and minute when the schedule begins.
Hour - 0 - 23
Minute - 0 - 59
StopDate
Specify the year, month, and day when the schedule ends.
Year - 1900 - 2999
Month - 1 - 12
Day - 1 - 31 (it is not possible to specify illegal dates, such as February 31.)
StopTime
Specify the hour and minute when the schedule ends.
Hour - 0 - 23
Minute - 0 - 59
OK
Click OK to save your changes back to the Zyxel Device.
Cancel
Click Cancel to exit this screen without saving your changes.
Recurring Schedule Add/Edit
The Recurring Schedule Add/Edit screen allows you to define a recurring schedule or edit an existing one.
Configuration > Object > Schedule > Edit (Recurring) 
Label
Description
Configuration
Name
Type the name used to refer to the recurring schedule. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Date Time
StartTime
Specify the hour and minute when the schedule begins each day.
Hour - 0 - 23
Minute - 0 - 59
StopTime
Specify the hour and minute when the schedule ends each day.
Hour - 0 - 23
Minute - 0 - 59
Weekly
Week Days
Select each day of the week the recurring schedule is effective.
OK
Click OK to save your changes back to the Zyxel Device.
Cancel
Click Cancel to exit this screen without saving your changes.
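As an added example (hypothetical code, not the Zyxel Device's), the model below applies the one-time and recurring schedule rules described in this section: a one-time schedule is a single start-to-stop window, a recurring schedule is a start-to-stop time that begins and ends on the same day for each selected weekday, and the field ranges of the Add/Edit screens are enforced when a value is built. The one assumption is marked in a comment: a recurring stop time at or before the start time is rejected rather than wrapped past midnight.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, Iterable, List

# Hypothetical model of the one-time and recurring schedule objects described
# above (an added example, not the Zyxel Device's own code).

# Order matches datetime.weekday(): Monday is 0, Sunday is 6.
WEEKDAYS = ("Monday", "Tuesday", "Wednesday", "Thursday",
            "Friday", "Saturday", "Sunday")


def schedule_datetime(year: int, month: int, day: int,
                      hour: int, minute: int) -> datetime:
    """Build a start or stop value using the Add/Edit screen's field ranges.
    datetime() itself rejects impossible dates such as February 31."""
    if not 1900 <= year <= 2999:
        raise ValueError("year must be 1900-2999")
    if not (0 <= hour <= 23 and 0 <= minute <= 59):
        raise ValueError("hour must be 0-23 and minute 0-59")
    return datetime(year, month, day, hour, minute)


@dataclass(frozen=True)
class OneTimeSchedule:
    """Effective once, from a start date/time to a stop date/time."""
    name: str
    start: datetime
    stop: datetime

    def __post_init__(self) -> None:
        if self.stop <= self.start:
            raise ValueError(f"{self.name}: stop must be after start")

    def is_active(self, now: datetime) -> bool:
        return self.start <= now <= self.stop


@dataclass(frozen=True)
class RecurringSchedule:
    """Effective between a start and stop time on each selected weekday."""
    name: str
    start: time
    stop: time
    days: FrozenSet[str]

    def __post_init__(self) -> None:
        unknown = self.days - set(WEEKDAYS)
        if unknown:
            raise ValueError(f"{self.name}: unknown day(s) {sorted(unknown)}")
        # Assumption: since a recurring schedule begins and ends on the same
        # day, a stop time at or before the start time is rejected rather than
        # being wrapped past midnight.
        if self.stop <= self.start:
            raise ValueError(f"{self.name}: stop time must be after start time")

    def is_active(self, now: datetime) -> bool:
        return (WEEKDAYS[now.weekday()] in self.days
                and self.start <= now.time() <= self.stop)


def active_schedules(schedules: Iterable, now: datetime) -> List[str]:
    """Names of the schedules effective at 'now', which must be the Zyxel
    Device's own clock (see the Note above), not the admin workstation's."""
    return [s.name for s in schedules if s.is_active(now)]
```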
Schedule Group
The Schedule Group screen provides a summary of all groups of schedules in the Zyxel Device.
Configuration > Object > Schedule > Schedule Group
Label
Description
Configuration
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
References
Select an entry and click References to open a screen that shows which settings use the entry.
#
This field is a sequential value, and it is not associated with a specific schedule group.
Name
This field displays the name of the schedule group, which is used to refer to the schedule group.
Description
This field displays the description of the schedule group.
Members
This field lists the members in the schedule group. Each member is separated by a comma.
Reference
This displays the number of times an object reference is used in a profile.
Schedule Group Add/Edit
The Schedule Group Add/Edit screen allows you to define a schedule group or edit an existing one.
Configuration > Object > Schedule > Schedule Group > Add
Label
Description
Group Members
Name
Type the name used to refer to the schedule group. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Description
Enter a description of the schedule group, if any. You can use up to 60 printable ASCII characters.
Member List
The Member list displays the names of the schedule objects that have been added to the schedule group. The order of members is not important.
Select items from the Available list that you want to be members and move them to the Member list. You can double-click a single entry to move it or use the [Shift] or [Ctrl] key to select multiple entries and use the arrow button to move them.
Move any members you do not want included to the Available list.
OK
Click OK to save your changes back to the Zyxel Device.
Cancel
Click Cancel to exit this screen without saving your changes.
AAA Server Overview
You can use an AAA (Authentication, Authorization, Accounting) server to provide access control to your network. The AAA server can be an Active Directory, LDAP, or RADIUS server. Use the AAA Server screens to create and manage objects that contain settings for using AAA servers. You use AAA server objects when configuring ext-group-user user objects and authentication method objects.
Directory Service (AD/LDAP)
LDAP/AD allows a client (the Zyxel Device) to connect to a server to retrieve information from a directory.
The following describes the user authentication procedure via an LDAP/AD server.
1 A user logs in with a user name and password pair.
2 The Zyxel Device tries to bind (or log in) to the LDAP/AD server.
3 When the binding process is successful, the Zyxel Device checks the user information in the directory against the user name and password pair.
4 If it matches, the user is allowed access. Otherwise, access is blocked.
RADIUS Server
RADIUS (Remote Authentication Dial-In User Service) authentication is a popular protocol used to authenticate users by means of an external server instead of (or in addition to) an internal device user database that is limited to the memory capacity of the device. In essence, RADIUS authentication allows you to validate a large number of users from a central location.
ASAS
ASAS (Authenex Strong Authentication System) is a RADIUS server that works with the One-Time Password (OTP) feature. Purchase a Zyxel Device OTP package in order to use this feature. The package contains server software and physical OTP tokens (PIN generators). Do the following to use OTP. See the documentation included on the ASAS’ CD for details.
1 Install the ASAS server software on a computer.
2 Create user accounts on the Zyxel Device and in the ASAS server.
3 Import each token’s database file (located on the included CD) into the server.
4 Assign users to OTP tokens (on the ASAS server).
5 Configure the ASAS as a RADIUS server in the Zyxel Device’s Configuration > Object > AAA Server screens.
6 Give the OTP tokens to (local or remote) users.
AAA Servers Supported by the Zyxel Device
The following lists the types of authentication server the Zyxel Device supports.
Local user database
The Zyxel Device uses the built-in local user database to authenticate administrative users logging into the Zyxel Device’s Web Configurator or network access users logging into the network through the Zyxel Device. You can also use the local user database to authenticate VPN users.
Directory Service (LDAP/AD)
LDAP (Lightweight Directory Access Protocol)/AD (Active Directory) is a directory service that is both a directory and a protocol for controlling access to a network. The directory consists of a database specialized for fast information retrieval and filtering activities. You create and store user profile and login information on the external server.
RADIUS
RADIUS (Remote Authentication Dial-In User Service) authentication is a popular protocol used to authenticate users by means of an external or built-in RADIUS server. RADIUS authentication allows you to validate a large number of users from a central location.
Directory Structure
The directory entries are arranged in a hierarchical order much like a tree structure. Normally, the directory structure reflects the geographical or organizational boundaries.
Distinguished Name (DN)
A DN uniquely identifies an entry in a directory. A DN consists of attribute-value pairs separated by commas. The leftmost attribute is the Relative Distinguished Name (RDN). This provides a unique name for entries that have the same “parent DN” (“cn=domain1.com, ou=Sales, o=MyCompany” in the following examples).
cn=domain1.com, ou=Sales, o=MyCompany, c=US
cn=domain1.com, ou=Sales, o=MyCompany, c=JP
Base DN
A base DN specifies a directory. A base DN usually contains information such as the name of an organization, a domain name and/or country. For example, o=MyCompany, c=UK where o means organization and c means country.
Bind DN
A bind DN is used to authenticate with an LDAP/AD server. For example a bind DN of cn=zywallAdmin allows the Zyxel Device to log into the LDAP/AD server using the user name of zywallAdmin. The bind DN is used in conjunction with a bind password. When a bind DN is not specified, the Zyxel Device will try to log in as an anonymous user. If the bind password is incorrect, the login will fail.
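The helper below is an added example (not part of this manual) that applies the DN, RDN, Base DN and Bind DN definitions above to the comma-separated "attribute=value" form used here. It extracts the RDN and parent DN, checks whether an entry lies under a base DN (the base's pairs must be the trailing pairs of the entry's DN), and derives the user name from a bind DN; it assumes case-insensitive comparison of values and does not implement the full escaping rules of RFC 4514.

```python
from typing import List, Tuple

# Added example (not part of this manual): a small helper that applies the DN,
# RDN, Base DN and Bind DN definitions above to the "attr=value, attr=value"
# form shown here. It does not implement the full escaping rules of RFC 4514.

Pair = Tuple[str, str]


def parse_dn(dn: str) -> List[Pair]:
    """Split a DN into (attribute, value) pairs, leftmost (the RDN) first.
    Spaces around '=' and ',' are ignored, so "ou = Sales" equals "ou=Sales";
    attribute names are lower-cased because LDAP treats them case-insensitively."""
    pairs: List[Pair] = []
    for part in dn.split(","):
        if "=" not in part:
            raise ValueError(f"not an attribute=value pair: {part.strip()!r}")
        attr, value = part.split("=", 1)
        attr, value = attr.strip().lower(), value.strip()
        if not attr or not value:
            raise ValueError(f"empty attribute or value in {part.strip()!r}")
        pairs.append((attr, value))
    return pairs


def format_dn(pairs: List[Pair]) -> str:
    return ",".join(f"{attr}={value}" for attr, value in pairs)


def rdn(dn: str) -> Pair:
    """The Relative Distinguished Name: the leftmost attribute-value pair."""
    return parse_dn(dn)[0]


def parent_dn(dn: str) -> str:
    """Everything after the RDN; entries with the same parent DN must have
    distinct RDNs."""
    return format_dn(parse_dn(dn)[1:])


def is_under_base(dn: str, base_dn: str) -> bool:
    """True if the entry lies inside the directory named by base_dn, i.e. the
    base's pairs are the trailing pairs of the entry's DN. Values are compared
    case-insensitively (assumption: matches the common LDAP matching rules)."""
    entry = [(a, v.lower()) for a, v in parse_dn(dn)]
    base = [(a, v.lower()) for a, v in parse_dn(base_dn)]
    return len(base) <= len(entry) and entry[len(entry) - len(base):] == base


def bind_user(bind_dn: str) -> str:
    """The user name a bind DN logs in as; an empty bind DN means an
    anonymous bind, as the Bind DN description above explains."""
    if not bind_dn.strip():
        return "anonymous"
    return rdn(bind_dn)[1]
```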
Use the Active Directory or LDAP screen to manage the list of AD or LDAP servers the Zyxel Device can use in authenticating users.
Configuration > Object > AAA Server > Active Directory (or LDAP)  
Label
Description
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
References
Select an entry and click References to open a screen that shows which settings use the entry.
#
This field is a sequential value, and it is not associated with a specific AD or LDAP server.
Name
This field displays the name of the AD or LDAP server entry.
Server Address
This is the address of the AD or LDAP server.
Base DN
This specifies a directory. For example, o=Zyxel, c=US.
Adding an Active Directory or LDAP Server
Use this screen to create a new AD or LDAP entry or edit an existing one.
Configuration > Object > AAA Server > Active Directory (or LDAP) > Add 
Label
Description
Name
Enter a descriptive name (up to 63 alphanumerical characters) for identification purposes.
Description
Enter the description of each server, if any. You can use up to 60 printable ASCII characters.
Server Address
Enter the address of the AD or LDAP server.
Backup Server Address
If the AD or LDAP server has a backup server, enter its address here.
Port
Specify the port number on the AD or LDAP server to which the Zyxel Device sends authentication requests. Enter a number between 1 and 65535.
This port number should be the same on all AD or LDAP server(s) in this group.
Base DN
Specify the directory (up to 127 alphanumerical characters). For example, o=Zyxel, c=US.
This is only for LDAP.
Use SSL
Select Use SSL to establish a secure connection to the AD or LDAP server(s).
Search time limit
Specify the timeout period (between 1 and 300 seconds) before the Zyxel Device disconnects from the AD or LDAP server. In this case, user authentication fails.
Search timeout occurs when either the user information is not in the AD or LDAP server(s) or the AD or LDAP server(s) is down.
Case-sensitive User Names
Select this if the server checks the case of the usernames.
Bind DN
Specify the bind DN for logging into the AD or LDAP server. Enter up to 127 alphanumerical characters.
For example, cn=zywallAdmin specifies zywallAdmin as the user name.
Password
If required, enter the password (up to 15 alphanumerical characters) for the Zyxel Device to bind (or log in) to the AD or LDAP server.
Retype to Confirm
Retype your new password for confirmation.
Login Name Attribute
Enter the type of identifier the users are to use to log in. For example “name” or “e-mail address”.
Alternative Login Name Attribute
If there is a second type of identifier that the users can use to log in, enter it here. For example “name” or “e-mail address”.
Group Membership Attribute
An AD or LDAP server defines attributes for its accounts. Enter the name of the attribute that the Zyxel Device is to check to determine to which group a user belongs. The value for this attribute is called a group identifier; it determines to which group a user belongs. You can add ext-group-user user objects to identify groups based on these group identifier values.
For example, you could have an attribute named “memberOf” with values like “sales”, “RD”, and “management”. You could then create an ext-group-user user object for each group: one with “sales” as the group identifier, another for “RD”, and a third for “management”.
Domain Authentication for MSChap
Select the Enable checkbox to enable domain authentication for MSChap.
This is only for Active Directory.
User Name
Enter the user name for the user who has rights to add a machine to the domain.
This is only for Active Directory.
User Password
Enter the password for the associated user name.
This is only for Active Directory.
Retype to Confirm
Retype your new password for confirmation.
This is only for Active Directory.
Realm
Enter the realm FQDN.
This is only for Active Directory.
NetBIOS Name
Type the NetBIOS name. This field is optional. NetBIOS packets are TCP or UDP packets that enable a computer to connect to and communicate with a LAN, which lets local computers find computers on the remote network and vice versa.
Configuration Validation
Use a user account from the server specified above to test if the configuration is correct. Enter the account’s user name in the Username field and click Test.
OK
Click OK to save the changes.
Cancel
Click Cancel to discard the changes.
RADIUS Server Summary
Use the RADIUS screen to manage the list of RADIUS servers the Zyxel Device can use in authenticating users.
Configuration > Object > AAA Server > RADIUS 
Label
Description
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
References
Select an entry and click References to open a screen that shows which settings use the entry.
#
This field displays the index number.
Name
This is the name of the RADIUS server entry.
Server Address
This is the address of the RADIUS server.
Adding a RADIUS Server
Use this screen to create a new RADIUS server entry or edit an existing one.
Configuration > Object > AAA Server > RADIUS > Add 
Label
Description
Name
Enter a descriptive name (up to 63 alphanumerical characters) for identification purposes.
Description
Enter the description of each server, if any. You can use up to 60 printable ASCII characters.
Server Address
Enter the address of the RADIUS server.
Authentication Port
Specify the port number on the RADIUS server to which the Zyxel Device sends authentication requests. Enter a number between 1 and 65535.
Backup Server Address
If the RADIUS server has a backup server, enter its address here.
Backup Authentication Port
Specify the port number on the backup RADIUS server to which the Zyxel Device sends authentication requests. Enter a number between 1 and 65535.
Timeout
Specify the timeout period (between 1 and 300 seconds) before the Zyxel Device disconnects from the RADIUS server. In this case, user authentication fails.
A timeout occurs when either the user information is not in the RADIUS server or the RADIUS server is down.
NAS IP Address
Type the IP address of the NAS (Network Access Server).
Case-sensitive User Names
Select this if you want to configure user names as case-sensitive.
Key
Enter a password (up to 15 alphanumeric characters) as the key to be shared between the external authentication server and the Zyxel Device.
The key is not sent over the network. This key must be the same on the external authentication server and the Zyxel Device.
Group Membership Attribute
A RADIUS server defines attributes for its accounts. Select the name and number of the attribute that the Zyxel Device is to check to determine to which group a user belongs. If it does not display, select user-defined and specify the attribute’s number.
This attribute’s value is called a group identifier; it determines to which group a user belongs. You can add ext-group-user user objects to identify groups based on these group identifier values.
For example, you could have an attribute named “memberOf” with values like “sales”, “RD”, and “management”. You could then create an ext-group-user user object for each group: one with “sales” as the group identifier, another for “RD”, and a third for “management”.
OK
Click OK to save the changes.
Cancel
Click Cancel to discard the changes.
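To show why the Key above must be identical on both sides although it is never transmitted, the following added example (not the Zyxel Device's code or any RADIUS library) implements the two RFC 2865 computations that use the shared key: hiding the User-Password attribute on the NAS side (and revealing it on the server side), and checking the Response Authenticator of the server's reply. Names are hypothetical and the key, passwords and reply are constructed test data.

```python
import hashlib
import hmac
import os
import struct

# Added example (not the Zyxel Device's or any RADIUS library's code): the two
# RFC 2865 computations that use the shared key. The NAS (here the Zyxel
# Device) never transmits the key; it hides the user's password with it and
# checks the server's reply with it, so both sides must hold the same key.

RADIUS_HEADER = struct.Struct("!BBH")   # Code, Identifier, Length
ACCESS_ACCEPT = 2


def new_request_authenticator() -> bytes:
    """16 unpredictable bytes chosen by the NAS for each request."""
    return os.urandom(16)


def _xor16(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: the password is padded to a
    multiple of 16 bytes and each block is XORed with MD5(secret + previous
    block), seeded with the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1-128 bytes")
    if len(request_auth) != 16:
        raise ValueError("request authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor16(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """The server side of the same operation. With the wrong key the result
    is garbage, which is how a mismatched key first shows up."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    password, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        password += _xor16(block, hashlib.md5(secret + prev).digest())
        prev = block
    return password.rstrip(b"\x00")


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = RADIUS_HEADER.pack(code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code: int, ident: int, attrs: bytes,
                   request_auth: bytes, secret: bytes) -> bytes:
    """What the RADIUS server sends back (used here to construct test input)."""
    header = RADIUS_HEADER.pack(code, ident, 20 + len(attrs))
    return header + response_authenticator(code, ident, attrs, request_auth, secret) + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS-side check of an Access-Accept/Reject. A mismatch means the reply
    was not computed with our key (wrong key on one side, or not from the
    server we asked) and must be treated as a failed authentication."""
    if len(packet) < 20:
        return False
    code, ident, length = RADIUS_HEADER.unpack(packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])
```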
Auth. Method
Authentication method objects set how the Zyxel Device authenticates HTTP/HTTPS clients and peer IPSec routers (extended authentication). Configure authentication method objects to have the Zyxel Device use the local user database, and/or the authentication servers and authentication server groups specified by AAA server objects. By default, user accounts created and stored on the Zyxel Device are authenticated locally.
Configure AAA server objects before you configure authentication method objects.
Authentication Method Objects
Note: You can create up to 16 authentication method objects.
Configuration > Object > Auth. Method 
Label
Description
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
References
Select an entry and click References to open a screen that shows which settings use the entry.
#
This field displays the index number.
Method Name
This field displays a descriptive name for identification purposes.
Method List
This field displays the authentication method(s) for this entry.
Creating an Authentication Method Object
Follow the steps below to create an authentication method object.
1 Click Configuration > Object > Auth. Method.
2 Click Add.
3 Specify a descriptive name for identification purposes in the Name field. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. For example, “My_Device”.
4 Click Add to insert an authentication method in the table.
5 Select a server object from the Method List drop-down list box.
6 You can add up to four server objects to the table. The ordering of the Method List column is important. The Zyxel Device authenticates the users using the databases (in the local user database or the external authentication server) in the order they appear in this screen.
If accounts with the same user name exist on two of the authentication servers you specify, and the user name and password entered do not match the account on the first server, the Zyxel Device does not continue the search on the second server.
Note: You can NOT select two server objects of the same type.
7 Click OK to save the settings or click Cancel to discard all changes and return to the previous screen.
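The procedure above leaves the order of the Method List as the part that matters, so here is an added example (hypothetical code, not the Zyxel Device's) that models an authentication method object with the limits from the steps: at most four server objects, no two of the same type, servers tried in list order, and the first server that knows the user name deciding the outcome, so a wrong password there is a final reject even if a later server holds an account with the same name and a matching password. Server names, account names and passwords are constructed test data.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Added example (not the Zyxel Device's code): a model of an authentication
# method object's ordered Method List, showing the rules in the steps above.
# Hypothetical names; the accounts and passwords are constructed test data.


@dataclass
class AuthServer:
    name: str
    kind: str                                               # e.g. "local", "ad", "ldap", "radius"
    accounts: Dict[str, str] = field(default_factory=dict)  # user name -> password

    def check(self, username: str, password: str) -> str:
        """'unknown' if the account is not here, else 'ok' or 'bad-password'."""
        stored = self.accounts.get(username)
        if stored is None:
            return "unknown"
        if hmac.compare_digest(stored.encode(), password.encode()):
            return "ok"
        return "bad-password"


@dataclass
class AuthMethod:
    name: str
    method_list: List[AuthServer]   # list order is the order the servers are tried

    def __post_init__(self) -> None:
        if len(self.method_list) > 4:
            raise ValueError(f"{self.name}: at most four server objects")
        kinds = [s.kind for s in self.method_list]
        if len(kinds) != len(set(kinds)):
            raise ValueError(f"{self.name}: two server objects of the same type")

    def authenticate(self, username: str, password: str) -> Tuple[bool, str]:
        """Try the servers in list order. The first server that knows the user
        decides: a wrong password there is a final reject, and the remaining
        servers are not consulted even if they hold an account with the same
        name and a matching password."""
        for server in self.method_list:
            result = server.check(username, password)
            if result == "ok":
                return True, f"accepted by {server.name}"
            if result == "bad-password":
                return False, f"rejected by {server.name}; later servers not consulted"
        return False, "account not found on any server"
```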
Authentication Method Add/Edit
Configuration > Object > Auth. Method > Add 
Label
Description
Name
Specify a descriptive name for identification purposes.
You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. For example, “My_Device”.
Add
Click this to create a new entry. Select an entry and click Add to create a new entry after the selected entry.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
Move
To change a method’s position in the numbered list, select the method and click Move. In the field that appears, type the number of the position where you want to put it and press [ENTER] to move the method to that position.
The ordering of your methods is important, as the Zyxel Device authenticates users using the authentication methods in the order they appear in this screen.
#
This field displays the index number.
Method List
Select a server object from the drop-down list box. You can create a server object in the AAA Server screen.
The Zyxel Device authenticates the users using the databases (in the local user database or the external authentication server) in the order they appear in this screen.
If accounts with the same user name exist on two of the authentication servers you specify, and the user name and password entered do not match the account on the first server, the Zyxel Device does not continue the search on the second server.
OK
Click OK to save the changes.
Cancel
Click Cancel to discard the changes.
Two-Factor Authentication
Use two-factor authentication to have double-layer security to access a secured network behind the Zyxel Device via a VPN tunnel. The first layer is the VPN client user name / password and the second layer is an authorization link sent by SMS (to the user’s mobile phone number) or by email.
Overview
1 A user runs a VPN client and logs in with the user name and password for this VPN tunnel.
2 The VPN tunnel is created from the VPN client device to the Zyxel Device.
3 The Zyxel Device requests the user’s user-name, password and mobile phone number or email address from the Active Directory, RADIUS server or local Zyxel Device database in order to authenticate this user's use of the VPN tunnel (factor 1). If they are not found, then the Zyxel Device terminates the VPN tunnel.
4 If all correct credentials are found, then the Zyxel Device will request the Cloud SMS system to send an authorization SMS or email to the client requesting VPN access (factor 2).
5 The client should access the authorization link sent via SMS or email by the Cloud SMS system within a specified deadline (Valid Time).
6 If the authorization is correct and received on time, then the client can have VPN access to the secured network. If the authorization deadline has expired, then the client will have to run the VPN client again. If authorization credentials are incorrect or if the SMS/email was not received, then the client must check with the network administrator.
Pre-configuration
Before configuration, you must:
Set up the user’s user-name, password and email address or mobile number in the Active Directory, RADIUS server or local Zyxel Device database
Configure the VPN tunnel for this user on the Zyxel Device
Have an account with ViaNett to be able to send SMS/email authorization requests
Enable HTTP and/or HTTPS in System > WWW > Service Control
Configure SMS in System > Notification > SMS.
Add HTTP and/or HTTPS to the Object > Service > Service Group > Default_Allow_WAN_To_ZyWALL service group.
Two-Factor authentication may fail if one of the above is not configured or:
The user did not receive the authorization SMS or email. Check if the mobile telephone number or email address of the user in the Active Directory, RADIUS Server or local Zyxel Device database is configured correctly
ViaNett Authentication failed and no SMS was sent. Check that SMS is enabled and credentials are correct in System > Notification > SMS.
Mail server authentication failed. Check if the System > Notification > Mail Server settings are correct.
The authorization timed out. Extend the Valid Time in Configuration > Object > Auth. Method > Two-factor Authentication.
Configuration > Object > Auth. Method > Two-factor Authentication 
Label
Description
General Settings
Enable
Select the check box to require double-layer security to access a secured network behind the Zyxel Device via a VPN tunnel.
Valid Time
Enter the maximum time (in minutes) within which the user must click or tap the authorization link in the SMS or email to get authorization for the VPN connection.
Two-factor Authentication for Services:
Select which kinds of VPN tunnels require Two-Factor Authentication. You should have configured the VPN tunnel first.
SSL VPN Access
IPSec VPN Access
L2TP/IPSec VPN Access
User/Group
This list displays the names of the users and user groups that can be selected for two-factor authentication. The order of members is not important. Select users and groups from the Selectable User/Group Objects list that require two-factor authentication for VPN access to a secured network behind the Zyxel Device and move them to the Selected User/Group Objects list. You can double-click a single entry to move it or use the [Shift] or [Ctrl] key to select multiple entries and use the arrow button to move them.
Similarly, move users and groups that do not require two-factor authentication back to the Selectable User/Group Objects list.
Delivery Settings
Use this section to configure how to send an SMS or email for authorization.
Deliver Authorize Link Method:
Select one or both methods:
SMS: Object > User/Group > User must contain a valid mobile telephone number. A valid mobile telephone number can be up to 20 characters in length, including the numbers 1~9 and the following characters in the square brackets [+*#()-].
Email: Object > User/Group > User must contain a valid email address. A valid email address must contain the @ character. For example, this is a valid email address: abc@example.com
Authorize Link URL Address:
Configure the link that the user will receive in the SMS or email. The user must be able to access the link.
http/https: you must enable HTTP or HTTPS in System > WWW > Service Control
From Interface/User-Defined: select the Zyxel Device WAN interface (wan1/2) or select User-Defined and then enter an IP address.
Message
You can either type the message in the text box or upload a message file (select Use Multilingual file) from your computer. The message file must be named '2FA-msg.txt' and be UTF-8 encoded. To create the file, click Download the default 2FA-msg.txt example and edit it for your needs. (If you make a mistake, use Restore Customized File to Default to restore the default message.) Use Select a File Path to locate the finished file on your computer and then click Upload to transfer it to the Zyxel Device.
The message in either the text box or the file must contain the <url> variable (including the angle brackets); the <user>, <host> and <time> variables are optional. The Zyxel Device substitutes the actual values for the variables when it sends the message.
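The following Go program is an added example, not code from the Zyxel Device or its firmware. It applies the two rules above to a message template (the text must be UTF-8 and must contain <url>) and substitutes the four variables, refusing to produce a message that has no link. Its refusal to render a plain-http link is this example's own policy, not a device rule. The template text, URL, user name and host name are constructed for the example, and the function names are mine.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
	"unicode/utf8"
)

// Vars are the values substituted for the template variables.
type Vars struct {
	URL  string    // authorization link; <url> is the only required variable
	User string    // user name being authorized
	Host string    // Zyxel Device host name or address
	Time time.Time // time the link was issued
}

// ValidateTemplate applies the two rules stated for 2FA-msg.txt: the text
// must be UTF-8 and must contain the <url> variable.
func ValidateTemplate(tmpl string) error {
	if !utf8.ValidString(tmpl) {
		return errors.New("2FA-msg.txt is not valid UTF-8")
	}
	if !strings.Contains(tmpl, "<url>") {
		return errors.New("2FA-msg.txt must contain the <url> variable")
	}
	return nil
}

// Render validates the template and substitutes the variables. As this
// example's own policy (an assumption, not a device rule), it refuses to
// render a link that is not https, because an http link is opened over a
// connection anyone on the path can read or alter.
func Render(tmpl string, v Vars) (string, error) {
	if err := ValidateTemplate(tmpl); err != nil {
		return "", err
	}
	if !strings.HasPrefix(strings.ToLower(v.URL), "https://") {
		return "", fmt.Errorf("refusing to send non-https authorize link %q", v.URL)
	}
	r := strings.NewReplacer(
		"<url>", v.URL,
		"<user>", v.User,
		"<host>", v.Host,
		"<time>", v.Time.UTC().Format(time.RFC3339),
	)
	return r.Replace(tmpl), nil
}

// DefaultTemplate is a constructed message using the four variables; it is not
// the device's own 2FA-msg.txt.
const DefaultTemplate = "Dear <user>,\n" +
	"A VPN login to <host> was requested at <time>.\n" +
	"Open this link to authorize it: <url>\n"

func main() {
	msg, err := Render(DefaultTemplate, Vars{URL: "https://203.0.113.10/2fa",
		User: "alice", Host: "fw.example.com", Time: time.Now()})
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Print(msg)
	// A template with no link is rejected before anything is sent.
	_, err = Render("Please confirm your login.", Vars{URL: "https://203.0.113.10/2fa"})
	fmt.Println("template without <url>:", err)
}
```

Run the validation against your edited 2FA-msg.txt before uploading it; the device's Upload step will not tell you why a user later receives a message with no link.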
Apply
Click Apply to save the changes.
Reset
Click Reset to return the screen to its last-saved settings.
Certificate Overview
The Zyxel Device can use certificates (also called digital IDs) to authenticate users and peers. Certificates are based on public-private key pairs: a certificate binds the owner's identity to the owner's public key and carries the signature of the issuer that vouches for that binding. Certificates therefore provide a way to exchange public keys whose ownership can be checked, for use in authentication.
When using public-key cryptography for authentication, each host has two keys. One key is public and can be made openly available. The other key is private and must be kept secret.
These keys work like a handwritten signature. Only you can write your signature exactly as it should look; when people know what your signature looks like, they can verify whether something was signed by you or by someone else. In the same way, your private key “writes” a digital signature and your public key allows people to verify whether data was signed by you or by someone else. (A certificate is not itself a signature: it is a statement about who owns a public key, and it carries the issuer's digital signature.) This process works as follows.
1 Tim wants to send a message to Jenny. He needs her to be sure that it comes from him, and that the message content has not been altered by anyone else along the way. Tim generates a public key pair (one public key and one private key).
2 Tim keeps the private key and makes the public key openly available. This means that anyone who receives a message seeming to come from Tim can read it and verify whether it is really from him or not.
3 Tim uses his private key to sign the message and sends it to Jenny.
4 Jenny receives the message and uses Tim’s public key to verify it. Jenny knows that the message is from Tim, and that although other people may have been able to read the message, no-one can have altered it (because they cannot re-sign the altered message without Tim’s private key). This holds only if Jenny has Tim’s genuine public key: if an attacker could hand Jenny their own public key as “Tim’s”, the same check would accept the attacker’s messages. Binding a public key to an identity so that such a substitution is detected is exactly what a certificate is for.
5 Additionally, Jenny uses her own private key to sign a message and Tim uses Jenny’s public key to verify the message.
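The five steps as runnable Go, added here as an illustration and not taken from the Zyxel Device: Tim and Jenny sign with RSA PKCS#1 v1.5 over SHA-256 (the rsa-pkcs1-sha1 named later in this chapter is the same scheme with the older hash). The messages and the three key pairs, including an impostor's, are generated by the example itself; the impostor case shows the gap that certificates close.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sign is step 3: hash the message and sign the digest with the private key.
// The scheme is RSA PKCS#1 v1.5 with SHA-256; the guide's rsa-pkcs1-sha1 is
// the same scheme with the deprecated SHA1 hash.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Verify is step 4: recompute the digest and check the signature with the
// public key the verifier believes belongs to the sender. It is true only
// when both that key and the message are exactly what was signed.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// Outcome records what the verifier concludes in each scenario.
type Outcome struct {
	Genuine          bool // Tim's message checked with Tim's key: accepted
	Tampered         bool // message altered in transit: rejected
	ImpostorAccepted bool // Mallory's key handed to Jenny as "Tim's": accepted
	Reply            bool // step 5, Jenny signs and Tim verifies: accepted
}

// Exchange runs the five steps with constructed messages and three key pairs
// generated on the spot: Tim, Jenny and an impostor, Mallory.
func Exchange() (Outcome, error) {
	var o Outcome
	keys := make([]*rsa.PrivateKey, 3)
	for i := range keys {
		k, err := rsa.GenerateKey(rand.Reader, 2048)
		if err != nil {
			return o, err
		}
		keys[i] = k
	}
	tim, jenny, mallory := keys[0], keys[1], keys[2]

	msg := []byte("From Tim: please pay invoice 4711, amount 1000 EUR")
	sig, err := Sign(tim, msg)
	if err != nil {
		return o, err
	}
	o.Genuine = Verify(&tim.PublicKey, msg, sig)

	// Anyone on the path can read and change the message, but cannot produce
	// a signature for the changed bytes without Tim's private key.
	tampered := []byte("From Tim: please pay invoice 4711, amount 9000 EUR")
	o.Tampered = Verify(&tim.PublicKey, tampered, sig)

	// A signature only proves "signed by the holder of this key". If Jenny was
	// handed Mallory's public key believing it to be Tim's, Mallory's messages
	// verify perfectly. Tying a key to an identity is what a certificate is for.
	malSig, err := Sign(mallory, msg)
	if err != nil {
		return o, err
	}
	o.ImpostorAccepted = Verify(&mallory.PublicKey, msg, malSig)

	reply := []byte("From Jenny: invoice 4711 received")
	rsig, err := Sign(jenny, reply)
	if err != nil {
		return o, err
	}
	o.Reply = Verify(&jenny.PublicKey, reply, rsig)
	return o, nil
}

func main() {
	o, err := Exchange()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```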
The Zyxel Device uses certificates based on public-key cryptography to authenticate users attempting to establish a connection, not to encrypt the data that you send after establishing a connection. The method used to secure the data that you send through an established connection depends on the type of connection. For example, a VPN tunnel uses the symmetric cipher negotiated in its proposal, such as AES (or the legacy Triple DES).
The certification authority uses its private key to sign certificates. Anyone can then use the certification authority’s public key to verify the certificates.
A certification path is the hierarchy of certification authority certificates that validate a certificate. The Zyxel Device does not trust a certificate if any certificate on its path has expired or been revoked.
Certification authorities maintain directory servers with databases of valid and revoked certificates. A list of certificates that have been revoked before their scheduled expiration is called a CRL (Certificate Revocation List). The Zyxel Device can check a peer’s certificate against a CRL fetched from a directory server over HTTP or LDAP, or query an OCSP responder; this is configured per trusted certification authority in the Trusted Certificates Edit screen. The framework of servers, software, procedures and policies that handles keys is called PKI (public-key infrastructure).
Advantages of Certificates
Certificates offer the following benefits.
The Zyxel Device only has to store the certificates of the certification authorities that you decide to trust, no matter how many devices you need to authenticate.
Key distribution is simple and safe since public keys can be distributed openly and private keys never need to be transmitted; a private key leaves the device that generated it only when you deliberately export it in a password-protected PKCS#12 file.
Self-signed Certificates
You can have the Zyxel Device act as a certification authority and sign its own certificates.
Factory Default Certificate
The Zyxel Device generates its own unique self-signed certificate when you first turn it on. This certificate is referred to in the GUI as the factory default certificate. No authority that browsers or VPN clients already trust has signed it, so they will warn about it or reject it until you import it into their trust store or replace it with a certificate issued by a certification authority they trust.
Certificate File Formats
Any certificate that you want to import has to be in one of these file formats:
Binary X.509 (DER): the certificate as the raw ASN.1 DER bytes defined by the ITU-T X.509 recommendation. This is a binary file and must not be altered by a text-mode transfer.
PEM (Base-64) encoded X.509: the same DER bytes Base-64 encoded (letters, digits, '+', '/' and '=') and wrapped in -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, so that the certificate can be handled as printable text. PEM stands for Privacy Enhanced Mail, the standard the encoding was first defined for.
Binary PKCS#7: PKCS #7 defines the general syntax for signed or encrypted data; here a PKCS #7 file is used to carry a public key certificate. The private key is not included. The Zyxel Device currently only imports a PKCS#7 file that contains a single certificate.
PEM (Base-64) encoded PKCS#7: the same PKCS#7 data Base-64 encoded into printable form.
Binary PKCS#12: a format for transferring a certificate together with its private key. The private key in a PKCS #12 file is within a password-encrypted envelope. The password is set when the file is exported and is unrelated to any other credential on the device; you must supply it when importing the file into the Zyxel Device. Treat the file and its password as you would treat the private key itself.
Note: Be careful not to convert a binary file to text during the transfer process (for example with an FTP client in ASCII mode, or an editor that re-encodes whatever it opens). It is easy for this to occur since many programs use text files by default, and a DER or binary PKCS file altered in this way will fail to import.
Verifying a Certificate
Before you import a trusted certificate into the Zyxel Device, you should verify that you have the correct certificate. You can do this using the certificate’s fingerprint (thumbprint): a message digest of the whole certificate calculated using the MD5 or SHA1 algorithm. Compare the full SHA1 fingerprint rather than the MD5 one alone, since MD5 collisions are practical and two different certificates can be made to share an MD5 fingerprint. The following procedure describes how to check a certificate’s fingerprint to verify that you have the actual certificate.
1 Browse to where you have the certificate saved on your computer.
2 Make sure that the certificate has a “.cer” or “.crt” file name extension.
3 Double-click the certificate’s icon to open the Certificate window. Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields.
4 Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may vary based on your situation; possible examples are over the telephone, or from the owner’s web page over an HTTPS connection whose own certificate you already trust. Compare every pair of hex digits: a fingerprint that matches only in its first few bytes is not a match.
The My Certificates Screen
This is the Zyxel Device’s summary list of certificates and certification requests.
Configuration > Object > Certificate > My Certificates 
Label
Description
PKI Storage Space in Use
This bar displays the percentage of the Zyxel Device’s PKI storage space that is currently in use. When the storage space is almost full, you should consider deleting expired or unnecessary certificates before adding more certificates.
Add
Click this to go to the screen where you can have the Zyxel Device generate a certificate or a certification request.
Edit
Double-click an entry or select it and click Edit to open a screen with an in-depth list of information about the certificate.
Remove
The Zyxel Device keeps all of your certificates unless you specifically delete them. Uploading a new firmware or default configuration file does not delete your certificates. To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Subsequent certificates move up by one when you take this action.
References
You cannot delete certificates that any of the Zyxel Device’s features are configured to use. Select an entry and click References to open a screen that shows which settings use the entry.
#
This field displays the certificate index number. The certificates are listed in alphabetical order.
Name
This field displays the name used to identify this certificate. It is recommended that you give each certificate a unique name.
Type
This field displays what kind of certificate this is.
REQ represents a certification request and is not yet a valid certificate. Send a certification request to a certification authority, which then issues a certificate. Use the My Certificate Import screen to import the certificate and replace the request.
SELF represents a self-signed certificate.
CERT represents a certificate issued by a certification authority.
Subject
This field displays identifying information about the certificate’s owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information.
Issuer
This field displays identifying information about the certificate’s issuing certification authority, such as a common name, organizational unit or department, organization or company and country. With self-signed certificates, this is the same information as in the Subject field.
Valid From
This field displays the date that the certificate becomes applicable.
Valid To
This field displays the date that the certificate expires. The text displays in red and includes an Expired! message if the certificate has expired.
Import
Click Import to open a screen where you can save a certificate to the Zyxel Device.
Refresh
Click Refresh to display the current validity status of the certificates.
My Certificates Add
Use this screen to have the Zyxel Device create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request.
Configuration > Object > Certificate > My Certificates > Add 
Label
Description
Name
Type a name to identify this certificate. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.=- characters.
Subject Information
Use these fields to record information that identifies the owner of the certificate. You do not have to fill in every field, although you must specify a Host IP Address, Host IPv6 Address, Host Domain Name, or E-Mail. The certification authority may add fields (such as a serial number) to the subject information when it issues a certificate. It is recommended that each certificate have unique subject information.
Select a radio button to identify the certificate’s owner by IP address, domain name or e-mail address. Type the IP address (in dotted decimal notation), domain name or e-mail address in the field provided. The domain name or e-mail address is for identification purposes only and can be any string.
A domain name can be up to 255 characters. You can use alphanumeric characters, the hyphen and periods.
An e-mail address can be up to 63 characters. You can use alphanumeric characters, the hyphen, the @ symbol, periods and the underscore.
Organizational Unit
Identify the organizational unit or department to which the certificate owner belongs. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.
Organization
Identify the company or group to which the certificate owner belongs. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.
Town (City)
Identify the town or city where the certificate owner is located. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.
State, (Province)
Identify the state or province where the certificate owner is located. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.
Country
Identify the nation where the certificate owner is located. You can use up to 31 characters. You can use alphanumeric characters, the hyphen and the underscore.
Key Type
Select RSA to use the Rivest, Shamir and Adleman public-key algorithm. RSA is the choice that VPN peers, browsers and certification authorities universally support.
Select DSA to use the Digital Signature Algorithm public-key algorithm. DSA keys can only sign, not encrypt, and DSA is deprecated by current standards; use it only if a peer requires it.
Key Length
Select a number from the drop-down list box to determine how many bits the key should use (512 to 2048). The longer the key, the more secure it is; a longer key also uses more PKI storage space and slightly more CPU each time the certificate is used. Select 2048: 512-bit RSA keys can be factored cheaply, and 1024-bit keys are no longer accepted by current browsers, VPN clients or public certification authorities.
Extended Key Usage
Select the purposes to be recorded in the certificate or certification request (the Extended Key Usage extension). A peer that checks this extension accepts the certificate only for the purposes listed.
Server Authentication
Select this to have the Zyxel Device generate a certificate or request that is valid for server authentication (the Zyxel Device acting as a TLS or VPN server).
Client Authentication
Select this to have the Zyxel Device generate a certificate or request that is valid for client authentication.
IKE Intermediate
Select this to have the Zyxel Device generate a certificate or request that is valid for IKE Intermediate authentication, the usage some IPSec peers require for the certificates exchanged in IKE.
Create a self-signed certificate
Select this to have the Zyxel Device generate the certificate and act as the Certification Authority (CA) itself. This way you do not need to apply to a certification authority for certificates, but peers will trust the certificate only after you install it in their trust store, since no authority they already trust vouches for it.
Create a certification request and save it locally for later manual enrollment
Select this to have the Zyxel Device generate and store a request for a certificate (listed with type REQ). Open the My Certificate Details screen to view the certification request in PEM format, copy it, and send it to the certification authority. When the authority returns the certificate, import it with the My Certificate Import screen to replace the request.
OK
Click OK to begin certificate or certification request generation.
Cancel
Click Cancel to quit and return to the My Certificates screen.
If you configured the My Certificate Create screen to have the Zyxel Device enroll a certificate and the certificate enrollment is not successful, you see a screen with a Return button that takes you back to the My Certificate Create screen. Click Return and check your information in the My Certificate Create screen. Make sure that the certification authority information is correct and that your Internet connection is working properly if you want the Zyxel Device to enroll a certificate online.
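A Go example, added here and not part of the Zyxel firmware, that walks through what this screen and the earlier Certificate File Formats and Verifying a Certificate sections describe: generating the key pair (refusing lengths below 2048 bits), producing a certification request with the IP address, domain name and e-mail Subject Alternative Names, producing the self-signed alternative with the three Extended Key Usage values, then reading the result back from either binary (DER) or PEM form and computing the MD5 or SHA1 fingerprint to compare against a value obtained out of band. Subject values and addresses are constructed, the OID 1.3.6.1.5.5.8.2.2 is the one used for IKE Intermediate, and the function names are mine.

```go
package main

import (
	"crypto/md5"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/pem"
	"fmt"
	"hash"
	"math/big"
	"net"
	"strings"
	"time"
)

// oidIKEIntermediate is the IKE Intermediate extended key usage
// (1.3.6.1.5.5.8.2.2); Go has no named constant for it.
var oidIKEIntermediate = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 8, 2, 2}

// NewKey generates the RSA key pair. The Add screen offers 512 to 2048 bits;
// this example refuses anything under 2048, since shorter RSA keys are
// factorable or no longer accepted by peers.
func NewKey(bits int) (*rsa.PrivateKey, error) {
	if bits < 2048 {
		return nil, fmt.Errorf("RSA key length %d is too short; use 2048 or more", bits)
	}
	return rsa.GenerateKey(rand.Reader, bits)
}

// subject fills the Subject Information fields (constructed values).
func subject(cn string) pkix.Name {
	return pkix.Name{CommonName: cn, OrganizationalUnit: []string{"Network"},
		Organization: []string{"Example Org"}, Country: []string{"TW"}}
}

// NewRequest produces the REQ entry: a PKCS#10 certification request that
// names the device by IP address, domain name and e-mail in the SAN.
func NewRequest(key *rsa.PrivateKey, ip, dns, email string) ([]byte, error) {
	tmpl := &x509.CertificateRequest{Subject: subject(dns), DNSNames: []string{dns},
		IPAddresses: []net.IP{net.ParseIP(ip)}, EmailAddresses: []string{email}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// NewSelfSigned is the "Create a self-signed certificate" path with all three
// Extended Key Usage options set, signed with SHA-256 rather than the legacy
// rsa-pkcs1-sha1. It returns the certificate in binary (DER) form.
func NewSelfSigned(key *rsa.PrivateKey, ip, dns, email string, days int) ([]byte, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: subject(dns),
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Duration(days) * 24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		UnknownExtKeyUsage: []asn1.ObjectIdentifier{oidIKEIntermediate},
		DNSNames:           []string{dns}, IPAddresses: []net.IP{net.ParseIP(ip)},
		EmailAddresses:     []string{email}, SignatureAlgorithm: x509.SHA256WithRSA}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// ParseCertificate accepts either X.509 file format the Import screen takes:
// binary DER, or PEM (the same DER Base-64 encoded between armor lines). A DER
// file mangled by a text-mode transfer fails here rather than on the device.
func ParseCertificate(data []byte) (*x509.Certificate, error) {
	if block, _ := pem.Decode(data); block != nil {
		if block.Type != "CERTIFICATE" {
			return nil, fmt.Errorf("PEM block is %q, not CERTIFICATE", block.Type)
		}
		data = block.Bytes
	}
	return x509.ParseCertificate(data)
}

var digests = map[string]func() hash.Hash{"md5": md5.New, "sha1": sha1.New, "sha256": sha256.New}

// Fingerprint is the digest of the DER encoding, formatted like the Thumbprint
// field (AB:CD:...). MD5 and SHA1 are what the screen shows; SHA-256 is worth
// comparing whenever the certificate owner publishes it.
func Fingerprint(cert *x509.Certificate, algo string) (string, error) {
	newHash, ok := digests[strings.ToLower(algo)]
	if !ok {
		return "", fmt.Errorf("unknown fingerprint algorithm %q", algo)
	}
	h := newHash()
	h.Write(cert.Raw)
	return strings.ReplaceAll(fmt.Sprintf("% X", h.Sum(nil)), " ", ":"), nil
}

// FingerprintMatches compares with the value confirmed out of band, ignoring
// colons, spaces and letter case; every byte must match.
func FingerprintMatches(cert *x509.Certificate, algo, expected string) bool {
	strip := strings.NewReplacer(":", "", " ", "")
	got, err := Fingerprint(cert, algo)
	return err == nil && strings.EqualFold(strip.Replace(got), strip.Replace(expected))
}
```

ParseCertificate is the check to run on a file before uploading it: if it parses as neither DER nor PEM, the file was most likely corrupted by a text-mode transfer, which is the failure the note in Certificate File Formats warns about.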
My Certificates Edit
You can use this screen to view in-depth certificate information and change the certificate’s name.
Configuration > Object > Certificate > My Certificates > Edit 
Label
Description
Name
This field displays the identifying name of this certificate. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.=- characters.
Certification Path
This field displays for a certificate, not a certification request.
Click the Refresh button to have this read-only text box display the hierarchy of certification authorities that validate the certificate (and the certificate itself).
If the issuing certification authority is one that you have imported as a trusted certification authority, it may be the only certification authority in the list (along with the certificate itself). If the certificate is a self-signed certificate, the certificate itself is the only one in the list. The Zyxel Device does not trust the certificate and displays “Not trusted” in this field if any certificate on the path has expired or been revoked.
Refresh
Click Refresh to display the certification path.
Certificate Information
These read-only fields display detailed information about the certificate.
Type
This field displays general information about the certificate. CA-signed means that a Certification Authority signed the certificate. Self-signed means that the certificate’s owner signed the certificate (not a certification authority). “X.509” means that this certificate was created and signed according to the ITU-T X.509 recommendation that defines the formats for public-key certificates.
Version
This field displays the X.509 version number.
Serial Number
This field displays the certificate’s identification number given by the certification authority or generated by the Zyxel Device.
Subject
This field displays information that identifies the owner of the certificate, such as Common Name (CN), Organizational Unit (OU), Organization (O), State (ST), and Country (C).
Issuer
This field displays identifying information about the certificate’s issuing certification authority, such as Common Name, Organizational Unit, Organization and Country.
With self-signed certificates, this is the same as the Subject Name field.
“none” displays for a certification request.
Signature Algorithm
This field displays the algorithm that was used to sign the certificate. The Zyxel Device signs with rsa-pkcs1-sha1 (an RSA signature over a SHA1 hash). Some certification authorities used rsa-pkcs1-md5 (an RSA signature over an MD5 hash). Both hashes are deprecated for signatures: MD5 collisions have been used to forge certificates, and current browsers and many VPN clients reject SHA1-signed certificates. Where the Zyxel Device’s own certificates must be trusted by such clients, replace them with a certificate issued by a certification authority and signed with SHA-256.
Valid From
This field displays the date that the certificate becomes applicable. “none” displays for a certification request.
Valid To
This field displays the date that the certificate expires. The text displays in red and includes an Expired! message if the certificate has expired. “none” displays for a certification request.
Key Algorithm
This field displays the type of algorithm that was used to generate the certificate’s key pair (the Zyxel Device uses RSA encryption) and the length of the key set in bits (1024 bits for example).
Subject Alternative Name
This field displays the certificate owner‘s IP address (IP), domain name (DNS) or e-mail address (EMAIL).
Key Usage
This field displays for what functions the certificate’s key can be used. For example, “DigitalSignature” means that the key can sign data such as IKE or TLS handshake messages (signing other certificates is a separate usage, KeyCertSign), and “KeyEncipherment” means that the key can be used to encrypt, that is wrap, a symmetric key for transport, as in RSA key exchange, not to encrypt message text directly.
Basic Constraint
This field displays general information about the certificate. For example, Subject Type=CA means that this is a certification authority’s certificate and “Path Length Constraint=1” means that at most one further certification authority certificate may follow this one in a certification path before the end entity’s certificate. This field does not display for a certification request.
MD5 Fingerprint
This is the certificate’s message digest that the Zyxel Device calculated using the MD5 algorithm.
SHA1 Fingerprint
This is the certificate’s message digest that the Zyxel Device calculated using the SHA1 algorithm.
Certificate in PEM (Base-64) Encoded Format
This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format: the binary (DER) encoding converted to printable text with Base-64 (letters, digits, '+', '/' and '=') between BEGIN and END lines.
You can copy and paste a certification request into a certification authority’s web page, an e-mail that you send to the certification authority or a text editor and save the file on a management computer for later manual enrollment.
You can copy and paste a certificate into an e-mail to send to colleagues, or into a text editor and save the file on a management computer for later distribution (on removable media, for example). A certificate contains only the public key, so distributing it this way exposes nothing secret; never distribute an export that includes the private key in the same way.
Export Certificate Only
Use this button to save a copy of the certificate without its private key. Click this button and then Save in the File Download screen. The Save As screen opens, browse to the location that you want to use and click Save.
Password
If you want to export the certificate with its private key, create a password and type it here. Make sure you keep this password in a safe place; you will need it when you import the certificate into another device. Anyone who obtains the exported file and this password holds the Zyxel Device’s private key and can impersonate it, so choose a strong password and delete the exported file once it has been imported where it is needed.
Export Certificate with Private Key
Use this button to save a copy of the certificate with its private key. Type the certificate’s password and click this button. Click Save in the File Download screen. The Save As screen opens, browse to the location that you want to use and click Save.
OK
Click OK to save your changes back to the Zyxel Device. You can only change the name.
Cancel
Click Cancel to quit and return to the My Certificates screen.
My Certificates Import
Follow the instructions in this screen to save an existing certificate to the Zyxel Device.
Note: You can import a certificate that matches a corresponding certification request that was generated by the Zyxel Device. You can also import a certificate in PKCS#12 format, including the certificate’s public and private keys.
The certificate you import replaces the corresponding request in the My Certificates screen.
You must remove any spaces from the certificate’s filename before you can import it.
Configuration > Object > Certificate > My Certificates > Import 
Label
Description
File Path
Type in the location of the file you want to upload in this field or click Browse to find it.
You cannot import a certificate with the same name as a certificate that is already in the Zyxel Device.
Browse
Click Browse to find the certificate file you want to upload.
Password
This field only applies when you import a binary PKCS#12 format file. Type the file’s password that was created when the PKCS #12 file was exported.
OK
Click OK to save the certificate on the Zyxel Device.
Cancel
Click Cancel to quit and return to the My Certificates screen.
Trusted Certificates
This screen displays a summary list of certificates that you have set the Zyxel Device to accept as trusted. The Zyxel Device also accepts any valid certificate signed by a certificate on this list as trustworthy, so you do not need to import every certificate that is signed by one of these certificates. The reverse also holds: every certification authority you import can vouch for any peer presenting a certificate it issued, so import only the authorities your VPN peers and users actually use, and use References and Remove to drop ones that are no longer needed.
Configuration > Object > Certificate > Trusted Certificates 
Label
Description
PKI Storage Space in Use
This bar displays the percentage of the Zyxel Device’s PKI storage space that is currently in use. When the storage space is almost full, you should consider deleting expired or unnecessary certificates before adding more certificates.
Edit
Double-click an entry or select it and click Edit to open a screen with an in-depth list of information about the certificate.
Remove
The Zyxel Device keeps all of your certificates unless you specifically delete them. Uploading a new firmware or default configuration file does not delete your certificates. To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so. Subsequent certificates move up by one when you take this action.
References
You cannot delete certificates that any of the Zyxel Device’s features are configured to use. Select an entry and click References to open a screen that shows which settings use the entry.
#
This field displays the certificate index number. The certificates are listed in alphabetical order.
Name
This field displays the name used to identify this certificate.
Subject
This field displays identifying information about the certificate’s owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information.
Issuer
This field displays identifying information about the certificate’s issuing certification authority, such as a common name, organizational unit or department, organization or company and country. With self-signed certificates, this is the same information as in the Subject field.
Valid From
This field displays the date that the certificate becomes applicable.
Valid To
This field displays the date that the certificate expires. The text displays in red and includes an Expired! message if the certificate has expired.
Import
Click Import to open a screen where you can save the certificate of a certification authority that you trust, from your computer to the Zyxel Device.
Refresh
Click this button to display the current validity status of the certificates.
Trusted Certificates Edit
Use this screen to view in-depth information about the certificate, change the certificate’s name, and set whether the Zyxel Device checks a certification authority’s list of revoked certificates before trusting a certificate issued by that authority.
Configuration > Object > Certificate > Trusted Certificates > Edit 
Label
Description
Name
This field displays the identifying name of this certificate. You can change the name. You can use up to 31 alphanumeric and ;‘~!@#$%^&()_+[]{}’,.=- characters.
Certification Path
Click the Refresh button to have this read-only text box display the end entity’s certificate and a list of certification authority certificates that shows the hierarchy of certification authorities that validate the end entity’s certificate. If the issuing certification authority is one that you have imported as a trusted certificate, it may be the only certification authority in the list (along with the end entity’s own certificate). The Zyxel Device does not trust the end entity’s certificate and displays “Not trusted” in this field if any certificate on the path has expired or been revoked.
Refresh
Click Refresh to display the certification path.
Enable X.509v3 CRL Distribution Points and OCSP checking
Select this check box to have the Zyxel Device check whether a certificate issued by this certification authority has been revoked before trusting it. When it is selected, the Zyxel Device obtains the Certificate Revocation List (CRL) through HTTP, or through LDAP if you select the LDAP Server check box and configure the server, and/or queries an online responder if you select the OCSP Server check box and configure it. Leave this enabled for any authority whose certificates can be revoked: without revocation checking, a certificate whose private key has been compromised and which the authority has since revoked continues to be accepted until it expires.
OCSP Server
Select this check box if the directory server uses OCSP (Online Certificate Status Protocol).
URL
Type the URL of the OCSP responder: the protocol, the IP address or host name, and the path.
ID
The Zyxel Device may need to authenticate itself in order to access the OCSP server. Type the login name (up to 31 ASCII characters) issued by the entity maintaining the server (usually a certification authority).
Password
Type the password (up to 31 ASCII characters) from the entity maintaining the OCSP server (usually a certification authority).
LDAP Server
Select this check box if the directory server uses LDAP (Lightweight Directory Access Protocol). LDAP is a protocol over TCP that specifies how clients access directories of certificates and lists of revoked certificates.
Address
Type the IP address (in dotted decimal notation) of the directory server.
Port
Use this field to specify the LDAP server port number. You must use the same server port number that the directory server uses. 389 is the default server port number for LDAP.
ID
The Zyxel Device may need to authenticate itself in order to access the CRL directory server. Type the login name (up to 31 ASCII characters) issued by the entity maintaining the server (usually a certification authority).
Password
Type the password (up to 31 ASCII characters) from the entity maintaining the CRL directory server (usually a certification authority).
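To make the “Not trusted” decision of the Certification Path field and the CRL check configured above concrete, here is an added Go example (not Zyxel code) in which a constructed certification authority issues a certificate and publishes a CRL, and a checker rejects the certificate when it is expired, when its serial number is on the CA’s CRL, or when the CRL offered was not signed by the CA or is past its NextUpdate. It also covers the certification path and revocation points made in the Certificate Overview. Names, lifetimes and serial numbers are constructed, the type and function names are mine, and a real device would fetch the CRL from the HTTP or LDAP location configured here rather than build it in memory.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Authority is a certification authority: its certificate and signing key.
type Authority struct {
	Cert *x509.Certificate
	Key  *rsa.PrivateKey
}

// NewAuthority creates a self-signed CA allowed to sign certificates and CRLs.
func NewAuthority(name string, lifetime time.Duration) (*Authority, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(lifetime),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &Authority{Cert: cert, Key: key}, err
}

// Issue answers a certification request: an end-entity certificate for cn,
// signed with the CA's private key.
func (a *Authority) Issue(serial int64, cn string, lifetime time.Duration) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(lifetime),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, a.Cert, &key.PublicKey, a.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Revoke publishes a CRL listing the given serial numbers, signed by the CA and
// valid for one day; a directory server would serve this over HTTP or LDAP.
// RevokedCertificates is the field every Go release with ParseRevocationList
// populates (Go 1.21 added RevokedCertificateEntries alongside it).
func (a *Authority) Revoke(serials ...int64) (*x509.RevocationList, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour)}
	for _, s := range serials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, a.Cert, a.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// CheckStatus reproduces the Certification Path decision at time at: the end
// entity is "Not trusted" if its path does not lead to the trusted CA, if any
// certificate on the path is outside its validity period, or if its serial
// number is on the CA's CRL. A CRL that the CA did not sign, or that is past
// its NextUpdate, is rejected rather than silently read as "nothing revoked".
func CheckStatus(leaf, ca *x509.Certificate, crl *x509.RevocationList, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("not trusted: %w", err)
	}
	if crl == nil {
		return nil // revocation checking disabled: a revoked certificate passes here
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("not trusted: CRL not signed by %q: %w", ca.Subject.CommonName, err)
	}
	if at.After(crl.NextUpdate) {
		return fmt.Errorf("not trusted: CRL stale since %s", crl.NextUpdate.UTC().Format(time.RFC3339))
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("not trusted: serial %s revoked at %s", leaf.SerialNumber,
				r.RevocationTime.UTC().Format(time.RFC3339))
		}
	}
	return nil
}
```

With a longer path (one or more intermediate authorities between the end entity and the trusted CA), each intermediate must be checked against its own issuer’s CRL in the same way; the single-level check above is what the one-CA case in this screen needs.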
Certificate Information
These read-only fields display detailed information about the certificate.
Type
This field displays general information about the certificate. CA-signed means that a Certification Authority signed the certificate. Self-signed means that the certificate’s owner signed the certificate (not a certification authority). X.509 means that this certificate was created and signed according to the ITU-T X.509 recommendation that defines the formats for public-key certificates.
Version
This field displays the X.509 version number.
Serial Number
This field displays the certificate’s identification number given by the certification authority.
Subject
This field displays information that identifies the owner of the certificate, such as Common Name (CN), Organizational Unit (OU), Organization (O) and Country (C).
Issuer
This field displays identifying information about the certificate’s issuing certification authority, such as Common Name, Organizational Unit, Organization and Country.
With self-signed certificates, this is the same information as in the Subject Name field.
Signature Algorithm
This field displays the algorithm that was used to sign the certificate. Some certification authorities use rsa-pkcs1-sha1 (an RSA signature over a SHA1 hash). Other certification authorities may use rsa-pkcs1-md5 (an RSA signature over an MD5 hash). Neither hash is acceptable for new certificates. A self-signed root’s own signature is not what makes it trusted, so the algorithm matters little there, but an intermediate or end-entity certificate signed with MD5 should be rejected, since MD5 collisions have been used to forge such certificates.
Valid From
This field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid! message if the certificate has not yet become applicable.
Valid To
This field displays the date that the certificate expires. The text displays in red and includes an Expiring! or Expired! message if the certificate is about to expire or has already expired.
Key Algorithm
This field displays the type of algorithm that was used to generate the certificate’s key pair (the Zyxel Device uses RSA encryption) and the length of the key set in bits (1024 bits for example).
Subject Alternative Name
This field displays the certificate’s owner‘s IP address (IP), domain name (DNS) or e-mail address (EMAIL).
Key Usage
This field displays for what functions the certificate’s key can be used. For example, “DigitalSignature” means that the key can sign data such as IKE or TLS handshake messages (signing other certificates is a separate usage, KeyCertSign), and “KeyEncipherment” means that the key can be used to encrypt, that is wrap, a symmetric key for transport, as in RSA key exchange, not to encrypt message text directly.
Basic Constraint
This field displays general information about the certificate. For example, Subject Type=CA means that this is a certification authority’s certificate and “Path Length Constraint=1” means that at most one further certification authority certificate may follow this one in a certification path before the end entity’s certificate.
MD5 Fingerprint
This is the certificate’s message digest that the Zyxel Device calculated using the MD5 algorithm. You can use this value to verify with the certification authority (over the phone for example) that this is actually their certificate.
SHA1 Fingerprint
This is the certificate’s message digest that the Zyxel Device calculated using the SHA1 algorithm. You can use this value to verify with the certification authority (over the phone for example) that this is actually their certificate.
Certificate
This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses lowercase letters, uppercase letters and numerals to convert a binary certificate into a printable form.
You can copy and paste the certificate into an e-mail to send to colleagues, or into a text editor and save the file on a management computer for later distribution (on removable media, for example). A certificate contains only the public key, so distributing it this way exposes nothing secret.
Export Certificate
Click this button and then Save in the File Download screen. The Save As screen opens, browse to the location that you want to use and click Save.
OK
Click OK to save your changes back to the Zyxel Device. You can only change the name.
Cancel
Click Cancel to quit and return to the Trusted Certificates screen.
Trusted Certificates Import
Follow the instructions in this screen to save a trusted certificate to the Zyxel Device.
Note: You must remove any spaces from the certificate’s filename before you can import the certificate.
Configuration > Object > Certificate > Trusted Certificates > Import 
Label
Description
File Path
Type in the location of the file you want to upload in this field or click Browse to find it.
You cannot import a certificate with the same name as a certificate that is already in the Zyxel Device.
Browse
Click Browse to find the certificate file you want to upload.
OK
Click OK to save the certificate on the Zyxel Device.
Cancel
Click Cancel to quit and return to the previous screen.
ISP Account Overview
Use ISP accounts to manage Internet Service Provider (ISP) account information for PPPoE/PPTP/L2TP interfaces. An ISP account is a profile of settings for Internet access using PPPoE, PPTP or L2TP.
ISP Account Summary
This screen provides a summary of ISP accounts in the Zyxel Device.
Configuration > Object > ISP Account 
Label
Description
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
References
Select an entry and click References to open a screen that shows which settings use the entry.
#
This field is a sequential value, and it is not associated with a specific entry.
Profile Name
This field displays the profile name of the ISP account. This name is used to identify the ISP account.
Protocol
This field displays the protocol used by the ISP account.
Authentication Type
This field displays the authentication type used by the ISP account.
User Name
This field displays the user name of the ISP account.
ISP Account Add/Edit
The ISP Account Add/Edit screen lets you add information about new accounts and edit information about existing accounts.
Configuration > Object > ISP Account > Edit 
Label
Description
Profile Name
This field is read-only if you are editing an existing account. Type in the profile name of the ISP account. The profile name is used to refer to the ISP account. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Protocol
This field is read-only if you are editing an existing account. Select the protocol used by the ISP account. Your ISP will provide you with a related username, password and IP (server) information. Options are:
pppoe - This ISP account uses the PPPoE protocol.
pptp - This ISP account uses the PPTP protocol.
l2tp - This ISP account uses the L2TP protocol.
Authentication Type
Use the drop-down list box to select an authentication protocol for outgoing calls. Options are:
CHAP/PAP - Your Zyxel Device accepts either CHAP or PAP when requested by this remote node.
CHAP - Your Zyxel Device accepts CHAP only.
PAP - Your Zyxel Device accepts PAP only. PAP sends the password over the link in clear text; use it only if the ISP accepts nothing else.
MSCHAP - Your Zyxel Device accepts MSCHAP only.
MSCHAP-V2 - Your Zyxel Device accepts MSCHAP-V2 only.
Encryption Method
This field is available if this ISP account uses the PPTP protocol. Use the drop-down list box to select the type of Microsoft Point-to-Point Encryption (MPPE). Options are:
nomppe - This ISP account does not use MPPE. The PPTP tunnel then carries traffic unencrypted.
mppe-40 - This ISP account uses 40-bit MPPE. A 40-bit key offers little protection; prefer mppe-128 when the server supports it.
mppe-128 - This ISP account uses 128-bit MPPE.
User Name
Type the user name given to you by your ISP.
Password
Type the password associated with the user name above. The password can only consist of alphanumeric characters (A-Z, a-z, 0-9). This field can be blank.
Retype to Confirm
Type your password again to make sure that you have entered it correctly.
IP Address/FQDN
Enter the IP address or Fully-Qualified Domain Name (FQDN) of the PPTP or L2TP server.
Server IP
If this ISP account uses the PPPoE protocol, this field is not displayed.
If this ISP account uses the PPTP protocol, type the IP address of the PPTP server.
Connection ID
This field is available if this ISP account uses the PPTP protocol. Type your identification name for the PPTP server. This field can be blank.
Service Name
If this ISP account uses the PPPoE protocol, type the PPPoE service name to access. PPPoE uses the specified service name to identify and reach the PPPoE server. This field can be blank.
If this ISP account uses the PPTP protocol, this field is not displayed.
Compression
Select On to turn on Stac compression, or Off to turn it off. Stac compression is a data compression technique capable of compressing data by a factor of about four.
Idle Timeout
This value specifies the number of seconds that must elapse without outbound traffic before the Zyxel Device automatically disconnects from the PPPoE/PPTP server. This value must be an integer between 0 and 360. If this value is zero, this timeout is disabled.
OK
Click OK to save your changes back to the Zyxel Device. If there are no errors, the program returns to the ISP Account screen. If there are errors, a message box explains the error, and the program stays in the ISP Account Edit screen.
Cancel
Click Cancel to return to the ISP Account screen without creating the profile (if it is new) or saving any changes to the profile (if it already exists).
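The Authentication Type choice above decides what the ISP link carries during login. The following Python script is an added example, not Zyxel code; the packet layouts follow RFC 1334 (PAP) and RFC 1994 (CHAP), the MD5 step is what CHAP itself specifies, and the secret, user name and challenge are constructed sample values. It builds a PAP Authenticate-Request and a CHAP Response for the same account and shows that only the PAP packet contains the password bytes, and how the authenticator verifies the CHAP response.

```python
import hashlib
import hmac
import os
import struct


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994, section 4.1: Response Value = MD5(Identifier || secret || Challenge Value).
    MD5 is mandated by the CHAP specification; it is not a choice made in this example."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Authenticator side: recompute the expected value and compare in constant time."""
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def chap_response_packet(identifier: int, secret: bytes, challenge: bytes, name: bytes) -> bytes:
    """CHAP Response: Code=2, Identifier, Length, Value-Size, Value, Name (RFC 1994, section 4.1)."""
    value = chap_response(identifier, secret, challenge)
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", 2, identifier & 0xFF, 4 + len(body)) + body


def pap_authenticate_request(identifier: int, peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request: Code=1, Identifier, Length, Peer-ID-Length, Peer-ID,
    Passwd-Length, Password (RFC 1334, section 2.2.1). The password is sent as-is."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, identifier & 0xFF, 4 + len(body)) + body


def password_visible_on_wire(packet: bytes, password: bytes) -> bool:
    """True when the literal password bytes appear inside the packet."""
    return password in packet


if __name__ == "__main__":
    secret = b"Sup3rSecret"               # constructed; the page allows alphanumeric passwords only
    user = b"user@isp.example"            # constructed ISP user name
    challenge = os.urandom(16)            # the authenticator (the ISP side) picks the challenge
    ident = 7
    pap = pap_authenticate_request(ident, user, secret)
    chap = chap_response_packet(ident, secret, challenge, user)
    print("PAP packet exposes password: ", password_visible_on_wire(pap, secret))
    print("CHAP packet exposes password:", password_visible_on_wire(chap, secret))
    print("CHAP response accepted:      ", chap_verify(ident, secret, challenge, chap[5:21]))
```

The Identifier byte ties a response to one challenge, so replaying a captured CHAP response against a fresh challenge fails, which is exactly the check chap_verify performs with a different identifier or challenge.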
SSL Application
You use SSL application objects in SSL VPN. Configure an SSL application object to specify the type of application and the address of the local computer, server, or web site SSL users are to be able to access. You can apply one or more SSL application objects in the VPN > SSL VPN screen for a user account/user group.
The ZyWALL VPN models do not support SSL Application.
Application Types
You can configure the following SSL applications on the Zyxel Device.
Web-based
A web-based application allows remote users to access an intranet site using standard web browsers.
Remote User Screen Links
Available SSL application names are displayed as links in remote user screens. Depending on the application type, remote users can simply click the links or follow the steps in the pop-up dialog box to access the application.
Remote Desktop Connections
Use SSL VPN to allow remote users to manage LAN computers. Depending on the functions supported by the remote desktop software, they can install or remove software, run programs, change settings, and open, copy, create, and delete files. This is useful for troubleshooting, support, administration, and remote access to files and programs.
The LAN computer to be managed must have VNC (Virtual Network Computing) or RDP (Remote Desktop Protocol) server software installed. The remote user’s computer does not use VNC or RDP client software. The Zyxel Device works with the following remote desktop connection software:
RDP
Windows Remote Desktop (supported in Internet Explorer)
VNC
RealVNC
TightVNC
UltraVNC
For example, user A uses an SSL VPN connection to log into the Zyxel Device. Then he manages LAN computer B which has RealVNC server software installed.
Weblinks
You can configure weblink SSL applications to allow remote users to access web sites.
Example: Specifying a Web Site for Access
This example shows you how to create a web-based application for an internal web site. The address of the web site is http://my-info and Web Page Encryption is enabled.
1 Click Configuration > Object > SSL Application in the navigation panel.
2 Click the Add button and select Web Application in the Type field.
3 In the Server Type field, select Web Server.
4 Enter a descriptive name in the Display Name field. For example, “CompanyIntranet”.
5 In the Address field, enter “http://my-info”.
6 Select Web Page Encryption to prevent users from saving the web content.
7 Click OK to save the settings.
SSL Application
The main SSL Application screen displays a list of the configured SSL application objects.
Configuration > Object > SSL Application
Label
Description
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to be able to modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
References
Select an entry and click References to open a screen that shows which settings use the entry.
#
This field displays the index number.
Name
This field displays the name of the object.
Address
This field displays the IP address/URL of the application server or the location of a file share.
Type
This field shows whether the object is a file-sharing, web-server, Outlook Web Access, Virtual Network Computing, or Remote Desktop Protocol SSL application.
Creating/Editing an SSL Application Object
You can create a web-based application that allows remote users to access an application via standard web browsers. You can also create a file sharing application that specifies the name of a folder on a file server (Linux or Windows) which remote users can access. Remote users can access files using a standard web browser and files are displayed as links on the screen.
Note: To configure an SSL application, click the Add or Edit button in the SSL Application screen and select Web Application or File Sharing in the Type field. If you are creating a file sharing SSL application, you must also configure the shared folder on the file server for remote access. Refer to the document that comes with your file server.
Configuration > Object > SSL Application > Add/Edit: Web Application/File Sharing  
Label
Description
Create new Object
Use this to configure any new settings objects that you need to use in this screen.
Object
Type
Select Web Application or File Sharing from the drop-down list box.
Web Application
Server Type
This field only appears when you choose Web Application as the object type.
Specify the type of service for this SSL application.
Select Web Server to allow access to the specified web site hosted on the local network.
Select OWA (Outlook Web Access) to allow users to access e-mails, contacts and calendars via a Microsoft Outlook-like interface using supported web browsers. The Zyxel Device supports one OWA object.
Select VNC to allow users to manage LAN computers that have Virtual Network Computing remote desktop server software installed.
Select RDP to allow users to manage LAN computers that have Remote Desktop Protocol remote desktop server software installed.
Select Weblink to create a link to a web site that you expect the SSL VPN users to commonly use.
Name
Enter a descriptive name to identify this object. You can enter up to 31 characters (“0-9”, “a-z”, “A-Z”, “-” and “_”). Spaces are not allowed.
URL
This field only appears when you choose Web Application as the object type.
This field displays if the Server Type is set to Web Server, OWA, or Weblink.
Enter the Fully-Qualified Domain Name (FQDN) or IP address of the application server.
*You must enter the “http://” or “https://” prefix.
Remote users can access only files under the path you enter. For example, if you enter “\remote\” in this field, remote users can only access files in the “remote” directory.
If a link points to a file outside this path, remote users cannot access it.
Preview
This field only appears when you choose Web Application or File Sharing as the object type.
This field displays if the Server Type is set to Web Server, OWA or Weblink.
Note: If your Internet Explorer or other browser screen doesn’t show a preview, it may be due to your web browser security settings. You need to add the Zyxel Device’s IP address in the trusted sites of your web browser. For example, in Internet Explorer, click Tools > Internet Options > Security > Trusted Sites > Sites and type the Zyxel Device’s IP address, then click Add. For other web browsers, please check the browser help.
Click Preview to access the URL you specified in a new web browser screen.
Entry Point
This field only appears when you choose Web Application as the object type.
This field displays if the Server Type is set to Web Server or OWA.
This field is optional. You only need to configure this field if you need to specify the name of the directory or file on the local server as the home page or home directory on the user screen.
Web Page Encryption
This field only appears when you choose Web Application as the object type.
Select this option to prevent users from saving the web content.
Shared Path
This field only appears when you choose File Sharing as the object type.
Specify the IP address, domain name or NetBIOS name (computer name) of the file server and the name of the share to which you want to allow user access. Enter the path in one of the following formats.
“\\<IP address>\<share name>”
“\\<domain name>\<share name>”
“\\<computer name>\<share name>”
For example, if you enter “\\my-server\Tmp”, this allows remote users to access all files and/or folders in the “\Tmp” share on the “my-server” computer.
OK
Click OK to save the changes and return to the main SSL Application Configuration screen.
Cancel
Click Cancel to discard the changes and return to the main SSL Application Configuration screen.
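The Name, URL and Shared Path fields above each have a fixed format, and the device accepts only one OWA object. When SSL application objects are prepared in bulk (for example from a spreadsheet before entering them on this screen), the following Python check catches the usual mistakes first. It is an added example and not Zyxel code; the object keys mirror the screen labels, the OWA limit and the field rules are taken from the table above, and the object values are constructed. The http:// warning is this example's addition: the device terminates the SSL VPN session, so an http:// URL means the hop from the device to the internal server is unencrypted.

```python
import ipaddress
import re
from urllib.parse import urlsplit

NAME_RE = re.compile(r"^[0-9A-Za-z_-]{1,31}$")             # Name field: up to 31 chars, no spaces
SHARE_RE = re.compile(r"^\\\\([^\\\s]+)\\([^\\\s]+)\\?$")  # \\<host>\<share>, optional trailing backslash
WEB_SERVER_TYPES = {"Web Server", "OWA", "VNC", "RDP", "Weblink"}
URL_SERVER_TYPES = {"Web Server", "OWA", "Weblink"}        # server types that show the URL field
FQDN_RE = re.compile(r"[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*")


def _host_ok(host: str) -> bool:
    """Accept an IP address or a host/domain name (also covers a plain computer name)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return bool(FQDN_RE.fullmatch(host))


def validate_ssl_application(obj: dict, existing: list) -> dict:
    """Return {"errors": [...], "warnings": [...]} for one SSL application object.
    obj keys mirror the screen: Name, Type, Server Type, URL, Entry Point, Shared Path.
    existing holds the objects already configured, in the same shape."""
    errors, warnings = [], []
    name = obj.get("Name", "")
    if not NAME_RE.match(name):
        errors.append("Name: 1-31 characters from 0-9, a-z, A-Z, '-' and '_'; no spaces")
    if any(e.get("Name") == name for e in existing):
        errors.append("Name: an object with this name already exists")

    obj_type = obj.get("Type")
    if obj_type == "Web Application":
        stype = obj.get("Server Type")
        if stype not in WEB_SERVER_TYPES:
            errors.append("Server Type: must be one of %s" % ", ".join(sorted(WEB_SERVER_TYPES)))
        if stype == "OWA" and any(e.get("Server Type") == "OWA" for e in existing):
            errors.append("Server Type: the device supports only one OWA object")
        if stype in URL_SERVER_TYPES:
            parts = urlsplit(obj.get("URL", ""))
            if parts.scheme not in ("http", "https") or not parts.netloc:
                errors.append('URL: must start with "http://" or "https://" and name a host')
            elif not _host_ok(parts.hostname or ""):
                errors.append("URL: host must be an IP address or FQDN")
            elif parts.scheme == "http":
                warnings.append("URL: http:// leaves the device-to-server hop unencrypted")
        if obj.get("Entry Point") and stype not in ("Web Server", "OWA"):
            errors.append("Entry Point: only applies to Web Server and OWA")
    elif obj_type == "File Sharing":
        m = SHARE_RE.match(obj.get("Shared Path", ""))
        if not m:
            errors.append(r'Shared Path: use "\\<IP address|domain name|computer name>\<share name>"')
        elif not _host_ok(m.group(1)):
            errors.append("Shared Path: host must be an IP address, domain name or computer name")
    else:
        errors.append("Type: select Web Application or File Sharing")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    # Constructed objects matching the worked example earlier on this page.
    configured = [{"Name": "mail", "Type": "Web Application", "Server Type": "OWA",
                   "URL": "https://mail.example.com"}]
    candidates = [
        {"Name": "CompanyIntranet", "Type": "Web Application", "Server Type": "Web Server",
         "URL": "http://my-info"},
        {"Name": "Company Intranet", "Type": "Web Application", "Server Type": "Web Server",
         "URL": "my-info"},
        {"Name": "Tmp", "Type": "File Sharing", "Shared Path": r"\\my-server\Tmp"},
        {"Name": "mail2", "Type": "Web Application", "Server Type": "OWA",
         "URL": "https://owa2.example.com"},
    ]
    for c in candidates:
        print(c["Name"], validate_ssl_application(c, configured))
```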
DHCPv6 Overview
This section describes how to configure DHCPv6 request type and lease type objects.
The Request screen allows you to configure DHCPv6 request type objects.
The Lease screen allows you to configure DHCPv6 lease type objects.
DHCPv6 Request
The Request screen allows you to add, edit, and remove DHCPv6 request type objects.
Configuration > Object > DHCPv6 > Request 
Label
Description
Configuration
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
References
Select an entry and click References to open a screen that shows which settings use the entry.
#
This field is a sequential value, and it is not associated with a specific object.
Name
This field displays the name of each request object.
Type
This field displays the request type of each request object.
Interface
This field displays the interface used for each request object.
Value
This field displays the value for each request object.
DHCPv6 Request Add/Edit
The Request Add/Edit screen allows you to create a new request object or edit an existing one.
Configuration > Object > DHCPv6 > Request > Add 
Label
Description
Name
Type the name for this request object. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Request Type
Select the request type for this request object. You can choose from Prefix Delegation, DNS Server, NTP Server, or SIP Server.
Interface
Select the interface for this request object.
OK
Click OK to save your changes back to the Zyxel Device.
Cancel
Click Cancel to exit this screen without saving your changes.
DHCPv6 Lease
The Lease screen allows you to add, edit, and remove DHCPv6 lease type objects.
Configuration > Object > DHCPv6 > Lease 
Label
Description
Configuration
Add
Click this to create a new entry.
Edit
Double-click an entry or select it and click Edit to open a screen where you can modify the entry’s settings.
Remove
To remove an entry, select it and click Remove. The Zyxel Device confirms you want to remove it before doing so.
References
Select an entry and click References to open a screen that shows which settings use the entry.
#
This field is a sequential value, and it is not associated with a specific object.
Name
This field displays the name of each lease object.
Type
This field displays the lease type of each lease object.
Interface
This field displays the interface used for each lease object.
Value
This field displays the value for each lease object.
DHCPv6 Lease Add/Edit
The Lease Add/Edit screen allows you to create a new lease object or edit an existing one.
Configuration > Object > DHCPv6 > Lease > Add/Edit 
Label
Description
Name
Type the name for this lease object. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.
Lease Type
Select the lease type for this lease object. You can choose from Prefix Delegation, DNS Server, Address, Address Pool, NTP Server, or SIP Server.
Interface
Select the interface for this lease object.
DUID
If you select Prefix Delegation or Address in the Lease Type field, enter the DUID of the interface.
Prefix
If you select Prefix Delegation or Address in the Lease Type field, enter the IPv6 prefix of the interface.
DNS Server
If you select DNS Server in the Lease Type field, select a request object or User Defined in the DNS Server field and enter the IP address of the DNS server in the User Defined Address field below.
Starting IP Address
If you select Address Pool in the Lease Type field, enter the first of the contiguous addresses in the IP address pool.
End IP Address
If you select Address Pool in the Lease Type field, enter the last of the contiguous addresses in the IP address pool.
NTP Server
If you select NTP Server in the Lease Type field, select a request object or User Defined in the NTP Server field and enter the IP address of the NTP server in the User Defined Address field below.
SIP Server
If you select SIP Server in the Lease Type field, select a request object or User Defined in the SIP Server field and enter the IP address of the SIP server in the User Defined Address field below.
User Defined Address
If you select DNS Server, NTP Server, or SIP Server as your lease type, you must enter the IP address of the server you selected.
OK
Click OK to save your changes back to the Zyxel Device.
Cancel
Click Cancel to exit this screen without saving your changes.
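A Prefix Delegation or Address lease is keyed on the client's DUID, so a typo there means the lease never matches, and an Address Pool lease is only useful if the pool lies inside the interface prefix. The following Python script is an added example, not Zyxel code: parse_duid decodes the DUID types defined in RFC 8415, section 11 (DUID-LLT, DUID-EN, DUID-LL, DUID-UUID) so you can confirm that a DUID copied from a client really carries that client's MAC address, and check_address_pool validates the Starting and End IP Address pair against the prefix. The DUIDs, MAC and addresses are constructed sample values.

```python
import datetime
import ipaddress
import uuid

DUID_EPOCH = datetime.datetime(2000, 1, 1, tzinfo=datetime.timezone.utc)  # DUID-LLT time base, RFC 8415 11.2


def _fmt_ll(addr: bytes) -> str:
    return ":".join("%02x" % b for b in addr)


def parse_duid(duid: str) -> dict:
    """Decode a DUID as a client displays it (hex, optionally ':' or '-' separated) into its fields."""
    raw = bytes.fromhex(duid.replace(":", "").replace("-", "").replace(" ", ""))
    if len(raw) < 3:
        raise ValueError("DUID too short")
    dtype = int.from_bytes(raw[:2], "big")
    if dtype == 1:                         # DUID-LLT: hardware type(2), time(4), link-layer address
        if len(raw) < 9:
            raise ValueError("DUID-LLT too short")
        seconds = int.from_bytes(raw[4:8], "big")
        return {"type": "DUID-LLT", "hardware_type": int.from_bytes(raw[2:4], "big"),
                "time": DUID_EPOCH + datetime.timedelta(seconds=seconds),
                "link_layer": _fmt_ll(raw[8:])}
    if dtype == 2:                         # DUID-EN: enterprise number(4), vendor-assigned identifier
        if len(raw) < 7:
            raise ValueError("DUID-EN too short")
        return {"type": "DUID-EN", "enterprise_number": int.from_bytes(raw[2:6], "big"),
                "identifier": raw[6:].hex()}
    if dtype == 3:                         # DUID-LL: hardware type(2), link-layer address
        if len(raw) < 5:
            raise ValueError("DUID-LL too short")
        return {"type": "DUID-LL", "hardware_type": int.from_bytes(raw[2:4], "big"),
                "link_layer": _fmt_ll(raw[4:])}
    if dtype == 4:                         # DUID-UUID: exactly 16 bytes of UUID
        if len(raw) != 18:
            raise ValueError("DUID-UUID must be 2 + 16 bytes")
        return {"type": "DUID-UUID", "uuid": str(uuid.UUID(bytes=raw[2:]))}
    raise ValueError("unknown DUID type %d" % dtype)


def duid_matches_mac(duid: str, mac: str) -> bool:
    """True when a DUID-LLT or DUID-LL carries the given Ethernet MAC (hardware type 1)."""
    info = parse_duid(duid)
    return info.get("hardware_type") == 1 and info.get("link_layer") == mac.lower().replace("-", ":")


def check_address_pool(start: str, end: str, prefix: str) -> dict:
    """Validate an Address Pool lease: Starting <= End and both addresses inside the prefix."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    a, b = ipaddress.IPv6Address(start), ipaddress.IPv6Address(end)
    problems = []
    if a > b:
        problems.append("Starting IP Address is after End IP Address")
    for label, addr in (("Starting", a), ("End", b)):
        if addr not in net:
            problems.append("%s IP Address %s is outside %s" % (label, addr, net))
    return {"size": int(b) - int(a) + 1 if a <= b else 0, "problems": problems}


if __name__ == "__main__":
    # Constructed DUIDs: a DUID-LLT and a DUID-LL, both for Ethernet (hardware type 1).
    print(parse_duid("00:01:00:01:2a:3b:4c:5d:00:11:22:33:44:55"))
    print(duid_matches_mac("00:03:00:01:0a:0b:0c:0d:0e:0f", "0A-0B-0C-0D-0E-0F"))
    print(check_address_pool("2001:db8:1::100", "2001:db8:1::1ff", "2001:db8:1::/64"))
```

Most clients generate a DUID-LLT or DUID-LL, so the link-layer field is the quickest way to tie a DUID to the host you intend to serve; a DUID-EN or DUID-UUID carries no MAC and has to be read off the client itself.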