IP40 Version 1.0 Appliance User’s Guide

N450916001 Rev A

October 2003


COPYRIGHT

©2003 Nokia. All rights reserved. Rights reserved under the copyright laws of the United States.

RESTRICTED RIGHTS LEGEND

Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013.

Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer software, the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19.

IMPORTANT NOTE TO USERS

This software and hardware is provided by Nokia Inc. as is and any express or implied warranties, including, but not limited to, implied warranties of merchantability and fitness for a particular purpose are disclaimed. In no event shall Nokia, or its affiliates, subsidiaries or suppliers be liable for any direct, indirect, incidental, special, exemplary, or consequential damages (including, but not limited to, procurement of substitute goods or services; loss of use, data, or profits; or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of this software, even if advised of the possibility of such damage.

Nokia reserves the right to make changes without further notice to any products herein.

TRADEMARKS

Nokia is a registered trademark of Nokia Corporation. Other products mentioned in this document are trademarks or registered trademarks of their respective holders.

Nokia Contact Information

Corporate Headquarters

Web Site: http://www.nokia.com
Telephone: 1-888-477-4566 or 1-650-625-2000
Fax: 1-650-691-2170
Mail Address:
Nokia Inc.
313 Fairchild Drive
Mountain View, California 94043-2215 USA

Regional Contact Information

Americas
Nokia
313 Fairchild Drive
Mountain View, CA 94043-2215 USA
Tel: 1-877-997-9199
Outside USA and Canada: +1 512-437-7089
email: [email protected]

Europe, Middle East, and Africa
Nokia House, Summit Avenue
Southwood, Farnborough
Hampshire GU14 ONG UK
Tel: UK: +44 161 601 8908
Tel: France: +33 170 708 166
email: [email protected]

Asia-Pacific
438B Alexandra Road
#07-00 Alexandra Technopark
Singapore 119968
Tel: +65 6588 3364
email: [email protected]


Nokia Customer Support

Web Site: https://support.nokia.com/
Email: [email protected]

Americas
Voice: 1-888-361-5030 or 1-613-271-6721
Fax: 1-613-271-8782

Europe
Voice: +44 (0) 125-286-8900
Fax: +44 (0) 125-286-5666

Asia-Pacific
Voice: +65-67232999
Fax: +65-67232897


Contents

In This Guide
Conventions This Guide Uses
Notices
Command-Line Conventions
Text Conventions
Menu Items
Related Documentation

1 Introduction
About the Nokia IP40
Nokia IP40 Tele 8
Nokia IP40 Satellite 16, Satellite 32, Satellite Unlimited
Nokia IP40 Features
Connectivity
Firewall
VPN
Management
Security Services
Diagnostics and Maintenance
Nokia IP40 Package Contents
Network Requirements
Appliance Overview
IP40 Rear Panel
IP40 Front Panel

2 Installing the Nokia IP40
Before You Install the Nokia IP40
Setting Up Nokia IP40 with Microsoft Windows 98 or Millennium Operating Systems
Setting Up Nokia IP40 with Microsoft Windows XP and 2000 Operating Systems
Setting up Nokia IP40 with an Apple Computer
Connecting the Nokia IP40 to the Network
Installing Your Network


3 Getting Started
First Time Login
Configuring Nokia IP40 for Internet Connection
Making Initial Nokia IP40 Settings
Setting the Nokia IP40 Time
Registering with Nokia Support Site
Connecting to a Central Management Server
Logging On to the Nokia IP40
Accessing the IP40 securely
Logging Off
Understanding the Web based GUI of IP40
Using the Nokia IP40 Web User Interface
GUI Map

4 Accessing the Nokia IP40
Connection Methods
Configuration Methods
Connecting the Nokia IP40 to a computer by Using the Console Port
Using Telnet to Connect to the Nokia IP40
Enabling and Disabling Telnet Access to the Nokia IP40
Using Secure Shell (SSH) to Connect to the Nokia IP40
Accessing the Nokia IP40 using HTTP and HTTPS
Managing large scale deployments of the Nokia IP40
Nokia Horizon Manager
SmartCenter Large Scale Manager
Sofaware Security Management Portal

5 Connecting to the Internet using IP40
Configuring for Internet Connection
Using the Setup Wizard
Direct LAN Connection
Cable Connection Settings
MAC Cloning
DSL Connection Settings
Manually Configuring the Internet Setting
LAN Connection
Cloning a MAC Address
Viewing Internet Connection Information
Enabling/Disabling the Internet Connection
Using Quick Internet Connection/Disconnection
Configuring a Backup Internet Connection


6 Managing Your Local Area Network
Configuring Network Settings
Enabling and Disabling the DHCP Server
Changing IP Addresses
Enabling/Disabling Hide NAT
Configuring a DMZ Network
Using Static NAT
Adding and Editing Static NAT mappings
Viewing and Deleting Static NAT Mappings
Using Static Routes

7 Setting Up the Security Policy in IP40
Setting the Firewall Security Level
Configuring Virtual Servers
Customizing your security policy
Creating Firewall Rules
Allow and Block Rules
Deleting Rules
Defining an Exposed Host

8 Configuring Network Access
Changing Your Password
Adding Users
Viewing and Editing Users
Deleting Users
Setting Up Remote VPN Access for Users
Using RADIUS Authentication
Secure Shell
Secure Shell Description
Configuring SSH
Enabling/Disabling SSH Service
SSH Authentication Methods
Using SSH Client
Configuring Advanced Secure Shell Server Options
Configuring Server Authentication of Users
Configuring and Managing SSH Key Pairs
Managing Authorized Keys
Secure Socket Layer
Enabling HTTPS Web Access
Generating a self-signed Certificate and Private Key
Installing a Certificate and Private Key


9 Configuring and monitoring using SNMP
SNMP Description
SNMP Configuration from the Nokia IP40
Setting up SNMP access to the Nokia IP40
Configuring the SNMP Parameters
Configuring SNMP Parameters from the Command-line Interface

10 Configuring the Nokia IP40 through Out of Band Management
Overview
Configuring for OOB from the Nokia IP40 GUI
Configuring the Nokia IP40 for OOB from the CLI
Configuring the modem settings from the CLI
Secure Shell and HTTPS Access through Out of Band Dial-in
Upgrading the firmware through Out of Band Dial-in (Failsafe Mode)
Booting in to Failsafe Mode
Special Deployment Mode in the Nokia IP40

11 Configuring Device Functions
Host Name Configuration
Date and Time Configuration
System Logging Configuration
Network Utilities
Managing Configuration
Exporting the IP40 Configuration
Importing the IP40 Configuration
Firmware Upgrade
Firmware Upgrade in Failsafe Mode
Installing Your Product Key
Resetting the IP40 to Factory Defaults
To reset the IP40 to factory defaults using the Reset button

12 Viewing Reports
Viewing Reports
Viewing the Event Log
Viewing Active Computers
Viewing Active Connections
Viewing VPN Tunnels
Viewing Diagnostics Summary

13 Working with VPNs
Overview
Remote Access VPNs
Configuring a Remote Access VPN Site


Configuring a Site to Site VPN Gateway
Completing Site Creation
Setting Up the Nokia IP40 Satellite X as a VPN Server
To set up your IP40 as a VPN server
Deleting a VPN Site
Logging on to a VPN Site
Logging On from the Nokia IP40 GUI
Logging On Through my.vpn
Logging Off a VPN Site
SecuRemote to Satellite X (VPN Client to Gateway)
Setting up IP40 Satellite X
Setting up SecuRemote
Setting up the Nokia IP40 Tele 8 as VPN Client
Adding VPN Sites by Using the Nokia IP40 Tele 8
Adding VPN Sites by Using IP40 Satellite X
To add or edit VPN sites by using IP40 Satellite X
IP40Tele to IP40 Satellite X (VPN Client to Gateway)
Setting up IP40 Tele 8
Setting up IP40 Satellite X
IP40 Tele 8 to Check Point v4.1/ NG/ FP1/ FP2/FP3/NG AI
Setting up IP40 Tele 8
Setting up Check Point Server
IP40 Tele 8 to Check Point NG AI
Setting up IP40 Tele 8
Setting up Check Point NG AI
Site-to-Site VPNs
IP40 Satellite X in NAT and No-NAT Modes
No-NAT Mode
NAT Mode
Installing VPN Certificates
Defining Backup VPN Gateway
Satellite X to Satellite X (VPN Gateway to Gateway)
Setting up the Nokia IP40 Satellite X
Satellite X to VPN-1 (Site-to-Site VPN)
Setting up the Nokia IP40 Satellite X
IP40 Satellite X to Check Point FP3/DAIP
Setting Up Check Point FP3
Setting up the Nokia IP40 Satellite X
IP40 Satellite X to Check Point SmartCenter FP3/NG AI
Setting Up Check Point SmartCenter FP3/NG AI
Setting up the Nokia IP40 Satellite X
Setting Up Check Point SmartCenter NG AI using Certificates
Setting up the Nokia IP40 Satellite X


IP40 Satellite X to Windows 2000

14 Using Managed Services
Starting your Subscription Services
Viewing Services Information from Account Page
Refreshing your Service Center Connection
Configuring your Account
Disconnecting from your Service Center
Sofaware Security Management Portal
Web Filtering
Selecting Categories for Blocking
Virus Scanning
Enabling/Disabling Email Antivirus
Selecting Protocols for Scanning
Temporarily Disabling Email Antivirus
Automatic and Manual Updates
Checking for Software Updates when Locally Managed
Checking for Software Updates When Remotely Managed
Nokia Horizon Manager
SmartCenter LSM

15 Troubleshooting
Frequently Asked Questions
Viewing Firmware Status
Resetting the IP40 to factory defaults
Running Diagnostics

A Specifications
Technical Specifications
Safety Precautions

B Warranty

C End User License Agreement

D Compliance Information
Compliance Statement
FCC Notice (US)


About This Guide

This guide provides information and procedures for installing and configuring the Nokia IP40 security platform. It also provides information about the new features incorporated into the Nokia IP40 appliance. This version of Nokia IP40 uses the SofaWare VPN-1 Embedded NG. For a quick reference on configuring features in Nokia IP40, see the Nokia IP40 Quick Start Guide and the IP40 Online Help that is part of the graphical user interface (GUI) in the device.

Installation and maintenance should be performed by experienced technicians or Nokia-approved service providers only.

This preface provides the following information:

• In This Guide
• Conventions This Guide Uses
• Related Documentation

In This Guide

This guide is organized into the following chapters and appendixes:

• Chapter 1, “Introduction,” provides the information you need to know before installing the Nokia IP40.
• Chapter 2, “Installing the Nokia IP40,” explains how to install the device, lists operating system requirements, protocols and how to establish a network connection.
• Chapter 3, “Getting Started,” describes how to start using the IP40, provides information on first-time login and connecting to the Internet.
• Chapter 4, “Accessing the Nokia IP40,” discusses different methods of connecting to your IP40 and methods of configuring the device.
• Chapter 5, “Configuring the IP40 for Internet Connection,” describes how to configure your IP40 for connecting to the Internet, and viewing and managing your Internet connection.
• Chapter 6, “Managing Your Local Area Network,” explains how to configure the features that the IP40 provides.
• Chapter 7, “Setting Up the Security Policy in IP40,” discusses methods to define the firewall level, configure virtual servers and create firewall rules.
• Chapter 8, “Configuring Network Access,” describes the network access procedures and usage of SSH and SSL.


! Chapter 9, “Configuring and monitoring using SNMP,” explains the procedure to configure Simple Network Management Protocol, set community strings, and send and enable SNMP traps.

! “Configuring the Nokia IP40 through Out of Band Management,” explains the method to configure the Nokia IP40 through Out of Band Management.

! Chapter 11, “Configuring Device Functions,” discusses how to configure device functions such as setting date and time, loading factory defaults and performing firmware upgrade.

! Chapter 12, “Viewing Reports,” explains how to view reports such as Event Log, Active Computers, Active Connections, and VPN Tunnels.

! Chapter 13, “Working with VPNs,” explains how to configure a VPN by using the IP40.

! Chapter 14, “Using Managed Services,” describes methods for enabling and using subscription services such as Web filtering, email antivirus, and automatic and manual updates.

! Chapter 15, “Troubleshooting,” discusses typical problems users encounter and provides solutions to these problems.

! Appendix A, “Specifications,” describes the Nokia IP40 specifications.

! Appendix B, “Warranty,” contains the warranty for the Nokia IP40.

! Appendix C, “End User License Agreement,” contains the End User License Agreement for the Nokia IP40.

! Appendix D, “Compliance Information,” contains the compliance information for the Nokia IP40.

Conventions This Guide Uses

The following sections describe the conventions this guide uses, including notices, text conventions, and command-line conventions.

Notices

Warning: Warnings advise the user that bodily injury might occur because of a physical hazard.

Caution: Cautions indicate potential equipment damage, equipment malfunction, loss of performance, loss of data, or interruption of service.

Note: Notes provide information of special interest or recommendations.

Command-Line Conventions

This section defines the elements of commands that are available in Nokia products. You might encounter one or more of the following elements on a command-line path.

Table 1 Command-Line Conventions

Convention Description

command: This required element is usually the product name or other short word that invokes the product or calls the compiler or preprocessor script for a compiled Nokia product. It might appear alone or precede one or more options. You must spell a command exactly as shown and use lowercase letters.

Italics: Indicates a variable in a command that you must supply. For example:

delete interface if_name

Supply an interface name in place of the variable. For example:

delete interface nic1

Angle brackets < >: Indicates arguments for which you must supply a value:

retry-limit <1–100>

Supply a value. For example:

retry-limit 60

Square brackets [ ]: Indicates optional arguments.

delete [slot slot_num]

For example:

delete slot 3

Vertical bars, also called a pipe (|): Separates alternative, mutually exclusive elements.

framing <sonet | sdh>

To complete the command, supply the value. For example:

framing sonet

or

framing sdh

-flag: A flag is usually an abbreviation for a function, menu, or option name, or for a compiler or preprocessor argument. You must enter a flag exactly as shown, including the preceding hyphen.

.ext: A filename extension, such as .ext, might follow a variable that represents a filename. Type this extension exactly as shown, immediately after the name of the file. The extension might be optional in certain products.

( . , ; + * - / ): Punctuation and mathematical notations are literal symbols that you must enter exactly as shown.

' ': Single quotation marks are literal symbols that you must enter as shown.

Text Conventions

Table 2 describes the text conventions this guide uses.

Table 2 Text Conventions

Convention Description

monospace font: Indicates command syntax, or represents computer or screen output, for example:

Log error 12453

bold monospace font: Indicates text you enter or type, for example:

# configure nat

Key names: Keys that you press simultaneously are linked by a plus sign (+):

Press Ctrl + Alt + Del.

Menu commands: Menu commands are separated by a greater than sign (>):

Choose File > Open.

The words enter and type: Enter indicates you type something and then press the Return or Enter key. Do not press the Return or Enter key when an instruction says type.

Italics:

• Emphasizes a point or denotes new terms at the place where they are defined in the text.

• Indicates an external book title reference.

• Indicates a variable in a command:

delete interface if_name

Menu Items

Nokia IP40 menu items in procedures are separated by the greater than sign.

For example, Start > Programs > Nokia > Security indicates that you first click Start, then choose the Programs menu command, then choose Nokia, and finally choose Security.
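The command-line conventions in Table 1 (italic variables, angle brackets, square brackets and vertical bars) can be checked mechanically before a typed or scripted command is sent to a device. The Python below is an added example, not Nokia code: the names `compile_syntax` and `check`, the `variables` argument that stands in for italics (lost in plain text), and the character set allowed for supplied values are assumptions; the templates in the usage are the ones shown in Table 1.

```python
import re

# Assumed character set for operator-supplied values (not from the guide):
# anything outside it, such as whitespace or ';', is rejected.
VALUE = r"[A-Za-z0-9_.:-]+"
RANGE = re.compile(r"^([0-9]+)\s*(?:–|-)\s*([0-9]+)$")  # <1–100>
TOKEN = re.compile(r"<[^>]*>|\[|\]|[^\s\[\]<>]+")


def compile_syntax(template, variables=()):
    """Translate a Table 1 style template into (regex, numeric bounds)."""
    tokens = TOKEN.findall(template)
    # Refuse templates the tokenizer could not fully consume (stray '<' or '>').
    if re.sub(r"\s+", "", "".join(tokens)) != re.sub(r"\s+", "", template):
        raise ValueError("malformed template: " + template)
    parts, bounds, depth = [], [], 0
    for tok in tokens:
        if tok == "[":                        # start of optional arguments
            parts.append("(?:")
            depth += 1
        elif tok == "]":
            if depth == 0:
                raise ValueError("unbalanced ']' in template")
            parts.append(")?")
            depth -= 1
        elif tok.startswith("<"):             # value the operator must supply
            body = tok[1:-1].strip()
            rng = RANGE.match(body)
            if rng:                           # numeric range, checked later
                bounds.append((int(rng.group(1)), int(rng.group(2))))
                parts.append(r"\s+([0-9]+)")
            else:                             # mutually exclusive alternatives
                alts = [a.strip() for a in body.split("|")]
                if not all(alts):
                    raise ValueError("empty alternative in " + tok)
                parts.append(r"\s+(?:%s)" % "|".join(map(re.escape, alts)))
        elif tok in variables:                # italic variable in the guide
            parts.append(r"\s+" + VALUE)
        else:                                 # literal command word or -flag
            parts.append(r"\s+" + re.escape(tok))
    if depth:
        raise ValueError("unbalanced '[' in template")
    return re.compile("".join(parts)), bounds


def check(template, command, variables=()):
    """Return True if command is a valid instance of the syntax template."""
    regex, bounds = compile_syntax(template, variables)
    # Normalise whitespace; every element of the regex expects leading space.
    match = regex.fullmatch(" " + " ".join(command.split()))
    if not match:
        return False
    # Only numeric ranges create capture groups, so groups align with bounds.
    for value, (low, high) in zip(match.groups(), bounds):
        if value is not None and not low <= int(value) <= high:
            return False
    return True
```

Matching is case-sensitive, in line with the rule that a command is spelled exactly as shown, and any trailing text that the template does not describe causes the command to be rejected.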

Related Documentation

In addition to this guide, documentation for this product includes the following:

! Nokia IP40 Quick Start Guide—Provides a description of the system features and an overview of how to get your appliance up and running.

! Nokia IP40 CLI Reference Guide—Provides a description of all IP40 commands that are used for managing the appliance.

! IP40 Release Notes—Provides important information you should know before installing and configuring the IP40 appliance.

1 Introduction

This chapter introduces the Nokia IP40 appliance. It includes the following topics:

! “About the Nokia IP40” on page 17

! “Nokia IP40 Features” on page 18

! “Nokia IP40 Package Contents” on page 23

! “Network Requirements” on page 24

! “IP40 Rear Panel” on page 24

! “IP40 Front Panel” on page 26

About the Nokia IP40

The Nokia IP40 is an advanced Internet security appliance that enables secure high-speed Internet or corporate access from the home or office. The IP40 uses VPN-1 Embedded NG software from SofaWare Technologies. The VPN-1 Embedded NG firewall, based on the Check Point FireWall-1 Stateful Inspection technology, inspects and filters all incoming and outgoing traffic, blocking all unauthorized traffic.

The IP40 is a hardware appliance and is easy to install. It lets you share your Internet connection among several computers and other network devices, enables advanced home and office networking, and provides protection for your entire network.

With the IP40, corporate as well as home users can subscribe to security services, such as firewall security updates, parental control and so on. Business users can securely connect to the corporate network.

The IP40 is available with the following licenses:

! Nokia IP40 Tele 8

! Nokia IP40 Satellite 16

! Nokia IP40 Satellite 32

! Nokia IP40 Satellite U (Unlimited)

All these versions of IP40 provide a web-based interface that enables you to configure and manage the IP40.

The IP40 comes pre-installed with the license of your choice. The IP40 can be upgraded to a more advanced configuration without replacing the hardware. Contact your local reseller for details on license upgrades.

Nokia IP40 Tele 8

The IP40 Tele 8 is for home telecommuters and work extenders who also need VPN client access. The IP40 Tele 8 supports both firewall and VPN client capabilities over an eight-node network. The appliance supports VPN client capabilities for users to connect to the central office from their home with firewall protection, extending the enterprise network to the employees’ home offices.

Nokia IP40 Satellite 16, Satellite 32, Satellite Unlimited

The IP40 Satellite 16, IP40 Satellite 32 and IP40 Satellite Unlimited provide full firewall and VPN connectivity for remote and branch offices or independent, small and medium enterprises with sixteen, thirty-two and unlimited node networks, respectively. All of the products also support as many as ten VPN tunnels and operate as a VPN gateway. Using these solutions, remote and branch offices can securely exchange information with one another and with distributed enterprises and small and medium enterprises, with excellent performance at a low price.

Nokia IP40 Features

The following sections summarize the IP40 features:

Connectivity

Table 3

Feature | Nokia IP40 Tele 8 | Nokia IP40 Satellite (16/32/Unlimited)

LAN, WAN, DMZ and Control Ports

(No DMZ Support)

Unnumbered PPP

PPPoE Client

PPTP client

DHCP server

DHCP client

Backup Internet connection, static NAT, static routes

Firewall

Table 4

Feature | Nokia IP40 Tele 8 | Nokia IP40 Satellite (16/32/Unlimited)

Based on Check Point Firewall Stateful Inspection Technology

Network Address Translation (NAT)

User defined rules

DoS protection

Anti-spoofing

Attack logging

H.323 support

Exposed host

DMZ network

VPN

Table 5

Feature | Nokia IP40 Tele 8 | Nokia IP40 Satellite (16/32/Unlimited)

IPSEC VPN remote access server

IPSEC VPN site-to-site gateway

IPSEC VPN remote access client

VPN pass through

X.509 certificates

SecuRemote server

RADIUS support

DAIP with VPN certificates

Backup VPN gateways

SmartCenter Connector (SSC) NG AI support

Bypass NAT

Route all traffic

Multiple PPP connections

Active tunnels

Management

Table 6

Feature | Nokia IP40 Tele 8 | Nokia IP40 Satellite (16/32/Unlimited)

Web-based management

Access to IP40 through OOB, SSH and SNMP

HTTPS access

Remote firmware upgrades

Nokia Horizon Manager v 1.3.1 support

Multiple administrators

Management systems (Nokia Horizon Manager, Sofaware SMP, Check Point SmartCenter)

Security Services

Table 7

Feature | Nokia IP40 Tele 8 | Nokia IP40 Satellite (16/32/Unlimited)

Firewall security updates

Software updates

Web filtering

Email antivirus protection

Dynamic DNS service (available with SMP)

VPN management

Centralized logging

Customized security policy

Protocol support for TCP/IP, ICMP, GRE, ESP and UDP

Diagnostics and Maintenance

Table 8

Feature | Nokia IP40 Tele 8 | Nokia IP40 Satellite (16/32/Unlimited)

Configuration Import/Export

Firmware upgrade

Preset configuration

Known good configuration

Diagnostic Tools (netstat, traceroute, arp, ping, WHOIS, nslookup, tcpdump)

Nokia IP40 Package Contents

The Nokia IP40 shipping box includes the following items:

! Nokia IP40 Internet security appliance

! A Universal Power Supply

! A country-specific power cord for universal power supply

! An Ethernet-crossover cable, labeled Crossover

! An RS-232 console (null modem) cable

! The IP40 CD. The IP40 CD includes the following documents needed to set up and use the device:

! Quickstart Guide

! User Guide (this document)

! Release Notes (if needed)

! Translated Manuals (Spanish, Japanese, Chinese)

! CLI Reference Guide

! A TFTP Server

! IP reset tool

! Adobe Acrobat Reader

! IP40 Quick Start Guide, printed

! IP40 Release Notes, printed (if needed)

! IP40 License Document, printed

You can run the CD on a Windows machine with a CD drive.

Network Requirements

To set up the IP40 to connect to the Internet, you need:

! A broadband Internet connection by cable or DSL modem with Ethernet interface (RJ-45)

! 10BaseT or 100BaseT Ethernet switch or hub (optional)

! 10BaseT or 100BaseT network interface card installed on each computer

! TCP/IP network protocol installed on each computer

! CAT5 network cable with RJ-45 connectors for each computer

! Internet Explorer 5.0 or later, or Netscape Navigator 4.5 and later

Note: Nokia recommends use of either Microsoft Internet Explorer 5.5 or higher, or Netscape Navigator 4.7 or higher.

Appliance Overview

The following sections provide an overview of your device’s rear and front panels.

IP40 Rear Panel

All physical connections (network and power) to the IP40 are made through the rear panel.

Figure 1 Rear View of Nokia IP40 (labels: CONSOLE, WAN, DMZ, LAN, AUXILIARY, POWER)

The items on the rear panel of the IP40 are explained in Table 9.

Table 9 Rear Panel of the IP40

Label Description

Power: A power jack used for supplying power to the device. Connect the power adapter to this jack. The device connects to the power source.

AUX: The auxiliary port or dial-in port is a 9-pin male connector. This port is used to dial in to IP40 through a modem when IP40 is unreachable through other ports.

LAN: Local area network: Ethernet port (RJ-45) used for connecting computers or other network devices.

DMZ: Demilitarized Zone: Ethernet port (RJ-45) used for connecting computers or other network devices. Similar to LAN port in operation.

WAN: Wide area network: An Ethernet port (RJ-45) used to connect your cable or xDSL modem.

Console: The Console port is a 9-pin male connector which can be connected to the serial (COM) port of your computer. You can then use the command-line interface (CLI) of IP40 through a serial program such as HyperTerminal to communicate with the device.

Reset: Used to reboot/reset the IP40 to its factory defaults. Use a large flat-tipped object, such as a thick paper clip, to press the reset button.

Short Press (1 second): Reboots IP40

Long Press (7 seconds): Resets the IP40 to its factory defaults. This results in loss of all security services and passwords.

Short Press during bootup: Boots the IP40 in special deployment mode.

DO NOT USE A SHARP PIN OR THIN PIECE OF METAL TO PRESS THE RESET BUTTON.

IP40 Front Panel

You can monitor the IP40 operations by viewing the LEDs on the front panel.

Figure 2 Front Panel of Nokia IP40

The items on the front panel of the IP40 are explained in Table 10.

Table 10 Front Panel of Nokia IP40

LED Description

PWR

Off: Device not powered on

Green Solid: Device is on

STAT

Off: Device Off

Green Solid: Device passed hardware test and finished booting.

Red Solid: Hardware error

Amber Solid: Booting

Green Blinking: Device passed hardware test, has fully booted, and is at its default state; the first-time password has not been set

Red Blinking: Software error

Amber Blinking: Device is performing a function such as setting factory defaults, loading firmware, loading an exported configuration.

LAN, DMZ, WAN

Off: No Link

Green Solid: Interface connected and auto-negotiated at 10 Mbps

Amber Solid: Interface connected and auto-negotiated at 100 Mbps

Amber/Green Blinking: Traffic passing through the interface

2 Installing the Nokia IP40

This chapter describes how to set up and install the Nokia IP40 in a networking environment. The chapter covers the following topics:

! “Before You Install the Nokia IP40” on page 27

! “Setting Up Nokia IP40 with Microsoft Windows 98 or Millennium Operating Systems” on page 27

! “Setting Up Nokia IP40 with Microsoft Windows XP and 2000 Operating Systems” on page 31

! “Setting up Nokia IP40 with an Apple Computer” on page 35

! “Connecting the Nokia IP40 to the Network” on page 35

! “Installing Your Network” on page 36

Before You Install the Nokia IP40

Before you connect and set up the IP40, you must check the following:

! Whether TCP/IP is installed on your computer.

! The TCP/IP settings of your computer, to ensure it obtains its IP address automatically.

The following sections guide you through the TCP/IP setup and installation process.

Setting Up Nokia IP40 with Microsoft Windows 98 or Millennium Operating Systems

If you are using Windows 98 or Windows Me, configure TCP/IP as follows.

To check for TCP/IP Installation

1. Choose Start > Settings > Control Panel.

The Control Panel window appears.

2. Double click the Network icon. The Network window appears.

3. In the Network window, check if TCP/IP appears in the network components list and if it is already configured with the Ethernet card installed on your computer.

If TCP/IP is already installed and configured on your computer, skip the following section on installing TCP/IP.

To Install TCP/IP

1. In the Network window, click Add. The Select Network Component Type window appears.

2. Choose Protocol and click Add. The Select Network Protocol window appears.

3. In the Select Network Protocol window, choose Microsoft in Manufacturers and TCP/IP in Network Protocols.

4. Click OK.

If you are prompted for the original Windows installation files, provide the installation CD and the relevant path, such as D:\win98 or D:\win95.

5. Restart your computer if prompted.

To make TCP/IP Settings

If you are connecting the IP40 to an existing LAN, consult your network manager/system administrator for the correct configuration.

1. In the Network window, double-click the TCP/IP Service for the Ethernet card on your computer (TCP/IP > PCI Fast Ethernet DEC 21143 Based Adapter).

The TCP/IP Properties window opens.

2. Click the Gateway tab and remove any installed gateways.

3. Click the DNS Configuration tab and click the Disable DNS radio button.

4. Click the IP Address tab, and click the Obtain an IP address automatically radio button.

Note: Nokia recommends that you use DHCP to assign IP addresses instead of assigning a static IP address to your computer. To assign a static IP address, select Specify an IP address and enter an IP address in the range of 192.168.10.129 to 254. Enter 255.255.255.0 as the Subnet Mask. Click OK to save the new settings.

5. Click Yes when prompted with “Do you want to restart your computer?”

Your computer restarts for the new settings to take effect.

Your computer is now ready to access the IP40.

Setting Up Nokia IP40 with Microsoft Windows XP and 2000 Operating Systems

Windows XP has an Internet connection firewall option. Nokia recommends that you disable the firewall option if you are using IP40.

To check for TCP/IP installation

1. Click Start > Settings > Control Panel (Start > Control Panel from Windows XP).

The Control Panel window appears.

2. Double click the Network and Dial-up Connections icon (Network Connections icon from Windows XP).

The Network and Dial-up Connections window appears.

3. Right-click the Local Area Connection icon and select Properties from the drop-down menu.

The Local Area Connection Properties window appears.

4. Check whether TCP/IP appears in the Components list and whether it is configured with the Ethernet card installed on your computer.

If TCP/IP does not appear in the Components list, install it as described in the following section. If TCP/IP is already installed, skip the next section.

To Install TCP/IP

1. In the Local Area Connection Properties window, click Install. The Select Network Component Type window appears.

2. Choose Protocol and click Add. The Select Network Protocol window appears.

3. In the Select Network Protocol window, choose Internet Protocol (TCP/IP) and click OK to install the TCP/IP protocol on your computer.

TCP/IP protocol is installed on your computer.

To make TCP/IP settings

1. In the Local Area Connection Properties window, double-click Internet Protocol (TCP/IP) and click Properties.

The Internet Protocol (TCP/IP) Properties window opens.

2. Select Obtain an IP address automatically.

Note: Nokia recommends that you use DHCP to assign IP addresses instead of assigning a static IP address to your computer. To assign a static IP address, select Specify an IP address and enter an IP address in the range of 192.168.10.129 to 254. Enter 255.255.255.0 as the Subnet Mask. Click OK to save the new settings.

3. Click Obtain DNS server address automatically.

4. Click OK to save the new settings.

Your computer is now ready to access your IP40.

Setting up Nokia IP40 with an Apple Computer

Use the following procedure to set up the TCP/IP protocol:

To make TCP/IP settings

1. Choose Apple Menus > Control Panels > TCP/IP.

The TCP/IP Window appears.

2. Select Ethernet from the Connect via drop-down list.

3. Select Using DHCP Server from the Configure drop-down list.

4. Close the window and save the setup.

Connecting the Nokia IP40 to the Network

The following topology examples illustrate the proper network cabling.

Installing Your Network

Plan your network and the location of the IP40, then install your network.

To install the network

1. Connect the LAN cable:

! Connect one end of the Ethernet cable to the LAN port at the back of the unit.

! Connect the other end of the Ethernet cable to the computer, hubs, or another network device.

2. Connect the DMZ cable:

! Connect one end of the Ethernet cable to the DMZ port at the back of the unit.

! Connect the other end of the Ethernet cable to the computer, hubs, or another network device.

3. Connect the WAN cable:

! Connect one end of the Ethernet cable to the WAN port at the back of the unit.

! Connect the other end of the Ethernet cable to a cable modem, xDSL modem, or a corporate network.

4. Connect the power adapter to the power socket at the back of the device.

5. Plug in the AC power adapter to the wall electrical outlet.

3 Getting Started

You are now ready to perform the basic configurations and settings to your IP40.

This chapter includes the following topics:

! “First Time Login” on page 37

! “Configuring Nokia IP40 for Internet Connection” on page 38

! “Making Initial Nokia IP40 Settings” on page 39

! “Logging On to the Nokia IP40” on page 43

! “Accessing the IP40 securely” on page 44

! “Understanding the Web based GUI of IP40” on page 45

First Time Login

After connecting the IP40 to your network as described in “Connecting the Nokia IP40 to the Network,” wait for the STAT LED to turn green and proceed as follows.

1. Open your Web browser and enter http://my.firewall in the location text box.

The first time login screen appears, prompting for password.

If you are unable to access the GUI portal, refer to the Troubleshooting Chapter in this document.

Note: The IP40 ships without a password defined. If you are logging in for the first time, you are prompted to define the password by entering it twice. If you have already logged in before, enter the username and password you previously defined.

2. Enter a password and re-enter the password to confirm.

Note: The password must be between five and eleven alphanumeric characters. To change the password, click Setup on the navigation bar and click Password.

Configuring Nokia IP40 for Internet Connection

This section provides information on making the initial settings for your IP40 using the Setup Wizard and connecting to the Internet.

To connect to the Internet from Nokia IP40

1. After you set the administrator password, you are prompted to make the initial settings from the Setup Wizard.

The Wizard guides you through making the Internet connection, setting the device time, registering for support services, and performing other basic configurations.

Click OK to continue.

2. The Internet Connection Method dialog box appears.

For more information, see Chapter 5, “Configuring the IP40 for Internet Connection.”

Note: Refer to Chapter 5 for information on connecting to the Internet.

Making Initial Nokia IP40 Settings

Once you exit the Internet Connection Method wizard, you are prompted to set the device time. This section provides information on using the Setup Wizard to set the device time and to make the initial IP40 settings.

Setting the Nokia IP40 Time

You are prompted to set your device time. You can do it as follows:

To set the IP40 device time

1. When the IP40 Set Time Wizard dialog box appears, click the appropriate setting, depending on the time settings you want to make.

a. If you select Your computer’s clock, the IP40 is automatically updated with the time settings of your computer.

b. If you click Keep the current time, the IP40 retains its current time settings. No changes to the time settings are made.

c. If you click Specify date and time, you can manually update the IP40 time settings.

The Specify Time and Date dialog box appears.

Click Next to change your IP40 time settings.

d. If you choose to use a time server by clicking the Use a Time Server radio button, the following dialog box appears.

e. Specify the IP addresses of the Primary and Secondary servers that you want to use as NTP time servers. Also select your time zone by using the pull-down menu under Time Zone.

f. Click Next.

g. The following dialog box appears, indicating that time settings have been changed successfully.

h. Click Finish to exit the Set Time Wizard.

Registering with Nokia Support Site

You can register with Nokia Support Site once you have made your time settings.

The following dialog box appears once you have exited the Set Time Wizard.

Check the checkbox, and click Next.

You will be automatically taken to Nokia Support website:

https://support.nokia.com/agreement/SOHOregister.shtml.

Use the instructions in the webpage to complete the registration process and gain access to support web resources and software updates.

Connecting to a Central Management Server

Once you have registered for support, the following screen appears. This screen allows you to define the central management server that the IP40 connects to.

The IP40 can connect to a central management server to allow central management of the firewall and VPN policies. Central management can also allow the IP40 to subscribe to additional services such as Antivirus and URL filtering. The central server can be a Check Point Smart Center, Smart Center Pro, or Security Management Platform server.

If your IP40 is centrally managed by any of these servers, make sure "I wish to connect to a service center" is checked, enter the IP address of the central management server in the "Specified IP" field, and click Next. You are then prompted to enter the authentication information that allows the IP40 to talk to the management server where you previously defined the IP40 object.

If your IP40 is not managed by a central management server, make sure "I wish to connect to a service center" is not checked and click Next.

Refer to “Managing large scale deployments of the Nokia IP40” on page 53 for information on connecting to service centers, and to Chapter 14, “Using Managed Services,” for information on using subscription services.

Logging On to the Nokia IP40

Once you exit from the Setup Wizard, the IP40 Welcome screen appears. The following section shows how to log on subsequently.

To access the user interface of the IP40,

1. Open your Web browser, enter http://my.firewall.

Click Enter.

The Nokia IP40 initial login page appears.

2. Enter the password directly for the IP40 Tele 8 license.

For the IP40 Satellite X licenses, enter the username and password. If you are logging on for the first time, you should use admin as the username.

Note: The default user name for all Nokia IP40 licenses is admin. For the IP40 Satellite X licenses, you can define additional users. These additional users have separate usernames and passwords. For the IP40 Tele 8 license, you can only log on with username admin. However, you can change the password. The password in all cases should be five to eleven alphanumeric characters.

You will need to define your password in two instances:

• At the initial login

• When you reset the device to defaults

After the initial login, the Welcome screen appears. A sample Welcome screen is shown.

The Welcome screen displays the product identity of your device (Tele 8 or Satellite X).

Accessing the IP40 securely

You can access the IP40 graphical user interface (GUI) through HTTPS either remotely or locally (from your internal network). For information on accessing through HTTPS from a remote location, refer to “Enabling HTTPS Web Access” on page 99.

Note: First configure HTTPS to access the IP40 GUI from a remote location.

To access the IP40 through HTTPS from your internal location

1. To access the IP40 locally:

Enter https://my.firewall:981 in the address bar of your browser (the URL starts with https, not http).

2. The IP40 GUI welcome page appears.

Logging Off

Logging off terminates the IP40 session. To connect to the IP40 again, enter the password.

To log out of IP40, perform one of the following procedures:

• If you are connected locally, click Logout.

The Logout screen appears.

• If you are connected through HTTPS, close the browser window.

For information on connecting to your device through HTTPS, refer to the section below.

Understanding the Web based GUI of IP40

Once you have logged on to IP40 using HTTP or HTTPS, you can configure the IP40 in two ways:

• Using Quick Setup Wizard: Configure the most common settings required for the IP40 to be up and running. The GUI automatically takes you through this wizard after your initial login.

• Using Advanced GUI: Configure the various advanced features provided in the IP40.

For a configuration to take effect, make sure you click Submit.

Refer to the sections below for a brief description of the main components of the IP40 GUI. You will be ready to make advanced configuration changes once you are familiar with these.

Using the Nokia IP40 Web User Interface

GUI Map

Figure 3 shows the main components of the GUI.

Table 11 Main components of the GUI - Summary

| No. | Component | Description |
|---|---|---|
| 1. | Navigation Bar | Access various feature sets in the IP40 |
| 2. | Tabs Bar | Access and configure all features in the IP40 |
| 3. | Wizard | Set up the IP40 with the most common settings quickly. |
| 4. | Status Bar | Status after a specific configuration |
| 5. | Help | Online help to assist you in configuring the IP40 |

The following table gives the name and functionality of each button in Nokia IP40 GUI.

Note: The Tele 8 license of IP40 does not support all the features mentioned in the table below. Refer to “Nokia IP40 Features” on page 18 for information on features supported by the Tele configuration.

Table 12 Navigation Bar

| Main Tab | Secondary Tabs | Description |
|---|---|---|
| Welcome | | Displays Welcome and configuration information |
| Reports | Event Log | Displays the last 100 events in three different categories - Blue, Red, Orange and Green. |
| | Active Computers | Allows you to view computers on your network |
| | Active Connections | Allows you to view current connections between your network and the external world |
| | VPN Tunnels | Displays list of established VPN tunnels |
| Security | Firewall | Allows you to control firewall security level |
| | Servers | Enables you to selectively allow incoming traffic from known applications and Internet services |
| | Rules | Enables you to customize your security policy |
| | Exposed Host | Enables you to define a Demilitarized Zone, i.e. a computer not protected by firewall |
| Services | Account | Provides information on services available in your service plan, and manage security services |
| Network | Internet | Displays information on network setup and activity |
| | My Network | Enables you to configure network settings |
| | Modem | Allows you to specify your modem’s type, dial mode and port speed |
| | Static NAT | Allows you to specify a NATed address for a given IP address |
| | Static Routes | Enables you to specify individual computers that can connect to IP40 |
| Setup | Firmware | Displays current firmware version and details |
| | Logging | Enables you to specify Syslog server and Syslog port |
| | Management | Enables you to specify the protocols and accessing information for IP40 |
| | Tools | Comprises of several tools to effectively manage your IP40 |
| Users | Internal Users | Allows you to view, add, edit and delete list of IP40 users |
| | RADIUS | Enables you to change your RADIUS settings |
| VPN | VPN Server | Allows you to enable or disable VPN server |
| | VPN Sites | Allows you to view and edit list of configured VPN sites |
| | VPN Login | Enables you to manually login to a VPN site |
| | Certificate | Allows you to control certificates for site-to-site VPN usage |
| Help | | Online Help |
| Logout | | Logs you out of IP40 |

4 Accessing the Nokia IP40

This chapter discusses the methods for accessing and configuring the Nokia IP40. This chapter also provides an introduction to managing large scale deployments of the IP40 centrally using Nokia Horizon Manager, SmartCenter Large Scale Manager and Sofaware Security Management Portal.

The main topics for this chapter include:

• “Connection Methods” on page 49

• “Configuration Methods” on page 44

• “Connecting the Nokia IP40 to a computer by Using the Console Port” on page 50

• “Using Telnet to Connect to the Nokia IP40” on page 51

• “Enabling and Disabling Telnet Access to the Nokia IP40” on page 53

• “Accessing the Nokia IP40 using HTTP and HTTPS” on page 53

• “Managing large scale deployments of the Nokia IP40” on page 53

Connection Methods

You can connect to your IP40 locally through LAN, WAN, DMZ or Console ports for Inband management. You can also connect from a remote location using modem dial-in for Out of Band Management (OOB).

For information on using OOB to configure your device, refer to “Configuring the Nokia IP40 through Out of Band Management” on page 107.

Typically your device’s WAN port is connected to your Internet Service Provider (ISP), while the LAN port is connected to your computer, or to a hub, in case you are using IP40 between your computer network and the outside world. You can connect your computer to the console port of your IP40 to manage the device using CLI.

Configuration Methods

The Nokia IP40 supports the following configuration methods:

• Command-line interface using console, Telnet, Secure Shell (SSH).

• Web user interface using http and https.

Connecting the Nokia IP40 to a computer by Using the Console Port

Your IP40 has a console serial port. Connect the RS-232 cable (that is shipped along with the appliance) from the serial port of your computer to the console port of IP40. You can then manage the device using a terminal emulation program such as HyperTerminal.

To Connect to Nokia IP40 Using HyperTerminal

1. Start the HyperTerminal program as follows:

Start > Programs > Accessories > Communications > HyperTerminal

The Connection Description window appears.

2. Assign a name for your connection, such as IP40. Click OK.

3. Select the serial port that you will be using - COM1 or COM2. Click OK.

4. Once you have selected the serial port, the COM1 (or COM2) Properties window appears.

Select the following port settings:

• Bits per second: 9600

• Data bits: 8

• Parity: None

• Stop bits: 1

• Flow control: None

Click OK to continue.

5. The login prompt is displayed by default.

The IP40 ships without a password defined. If you are logging in for the first time, you will be prompted to define the password by entering it twice. If you have logged in before, enter the username and password you previously defined.

Refer to the CLI Reference Guide for information on CLI commands.

Using Telnet to Connect to the Nokia IP40

You can access the Command Line Interface of your IP40 through a Telnet session.

Note: Telnet access is enabled only from the LAN side. You can allow Telnet access from the WAN side by configuring separate user rules.

To connect to your IP40 using Telnet

1. Click Start > Run

2. In the command strip that appears, type telnet followed by your device’s IP address

Note: Before you start Telnet, ensure that the Telnet program is installed on your computer and your IP40 can be accessed using Telnet. The method for starting Telnet differs between various operating systems. The method given here can be used for starting Telnet from the Windows 2000 operating system.

If your device IP address is 192.168.10.1, your screen will appear as follows:

3. Click OK, and the telnet command window appears with a login prompt

4. Once you enter your user name and password, you will be able to manage your IP40 using simple commands

5. Pressing the tab key gives you a list of useful, simple commands to start managing your IP40. Refer to the CLI Reference Guide for more information.

Enabling and Disabling Telnet Access to the Nokia IP40

You can use the following command from the IP40 CLI to enable or disable telnet access to the device:

set acl service telnet

The Telnet service is enabled by default.

You can disable it by using the following command:

set acl service telnet disable

This command will disable Telnet access from the WAN, LAN and DMZ ports.

Using Secure Shell (SSH) to Connect to the Nokia IP40

You can use Secure Shell (SSH) to access IP40 securely. SSH is an application protocol and software suite that allows secure network services over an insecure network such as the Internet.

Note: By default, SSH access is allowed only from LAN.

To access your IP40 using SSH

1. Install an SSH client that allows you to make SSH connections to your IP40

2. Provide the following information to connect to the device:

a. IP Address of the device

b. User name

c. Authentication method, whether Password or Public Key

3. Refer to the documentation for your SSH client for additional information

Refer to Chapter 8, “Configuring Network Access” for more information on SSH.

Accessing the Nokia IP40 using HTTP and HTTPS

You can access and manage your IP40 through a user-friendly GUI. For more information, refer to “Accessing the IP40 securely” on page 44.
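A reachability check for the management services this chapter lists (Telnet, SSH, HTTP, HTTPS), useful for confirming from a LAN or WAN vantage point that a change such as set acl service telnet disable took effect. This is an added example, not Nokia's code: port 981 for HTTPS comes from this guide, while ports 23, 22 and 80, the severity labels and all function names are assumptions.

```python
import socket
from dataclasses import dataclass

# Management services this guide names. Port 981 for HTTPS is the guide's
# value; 23, 22 and 80 are the protocols' standard ports, ASSUMED here.
SERVICES = (
    ("telnet", 23, True),    # (name, port, cleartext)
    ("ssh", 22, False),
    ("http", 80, True),
    ("https", 981, False),
)

SEVERITY_ORDER = ("OK", "REVIEW", "WARN", "FAIL")


@dataclass(frozen=True)
class Finding:
    service: str
    port: int
    reachable: bool
    severity: str   # one of SEVERITY_ORDER
    note: str


def tcp_probe(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, timed out or unreachable
        return False


def classify(name, port, cleartext, reachable, vantage):
    """Grade one service as seen from `vantage` ("lan" or "wan")."""
    if not reachable:
        return Finding(name, port, False, "OK", "not reachable")
    if cleartext and vantage == "wan":
        return Finding(name, port, True, "FAIL",
                       "cleartext management reachable from the WAN side")
    if cleartext:
        return Finding(name, port, True, "WARN",
                       "credentials cross the LAN unencrypted")
    if vantage == "wan":
        return Finding(name, port, True, "REVIEW",
                       "encrypted, but confirm remote access is intended")
    return Finding(name, port, True, "OK", "encrypted management channel")


def audit(host, vantage, probe=tcp_probe, services=SERVICES):
    """Probe every management port and return one Finding per service."""
    if vantage not in ("lan", "wan"):
        raise ValueError("vantage must be 'lan' or 'wan'")
    return [classify(n, p, c, probe(host, p), vantage) for n, p, c in services]


def worst(findings):
    """Highest severity present in the findings ("OK" when there are none)."""
    return max((f.severity for f in findings),
               key=SEVERITY_ORDER.index, default="OK")


if __name__ == "__main__":
    # Constructed scenario, no network traffic: the LAN-side view of a device
    # with every management service listening. Pass probe=tcp_probe (the
    # default) to test a real appliance you administer.
    listening = {23, 22, 80, 981}
    report = audit("192.168.10.1", "lan", probe=lambda h, p: p in listening)
    for f in report:
        print(f"{f.severity:6} {f.service:6} tcp/{f.port:<4} {f.note}")
    print("overall:", worst(report))
```

Run it once from a LAN host and once from outside the WAN port; a FAIL or WARN on telnet after the disable command means the setting did not apply.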

Managing large scale deployments of the Nokia IP40

Nokia IP40 devices can be centrally managed using the following applications:

• Nokia Horizon Manager

• SmartCenter LSM and

• Sofaware Security Management Portal.

These centralized management applications allow you to manage large scale deployments.

An overview of managing your device using these systems is given below. Refer to Chapter 14, “Using Managed Services” for details.

Nokia Horizon Manager

You can manage Nokia IP40 using Nokia Horizon Manager. Nokia Horizon Manager is a software application designed to manage and configure a large number of Nokia security platforms (devices) that reside on a corporate enterprise, managed service provider (MSP), or hosted applications service provider network (ASP).

You can use the Nokia Horizon Manager to perform Software Inventory, Configuration and Image Management operations.

Note: You can manage IP40 using Nokia Horizon Manager 1.3.1 onwards.

SmartCenter Large Scale Manager

Check Point’s SmartCenter Large Scale Manager (LSM) allows you to manage many Check Point Remote Office/Branch Office (ROBO) gateways from a single SmartCenter Server. Refer to Check Point’s SmartCenter LSM documentation for additional information on installing and configuring LSM.

Sofaware Security Management Portal

The SofaWare Management Center (SMC) is a web-based application for managing and configuring the SofaWare Security Management Portal (SMP). SofaWare’s managed security platform enables centralized management of a large number of firewalls embedded in residential broadband access devices or gateways.

The Sofaware SMP can be used for both policy and configuration management.

Note: You should configure the management servers using Sofaware Management Center before you can use subscription services like Web Filtering, E-mail Anti Virus and Software Updates using Nokia IP40.

Using the Sofaware Management Center, you can:

• Update security policies and user interface files

• Configure and fine-tune Sofaware management services like Web filtering, email antivirus and software updates.

5 Connecting to the Internet using IP40

This chapter explains how to configure the Internet connection. Once configured, you can access the Internet safely and securely through the IP40.

This chapter includes the following main topics:

• “Using the Setup Wizard” on page 57

• “Manually Configuring the Internet Setting” on page 63

• “Viewing Internet Connection Information” on page 67

• “Enabling/Disabling the Internet Connection” on page 68

• “Using Quick Internet Connection/Disconnection” on page 69

• “Configuring a Backup Internet Connection” on page 69

Configuring for Internet Connection

You can configure your Internet connection using one of the following setup tools:

• The Setup Wizard: guides you through the configuration process step by step.

• Advanced Setup: offers advanced setup options.

Note: You must configure the Internet connection on initial operation and after all reset to defaults operations.

Using the Setup Wizard

The Setup Wizard can be used to configure the Internet connection for IP40. The Setup Wizard guides you through the configuration process step by step.

To configure the Internet connection using Setup Wizard

1. Click Network from the main menu and click on the Internet tab.

The Internet page appears.

2. Click on the Setup Wizard button at the bottom of the screen.

The Setup Wizard window appears.

3. Click Next to proceed. The Internet Connection Method screen appears.

You can choose between three modes of broadband connection:

• Direct Local area network (LAN) Connection

• Cable modem

• PPTP or PPPoE Dialer

Select the Internet connection method to use for connecting to the Internet and click Next.

Note: If you select PPTP or PPPoE dialer, do not use dial up software to connect to the Internet. The IP40 does the PPPoE negotiation.

Direct LAN Connection

If you want to use a direct LAN connection to connect to the Internet, proceed as follows:

1. Select Direct LAN from the list of Internet connection methods and click Next.

A Connecting message appears followed by a Connected message.

Once connected, the wizard prompts you to register your details and set up your subscription options, which vary from product to product.

Refer to Chapter 3, “Getting Started,” for information on configuring device time, registering with Nokia Support Center and subscribing to additional services using the Setup Wizard.

2. Follow the instructions until the wizard is done, and then click Finish.

You are now connected to the Internet using a direct LAN connection.

Cable Connection Settings

If you selected cable modem connection in the previous procedure, the Host Name screen appears.

MAC Cloning

Some ISPs require registration of MAC addresses of the computer behind the cable modem before an Internet connection can be established.

The Nokia IP40 takes the place of the computer behind the Cable modem and the local user can use MAC Cloning to enter the original computer MAC address without contacting the ISP for changing that information.

To configure for cable modem connection

1. Enter the Host name.

This field is optional. It might be required by your ISP and if so the ISP provides it.

2. Click Next.

The Confirmation message appears.

3. Click Next.

The system attempts to connect to the Internet.

At the end of the connection process the Connected message appears. Once connected, the wizard will prompt you to register your details and set up your subscription options, which vary from product to product.

4. Follow the instructions until the wizard is done, and then click Finish.

DSL Connection Settings

If you selected a PPTP or PPPoE connection method, the following screen appears.

To connect using DSL Connection

1. Select the connection method that your DSL provider uses.

2. Click Next.

Note: Most DSL providers use PPPoE. If you are uncertain about which connection method to use, contact your DSL provider.

To connect using PPPoE connection method

If you select PPPoE, the PPPoE Configuration window appears.

In the PPPoE dialog box enter the following,

1. Your Username, Password and confirm the Password.

2. The service name.

This is optional.

3. Click Next.

The system attempts to connect to the Internet through the DSL connection. At the end of the connection process, the Connected message appears. Once connected, the wizard prompts you to register your details and set up your subscription options, which vary from product to product.

4. Follow the instructions until the wizard is done, and then click Finish.

To connect using PPTP connection method

If you select PPTP, the PPTP configuration window appears.

1. Enter the Username, Password and confirm the Password.

2. Enter the service name.

3. The IP address of the DSL modem in the Server IP field.

4. The IP address required to access the DSL modem in the Client IP field.

5. The Subnet Mask of the DSL modem in the Subnet Mask field.

6. Click Next.

The Connecting message appears while the system attempts to connect to the Internet through the DSL connection. At the end of the connection process, the Connected message appears.

To connect using Automatic DHCP method

If you enabled automatic DHCP, no further settings are required. The Confirmation message appears.

1. Click Next.

The system attempts to connect to the Internet through the selected connection. The Connecting message appears. At the end of the connection process the Connected message appears.

Once connected, the wizard will prompt you to register your details, install the product key and set up your subscription options, which may vary from product to product.

2. Follow the instructions until the wizard is done, and then click Finish.

Manually Configuring the Internet Setting

You can manually configure the advanced features in the IP40 using Advanced Setup.

To configure the Internet connection

1. Proceed as per steps 1 and 2 in “Using the Setup Wizard.”

2. Click Cancel on the Welcome page of the Internet Setup Wizard.

The Welcome page appears.

3. In the Navigation Bar, click Network.

4. Click Edit on the Internet page

The Setup Wizard page appears.

5. From the Connection Type drop-down list, select the Internet connection you are using or intend to use.

The display changes according to the connection type you selected. Perform the following procedures in accordance with the connection type you choose.

LAN Connection

If using a LAN connection, enter the following:

1. Enter the Host name.

This field is optional. If a service center requires it, the Host Name will be provided by them.

2. If you do not want the IP40 to obtain an IP address automatically using DHCP, do the following:

a. Clear the Obtain IP address automatically (using DHCP) check box.

b. Enter the IP address provided by your service provider.

c. Select the Subnet mask that applies to the IP address you entered.

d. Enter the IP address of the default gateway of your service provider.

e. Enter the Preferred DNS server IP address.

f. Enter the Alternate DNS server IP address.

3. To assign an IP address automatically using DHCP, but not configure DNS servers automatically, do the following:

a. Check the Obtain DNS Servers automatically check box.

b. Enter the Preferred DNS server IP address.

c. Enter the Alternative DNS server IP address.

4. Click Apply.

To use a cable modem connection

1. Enter the Host name.

This field is optional: some ISPs might require it and they will provide the host name.

2. Click Apply.

To use a PPPoE connection

If using a PPPoE connection, enter the following information:

1. Enter your Username and Password and confirm the Password.

2. Enter the service name as given by your service center.

Note: If your service center did not provide you with a service name, leave this text box empty.

You can set the maximum transmission unit size (MTU). Nokia recommends that you leave this field empty. However, to modify the default MTU, consult with your service center.

3. If you are not using automatic configuration of DNS servers, do the following:

a. Clear the Obtain DNS servers automatically check box.

b. Enter the Preferred DNS server IP address.

c. Enter the Alternate DNS server IP address.

4. Click Apply.

To use a PPTP connection

If using a PPTP connection, enter the following information:

1. Enter your Username and Password and confirm the Password.

2. Enter the service name as given by your Service Center.

3. Enter the IP address of the PPTP server as given by your Service Center.

4. Enter the IP address of the PPTP client as given by your Service Provider.

5. Select the PPTP client subnet as given by your Service Provider.

You can configure the MTU size. Nokia recommends that you leave this field empty. Consult your Service Provider to modify the default MTU.

6. If you are not using automatic configuration of DNS servers, do the following:

a. Clear the Obtain DNS servers automatically check box.

b. Enter the Preferred DNS server IP address.

c. Enter the Alternate DNS server IP address.

7. Click Apply.

Cloning a MAC Address

A MAC address is a 12-digit identifier assigned to every network device. If your ISP restricts connections to specific, recognized MAC addresses, you must clone a MAC address.

To clone a MAC address

1. Click Network in the main menu, and click the Internet tab

The Internet page appears.

2. Click the Edit button against the Cloned MAC Address field

The MAC cloning page appears

3. Do one of the following:

a. Click This Computer to automatically clone the MAC address of your computer to the IP40

Or

b. If the ISP requires authentication using the MAC address of a different computer, enter the MAC address in the MAC cloning field

4. Click Apply

5. Click Back

The Internet page reappears with the MAC address of your computer displayed

Viewing Internet Connection Information

You can view information on your Internet connections in terms of status, duration and activity.

To view Internet connection information

1. Click Network in the main menu, and click the Internet tab

The Internet page appears.

The following information is displayed:

Table 13

| Field | Description |
|---|---|
| Status | Indicates the connection’s status |
| Duration | Indicates the connection duration, if active. The duration is given in the format hh:mm:ss, where hh=hours, mm=minutes, ss=seconds |
| IP Address | Your IP address |
| Enabled | Indicates whether or not the connection is enabled. |
| WAN MAC Address | The MAC address of IP40 |
| Cloned MAC Address | The cloned MAC address |
| Received packets | The number of data packets received in the active connection |
| Sent Packets | The number of data packets sent in the active connection |

Enabling/Disabling the Internet Connection

You can enable or disable the Internet connection using this feature.

To enable/disable the Internet Connection

1. Click Network in the main menu and click the Internet tab

The Internet page appears

2. Next to the Internet connection, do one of the following:

a. To enable the connection, click the adjacent cross mark

The button changes to check mark and the connection is enabled

b. To disable the connection, click the adjacent check mark

The button changes to cross mark and the connection is disabled

Using Quick Internet Connection/Disconnection

By using the Connect or Disconnect button (depending on the connection status) on the Internet page, you can establish a quick Internet connection using the currently selected connection type. In the same manner, you can terminate the active connection.

The Internet connection retains its Connected/Not Connected status until the IP40 is rebooted. The IP40 then connects to the Internet if the connection is enabled. For information on enabling the Internet connection, see the section on Enabling/Disabling the Internet Connection.

Configuring a Backup Internet Connection

With IP40, you can configure both a primary and a secondary Internet connection. The secondary connection acts as a backup, so that if the primary connection fails, the IP40 remains connected to the Internet.

Use the Edit buttons next to the Primary and Secondary connection types to configure a backup Internet connection.

To physically connect multiple WAN devices to the IP40, connect a switch to the WAN port and connect the devices to that switch.

Refer to “Connecting the Nokia IP40 to the Network” on page 35 for basic topology illustrations.


6 Managing Your Local Area Network

This chapter explains the steps to manage your local area network using Nokia IP40.

You can manage and configure your network connection and settings, and view information on the connection in terms of status, connection duration, and activity.

This chapter covers the following topics:

• “Configuring Network Settings”
• “Enabling and Disabling the DHCP Server”
• “Changing IP Addresses”
• “Enabling/Disabling Hide NAT”
• “Configuring a DMZ Network”
• “Using Static NAT”
• “Using Static Routes”

Configuring Network Settings

Caution: Network Settings are advanced settings. Nokia recommends that these settings should not be changed unless it is necessary and you are qualified to do so. Changing network settings might result in losing the connection to the IP40.

If you change the network settings to incorrect values and are unable to correct the error, reset the IP40 to its factory default settings.

To reset the IP40 to its factory default settings, choose Setup > Firmware > Factory Defaults. You can also press the reset button at the back of the device.

Enabling and Disabling the DHCP Server

The IP40 has a built-in DHCP (Dynamic Host Configuration Protocol) server, which is enabled by default. This allows the IP40 to configure all the devices on your network automatically.

If you have another DHCP server configured in your network, you must disable the DHCP server in your IP40 before connecting the IP40 to the network.


To enable or disable the DHCP server

1. In the Navigation Bar, click Network > My Network.

The My Network page appears.

2. In the DHCP Server list, select Enabled or Disabled.

3. Click Apply.

4. If you do not have another DHCP server in your network, and your computers were originally configured differently, do the following:

• Reconfigure all the computers on your network.

• Use DHCP to disable the Obtain IP address automatically setting in the TCP/IP settings.

Changing IP Addresses

You can change the IP address of your IP40. You can also change the entire range of IP addresses in your network using the IP40 Satellite X licenses. You might want to do this if, for example, you are adding the IP40 to a large existing network and do not want the network IP address range to change, or if you are using a DHCP server other than the IP40 that assigns addresses within a different range.

If you change the IP address of your IP40, you might have to manually change the network interface TCP/IP setting when you use static IP, or renew the DHCP lease when you use Dynamic IP.

To change the IP addresses in your network

1. In the Navigation Bar, click Network > My Network.

2. Enter new values in the Internal Network Range fields.

3. To reset the network to its default settings, with the DHCP server enabled and the internal network range set to 192.168.10.1, click Default.

4. Click Apply. The following things happen:


• If you changed the internal network range to X.X.X.X, the IP address of the IP40 is changed to X.X.X.1.

• If you chose to reset the network to its default settings, the settings are reset.

5. Do one of the following:

• If your computer is configured to obtain its IP address automatically (using DHCP), and the DHCP server in your IP40 is enabled, restart your computer. Your computer obtains an IP address in the new range.

• Otherwise, manually reconfigure your computer to use the new address range using the TCP/IP settings.

Enabling/Disabling Hide NAT

Network Address Translation (NAT) enables you to share a single IP address among several computers.

Note: NAT can only be disabled in IP40 Satellite X licenses. NAT is enabled by default. If NAT is disabled, you need to buy an IP address range.

To enable NAT

1. In the Navigation Bar, click Network > My Network.

The My Network page appears.

2. Select Enabled.

3. Click Apply.

NAT is enabled.

Configuring a DMZ Network

In addition to the LAN network, IP40 allows you to define a second internal network called a DMZ (Demilitarized Zone) network. By default, all traffic is allowed from the LAN network to the DMZ network, and no traffic is allowed from the DMZ network to the LAN network. You can customize this behaviour by creating Firewall user rules.

For example, you could assign your company’s accounting department to the LAN network and the rest of the company to the DMZ network. The accounting department would be able to connect to all company computers, while the rest of the employees would not be able to access any sensitive information on the accounting department computers. You could then create firewall rules that allow specific DMZ computers (such as a manager’s computer) to connect to the LAN network and the accounting department.


To configure a DMZ Network

1. Click Network in the main menu and click the My Network tab.

The My Network page appears.

2. Go to the DMZ Network Settings area

3. If desired, enable or disable Hide NAT

4. In the IP40 DMZ IP text box, enter the IP address of the DMZ network’s default gateway

Note: The DMZ network must not overlap the LAN network.

5. In the DMZ Subnet Mask text box, type the DMZ’s internal network range

6. To reset the network to its default settings, do the following:

a. Click Default

A confirmation message appears

b. Click OK

The default settings are restored.

c. Click Apply

A warning message appears

d. Click OK

A success message appears

Using Static NAT

Static NAT (or one-to-one NAT) allows the mapping of Internet IP addresses or address ranges to hosts inside the internal network.

This is useful if you want a computer in your private network to have its own Internet IP address. For example, if you have both a mail server and a web server in your network, you can map each one to a separate Internet IP address.

Static NAT rules do not imply any security rules. To allow incoming traffic to a host for which you have defined Static NAT, you must create an Allow rule. When specifying firewall rules for such hosts, use the host’s internal IP address, and not the Internet IP address to which the internal IP address is mapped.

Note: Static NAT and Hide NAT can be used together.


Note: IP40 supports Proxy ARP (Address Resolution Protocol). When an external source attempts to communicate with a computer which has static NAT enabled, the IP40 automatically replies to ARP queries with its own MAC address, thereby enabling communication. As a result, the Static NAT Internet IP addresses appear to external sources to be real computers connected to the WAN interface.

Adding and Editing Static NAT mappings

The following procedure explains how to add or edit Static NAT mappings.

To add or edit a Static NAT mapping

1. Click Network in the main menu, and click the Static NAT tab.

The Static NAT page appears.

2. Do one of the following:

• To add a new Static NAT mapping, click New.

• To edit an existing Static NAT mapping, click Edit.

The Static NAT wizard opens, with the Static NAT Mapping dialog box displayed.


3. Complete the fields using the information given in the table below

4. Click Next

The Static NAT Mapping Updated dialog box is displayed.

5. Click Finish

If you added a new mapping, it appears in the static NAT page

Table 14 Static NAT Fields

In this field... | Do this...
Map this WAN IP checkbox | Click this option to map an Internet IP address to a local computer. You must then fill in the MAP this WAN IP and To this Internal IP fields
MAP this WAN IP checkbox | Type the desired Internet IP address
To this Internal IP | Type the IP address of the local computer, or click This Computer to specify your computer
Map this WAN IP range | Click this option to map a range of Internet IP addresses to a range of local computer IP addresses of the same size. You must then fill in the Map this WAN IP range and To this Internal IP range fields


Viewing and Deleting Static NAT Mappings

The procedures below explain how to view and delete static NAT mappings.

To view static NAT mappings

1. Click Network in the main menu, and click the Static NAT tab

The Static NAT page appears with a list of existing static NAT mappings

To delete a static NAT mapping

2. To delete a static NAT mapping, do the following:

a. In the desired static NAT mapping row, click the Delete icon

A confirmation message appears

b. Click OK

The mapping is selected
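The following Python sketch is an added example, not part of the Nokia guide or the IP40 software. It checks a planned configuration against three constraints stated in this chapter: the DMZ must not overlap the LAN, a WAN range and its internal range must be the same size, and firewall Allow rules for Static NAT hosts must name the internal IP address. The class and function names, the /24 masks, the in-order pairing of range addresses, and the 203.0.113.x sample addresses are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class NatRange:
    """One Static NAT row (hypothetical model); single IP: first == last."""
    wan_first: str
    wan_last: str
    int_first: str
    int_last: str


def span(first, last):
    """Count the addresses in an inclusive range; reject reversed ranges."""
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if b < a:
        raise ValueError(f"range {first}-{last} is reversed")
    return int(b) - int(a) + 1


def expand(m):
    """Return {wan_ip: internal_ip}; pairing addresses in order is assumed."""
    n = span(m.wan_first, m.wan_last)
    if n != span(m.int_first, m.int_last):
        raise ValueError(f"WAN range {m.wan_first}-{m.wan_last} and internal "
                         f"range {m.int_first}-{m.int_last} differ in size")
    w0 = ipaddress.ip_address(m.wan_first)
    i0 = ipaddress.ip_address(m.int_first)
    return {w0 + k: i0 + k for k in range(n)}


def audit(lan_cidr, dmz_cidr, mappings, allow_destinations):
    """Return (code, detail) findings for a planned IP40 configuration."""
    findings = []
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    dmz = ipaddress.ip_network(dmz_cidr, strict=False)
    if lan.overlaps(dmz):
        findings.append(("DMZ_OVERLAPS_LAN", f"{dmz} overlaps {lan}"))

    nat = {}
    for m in mappings:
        try:
            pairs = expand(m)
        except ValueError as exc:
            findings.append(("BAD_RANGE", str(exc)))
            continue
        for wan, internal in pairs.items():
            if wan in nat:
                findings.append(("WAN_IP_REUSED", str(wan)))
            if internal not in lan and internal not in dmz:
                findings.append(("INTERNAL_IP_OUTSIDE_NETWORKS", str(internal)))
            nat[wan] = internal

    # Allow rules must name the internal address of a Static NAT host.
    dests = {ipaddress.ip_address(d) for d in allow_destinations}
    for wan, internal in nat.items():
        if wan in dests:
            findings.append(("RULE_USES_WAN_IP", f"use {internal}, not {wan}"))
        if internal not in dests:
            findings.append(("NO_ALLOW_RULE", f"no Allow rule names {internal}"))
    return findings


# Constructed sample plan. 192.168.10.x is the guide's default internal range;
# the DMZ and the 203.0.113.x Internet addresses are made up for the example.
LAN = "192.168.10.1/24"
DMZ = "192.168.20.1/24"
MAPPINGS = [
    NatRange("203.0.113.10", "203.0.113.10", "192.168.10.5", "192.168.10.5"),
    NatRange("203.0.113.20", "203.0.113.23", "192.168.20.10", "192.168.20.12"),
    NatRange("203.0.113.30", "203.0.113.31", "192.168.20.30", "192.168.20.31"),
]
ALLOW_DESTINATIONS = ["203.0.113.10", "192.168.20.30"]

if __name__ == "__main__":
    for code, detail in audit(LAN, DMZ, MAPPINGS, ALLOW_DESTINATIONS):
        print(f"{code}: {detail}")
```

A NO_ALLOW_RULE finding is informational: the mapping exists, but incoming traffic to that host stays blocked until an Allow rule is created for its internal address.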

Using Static Routes

Note: It is generally not necessary to specify static routes. Only define static routes if it is required.

A static route is a setting that explicitly specifies the route for packets destined for a certain subnet. Packets with a destination that does not match any defined static route will be routed to the default gateway.

To modify the default gateway, see the section on Using a LAN Connection.

The Static Routes page lists all existing routes, including the default, and indicates whether each route is currently “Up”, or reachable, or not.

To add a static route

1. Click Network in the main menu, and click the Static Routes tab.

The Static Routes page appears, with a listing of existing static routes.

Table 14 Static NAT Fields (continued)

In this field... | Do this...
MAP this WAN IP range | Type the desired Internet IP address range
To this Internal IP range | Type the range of local computer IP addresses


2. Click New Route.

The Edit Route page appears.

3. Complete the fields using information given in the table below

4. Click Apply

The new static route is saved.


To edit a static route

1. Click Network in the main menu, and click the Static Routes tab

The Static Routes page appears, with a listing of existing static routes

2. To edit the route details, do the following:

a. In the desired route row, click Edit

The Edit Route page appears displaying the destination network, subnet mask, and gateway IP of the selected route

b. Edit the fields using the above table.

c. Click Apply.

The changes are saved.

To delete a static route

1. Click Network in the main menu, and click the Static Routes tab

The Static Routes page appears, with a listing of existing static routes

2. In the desired route row, click the Delete icon

A confirmation message appears.

3. Click OK.

The route is deleted.

Table 15 Edit Route Page Fields

In this field... | Do this...
Destination Network | Type the network address of the destination network
Subnet Mask | Select the subnet mask
Gateway IP | Type the IP address of the gateway (next hop router) to which to route the packets destined for this network


7 Setting Up the Security Policy in IP40

This chapter describes how to set up the Nokia IP40 security policy. It includes the following topics:

• “Setting the Firewall Security Level”
• “Configuring Virtual Servers”
• “Creating Firewall Rules”
• “Allow and Block Rules”
• “Deleting Rules”
• “Defining an Exposed Host”

Setting the Firewall Security Level

You can control the firewall security level on the Firewall page. The level can be set to one of three states:

• Low level security — enforces basic control on incoming connections, while permitting all outgoing connections.

• Medium level security — enforces strict control on all incoming connections, while permitting safe outgoing connections.

• High level security — enforces strict control on all incoming and outgoing connections.

The default security level is Medium. Refer to “Customizing your security policy” on page 83 for information on customizing your security policy.

To change the firewall security level

1. In the Navigation Bar click Security.

The Firewall page appears.


2. To set the security level, drag the slider.

The IP40 security level changes accordingly.

Note: You may experience a temporary break in the service.

Configuring Virtual Servers

Note: If you do not intend to host any public Internet servers (Web server, mail server and so on) in your network, you can skip this section.

You can selectively allow incoming network connections into your network. For example, you can set up your own Web server, mail server, Telnet server or an FTP server.

To allow a service to be run on a host

1. In the Navigation Bar click Security.

The Firewall page appears.

2. Click the Servers tab.

The Virtual Servers page appears, displaying a list of services and a host IP address for each allowed service.


3. In the Allow column, select the check box of the desired service or application.

If you are using IP40 Satellite X, the appropriate check box in the VPN Only column is enabled.

4. To allow only connections made through a VPN, select the VPN Only check box.

5. In the Host IP text box of the selected service or application type the IP address of the computer that will run the service (one of your network computers) or click the corresponding This Computer button to allow your computer to host the service.

6. Click Apply.

A success message appears, and the selected computer is allowed to run the desired service or application.

To restrict access from the external network

1. In the Navigation Bar, click Security > Servers.

The Virtual Servers page appears, displaying a list of services and a host IP address for each allowed service.

2. In the desired service or application row, click Clear.

The Host IP text box of the desired service is cleared.

3. Click Apply.

The service or application for the specific host is not allowed.

Customizing your security policy

The sections below describe how to customize your security policy.

Creating Firewall Rules

The IP40 checks the protocol used, the port range, and the destination IP address when deciding whether to allow or block traffic. User-defined rules have priority over the default rules.


By default, in the Medium security level, the IP40 blocks all connection attempts from the Internet (WAN) to the LAN, and allows all outgoing connection attempts from the LAN to the Internet (WAN).

Allow and Block Rules

The Allow and Block rules provide you with greater flexibility in defining and customizing your security policy. You can allow additional inbound services not on the Virtual Servers list, or block outbound communications for specific port ranges and protocols.

To permit incoming access from the Internet to your internal network, for specific port ranges and protocols, you must create a new Allow rule. To block outgoing access from your internal network to the Internet, for specific port ranges and protocols, create a new Block rule.

To create a new rule

1. In the Navigation Bar, click Security.

The Firewall page appears.

2. Click the Rules tab to add any rule.

3. Click the Add Rule button on the Rules page to select the type of rule that you want to add.

Depending on the tab you select, the Allow and Forward rule or the Allow Rules or the Block Rules page appears.


Note: In IP40 Tele 8, the Allow Rules page does not contain a VPN Only column, and the Block Rules page does not contain an Also VPN column.

4. Complete the fields using the information in the table below.

5. Click Next

The Destination and Source dialog box appears.

6. Complete the fields using information from the table below

The Done dialog box appears.


7. Click Finish.

The new rule appears in the Firewall Rules page.

Table 16 Firewall Rule Fields

In this field... | Do this...
Any Service | Click this option to specify that the rule should apply to any service
Standard Service | Click this option to specify that the rule should apply to a specific standard service. You must then select the desired service from the drop-down list
Custom Service | Click this option to specify that the rule should apply to a specific non-standard service. The Protocol and Port Range fields are enabled. You must fill them in.
Protocol | Select the protocol (ESP, GRE, TCP, UDP or ANY) for which the rule should apply
Ports | To specify the port range to which the rule applies, type the start port number in the left text box, and the end port number in the right text box. Note: If you do not enter a port range, the rule will apply to all ports. If you enter only one port number, the range will include only that port.
Source | Select the source of the connections you want to allow/block. To specify an IP address, select Specified IP and type the desired IP address in the text box
Destination | Select the destination of the connections you want to allow or block. To specify an IP address, select Specified IP and type the desired IP address in the text box
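The following Python model is an added example, not IP40 code. It shows how the rule fields in Table 16 combine with the Medium-level defaults described above, and it flags Allow rules that open every port because the Ports field was left empty. The class and function names and the sample addresses are hypothetical, and the model assumes that Allow rules apply to incoming connections and Block rules to outgoing ones, as the Allow and Block Rules section describes; Virtual Servers and the exposed host are not modelled.

```python
from dataclasses import dataclass
from typing import Optional

PORTLESS = {"ESP", "GRE"}   # protocols in Table 16 that carry no port number


@dataclass
class Conn:
    """A connection attempt (hypothetical model, not an IP40 data structure)."""
    direction: str              # "inbound" (WAN to LAN) or "outbound"
    protocol: str               # "TCP", "UDP", "ESP" or "GRE"
    port: Optional[int]         # destination port; None for ESP/GRE
    source: str
    destination: str


@dataclass
class Rule:
    """One user-defined rule with the fields listed in Table 16."""
    action: str                 # "allow" or "block"
    protocol: str = "ANY"
    port_first: Optional[int] = None
    port_last: Optional[int] = None
    source: str = "ANY"         # "ANY" or a specified IP
    destination: str = "ANY"

    def port_range(self):
        """No ports entered: all ports. One port entered: only that port."""
        if self.port_first is None and self.port_last is None:
            return (0, 65535)
        first = self.port_first if self.port_first is not None else self.port_last
        last = self.port_last if self.port_last is not None else self.port_first
        if not 0 <= first <= last <= 65535:
            raise ValueError(f"invalid port range {first}-{last}")
        return (first, last)

    def matches(self, conn):
        if self.protocol not in ("ANY", conn.protocol):
            return False
        if conn.port is None:
            # ESP/GRE traffic can only match a rule that has no port range.
            ports_ok = self.port_first is None and self.port_last is None
        else:
            lo, hi = self.port_range()
            ports_ok = lo <= conn.port <= hi
        return (ports_ok
                and self.source in ("ANY", conn.source)
                and self.destination in ("ANY", conn.destination))


def decide(conn, rules):
    """Apply user-defined rules first, then the Medium-level default."""
    if conn.direction == "inbound":
        if any(r.action == "allow" and r.matches(conn) for r in rules):
            return "allow"
        return "block"          # default: WAN to LAN is blocked
    if any(r.action == "block" and r.matches(conn) for r in rules):
        return "block"
    return "allow"              # default: LAN to WAN is allowed


def all_port_allow_rules(rules):
    """Indexes of Allow rules whose port range covers every port."""
    return [i for i, r in enumerate(rules)
            if r.action == "allow" and r.protocol not in PORTLESS
            and r.port_range() == (0, 65535)]


# Constructed rule set; all addresses are made up for the example.
RULES = [
    Rule("allow", "TCP", 25, None, destination="192.168.10.5"),  # port 25 only
    Rule("allow", "TCP", destination="192.168.10.6"),            # ports left empty
    Rule("block", "TCP", 6660, 6669),                            # outbound range
]

if __name__ == "__main__":
    probe = Conn("inbound", "TCP", 3389, "198.51.100.7", "192.168.10.6")
    print(decide(probe, RULES), all_port_allow_rules(RULES))
```

The second rule is the case to watch for when reviewing a rule set: leaving the port fields empty exposes every TCP port on that host, not just the intended service.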


Deleting Rules

To delete an existing rule

1. In the Navigation Bar click Security.

The Firewall page appears.

2. Click the Rules tab. Click the Delete icon of the rule you wish to delete.

A confirmation message appears.

3. Click OK.

The rule is deleted.

Defining an Exposed Host

The IP40 allows you to define an exposed host, which is a computer that is not protected by the firewall. This is useful for setting up a public server. It will allow unlimited incoming and outgoing connections between the Internet and the exposed host computer.

Caution: Entering an IP address may make the designated computer vulnerable to external attacks. Defining an exposed host is not recommended unless you are fully aware of the security risks.

To define a computer as an exposed host

1. Click Security in the main menu, and click the Exposed Host tab.

The Exposed Host page appears.

2. In the Exposed Host text box, type the IP address of the computer you wish to define as an exposed host. Alternatively, you can click This Computer to define your computer as the exposed host.

3. Click Apply


The selected computer is now defined as an exposed host.


8 Configuring Network Access

This chapter describes how to create and manage Nokia IP40 users. Network Access Procedures, Secure Shell (SSH) and Secure Socket Layer (SSL) are also discussed in this chapter.

The chapter includes the following sections:

• “Changing Your Password”
• “Adding Users”
• “Viewing and Editing Users”
• “Deleting Users”
• “Setting Up Remote VPN Access for Users”
• “Network Access Methods”
• “Secure Shell”
• “Secure Socket Layer”

Changing Your Password

You can change your password at any time. The method for changing the password varies depending on the IP40 configuration you are using.

The default username for Nokia IP40 Tele 8 Configuration is admin. You can change the password for this user.

To change the password using IP40 Tele 8

1. In the Navigation Bar click Password.

The Password page appears.


2. Edit the Password and Confirm password fields.

Note: Use 5 to 25 characters (letters or numbers) for the new password.

3. Click Apply.

Your changes are saved.

In Nokia IP40 Satellite X, you can define multiple users and perform the following tasks:

• Changing Your Password
• Adding Users
• Viewing and Editing Users
• Deleting Users
• Setting Up Remote VPN Access for Users

To change password using IP40 Satellite X

1. In the Navigation Bar click Users.

The Users page appears.

2. In the username row, click Edit.

The Edit User page appears.

3. Edit the Password and Confirm password fields.


Note: Use 5 to 25 alphanumeric characters for the new password.

4. Click Apply.

Your changes are saved.

Adding Users

You can perform this task only with IP40 Satellite X. The number of IP40 users you can add is limited according to your software.

To add a user

1. In the Navigation Bar, click Users.

The Users page appears.

2. Click New User.

The Edit User page appears. The options that appear on the page depend on the software and services you are using.

3. Complete the fields using the information in the table below.

4. Click Apply.

The new user is saved. The Edit User page appears.

Viewing and Editing Users

You can perform this task only with IP40 Satellite X.

To view or edit users

1. In the Navigation Bar, click Users.

The Users page appears.


2. In the desired user's row, click Edit.

The Edit User page appears with the user's details. The options that appear on the page depend on the software and services you are using.

3. To edit the user's details, do the following:

a. Edit the fields using the table below.

b. Click Apply.

The changes are saved.

4. To return to the Users page without making any changes, click Cancel.

Table 17 Edit User Page Fields

Field | Action
Username | Enter a username for the user. You cannot change the “admin” user's username.
Password | Enter a password for the user. Use five to twenty-five alphanumeric characters (letters or numbers) for the new password.
Confirm Password | Re-enter the user’s password
Administrator Level | Select the user’s level of access to the Nokia IP40 portal. The levels are: • No Access: The user cannot access the IP40. • Read/Write: The user can log on to the IP40 and modify system settings. • Read Only: The user can log on to the IP40, but cannot modify system settings. For example, you could assign this administrator level to technical support personnel who need to view the Event Log. The default level is No Access. The “admin” user’s Administrator Level (Read/Write) cannot be changed.
VPN Remote Access | Allows the user to connect to this IP40 using their VPN client. For further information on setting up VPN remote access, see Chapter 13, “Working with VPNs.” This option is available in IP40 Satellite X configuration only.
Web Filtering Override | Allows the user to override web filtering. This option only appears if the Web Filtering service is defined.


Deleting Users

You can delete users only with IP40 Satellite X.

Note: The “admin” user cannot be deleted.

To delete a user

1. In the Navigation Bar, click Users.

The Users page appears.

2. In the desired user’s row, click the Erase icon.

A confirmation message appears.

3. Click OK.

The user is deleted.

Setting Up Remote VPN Access for Users

You can set up VPN access for users only with IP40 Satellite X.

If you are using IP40 as a VPN server, you can allow users to access it remotely through their VPN clients (a Check Point SecureClient, Check Point SecuRemote, IP40 Tele 8, or another IP40 Satellite X).

To set up remote VPN access for a user

1. Enable your VPN server using the procedure in “Setting Up Your IP40 as a VPN Server.”

2. Add the user to the system, using the procedure in “Adding Users.”

You must select the VPN Remote Access option.

Using RADIUS Authentication

You can use RADIUS to authenticate both IP40 users and VPN clients trying to connect to the IP40.

When a user accesses the IP40 GUI and tries to log on, the IP40 sends the entered user name and password to the RADIUS server. The server then checks whether the RADIUS database contains a matching user name and password pair. If so, the user is logged on.

To use RADIUS authentication

1. Click Users in the main menu, and click the RADIUS tab.

The RADIUS page appears.


2. Complete the fields using the information in the table below.

3. Click Apply

Table 18 RADIUS Page Fields

In this field... | Do this...
Address | Type the IP address of the computer that will run the RADIUS service (one of your network computers) or click the corresponding This Computer button to allow your computer to host the service. To clear the text box, click Clear
Port | Type the port number on the RADIUS server’s host computer. To reset this field to the default port (1812), click Default.
Shared Secret | Type the shared secret to use for secure communication with the RADIUS server
Administrator Level | Select the level of access to the IP40 portal to assign to all users authenticated by the RADIUS server. The levels are: • No Access: The user cannot access the IP40 • Read/Write: The user can log on to the IP40 and modify system settings • Read Only: The user can log on to the IP40, but cannot modify system settings. The default level is No Access.
Web Filtering Override | Select this option to allow all users authenticated by the RADIUS server to override Web Filtering. This option only appears if the Web Filtering service is defined.


Secure Shell

Secure Shell Description

Secure Shell is a program to log in to another computer over a network, to execute commands in a remote machine, and to move files from one machine to another. It provides strong authentication and secure communications over insecure channels. IP40 1.0 supports SSH 2.0.

The SSH feature in IP40 will provide secure remote access to the device. In addition, SCP is also supported to enable secure upgrade of the device, downloading of public keys and HTTPS certificates and Import/Export features.

Configuring SSH

To start using SSH remotely, you should first set IP40 to accept requests from SSH clients.

To enable IP40 to accept SSH requests

1. Go to the setup page from the main menu, and click on the Management tab.

The Management page appears.

Note: Secure Shell access is enabled by default from the LAN and DMZ interfaces. The management rules described in this section apply only to allowing Secure Shell access from the WAN side.

2. From the drop-down menu against SSH, choose one of the following, depending on the access restrictions you want to provide:

• Internal Network

• Internal Network + VPN

• IP Address Range

• ANY

Clicking on Internal Network enables only machines from your Internal Network to access your IP40 through SSH; similarly, clicking on ANY enables any host (with “Any” IP address) to connect to IP40 through SSH, and so on.

Enabling/Disabling SSH Service

Note: Secure Shell options cannot be configured from the Nokia IP40 GUI. You should use the command-line options from a command shell (such as HyperTerminal) to configure these options. A brief listing of important command-line options for configuring Secure Shell (SSH) has been included in the user guide for the purpose of introduction. Refer to the IP40 CLI Reference Guide for additional and detailed information.

Use the following commands to enable, disable and show the status of SSH service.

set ssh server enable <0 / 1>

show ssh server enable

Arguments

enable <0 / 1>

The value of 0 disables SSH and the value of 1 enables SSH. The default value is 1 since Secure Shell is enabled by default.

SSH Authentication Methods

There are two SSH authentication methods:

• Password Authentication — Password authentication is set up by default. In this method, you can connect to the SSH server running on IP40 from the SSH client installed on your machine, after entering your password.

• Public Key Authentication — Public Key Authentication is one of the most secure ways to authenticate using SSH. The basic principle in Public Key Authentication is the use of a pair of computer-generated keys: a private key and a public key. A public key is not useful unless you have the corresponding private key.


Using SSH Client

You first need to have an SSH client to connect to the SSH server running on IP40. Install an SSH client if you do not have one already.

You can use the SSH client to connect to the IP40 using password authentication or public key authentication. Refer to the user manual of the SSH client you are using for additional information.

Configuring Advanced Secure Shell Server Options

For additional information on using the command line options, refer to the CLI Reference Guide.

Configuring Server Authentication of Users

Use the following commands to configure the type of authentication the server will use to authenticate users:

set ssh server
    password-authentication <0 / 1>
    publickey-authentication <0 / 1>

Use the following commands to show user authentication configurations.

show ssh server
    password-authentication
    publickey-authentication

Configuring Server Protocol Details

Use the following commands to configure SSH protocols.

set ssh server
    ciphers name
    keepalives <on / off>
    listen-addr address
    listen-addr2 address
    maxconnections Number
    port <1-65535>

Use the following commands to show SSH protocol configurations.

show ssh server
    ciphers
    keepalives
    listen-addr
    listen-addr2
    maxconnections
    port


Configuring Service Details

Use the following commands to configure the service details.

set ssh server
    login-grace-time integer

Use the following commands to show the service details.

show ssh server
    login-grace-time

Configuring Server Implementation

Use the following commands to configure the type of authentication the server will use to authenticate users.

set ssh server
    log-level name

Use the following commands to show service detail configurations.

show ssh server
    log-level

Configuring and Managing SSH Key Pairs

Managing New Host Keys

Use the following commands to generate new host keys.

set ssh hostkey
    dsa size <768 / 1024 / 2048 / 4096>
    rsa size <768 / 1024 / 2048 / 4096>

Use the following commands to view host keys.

show ssh hostkey
    dsa
    rsa

Managing Authorized Keys

Use the following commands to add authorized keys.

add ssh authkeys
    <dsa/rsa> user admin <openssh-format/ssh2-format> file

Use the following commands to delete authorized keys.


delete ssh authkeys
    <dsa/rsa> user admin id

Use the following commands to view authorized keys configured for various user accounts.

show ssh authkeys
    <dsa/rsa> user admin id identifier
    <dsa/rsa> user admin list

Secure Socket Layer

A Web browser indicates a secure web page by displaying a closed lock symbol. This indicates that SSL is enabled. The URL, in such a case, starts with https:// rather than http://.

Secure Sockets Layer (SSL) is a protocol designed to enable secure communications over an insecure network such as the Internet. SSL provides encryption and integrity of communications along with strong authentication using digital certificates.

Enabling HTTPS Web Access

You can enable HTTPS remote access, so that IP40 users can securely access the IP40 portal from the Internet, by accessing the URL https://X.X.X.X:981, where X.X.X.X is the IP40 Internet IP address.

Note: The URL https://my.firewall is accessible from the Internal network by default.

To enable HTTPS web access

1. In the main menu, click Setup.

The Setup page appears.

2. Click on the Management tab.

The Management page appears.


3. Against the HTTPS menu, click on:

• Internal Network, to enable only users of your internal network to access your IP40 through HTTPS

• Internal Network + VPN, to enable users of your internal network and users connected to your IP40 through a VPN tunnel to access your box through HTTPS

• IP Address Range, to give a range of IP addresses; only traffic from these IP addresses can access your IP40 through HTTPS

• ANY, to enable traffic generated from any IP address to access your IP40 through HTTPS

4. Click on the Apply button once you have made the settings.

The Saved Successfully message appears.

To access the IP40 from a remote location:

1. Enter https://<external IP address of IP40>:981 in the address bar of your browser. (Note that the URL starts with https, not http.)

If you are accessing the IP40 for the first time, the security certificate in the IP40 is not yet known to the browser, so a Security Alert appears.

Click Yes to install the security certificate of the IP40 that you are trying to access. If using Internet Explorer 5.0 or later, do the following:

a. Click View Certificate.

The Certificate information screen appears, with the General tab displayed.

b. Click Install Certificate.

The Certificate Import Wizard opens.

c. Click Next.

The Certificate Store appears.

Select Automatically select the Certificate Store based on the type of certificate.


d. Click Next.

Completing the Certificate Import Wizard.

e. Click Finish.

The Root certificate Store message appears.

f. Click Yes.

The certificate is installed.
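Before accepting the Security Alert on a first connection, the fingerprint the browser displays can be compared with a copy of the certificate taken from the IP40 over a trusted connection. The following Python check is an added example, not part of the Nokia guide: the function names and the sample certificate bytes are constructed for illustration, and it assumes the reference copy is a PEM file and that the browser shows a SHA-1 or SHA-256 fingerprint.

```python
import hashlib
import hmac
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL
)

# Constructed stand-in for a certificate's DER bytes (not a real certificate);
# a fingerprint is only a hash over these bytes, so any byte string works here.
SAMPLE_DER = b"constructed placeholder for the IP40 self-signed certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


def first_cert_der(pem_text):
    """Return the DER bytes of the first certificate block in pem_text."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate block found")
    return ssl.PEM_cert_to_DER_cert(match.group(0))


def normalise_fingerprint(text):
    """Turn 'AB:CD:...' as displayed by a browser into lowercase hex."""
    hex_only = re.sub(r"[\s:]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]+", hex_only):
        raise ValueError("fingerprint contains non-hex characters")
    if len(hex_only) not in (40, 64):
        raise ValueError("expected 40 (SHA-1) or 64 (SHA-256) hex digits")
    return hex_only


def fingerprint(der, algorithm="sha256"):
    """Hex digest of the certificate's DER encoding."""
    return hashlib.new(algorithm, der).hexdigest()


def presented_cert_matches(reference_pem, presented_fingerprint):
    """True only if the fingerprint shown by the browser belongs to the
    reference certificate copied from the device over a trusted path."""
    seen = normalise_fingerprint(presented_fingerprint)
    algorithm = "sha1" if len(seen) == 40 else "sha256"
    expected = fingerprint(first_cert_der(reference_pem), algorithm)
    # Constant-time comparison; a truncated or altered value never matches.
    return hmac.compare_digest(expected, seen)


if __name__ == "__main__":
    shown = fingerprint(SAMPLE_DER, "sha1").upper()
    shown = ":".join(shown[i:i + 2] for i in range(0, len(shown), 2))
    print("browser shows:", shown)
    print("same certificate:", presented_cert_matches(SAMPLE_PEM, shown))
    print("different certificate:", presented_cert_matches(
        SAMPLE_PEM, fingerprint(b"a different certificate")))
```

A mismatch means the certificate offered on the wire is not the one stored on the appliance, and it should not be installed.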

Generating a self-signed Certificate and Private Key

Use the following command to generate a certificate and its associated private key. To better ensure your security, you should generate the certificate and private key over a trusted connection.

generate https ssl-certificate key-bits <512 | 768 | 1024> <passphrase name | prompt-passphrase> country name state-or-province name locality name organization name organizational-unit name common-name name e-mail address name <cert-file path | cert-request-file path> key-file path

Refer to IP40 CLI Reference Guide for additional information.

Installing a Certificate and Private Key

Use the following commands to copy a certificate and its associated private key to the /var/etc/https_ssl_cert_server.crt and /var/etc/https_ssl_server.key files. Copying the certificate and private key to these files makes them available to establish SSL-secure web connections.

set https ssl-certificate
    cert-file path key-file path <passphrase name | prompt-passphrase>

Refer to IP40 CLI Reference Guide for additional information.
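The SSH authentication switches, host key sizes and HTTPS key-bits values listed in the sections above can be reviewed before a command script is typed into the CLI. The following Python linter is an added example, not Nokia code: it reads only the command forms shown in this guide, the function names and both sample scripts are constructed, and the 2048-bit host key minimum is an assumed policy value.

```python
# Policy threshold is this example's assumption, not a value from the guide.
MIN_SSH_HOSTKEY_BITS = 2048
SSH_HOSTKEY_SIZES = (768, 1024, 2048, 4096)   # sizes the guide lists
HTTPS_KEY_BITS = (512, 768, 1024)             # sizes the guide lists
AUTH_OPTIONS = ("password-authentication", "publickey-authentication")

# Constructed sample scripts; the certificate subject fields and file paths
# of the generate command are omitted.
SAMPLE_SCRIPT = """\
set ssh server enable 1
set ssh server password-authentication 1
set ssh server publickey-authentication 0
set ssh hostkey rsa size 768
set ssh hostkey dsa size 2048
set ssh server port 70000
generate https ssl-certificate key-bits 512 prompt-passphrase
"""

# Public key authentication is switched on before passwords are switched off.
HARDENED_SCRIPT = """\
set ssh server publickey-authentication 1
set ssh server password-authentication 0
set ssh hostkey rsa size 4096
generate https ssl-certificate key-bits 1024 prompt-passphrase
"""


def int_after(tokens, keyword):
    """Return the integer that follows keyword, or None if absent/non-numeric."""
    if keyword in tokens:
        i = tokens.index(keyword) + 1
        if i < len(tokens) and tokens[i].isdigit():
            return int(tokens[i])
    return None


def lint(script):
    """Return sorted (line_no, code, message) findings for a command script."""
    findings = []
    auth = {}  # option -> (enabled, line_no); the last setting wins
    for line_no, raw in enumerate(script.splitlines(), 1):
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        head = tokens[:3]
        if head == ["set", "ssh", "server"] and len(tokens) >= 5:
            option, value = tokens[3], tokens[4]
            if option in AUTH_OPTIONS:
                if value in ("0", "1"):
                    auth[option] = (value == "1", line_no)
                else:
                    findings.append((line_no, "BAD-VALUE", f"{option} takes 0 or 1"))
            elif option == "port":
                if not (value.isdigit() and 1 <= int(value) <= 65535):
                    findings.append((line_no, "SSH-PORT-RANGE", "port must be 1-65535"))
        elif head == ["set", "ssh", "hostkey"]:
            bits = int_after(tokens, "size")
            if bits not in SSH_HOSTKEY_SIZES:
                findings.append((line_no, "BAD-VALUE", "unsupported host key size"))
            elif bits < MIN_SSH_HOSTKEY_BITS:
                findings.append((line_no, "SSH-HOSTKEY-WEAK",
                                 f"{bits}-bit host key is below {MIN_SSH_HOSTKEY_BITS}"))
        elif head == ["generate", "https", "ssl-certificate"]:
            bits = int_after(tokens, "key-bits")
            if bits not in HTTPS_KEY_BITS:
                findings.append((line_no, "BAD-VALUE", "unsupported key-bits value"))
            elif bits < max(HTTPS_KEY_BITS):
                findings.append((line_no, "HTTPS-KEY-WEAK",
                                 f"{bits}-bit key; largest listed is {max(HTTPS_KEY_BITS)}"))

    # Cross-line checks. The guide states password authentication is the
    # default, so it counts as enabled unless the script turns it off.
    password_on, password_line = auth.get("password-authentication", (True, 0))
    publickey = auth.get("publickey-authentication")
    if password_on:
        findings.append((password_line, "SSH-PASSWORD-AUTH",
                         "password authentication remains enabled"))
    elif publickey is not None and not publickey[0]:
        findings.append((max(password_line, publickey[1]), "SSH-LOCKOUT",
                         "both authentication methods disabled"))
    return sorted(findings)


if __name__ == "__main__":
    for line_no, code, message in lint(SAMPLE_SCRIPT):
        print(f"line {line_no}: {code}: {message}")
```

A finding on line 0 refers to a default that the script never overrides.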


9 Configuring and monitoring using SNMP

This chapter provides information on configuring the Simple Network Management Protocol (SNMP) and how to use SNMP to manage the Nokia IP40.

This chapter covers the following topics:

• “SNMP Description”

• “SNMP Configuration from the Nokia IP40”

• “Setting up SNMP access to the Nokia IP40”

• “Configuring the SNMP Parameters”

• “Configuring SNMP Parameters from the Command-line Interface”

SNMP Description

The Simple Network Management Protocol (SNMP) is a de-facto industry standard for monitoring and management of devices on data communication networks, telecommunication systems and other globally reachable devices. Practically every organization dealing with computers and related devices expects to be able to centrally monitor, diagnose and configure each such device across local and wide area networks. SNMP is the protocol that enables this interaction.

SNMP Configuration from the Nokia IP40

You can use the Nokia IP40 GUI portal and the command-line interface to set, change and view parameters for SNMP.

Setting up SNMP access to the Nokia IP40

You should specifically allow or disallow SNMP manager software running outside your network from monitoring the IP40.


To enable SNMP Access:

1. Click Setup in the main menu, and click on the Management tab.

The Management window appears.

2. Click the drop-down menu against SNMP, and select one of the following:

• Internal Network

• Internal Network + VPN

• IP Address Range

• ANY

• Disabled

If you select Internal Network, then SNMP access to the IP40 is allowed only from computers in your internal network or LAN; if you select IP Address Range, you can specify a range of IP addresses from where SNMP access is allowed to your IP40 and so on.

Configuring the SNMP Parameters

Once you set the SNMP access rules, you can configure the SNMP parameters from the Nokia IP40 GUI.

To configure the SNMP parameters:

1. Define the SNMP community name.

A community name must be specified if you want to monitor your device using SNMP.

2. Click on the Advanced tab.

The SNMP Configuration window appears:


3. Specify the System Location, such as IP40 Lab/California.

4. Specify the System Contact, such as contact person and phone number.

5. Specify the SNMP port. This number defines the port where the SNMP daemon will run.

6. Define the SNMP traps which need to be generated:

• Startup — If you check this box, an SNMP trap is generated and reported to the SNMP Manager when the SNMP daemon restarts.

• Link up/down — If you check this box, an SNMP trap is generated and reported to the SNMP Manager when the connection to WAN or LAN is temporarily unavailable or becomes available.

• User Login — If you check this box, an SNMP trap is generated and reported to the SNMP Manager when SNMP access is made with an incorrect community name.

7. Specify the IP address where the SNMP Manager is running, so that traps that are generated can be sent to the correct IP address. The default port number is 162.

Note: You need to set the trapPduAgent to a specified IP address from the command prompt so as to view the IP address of the device from where a trap is generated. Use the command ‘set snmp trappduAgent ip_address’ from the IP40 CLI for setting the trapPduAgent. You cannot set the trapPduAgent from the IP40 GUI portal. Refer to the IP40 CLI Reference Guide for more information.

Configuring SNMP Parameters from the Command-line Interface

You can use the SNMP CLI commands to set and view parameters for SNMP.

Setting SNMP Parameters from the command-line interface

You can set the SNMP parameters from CLI using the set command.


set snmp
    contact - SNMP Contact
    daemon - SNMP Daemon
    location - SNMP Location
    port - SNMP Port
    trapPduAgent - snmp trappduagent
    trapreceiver - snmp Trapreceiver
    traps - SNMP Traps

Viewing SNMP Parameters from the command-line interface

You can view the SNMP parameters from CLI using the show command.

show snmp
    community - SNMP Community
    contact - SNMP Contact
    daemon - SNMP Daemon
    location - SNMP Location
    port - SNMP Port
    trapPduAgent - snmp trappduagent
    trapreceiver - snmp Trapreceiver
    traps - SNMP Traps

Refer to the Nokia IP40 CLI Reference Guide for additional and detailed information on using the set and show commands to set and view the SNMP parameters.


10 Configuring the Nokia IP40 through Out of Band Management

This chapter explains how to configure the Nokia IP40 using Out of Band Management (OOB). It includes the following topics:

• “Overview”

• “Configuring for OOB from the Nokia IP40 GUI”

• “Configuring the Nokia IP40 for OOB from the CLI”

• “Upgrading the firmware through Out of Band Dial-in (Failsafe Mode)”

• “Booting in to Failsafe Mode”

Overview

The Nokia IP40 supports remote management using Out of Band Management (OOB). To use OOB, a modem is connected to the AUX port of your appliance. The IP40 acts as a Remote Access Server (RAS) and waits for the incoming call. An administrator can dial in to the device using a dial-up interface, and use HTTPS, SSH, or SNMP protocols to monitor or configure the device.

The Out of Band Management feature is useful in cases where you are unable to connect to your device locally using either LAN, WAN or DMZ ports. In these cases, you can use OOB to bring up your device for normal operations. The Nokia IP40 supports ISDN terminal adapter or analog modems for modem dial-in.

To connect a modem to the Nokia IP40

1. Connect a modem to the AUX port of your IP40

2. Connect to the device from a computer configured with dial-up interface.

3. Use the username and password already defined to log in.

Configuring for OOB from the Nokia IP40 GUI

You need to configure the modem settings from the IP40 GUI before using the OOB feature.


To configure the modem settings from the IP40 GUI

1. Click Network from the main menu, and select the Modem tab.

The Modem page appears.

2. From the drop-down menu next to Modem type, select Standard or Custom.

In the case of Custom Modem, you can specify an additional initialization string, apart from the standard initialization string (refer to Step 6).

3. From the drop-down menu next to Dial mode, select Tone or Pulse.

4. Select the port speed in bps from the drop-down menu next to Port Speed.

This speed defines the modem port speed. The values can be 9600, 19200, 38400, 57600, 115200, 230400 or 460800 bps.

5. Check the box next to Answer incoming PPP calls, if you want to answer the incoming PPP calls.

6. Enter a suitable string next to Initialization String. This string will be used for accessing additional Modem features.

For example, to disable the modem speakers, enter the initialization string ATM0.

Note: Refer to the user manual of your modem to find the suitable init string.

7. Click Apply to save your modem settings.

8. Click on the Test button to verify whether your modem settings are working fine.

Note: You cannot configure all the OOB parameters from the IP40 GUI. The parameters that cannot be configured from the GUI, such as the address of the OOB interface, the destination address of the OOB interface and IP header compression, have default values. These values can be changed only from the CLI.


Configuring the Nokia IP40 for OOB from the CLI

The set interface oob command can be used for configuring the OOB parameters.

set interface oob
    address - Set address of oob interface
    destination - Set destination address of oob interface
    disable - Disable out of band management
    echo-interval - Set LCP echo interval
    enable - Enable out of band management
    idle-time - Set idle time
    max-echo-failures - Set maximum LCP echo failures
    vjcompression - Set IP header compression (VJ Compression)

Similarly the show interface oob command can be used for viewing the OOB parameters.

Configuring the modem settings from the CLI

You can set the modem settings like dial mode, custom initialization string and baud rate from the IP40 CLI.

set modem
    dialmode - Set modem dial mode
    extrainit - Set custom initialization string
    manufacturer - Configure modem Manufacturer
    rate - Set modem baud rate

Refer to the Nokia IP40 CLI Reference Guide for more information on using the OOB commands.

Secure Shell and HTTPS Access through Out of Band Dial-in

You can access the Nokia IP40 using Secure Shell (SSH) or HTTPS and configure the device. Once you dial in to the Nokia IP40 from a modem (Refer to “To connect a modem to the Nokia IP40” on page 107 for details), you can establish a normal SSH or HTTPS session.

Refer to “Secure Shell” on page 95 for details on using the Secure Shell and to “Enabling HTTPS Web Access” on page 99 for details on using HTTPS.

Note: You should allow SSH and HTTPS access on the Nokia IP40 before you establish the sessions from OOB dial-in. Refer to “Configuring Virtual Servers” on page 82 for details.


Upgrading the firmware through Out of Band Dial-in (Failsafe Mode)

You can use the OOB feature in the IP40 for remote HTTPS/SSH access and to perform firmware upgrade.

To upgrade the firmware through OOB from failsafe kernel

1. Boot in to the failsafe kernel. Refer to the following section for more details.

2. After booting, dial in to the box with username admin and password password.

Note: IP40 uses the IP address 192.168.40.1 for the dial-up interface.

3. Open a telnet session to your IP40 using the above IP address and user name/password information

4. Upload the firmware file to the device using FTP or TFTP. You will be prompted for confirming firmware upgrade once the upload is completed

5. Upgrade your device’s firmware by clicking Yes. IP40 will verify whether the firmware file you uploaded is valid before upgrading.

Booting in to Failsafe Mode

The IP40 goes in to the failsafe mode when the main kernel gets corrupted. If the main kernel gets corrupted, the IP40 loads a failsafe kernel to the RAM. For the device to function properly, it must be upgraded with a new firmware.

You can upgrade the firmware using OOB or using Console and LAN.

If the device is booted in failsafe mode, you will get the following login prompt:

Welcome to IP40 (failsafe)

login:

The user name and password are “admin” and “password” respectively.

Special Deployment Mode in the Nokia IP40

Holding the reset button and plugging in the power to the IP40 boots the device in special deployment mode. In this mode, the firewall allows access to SSH/HTTPS from OOB for half an hour. You can set the first-time password and configure the device remotely using OOB. However, after half an hour, the firewall starts filtering the traffic as usual. This might cause disconnection of existing SSH/HTTPS sessions over the OOB interface.


The default user name and password for OOB are admin and password respectively if the first-time password is not set. Using this special mode, you can manage the device remotely using OOB for half an hour irrespective of current firewall filters.


11 Configuring Device Functions

This chapter describes how to configure the common device functions such as setting up of host name, configuring the date and time, and system logging. The chapter also discusses how to load factory default configuration, perform firmware upgrade and upgrade the product key.

This chapter covers the following topics:

• “Host Name Configuration”

• “Date and Time Configuration”

• “System Logging Configuration”

• “Network Utilities”

• “Exporting the IP40 Configuration”

• “Firmware Upgrade”

• “Firmware Upgrade in Failsafe Mode”

• “Resetting the IP40 to Factory Defaults”

Host Name Configuration

You can set the host name of your device using the following procedure.

To set the host name using command-line

Use the following commands to view or change your platform’s host name:

show hostname

set hostname name

Refer to IP40 CLI Reference Guide for more information on setting the host name.

Date and Time Configuration

You can use the Set Time Wizard from Setup > Tools > Set Time to set the date and time for your IP40. Refer to “Setting the Nokia IP40 Time” on page 39 for information on setting the date and time.


For advanced date and time configuration using the NTP server, refer to the IP40 CLI Reference Guide.

System Logging Configuration

The Nokia IP40 supports local event logging, which can be viewed from Reports > Event Log. Up to 100 events can be logged here. An external syslog server can also be configured using the following method.

To configure an external Syslog server

1. Click Setup from the main menu, and select the Logging tab.

The Logging page appears.

2. Enter the IP address for the syslog server against the Syslog server field.

Note: The Syslog server can run either on a computer outside your network, or on a computer inside your IP40 network.

3. Specify the port number where the syslog server will run. The default port number is 514.

To set the syslog server from the command-line

Use the following commands from the IP40 command-line interface to set the syslog server.

set syslog
    address - Syslog server address
    port - Syslog server port

Refer to IP40 CLI Reference Guide for more information on setting the Syslog server.

Network Utilities

You can use the following network utilities from the IP40 GUI:

• Ping

• Traceroute

• WHOIS

To use the network utilities from the Nokia IP40 GUI

1. Click Setup from the main menu, and select the Tools tab.

The tools page appears.

2. Select Ping, traceroute or WHOIS from the drop-down menu next to IP tools, depending on the tool you want to use.

3. Enter the IP address in the IP address field.

Click the Go button on the right.

4. The IP Tools window appears, providing the network statistic.

The below screen shows an example of Ping tool usage.

Managing Configuration

You can export and import the existing IP40 configuration.


This is useful when you want to upgrade the firmware of your device, but do not want to lose the current configuration. This feature can also be used when the device is accidentally misconfigured, and the original configuration needs to be restored.

The configuration file (*.cfg), which includes all the IP40 settings can be used to backup and restore the settings.

Exporting the IP40 Configuration

You can export the IP40 configuration to a *.cfg file, and use this file to backup and restore IP40 settings, as needed. The configuration file includes all your settings.

Exporting the IP40 Configuration

1. Click Setup in the main menu, and click the Tools tab.

The Tools page appears.

2. Click Export.

A standard File Download dialog box appears.

3. Click Save. The Save As dialog box appears.

4. Browse to a destination directory of your choice.

5. Type a name for the configuration file and click Save.


The *.cfg configuration file is created and saved to the specified directory.

Importing the IP40 Configuration

In order to restore the configuration of your appliance from a configuration file, you must import the file:

To import the IP40 configuration

1. Click Setup in the main menu, and click the Tools tab

The Tools page appears.

2. Click Import.

The Import Settings page appears.

3. Do one of the following:

• In the Import Settings field, type the full path to the configuration file.

Or

• Click Browse, and browse to the configuration file.

4. Click Upload.

A Confirmation message appears.

5. Click OK.

The IP40 settings are imported.

A success message appears.

6. Click OK.

The Tools page reappears.


Note: You can use the HTTP, TFTP, FTP and SCP protocols through the IP40 command-line interface for configuration export and import. Refer to the IP40 CLI Reference Guide for additional information.

Firmware Upgrade

You can upgrade the IP40 to a new firmware version of the product. If you are subscribed to Software Updates, firmware updates are performed automatically. These updates include new product features and protection against new security threats.

If you are not subscribed to the Software Updates service, you must update your firmware manually.

To update firmware manually

1. In the Navigation Bar click Setup.

The Firmware page appears.

2. Click Firmware Update.

The Firmware Update page appears

3. Click Browse.

A browse window appears.

4. Select the firmware file that you have purchased.

5. Click Upload.

6. The IP40 firmware is updated - this may take one minute.

Upon updating, the IP40 restarts automatically.


Firmware Upgrade in Failsafe Mode

When the IP40 goes to failsafe mode, you can use the following procedure for upgrading the firmware. Refer to “Upgrading the firmware through Out of Band Dial-in (Failsafe Mode)” on page 110 for information on upgrading firmware in failsafe mode through OOB.

To upgrade the firmware using Console and LAN

1. Connect to the console. Use “admin” and “password” as the default user name and password.

Welcome to IP40 (failsafe)

login: admin

password:

Device is running in failsafe mode. You must upgrade the device immediately.

2. Specify the LAN IP address and Netmask when prompted.

3. The device waits for the FTP client to upload the firmware once the LAN interface is configured.

Device is waiting for ftp client to upload the firmware.

You must close ftp session using ‘quit’ command after uploading firmware.

Press Ctrl+C to Cancel.

4. FTP to the configured LAN IP address and upload the firmware.

5. The device requests your confirmation for firmware upgrade after successful firmware upload. Press ‘y’ to confirm.

6. The device displays the appropriate message depending on success or failure of firmware upgrade.

Installing Your Product Key

Your IP40 is identified by the product key that is obtained when you purchase the device. You can purchase and upgrade to any of the other versions of the IP40.

To install a product key

1. In the Navigation Bar click Setup.

2. Click the Firmware tab.

The Firmware page appears


3. Click Upgrade Product.

The Setup Wizard opens, with the Install License dialog box displayed.

4. Select Product Key.

5. In the Product Key field, enter the new product key.

6. Click Next.

The Installed New Product Key dialog box appears.

7. To register your IP40, check I want to register my product.

8. Click Next.

A new browser window opens with https://support.nokia.com/agreement/SOHOregister.html.

9. Click Finish.

The IP40 restarts and the Welcome page appears.

Resetting the IP40 to Factory Defaults

You can reset the IP40 to its default settings. When you reset your IP40, it reverts to the state it was originally in when you purchased it, and your firmware reverts to the version that shipped with the IP40.

Warning: This operation erases all your settings and password information. You will have to set a new password and reconfigure your IP40 for Internet connection. For information on performing these tasks, see “Setting up the IP40”.

You can reset the IP40 to defaults via the Web management interface (software) or by manually pressing the Reset button (hardware) located at the back of the box.

To reset the IP40 to factory defaults via the Web Interface

1. Click Setup in the main menu, and click the Tools tab.

The Tools page appears.

2. Click Factory Settings.

A confirmation message appears.

3. Click OK.

• The Please Wait screen appears.

• The IP40 returns to its factory defaults.

• The IP40 is restarted (the PWR LED flashes quickly).

This may take up to a minute.

• The Login page re-appears.

Note: Since the network settings change, you will not be able to access the device immediately. Release and renew the IP address by running the Refresh IP tool located in the tools folder on the CDROM, and then access the IP40 GUI portal.

To reset the IP40 to factory defaults using the Reset button

The Restore Defaults button is inside a hole on the back panel of the IP40. To press the button, use a large flat-tipped object, such as a thick paper clip. Pressing the Restore Defaults button for 7 seconds restores all IP40 settings back to factory defaults. The button works only after booting is complete, and the green light must be illuminated to activate the button. The status light goes off while defaults are being restored, and re-lights after defaults are restored and the IP40 begins to reboot. It takes over 2 minutes to restore defaults.

12 Viewing Reports

This chapter provides an overview of the reports you can view from the Nokia IP40 GUI, and how to view them.

This chapter includes the following topics:

• “Viewing the Event Log” on page 123

• “Viewing Active Computers” on page 124

• “Viewing Active Connections” on page 125

• “Viewing VPN Tunnels” on page 126

• “Viewing Diagnostics Summary” on page 127

Viewing Reports

You can view the following reports on the IP40 GUI:

• Event Log

• Active computers

• Active connections

• VPN tunnels

Viewing the Event Log

You can track network activity by using the event log. The event log displays the last 100 events in the following categories:

• Events highlighted in blue indicate changes in your setup, made either by you or as a result of a security update implemented by your service center.

• Events highlighted in red indicate connection attempts that your firewall blocked.

• Events highlighted in orange indicate attempts that your custom security rules blocked.

The logs detail the date and time the event occurred, and its type. If the event is a communication attempt that was rejected by the firewall, the event details include the source and destination IP address, the destination port, and the protocol used (TCP, UDP, and so on) for the communication attempt.

To view the event log

1. In the Navigation Bar click Reports.

The Event Log page appears.

2. Do any of the following:

• Click the Refresh button to refresh the display.

• Click the Clear button to clear all events.

• If an event is highlighted in red, indicating a blocked attack on your network, you can display the attacker's details by clicking on the IP address of the attacking machine.

The IP40 queries the Internet WHOIS server, and a window displays the name of the entity to whom the IP address is registered and their contact information. This information is useful in tracking down external attacks.

Viewing Active Computers

The Viewing Active Computers option allows you to view the currently active computers on your network. The active computers are graphically displayed, each with its name, IP address, and settings (DHCP, Static, and so on).

You can also view node limit information.

To view the active computers

1. In the Navigation Bar click Reports > Active Computers.

The Active Computers page appears.

If you exceed the maximum number of computers allowed by your license, a warning message appears, and the computers over the node limit are marked in red. These computers might not be able to access the Internet through the IP40.

Note: To increase the number of computers that your license allows, you must upgrade your product.

If desired, click the Refresh button to refresh the display.

2. To view node limit information:

a. Click Node Limit.

The Node Limit window appears with installed software product and the number of nodes used.

b. Click Close to close the window.

Viewing Active Connections

The Viewing Active Connections option allows you to view the currently active connections between your network and the external world. The active connections are displayed as a list, specifying source IP address, destination IP address and port, and the protocol used (TCP, UDP, and so on).

To view the active connections

1. In the Navigation Bar click Reports > Active Connections.

The Active Connections page appears.

2. Do the following:

• Click the Refresh button to refresh the display.

• To view information on the destination machine, click on its IP address.

The IP40 queries the Internet WHOIS server, and a window displays the name of the entity to whom the IP address is registered and their contact information.

Viewing VPN Tunnels

You can view a list of currently established VPN tunnels.

A VPN tunnel is created whenever your computer attempts to communicate with a computer at the VPN site, after you have logged on to the site. When you log off, all open tunnels connecting to a VPN site are closed.

To view VPN tunnels

1. Click Reports.

The Event Log page appears.

2. In the submenu, click VPN Tunnels.

The VPN Tunnels page appears with a table of open tunnels to VPN sites.

The VPN Tunnels table includes the following columns:

Table 19 VPN Tunnels

| Column | Information |
|---|---|
| Site | The VPN site’s name |
| Username | The user logged on to the VPN site |
| Encryption Type | The type of encryption used to secure the connection, followed by the type of authentication used to verify the user’s identity. This information is presented in the following format: Encryption Type/Authentication Type |
| Established Time | The time when the VPN tunnel is established. This information is presented in the following format: Hour:Minute:Second |
| VPN Gateway | The IP address of the VPN gateway to which the tunnel is connected |

You can refresh the table by refreshing the browser.

Viewing Diagnostics Summary

You can view the diagnostics summary for your device from IP40 GUI. The diagnostics summary provides useful information about your device, such as Node Limit, Network Status, Primary Network Status, Secondary Network Status, My Network Status, Setup State, Users State, Security and Subscription Services. Apart from this, you can get the following basic information about your IP40 from the diagnostics summary.

To view Diagnostics Summary

1. From the main menu, click on Setup > Tools.

The Tools page appears.

2. Click on the Diagnostics button, which is present on the right hand side.

3. The Diagnostics window pops up. A section of the diagnostics window displaying information on Serial Number, Nokia Firmware Version, Firmware Version, Bootcode Version, Hardware Type, Hardware Version, Uptime, Node Limit, Network Status is shown below.

4. You can use the scroll bar on your IP40 Diagnostics Window for viewing more information on your IP40.

13 Working with VPNs

This chapter describes how to use the Nokia IP40 as a VPN client, server or gateway. It includes the following topics:

• “Overview” on page 129

• “Remote Access VPNs” on page 131

• “Setting Up the Nokia IP40 Satellite X as a VPN Server” on page 134

• “SecuRemote to Satellite X (VPN Client to Gateway)” on page 138

• “Setting up the Nokia IP40 Tele 8 as VPN Client” on page 139

• “IP40Tele to IP40 Satellite X (VPN Client to Gateway)” on page 143

• “IP40 Tele 8 to Check Point v4.1/ NG/ FP1/ FP2/FP3/NG AI” on page 144

• “IP40 Tele 8 to Check Point NG AI” on page 144

• “Site-to-Site VPNs” on page 145

Overview

In addition to full firewall functionality, the IP40 Tele 8 and Satellite X enable secure telecommuter access from home to the office network through the virtual private network (VPN) functionality.

A VPN consists of at least one VPN server or gateway, and several VPN clients. A VPN server makes the corporate network remotely available to authorized users, such as employees working from home, who connect to the VPN server by using VPN clients. A VPN gateway can be connected to another VPN gateway in a permanent, bi-directional relationship. The two connected networks function as a single network.

A connection between two VPN sites is called a VPN tunnel. VPN tunnels encrypt and authenticate all traffic through them. Through these tunnels, you can safely use your company’s network resources when you work at home. For example, you can securely read email, use your company intranet, or access your company database from home.

The IP40 Tele 8 and Satellite X licenses provide VPN functionality.

The IP40 Tele 8 acts as a VPN client and can establish secure VPN tunnels to your office VPN gateway.

The IP40 Satellite X can act as a VPN client, a VPN server, or a VPN gateway.

Both Tele 8 and Satellite X enable a number of solutions to support your VPN connectivity needs that are explained in the subsequent sections:

Figure 4 VPN Topologies [diagram of VPN clients and VPN gateways]

Table 20 VPN Topologies

| VPN Client | Gateway |
|---|---|
| SecuRemote/ VPN Client | Satellite |
| Tele | Satellite |
| Tele | Check Point v4.1, NG, FP1, FP2, FP3, NG AI |
| Tele | Check Point NG AI (RAS Community) |
| Satellite (Gateway) | Satellite (Gateway) |
| Satellite (Gateway) | VPN-1, Check Point v4.1, NG, FP1, FP2, FP3, NG AI |
| Satellite | Check Point NG AI LSM (DAIP Object) |
| Satellite | Check Point NG AI (Star Community) |
| Satellite | Windows 2000 |

Remote Access VPNs

Configuring a Remote Access VPN Site

1. Click VPN in the main menu, and click the VPN Sites tab.

2. Click the New Site button at the bottom of the page.

3. The IP40 VPN site wizard appears.

If you select Remote Access VPN, the VPN Network Configuration dialog box appears.

To configure a remote access VPN site

1. Enter the IP address of the VPN gateway.

2. Do one of the following:

• To obtain the network configuration by downloading it from the VPN site, select Download Configuration. This option automatically configures your VPN settings by downloading the network topology definition from the VPN server.

Note: Downloading the network configuration is only possible if you are connecting to a Check Point VPN-1 or IP40 Satellite VPN gateway.

• To provide the network configuration manually, select Specify Configuration.

• To route all network traffic via the site, including Internet traffic, select Route All Traffic.

3. Click Next.

The following things happen in the order below:

• If you choose Specify Configuration, a second VPN Network Configuration dialog box appears. Do the following:

a. In the Destination network column, enter up to three destination network addresses at the VPN site to which you want to connect.

b. In the Subnet mask column, select the subnet masks for the destination network addresses.

c. Click Next.

• The VPN Login dialog box appears.

4. Do one of the following:

• To configure the site for manual login, select Manual Login.

• To enable the IP40 to log on to the VPN site automatically, do the following:

a. Select Automatic Login.

b. Enter a user name and password to be used for logging on to the VPN site.

Note: While Automatic Login provides all of the computers on your home network with constant access to the VPN site, Manual Login connects only the computer you are currently logged on to, and only when the appropriate user name and password are entered.

For further information on Automatic and Manual Login, see “Logging on to a VPN Site”.

The Connecting screen appears.

The Contacting VPN Site screen appears.

5. Click Next.

Proceed to “Completing Site Creation” on page 134.

Note: This configuration is supported with the IP40 Tele 8 license, or with IP40 Satellite X when the VPN server is disabled.

Configuring a Site to Site VPN Gateway

If you selected site-to-site VPN, the VPN Network Configuration dialog box appears.

To configure a site-to-site VPN gateway

1. Enter the IP address of the VPN gateway.

2. Check the Unrestricted Access box if the NAT rules should be bypassed.

3. Select the Download Configuration option if the topology is to be downloaded.

a. Enter the Topology user and Topology password.

b. Check Use Shared Secret or Use Certificate depending on the secure communication method to be used.

c. If you choose Use Shared Secret, enter the Shared Secret.

4. If the Specify Configuration option is selected:

a. In the Destination network column, enter up to three destination network addresses at the VPN site to which you want to connect.

b. In the Subnet mask column, select the subnet masks for the destination network addresses.

Note: Obtain the destination networks and subnet masks from the VPN site’s system administrator.

c. Click Next.

The Shared Secret dialog box appears.

d. Enter the shared secret to use for secure communications with the VPN site.

This shared secret is a string used to identify the VPN sites to each other. The secret can contain spaces and special characters.

e. Click Next.

5. If the Route All Traffic option is selected

You are ready to complete your VPN site. Refer to “Completing Site Creation” on page 134 to continue.
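A pre-entry check for the Specify Configuration step in both the remote access and site-to-site procedures, written as an added example (not code from the guide or the product). It validates the destination network and subnet mask pairs before they are typed into the wizard; `check_destinations` and the finding codes are hypothetical names, and the sample input is constructed from the /22 addresses printed in the guide's sample topology, checked from the IP40 Tele's side.

```python
import ipaddress

MAX_DESTINATIONS = 3  # the wizard accepts up to three destination networks


def check_destinations(entries, local_lan):
    """Validate (address, subnet mask) pairs for a manually specified VPN site.

    entries   -- list of (address, netmask) dotted-quad strings
    local_lan -- the IP40's own LAN as "address/netmask"
    Returns (networks, findings); findings is a list of (code, detail).
    """
    lan = ipaddress.IPv4Network(local_lan, strict=False)
    networks, findings = [], []
    if len(entries) > MAX_DESTINATIONS:
        findings.append(
            ("too-many", f"{len(entries)} entries, limit is {MAX_DESTINATIONS}"))
    for address, mask in entries:
        try:
            iface = ipaddress.IPv4Interface(f"{address}/{mask}")
        except ValueError as exc:  # malformed address or non-contiguous mask
            findings.append(("invalid", f"{address} {mask}: {exc}"))
            continue
        net = iface.network
        if iface.ip != net.network_address:
            # A host address was entered; the tunnel would cover all of `net`.
            findings.append(
                ("host-bits", f"{address} {mask} is a host inside {net}"))
        if net.overlaps(lan):
            # Traffic for this range would never leave the local LAN.
            findings.append(
                ("overlaps-lan", f"{net} overlaps the local LAN {lan}"))
        for earlier in networks:
            if net.overlaps(earlier):
                findings.append(
                    ("overlaps-entry", f"{net} overlaps {earlier}"))
        networks.append(net)
    return networks, findings


if __name__ == "__main__":
    # Constructed input: hub and Satellite internal addresses from the guide's
    # sample topology, as seen from an IP40 Tele whose LAN is 192.168.10.1/22.
    MASK_22 = "255.255.252.0"
    nets, problems = check_destinations(
        [("192.168.1.1", MASK_22), ("192.168.11.1", MASK_22)],
        f"192.168.10.1/{MASK_22}",
    )
    for net in nets:
        print("network:", net)
    for code, detail in problems:
        print(f"{code}: {detail}")
```

With a /22 mask, 192.168.10.1 and 192.168.11.1 both fall inside 192.168.8.0/22, so the check reports the second entry as overlapping the local LAN.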

Completing Site Creation

Once you configure a VPN site, the Site Name dialog box appears.

To complete VPN site creation

1. Enter a name for the VPN site. You may choose any name.

2. Click Next.

The VPN Site Created screen appears.

a. Enter the Site name

b. If the Keep Alive Option is selected then enter Host IP address.

The connection is kept alive by sending packets to the IP address entered.

3. Click Finish.

The VPN Sites page reappears. If you added a VPN site, the new site appears in the VPN Sites list. If you edited a VPN site, the modifications are reflected in the VPN Sites list.

Note: You can see the downloaded topology on your IP40 device at http://my.firewall/vpntopo.html

Setting Up the Nokia IP40 Satellite X as a VPN Server

Using IP40 Satellite X, you can make your network remotely available to authorized users by setting up your IP40 as a VPN server.

To set up your IP40 as a VPN server

1. In the Navigation Bar, click VPN.

The VPN Server page appears.

2. Drag the On/Off lever to On.

The VPN server is enabled.

3. Follow the procedures in “Setting Up Remote VPN Access for Users.”

Deleting a VPN Site

You can delete a VPN site from the IP40 Tele 8 and IP40 Satellite X.

To delete a VPN site

1. In the navigation bar, click VPN.

The VPN Server page appears.

2. Click VPN Sites.

The VPN Sites page appears with a list of VPN Sites.

3. In the desired VPN site row, click the Delete VPN icon.

A confirmation message appears.

4. Click OK.

The VPN site is deleted.

Logging on to a VPN Site

If you chose automatic login, a VPN tunnel is created automatically when you try to access the VPN site.

If you chose manual login, log on to a VPN site every time you want to access the VPN site.

You can log on to a VPN site either through the Nokia IP40 GUI or the my.vpn page. When you log on, a VPN tunnel is established. Only the computer from which you logged on can use the tunnel. To share the tunnel with other computers in your home network, you must log on to the VPN site from those computers, using the same username and password.

Note: You can use a single username and password for each VPN destination gateway.

Logging On from the Nokia IP40 GUI

To log on to a VPN site from the IP40 GUI, do the following:

1. Click VPN.

The VPN Sites page appears, with a list of VPN sites.

2. In the VPN submenu, click VPN Login.

The VPN Login page appears.

3. Select the site you want to log on to.

4. Enter your username and password in the appropriate fields.

5. Click Connect.

• If your IP40 is configured to automatically download the network configuration, the IP40 downloads the network configuration.

• If you had specified a network configuration when adding the VPN site, the IP40 attempts to create a tunnel to the VPN site.

• The VPN Login Status box and the Connecting screen appear. Once the IP40 has finished connecting, the Status field changes to Connected. The VPN Login Status box remains open until you log off of the VPN site.

• Once the IP40 has finished connecting, the status changes to connected.

Logging On Through my.vpn

Note: You do not need to know the my.firewall page administrator's password to use the my.vpn page.

To log on to a VPN site through the my.vpn page

1. Go to http://my.vpn. The VPN Login screen appears.

2. Select the site to which you want to log on.

3. Enter your user name and password in the appropriate fields.

4. Click Connect.

• If the IP40 is configured to automatically download the network configuration, the IP40 downloads the network configuration.

• If you specified a network configuration when adding the VPN site, the IP40 attempts to create a tunnel to the VPN site.

• The VPN Login Status box appears. The Status field tracks the progress of the connection.

• Once the IP40 has finished connecting, the Status field changes to Connected.

• The VPN Login Status box remains open until you log off of the VPN site.

Logging Off a VPN Site

You need to manually log off of a VPN site if:

• you are using IP40 Tele.

• the VPN site is a remote access VPN site configured for manual login.

To log off a VPN site

1. In the VPN Login Status box, click Close.

All open tunnels from the IP40 to the VPN site are closed, and the VPN Login Status box closes.

Note: Closing the browser or dismissing the VPN Login Status box also terminates the VPN session within a short time.

SecuRemote to Satellite X (VPN Client to Gateway)

This VPN topology enables IP40 Tele 8, Satellite X, Check Point SecuRemote and SecureClient VPN clients to connect to an IP40 Satellite X VPN server.

Note: In this configuration, the IP40 Satellite X VPN server must have a static IP address / domain name.

A sample implementation of the VPN client-to-IP40 Satellite X VPN server solution, in which two IP40 devices, a Check Point SecuRemote, and a Check Point SecureClient act as VPN clients that download topology information from the IP40 Satellite X VPN server is shown below.

Figure 5 SecuRemote and SecureClient to Satellite X

[Figure labels: IP40 HUB (Ext: 66.93.53.2/22, Int: 192.168.1.1/22); IP40 Tele (Ext: 66.93.53.4/22, Int: 192.168.10.1/22), manual mode VPN; IP40 Satellite (Ext: 66.93.53.3/22, Int: 192.168.11.1/22), automatic mode VPN; SecuRemote; SecureClient. Network labels: 192.168.10.1/22, 192.168.11.0/22, 192.168.1.0/22.]

Setting up IP40 Satellite X

Configure a VPN tunnel between SecuRemote and IP40 Satellite X.

To set up IP40 Satellite X

1. Add a User. Refer to the section “Managing Users” for more information.

2. Enable VPN Access for the User.

3. Enable VPN server.

Setting up SecuRemote

Define your VPN sites as IP40 Satellite X to set up SecuRemote.

Refer to “Check Point Desktop Security Guide, VPN-1 SecuRemote Client” for information on how to configure SecuRemote.

Setting up the Nokia IP40 Tele 8 as VPN Client

You can configure the IP40 Tele 8 as a VPN client.

To enable the VPN client functionality in your IP40

• If you have subscribed to Security services, then connect with your service provider or enterprise and receive a security subscription.

• If you are using the IP40 in a standalone mode, add the license manually.

Adding VPN Sites by Using the Nokia IP40 Tele 8

Using the Nokia IP40 Tele 8, you can define only remote access VPN sites. To define site-to-site VPN gateways, you must have IP40 Satellite X.

VPN sites represent VPN gateways to which you can connect. You must define VPN sites before you connect to them.

To add or edit VPN sites

1. In the Navigation Bar, click VPN.

The VPN Sites page appears, with a list of VPN sites.

2. Do either of the following:

a. To add a VPN site, click New Site.

b. To edit a VPN site, click Edit in the desired VPN site's row.

The Nokia VPN Site Wizard opens, as shown in the Figure below.

3. Click Next.

The VPN Gateway Address dialog box appears.

4. Enter the IP address of the VPN gateway to which you want to connect, as given by the network administrator.

5. Click Next.

The VPN Network Configuration dialog box appears.

6. Do one of the following:

• Download Configuration — To obtain network configuration from a VPN site. This option automatically downloads the Network Topology (gateway information and rules) from the VPN site.

• Specify Configuration — To provide the network configuration manually.

• Route All Traffic — To route all network traffic from the VPN site.

Note: Downloading the network configuration is only possible if you are connecting to a Check Point VPN-1 or Nokia IP40 Satellite X VPN Gateway.

Specify Configuration

7. If you chose Specify Configuration in the preceding procedure, a dialog box appears.

8. Enter the destination network address and subnet mask of the site to which you want to connect.

Note: Obtain the destination network and subnet mask from the VPN gateway system administrator.

9. Click Next.

The Site Name dialog box appears.

10. Enter a name for the VPN site.

11. Click Next.

The VPN Site Created screen appears.

12. Click Finish.

13. Select the VPN Login tab,

• Login if you need to authenticate each time a VPN tunnel is created.

Note: Automatic Login feature will not be available for IP40 Tele 8 License.

Download Configuration

If you chose Download Configuration in Adding VPN sites by using IP40 Tele 8, a dialog box appears.

1. Click Next, the Network Topology will be downloaded from the specified VPN gateway.

The VPN Login page appears.

2. Follow steps 9 to 13 in Specify Configuration section to proceed.

The VPN Sites page updates with the added VPN sites. If you edited a VPN site, the modifications are reflected in the VPN Sites list.

Route All Traffic

If you chose Route All Traffic in Adding VPN sites by using the IP40 Tele 8:

1. The VPN Network Configuration dialog box appears with the note, “Only one VPN Profile can be configured as “Route All Traffic””.

2. Check either Download Configuration or Specify Configuration depending on how you want to obtain the VPN network configuration.

3. Follow steps 9 to 13 in Specify Configuration section to proceed.

Adding VPN Sites by Using IP40 Satellite X

You can define each VPN site according to the function you want IP40 Satellite X to perform when connecting to the site:

VPN Client — Define the VPN site as a Remote Access VPN site using the procedure below.

VPN Gateway — Do the following:

• Define the second VPN site as a site-to-site VPN gateway by using the procedure below.

• Define the first VPN site as a site-to-site VPN gateway.

To add or edit VPN sites by using IP40 Satellite X

1. In the Navigation Bar, click VPN.

The VPN Server page appears.

2. In the VPN submenu, click VPN Sites.

The VPN Sites page appears with a list of VPN sites.

3. Do either of the following:

• To add a VPN site, click New Site.

• To edit a VPN site, click Edit in the desired VPN site’s row.

The IP40 VPN Site Wizard opens, with the Welcome to the VPN Site Wizard dialog box displayed.

4. Do one of the following:

• Select Remote Access VPN to establish remote access from your VPN client to a VPN server or gateway.

• Select site-to-site VPN to create a permanent bi-directional connection to another gateway.

5. Click Next.

The VPN Gateway Address dialog box appears.

6. Enter the IP address of the VPN gateway to which you want to connect, as given to you by the network administrator.

7. Click Next.

8. The VPN Network Configuration dialog box appears. Refer to “Remote Access VPNs” on page 131 to proceed.

IP40Tele to IP40 Satellite X (VPN Client to Gateway)

The Nokia IP40 Tele 8 functions in VPN client mode, in which connection is initiated only by the VPN client.

IP40 Tele 8 uses only a manual mode VPN connection. To select the VPN gateway to which you want to establish a VPN connection, go to http://my.vpn.

Figure 6 IP40 Tele 8 as VPN Client [diagram labels: Non Routable IPs Network 1, Non Routable IPs Network 2, Initiate VPN Session/Tunnel, IP30 Tele, IP30 Satellite]

If the VPN client is enabled, the IP40 GUI Navigation Bar includes a VPN menu option. In addition, the Reports page includes an additional VPN Tunnels submenu that allows you to view the active VPN tunnels.

Note: You can use IP40 Tele 8 only in NAT mode.

Setting up IP40 Tele 8

Configure a VPN Tunnel between an IP40 Tele 8 and an IP40 Satellite X.

On IP40 Tele 8 (VPN client) add a VPN site.

Setting up IP40 Satellite X

Configure a VPN Tunnel between an IP40 Tele 8 and an IP40 Satellite X.

To set up the IP40 Satellite X

1. Add a User.

2. Enable VPN remote access for the user you added.

3. Enable the VPN Server.

IP40 Tele 8 to Check Point v4.1/ NG/ FP1/ FP2/FP3/NG AI

The IP40 Tele 8 can be used as a VPN client to establish VPN connectivity with a Check Point server using version 4.1, NG, FP1, FP2, FP3 or NG AI.

Setting up IP40 Tele 8

Configure a VPN Tunnel between an IP40 Tele 8 and an IP40 Satellite X.

On IP40 Tele 8 (VPN client) add a VPN site.

Setting up Check Point Server

Open the Check Point policy editor and select the Firewall-1/VPN-1 workstation object that will receive the Safe@VPN session request.

IP40 Tele 8 to Check Point NG AI

The IP40 Tele 8 can be used as a VPN client to establish VPN connectivity with a Check Point NG AI server using a Safe@gateway dynamic object. This topology uses a remote access VPN community.

An illustration of this topology is shown.

144 Nokia IP40 User Guide

Page 145: IP40 Version 1.0 Appliance User’s Guide · a quick reference on configuring features in Nokia IP40, see the Nokia IP40 Quick Start Guide and the IP40 Online Help that is part of

Site-to-Site VPNs

IP40 Tele 8 uses only a manual mode VPN connection. To select the VPN gateway to which you want to establish a VPN connection, go to http://my.vpn.

Setting up IP40 Tele 8

To configure a VPN Tunnel between an IP40 Tele 8 and Check Point FP3, on IP40 Tele 8 (VPN client) add a VPN site.

Setting up Check Point NG AI

Configure a Safe@gateway dynamic object on the Check Point SmartBoard.

To set up Check Point NG AI

1. Create a Safe@gateway as a dynamic object.

2. Create a user and add the user to the VPN users group.

3. Create a remote access VPN community.

Include NG AI firewall object in the participating gateway.

Include the Users group in the participating users.

4. In the policy editor, create a rule with

Source User - any

Destination - any

Via - remote access community

Target - NG AI firewall object

Note: You can also use Check Point FP3 in place of NG AI.

Site-to-Site VPNs

IP40 Satellite X in NAT and No-NAT Modes

VPN configuration allows you to choose how your VPN should function. Use of NAT and No-NAT modes offers great flexibility.

No-NAT is the default mode of operation, in which the protected networks at each site are known and are predefined.

NAT mode allows you to define VPNs at peer gateway sites without knowing the protected network behind the IP40 devices.


To access a resource that is protected by a VPN in NAT mode, you must contact the hiding (Internet) address of the VPN gateway. Your request is then forwarded to the correct computer in the protected network according to the defined security rules.

To access a resource that is protected by a VPN in No-NAT mode, you must contact the IP address of the final computer in the destination network that you want to reach.

Note: You can establish VPN tunnels between a combination of NAT and No-NAT devices. This possibility is not discussed in this guide.

No-NAT Mode

Use No-NAT mode in site-to-site VPNs, where bi-directional initiation of traffic within a VPN is required between hosts with routable IP addresses.

Note: You can only use No-NAT mode with IP40 Satellite X.

The figure below shows a site-to-site VPN in No-NAT mode. Both VPN peers are considered site-to-site VPN gateways, and traffic is directly established from the source host to the destination host. In this example, hosts on either network can initiate traffic to hosts on the peer network. Both Network 1 and Network 2 are using routable IP addresses.

Figure 7 No-NAT Mode

[Figure 7 diagram labels: Routable IP Network-1; IP40 Satellite; Internet; FW-1/VPN-1; Routable IP Network-2; Initiate VPN Tunnels]

NAT Mode

NAT mode should be used in site-to-site VPNs, where bi-directional initiation of traffic between networks using private IP addresses is required.

The figure below shows two instances of site-to-site VPN gateways in NAT mode.

Figure 8 NAT Mode

Solution A: IP40 Satellite X to VPN-1 (Site-to-Site VPN)

Hosts on Network 1 establish the TCP/IP connection to the external IP address of the IP40 Satellite X site-to-site VPN gateway. The IP40 Satellite X device is configured through the IP40 GUI Security page to port forward the inbound traffic to the defined host.

Solution B: Satellite X to Satellite X (Site-to-Site VPN)

IP40 Satellite X supports the creation of site-to-site VPN connections between two or more IP40 Satellite X devices. Hosts on either network can directly initiate traffic to hosts on the peer network. The IP40 Satellite X is configured through the IP40 GUI Security page to port forward the inbound traffic to the defined host.

Installing VPN Certificates

The VPN Certificates are used to authenticate a VPN connection established between Check Point SmartCenter NG AI using Check Point Large Scale Manager and the dynamically configured IP40 using DAIP.

The certificate created on the Check Point NG AI can be uploaded to the IP40 Satellite X.

To upload VPN Certificates and to create a Dynamic VPN Site using Check Point LSM

1. On the Navigation Bar, click Services > Connect.

The Subscription Services Wizard appears.

2. Enter the IP address of the Check Point NG AI Management station.

The Connecting screen appears.

3. Enter the Gateway ID and Registration Key that were used when creating the IP40 Dynamic Object on the LSM.

4. The Connecting screen appears.

After connecting, the list of downloaded services is displayed.

5. Click Finish.

6. Click the VPN button on the main menu and select the VPN Certificate tab.

7. Click the VPN Sites tab to see the Dynamic VPN tunnel created between your IP40 and the Check Point NG AI management station.

[Figure 8 diagram labels: Non-Routable IP Network-1; FW-1/VPN-1; Internet; IP40 Satellite; Non-Routable IP Network-2; Initiate VPN Tunnels]

To delete the Certificate from your IP40 device

1. On the Navigation Bar, click Services > Connect.

The Subscription Services Wizard appears.

2. Uncheck the I wish to Connect to the Service Center option.

3. Click Next.

4. Click Finish.

5. Select the VPN button on the main menu and select the VPN Sites tab.

6. The Site is automatically deleted.

7. Select the VPN Certificates tab and click the Uninstall Certificate button to delete the certificate.

Defining Backup VPN Gateway

A backup VPN gateway can be defined to support the main or primary VPN gateway. If the primary VPN gateway fails, the backup gateway takes over.

To define a backup VPN Gateway

1. Click VPN from the main menu, and select the VPN Sites tab.

2. Click the New Site button at the bottom of the page.

The VPN Site Wizard page appears.

3. Select Site to Site VPN, and click Next.

The VPN Gateway address page appears.

4. Enter the IP address of the primary Check Point management station with enforcement module, and click Next.

The VPN Network Configuration page appears.

5. Next to Destination Network 1, enter the network address behind the primary Check Point management station with enforcement module.

Enter 255.255.255.0 as the subnet mask.

6. Next to Destination Network 2, enter the network address behind the secondary Check Point management station with enforcement module.

Enter 255.255.255.0 as the subnet mask.

7. Enter the IP address of the secondary Check Point management station in the Backup Gateway field.

Note: To configure the primary and secondary Check Point management stations, refer to the Check Point Multiple Entry Point document.

Satellite X to Satellite X (VPN Gateway to Gateway)

The VPN configuration between an IP40 Satellite X and another IP40 Satellite X enables you to establish site-to-site VPN connections between IP40 site-to-site VPN gateways.

Note: In this configuration, both IP40 Satellite X Site-to-Site VPN gateways must have a static IP address.

The figure below shows a sample implementation of the Satellite X to Satellite X solution with three Satellite X devices. Each IP40 device acts as a Site-to-Site VPN gateway for a fully secure network. The networks communicate through VPN connections.

Figure 9 Satellite X to Satellite X

Setting up the Nokia IP40 Satellite X

Configure a VPN tunnel between two IP40 Satellite X devices (site-to-site VPN).

To set up the IP40 Satellite X

1. Specify the IP address of IP40 Satellite X on the remote IP40 Satellite X.

2. Enter the Shared Secret (a password that is known to both of the IP40 Satellite X devices).

[Figure 9 diagram labels: Satellite (Ext: 66.93.53.4/22, Int: 192.168.10.1/22); Satellite (Ext: 66.93.53.5/22, Int: 192.168.20.1/22); Satellite (Ext: 66.93.53.3/22, Int: 192.168.12.1/22); networks 192.168.10.1/22, 192.168.12.0/22, 192.168.20.0/22]

To set up the remote IP40 Satellite X

1. Specify the IP address of your IP40 Satellite X.

2. Enter the Shared Secret (a password that is known to both of the IP40 Satellite X devices).

Satellite X to VPN-1 (Site-to-Site VPN)

The IP40 Satellite X to VPN-1 or Check Point v4.1, NG, FP1, FP2, FP3 or NG AI configuration enables you to establish site-to-site VPN connections between an IP40 Satellite X site-to-site VPN gateway and a VPN-1 site-to-site VPN gateway.

Note: In this solution model, both the VPN-1 and IP40 Satellite X Site-to-Site VPN gateways must have a static IP address.

The figure below shows an implementation of the IP40 Satellite X to Check Point VPN-1 solution, in which two IP40 Satellite X devices are connected to a VPN-1 site-to-site VPN gateway.

Figure 10 Satellite X to VPN-1

Setting up the Nokia IP40 Satellite X

Configure a VPN Tunnel between an IP40 Satellite X and Check Point VPN-1 server or gateway.

To configure the IP40 Satellite X

1. Specify the IP address of IP40 Satellite X on the VPN-1 server.

2. Enter the Shared Secret (a password that is known to both the IP40 Satellite X and the VPN-1 Server).

[Figure 10 diagram labels: Satellite (Ext: 66.93.53.4/22, Int: 192.168.10.1/22); VPN-1 (Hub) (Ext: 66.93.53.2/22, Int: 192.168.1.1/22), Check Point Firewall-1 NG; Satellite (Ext: 66.93.53.3/22, Int: 192.168.11.1/22); networks 192.168.10.0/22, 192.168.11.0/22, 192.168.1.0/22]

Note: For information on setting up VPN-1, refer to the Check Point Virtual Private Networks.
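The network labels in Figures 9 and 10 can be checked before they are entered as destination networks in the VPN Site Wizard. The following Python code is an added example, not part of the Nokia guide: it normalizes each address/mask entry and reports entries with host bits set and sites whose networks overlap, on the assumption (which the guide does not state) that in No-NAT mode each destination address must belong to exactly one site. The site names are constructed for the example.

```python
import ipaddress
from itertools import combinations

# Destination networks as labelled in the guide's Figure 9 and Figure 10.
# The site names are constructed for this example.
FIGURE_9 = {
    "satellite-a": ["192.168.10.1/22"],
    "satellite-b": ["192.168.12.0/22"],
    "satellite-c": ["192.168.20.0/22"],
}
FIGURE_10 = {
    "satellite-a": ["192.168.10.0/22"],
    "satellite-b": ["192.168.11.0/22"],
    "vpn1-hub": ["192.168.1.0/22"],
}


def normalize(entry):
    """Parse 'address/prefix' or 'address/netmask'.

    Returns (network, host_bits_set). host_bits_set is True when the
    address part is not the network address for that mask.
    """
    iface = ipaddress.ip_interface(entry)
    return iface.network, iface.ip != iface.network.network_address


def check_sites(sites):
    """Return a list of findings for a {site: [destination networks]} map.

    ("host-bits", site, entry, real_network): the entry is a host address
        or a misaligned network for its mask.
    ("overlap", site_a, site_b, net_a, net_b): two sites claim address
        space in common, so a destination cannot be mapped to one tunnel.
    """
    findings = []
    parsed = {}
    for site, entries in sites.items():
        parsed[site] = []
        for entry in entries:
            network, host_bits = normalize(entry)
            if host_bits:
                findings.append(("host-bits", site, entry, str(network)))
            parsed[site].append(network)

    # Compare every pair of sites once.
    for (site_a, nets_a), (site_b, nets_b) in combinations(parsed.items(), 2):
        for net_a in nets_a:
            for net_b in nets_b:
                if net_a.overlaps(net_b):
                    findings.append(
                        ("overlap", site_a, site_b, str(net_a), str(net_b))
                    )
    return findings


if __name__ == "__main__":
    for title, sites in (("Figure 9", FIGURE_9), ("Figure 10", FIGURE_10)):
        print(title)
        for finding in check_sites(sites) or [("ok",)]:
            print("  ", *finding)
```

With the figures' labels as input, the two satellite networks in Figure 10 both normalize to 192.168.8.0/22 and are reported as overlapping. Entries written with a dotted mask, such as the 255.255.255.0 used in the backup gateway procedure, are accepted in the same way.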

IP40 Satellite X to Check Point FP3/DAIP

The IP40 Satellite X can be used as a VPN server to establish VPN connectivity with a Check Point FP3 server using a Check Point FP3 DAIP object.

Setting Up Check Point FP3

Configure a VPN Tunnel between an IP40 Satellite X and Check Point FP3 server.

To set up Check Point FP3

1. Define a DAIP object.

Enable IKE.

2. Use VPN export tool to create a .p12 certificate from the internal certificate defined for the DAIP object.

3. Configure a rule set with the following:

Source: internal network of the IP40 DAIP object

Destination: internal network of FP3

Select Encrypt

Push the policy on to the FP3 firewall object.

4. Import the certificate to the computer to which the IP40 Satellite X is connected.

Use FTP or a floppy disk to import the certificate.

Setting up the Nokia IP40 Satellite X

Configure a VPN Tunnel between an IP40 Satellite X and Check Point FP3 server.

To set up the IP40 Satellite X

1. On the IP40 GUI, click VPN.

The VPN page appears.

2. Click Certificates.

On the Certificates page, browse for the certificate.

Click Upload.

3. Enter the Certificate pass phrase that you used to create the certificate.

4. Click OK.


When creating a VPN connection between IP40 Satellite X and Check Point FP3, select Use Certificate instead of Use Shared Secret.

IP40 Satellite X to Check Point SmartCenter FP3/NG AI

The IP40 Satellite X can be used as a VPN server to establish VPN connectivity with a SmartCenter FP3/NG AI server using Safe@gateway with a static IP address (VPN Star Community).

Setting Up Check Point SmartCenter FP3/NG AI

Configure the Check Point SmartCenter FP3 for a VPN connection with IP40 Satellite X.

To set up Check Point SmartCenter FP3/NG AI

1. Define a Safe@ gateway with a static IP address.

2. Create a new Star Community.

3. Configure VPN central gateway as the FP3 firewall object.

4. Configure Safe@gateway as Satellite X gateway.

5. Define access rules with the following:

Source: Any

Destination: Any

If Via: Remote Access

Action: Accept

Install On: FP3 firewall object

Setting up the Nokia IP40 Satellite X

Configure the IP40 Satellite X for VPN connection with SmartCenter FP3.

1. Specify the IP address of IP40 Satellite X on the VPN-1 server.

2. Enter the Shared Secret (a password that is known to both the IP40 Satellite X and the VPN-1 Server).

Setting Up Check Point SmartCenter NG AI using Certificates

Configure the Check Point SmartCenter NG AI for a VPN connection with IP40 Satellite X using Certificates.

To set up Check Point SmartCenter FP3

1. Define a Safe@ gateway with a dynamic IP address.

2. Create a new Star Community.

3. Configure VPN central gateway as the NG AI firewall object.


4. Configure Safe@gateway as Satellite X gateway.

5. Define access rules with the following:

Source: Any

Destination: Any

If Via: Remote Access

Action: Accept

Install On: NG AI firewall object

Setting up the Nokia IP40 Satellite X

Configure the IP40 Satellite X for VPN connection with SmartCenter NG AI using Certificates.

1. On the Navigation Bar, click Services > Connect.

The Subscription Services Wizard appears.

2. Enter the IP address of the Check Point NG AI Management station.

The Connecting screen appears.

3. Enter the Gateway ID and Registration Key that were used when creating the IP40 Dynamic Object on the LSM.

4. The Connecting screen appears.

After connecting, the list of downloaded services is shown.

5. Click Finish.

6. Click the VPN button on the main menu and select the VPN Certificate tab.

7. Select the VPN Sites tab and click New Site.

8. Specify the IP address of the Check Point NG AI management station and select the Unrestricted option.

9. Click Next.

10. Select the Specify Configuration option.

11. Enter the Destination network and the subnet mask.

12. Click Next.

13. Select the option Use Certificate.

14. Click Next.

15. Click Finish.

IP40 Satellite X to Windows 2000

You can configure VPN connectivity between the IP40 Satellite X and a Windows 2000 server in the following scenarios:

• Windows gateway to IP40 Satellite X in restricted mode

For more information on how to configure the Windows 2000 server, refer to SofaWare’s Configuring Windows 2000/XP IPSec to Site-to-Site VPN.

14 Using Managed Services

This chapter explains how to start and use subscription services, such as automatic software and security policy updates, content filtering, email virus scanning and remote logging. It includes the following topics:

• “Starting your Subscription Services”

• “Sofaware Security Management Portal”

• “Automatic and Manual Updates”

• “Nokia Horizon Manager”

• “SmartCenter LSM”

Refer to “Sofaware Security Management Portal” on page 54 for information on using Sofaware Management Center to configure subscription services like Web Filtering, E-mail Antivirus and Software Updates.

Starting your Subscription Services

To start your subscription

1. Click Services in the main menu, and click the Account tab.

The Account page appears.

2. In the Service Account area, click Connect.

The Setup Wizard opens, with the Subscription Services dialog box displayed.


3. Make sure the I wish to connect to a Service Center check box is selected.

4. Do one of the following:

• To connect to the Sofaware Service Center, select usercenter.sofaware.com.

• To specify a Service Center, do the following:

a. Select Specified.

b. In the Specified text box, enter the desired Service Center’s IP address, as given to you by the Service Center.

5. Click Next.

• The Connecting... screen appears.

• If the Service Center requires authentication, a second Service Center Login dialog box appears.

Do the following:

a. Enter your gateway ID and registration key in the appropriate fields, as given to you by your service provider.

b. Click Next.

• The Connecting... screen appears.

• The Confirmation dialog box appears with a list of services to which you are subscribed.

6. Click Next.

The Done screen appears with a success message.

7. Click Finish.

The following things happen:

• If a new firmware is available, the IP40 downloads it. This may take several minutes. Once the download is complete, the IP40 restarts using the new firmware.

• The Welcome page appears.

• The services to which you are subscribed are now available on your IP40 and listed as such on the Account page. See “Viewing Services Information” section for more information.

Viewing Services Information from Account Page

The Account page displays the following information about your subscription:

Table 21 Account Page Fields

| This field... | Displays... |
|---|---|
| Service Center Name | The name of the Service Center to which you are connected (if known) |
| Subscription will end on | The date on which your subscription to services will end |
| Service | The services available in your service plan |
| Subscription | The status of your subscription to each service: Subscribed; Not Subscribed |
| Status | The status of each service: Connected (you are connected to the service through the Service Center); N/A (the service is not available) |
| Mode | The mode to which each service is set. For further information, see sections on Web Filtering, Virus Scanning and Automatic and Manual Updates. |

Refreshing your Service Center Connection

This option restarts the connection to the Service Center and refreshes the service settings of your device.

To refresh your Service Center connection

1. Click Services in the main menu, and click the Account tab.

The Account page appears.

2. In the Service Account area, click Refresh.

The IP40 reconnects to the Service Center.

Your service settings are refreshed.

Configuring your Account

This option allows you to access your Service Center Web site, which may offer additional configuration options for your account.

To configure your account

1. Click Services in the main menu, and click the Account tab.

The Account page appears.

2. In the Service Account area, click Configure.

Note: If no additional settings are available from your Service Center, this button will not appear.

Your Service Center Web site opens.

3. Follow the on-screen instructions.

Disconnecting from your Service Center

If desired, you can disconnect from your Service Center.

To disconnect from your Service Center

1. Click Services in the main menu, and click the Account tab.

The Account page appears.

2. In the Service Account area, click Connect.


The Setup Wizard opens, with the first Subscription Services dialog box displayed.

3. Click the I wish to connect to a Service Center check box.

4. Click Next.

The Done screen appears with a success message.

5. Click Finish.

The following things happen:

• You are disconnected from the Service Center.

• The Services to which you were subscribed are no longer available on your IP40.

Sofaware Security Management Portal

The SofaWare Management Center (SMC) is a web-based application for managing and configuring the SofaWare Security Management Portal (SMP). SofaWare’s managed security platform enables centralized management of a large number of firewalls embedded in residential broadband access devices or gateways.

Note: You should configure the management servers using SMC before you can use subscription services like Web Filtering, E-mail Anti Virus and Software Updates.

Using the SofaWare Management Center, you can:

• Browse and update your user database

• Update security policies and user interface files

• Configure and fine-tune Sofaware management servers

To configure Sofaware Management Center (On SMC):

1. Click on New Gateway from the main menu of SMC portal.

The new gateway page appears:

2. Select a new gateway type, IP40. The Registration Key is automatically generated.

3. Save the settings that you have made.

Click on the Servers button from the main menu for a list of server groups and management servers.

Refer to Sofaware Management Portal/Sofaware Management Center documents for more information.

Web Filtering

When enabled, access to Web content is restricted according to the categories specified under ‘Allow Categories’. Adult users will be able to view Web pages with no restrictions, only after they have provided the administrator password via the Web Filtering pop-up window.

Enabling/Disabling Web Filtering

Note: If you are remotely managed, contact your Service Center to change these settings.

To enable/disable Web Filtering

1. Click Services in the main menu, and click the Web Filtering tab.

The Web Filtering page appears.

2. Drag the On/Off lever upwards or downwards.

Web Filtering is enabled/disabled for all internal network computers.

Selecting Categories for Blocking

You can define which types of Web sites should be considered appropriate for your family or office members by selecting the categories. Categories marked with a check mark will remain visible, while categories marked with a cross mark will be blocked and will require the administrator password for viewing.

Note: If you are remotely managed, contact your Service Center to change these settings.

To allow/block a category

1. In the Allow Categories area, click the check mark or the cross mark next to the desired category.

2. Click Apply.

To temporarily disable Web Filtering

1. Click Services in the main menu, and click the Web Filtering tab.

The Web Filtering page appears.

2. Click Snooze.

• Web Filtering is temporarily disabled for all internal network computers.

• The Snooze button changes to Resume.

• The Web Filtering Off popup window opens.

3. To re-enable the service, click Resume, either in the popup window, or on the Web Filtering page.

• The service is re-enabled for all internal network computers.

• If you clicked Resume in the Web Filtering page, the button changes to Snooze.

• If you clicked Resume in the Web Filtering Off popup window, the popup window closes.

Virus Scanning

Enabling this option will result in automatic scanning of your email for the detection and elimination of all known viruses and vandals.

Enabling/Disabling Email Antivirus

Note: If you are remotely managed, contact your Service Center to change these settings.

To enable/disable Email Antivirus

1. Click Services in the main menu, and click the Email Antivirus tab.

The Email Antivirus page appears.

2. Drag the On/Off lever upwards or downwards.

Email Antivirus is enabled/disabled for all internal network computers.

Selecting Protocols for Scanning

If you are locally managed, you can define which protocols should be scanned for viruses:

• Email retrieving (POP3). If enabled, all incoming email in the POP3 protocol will be scanned.

• Email sending (SMTP). If enabled, all outgoing email will be scanned.

Protocols marked with a check mark will be scanned, while those marked with a cross mark will not.

Note: If you are remotely managed, contact your Service Center to change these settings.

To enable virus scanning for a protocol

1. In the Protocols area, click on the check mark or cross mark next to the desired protocol.

2. Click Apply.

Temporarily Disabling Email Antivirus

If you are having problems sending or receiving email, you can temporarily disable the Email Antivirus service.

To temporarily disable Email Antivirus

1. Click Services in the main menu, and click the Email Antivirus tab.

The Email Antivirus page appears.

2. Click Snooze.

• Email Antivirus is temporarily disabled for all internal network computers.

• The Snooze button changes to Resume.

• The Email Antivirus Off popup window opens.

3. To re-enable the service, click Resume, either in the popup window, or on the Email Antivirus page.

• The service is re-enabled for all internal network computers.

• If you clicked Resume in the Email Antivirus page, the button changes to Snooze.

• If you clicked Resume in the Email Antivirus Off popup window, the popup window closes.

Automatic and Manual Updates

If you are subscribed to Software Updates, you can check for new security and software updates.

Checking for Software Updates when Locally Managed

If your IP40 is locally managed, you can set it to automatically check for software updates, or you can set it so that software updates must be checked for manually.

To configure software updates when locally managed

1. Click Services in the main menu, and click the Software Updates tab.

The Software Updates page appears.

2. To set the IP40 to automatically check for and install new software updates, drag the Automatic/Manual lever upwards.

The IP40 checks for new updates and installs them according to its schedule.

Note: When the Software Updates service is set to Automatic, you can still manually check for updates.

3. To set the IP40 so that software updates must be checked for manually, drag the Automatic/Manual lever downwards.

The IP40 does not check for software updates automatically.

4. To manually check for software updates, click Update Now.

The system checks for new updates and installs them.

Checking for Software Updates When Remotely Managed

If your IP40 is remotely managed, it automatically checks for software updates and installs them without user intervention. However, you can still check for updates manually, if needed.

To manually check for security and software updates

1. Click Services in the main menu, and click the Software Updates tab.

The Software Updates page appears.

2. Click Update Now.

The system checks for new updates and installs them.

Nokia Horizon Manager

You can manage your IP40 using Nokia Horizon Manager (NHM). Nokia Horizon Manager is a software application designed to manage and configure a large number of Nokia security platforms (devices) that reside on a corporate enterprise, managed service provider (MSP), or hosted applications service provider (ASP) network.

Note: You can manage IP40 using NHM 1.3.1 and above only.

Using NHM for accessing and managing your IP40

• From IP40 GUI

1. From your IP40 GUI, click on Setup > Management.

2. Choose IP Address Range next to SSH, and specify the IP address of Nokia Horizon Manager.

3. Click Apply.

• From NHM Interface

1. Choose Devices > Create Devices to create an IP40 device.

2. Click Nokia Small Office Series Platform - IP40 for device type.

3. In the Device text box, type the Device Name (IP40) or the IP address.

4. Click Yes for Use Secure connection.

5. Type the device login and password.

6. Click OK at the bottom of the menu. Your IP40 device is created.

Refer to NHM 1.3.1 user guide for details.

SmartCenter LSM

Check Point’s SmartCenter Large Scale Manager (LSM) allows you to manage many Check Point Remote Office/Branch Office (ROBO) gateways from a single SmartCenter Server. The Check Point LSM concept is based on Gateway Profiles which are defined in the standard Check Point SmartDashboard. Each Gateway Profile represents many ROBO Gateways.

Refer to Check Point’s SmartCenter LSM documentation for additional information on installing and configuring LSM. A brief overview is presented below.

To configure NG AI and IP40 for site to site using LSM profiles

IP40 Side

1. Connect the IP40 to the SmartCenter.

• Click Services > Connect from the main menu.

• Specify the IP address of Check Point LSM, and click Next.

• Type the Gateway ID and registration key as defined in Safe@ROBO in LSM (step 5 under Check Point Side), and click Next to continue.

• After a successful connection, a screen appears listing the services to which you have subscribed.

2. Open http://my.firewall and verify the following before you proceed:

a. That Enterprise site was added to the VPN site page

b. That the LSM profile object certificate was synchronized to the device

c. That the topology was loaded to the device. Verify this from http://my.firewall/vpntopo.html

3. You can verify that the tunnel is open by sending packets from IP40 to the VPN-1 GW.

Check Point Side

1. Enable LSM: In the command prompt, type “LSMenabler on” and reset the FW services.

2. Open SmartDashboard (SD) and define a new Safe@ LSM profile.

3. Name the LSM profile, and click OK.

4. Click Save on SD, and close SD. Open SmartLSM.

5. Define a new Safe@ ROBO, and select the LSM profile you have defined. Make sure to choose the correct HA type (IP40, IP30, etc.).

6. Open SD again, and define a Star Community.

Place the VPN-1 GW in the “Central Gateway”, and the LSM profile in “Satellite Gateway”.

7. Define a new UDP service on ports 9281-9282, and call it SW.

8. Place the SW service in the Excluded Services of the Star Community you have defined.

9. Create the rule base, or policy used for managing your device.

10. Install the policy.


15 Troubleshooting

If the IP40 does not function normally, refer to Frequently Asked Questions and perform the required tasks.

Frequently Asked Questions

I cannot access the Internet. What should I do?

Check for the following:

• Check if the PWR LED is active. If not, check the power connection to the IP40.

• Check if the WAN LED is on. If not, check the network cable to the modem and make sure the modem is turned on.

• Check if the LAN LED for the port used by your computer is on. If not, check if the network cable linking your computer to the IP40 is connected properly.

• Using your web browser, go to http://my.firewall and see whether “connected” appears on the status bar. Make sure that the IP40 network settings are configured as per your Service Center directions.

• Check your TCP/IP configuration according to Chapter 2.

• If the firewall level is set to “High”, try setting it to “Medium” or “Low”.

• If Web Filtering or E-mail anti-virus scanning is on, try turning it off.

• Erase all your block rules through the security menu.

• Check with your ISP for a possible service outage.

• Check whether you are exceeding the maximum number of computers allowed by your license. Refer to Viewing Computers.

I cannot access http://my.firewall or http://my.vpn. What should I do?

• Verify that the IP40 is operating (PWR LED is active).

• Check if the LAN LED for the port used by your computer is on. If not, check that the network cable linking your computer to the IP40 is connected properly.

• Try surfing to 192.168.1.1 instead of to my.firewall.

Note: 192.168.1.1 is the default value, and it may vary if you changed it in the My Network page.

• Check your TCP/IP configuration according to Chapter 2.

• Restart the IP40 and your broadband modem by disconnecting the power and reconnecting after 5 seconds.

• If your web browser is configured to use an HTTP proxy to access the Internet, add my.firewall or my.vpn to your proxy exceptions list.

Every time I start Internet Explorer, the application searches for an Internet connection. This is unnecessary, since I am connected through the IP40. What should I do?

For Internet Explorer, versions 5 and 6, do the following:

1. Open the browser.

2. On the Tools menu, click Internet Options…, then click the Connections tab.

3. For each item in the Dial-up Settings list, do the following:

a. Select the item.

b. Select Never dial a connection.

4. Click Apply.

5. Click OK.

6. Close all active browsers and try again.

Every time I start Outlook Express, the application searches for an Internet connection. This is unnecessary, since I am connected through the IP40. What should I do?

For Outlook Express, versions 5 and 6, do the following:

1. Open Outlook Express.

2. On the Tools menu, click Accounts, then click the Mail tab.

3. For each of the accounts configured in the mail window, do the following:

a. Click Properties, then click the Connection tab.

b. Clear the Always connect to this account using check box.

c. Click OK.

4. Click Close.

5. Close all active browsers and try again.

I run a public Web server at home but it cannot be accessed externally, although it is accessible to the computers on my network. What should I do?

Surf to the security page and use the Servers submenu to allow access to your server.

My network seems extremely slow. What should I do?

• The Ethernet cables may be faulty. For proper operation, the IP40 requires STP CAT5 (Shielded Twisted Pair Category 5) Ethernet cables. Make sure that this specification is printed on your cables.

• Your Ethernet card may be faulty or incorrectly configured. Try replacing your Ethernet card.


I cannot play a certain network game. What should I do?

• Turn the IP40 security to Low and try again.

• If the game still does not work, set the computer you wish to play from to be the DMZ server.

• When you have finished playing the game, make sure to clear the DMZ setting; otherwise your security might be compromised.

I have forgotten my password. What should I do?

Reset the IP40 to factory defaults using the Reset button as detailed in “Resetting the IP40 to factory defaults.” Note that this will erase all your settings.

I cannot connect to a VPN site using IP40 Satellite or IP40 Tele. What should I do?

Check whether there is a problem with your VPN client:

Do one of the following:

1. If you are using IP40 Tele, add the demo Check Point VPN site, using the procedure “Adding and Editing VPN Sites using IP40 Tele,” as follows:

a. In the VPN Gateway Address dialog box, enter 207.40.230.20 in the VPN Gateway field.

b. In the VPN Network Configuration dialog box, select Download Configuration.

2. If you are using IP40 Satellite, add the demo Check Point VPN site, using the procedure “Adding and Editing VPN Sites using IP40 Tele,” as follows:

a. In the Welcome to the VPN Site Wizard dialog box, select Remote Access VPN.

b. In the VPN Gateway Address dialog box, enter 207.40.230.20 in the VPN Gateway field.

c. In the VPN Network Configuration dialog box, select Download Configuration.

3. Log on to the demo site, using “vpndemo” as your username and password.

4. Surf to http://207.40.230.22

The Check Point VPN-1 SecuRemote Demo Site should open and inform you that you successfully created a VPN tunnel.

I changed the network settings to incorrect values and am unable to correct my error. What should I do?

Reset the network to its default settings using the button on the back of the IP40 unit.

I am using the IP40 with another DSL/Cable router, and I am having problems with some applications.

The IP40 performs Network Address Translation (NAT). It is possible to use the IP40 behind another device that performs NAT, such as a DSL router or wireless router, but that device will block all incoming connections from reaching your IP40.

To fix this problem, do ONE of the following. (The solutions are listed in order of preference.)

• Consider whether you really need the router. The IP40 can be used as a replacement for your router, unless you need the router for some additional functionality that it provides, such as wireless access.

• If possible, disable NAT in the router. Refer to the router's documentation for instructions on how to do this.

The following suggestions will work only if the router is connected to the WAN port of the IP40:

• If the router has a “DMZ Computer” option, set it to the IP40 external IP address.

• Set the router to direct all incoming connections to the external IP address of the IP40.

Keep in mind that if you use the IP40 behind another NAT device, you may lose some of the advantages of the IP40, such as broad application support and high performance.

I cannot open the http://my.firewall page after the LAN address is changed. What should I do?

Renew the IP address of the computer using ipconfig.

I cannot connect to the HTTPS server in the DMZ. What should I do?

Ensure that HTTPS access to the Device is enabled.

I cannot establish an HTTPS session to the device even when HTTPS access to the Device is permitted. What should I do?

Ensure that the browser supports 128-bit cipher strength.

I cannot send SMTP or POP3 traffic across the Device. What should I do?

Do ONE of the following. (The solutions are listed in order of preference.)

• If Anti Virus scanning is on, try turning it off.

• If anti-virus scanning is required, make sure that the CVP server and SMTP server in the Server page of SMC are correctly configured.

I cannot send HTTP traffic across the IP40. What do I do?

Do ONE of the following. (The solutions are listed in order of preference.)

• If Web Filtering is on, try turning it off.

• If URL filtering is required, make sure the UFP server in the Server page of SMC is correctly configured.

I cannot connect to the SmartCenter FP3 VPN site using IP40 Satellite X when using Dynamic IP with certificate support (DAIP). What should I do?

• Check for the installed certificate under VPN > Certificate.

• Check for the following error messages in Reports > Event Log:

Error Message | Verify

Failed to Create VPN tunnel:Client Encrypt Notification | Ensure that on the FP3 management station the authentication mechanism followed is 3DES/SHA1

Failed to Create VPN tunnel:Could not validate my certificate | Ensure that the certificate used in the device is the one associated to the certificate created for this gateway on SmartCenter FP3

Failed to Create VPN tunnel:Invalid certificate | Ensure that the certificate used is not expired

Failed to Create VPN tunnel:Invalid cert encoding | Ensure that the certificate used is PKCS#12 format

I cannot connect to the Check Point SmartCenter FP3 VPN site using IP40 Satellite 10 or Satellite 25 configured using VPN Communities. What should I do?

Check for the following error messages in Report > Event Log:

Error Message | Verify

Failed to Create VPN tunnel: payload malformed | Ensure that the safe@gateway object defined for this device at SmartCenter FP3 uses the same shared secret

Extended Authentication Failure | Check for the correct Username/Password given for the VPN site during login

I cannot connect to IP40 Satellite VPN site using IP40 Satellite X. What should I do?

Check for the following error messages in Report > Event Log:

Error Message | Verify

Failed to Create VPN tunnel: payload malformed | Ensure that both gateways use the same shared secret

Failed to Create VPN tunnel: N/A | Check for the validity of the User on the remote IP40 gateway
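For the “Invalid cert encoding” entry above, the following added example (not part of the Nokia guide or the IP40 software) inspects a certificate file's outer ASN.1 structure to tell a PKCS#12 container from a PEM or plain DER certificate before it is installed. The function names and sample byte strings are constructed for illustration; the check is structural only and does not decrypt the file, verify its password, or test expiry.

```python
"""Classify a certificate file by its outer encoding, without decrypting it."""
import sys

PEM_MARKER = b"-----BEGIN "
# contentType OIDs that RFC 7292 allows for PFX.authSafe (DER value bytes)
OID_PKCS7_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1
OID_PKCS7_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2


class Asn1Error(ValueError):
    """Raised when the bytes cannot be walked as BER/DER."""


def read_tlv(buf, pos, limit):
    """Return (tag, value_start, value_end) for the element at pos.

    limit is the end of the enclosing element. Some tools write PKCS#12
    with BER indefinite lengths; in that case the value is reported as
    running to limit, which is enough to read its leading children.
    """
    if pos + 2 > limit:
        raise Asn1Error("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise Asn1Error("multi-byte tag not expected in this structure")
    pos += 2
    if first < 0x80:                      # short-form length
        length = first
    elif first == 0x80:                   # BER indefinite length
        return tag, pos, limit
    else:                                 # long-form length
        n = first & 0x7F
        if n > 4 or pos + n > limit:
            raise Asn1Error("bad length field")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > limit:
        raise Asn1Error("element overruns its container")
    return tag, pos, pos + length


def classify_cert_file(data):
    """Return 'pkcs12', 'pem', 'der-not-pkcs12' or 'unknown'."""
    if data.lstrip()[:len(PEM_MARKER)] == PEM_MARKER:
        return "pem"
    try:
        tag, start, end = read_tlv(data, 0, len(data))
        if tag != 0x30:                   # outer element must be a SEQUENCE
            return "unknown"
        # PFX ::= SEQUENCE { version INTEGER (3), authSafe ContentInfo, ... }
        tag, v_start, v_end = read_tlv(data, start, end)
        if tag != 0x02 or data[v_start:v_end] != b"\x03":
            return "der-not-pkcs12"       # e.g. a bare DER X.509 certificate
        tag, c_start, c_end = read_tlv(data, v_end, end)
        if tag != 0x30:
            return "der-not-pkcs12"
        # ContentInfo ::= SEQUENCE { contentType OBJECT IDENTIFIER, ... }
        tag, o_start, o_end = read_tlv(data, c_start, c_end)
        if tag == 0x06 and data[o_start:o_end] in (OID_PKCS7_DATA,
                                                   OID_PKCS7_SIGNED_DATA):
            return "pkcs12"
        return "der-not-pkcs12"
    except Asn1Error:
        return "unknown"


# Constructed samples: structural skeletons only, no real key material.
SAMPLE_PFX_SKELETON = bytes.fromhex(
    "3014" "020103" "300f" "06092a864886f70d010701" "a0020400")
SAMPLE_PFX_INDEFINITE = bytes.fromhex(
    "3080" "020103" "3080" "06092a864886f70d010701" "a080" "0400"
    "000000000000")
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
SAMPLE_DER_OTHER = bytes.fromhex("30023000")  # SEQUENCE { SEQUENCE {} }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as handle:
                print(path, classify_cert_file(handle.read()))
    else:
        for name in ("SAMPLE_PFX_SKELETON", "SAMPLE_PFX_INDEFINITE",
                     "SAMPLE_PEM", "SAMPLE_DER_OTHER"):
            print(name, classify_cert_file(globals()[name]))
```

A result other than pkcs12 means the file needs converting to PKCS#12 before it is loaded; a pkcs12 result still leaves the expiry and gateway-association checks in the table to be done separately.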


Viewing Firmware Status

The firmware is the software program embedded in the IP40.

You can view your current firmware version and additional details.

To view the firmware status

1. In the Navigation Bar click on Setup.

The Internet page appears.

2. Click the Firmware tab.

The Firmware page appears.

The Firmware page displays a table with the following information:

• Firmware Version - the current version of the firmware.

• Hardware Type - the type of the current IP40 hardware.

• Hardware Version - the current hardware version of the IP40.

• Installed Product - the licensed software and the number of allowed nodes.

• Uptime - the time that elapsed from the moment the unit was turned on.

Resetting the IP40 to factory defaults

You can reset to factory defaults using the GUI or by manually pressing the Reset button.

Refer to “Resetting the IP40 to Factory Defaults” on page 121 for more information.

Running Diagnostics

You can view technical information about IP40 hardware, firmware, license, network status, and subscription services.

This information is useful for troubleshooting. You can copy and paste it into the body of an email and send it to technical support.

To run diagnostics

1. In the Navigation Bar click Setup.

The Internet page appears.

2. Click the Firmware tab.

The Firmware page appears.

3. Click Diagnostics.

Technical information about the IP40 appears in a new window.

4. To refresh the contents of the window, click Refresh.

The contents are refreshed.


5. To close the window, click Close.


A Specifications

Technical Specifications

Safety Precautions

Read the following safety instructions before attempting to install or operate the Nokia IP40. Read the installation and operation procedures provided in this User Guide. Failure to follow the instructions may result in damage to equipment and/or personal injuries.

• Before cleaning the IP40, unplug the power cord. Use only a soft cloth dampened with water for cleaning.

• Any changes or modification to this product not explicitly approved by the manufacturer could void any assurances of safety or performance and could result in violation of Part 15 of the FCC Rules.

• When installing the IP40, ensure that the vents are not blocked.

• Do not use the IP40 outdoors.

• Do not expose the IP40 to liquid or moisture.

• Do not expose the IP40 to extreme high or low temperatures.

• Do not drop, throw, or bend the IP40 since rough treatment could damage it.

• Do not use any accessories other than those approved by Nokia. Failure to do so may result in loss of performance, damage to the product, fire, electric shock or injury, and will void the warranty.

• Do not disassemble or open the IP40. Failure to comply will void the warranty.

Table 22 Specifications

Specification | Value

Height | 1.2 inches

Width | 8.0 inches

Length | 4.8 inches

Weight | 1.8 lbs

Input AC Power | 9VAC

Power Consumption | 13.5 W

Power Supply | 100 VAC, 120 VAC or 230 VAC


• Do not route the cables in a walkway or in a location that will crimp the cables.


B Warranty

THE TERMS AND CONDITIONS SET FORTH ON THIS DOCUMENT CONSTITUTE THE ENTIRE AGREEMENT BETWEEN Nokia, Inc., A DELAWARE CORPORATION (“NOKIA”), AND CUSTOMER IN RESPECT OF THE NOKIA SOFTWARE INCLUDED IN THE PRODUCT PACKAGE, INCLUDING ANY DOCUMENTATION THERETO (the "SOFTWARE"). NOKIA WILL NOT BE BOUND BY ANY TERMS OF ANY PRIOR AGREEMENT OR UNDERSTANDING THAT ARE INCONSISTENT WITH THE TERMS HEREIN. THE SOFTWARE IS LICENSED ONLY ON THE CONDITION THAT THE CUSTOMER ACCEPTS THE TERMS OF THIS AGREEMENT. BY OPENING THE PACKAGE AND/OR BY MAKING USE OF THE ENCLOSED SOFTWARE YOU AGREE TO BE BOUND BY THE TERMS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO THE TERMS OF THIS AGREEMENT PLEASE IMMEDIATELY RETURN THE SOFTWARE IN THE PRODUCT PACKAGE TO THE PLACE YOU PURCHASED IT FOR FULL REFUND.

1. SOFTWARE LICENSE. Unless Customer is an approved Managed Service Provider, Nokia grants to Customer a personal, nonexclusive and nontransferable license to use the Software in object code form solely as embedded in equipment provided by Nokia. If Customer is an approved Managed Service Provider ("MSP"), Nokia grants a nonexclusive and non transferable license to demonstrate the Software to clients and prospective clients in order to market MSP's managed services and to use the Software to provide managed services provided that each copy of the Software is used solely on behalf of and for the benefit of a single client on the single piece of equipment provided by Nokia. An MSP may discontinue use of the Software on behalf of one client and use the Software to provide managed services to another single client.

Customer may make one (1) archival copy of the Software provided Customer affixes to such copy all copyright, confidentiality and proprietary notices that appear on the original. Customer shall not otherwise, in whole or in part, copy the Software or documentation; modify the Software or create derivative works thereof; reverse compile or reverse assemble all or any portion of the Software; rent, lease, distribute, sell, or use for time-sharing purposes, the Software; or use or allow the Software to be used for the direct benefit of any third party. Any fixes, updates or new releases of the Software, which may be made available to Customer, shall be deemed part of the "Software," subject to the restrictions and limitations contained in this license.

2. PROPRIETARY RIGHTS. All right, title and interest in and to the Software and documentation, and any copies thereof provided by Nokia or which may be made by Customer, are and shall remain the exclusive property of Nokia or Nokia’s licensors (Nokia and its licensors are collectively referred to as “Software Owners”). Each Software Owner shall have the right to enforce this Agreement against the Customer as to such Software Owner’s Software.

3. LIMITED WARRANTY.

a. Software Warranty. Nokia warrants that the Software will substantially conform to the published specifications for a period of ninety (90) days, plus a thirty (30) day transit allowance, from the date of shipment. If the Software is found to contain a substantial nonconformance, Nokia’s sole obligation under this warranty shall be, at Nokia’s option: (a) to correct, or provide a "work around" for any material programming error or defect in the Software, or (b) to refund to Licensee the purchase price paid and this Agreement shall terminate.

b. Warranty Services. In the event of a warranted problem with respect to the Software, Customer shall call its reseller for warranty services. All repair services are provided by Nokia's authorized reseller from whom the Customer has purchased the product on which the Software is imbedded.

c. Exclusions. The above warranty does not apply if the Software or the equipment on which it resides (1) has been altered, except as authorized by Nokia, (2) has not been installed, operated, repaired or maintained in accordance with any installation, handling, maintenance or operating instructions supplied by Nokia, (3) has been subjected to unusual physical or electrical stress, misuse, negligence or accident, (4) has been used in ultra-hazardous activities, or (5) has been used in such a way that Nokia cannot reasonably reproduce the Software error. Furthermore, the above warranty does not apply to any portion of the product supplied by a third party. In no event does Nokia warrant that the Software is error-free or that the Customer will be able to operate it without problems or service interruptions.

d. DISCLAIMER. THE WARRANTY ABOVE IS IN LIEU OF, AND NOKIA DISCLAIMS, ALL OTHER WARRANTIES AND CONDITIONS, EXPRESSED OR IMPLIED, INCLUDING THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, QUALITY, NON-INFRINGEMENT, NON-INTERRUPTION OF USE, FREEDOM FROM BUGS OR OTHERWISE. NO DEALER OR RESELLER IS AUTHORIZED TO MAKE ANY MODIFICATIONS, EXTENSIONS, OR ADDITIONS TO THIS WARRANTY. NOKIA SPECIFICALLY DISCLAIMS ANY WARRANTY FOR THIRD PARTY SOFTWARE SUPPLIED WITH THE PRODUCT.

4. LIMITATION OF LIABILITY. IN NO EVENT WILL NOKIA, ITS SUPPLIERS OR RESELLERS BE LIABLE UNDER ANY CONTRACT, NEGLIGENCE, STRICT LIABILITY, TORT OR OTHER THEORY FOR DIRECT, SPECIAL, CONSEQUENTIAL, INCIDENTAL OR INDIRECT DAMAGES (INCLUDING WITHOUT LIMITATION LOSS OF PROFIT OR DATA), WHETHER OR NOT THEY HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS. IN THE EVENT THAT ANY EXCLUSION CONTAINED HEREIN SHALL BE HELD TO BE INVALID FOR ANY REASON AND NOKIA BECOMES LIABLE FOR LOSS OR DAMAGE THAT MAY LAWFULLY BE LIMITED, SUCH LIABILITY SHALL BE LIMITED TO THE PURCHASE PRICE. THESE LIMITATIONS SHALL APPLY NOTWITHSTANDING ANY FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY. SOME STATES DO NOT ALLOW THE LIMITATION OR EXCLUSION OF CERTAIN LIABILITIES OR DAMAGES, SO THE ABOVE LIMITATION OR EXCLUSION MAY NOT APPLY TO CUSTOMER BY LAW.

5. EXPORT RESTRICTIONS. Customer shall not export or transmit, directly or indirectly, the Software or any technical data (including processes and services) received from Nokia, nor the direct product thereof, outside of the United States without prior authorization of the U.S. Government if such authorization is required. Customer shall obtain all licenses, permits and approvals required by any government. Customer agrees to comply with all export laws, rules, policies, procedures, restrictions and regulations of the Department of Commerce or other United States or foreign agency or authority, and not to export, or allow the export or reexport of any goods in violation of any such restrictions, laws or regulations. Customer will indemnify and hold harmless Nokia for any violation or alleged violation by Customer of such laws, rules, policies, procedures, restrictions or regulations.

6. CONFIDENTIAL INFORMATION. Customer agrees that aspects of the Software and documentation, including the specific design and structure of individual programs and the composition of the whole, constitute trade secrets and/or copyrighted material of Nokia. Customer shall not itself, nor shall Customer permit others to, disclose, provide, or otherwise make available such trade secrets or copyrighted material in any form to any third party without the prior consent of Nokia. Customer agrees to implement reasonable security measures to protect such trade secrets and copyrighted material. The obligations of confidentiality shall not apply to information, which has entered the public domain except where such entry is the result of Customer’s breach of this Agreement.

7. FORCE MAJEURE. Nokia shall not be liable for any delay or failure in performance whatsoever due to reasons beyond its reasonable control.

8. TERM AND TERMINATION. This Agreement is effective until terminated. The license to the Software granted by Nokia will terminate upon any attempt by Customer to transfer or assign the Software, this Agreement or any rights or obligations hereunder without Nokia’s prior written consent. In addition, Nokia may terminate this Agreement effective fifteen (15) days following the giving of written notice to Customer upon the occurrence of Customer's failure to perform any of its existing or future obligations hereunder if such breach shall remain uncured. Upon termination, Customer shall cease all use of the Software and shall destroy or return to Nokia the original(s) and all copies of the Software and documentation made or furnished hereunder. Customer may terminate the License at any time by destroying all copies of the Software and documentation. The provisions of Sections 2, 4, 6, 9, and 10 shall survive any termination.

9. APPLICABLE LAW. This Agreement shall be governed by and construed in accordance with the laws of the State of California and the United States without regard to conflicts of laws provisions thereof and without regard to the United Nations Convention on Contracts for the International Sale of Goods. To the extent permitted by law, the parties waive any and all rights, privileges and obligations which may derive from any codification of the body of law generally referred to as the "Uniform Commercial Code".

10. MISCELLANEOUS. No waiver of rights under this Agreement by either party shall constitute a subsequent waiver of this or any other right under this Agreement. In the event that any of the terms of this Agreement become or are declared to be illegal by any Court of competent jurisdiction, such term(s) shall be null and void and shall be deemed deleted from this Agreement. All remaining terms of this Agreement shall remain in full force and effect. In the event of a breach of this Agreement, the breaching party shall pay to the other party any reasonable attorneys’ fees and other costs and expenses incurred by the non-breaching party in connection with the enforcement of any provisions of this Agreement.

If the Software is licensed to a U.S. Governmental user, the following shall apply. The Software and documentation licensed in this agreement are “commercial items” and are deemed to be “commercial computer software” and “commercial computer software documentation.” Consistent with the Federal Acquisition Guidelines and related laws, any use, modification, reproduction, release, performance, display, or disclosure of such commercial software or commercial software documentation by the U.S. Government shall be governed solely by the terms of this Agreement and shall be prohibited except to the extent expressly permitted by the terms of this Agreement.


C End User License Agreement

This End User License Agreement (the "Agreement") is an agreement between you (both the individual installing the Product and any legal entity on whose behalf such individual is acting) (hereinafter "You" or "Your") and SofaWare Technologies Ltd. (hereinafter "SofaWare").

TAKING ANY STEP TO SET-UP OR INSTALL THE PRODUCT CONSTITUTES YOUR ASSENT TO AND ACCEPTANCE OF THIS END USER LICENSE AGREEMENT. WRITTEN APPROVAL IS NOT A PREREQUISITE TO THE VALIDITY OR ENFORCEABILITY OF THIS AGREEMENT AND NO SOLICITATION OF ANY SUCH WRITTEN APPROVAL BY OR ON BEHALF OF YOU SHALL BE CONSTRUED AS AN INFERENCE TO THE CONTRARY. IF YOU HAVE ORDERED THIS PRODUCT AND SUCH ORDER IS CONSIDERED AN OFFER BY YOU, SOFAWARE'S ACCEPTANCE OF YOUR OFFER IS EXPRESSLY CONDITIONAL ON YOUR ASSENT TO THE TERMS OF THIS AGREEMENT, TO THE EXCLUSION OF ALL OTHER TERMS. IF THESE TERMS ARE CONSIDERED AN OFFER BY SOFAWARE, YOUR ACCEPTANCE IS EXPRESSLY LIMITED TO THE TERMS OF THIS AGREEMENT. IF YOU DO NOT AGREE WITH ALL THE TERMS OF THIS AGREEMENT, YOU MUST RETURN THIS PRODUCT WITH THE ORIGINAL PACKAGE AND THE PROOF OF PAYMENT TO THE PLACE YOU OBTAINED IT FOR A FULL REFUND.

1. DEFINITIONS:

1.1 "Product" means the object code copy of the software program provided to You in connection with this Agreement, together with the associated original electronic media and/or associated hardware devices and all accompanying manuals and other documentation, and together with all enhancements, upgrades, and extensions thereto that may be provided by SofaWare to You from time to time, unless otherwise indicated by SofaWare. If You are a Standard User the Product shall be associated with the SofaWare S-box obtained by you, if you are a Managed Service Provider the Product shall be an object code copy that allows the management of SofaWare S-box Licensed Configurations for a defined amount of Service Customers.

1.2 "Licensed Configuration" means to the extent applicable, as indicated on the License Key, the choice of features and the maximum number of nodes (an internal computing device with an IP address) on the trusted side of the firewall or any other hardware or software specifications, as declared by You in Your purchase order, or request for License Key, if the Product purchased by You does not come with a License Key then the Licensed Configuration shall be the minimum configuration allowed by the user manual of SofaWare S-Box, and upon which the licensing fee was based.


1.3 "License Key" means the code provided to You by SofaWare which enables the Product to operate for the specified Licensed Configuration.

1.4 "Third Party Software" means any software programs provided by third parties contained in the Product as detailed in the Third Party Software Addendum attached to this Agreement.

1.5 "Third Party Software Provider" means the third party which has the right to provide and grant licenses for the use of Third Party Software.

1.6 You are a "Managed Service Provider" if (a) You are in the regular business of providing firewall, VPN, or IP addressing management for a fee to entities that are not Your affiliates ("Service Customers"); or if you are a Company that provides such managed services to Standard Users that are a part of your corporation or of your affiliated companies ("Clients"); (b) You indicated in Your purchase order or in requesting the License Key that You intend to use the Products on behalf of Service Customers or Clients; and (c) you purchased the managed service provider package.

1.7 You are a "Standard User" if You indicated in Your purchase order or in requesting the License Key that You intend to use the Products on Your own behalf, or you obtained the products from a Managed Service Provider, reseller, vendor or any other intermediate supplier.

2. LICENSE AND RESTRICTIONS:

2.1 License. Subject to the terms and conditions of this Agreement, SofaWare hereby grants only to You, a non-exclusive, non-sublicensable, non-transferable license to install and use the Product in accordance with the relevant end user documentation provided by SofaWare for the Licensed Configuration. You have no right to receive, use or examine any source code or design documentation relating to the Product.

2.2 Standard User Restrictions. If You are a Standard User, the Products are licensed to You solely for use by You for Your own operations. No Product, nor any portion thereof, may be used by or on behalf of, accessed by, re-sold to, rented to, or distributed to any other party.

2.3 Managed Service Provider Restrictions. If You are a Managed Service Provider, the Products are licensed to You for use by You to provide policy management for the operations of Your Service Customers or Clients from an authorized location. No Product, nor any portion thereof, may be used by or on behalf of, accessed by, re-sold to, rented to, or distributed to any other party, except for the management of Your Clients or Service Customers who have made a valid purchase of the Product. Distribution of the Product to Service Customers requires that You enter into a Reseller and/or Managed Service Agreement with SofaWare or its authorized representative.

2.4 General Restrictions. You may not copy the Product, in whole or in part. The Product is licensed to You solely for your internal use by You and for You and the Product or any portion thereof may not be used or accessed by, sub-licensed to, re-sold to, rented to, or distributed to any other party. You agree not to allow others to use the Product and You will not use the Product for the benefit of third parties. You acknowledge that the source code of the Product, and the underlying ideas or concepts, are valuable intellectual property of SofaWare and You agree not to, except as expressly authorized and only to the extent established by applicable statutory law, attempt to (or permit others to) decipher, reverse translate, decompile, disassemble or otherwise reverse engineer or attempt to reconstruct or discover any source code or underlying ideas or algorithms or file formats or programming or interoperability interfaces of the Products by any means whatsoever. You will not develop methods to enable unauthorized parties to use the Product, or to develop any other product containing any of the concepts and ideas contained in the Product. You will not (and will not allow any third party to) modify Product or incorporate any portion of Product into any other software or create a derivative work of any portion of the Product. You will not (and will not allow any third party to) remove any copyright or other proprietary notices from the Product.

2.5 Specific Restrictions. The Product is licensed to You based on the applicable Licensed Configuration purchased. The License permits the use of the Product in accordance with the designated number of IP addresses. Without derogation from any applicable laws, it is a violation of this End User License Agreement to create, set-up or design any hardware, software or system which alters the number of readable IP addresses presented to the Product with the intent, or resulting effect, of circumventing the Licensed Configuration.

2.6 Evaluation License. This Section 2.6 shall only apply if You are licensing the Product for an initial sixty (60) day evaluation period. The license is valid only for a period of sixty (60) days from the delivery of the Product, and is designed to allow You to evaluate the Product during such period. In the event that You wish to enter into a longer-term license agreement with SofaWare, the terms and conditions of this Agreement shall be applicable. In the event that You determine not to enter into a licensing transaction with SofaWare at the end of such sixty (60) day evaluation period, or in the event that SofaWare advises You that discussions with respect to a licensing transaction have terminated, then Your rights under this Agreement shall terminate and You shall promptly return all Product to the representative that supplied the Product.

3. MAINTENANCE AND SUPPORT:

SofaWare has no obligation to provide support, maintenance, upgrades, modifications, or new releases under this Agreement. Any purchase of upgrades shall be subject to this End User License Agreement, unless otherwise determined by SofaWare.

4. TITLE AND INTELLECTUAL PROPERTY:

All right, title, and interest in and to the Product shall remain with SofaWare and its licensors. The Product is protected under international copyright, trademark and trade secret and patent laws. The license granted herein does not constitute a sale of the Product or any portion or copy of it.

5. TERM AND TERMINATION:

This Agreement is effective until terminated. SofaWare may terminate this Agreement at any time upon Your breach of any of the provisions hereof. Upon termination of this Agreement, You agree to cease all use of the Product and to return to SofaWare or destroy the Product and all documentation and related materials in your possession, and so certify to SofaWare. Except for the license granted herein and as expressly provided herein, the terms of this Agreement shall survive termination.

6. INDEMNIFICATION:

SofaWare shall have the right, but not the obligation, to defend or settle, at its option, any action at law against You arising from a claim that Your permitted use of the Product under this Agreement infringes any patent, copyright, or other ownership rights of a third party. You agree to provide SofaWare with written notice of any such claim within ten (10) days of Your notice thereof and provide reasonable assistance in its defense. SofaWare has sole discretion and control over such defense and all negotiations for a settlement or compromise, unless it declines to defend or settle, in which case You are free to pursue any alternative You may have.

7. LIMITED WARRANTY, WARRANTY DISCLAIMERS AND LIMITATION OF LIABILITY:

7.1 Limited Warranty. SofaWare warrants to You that the encoding of the software program on the media on which the Product is furnished will be free from defects in material and workmanship, and that the Product shall substantially conform to its user manual, as it exists at the date of delivery as can be found on SofaWare's web page (www.sofaware.com or www.s-box.com), for a period of ninety (90) days from the date of purchase. SofaWare's entire liability and Your exclusive remedy shall be, at SofaWare's option, either: (i) return of the price paid to SofaWare for the Product, resulting in the termination of this Agreement, or (ii) repair or replacement of the Product or media that does not meet this limited warranty. EXCEPT FOR THE LIMITED WARRANTIES SET FORTH IN THIS SECTION 7.1, THE PRODUCT AND ANY SERVICES ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED. SOFAWARE DOES NOT WARRANT THAT THE PRODUCT WILL MEET YOUR REQUIREMENTS OR THAT ITS OPERATION WILL BE UNINTERRUPTED OR ERROR FREE. SOFAWARE DISCLAIMS ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. Some jurisdictions do not allow the exclusion of implied warranties or limitations on how long an implied warranty may last, so the above limitations may not apply to You. This warranty gives You specific legal rights. You may have other rights which vary from jurisdiction to jurisdiction.

7.2 Limitation of Liability. EXCEPT FOR PERSONAL INJURY, IN NO EVENT WILL SOFAWARE BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY DAMAGES ARISING OUT OF THE SUBJECT MATTER OF THIS AGREEMENT, THE PRODUCT OR ANY SERVICES UNDER ANY CONTRACT, NEGLIGENCE, STRICT LIABILITY OR OTHER THEORY, FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES (INCLUDING LOST PROFITS), OR FOR LOSS OF OR CORRUPTION OF DATA), OR FOR COST OF PROCUREMENT OF SUBSTITUTE GOODS OR TECHNOLOGY, IRRESPECTIVE OF WHETHER SOFAWARE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOFAWARE'S MAXIMUM LIABILITY FOR DAMAGES SHALL BE LIMITED TO THE LICENSE FEES RECEIVED BY SOFAWARE UNDER THIS LICENSE FOR THE PARTICULAR PRODUCT(S) WHICH CAUSED THE DAMAGES. Some jurisdictions do not allow the exclusion or limitation of incidental or consequential damages, so the above limitation or exclusion may not apply to You.

8. GOVERNMENT REGULATION AND EXPORT CONTROL

8.1 Government Regulations. You agree that the Product will not be shipped, transferred, or exported into any country or used in any manner prohibited by law.

8.2 Export. The Product is subject to export control laws of the State of Israel and/or may be subject to additional export control laws applicable to You or in Your jurisdiction, including, without limitation, the United States. If the Product contains any encryption device You must contact SofaWare's export regulation information page (www.sofaware.com or www.s-box.com) for specific information. You agree that You will not ship, transfer, or export the Product into any country, or make available or use the Product in any manner, prohibited by law.


8.3 You understand and acknowledge that upon entry of the Product into the United States it becomes subject to regulation by agencies of the U.S. government, including the U.S. Department of Commerce, which prohibit export or diversion of certain products and technology to certain countries. Any and all of Your obligations with respect to the Product shall be subject in all respects to such United States laws and regulations as shall from time to time govern the license and delivery of technology and products abroad by persons subject to the jurisdiction of the United States, including the Export Administration Act of 1979, as amended, any successor legislation, and the Export Administration Regulations ("EAR") issued by the Department of Commerce, International Trade Administration, and Bureau of Export Administration. You warrant that You will comply in all respects with the export and reexport restrictions applicable to the Product and will otherwise comply with the EAR or other United States laws and regulations in effect from time to time.

8.4 You warrant and agree that You are not: (i) located in, under the control of, or a national or resident of Cuba, Iraq, Libya, North Korea, Iran, Syria, Sudan or Yugoslavia, or (ii) on the U.S. Treasury Department list of Specially Designated Nationals or the U.S. Commerce Department's Table of Deny Orders.

9. GENERAL:

9.1 Miscellaneous. You may not assign your rights or obligations under this Agreement without the prior written consent of SofaWare. If any provision of this Agreement is held to be invalid or unenforceable by a court of competent jurisdiction, that provision of the Agreement will be enforced to the maximum extent permissible so as to effect the intent of the Agreement, and the remainder of the provisions of this Agreement shall remain in full force and effect. The laws of the State of Israel shall govern all issues arising under or relating to this Agreement, without giving effect to the conflict of laws principles thereof. All disputes arising under or relating to this Agreement shall be resolved exclusively in the appropriate Israeli court sitting in Tel Aviv, Israel. This Agreement will not be governed by the United Nations Convention on Contracts for the International Sales of Goods, the application of which is expressly excluded. This Agreement sets forth the entire understanding and agreement between You and SofaWare and may be amended only in writing signed by both parties.

9.2 Third Party Software. Certain Third Parties Software may be provided with the Product for use in connection with the Product subject to the licenses of their respective proprietors. The Third Parties Software may be used only in connection with the Products. The provisions of this Agreement shall apply to all Third Party Software Providers and to Third Party Software as if they were the Product and SofaWare, respectively.

9.3 Government Restricted Rights. This provision applies to Product acquired directly or indirectly by or on behalf of any Government. The Product is a commercial product, licensed on the open market at market prices, and was developed entirely at private expense and without the use of any U.S. Government funds. Any use, modification, reproduction, release, performance, display, or disclosure of the Product by any Government shall be governed solely by the terms of this Agreement and shall be prohibited except to the extent expressly permitted by the terms of this Agreement, and no license to the Product is granted to any government requiring different terms.

9.4 Questions? Should You have any questions concerning this Agreement contact the manufacturer at SofaWare Technologies Ltd., 3 Hilazon St., Ramat-Gan, Israel 52522.


D Compliance Information

Declaration of Conformity according to ISO/IEC Guide 22 and EN 45104

Manufacturer’s name: Nokia Corporation

Manufacturer’s address: 313 Fairchild Drive, Mountain View, CA 94043-2215 USA

declares that the product:

Product name: IP40

Model number: IP40

Product options: All

Serial number: 1 to 100,000

Date first applied: 2003

conforms to the following standards:

Safety: EN60950:1992, A1, A2:1993, A3:1995, A4:1997, A11:1998 with Japanese National Deviations

EMC: EN50024, EN55022B 1998, CISPR 22 Class B 1985, EN61000-3-2, EN61000-3-3

Supplementary information:

“The product complies with the requirements of the Low Voltage Directive 73/23/EEC and the EMC Directive 89/336/EEC.”

Alan Hutchinson, Quality Engineer, Mountain View, California, USA

European contact: Greg Shortell, Nokia Telecommunications, 2 Heathrow Blvd, 284 Bath Road, Heathrow, Middlesex UB7 ODQ England


Compliance Statement

This hardware complies with the following standards:

Emissions

FCC Part 15, Subpart B, Class B: US and Canada
EN55022B (CISPR 22, Class B): European Community (CE)
EN6100-3-2: European Community (CE)
EN6100-3-3: European Community (CE)

Immunity

EN50024: European Community (CE)
EN61000-4-2
EN61000-4-3
EN61000-4-4
EN61000-4-5
EN61000-4-6
EN61000-4-8
EN61000-4-11
ENV50204

Safety

UL1950: US
CAN/CSA 22.2, No. 950-M95: Canada
EN60950: European Community (CE, TUV)
EN60950: Japan (with Japanese National Deviations)

FCC Notice (US)

This device has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This device generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this device does cause harmful interference to radio or television reception, the user is encouraged to try to correct the interference by one or more of the following measures:

- Reorient or relocate the receiving antenna.

- Increase the separation between the computer and receiver.

- Connect the computer into an outlet on a circuit different from that to which the receiver is connected.

- Consult the dealer or an experienced radio/TV technician for help.

Caution: Any changes or modifications not expressly approved by the grantee of this device could void the user’s authority to operate the equipment.


A
Adding VPN Sites Using IP30 Tele 139
Advanced Setup, Using 63
Automatic DHCP, Using 63

C
Changing IP Addresses 72
Changing Your Password 90
Command Line Interface (CLI) 47
Compliance Specifications 189
compliance standards
    emission 190
    safety 190
Configuration, Download 142
Configuration, Specify 140
Configure, Network Settings 71
Configuring, Remote Access VPN Site 143
Configuring, Site to Site VPN Gateway 143
Configuring, Virtual Servers 82
Connection, Cable 65
Connection, LAN 64
Connectivity 18
Creating Rules 83
Creating, Allow and Block Rules 84

D
Diagnostics 174
documentation
    conventions 12
    structure 11
documentation, related 15

E
emissions 190
Enabling NAT 73
Enabling, DHCP Server 71

F
FCC Notice 190
Frequently Asked Questions 169

I
immunity 190
IP30 GUI 71
IP30 Satellite in NAT and No-NAT Modes 153
IP30 Satellite to Check Point FP3 151
IP30 Satellite to Check Point SmartCenter FP3 152
IP30 Satellite to Windows 2000 147
IP30 Tele to Check Point FP3 144
IP30 Tele to Check Point v4.1/ NG/ FP1/ FP2 144
IP30 Tele, Using 154
IP30, Front Panel 26
IP30, Logging Off 44
IP30, Logging On 71
IP30, Remote Access 76
IP30, secure accessing 44
IP30, Setting up the Security Policy 81
IP30 Tele to IP30 Satellite 143

L
Logging Off of a VPN Site 137
Logging On Through my.vpn 137
Logging on to a VPN Site 135
Logging On Using IP30 GUI 136

M
Mac Cloning 60
Managing Your Network 71
Millennium 27

N
Network Requirements 24
Nokia IP30, About 17
Nokia IP30, Features 18

P
Package Contents 23
PPPoE, Using 61
Precautions, safety 177
Product Key, Installing 69

R
related documentation 15
Reset to factory defaults 174

S
safety 190
Satellite to Satellite 145
Satellite to VPN-1 150
SecuRemote to Satellite 138
Setting the Firewall Security Level 81
Setting Up IP30 Satellite as VPN Server 134
specifications
    compliance 190
    emissions 190


    safety 190
Specifications, Technical 177
Static Routes 68

T
TCP/IP Installation 28
TCP/IP Settings 29
TCP/IP, Installation 28
TCP/IP, installation 31
TCP/IP, Settings 29
TCP/IP, settings 34

U
Users, Deleting 93
Using VPN Certificates 138

V
Viewing, Active Computers 124
Viewing, Active Connections 125
Viewing, Event Log 123
Viewing, Firmware Status 174
Viewing, Reports 123
Viewing, VPN Tunnels 126

W
Windows 98 27
Windows, 2000 31
Windows, XP 31
