IPBrick Reference Manual

IPBrick
Reference Guide
Version 4.3
iPortalMais
March 2008
© Copyright iPortalMais
All rights reserved. March 2008.
The information in this manual is subject to change without prior notice. The explanations, technical data, configurations and recommendations presented are precise and reliable. Nevertheless, they carry no express or implied guarantees.
Reference Guide - Version 4.3
iPortalMais - 2007
Contents
1 Aim of this document
2 Before Starting
3 IPBrick.I
3.1 Machines Groups
3.2 Machine Management
3.3 User Groups
3.4 Users Management
3.5 Domain Server
3.6 File Server
3.6.1 Individual Work Areas
3.6.2 Group Work Areas
3.6.3 Kaspersky
3.7 E-mail
3.7.1 Configure
3.7.2 Definitions
3.7.3 Queue Management
3.7.4 Users management
3.7.5 Mailing Lists
3.7.6 Kaspersky Anti-Vírus
3.7.7 Kaspersky Anti-Spam
3.8 Print Server
3.9 Backup
3.9.1 Arkeia
3.9.2 Remote
3.10 Fax Server
3.10.1 Fax2Mail
3.10.2 Mail2Fax
3.10.3 Statistics
3.11 Terminal Server
3.11.1 Configuration
3.11.2 Client configuration
4 IPBrick.C
4.1 Firewall
4.1.1 Available Services
4.1.2 Block Services
4.2 Proxy
4.2.1 Configuration
4.2.2 Statistics
4.2.3 Kaspersky Proxy
4.3 VPN
4.3.1 PPTP
4.3.2 IPSec
4.3.3 SSL
4.4 E-mail
4.4.1 Get Mail from ISP
4.4.2 Mail Copy
4.5 Web Server
4.5.1 Creating a new site
4.5.2 Management
4.6 Webmail
4.6.1 Servers
4.7 VoIP
4.7.1 Registered Phones
4.7.2 Alternative Addresses
4.7.3 Online phones
4.7.4 Access Classes
4.7.5 Call Statistics
4.7.6 Routes Management
4.7.7 Attendance sequence
4.7.8 Call groups
4.7.9 IVR Attendance
4.7.10 Call Conference
4.7.11 Call Parking
4.7.12 Scheduling
4.7.13 Music on hold
4.7.14 DISA
4.7.15 Call queues
4.7.16 Call Manager
4.8 IM
4.8.1 Enabling / disabling the IM server
5 Advanced Configurations
5.1 IPBrick
5.1.1 Definitions
5.1.2 System Information
5.1.3 Web Access
5.1.4 Authentication
5.2 Network
5.2.1 Firewall
5.2.2 Route management
5.2.3 QOS
5.2.4 Service Routing
5.3 Mail service example
5.4 Web access example
5.5 Support Service
5.5.1 LDAP
5.5.2 DNS
5.5.3 DHCP
5.5.4 ENUM
5.5.5 Images Server
5.5.6 Registered Telephones
5.6 Disaster recovery
5.6.1 Configurations
5.6.2 Applications
5.7 System
5.7.1 Services
5.7.2 Task Manager
5.7.3 Date and Hour
5.7.4 System users
5.7.5 System Logs
5.7.6 SSH
5.7.7 Reboot
5.7.8 Shutdown
5.8 Telephony
5.8.1 Cards
5.8.2 Interfaces
5.8.3 SIP peers
6 Apply Configurations
7 Appendix A - Join in the domain
7.1 Join in the domain
7.1.1 Windows XP Professional Workstation
8 Appendix B - Configuring a VPN connection
8.1 Configuring a VPN connection (PPTP)
9 Appendix C - Configuration of a VPN SSL connection (Open VPN)
9.1 Configuration of a VPN SSL Connection (Open VPN)
9.1.1 Two or more SSL certificates
9.1.2 Configuration of a SSL Connection for Windows Vista
List of Figures
3.1 Machines Groups
3.2 Machine Management
3.3 Machine Management - Insert
3.4 Machine Management - Modify
3.5 Machine Management - Delete
3.6 User Groups - Insert
3.7 User Groups - Groups List
3.8 User Groups - Users
3.9 Groups - List
3.10 Users Management - List
3.11 Users Management - Insert
3.12 Users Management - Detail
3.13 Users Management - Modify
3.14 Domain Server
3.15 Work Areas - Summary
3.16 Work Areas - Summary of Individual Areas
3.17 Work Areas - Individual
3.18 Work Areas - Group - Insert
3.19 Work Areas - Group - Management
3.20 Work Areas - Group - Access Groups
3.21 Workareas - Kaspersky Licence
3.22 Workareas - Kaspersky - Configure
3.23 Workareas - Kaspersky
3.24 Workareas - Kaspersky - Statistics
3.25 E-mail - Configure
3.26 E-Mail - Definitions
3.27 E-mail - Queue Management
3.28 E-Mail - Alternative addresses, Forwarding and automatic replys
3.29 E-mail - Insert
3.30 E-mail - Modify
3.31 E-mail - Internal contacts
3.32 E-Mail - Anti-vírus
3.33 E-Mail - General configurations
3.34 Anti-virus - Groups Management
3.35 Anti-virus - Notification Rules
3.36 Anti-virus - Filter
3.37 Anti-virus - Statistics
3.38 Anti-Spam - Protected Domains
3.39 Anti-Spam - Actions
3.40 Anti-Spam - Rules
3.41 Anti-Spam - Statistics
3.42 Insert a network printer
3.43 Inserting a network printer
3.44 Arkeia - Main Menu
3.45 Arkeia - Running Jobs
3.46 Arkeia - Backups confirmation
3.47 Arkeia - Add Users
3.48 Arkeia - Directories to save
3.49 Arkeia - Levels
3.50 Backup task insertion
3.51 Backup task options
3.52 Backup tasks list
3.53 Scheduling a task
3.54 Fax Server - Configure
3.55 Fax Server - Telefony Card
3.56 Fax Server - Serial Fax Modem
3.57 Fax Server - Fax Users
3.58 Fax Server - Fax line definitions
3.59 Fax Server - Sent Faxes
3.60 Fax Server - Received Faxes
3.61 Fax Server - Current Faxes
3.62 Terminal Server
3.63 Terminal Server - Configuration
4.1 Firewall - Available Services
4.2 Firewall - Block Services
4.3 Proxy - Configuration
4.4 Proxy - Rules
4.5 Proxy - Source groups
4.6 Proxy - Destination groups
4.7 Proxy - Access Lists
4.8 Proxy - Remote Proxy
4.9 Proxy - Other configurations
4.10 Proxy - Statistics
4.11 Proxy - Kaspersky - Licence
4.12 Proxy - Kaspersky - General Settings
4.13 Proxy - Kaspersky - Statistics
4.14 VPN PPTP - Users
4.15 VPN - IPSec
4.16 VPN - SSL
4.17 Get Mail from ISP
4.18 Get mail from ISP - Servers Management
4.19 Get mail from ISP - Add Account
4.20 Mail copy
4.21 Web Server - Hosted sites
4.22 Web Server - Adding sites
4.23 Web Server - Site Management
4.24 Web Server - Alias management
4.25 WebMail - Servers
4.26 Registered Phones
4.27 VoIP - Options
4.28 Alternative Addresses
4.29 Online phones
4.30 Access Classes
4.31 Call statistics
4.32 VoIP - Routes Management
4.33 VoIP - Local Routes
4.34 VoIP - Outbound routes to SIP servers
4.35 VoIP - Sequence settings
4.36 VoIP - Attendance sequences
4.37 VoIP - Call groups
4.38 VoIP - IVR attendance
4.39 VoIP - Call Conference
4.40 VoIP - Call Parking
4.41 VoIP - Call Parking - Modify
4.42 VoIP - Scheduling
4.43 VoIP - Insert rules
4.44 VoIP - Music on hold
4.45 VoIP - DISA - Insert
4.46 VoIP - Queue definitions
4.47 VoIP - Call Manager configuration
4.48 VoIP - Call Manager
4.49 Enabling Instant Messaging Server
4.50 Blocking MSN applications
4.51 Web messenger sites blocking in firewall
5.1 IPBrick Advanced Settings
5.2 System Information
5.3 Web Access
5.4 Language
5.5 Authentication
5.6 Update
5.7 Rede - Firewall
5.8 Network - Firewall - Insert
5.9 Network - Firewall - Order
5.10 Network - Route management
5.11 Network - QoS management
5.12 Network - QOS - General Configurations
5.13 Network - Service Routing
5.14 LDAP
5.15 DNS - Insert forward and reverse name resolution zones
5.16 DNS - Domains Management
5.17 DNS - Forwarders
5.18 DNS - Name resolution
5.19 DHCP - Subnets
5.20 DHCP - General Options
5.21 DHCP - Subnets Definition
5.22 Redundancy
5.23 DHCP - Machines
5.24 ENUM
5.25 Registered Telephones
5.26 Replace Settings
5.27 Download Configurations
5.28 Upload remote configurations
5.29 Application data backups list
5.30 Restore confirmation
5.31 Services
5.32 System Date and Hour
5.33 System users
5.34 System Logs
5.35 SSH
5.36 Server Reboot
5.37 Shutdown server
5.38 Telephony - Insert
5.39 Telephony
5.40 Telephony - Interfaces
5.41 Telephony - SIP peers
6.1 System update
Chapter 1
Aim of this document
This reference guide gives you a detailed description of the following IPBrick menus:
• IPBrick.I configuration;
• IPBrick.C configuration;
• Advanced configurations.
The appendices present the procedures for workstation configuration. You will find the following configurations:
• Process of joining a workstation (MS Windows) to a domain;
• Procedures for establishing a virtual private network (VPN), PPTP and SSL.
Chapter 2
Before Starting
You can access IPBrick with a browser, for example Internet Explorer or Mozilla Firefox. The IPBrick IP address is 192.168.69.199 by default. The address to enter in the browser address bar is https://192.168.69.199.
When you open a web session with IPBrick you will see an authentication web page. After a correct validation, IPBrick allows you to change the domain and the IP networks of the private and public server interfaces.
Attention: If the network where you are trying to install IPBrick already has a DHCP server, you should deactivate it in order to avoid conflicts.
For more information about installing IPBrick and configuring a workstation, please consult the Installation Manual.
The IPBrick web management interface is divided into 3 main menus:
• IPBrick.I ;
• IPBrick.C ;
• Advanced Configurations.
In IPBrick.I you configure basic Intranet services and in IPBrick.C you configure basic communication services. The Advanced Settings menu has additional configurations for the basic services and allows you to obtain information about the operating conditions of IPBrick.
Any configuration done in IPBrick will only take effect after Updating Settings.
Changing configurations in the following menus:
• Advanced Configurations > IPBrick > Definitions;
• Advanced Configurations > IPBrick > Authentication;
causes a restart of IPBrick (IPBrick needs approximately 1 minute to restart, depending on the hardware where it is installed).
After the administrator has executed Apply Configurations, it is important to connect a Pen Drive to the server where IPBrick is installed in order to save the updated system configurations. This way Disaster Recovery is guaranteed, one of the added values of IPBrick. For example, when the hard drive crashes you can quickly restore the configurations with the IPBrick Installation CD and the Pen Drive.
The management interface has several links that allow you to navigate in IPBrick. You will find links like:
• Back - allows you to go back to the previous page without saving changes;
• Insert - allows you to insert new items;
• Change - allows you to change item settings;
• Delete - allows you to delete an item.
Chapter 3
IPBrick.I
This chapter describes the IPBrick.I menus used to manage the main Intranet
services.
It is divided into the following main sections:
• Machines Groups;
• Machine Management;
• User Groups;
• Users Management;
• Domain server;
• File Server;
• E-mail;
• Print Server;
• Backup;
• Fax Server;
• Terminal Server.
3.1 Machines Groups
This menu lets you create groups of machines and assign machines to each group. For instance, machine groups can be used to configure web proxy access. To insert a group of machines you have to set:
• Group name: The name assigned to the group of machines.
• Group type:
– Machines Subnets: Depending on the IP address used, the groups of machines can be split into defined sizes.
– Machines: If you choose this option and click Insert, you can assign existing network machines to the group.
• Machine count: If the group is a subnet of machines, you can choose the number of machines for the group;
• Subnet: This field defines the subnet for the group of machines. It represents the range of IP addresses covered by the defined group.
By clicking Insert, the group is created and its settings are displayed. In that screen you can see three links: Back to go back to the list; Modify to change the name of the present group; Delete to remove the group of machines.
Figure 3.1: Machines Groups
3.2 Machine Management
This section deals with adding or changing machine registrations (e.g. PC, laptop, printer).
A machine is represented by a name, an IP address, a MAC address and the machine type, as you can see in Figure 3.2.
There are three types of machines:
• WorkStation;
• IP Phone;
• WorkStation + SoftPhone.
Figure 3.2: Machine Management
In order to insert a machine you only have to define the type and enter the name and IP Address (Figure 3.3). In this way the machine is registered in the LDAP and the DNS server. If you fill in the MAC Address field with the MAC address of the machine to be registered, then a port is also created for this machine in the DHCP server.
⇒ Note: The machine MAC address can be obtained from the network connection icon in Windows XP or by running the command ipconfig /all at the command line.
! Attention:
• The computer name has to be alphanumeric. The exceptions are the characters _ and -;
• The computer name should not contain spaces, diacritical marks or punctuation. Its maximum size should be 15 characters;
• It is not allowed to register two machines with the same name, nor a machine whose name is identical to a registered user login;
• When registering a Windows station, the name always has to be in small letters; if necessary, change the Computer name to small letters, too.
Figure 3.3: Machine Management - Insert
You can access the modify and delete options of a machine by clicking its name in the form shown in Figure 3.2. If you click the link Modify, the form shown in Figure 3.4 is displayed and enables you to redefine the machine parameters. If you click Delete, the form shown in Figure 3.5 is displayed to confirm your action.
Figure 3.4: Machine Management - Modify
Figure 3.5: Machine Management - Delete
3.3 User Groups
A group is a set of users, generally created when you want all the people in that group to share the same permissions on a group of files. In this section you manage IPBrick user groups.
• To create a new group (Figure 3.6):
– Click on Insert;
– Choose the group name.
• To add or remove users from a group:
– Click on the group name (Figure 3.9);
– In the generated page (Figure 3.8) choose the users that should be added to or removed from the defined group.
Figure 3.6: User Groups - Insert
Figure 3.7: User Groups - Groups List
Figure 3.8: User Groups - Users
There are two pre-defined groups that cannot be deleted or changed. These groups are:
• Administrators;
• General.
Users that belong to the Administrators group have administrator permissions in the domain served by IPBrick. You may add or remove users of this group with the exception of the pre-defined Administrator. The General group is a common group for all users created in IPBrick.
! Attention:
• When inserting new groups, their names can be in capital and/or small letters.
• The group name can contain spaces, but cannot have more than 32 characters, and only alphanumeric characters without accents are allowed.
• When the user is created, there should not be another group with the same name, including domains.
3.4
Users Management
In this section you learn how to register new users, change the information of
already existing users and delete users. When creating a new user IPBrick creates
automatically an e-mail account, and individual work area (user drive space in the
server) and a net logon in order to identify the user in the domain.
After being installed, IPBrick creates by default one user and two groups.
The created user have the login Administrator and the two groups are the
Administrators and the General. The user with Administrator login has a work
area created in the Work Area 1. This user has special characteristics because he
iPortalMais - 2007
Reference Guide - Version 4.3
22
IPBrick.I
Figure 3.9: Groups - List
Reference Guide - Version 4.3
iPortalMais - 2007
3.4 Users Management
23
belongs to the Administrators group and is responsible for the management of
some system functions. Therefore he can never be removed.
The user registration is composed of the following fields:
• Name: User’s identification.
• Login: User’s identification to be used for any IPBrick authentication process.
• Server: Selection of the server where the e-mail account shall be created.
The e-mail account stands for the hard drive space in the server where various user contents are stored, including e-mail inbox, windows profile and
documents. If there are slaves servers they are also listed.
• Work Area: Partition of the server drive selected to create the account. The
users should be distributed the fairest way in order to use the available space
most efficiently.
• E-Mail: User’s e-mail address. By default, it is equivalent to the login. In
case you give another address it will serve as an alias for the original e-mail.
• Password: Password definition.
• Retype Password: Confirmation of the password
• Quota: Value that limits the user hard drive space in the system. The unit
os measurement is kilobytes. If you don’t indicate a value limite the user
will have unlimited space to occupy.
• Biometric Validation: It allows the user to verify if he may validate himself through biometric data.
! Attention:
• When inserting users only use characters without accents for their name,
login and e-mail address.
• Spaces, brackets, full stops, small and capital letters are possible in the Name
field.
• You are not allowed to use spaces in the Login field. Avoid using capital
letters.
• Every login has to be unique. There cannot be a login with the same name
as a machine registered in IPBrick.
Figure 3.10: Users Management - List
In order to modify some user information you have to click over the name (Figure 3.10).
In the form where you change the user (Figure 3.13) you can see all fields
that were defined when the user account was created. The only exception is the
uidNumber which is an IPBrick user identification number. The password is not
shown. All defined fields are editable with the exception of the following ones:
login, server, work area and uidNumber.
To remove an IPBrick user record:
• Click on the user name;
• In the generated page, besides displaying the user properties, you can also
erase the record.
⇒ Note: The user contents (personal files, profile, e-mails) are not eliminated when deleting the registration. They are moved to an administrative share
called BackupX (X representing the number of the work area where the user was
registered, 1 or 2). Only members of the Administrators group have access to
this share from any Windows station. To access it, they have to do the following:
• Press the keys [Win]+[R] at the same time
• Write \\ipbrick\backup1 and press the button ”OK”
All folders and files deleted in these administrative shares are permanently deleted
from IPBrick.
Figure 3.11: Users Management - Insert
Figure 3.12: Users Management - Detail
Figure 3.13: Users Management - Modify
3.5 Domain Server
IPBrick as an Intranet server manages all the network resources belonging to
a certain domain and provides important network support services such as DNS and
DHCP. A relevant feature of the domain server [1] is that it works with
the authentication server, where all the users have a username/password match
defined in the LDAP database of IPBrick. The PDC is checked whenever there is an
authentication request on a workstation.
In this section you define the name of the domain served by IPBrick as well as
the IPBrick function:
• Authentication in the domain=YES: IPBrick will be a Primary Domain
Controller in the chosen domain;
• Authentication in the domain=NO: IPBrick will not operate as a domain
server.
⇒ Note: The information on this page is only valid for the MS Windows
environment. The IPBrick Domain Name field is related to the Workgroup or
Domain Name in the MS Windows environment.
[1] Primary Domain Controller
Figure 3.14: Domain Server
3.6 File Server
A work area corresponds to a physical partition on the drive named /home1 or /home2. When a new user is created, the system also creates the user’s
personal account, which represents a folder structure that supports the user account.
1. Personal Accounts: located in the MS Windows environment, containing
e-mail files and the user profile.
2. Group Sharing: responsible for storing user group files.
3. Administrative Sharing: responsible for sharing deleted user accounts and deleted group shares. These areas are only available for Administrators.
IPBrick has two Work Areas by default: Work Area 1 and Work Area 2.
When you click on Work Areas you are given a list of all users and sharing groups
classified by Work Area as well as information about the occupied space in the
system of each individual Work Area (Figure 3.15).
Figure 3.15: Work Areas - Summary
3.6.1 Individual Work Areas
When you select Work Areas -> Individual, IPBrick shows you a list of
the existing Work Areas and a schedule of the occupation rate for each Work Area.
These Work Areas correspond to the hard drive space where the data of the users
registered in Users Management is stored.
Figure 3.16: Work Areas - Summary of Individual Areas
! Attention: If the occupied space in the Work Areas reaches 100%, users can
no longer save their data in IPBrick. Moreover, e-mails are no longer delivered to the
users. They stay in the queue until some space is released in the Work Areas. It is
recommended to keep the occupation rate of each Work Area under 95%.
When you click on a Work Area, e.g. Work Area 1, you are given a list of
all users introduced in this area as well as the occupied space of each user. Each
user area is created the moment you register the user in IPBrick.I ->
Users Management.
Figure 3.17: Work Areas - Individual
3.6.2 Group Work Areas
The group work areas are network shares. You can create network shares in
any Work Area. After creating a network share you have to define the permissions
of the users registered in IPBrick.
When inserting a Group Work Area you have to fill in the following fields:
• Name: Name of the share folder. Try to avoid spaces, characters with accents
and punctuation;
• Description: Information about the user type wanted for this share;
• Responsible: (This field is optional);
• Recycle bin: Enables the use of a recycle bin;
• Name of the Recycle bin folder: If you choose to enable the previous
option, you can set in this field the folder that will be used as a recycle bin.
Figure 3.18: Work Areas - Group - Insert
After creating a Group Work Area you have to give permissions
to the users in order to have access to the network share. There are 3 different
types of permissions:
• None - No access to the share. Users cannot open the share folder
from a workstation.
• Read Only - Users have access to share folders and their files. Nevertheless,
they are not allowed to change these files.
• Read/Write - Users have access to share folders and its files and are allowed
to change files and save changes.
Permissions are given to individual users or user groups. User groups are
defined in IPBrick.I -> Group Management.
For example, in order to create a share folder for users belonging to a commercial department you have to do the following steps:
• Create the group ”Dept Financeiro” in Group Management and add the users
of this department to the group.
• Create an area called ”Financeiro” in Work Areas -> Group.
• Give read and write permissions to the group ”Dept Financeiro”. The other
groups have either reading permissions or no access to this area.
⇒ Note: When defining user group permissions any change in the General
group leads to changes for all the other groups. This happens because all users
introduced in IPBrick are part of General group.
Figure 3.19: Work Areas - Group - Management
⇒ Note: A deleted share is no longer available to users. All files in this share
are moved to an administrative share called BackupX (X representing the number
of the work area where the share was created, 1 or 2) that you find in the same
Work Area. Only users belonging to the IPBrick Administrators group have
access to this administrative folder. You can access this share from a Windows
station by following these steps:
• Press the keys [Win]+[R] at the same time
• Write \\ipbrick\backup1 and press ”OK” (the share that exists in Work Area 1)
All files and folders deleted in these administrative shares are permanently deleted
from IPBrick.
Figure 3.20: Work Areas - Group - Access Groups
3.6.3 Kaspersky
Kaspersky Antivirus for Samba Server (file server) is already installed in IPBrick. After inserting a valid license (Figure 3.21), Kaspersky Antivirus for Samba
Server is activated and displays the interface with the following links:
• Update: After the license expiration you should renew with a new license
file;
• Delete: Removes the license;
• Configure: It provides you a general Anti-Virus configuration option;
• Work areas: Antivirus behaviour in work areas;
• Statistics: Interface with specific statistics about the file server Anti-Virus.
Configuration
General settings:
• Notify from the address: Sender that will make the notifications;
• Notify to the address: Email address that will receive notifications.
Figure 3.21: Workareas - Kaspersky Licence
Figure 3.22: Workareas - Kaspersky - Configure
Object settings:
• Directory exclusion mask: Directories that will be analysed;
• File exclusion mask: Files that will be analysed;
• Packed Files: If you choose this item, this type of file will be analysed;
• Archives: If you choose this item, this type of file will be analysed;
• Auto-extraction files: If you choose this item, this type of file will be
analysed;
• Email database: If you choose this item, this type of file will be analysed;
• Text format email: If you choose this item, this type of file will be analysed.
Scan settings:
• Cure: If activated, detected viruses will be automatically removed;
• Use heuristic: If activated, viruses can be detected through the analysis of
code with characteristics and behaviour similar to a virus;
• Use IChecker: If the file was not modified since the last time it was
checked, there will be no new analysis for this file.
Actions Settings: Defines what the Anti-Virus will do with infected and suspicious files or with warnings
• Remove: Removes the file;
• Unchanged: Takes no action on the file;
• Move: Moves the file.
Notification settings: Defines what notifications the Anti-Virus will send about
infected and suspicious files or about warnings.
• Notify user through winpopup: Notification using the Windows net send
command;
• Notify user through email;
• Notify administrator through email.
To change settings click on Modify.
Figure 3.23: Workareas - Kaspersky
Workareas
By default, work areas are verified when they are opened and closed. You can
set for each share if it will be protected, or not, and if it will be verified when users
open and/or close files.
Statistics
Several statistics are displayed in this interface:
• Virus Statistics in period: Options to display present graphic in Virus
Statistics:
– Start: The starting date for statistics;
– View: Can be set in hours, days, months or years;
– Repetition: Scale of the graphic horizontal axis;
– Group: It enables you to group data, depending on the chosen view
• Virus statistics: The display can be filtered by: Infected files, protected,
corrupted, errors and files where disinfection failed;
• Virus list: Can be organized by Virus name/Number of occurrences.
Figure 3.24: Workareas - Kaspersky - Statistics
3.7 E-mail
Email is the most used network service on the Internet, increasingly replacing traditional mail and fax. The protocol used to send electronic messages is SMTP
(Simple Mail Transfer Protocol), which runs on TCP port 25. It enables sending email
to one or several recipients and is implemented by MTAs (Mail Transfer Agents).
The IPBrick MTA is Qmail [2].
SMTP is only capable of sending messages, so users need
an email client that supports the protocols for downloading messages from
servers, POP3/IMAP.
IPBrick’s Email section is composed of:
• Configure
• Queue Management
• Users Management
• Mailing Lists
• Auto respond
• Kaspersky Anti-Virus
• Kaspersky Anti-SPAM
[2] http://cr.yp.to/qmail.html
3.7.1 Configure
An important concept in e-mail server configuration is the open relay. A
server that works as an open relay processes messages between senders and recipients
outside the server domain, which may not even exist. Obviously, IPBrick doesn’t work as an open relay; it only forwards Internet e-mails to domains that
are explicitly indicated.
It is important to mention four very simple and decisive concepts in the E-mail
configuration:
1. Domains served by IPBrick: E-mail addresses whose destination is the IPBrick server itself, that is, the associated e-mail accounts are in the local
network. E-mails that are in the queue and whose recipient is in one of these
domains are not sent to another server in order to be delivered. The domains
served by the machine have to be correctly configured in each domain’s DNS
server. That is, the ”E-mail servers” of these domains have to be configured
to point to this machine.
2. Domains which IPBrick allows to be forwarded to the destination
server (relay): IPBrick forwards all the messages whose domains are
in this list; the server accepts them into a queue. Messages to
other recipients that don’t belong to these domains won’t be accepted by the
server (see footnote [3]).
3. IP networks for total relay: IPBrick relays to any domain as long as
the e-mail is sent from its corresponding internal network. If there are
different internal IP networks it is necessary to add these networks to the
list. This way all machines in the networks are able to send e-mails to other
domains using IPBrick as a relay server.
4. SMTP routes: SMTP routes are configured when you want e-mails to follow
a certain path (server) in order to find their recipient. Normally, an SMTP
route is defined by default (showing the SMTP route and leaving the Domain
empty). When the server is not correctly registered with the IP name in the
Internet DNS, you have to define an SMTP route. This route should point to
either the server responsible for forwarding the firm’s e-mails or the SMTP
server of the ISP used by the firm to access the Internet. This configuration is
necessary because certain e-mail servers make additional verifications of the
sending server’s authenticity. If they can’t resolve the server name into the
corresponding IP address, the mail may be deleted or sent back as SPAM. If
no SMTP route is used, the server tries to send the mails in the queue
on its own: with the help of the DNS records it tries to find the recipients directly on the Internet.
[3] Only e-mails from the Internet respecting these rules are processed. IPBrick is not configured
as open-relay.
Each e-mail configuration option has a link to Insert new entries (Figure 3.25).
Figure 3.25: E-mail - Configure
The domains for local delivery (domains which IPBrick serves) and relay (domains which IPBrick forwards) can be edited and/or deleted. The exception is
the domain whose name is the same as that of the machine in the local networks
or that of the local domain in the relay.
⇒ Note: To make IPBrick relay e-mails to another server that has the accounts, the firm’s base domain has to be removed from the domains served by
IPBrick, since it is a domain served by IPBrick by default.
By default IPBrick only forwards email messages that come from its private
network. If there are different internal IP networks, they should be added to let
them send messages.
There are two different types of SMTP routes:
1. FQDN [4] of the route server. For example: smtp.exchange.telepac.pt.
2. IP address of the route server. Please pay attention to the brackets 195.22.133.45.
In the following you are given two examples of configurations, one with an
IP for a specific domain and another configuration for the same domain with the
FQDN:
First Example:
Domain     : abzas.miz
SMTP route : 195.22.133.45
Second Example:
Domain     : abzas.miz
SMTP route : smtp.exchange.telepac.pt
[4] Fully Qualified Domain Name
An important configuration is that of a machine relaying e-mails. Whenever,
in this situation, you add a default SMTP route (without indicating the domain), you have to add another SMTP route to forward e-mails to the internal
e-mail server. Below is an example of such a configuration, in
which IPBrick is relaying e-mails to an internal e-mail server called
accounts (contas.domain.com), with the SMTP route smtp.isp.pt defined by default:
Domain: domain.com
SMTP route: contas.domain.com
Domain:
SMTP route: smtp.isp.pt
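The four settings of this section (served domains, relay domains, networks for total relay, SMTP routes) combine into one accept/forward/reject decision per message. The model below is an added example, not IPBrick or qmail code; the dictionary keys, function names, the local domain lan.domain.com and the network 192.168.1.0/24 are assumptions made for illustration, while the routes are those of the configuration above.

```python
import ipaddress

# Constructed sample configuration. The routes mirror the relay example above
# (domain.com forwarded to contas.domain.com, default route smtp.isp.pt);
# the served domain and the internal network are assumptions.
CONFIG = {
    "local_domains": {"lan.domain.com"},    # domains served by this machine
    "relay_domains": {"domain.com"},        # domains accepted for forwarding
    "relay_networks": ["192.168.1.0/24"],   # IP networks for total relay
    "smtp_routes": {"domain.com": "contas.domain.com", "": "smtp.isp.pt"},
}


def rcpt_domain(address):
    """Return the lower-cased domain part of an e-mail address."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    return domain.lower()


def next_hop(domain, smtp_routes):
    """A domain-specific route wins, then the default route (empty Domain).
    None means no route applies and the recipient is resolved through DNS."""
    if domain in smtp_routes:
        return smtp_routes[domain]
    return smtp_routes.get("")


def decide(client_ip, recipient, cfg):
    """Return (verdict, next_hop) for one message offered by client_ip."""
    domain = rcpt_domain(recipient)
    # Served domains are delivered locally and never leave the machine.
    if domain in cfg["local_domains"]:
        return ("deliver-local", None)
    client = ipaddress.ip_address(client_ip)
    trusted = any(client in ipaddress.ip_network(net)
                  for net in cfg["relay_networks"])
    # Forward when the recipient domain is listed for relay, or when the
    # client sits in a network that is allowed to relay to any domain.
    if domain in cfg["relay_domains"] or trusted:
        return ("relay", next_hop(domain, cfg["smtp_routes"]))
    return ("reject", None)


def audit(cfg):
    """List settings that widen relaying or contradict each other."""
    findings = []
    for text in cfg["relay_networks"]:
        net = ipaddress.ip_network(text)
        if net.prefixlen == 0:
            findings.append(f"{text}: matches every client (open relay)")
        elif not net.is_private:
            findings.append(f"{text}: public address range may relay anywhere")
    # Assumption of this model: local delivery takes precedence, so a route
    # for a domain that is still listed as served is never used.
    for domain in sorted(cfg["local_domains"] & set(cfg["smtp_routes"])):
        findings.append(f"{domain}: SMTP route ignored, domain is served locally")
    return findings


if __name__ == "__main__":
    for ip, rcpt in [("203.0.113.7", "ana@domain.com"),
                     ("192.168.1.20", "bob@abzas.miz"),
                     ("203.0.113.7", "bob@abzas.miz")]:
        print(ip, rcpt, decide(ip, rcpt, CONFIG))
    print(audit(CONFIG))
```

Running `audit` on a configuration where domain.com is still listed as a served domain reports the situation the note above describes: the route to contas.domain.com is never taken until the domain is removed from the served domains.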
3.7.2 Definitions
Figure 3.26: E-Mail - Definitions
There is a link called Definitions (see Figure 3.26) to define characteristics
of the e-mail server:
• Maximum e-mail size
Value by default: unlimited.
• Maximum time to hold the message in the server
Value by default: 604800 seconds.
• Maximum number for simultaneous SMTP connections
Value by default: 20
• Incoming message timeout
Value by default: 1200 seconds
• Outgoing message timeout
Value by default: 1200 seconds
• Reject emails from invalid domains
Default value: Yes
• Reject emails from invalid servers
Default value: No
In this interface it is even possible to define permissions of sending and receiving
e-mails:
• Valid internal recipients: A list with valid e-mail addresses. Valid addresses are e-mails with recipients of this list and e-mails accepted by the
server.
⇒ Note: Only e-mails with addresses that are introduced as valid internal
recipients in the list will be delivered.
• Invalid senders A list with e-mail addresses that are not allowed to send
e-mails.
3.7.3 Queue Management
The Queue Management (Figure 3.27) allows you to manage and view e-mails that are in the e-mail server queue waiting to be delivered to their local or
remote recipient.
You can see the number of e-mails that are in the queue waiting to be delivered
to their local or remote recipient as well as the total number of e-mails in the queue.
The list presents the following fields:
• ID: the unique e-mail identification added by IPBrick;
• Date: e-mail sending date;
• From: e-mail sender;
• To: e-mail recipient;
• Subject: Message subject;
• Size: Message size displayed in Kbytes.
Figure 3.27: E-mail - Queue Management
You can delete several e-mails at the same time by selecting the corresponding
checkboxes and clicking on the Delete Mails option. You have to confirm this
action in order to eliminate the chosen mails.
! Attention: E-mails deleted from the queue are permanently deleted.
When selecting a mail you can see its complete source. This operation is done
in real time. Therefore it is not necessary to Update Settings.
3.7.4 Users management
This option provides a centralized management for each user email account of
the system and you can configure:
• State;
• Alternative addresses;
• Active email quota;
• Message maximum size;
• Forwarding;
• Automatic reply message.
Alternative Addresses
Alternative addresses (Figure 3.28) allow you, on the one hand, to have practical
logins which are easy to manage and, on the other hand, the comfort of using more
personalized e-mail addresses. This way the user can have an e-mail address with
which he identifies himself more.
All mails that are sent to any alternative e-mail address defined for a user are delivered to that user’s inbox.
Ex.
name : Armindo Quintas
login : aquintas
email : [email protected]
Alternative Addresses:
[email protected]
[email protected]
[email protected]
[email protected]
Figure 3.28: E-Mail - Alternative addresses, Forwarding and automatic replies
To Insert a new email address (Figure 3.28):
• Select the account (user);
• In the Alternative Addresses field: set the alternative email address(es).
Whenever you want, you can access the e-mail address list (IPBrick user
e-mail addresses arranged in groups) and change the names or the user of an e-mail
address. Obviously, when you change the user of an alternative e-mail
address, new mails will be delivered to the new user while the other alternative
addresses stay with the old user.
Mail Forward
Mail forward allows delivered mails to be sent again to other internal or external
e-mail addresses. (Figure 3.28)
To Insert a new mail forward (Figure 3.28):
• Select the account (user);
• In the Forward to field: Set the recipient email address(es).
Automatic Resp. Message
An Auto Respond is an e-mail automatically sent by IPBrick in reply to other
e-mails. When an e-mail arrives at a user account with Auto Respond configured,
IPBrick sends a mail to the sender with the personalized user contents.
In order to Insert a new Auto Respond you need to (Figure 3.28):
• Select the account (user);
• In the Automatic reply message text area, insert the content you
want. Ex: Vacations
3.7.5 Mailing Lists
A mailing list provides the feature of sending email from one to many.
To add a mailing list:
• Click on Insert;
• Write the address you want in the mail field (Figure 3.29);
• Click on Insert.
After you add a mailing list (Figure 3.30), you have to configure:
• In the Internal Users List set the members of IPBrick Users that will be
part of the distribution list;
• In the External Users List (Figure 3.31), set the email addresses that
don’t belong to the network (Internet);
• In both cases you only have to click Modify to add members to the list.
Figure 3.29: E-mail - Insert
Figure 3.30: E-mail - Modify
Figure 3.31: E-mail - Internal contacts
3.7.6 Kaspersky Anti-Virus
The Anti-Virus is already installed in the Email section. You only have to
acquire a license to activate its management interface. After inserting the license,
the interface displays the following links (Figure 3.32):
• Update: After the license expiration, you need to renew with a new license
file;
• Delete: Removes the licence;
• Configure: Provides a general configuration of notifications;
• Groups Management: Provides personalization of Kaspersky Antivirus configuration and filtering;
• Statistics: Interface with specific statistics about the Anti-Virus use.
General configurations
Click in Modify to configure email address of notifications (Figure 3.32).
General Settings:
• Notify from address: Sender that will make the notifications;
• Notify to address: Email address that will receive notifications.
Figure 3.32: E-Mail - Anti-virus
Limits:
• Do not send notification to: Address that won’t be able to receive notifications (the notification sender).
Groups Management
The group default is already created. If you click on the group, the default
general settings are displayed. If you click on Modify, you can personalize the
following options (Figure 3.34):
• Enable: Kaspersky Anti-Virus State;
• Group administrator address: Group administrator email;
• Quarantine path: The files in the quarantine state are stored in this directory;
• Sender mask: You may add this item if a new group is created;
• Recipient mask: You may add this item if a new group is created;
The notification rules for any type of object can be changed in Notification Rules
menu, as you can see in Figure 3.35.
In the Filter menu (Figure 3.36), you may set the filter rules/exceptions by the
name of the files or by mime-type.
Figure 3.33: E-Mail - General configurations
Figure 3.34: Anti-virus - Groups Management
Figure 3.35: Anti-virus - Notification Rules
Figure 3.36: Anti-virus - Filter
Statistics
Several statistics are displayed in this interface:
• Virus Statistics in period: Options to display present graphic in Virus
Statistics:
– Start: The starting date for statistics;
– View: Can be set in hours, days, months or years;
– Repetition: Scale of the graphic horizontal axis;
– Group: It enables you to group data, depending on the chosen view
• Virus statistics: The display can be filtered by: Infected files, protected,
corrupted, errors and files where disinfection failed;
• Virus List: Can be organized by Virus name/Number of occurrences;
• List of email senders: Shows some statistics about files by sender addresses;
• List of email recipients: Shows some statistics about files by IPBrick
recipients addresses;
Figure 3.37: Anti-virus - Statistics
3.7.7 Kaspersky Anti-Spam
Like Kaspersky Anti-Virus, Anti-Spam is already installed; you only need to
apply a license to activate this feature. After the activation, the following options
are displayed:
• Update: After the license expiration, you need to renew with a new license
file;
• Delete: Removes the licence;
• Configure: Provides a general configuration of notifications;
• Statistics: Interface with specific statistics about the Anti-Spam use.
The most important Anti-Spam configuration features are:
• Add every email domain of the company that the Anti-Spam should filter
(Figure 3.38);
• Set the Kaspersky Anti-Spam detection level. Standard is the default level.
If the spam reception rate is high, the level of detection should be increased
to Maximum (Figure 3.40);
• Redirect all the emails classified by Kaspersky Anti-Spam to an email
account (in Figure 3.39: [email protected]). This enables the network
administrator to analyse all the emails classified as Spam; if there is any
misclassified email, the administrator may forward it to its recipient;
• Add Email and IP address Whitelists and Blacklists, if there
are any (menu in Figure 3.38).
Statistics
Several statistics are displayed in this interface:
• Spam Statistics in period: Options to display present graphic in Spam
Statistics:
– Start: The starting date for statistics;
– View: Can be set in hours, days, months or years;
– Repetition: Scale of the graphic horizontal axis;
– Group: It enables you to group data, depending on the chosen view
• Spam statistics: The display can be filtered by: Clean files, Spam, probable and blacklists;
• List of email recipients: Shows some statistics about files by IPBrick
recipients addresses.
Figure 3.38: Anti-Spam - Protected Domains
Figure 3.39: Anti-Spam - Actions
Figure 3.40: Anti-Spam - Rules
Figure 3.41: Anti-Spam - Statistics
3.8 Print Server
This section deals with the interface management of the printers intended to
be available in the network. When you define a printer you are asked to define the
printer:
1. Name: (E.g. HP2200)
2. Description: This field is not obligatory (e.g. Network Printer HP 2200)
3. Location in the firm: This field is not obligatory (e.g. Room 1)
4. Interface: Used by the printer to communicate. There are 4 options:
• parallel port;
• serial port;
• USB port;
• network printer.
5. Hardware: Used by the printer. This is directly related to the interface.
(This option is only available for interfaces with parallel port, serial port
and USB port) (e.g. Interface -> Parallel Port, Hardware -> Parallel Port 1)
6. In case of a network printer, the following information is necessary:
• Address: Network printer address. (this option is only available for
network printers) (e.g. 192.168.1.1)
• Port: Used by the network printer. This field is not obligatory. (This
option is only available for network printers) (e.g. for a HP printer:
9100)
After inserting a printer, IPBrick has to make the drivers available to the client
stations in order to finish the configuration. Therefore the printer drivers have to
be transferred to the server:
1. Log on to a Windows station with a user of the Administrators group (the
workstation has to be already registered in the IPBrick domain);
2. Press the keys [Win]+[R] at the same time and type \\ipbrick;
3. Select Printers and Faxes
Verify if the added printer to the IPBrick Web interface is shown.
4. Right click inside the window Printers and Faxes and select Server Properties;
5. Select the Drivers option in the presented window.
6. Choose ”Add”, set the manufacturer and the printer model and click Next;
7. Select the Windows version which the drivers have to correspond with.
8. Click Finish
Now the printer’s drivers are transferred to IPBrick.
9. In the share named Printers and Faxes on IPBrick, right click on the printer
and choose Printer Properties. You’ll be prompted with a message like
the one in Figure 3.43. Choose ”No”.
10. Go to ”Advanced”, select the new driver just added and click ”Apply”.
Figure 3.42: Insert a network printer
Figure 3.43: Inserting a network printer
To configure the printer on the client side, you must:
• Press the keys [Win]+[R] at the same time;
• Type \\ipbrick at the new window;
• Right click on the printer and choose ”Connect”.
Now the printer is listed in ”Printers and Faxes” on the client side.
3.9 Backup
Backup consists of copying data from one device to another with the aim of
preserving the data in case of future problems. Usually this copy is made from the
hard disk to tapes, DVD or other disks. Nowadays paper is increasingly replaced
by digital files, bringing companies to the importance of having a reliable backup
system.
3.9.1 Arkeia
IPBrick includes Arkeia, a full featured backup service. This option gives access to
the Arkeia configuration interface, the backup management software installed in
IPBrick by default.
When selecting this option, and after clicking the Open button, a VNC session window is opened. It is necessary to have the JRE [5] installed to establish the
connection. The authentication in this session is made with the IPBrick Administrator’s current password. The Arkeia management interface is available after
validation.
In order to start the Arkeia configuration software it is necessary to submit
your validation by default:
login: root
password: (without password)
After the successful server connection the following menus are displayed (Figure
3.44):
• Backup: Sets, configures and launches Arkeia backup, including savepacks
• Restoration: Sets, configures and launches Arkeia restore function;
• Hardware: Sets and configures the hardware (drives, tapes, libraries) connected to the server;
• Running jobs: Displays the executing processes;
• Administration: Functions to configure Arkeia
• Logs: Displays the logs that are generated by Arkeia.
Arkeia menus are easy to use. When you access a menu, new sub-menus show
up with new options, successively. Every time you pick a menu, its icon appears
in an upper bar. To move back in these menus you only have to click on the corresponding icon.
To administrate Arkeia executing processes you have to select the Running
Jobs menu (Figure 3.45).
select the request line that will have more priority to backup execution
[5] Java Runtime Environment, which can be found at http://sun.java.com/.
Figure 3.44: Arkeia - Main Menu
Figure 3.45: Arkeia - Running Jobs
Figure 3.46: Arkeia - Backups confirmation
Inside this menu, you can see the backup processes. These processes can have two statuses:
• The process is pending, waiting for confirmation, i.e., you have to click OK. The user is alerted to replace the tape;
• The jobs are waiting for the conclusion of the remaining processes.
Usually, if backup administration proceeds normally, with administrator intervention on a daily basis, there will be only one execution process per day. In case of a power failure, all these processes are eliminated.
Advanced Administration
• Add users (Administration > Users (Figure 3.47))
Arkeia sends email messages reporting several events, such as the need to insert tapes, the details of a backup process, etc. You should create a user (with an Administrator type role) who receives these email messages, to check that the procedures are carried out correctly.
1. Insert:
(a) Name;
(b) Role;
(c) Email address.
Figure 3.47: Arkeia - Add Users
• SavePacks (Backup > SavePacks)
This is an essential feature of Arkeia technology. A savepack is a set of paths and files that are included in the backup.
1. Create a SavePack (usually named Data);
2. Add the directories that will be included in the backup (name of SavePack > Browse Trees)
– /boot
– /etc
– /homeX (where 1 ≤ X ≤ number of homes)
– /opt/ipbox/backupDB
– /var/lib/ldap
– /var/lib/mysql
– /var/lib/postgres
– /var/lib/postgres2
– /var/lib/samba
– sysinfo
• Configure the backups (Backup > Periodic)
1. Create a new Periodic Backup
Figure 3.48: Arkeia - Directories to save
Figure 3.49: Arkeia - Levels
2. Create 3 levels:
(a) Level 1 - Archive
(b) Level 2 - Weekly
(c) Level 3 - Daily
• For each backup select SavePack, DrivePack, Pool, Type and Valid for:
– Level 1: Archive, Total Backup, 2 years
– Level 2: Weekly, Total Backup, 8 weeks
– Level 3: Daily, Incremental, 4 weeks
The available backup types are:
– Archive: Saves savepack data and keeps them indefinitely (requires additional license);
– Total: Saves all the savepack data and keeps them for the period set in Valid For;
– Differential: Only saves the files that were modified since the last Total type backup;
– Incremental: This is the most complex backup type. It creates a list of the files modified since the last backup (either Total or Incremental) and then backs up the files included in the list.
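The difference between the Total, Differential and Incremental types defined above, as an added Python example that is not part of the IPBrick manual or of Arkeia. It models only the definitions given here; the file paths, the days and all function names are constructed for illustration, and it also derives which backups a restore has to read.

```python
from dataclasses import dataclass


@dataclass
class Backup:
    day: int      # day on which the backup ran (at the end of that day)
    kind: str     # "total", "differential" or "incremental"
    files: set    # paths written to the medium by this run


def select_files(kind, mtimes, history):
    """Paths a backup of `kind` saves, given each file's last-modified day."""
    if kind == "total":
        return set(mtimes)
    if kind == "differential":
        # Reference point: the last Total backup only.
        reference = [b.day for b in history if b.kind == "total"]
    elif kind == "incremental":
        # Reference point: the last backup, Total or Incremental.
        reference = [b.day for b in history if b.kind in ("total", "incremental")]
    else:
        raise ValueError(f"unknown backup type: {kind}")
    if not reference:
        return set(mtimes)  # no earlier backup to compare with
    since = max(reference)
    return {path for path, day in mtimes.items() if day > since}


def restore_chain(history):
    """Backups that must be read, oldest first, to rebuild the latest state.

    Assumes the schedule uses a single daily type; mixing types is not modelled.
    """
    last_total = max(i for i, b in enumerate(history) if b.kind == "total")
    later = history[last_total + 1:]
    incrementals = [b for b in later if b.kind == "incremental"]
    differentials = [b for b in later if b.kind == "differential"]
    # Differentials are cumulative, so only the newest one is needed;
    # each incremental holds one slice, so every one of them is needed.
    return [history[last_total]] + (incrementals or differentials[-1:])


def simulate(daily_kind, changes, paths, days):
    """Total backup on day 0, then one `daily_kind` backup per day."""
    mtimes = {p: 0 for p in paths}
    history = [Backup(0, "total", select_files("total", mtimes, []))]
    for day in range(1, days + 1):
        for path in changes.get(day, []):
            mtimes[path] = day
        files = select_files(daily_kind, mtimes, history)
        history.append(Backup(day, daily_kind, files))
    return history


# Constructed sample: three files from the savepack, edited over three days.
PATHS = ["/home1/report.doc", "/home1/budget.xls", "/etc/hosts"]
CHANGES = {1: ["/home1/report.doc"], 2: ["/home1/budget.xls"], 3: ["/home1/report.doc"]}

if __name__ == "__main__":
    for kind in ("incremental", "differential"):
        history = simulate(kind, CHANGES, PATHS, days=3)
        print(kind)
        for b in history:
            print(f"  day {b.day} {b.kind:12} {sorted(b.files)}")
        print("  restore reads days", [b.day for b in restore_chain(history)])
```

With incrementals each daily run is small but a restore needs every medium since the last Total; with differentials the daily runs grow but a restore needs only two.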
3.9.2 Remote
This option lets you configure scheduled backups to a NAS[6] device or to an rsync server. Rsync is a powerful backup tool included in IPBrick that makes incremental copies of files/directories to another rsync server.
To add a backup task you must click Insert. You will have the following fields:
Backup definitions:
• Backup Name: The name of the backup;
• Notification E-mail: Recipient that will receive all the backup notifications;
• Job to do: There are two options:
– Copy: It will copy all work areas (/home1, /home2, /home3...) to the backup device;
– Restore: It will restore all work areas from the backup device;
Destination Data Definitions:
[6] Network Attached Storage
Figure 3.50: Backup task insertion
• Data Location: The only option is remote. It will always be a remote machine.
• Backup Device: NAS:
– IP address: Backup device’s IP address
– Login: Username that has access to the share
– Password
– Share Name: Name of the share created in the NAS
• Backup Device: Rsync Server:
– IP address: The rsync server’s IP address
When a backup task is inserted, clicking on the Backup Name gives you access to these options:
• Back: Go to the backups list;
• Modify: Modify the current backup task;
• Delete: Delete the current backup task;
• Schedule: Lets you schedule the backup task. These are the options when you click Insert (Figure 3.53):
– Periodicity: Daily, weekly or monthly;
– Description: Schedule description;
– Day of Month/Day of Week or Hour: It depends on the chosen periodicity.
Figure 3.51: Backup task options
3.10 Fax Server
The Fax server was integrated into IPBrick in version 4.1. It works with a serial modem/fax or integrated in the PBX IP server. Incoming faxes are automatically forwarded through email.
The FAX Server configurations are implemented through the web interface in:
IPBrick.I - FAX Server
IPBrick provides two services: FAX2Mail and Mail2FAX.
With the FAX2Mail service, a FAX sent by an external FAX device is received by the FAX connected to IPBrick and is then forwarded to a defined email address.
With Mail2FAX you can send a pdf file attached to an email to a defined FAX number. To enable this you have to configure the email client with the SMTP server where the FAX service is running and add the configured fax domain to the list of domains that the email server is allowed to forward.
3.10.1 Fax2Mail
To configure the service, click on the Modify link and select Yes in Enable Configuration. The following options are displayed:
Figure 3.52: Backup tasks list
Figure 3.53: Scheduling a task
Figure 3.54: Fax Server - Configure
• Fax Device: Type of physical connection/FAX hardware.
– Line type (Figure 3.55): When the server has a telephony PCI card connected to the Fax. The type of line can be ISDN for an ISDN line or ANALOG for an analog phone line;
– Serial Fax Modem (Figure 3.56): If the modem is connected to a serial port of the server, choose the port that connects to the modem in the Serial Gates list (COM1 to COM8), the Baud rate (1200 to 38400) and the Class of the modem (Class1 to Class2.1). To find the appropriate values, read the modem manual.
• Main Fax Number: The PSTN Fax number;
• Company identification: Company name;
• Country Code: Country phone number code;
• Area Code: Area phone number code;
• Long distance prefix: 0 by default;
• International prefix: 0 by default;
• Rings Before Answer: Number of rings before IPBrick answers to Fax;
• Speaker volume: Fax sound volume;
• Sender of notifications: Identification of sender notifications (IPBrick fax
server by default);
Figure 3.55: Fax Server - Telephony Card
Figure 3.56: Fax Server - Serial Fax Modem
• Sender of received fax notifications: Identification of the reception warnings
sender (IPBrick fax server by default)
If the inserted Fax is connected to a serial port, there are several options:
• Send to: At this moment the single option available is sending to mail;
• Destination: Indicate the email address to where the IPBrick incoming
faxes are forwarded;
• File type: The format in which faxes will be delivered (pdf, ps or tiff);
To activate the configuration, click Modify.
If you access the menu again, there will be two new options near the Modify link: Fax Users and Fax Lines (if the Fax is connected to an analog telephony/ISDN card).
In Fax Users (Figure 3.57), you can set which users may authenticate in the Fax client application and which will have permissions to manage Fax queue lists. The Fax client is WHFC, which is available for download at http://whfc.uli-eckhardt.de/.
Figure 3.57: Fax Server - Fax Users
Fax Line
The Fax line settings are (Figure 3.58):
• Line Type;
• Fax number: It could be represented by its DDI, by the complete fax number
or after a 0;
• Send to: Email;
• Destination: Recipient email address for the Faxes.
Figure 3.58: Fax Server - Fax line definitions
By default, notifications and reception warnings are delivered to the email address fax@<domain>. That is why you have to create an email account with this name, or an alternative email address with this name for another existing account.
Note: You have to activate the Fax service in Advanced Settings > System > Services by clicking on FAX and enabling Active and Automatic start.
3.10.2 Mail2Fax
In IPBrick.I > Fax Server > Configure, you can choose the Domain for sending Faxes, which is fax by default. After defining that domain, go to IPBrick.I > E-Mail > Configure and, in Domains which IPBrick allows to be forwarded to the destination server (relay), insert the chosen Fax domain. After updating the settings you will be able to send Faxes to the outside from an email client that belongs to the network, using as recipient: fax_number@fax_domain.
3.10.3 Statistics
This menu displays statistics about Sent Faxes, Incoming Faxes and tasks in progress.
Sent Faxes
Visible fields (Figure 3.59):
• ID: Fax identification;
• Date: Sending date;
• Owner: Fax Sender;
• Pages: Number of Pages;
• Origin: Origin email address;
• Number: Fax number;
• Attempts: Number of attempts;
• State: Fax sending status.
Figure 3.59: Fax Server - Sent Faxes
Received Faxes
Visible fields (Figure 3.60):
• Sender: Sender name;
• Receiver: Receiver number;
• Pages: number of pages;
• Reception date;
• File: Fax file.
Figure 3.60: Fax Server - Received Faxes
Current faxes
Visible fields (Figure 3.61):
• Delete: Deletes Fax;
• ID: Fax identification;
• Owner: Fax sender;
• Number: Fax number;
• Pages: Number of pages;
• Attempts: Number of attempts;
• State: Fax sending status.
In this menu you can visualize statistics and Delete Tasks.
Figure 3.61: Fax Server - Current Faxes
3.11 Terminal Server
The IPBrick terminal server provides Operating System loading through the network for the terminal stations, which can operate only with browsers, and for Windows machines through remote desktop. ⇒ Note: IPBrick must be working as a DHCP server in the network (and has to be the only DHCP server). The terminal server client receives from IPBrick the information it needs to boot from the network.
3.11.1 Configuration
First, you have to activate Terminal Server in IPBrick’s web interface. To do so, go to IPBrick.I > Terminal Server (Figure 3.62). To activate, click Modify and choose Yes.
After the activation, you may configure the terminal server in these fields:
• Display [1..4]:
Figure 3.62: Terminal Server
– Server Remote Desktop: The connection is made by the terminals to IPBrick. IPBrick is responsible for the connection with the Windows Server:
∗ Server: Address to connect to by remote desktop;
∗ Domain: The Windows domain to connect to (e.g. iportal2003).
– Terminal Remote Desktop: The connection to the server is made directly by the terminal:
∗ Server: IP address of the server to connect to by remote desktop;
∗ Domain: The Windows domain to connect to (e.g. iportal2003).
– Mozilla-Firefox: Opens a Firefox browser session;
– Telnet Session:
∗ Server: IP address of the telnet server. It is possible to connect to another service by indicating a specific port. Syntax: ip_address:port;
• Keyboard model: It depends on the number of keys. There are the following
options:
– pc101;
– pc102;
– pc103;
– pc104;
– pc105.
• Keyboard layout:
– de: german;
– es: spanish;
– fr: french;
– pt: portuguese;
– us: english.
• Mouse protocol: Type of protocol used by the mouse in the client station;
• Mouse device: System Device that will be used (/dev/...);
• Mouse resolution: Resolution mode that is used by the mouse;
• Mouse buttons: Number of mouse buttons;
• X Server: Specific commands to run the graphic environment. auto is the
default mode;
• Printer [0...1] type: Sets the printer type you want to use;
• Printer [0...1] device: Specific device for the printer (/dev/...);
• Local Device [0...2]: Other devices you want to use (/dev/...);
• Mode [0...2]: Possible image resolutions:
– 1768x1024;
– 1024x768;
– 800x600;
– 640x480;
• Module 01/02: Allows two Kernel modules to be loaded.
You can see a configuration example in Figure 3.63.
Kernel and OS
After the first terminal configuration, IPBrick needs to load the Kernel and Operating System versions that you want to make available to the terminal clients. To load Kernel versions, click on the Kernel link. The following fields are displayed:
Start system configuration:
• Description: Kernel description;
• Boot loader: It will be selected afterwards;
Figure 3.63: Terminal Server - Configuration
• Kernel: If you click Archive you should select the ltsp[7] Kernel version to run. The file should be downloaded from the Downloads section of the IPBrick webpage.
In the next step you have to choose the following Boot loader: /2.6.9-ltsp-3/pxelinux.0.
To load the Operating System, click on OS in the Top menu to display the following options:
• Description: Description of kernel;
• Operating system: If you click Archive you should select the OS version
to run. The file should be downloaded in the Downloads section of IPBrick
webpage.
Machines
If the terminals are registered in IPBrick (IPBrick.I - Machines Management) you may personalize the configuration for a terminal in the Machines link, by selecting whether the Default options set in the Top menu of the configuration are going to be used.
After loading the boot system(s) and the operating system(s), you should click Back and Terminal OS and choose the Kernel and the Operating System you want to use.
Finally, you need to Update Settings to activate them.
3.11.2 Client configuration
Clients have to boot from the network to use the Terminal Server. If you use a Book PC, boot the machine and enter the BIOS with the keys Shift + F10. The configuration should be as follows (the values can be modified with the directional keys (<- and ->)):
Network Boot Protocol : PXE
Boot Order : Int 19h
Show Config Message : Enable
Show Message Time : 3 Seconds
After this configuration, an orange window appears with this message:
Always boot network first, the local devices.
[7] http://LTSP.org
After these changes you have to confirm them by pressing the F4 key. This procedure makes sure that the client machine will boot from the network.
After rebooting, the client machine will boot through IPBrick.
⇒ Note: If the login screen of the Linux graphic interface appears after booting, you have to restart the X Server with the keys [CTRL] + [ALT] + [BACKSPACE]. If the same window appears even after the restart, it is possible to log in with user ltsp and password ltsp.
Several screens may be active for the same client (depending on what was set
in the Number of Displays field of IPBrick). Browsing across screens can be made
with keys combination [CTRL] + [ALT] + [F1] for screen 1, [CTRL] + [ALT] +
[F2] for the screen 2, and so on.
Chapter 4
IPBrick.C
This chapter describes the IPBrick menus that are used to manage the main communication services between the company and the Internet. The IPBrick.C menu, like the IPBrick.I menu, is a functional configuration menu: the IPBrick Administrator states what he intends, and the software makes the configurations according to the given indications and keeps them consistent. This chapter is divided into the following sections:
• Firewall;
• Proxy;
• VPN;
• E-Mail;
• Web Server;
• Webmail;
• VoIP;
• IM.
4.1 Firewall
Note: Any change to a firewall rule implies the activation of the firewall. Even if the firewall has been explicitly stopped, changing one of its rules restarts the firewall.
4.1.1 Available Services
Presentation
IPBrick has a number of installed services. Some of them are enabled and some are stopped. Some of them are for the Intranet, and others are meant to be available to the Internet too. In this interface you give indication to the
firewall concerning the services related with the Internet that have to be available
from the external world.
These services are:
• Web Server;
• E-mail server;
• SSH;
• FTP.
Body
The list (Firewall > Available Services, Figure 4.1) indicates the status of each service: whether the firewall is configured to let that service work (Active) or to block that service's ports (Inactive).
Note that defining a service as Active here neither starts nor stops the service. The single change applied by the Definitions Update affects only the firewall service (it stops, is reconfigured and then restarts). In other words, here you can only configure the firewall to open or close the Internet port for a given service (whether the service itself is running is configured elsewhere).
Figure 4.1: Firewall - Available Services
4.1.2 Block Services
Presentation
As in the previous section, the option to block services only Enables (unlocked) or Disables (locked) the normal operation of the listed applications (Figure 4.2).
Figure 4.2: Firewall - Block Services
4.2 Proxy
The proxy service provides Web access to network users and is commonly used to improve network management. It caches files from the accessed sites, providing better bandwidth management, and allows parameters to be customized, such as who is allowed to access the web, at what times, and what kind of pages can be visited.
The software that implements the IPBrick proxy service is named squid and runs on port 3128.
The section is subdivided into three parts, namely:
• Configuration;
• Statistics;
• Kaspersky Proxy.
4.2.1 Configuration
Presentation The main proxy configuration (Figure 4.3) determines the normal operation of the Internet browsers. It is therefore advisable to first define each Proxy type:
Figure 4.3: Proxy - Configuration
1. Standard Proxy: It is not obligatory to use the proxy to access the Internet. The proxy is only used by those who configure the browser to use the proxy on IPBrick port 3128. Users without any additional browser configuration continue to access the Internet without any problems. Web accesses are logged by IP for statistical purposes.
2. Transparent Proxy: Every Internet access is done through the proxy. The firewall has to be activated. Users may configure their browsers to use the indicated proxy. They may also continue to access the Internet without any proxy configuration in their browsers; in that case the firewall routes the traffic to the proxy. Web accesses are logged by IP for statistical purposes.
3. Proxy with authentication: The Internet access is only possible by using this proxy. In order to have a web access users have to configure their browser
with this proxy. Once the browsers are configured, a valid authentication is requested whenever users open the browser to access the Internet. User authentication is done with logins and passwords. The firewall has to be activated. All web accesses are logged per user for statistical purposes.
Configurations
Link to the Proxy Rules Setting. This interface (Figure 4.4) has the following
options:
• Source groups list: Sets a source group with access to the proxy. After the group is created, access can be set by: Machine group, Machine, IP SubNets, IP Machines and IP ranges. By default IPBrick has a LAN group with its own defined IP SubNet;
• Destination groups list: Sets destination groups (Web servers). You can set Domains, Extensions or Words in the URL for each created destination group. By default the created group is named INVALID;
• Blacklists: Displays the set of blacklists that were configured in Other configurations;
• List of time spaces: Sets specific periods based on hours and week days;
• Access Lists: Sets access permissions from the created source and destination groups, as well as the defined blacklists and periods. For instance, you can set that all destinations can be accessed by the LAN group, with the exception of the INVALID destination group and the porn blacklist, in an undefined period (always).
Source groups list
To modify the LAN group (Figure 4.5) you just have to click on the name. You
can insert a new origin group clicking on Insert link. Settings:
• Machine groups: You can associate to this group an existing machine group;
• Machines: Lists the machines that are registered in IPBrick and provides
direct association to the origin group;
• IP subnets: Provides subnets association, defining the network IP and its
mask;
• IP machines: Provides machine association to the group by IP;
• IP ranges: You can set IP ranges with proxy access.
Figure 4.4: Proxy - Rules
Figure 4.5: Proxy - Source groups
Destination groups
Destination groups (Figure 4.6) are named groups of web servers to be accessed. These destinations are configured with the following definitions:
• Domains: You may configure access by FQDN[1], by domain or by TLD[2], adding one record per line. Some possible denial examples:
FQDN example:
www.sapo.pt
www.marca.es
Domain example:
sapo.pt
marca.es
TLD example:
pt
es
• Extensions: In order to prevent certain files download through web pages you
need to deny access to some file extensions. The following example shows
that the download of three file extensions won’t be possible.
[1] Fully Qualified Domain Name
[2] Top Level Domains
Example of extensions denial:
mp3
mov
mpg
• Words in URL: You can deny in this field the access to pages that contain
certain words after the domain (after the slash). An example for two words:
Denial example for word in the URL:
video
jokes
The following sites would be denied:
http://www.mtv.com/music/video/
http://en.wikipedia.org/wiki/Video
http://kids.yahoo.com/jokes
Figure 4.6: Proxy - Destination groups
List of time spaces
This option lets you specify periods to be used afterwards in Access Lists. These periods can be week days or hours.
Access Lists
There is already a pre-configured access list in IPBrick, which specifies the following: attempts to access sites made from the LAN source group, to sites that are neither in the destination group INVALID nor in the porn blacklist, in an undefined period (24 hours), are accepted. Because no other lines are created, everything else is blocked (Figure 4.7).
Access lists have the following structure:
• Source: Origin group identification that is aimed by the rule;
• Destination: Destination groups identification that are aimed by the rule;
– Available Groups: For the created destination groups you can make the following rules: access to sites ONLY IN destination group x; access to sites NOT IN destination group x; access to sites ALLOW IN destination group x;
– Blacklists: Lets you select which blacklists are activated. Example: If the porn list is selected, every site that is not on the list can be accessed.
• Period: The time period (already inserted) that the rule is active;
• Policy: This is not configurable, the value is always to deny all that is not
set in the access lists.
Access lists should be ordered by rules from generic to specific. The generic
rules should be placed at the top and more specific rules should be placed at the
bottom (as in the firewall case). If there are several access lists you can order them
clicking on Order by.
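How a destination group and the pre-configured access list described above decide a request, as an added Python model that is not IPBrick's or squid's own code. The LAN subnet, the stand-in blacklist entry and all class and function names are assumptions made for illustration; the INVALID entries reuse the denial examples from the Destination groups section.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime
from urllib.parse import urlsplit


def host_in(host, entries):
    """True if host equals an entry or is a subdomain of it.

    One label-boundary suffix test covers FQDN, domain and TLD entries,
    so "marca.es" matches www.marca.es but not notmarca.es.
    """
    return any(host == e or host.endswith("." + e) for e in entries)


@dataclass
class DestinationGroup:
    domains: list = field(default_factory=list)
    extensions: list = field(default_factory=list)
    words: list = field(default_factory=list)

    def matches(self, url):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        path = parts.path.lower()
        after_domain = path + "?" + parts.query.lower()
        # Case is ignored: the page lists /wiki/Video as denied by "video".
        return (host_in(host, self.domains)
                or any(path.endswith("." + e) for e in self.extensions)
                or any(w in after_domain for w in self.words))


@dataclass
class AccessRule:
    source: list               # networks of the source group
    not_in: DestinationGroup   # "NOT IN destination group x"
    blacklists: list           # each blacklist is a list of domains
    period: tuple = None       # (weekdays, first_hour, last_hour); None = always


def in_period(period, when):
    if period is None:
        return True
    weekdays, first_hour, last_hour = period
    return when.weekday() in weekdays and first_hour <= when.hour < last_hour


def is_allowed(client_ip, url, rules, when):
    """A request passes only if some access list accepts it."""
    ip = ipaddress.ip_address(client_ip)
    host = (urlsplit(url).hostname or "").lower()
    for rule in rules:
        if (any(ip in net for net in rule.source)
                and in_period(rule.period, when)
                and not rule.not_in.matches(url)
                and not any(host_in(host, bl) for bl in rule.blacklists)):
            return True
    return False  # Policy: deny all that is not set in the access lists


LAN = [ipaddress.ip_network("192.168.2.0/24")]   # constructed subnet
INVALID = DestinationGroup(domains=["marca.es"],
                           extensions=["mp3", "mov", "mpg"],
                           words=["video", "jokes"])
PORN = ["blocked.example"]                        # constructed stand-in entry
DEFAULT_RULES = [AccessRule(LAN, INVALID, [PORN])]
WORK_HOURS_RULES = [AccessRule(LAN, INVALID, [PORN], (range(0, 5), 9, 18))]

if __name__ == "__main__":
    now = datetime(2008, 3, 3, 12)  # a Monday
    for url in ("http://www.sapo.pt/", "http://www.marca.es/",
                "http://en.wikipedia.org/wiki/Video", "http://notmarca.es/"):
        print(url, is_allowed("192.168.2.10", url, DEFAULT_RULES, now))
```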
Remote Proxy
In this option you can indicate a list of remote proxy servers. These servers
should provide web access because they usually have a huge cache, increasing the
speed of web access.
• List of remote proxy servers: Lets you define the list of remote proxies;
• Dont use remote proxy for the following sites: If you don’t want to use a remote proxy for certain sites, you must indicate them here.
Figure 4.7: Proxy - Access Lists
Figure 4.8: Proxy - Remote Proxy
Other configurations
Blacklists
In this context, blacklists are set as site lists organized by several categories
that are considered inconvenient. You can find here the following options (Figure
4.9):
• Url for update: Address that provides the file download with the list of
sites to block - by default this is the squidGuard URL. The file is automatically uncompressed to the system. To update the list click Update;
• Current file MD5SUM: MD5 hash of the file, if it has been calculated. It lets you check file integrity;
• Available categories: Categories list present in the compilation (usually
they are considered unsuited to LAN use)
– ads: List of advertisement sites;
– aggressive: List of violent content sites
– audio-video: List of music and video content sites;
– drugs: List of drug related content sites;
– gambling: List of gambling sites;
– hacking: List of hacking sites;
– mail: List of sites that provide free webmail services;
– phishing: List of sites about phishing;
– porn: List of sites with pornographic content;
– proxy: List of sites that provide anonymous proxy service;
– warez: List of sites with pirate software content
Content access management
Sets the number of simultaneous filtering processes, which depends on the machine performance and the current CPU load. The default is five processes.
Proxy cache options
• Cache enabled: Activates the Proxy cache service. If the cache is activated, every page accessed by the source groups is stored on the server. Example: If the page www.google.pt is in the cache, the browser will only access IPBrick instead of accessing the google web server, providing better bandwidth management.
• Cache size: Maximum cache size. If the limit is reached, the older cache
files are removed.
Figure 4.9: Proxy - Other configurations
4.2.2 Statistics
Advanced Web Statistics 6.4 is the software that generates several important statistics for the network administrator, such as detailed cache statistics and accesses (Figure 4.10).
There are different statistics types:
• Global statistics: Global network statistics;
• Statistics by machine: You have to select the machine you want from a list of LAN machines. The purpose is to give individual statistics for each machine;
• User statistics: If the proxy is configured with authentication, a user list is displayed here. You have to select a user from this list to see their individual statistics.
4.2.3 Kaspersky Proxy
In this section you may activate the Kaspersky license for the proxy. With this procedure, all web accesses made from the browser are filtered by the Anti-Virus running on the proxy, to provide effective protection against Trojans, Spyware, Dialers, etc.
After inserting the license, the interface displays the following links (Figure 4.11):
Figure 4.10: Proxy - Statistics
• Update: After the license expiration you should renew with a new license
file;
• Delete: Removes the license;
• Configure: It provides you a general Anti-Virus configuration option;
• Statistics: Interface with specific statistics about proxy Anti-Virus.
Configure
General settings:
• Notify from the address: Sender that will make the notifications;
• Notify to the address: Email address that will receive notifications.
Figure 4.11: Proxy - Kaspersky - Licence
Object settings:
• Objects to analyse:
– Compressed files;
– Archives;
– Mail databases;
– Plain mail format.
Scan settings:
• Cure: If activated, detected viruses will be automatically removed;
• Use heuristic: If activated, viruses can be detected through the analysis of code with characteristics and behaviour similar to a virus.
To modify the configurations you need to click Modify.
Statistics
Several statistics are displayed in this interface:
• Virus Statistics in period: Options to display present graphic in Virus
Statistics:
Figure 4.12: Proxy - Kaspersky - General Settings
– Start: The starting date for statistics;
– View: Can be set in hours, days, months or years;
– Repetition: Scale of the graphic horizontal axis;
– Group: It enables you to group data, depending on the chosen view
• Virus statistics: The display can be filtered by: Infected files or protected;
• Virus list: Can be organized by Virus name/Number of occurrences.
4.3 VPN
Presentation VPNs[3] provide remote access from the exterior (e.g. the Internet) to the network resources of a defined network.
4.3.1 PPTP
A PPTP[4] VPN works by providing a PPP session with the recipient through the GRE tunneling protocol. It needs another network connection, which runs on TCP port 1723, to start and manage the PPP session. In the IPBrick case, you have to indicate which users may access VPN-PPTP connections, as well as the address range that will be used by clients.
[3] Virtual Private Networks
[4] Point-to-Point Tunneling Protocol
Figure 4.13: Proxy - Kaspersky - Statistics
Users Management
Top Menu Here you have a link to Configurations. This link gives you access
to a form where you define the range of IP addresses chosen for VPN connections.
Remote clients will get an IP in this group when they make an IPBrick connection.
It is as if they were connected to the network server with an IP from this range.
Body The user list shown on the left side in Figure 4.14 presents the selected
VPN users. On the right side you find the users registered in IPBrick.
4.3.2 IPSec
IPSec (IP security) technology is a suite of protocols that ensure confidentiality, integrity and authenticity of data transmission on an IP network. Whereas the SSL protocol works at the transport layer, IPSec operates at the network layer and consequently provides data encryption at this level.
A VPN through PPTP or SSL provides a connection between a defined machine and the network. In contrast, an IPSec VPN allows two networks to communicate permanently and transparently. This is accomplished with an IPSec tunnel configured between two IPBricks or between an IPBrick and a router, providing full configuration transparency to users of the two networks. Example: network 192.168.2.0 belongs to the Company X headquarters in Oporto, Portugal and network 192.168.4.0 belongs to its branch office located in Japan. Both networks should have Internet connection to make possible the communication between their
Figure 4.14: VPN PPTP - Users
machines through a VPN IPSec tunnel. With this feature two networks can behave as if they were one.
To configure a VPN connection between two networks you need to have the appropriate configuration for the IPSec tunnel in both the origin and the destination IPBrick.
Body After clicking on IPSec, the configured IPSec tunnels are displayed in the body of that section.
Top Menu There is a link named Insert that lets you insert a new IPSec tunnel.
Body This page is where the IPSec connection is configured (as you can see in Figure 4.15). The following data are necessary:
• Local Network Definitions
– Local IP: Public address in local network;
– Local Network: Local network address and its network mask;
– Local Gateway: Router internal interface address from local network;
– Local Identifier: It could be an identifying string (by default, this
field must be empty!);
– Server IP in local network: IPBrick’s internal interface address.
Figure 4.15: VPN - IPSec
• Remote Network Definitions
– Remote IP: Public address of the remote network;
– Remote Network: The remote network address and the respective network mask;
– Remote Gateway: Router internal interface address from remote network (by default, this field must be empty!);
– Remote identifier: It could be an identifying string (by default, this
field must be empty!).
• Keys Management
– Password: A Pre-Shared Key (PSK) is a shared key that the VPN service
expects as a first credential (before username and password). For
the VPN server to allow the authentication process to continue, the
correct PSK must be supplied;
– Type: IPSec supplies two operation modes, selected in this field:
Tunnel (where the original IP packet is encrypted) and Transport
(the data (payload) is encrypted, but the original IP header is
not changed);
– Authentication: IPSec adds two extra headers to the IP packet: AH and ESP.
AH (Authentication Header) ensures integrity and
authenticity, but not confidentiality. ESP provides data integrity, authenticity and confidentiality;
– PFS⁵: Indicates whether or not PFS is to be used;
– Startup: Only automatic is available.
4.3.3 SSL
Presentation A VPN-SSL uses the SSL encryption protocol to ensure data privacy
and integrity between the two parties, because the protocol provides data encryption
and authentication. SSL is based on the TCP protocol and uses the Public
key cryptography concept (introduced by Diffie-Hellman in the 1970s).
This concept specifies that each party has a Private Key and a Public Key; the Public
Key can be distributed to the people who want to communicate with encryption.
Data encrypted with the Public Key can only be decrypted with the corresponding Private Key.
Data encrypted with the Private Key can only be decrypted with the corresponding
Public Key.
After clicking on SSL the list of VPN SSL servers is shown. To configure the
tunnel you must click on it. (Figure 4.16)
Figure 4.16: VPN - SSL
5 Perfect Forward Secrecy
Definitions In this section you can configure the definitions of the VPN-SSL
network.
• Name/IP: Name or public IP address of the VPN server;
• Port: The port of the VPN server;
• Protocol: The protocol used in the communication;
• VPN Network: The IP network from which addresses will be given to the clients.
When a user connects to this VPN server, he will get an IP address in this network.
This network should be different from any other IP network in the company;
• Domain: The domain offered to the clients;
• DNS Servers: The DNS server that the clients must use;
• NetBios Servers: The NetBIOS server that the clients must use;
• Routes for clients: Sets the network that the client must reach through
the tunnel.
Certificates After configuring the Definitions it is necessary to create SSL digital
certificates. A digital certificate contains the following information:
• Identification of the holder entity;
• Public Key of the holder entity;
• Certificate serial number;
• Certificate validity date;
• Identification of the Certifying Authority (the Certificate issuing entity);
• Digital signature of the Certifying Authority.
A Digital Certificate will be generated for the server and for each of the
clients using the VPN SSL connection. Clicking on Insert, you start with the server
Certificate generation. You have to insert data in the following fields:
• Country Code
• Country
• City
• Company
• Name: Certificate name
• Email: Company’s email
Then you generate the client certificates - you have to insert Certificate name,
Client email and Password. The next step consists in downloading the certificate
and sending it to the client that will make the VPN connection. The .zip file
contains: Server and client public key, client private key and the VPN tunnel
configuration that will be implemented.
Client
On the client side you have to install the specific software used to create the VPN
SSL connection: OpenVPN⁶. Then you must uncompress the certificate file into a
new directory in
c:\Program Files\OpenVPN\config.
To start the VPN connection, right-click the OpenVPN icon located in the
tool bar, choose the connection you want and click Connect.
The option Delete All should only be used to restart the whole process.
Status Menu
This interface shows you the active tunnels and their respective traffic, users
and IP.
After configuring this service you have to activate it in section Advanced
Settings - System Services. The procedure to configure the VPN client is described in appendix 9.1.
⇒ Note: Before configuring a VPN connection (PPTP, IPSec or SSL), you
have to know which addressing scheme is used by the local network where the
client connects and which is used by the destination network. If both networks
use the same addressing, the VPN connection will
be impossible.
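The addressing check from the note above, together with the rule that the VPN Network must differ from every other IP network in the company, can be done before any tunnel is configured. This is an added example, not part of the manual or of IPBrick; the /24 masks, the 192.168.1.0 and 10.x ranges and all labels are constructed assumptions.

```python
import ipaddress
from itertools import combinations


def parse(cidr):
    # strict=False accepts a host address with a mask ("192.168.2.1/24")
    # and normalises it to the enclosing network (192.168.2.0/24).
    return ipaddress.ip_network(cidr, strict=False)


def find_overlaps(networks):
    """networks: {label: "a.b.c.d/len"}.

    Returns [(label_a, label_b, shared_range)] for every pair of
    networks whose address ranges collide.
    """
    parsed = [(label, parse(cidr)) for label, cidr in networks.items()]
    clashes = []
    for (label_a, net_a), (label_b, net_b) in combinations(parsed, 2):
        if net_a.version != net_b.version:
            continue  # an IPv4 range cannot collide with an IPv6 range
        if net_a.overlaps(net_b):
            # Overlapping CIDR blocks are always nested, so the block with
            # the longer prefix is exactly the range both sides claim.
            shared = net_a if net_a.prefixlen >= net_b.prefixlen else net_b
            clashes.append((label_a, label_b, str(shared)))
    return clashes


# Constructed plans. The manual gives only the network addresses
# 192.168.2.0 and 192.168.4.0; the /24 masks are assumed here.
IPSEC_PLAN = {
    "Oporto headquarters LAN": "192.168.2.0/24",
    "Japan branch LAN": "192.168.4.0/24",
}

# A remote client whose home LAN uses the same range as the office LAN.
ROAD_WARRIOR_PLAN = {
    "client home LAN": "192.168.1.0/24",
    "office LAN": "192.168.1.0/24",
    "VPN-SSL pool": "10.8.0.0/24",
}

# A VPN Network carved out of a range the company already uses.
NESTED_PLAN = {
    "office LAN": "10.0.0.0/8",
    "VPN-SSL pool": "10.8.0.0/24",
}

if __name__ == "__main__":
    plans = {
        "IPSec site-to-site": IPSEC_PLAN,
        "road warrior": ROAD_WARRIOR_PLAN,
        "nested pool": NESTED_PLAN,
    }
    for name, plan in plans.items():
        clashes = find_overlaps(plan)
        if not clashes:
            print(f"{name}: no overlapping ranges")
        for a, b, shared in clashes:
            print(f"{name}: '{a}' and '{b}' both claim {shared}")
```
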
4.4 E-mail
The E-mail section is repeated in the two IPBrick modules. IPBrick.I provides
services oriented to the Intranet: Base Configuration, Queue Management, User Management,
Distribution Lists and Kaspersky Anti-Virus and Anti-Spam. IPBrick.C
provides two additional services:
• Get Mail from ISP;
• Mail Copy.
4.4.1 Get Mail from ISP
Presentation If firm mails are not delivered to an internal firm server, being
therefore only available via POP⁷, you can configure IPBrick to download
these mails from the ISP⁸ periodically to a local server. Once they are on this local
server, the mails are associated with the previously configured accounts.
In this way you can configure a server for internal e-mails, even if you only have
one, to automate and centralize all firm e-mails (from the Internet and internal).
This feature, normally called fetchmail, is useful when the MX of the enterprise
domain points to another server.
6 Software: openvpn.net - Windows GUI: openvpn.se
7 Post Office Protocol - used to access inboxes and transfer mails.
Figure 4.17: Get Mail from ISP
Top Menu
Click Insert (Figure 4.17) to add the external servers that you want to connect to in
order to download email and deliver it to the local server. You have to insert data in the following
fields:
• Server: Server identification. It can be an FQDN or an IP address;
• Protocol: Protocol that is used by the server - POP3 or IMAP;
• Remote domains: Domains that deliver email to the server. It is commonly
used with volume email boxes.
Body
To access server definitions, you must click on its name (Figure 4.17):
• Modify: To change the account data;
• Delete: Deletes the selected account;
• Back: Goes back to email servers list.
8 Internet Service Provider
Figure 4.18: Get mail from ISP - Servers Management
To access the management interface of transferring Email Boxes, you must click
Insert and fill in the following fields (Figure 4.19):
1. Mailbox type: Select individual email box or volume box, the last one refers
to boxes that are not assigned to any user;
2. Login: Username used to access the remote mailbox;
3. Password: Needed to validate login;
4. Retype password: Confirm the previous password;
5. Local server email: Local email account where downloaded emails will be
delivered;
6. Drop ’Delivered-To’: If the email address in ISP is the same as the email
address in local server, this field must be active.
Figure 4.19: Get mail from ISP - Add Account
Figure 4.20: Mail copy
4.4.2 Mail Copy
This feature (Figure 4.20) aims to save all the incoming and outgoing email
messages in two accounts: sentmail and receivedmail.
⇒ Note: Pay attention to the management of these Mail
Copies, especially at sites with a lot of e-mail traffic. It is very important to
monitor the growth of the hard drive space they occupy on the server. These e-mail
inboxes may quickly reach the full size of the partition. When that happens they
may cause trouble, either by interfering with other server applications or
for the people responsible for these e-mail inboxes, who at a certain stage will lose a
series of mails because no copy could be made.
When you activate this service (Yes) the mails are copied to the corresponding
account, that is:
1. Sent: YES, all mails that get through this SMTP server and whose sender
is from the server domain(s) will be copied to the Sent Mails local account.
2. Received: YES, all mails that get through this SMTP server and whose
sender is not from the server domain(s) will be copied to the Received Mails
local account.
When you activate the option (Yes) the system shows the Delete Automatically the Copies
field. This field allows defining whether the mail copies that are in the server are
to be deleted or not. The Delete Copies With More Than field allows specifying
the days after which mail copies are to be deleted in the server.
4.5 Web Server
Presentation A web server, through the HTTP⁹ and/or HTTPS protocols, is
responsible for answering users' requests for the web pages hosted
on it, and each server may host several sites. The web server running
in IPBrick is Apache 1.3¹⁰. The base virtual hosts registered in IPBrick are
displayed after clicking on Web Server and may be seen in Figure 4.21.
4.5.1 Creating a new site
By clicking on Insert it’s possible to create a new site. A new form is displayed (Figure 4.22) with the following fields:
1. URL address: The FQDN¹¹ of the new site that will be hosted on the
server. It’s possible to use SSL too. Example: www.domain.com;
2. Alternative URL address: Alternative name(s) for the URL address that
was previously set. This field is not mandatory;
9 HyperText Transfer Protocol
10 For more information please visit http://www.apache.org
11 Fully Qualified Domain Name
Figure 4.21: Web Server - Hosted sites
Figure 4.22: Web Server - Adding sites
3. Site administrator email: E-mail of the user that is responsible for the
site management;
4. FTP User: A new user login that will access the site folder through FTP.
This login should be unique and must not be the same as any IPBrick
LDAP user. The site maintenance will be done through this protocol.
5. Password: Password of the FTP user.
6. Retype Password: Confirmation of Password.
7. Site folder location: Folder that will be automatically created in the
server filesystem under /home1/_sites/. Usually the
name of the site is used;
8. Internet Availability: Choosing Yes means that a virtual host for this
site will be created on the IPBrick external IP; in that case the
site will be available on the Internet;
9. Safe mode: If the site is PHP based, it denies access to files outside the
site folder location, and it also interferes with global variables. That is
why the default mode is Disabled;
10. Access authorized only to the directories: By default PHP has
access to the site folder location and to /tmp.
11. Character encoding:
12. Always keep the typed URL:
13. Insert Button: confirms the introduced site
It is also necessary to create a DNS record in the company’s external DNS
server pointing to the public IP of the company’s network (A or CNAME record).
4.5.2 Management
List of several sites registered in IPBrick. Each line is a link to the site management form. (Figure 4.23)
Top Menu Here you have links to:
1. Change: the initial registration of the site (the person responsible, site name, ...)
2. Alias¹²: from where you have access to the registration list of this site.
On the new page you can manage all aliases (Insert, Remove, Change and
Delete). (Figure 4.24)
12 Alias or Host Header is a simple way of giving access to certain contents that are physically
located outside the main directory of the site. For more information please see the example
section.
Figure 4.23: Web Server - Site Management
Figure 4.24: Web Server - Alias management
• Insert;
• Remove;
• Change;
• Delete.
3. Delete: or remove the site from the web server. After clicking on Update Settings
the site is no longer available online. The files of the site are not eliminated
but moved to the share sites_bk1¹³ which is accessible to the Administrators.
Body Information list of the selected site
• URL Address;
• Alternative URL address;
• E-mail;
• FTP User;
• Site folder location: Folder that exists on the server;
• Available for the internet.
4.6 Webmail
The Web Mail installed in IPBrick can be configured to work with other e-mail
servers that are not IPBrick. To do so, you only have to indicate in this section
which IMAP¹⁴ and SMTP¹⁵ servers to use.
4.6.1 Servers
Presentation Servers to be used by the Web Mail (Figure 4.25)
Top Menu Here you have a link to Change the configured servers
Body List of configured servers. The servers may be identified by their FQDN¹⁶
or their IP address.
13 This is the file location of the removed sites. When IPBrick removes these sites, only the
services that are affected are reconfigured and the contents are moved to a dedicated share accessible
only to administrators. The same happens with user accounts and group shares. Other shares of this
kind are Backup1 and Backup2, which save the contents of Work Area 1 and Work Area 2
respectively.
14 Internet Message Access Protocol
15 Simple Mail Transfer Protocol
16 Fully Qualified Domain Name
Figure 4.25: WebMail - Servers
4.7 VoIP
This section deals with the management interface of the VoIP¹⁷ service available
in IPBrick.
The VoIP (Voice Over IP) technology allows phone calls through an IP network,
thus enabling phone calls through the Internet. The main advantages of
using VoIP are: reduction of expenses, because the rates don't follow the
conventional telephony model; and better service quality, since packet switching
makes better use of the existing network resources than circuit switching.
The IP Telephony concept is sometimes confused with VoIP, but they are not
exactly the same thing. IP Telephony uses the VoIP service and is defined as
the group of services and applications that allow companies to reduce their
phone costs.
Signalling The VoIP service needs a protocol to signal the calls. The signalling
protocol used by IPBrick is SIP, but there are others such as H.323, MGCP, Jingle,
IAX, H.248/MEGACO etc. SIP¹⁸ allows calls and conferences over IP, and
those calls may include audio, video, images etc. The SIP protocol
is thus responsible for the whole process of calls between users, independently of the
type of content of the call itself. The IPBrick.GT acts as an authentic IP PBX
and it can route calls to/from a traditional PBX, the Internet, the LAN and the PSTN.
All that management is done by a software called Asterisk. Asterisk is compatible
with several signalling protocols, among which SIP.
The VoIP functionalities accessible through the web interface are presented next.
17 Voice over IP
18 Session Initiation Protocol
4.7.1 Registered Phones
In Figure 4.26 it is possible to see the registered IPBrick VoIP clients (IP
telephones, workstations + softphone). In section Machine Management you find
the description of the menu used to insert the machines.
Figure 4.26: Registered Phones
It is also possible to register phones in:
Advanced Settings - Support services - Registered phones
This option is valid if it isn’t necessary to assign a specific IP address to
the phone. It is possible to add a phone just by filling in the name
and access password fields. This assumes that DNS is working correctly.
It is possible to configure the following fields in Options (Figure 4.27):
General options:
• Router with full DNAT?: If IPBrick is connected to a router responsible
for access to the outside (in terms of VoIP) that lets all traffic
through, it is necessary to select Yes and indicate the external address of
that router in Router public IP address;
Figure 4.27: VoIP - Options
• IP address of the IPBrick public interface used by the VoIP service:
IP address of the public interface of IPBrick responsible for the VoIP service;
• Intranet VoIP Server only?: Allows the network traffic to be routed on only
one interface and not on two interfaces, as usual;
• Attendance Timeout: Time (seconds) during which the call is sent to the
destination phone, before being sent or routed to another phone;
• Call Timeout: Time (seconds) during which the connection attempt is
made. If it expires, the attempt is ended;
• Digit Timeout: Time (seconds) after the dialling of the last digit after
which IPBrick considers the dialling as ended;
• Response Timeout: Time (seconds) counted from the moment the receiver is
hung up, at the end of which IPBrick cancels the channel;
• Remove default national prefix (0): Removes the national prefix normally used.
• Get call source address from IPBrick LDAP: If activated, IPBrick queries the
LDAP database of the IPBrick defined in IPBrick IP address and IPBrick DNS
domain and, if it finds the calling number in the database, replaces it
with the name of the entity associated with that number.
• Immediate answer on calls originated in a PBX: It is advisable to have
this option enabled if you are using connections to SIP servers (e.g. VoIPBuster,
NetCall), in order to avoid timeouts in the PBX exchange. If, for
example, you intend to define rates for the calls from the PBX, this option
has to be deactivated so that the user does not start paying as soon as
he dials the number.
• Immediate digit capture (ISDN BRI): The immediate capture of digits
changes the way the numbers sent from a PBX exchange are read in
IPBrick. When this option is deactivated, the digit capture routine is
changed to solve problems in the reading of numbers with some exchanges,
for example when the dialled number is wrongly identified in IPBrick
(repeated digits or missing digits). Attention: This option should be set to
No in IPBrick version 4.2 with BRI cards.
Options for R2 signalling:
If you are using an ISDN PRI card on which the R2 protocol has been activated,
it is possible to check and change its definitions in the table.
Active codecs list:
This table lists the codecs used in IPBrick and the order of preference in
which they are chosen in communications. To add or remove codecs, you
just have to follow the Change link, select the codec and press the button
add () or remove (). In the same way, to change the order in which the codecs
are used, select the codec and click the arrows on the right of
the list, moving it up or down the list according to the required priority.
It is possible to select among the following codecs; the bandwidth
used by each one is:
• G.711 ulaw - 64 Kbps
• G.711 alaw - 64 Kbps, used in Europe
• G.726 - 32 Kbps
• G.729 - 8 Kbps (you may have to buy a license to make calls with this codec)
• GSM - 13 Kbps
• iLBC - 15 Kbps
• LPC10 - 2.5 Kbps (not recommended)
• Speex - configurable 4-48 Kbps
The greater the required bandwidth, the smaller the number of possible simultaneous calls.
Functions available for phones
Call transfer
Besides supporting call transfers made by the terminal equipment
(SIP telephones, PBXs or softphones), IPBrick can also transfer calls on any
telephone, even one that does not natively support transfers. The two types of
transfer allowed by IPBrick are:
• Assisted transfer: When receiving a call, the person receiving it dials an
extension, asks the person at that extension whether he/she accepts the call,
hangs up and the call is transferred. To execute an assisted transfer
during the call, dial * (by default) and the name of the
extension or alternative address. Example: To transfer a call to a telephone
registered as ipbrick1 which has the 480 extension as alternative address, dial
*480 during the conversation.
• Non-assisted transfer: When receiving a call, the person receiving it dials
an extension and the call is immediately transferred to that extension. To
execute a non-assisted transfer during a call, dial # (by default) and
the name of the extension or alternative address. Example: Non-assisted
transfer to the above telephone: #480.
To cancel a transfer, you just have to dial again the number you
dialled to transfer. Example: you wanted to transfer a call to extension 481
but you dialled *482. To recapture the call you have to dial *482 again,
and then it is possible to transfer to the correct number by dialling *481.
Calls capture
To capture a call ringing on another extension, dial *8 followed by the name
with which the telephone was registered or the name of the group of telephones
ringing.
NOTICE: At this moment it is not possible to capture calls through the
alternative addresses.
4.7.2 Alternative Addresses
As you can see in Figure 4.28, several alternative addresses (internal
or external) may be associated with each telephone (either a hardware telephone
or a software telephone). An alternative address is another name (or number) by which to reach the
telephone. This functionality is very useful when there are telephones from which
you can only dial numbers.
Internal alternative addresses allow the association of an internal telephone
(i.e., from the organisation itself) with a new alternative address for the telephone.
Example: there is an IP telephone with the name Telephone. Through the site
myipbrick, a user called Joao Silva associates himself with this telephone, placing in the
SIP URL the address [email protected]. An alternative address is also created
for that telephone, with the name [email protected]. From that moment on, the
user Joao Silva may be reached either through [email protected] or through
5050.
Figure 4.28: Alternative Addresses
The external alternative addresses allow the association between an internal
address and a telephone external to the organisation. That is, the users
call an internal number (or address) and this is associated with a telephone external
to the organisation. Example: an external alternative address of the telephone
[email protected] is created for the destination address [email protected]. This way,
whenever you dial 1010 internally, the call is redirected to [email protected].
In the Top Menu there is a link to insert new alternative addresses. As
already mentioned, these can be of two types:
• Internal
– Phone Location: Internal;
– Phone name: Choose which of the telephones in IPBrick you want to associate with an alternative address;
– New phone alternative address: Insert the alternative address of
the telephone.
• External
– Phone Location: External;
– Phone name: Indicate the address of the external destination telephone;
– New phone alternative address: Insert the address that you have to
dial so that the call is redirected to the telephone indicated
in the previous field.
To confirm the insertion, it is necessary to click the Insert button.
SIP URL’s
As already mentioned, it is also possible to associate a certain telephone (number
or name) with an internal user of the network. The association is made from
the user's email address in the field SIP URL. This operation is made through the
site https://myipbrick.domain.com. This way, to contact a certain user all you
have to do is call him/her through his/her email. The call shall be made, and
the one who’s calling knows which device the addressee shall use (mobile phone,
softphone, analogue/digital telephone).
4.7.3 Online phones
The VoIP clients that are currently active and ready to make and receive calls
can be seen here (Figure 4.29).
Figure 4.29: Online phones
The information made available about each telephone is:
• Phone: Name of the telephone and the respective user;
• Request location: It indicates the IP address of the telephone;
• Port: Port where the telephone is registered.
4.7.4 Access Classes
It is possible to define access rules for the existing telephones. To do so,
click the Insert link and fill in the following fields (Figure
4.30):
• Name: The access class name;
• Unlock code: Code to deactivate the rule temporarily;
• Prefixes: Allows you to add to the authorised Prefixes list the prefixes which
may be used on the telephones under the access rules;
• Numbers: In Default policy it is possible to block the traffic for any
number or let it pass by default (Block/Authorise, respectively) and then, if
there are exceptions, to indicate one exception number per
line.
• Domains: In the same way that it is possible to authorise or block access to
certain numbers, it is also possible to do so with SIP domains.
To confirm and create a defined rule, click Insert. Now it is possible to add
the numbers under that rule, clicking the name of the rule and then Members. To
remove or add telephones to the access class you only have to click the buttons
or respectively.
To modify or remove a rule:
• Click in the rule name;
• Choose Change (to modify) or Delete (to delete).
4.7.5 Call Statistics
To see the list of answered and unanswered calls, you only have to click the
Finished Calls link (Figure 4.31). To see the calls in progress, click the
Current Calls link.
It is possible to Filter the list in order to see only the calls
made from a certain Source IP or Source Address, to a certain Destination Address,
with a certain Result (ANSWERED, NO ANSWER, BUSY, FAILED) and/or in a certain period
of time. It is also possible to filter the calls by clicking one of the underlined fields
of a call.
In the list of calls it is possible to see:
• Source IP: origin telephone IP;
• Source Address: Name of the origin telephone or origin number;
Figure 4.30: Access Classes
Figure 4.31: Call statistics
• Destination Address: Number or name of the destination telephone;
• Result: Result of the call (ANSWERED, NO ANSWER, BUSY or FAILED);
• Start: Time when the call began;
• Ring time: Time (in seconds) that the destination telephone rang;
• Duration: Time (in seconds) the call lasted.
4.7.6 Routes Management
For IPBrick to route calls between the several network
interfaces, specific routes must be defined according to a telephone
numbering scheme.
As you can see in Figure 4.32 there are two types of routes: Local Routes and
Outbound Routes to SIP servers. There is also the possibility to register IPBrick with
the SIP servers.
Figure 4.32: VoIP - Routes Management
Local routes
Local routes (Figure 4.33) allow the configuration of an interconnection between
LAN, PSTN, PBX or INTERNET.
The options available by default are:
• PSTN - LAN: allows the routing of calls from the telephone operator
network to the VoIP telephones of the local network;
• PBX - LAN: allows the routing of calls between the telephones connected
to the PBX exchange and the VoIP telephones of the local network;
• LAN - PBX: allows the routing of calls from the VoIP telephones in the local
network to the telephones of the PBX exchange;
• LAN - PSTN: allows the routing of VoIP calls from the local network to the
telephone operator network;
• INTERNET - PBX: allows VoIP calls from the Internet to be accepted and
routed to the PBX exchange;
• INTERNET - PSTN: allows VoIP calls from the Internet to be accepted and
routed to the telephone operator network;
• PBX - PSTN: allows the routing of VoIP calls from the PBX exchange to the fixed
network.
If there are other configured interfaces, they may be added to the list of routes;
to do so, click the Available Local Routes link (Figure
4.33) and then add the necessary routes.
Figure 4.33: VoIP - Local Routes
The Insert link in the Top Menu allows you to insert one of the routes mentioned.
After insertion, each type of route has a link that allows its configuration.
When accessing this interface it is possible to choose one of these options:
• Back
• Modify: To change the type of local route;
• Delete: Remove the local route;
• Insert: Allows you to add the prefixes that belong to this route. When
you indicate a prefix, all the calls whose initial digits match that prefix
are routed by that route. If you want to keep the prefix when
the call is routed, select Yes in Include prefix. Otherwise,
keep option No. In the field Prefix After-routing it is possible to indicate the
prefix to be added to the previous one, after the number dialled from the
telephone. In Fallback Routes it is possible to define backup routes to be used if the
present route has problems.
Example: To enable the use of the number 6 to route a call to the Portuguese PSTN
network, it is necessary to remove this prefix so that the number keeps
the correct format (the format 2XXXXXXXX instead of 62XXXXXXXX).
Outbound routes to SIP servers
Here (Figure 4.34) it is possible to configure which calls are routed to a SIP
server, which is then responsible for routing them to their destination. This routing
is done through prefixes, which may be inserted by clicking the name of the route and
then the Insert link above the prefixes table. To change or remove a route you only
have to click its name and then the Modify or Delete link, respectively.
To add a new SIP route click Insert and fill in the following parameters:
• Name: SIP server name;
• Address: SIP server address;
• Authentication: If authentication on the SIP
server is required, choose the option User/Password and fill in the user
name and respective password;
• Proxy RTP¹⁹: Allows IPBrick to act as an RTP proxy, providing NAT
traversal. This option is automatically selected if the route to be created
is available for VoIP telephones on the Internet;
• Available to Internet: With this option selected, the route is available for VoIP telephones outside the LAN;
• Symmetrical signalling: Defines whether signalling is sent and received through the same port (port 5060);
• Activate ENUM search: Allows IPBrick to search through ENUM²⁰.
19
Real Time Protocol
Group of protocols that aims to associate the telephonic numbering to a new register in
DNS. This way, a telephone number shall correspond to a SIP address.
20
RTP proxy is a functionality supplied by IPBrick that relays
the whole flow of RTP packets between two VoIP terminals (or User agents in SIP
terminology). It is used for NAT traversal, i.e., when some VoIP terminal is
"behind" a NAT. The prefixes inserted in this route shall be available automatically
for the SIP telephones and the telephones connected to the PBX. If there are
additional interfaces and you intend to use a SIP route, it is necessary to add
the route INTERFACE->INTERNET (for example PBX1->INTERNET or
GSM->INTERNET), include in that route a prefix matching the one of the route
for the SIP server, and include the prefix (in option Include prefix choose Yes).
Figure 4.34: VoIP - Outbound routes to SIP servers
SIP servers list for registering
Here it is possible to view the list of SIP[21] addresses which have already been
configured. When inserting a new one, the page
generated asks for the following data:
• Name: Server name;
• SIP server address: SIP server IP or address.
After inserting the data, it is necessary to click the button Insert to confirm
the insertion of the address. The next step is to register accounts to the local SIP
server. Press Insert to do this.
Figure 4.35: VoIP - Sequence settings
4.7.7 Attendance sequence
In this section it is possible to define an answering sequence, or see, change or
remove the already defined sequences. To add a new sequence it is necessary to
click Insert, define a name for the sequence, select whether the voicemail is active or not
and in Direct Access add the DID/SIP/ANA addresses of the telephones by which
the sequence shall be activated.
If you intend to add a Direct Access for an extension defined in IPBrick, it
is possible to choose SIP and select the extension in the address. In Sequence it is
possible to add the telephones which shall ring, in the desired order, and the time
for which each one of them rings before the next one.
4.7.8 Call groups
In this interface (Figure 4.37) it is possible to define answering groups, i.e., a
group of telephones which shall ring simultaneously when the group
is accessed. To define a group it is necessary to fill in:
• Name: Name for the group;
• Direct access: List of DID/SIP/ANA numbers/addresses by which this group
shall be accessed;
• Members of the Group: Internal telephones belonging to the group.
[21] Session Initiation Protocol
Figure 4.36: VoIP - Attendance sequences
Figure 4.37: VoIP - Call groups
4.7.9 IVR Attendance
In this section (Figure 4.38) it is possible to define interactive answering menus.
It is necessary to:
• Click Insert to add a new one;
• Name: Choose a name for the IVR;
• Direct Access: Define the address(es) by which this menu may be accessed
(adding the desired DID/SIP/ANA addresses in Direct Access);
• Number of desired shortcuts: Choose how many options the menu
has;
• Destination type: What type of destination to give (according to the pressed
key):
– Phone: To call an internal telephone;
– IVR: To go to an interactive answering sub-menu;
– Conference: To connect to a conference;
– Scheduler: To connect to a scheduler;
– Group: To ring the telephones of a group;
– Sequence: To activate an answering sequence;
– SIP address: To call a SIP telephone;
– DISA: Allows someone outside the central to connect as if he/she were
directly connected to the central;
– Call queue: To make the call enter a waiting line.
• Attendance message: Allows the selection of an answering message. It can
be a .mp3 or .wav file. Click Browse....
4.7.10 Call Conference
In this interface (Figure 4.39) it is possible to create conferences. For that it is
necessary to click the link Insert and fill in the fields:
• Name: The conference name;
• Numeric identifier: Numeric identifier for the conference;
• PIN: Code which shall allow the users to connect to the conference;
• Administrator PIN: Conference administrator code;
• Direct Access: Address(es)/number(s) by which the conference
can be accessed.
It is also possible to allow the creation of dynamic conferences. For that, it is
necessary to click dynamic Conferences, Change, modify the option Active to Yes
and insert the address(es) and/or number(s) of Direct Access.
Figure 4.38: VoIP - IVR attendance
Figure 4.39: VoIP - Call Conference
4.7.11 Call Parking
Here (Figure 4.40) it is possible to activate or deactivate the option of calls on
hold.
Figure 4.40: VoIP - Call Parking
If this option is activated, it is necessary to define an extension to place the
calls on hold, as well as the virtual extensions in which calls are going to be placed
(Figure 4.41). To access these calls it is necessary to dial on the telephone "#"
plus the virtual extension of the call.
4.7.12 Scheduling
This option (Figure 4.42) allows answering timetables to be defined.
It is necessary to click the link Insert (Figure 4.43), choose a name for the
scheduler and insert the address(es) and/or number(s) of Direct Access through
which this scheduler shall be accessed. Next, it is necessary to add rules for this
scheduler. For that:
• Click the scheduler name;
• Click Insert;
• Choose the type of action to be executed;
• Choose the period in which it is to be executed.
• Destination type: Where the call shall be routed if the rule defined next
is matched;
Figure 4.41: VoIP - Call Parking - Modify
Figure 4.42: VoIP - Scheduling
• Destination: Telephone address or rule to which the call shall be routed;
• Hours: Beginning and end hour of the period in which the rule shall
be valid (format hh:mm);
• Weekdays: Weekdays on which the rule shall be valid;
• Month days: Days of the month on which the rule shall be verified;
• Months: Months in which the rule shall be valid.
Figure 4.43: VoIP - Insert rules
If you do not select days of the week/month, hour or months, the rule shall be
valid respectively for all the days of the week, month, any hour or any month.
4.7.13 Music on hold
In this section (Figure 4.44) you can see the list of songs which shall be heard
if the call is on hold. It is also possible to add more mp3 files to the list, by clicking
the link Insert and, after locating the music file (clicking
the button Browse...), writing a brief description of the file in the field Name. To
add the mp3 after all fields have been filled in, click the button Insert. You can
also remove or modify the songs from the list by clicking the name of the song and
clicking Change or Delete.
Figure 4.44: VoIP - Music on hold
4.7.14 DISA
DISA[22] (Figure 4.45) is a service that allows someone who is not directly
connected to IPBrick or the PBX central to obtain an internal dial tone and
make calls as if he/she were directly connected to the internal network. The user
calls the DISA access number and should type a password followed by
the key "#". If the password is correct, the user shall hear the tone indicating that
he/she may dial the number. You can also use this service without a password
if you want to. The fields necessary to configure a DISA are:
• Name: Name of DISA;
• Direct access: Address(es)/number(s) through which DISA may be accessed;
• PIN authentication: Allows the introduction of a password to enable
dialling through DISA;
• Password: Access password;
• Retype Password: Password confirmation;
• Allowed caller ID's: List of caller identifiers which may access this service. Insert only one per line.
[22] Direct Inward System Access
Figure 4.45: VoIP - DISA - Insert
4.7.15 Call queues
Here (Figure 4.46) it is possible to define waiting lines. When calling the
telephone defined in Direct Access the caller shall be placed on hold if there is
another call to be answered. An answering message may be defined which shall be
heard when the call is on hold. It is also possible to choose default messages in
Select queue information, which may inform the caller about his/her
position in the line, and the time interval between those messages. The options are
the following ones:
• Name: Name of queue;
• Direct access: Numbers and/or addresses by which the queue can be
accessed;
• Queue weight: Priority of the queue;
• Maximum number of queued calls: Maximum number of calls on
hold. '0' defines an unlimited number;
• Define maximum waiting time: It is possible to define the maximum waiting
time. For that it is necessary to click option Yes, select the maximum
time in seconds and the type of routing to do if the time is exceeded, as well
as the final destination;
• Phone attendance timeout: Period of time (seconds) at the end of which
the caller shall be put on hold if the call is not answered, even if there is no
one else on hold;
• Welcome message file: Select the message to be presented when someone
enters the waiting line;
• Select queue information message: Select some of these messages to inform the caller about the position in the waiting line or the estimated waiting time;
• Time interval between queue information messages: If some informative message is selected, it is possible to select the time (seconds) between
messages;
• Attendance policy: How the telephones answering the waiting line should answer the calls:
– Ring all: All available telephones ring until one of them answers;
– Random: One of the available telephones, chosen at random, rings;
– Round Robin: Each telephone rings in turn;
– Round Robin with memory: Each telephone rings in turn, but it
remembers which was the last one to ring;
– Least recently called phone: The telephone that rang longest ago;
– Phone with fewest completed calls: The telephone with the fewest answered calls.
• Play message when call is answered: Whether or not a message shall be
played before the call is answered.
Figure 4.46: VoIP - Queue definitions
4.7.16 Call Manager
The call manager (Figure 4.47) is a Flash application that shows
the state of each extension (whether it is online and whether it is making calls) and the state of the lines
and SIP servers. You can also end calls through this interface when authenticated.
Figure 4.47: VoIP - Call Manager configuration
The configuration of the call manager (Figure 4.48) is made from the IPBrick
web interface in IPBrick.C > VoIP > Call Manager, where it is necessary to click the
link Change. By default the following are shown: the state of all registered telephones,
the ports of each ISDN and analogue card, and the state of the waiting lines, conferences and
SIP servers. Some of these fields can be hidden by removing them in Show fields.
To define an administration password which allows calls to be ended, it is necessary to change the value of the field Administration password. In the configuration
page you have the link to the call manager, which may be accessed from the LAN.
It might be necessary to define the alias call manager in the DNS server of the
network.
If it is not possible to see all the extensions, lines and servers of the call
manager, it is necessary to move the mouse to the right side of the page and the
remaining ones shall become visible. It is possible to disconnect a call by double-clicking
the extension that is making or receiving it and inserting the password defined in IPBrick.
The screen shows all the telephones, routes, interfaces, etc., which are
registered in IPBrick. However, there are differences: if the telephone has a visible
IP address, it means that it is active, otherwise it is deactivated. If the telephone
is represented in red, it means that a call is in progress and its duration is
indicated.
Figure 4.48: VoIP - Call Manager
NOTICE: At this moment we cannot correctly transfer calls through the interface.
4.8 IM
Presentation
IM (Instant Messaging) is a service that lets you exchange text
messages in near-real-time. IPBrick's IM server is ejabberd, an IM server based on
the Jabber (XMPP) protocol. With this server you can communicate both using
the Jabber protocol and the MSN protocol through an MSN gateway. Access to
MSN contacts is controlled by this web interface. By default, the IM service, when
enabled, blocks access to all MSN contacts, except the ones explicitly authorized in
this web interface.
4.8.1 Enabling / disabling the IM server
Enable Instant Messaging
Modify:
• No: The ejabberd server is stopped and all access to the MSN IM network
is unblocked.
• Yes: The ejabberd server is running. The access to the MSN IM network is
blocked. The MSN client programs will be blocked (Figure 4.50), and so will the
web messenger sites, as we can see in Firewall (Figure 4.51).
When the Instant Messaging server is enabled, you’ll have the following features:
• List of authorized MSN users from IPBrick Contacts:
– Insert: Clicking the checkboxes you can choose which MSN contacts,
from IPBrick Contacts, are reachable through the Instant Messaging
server.
– Delete: Clicking the checkboxes you can choose the contacts from IPBrick Contacts that you no longer want to be reachable from accounts
logged on the server.
• List of authorized MSN users:
– Modify: Add, one per line, the MSN contacts that you want to be
reachable through the Instant Messaging server. All users will be able to
reach only the authorized MSN contacts. To remove the authorization
you just need to remove them from the text box.
It is possible to use both these features simultaneously, that is, you can be
using IPBrick Contacts to allow MSN contacts, and add other contacts in the List
of authorized users.
Figure 4.49: Enabling Instant Messaging Server
Figure 4.50: Blocking MSN applications
Figure 4.51: Web messenger sites blocking in firewall
Chapter 5
Advanced Configurations
You can configure several services in the menus of this chapter.
The chapter is divided into the following main sections:
• IPBrick;
• Telephony;
• Network;
• Support Services;
• Disaster recovery;
• System.
5.1 IPBrick
5.1.1 Definitions
This section covers some essential IPBrick server configurations.
Domain Definitions
In Domain Definitions you configure the hostname and the server DNS domain. The Fully Qualified Domain Name is composed of the machine name and
the DNS domain. For example, if you have the hostname "ipbrick" and the DNS
domain empresa.pt the FQDN will be "ipbrick.empresa.pt". In order to change
these definitions click on Change.
Network Definitions
In Network Definitions it is possible to configure the properties of the IPBrick
network interfaces, private and public. These properties are: mode, IP
address, mask, network address and broadcast address.
If IPBrick works as an Intranet server (IPBrick.I), it is only necessary to configure the private interface. In this case, the public interface (if the server where IPBrick
is installed has 2 network cards) may keep all the default configurations
and shall not have a network cable connected. If IPBrick works as a Communications server (IPBrick.C) or if it combines the Intranet and Communications
functions (IPBrick.I + IPBrick.C), it is necessary to configure the two network
interfaces (in these two situations, the server where IPBrick is installed shall
have two network cards).
To change the network interface definitions, it is necessary to click ETH0 and
ETH1.
Notice: The private interface is the first network card detected by IPBrick in
the server where it was installed. If the server has a second network card, this shall
be configured as a public interface. The firewall is already configured by default
with specific rules to recognise ETH0 as a private interface and ETH1 as a
public interface. If the server has more network cards (ETH2, ETH3...), they shall
be considered as private. The ethernet cards' MAC addresses should be associated
with all the interfaces.
Click on Change to modify the Gateway definitions.
Default route
This menu allows the gateway of IPBrick to be defined.
If IPBrick works as an Intranet server (IPBrick.I), the address to put in this
field is the address of the equipment which provides the access to the Internet. This
equipment may be, for example, a Communications IPBrick or a router. The gateway IP address has to be an address of the same IP network configured
in the private interface, ETH0. For instance, if the private interface has the
IP address 192.168.1.1, the gateway IP address has to be 192.168.1.x. The
interface to choose to configure the gateway is ETH0.
If IPBrick works as a Communications server (IPBrick.C) or if it combines
the Intranet and Communications functions (IPBrick.I + IPBrick.C), the address
to put in this field is the internal address of the equipment that accesses the
Internet, for example, a router. In this case, the gateway IP address has to
be an address of the same IP network configured in the public interface, ETH1.
The interface to choose to configure the gateway is ETH1.
To change the Gateway definition it is necessary to click Change.
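The addressing rule above (the gateway must lie in the network of ETH0 in Intranet mode and of ETH1 in Communications or combined mode), together with the network and broadcast addresses listed under Network Definitions, can be checked before the values are typed into the interface. The following is an added example, not IPBrick code; the mode keys, the problem strings and the sample addresses are labels and values constructed here.

```python
from ipaddress import IPv4Address, IPv4Interface
from typing import Dict, List, Tuple

# Interface that carries the default route in each operating mode, as the
# manual describes it. The dictionary keys are labels chosen for this example.
GATEWAY_INTERFACE = {
    "intranet": "ETH0",
    "communications": "ETH1",
    "intranet+communications": "ETH1",
}


def network_properties(ip: str, mask: str) -> Dict[str, str]:
    """Derive the network and broadcast address from an IP address and mask."""
    iface = IPv4Interface(f"{ip}/{mask}")
    return {
        "ip": str(iface.ip),
        "mask": str(iface.netmask),
        "network": str(iface.network.network_address),
        "broadcast": str(iface.network.broadcast_address),
    }


def check_gateway(mode: str,
                  interfaces: Dict[str, Tuple[str, str]],
                  gateway: str) -> List[str]:
    """Return the problems found; an empty list means the values are consistent.

    interfaces maps an interface name to its (IP address, mask) pair.
    """
    name = GATEWAY_INTERFACE[mode]
    if name not in interfaces:
        return ["interface-not-configured"]
    ip, mask = interfaces[name]
    iface = IPv4Interface(f"{ip}/{mask}")
    gw = IPv4Address(gateway)
    if gw not in iface.network:
        # Typical mistake: a gateway taken from the other interface's network.
        return ["gateway-outside-interface-network"]
    if gw == iface.ip:
        return ["gateway-is-interface-address"]
    if gw in (iface.network.network_address, iface.network.broadcast_address):
        return ["gateway-is-network-or-broadcast-address"]
    return []


# Constructed sample configuration (documentation address ranges).
SAMPLE = {
    "ETH0": ("192.168.1.1", "255.255.255.0"),
    "ETH1": ("198.51.100.2", "255.255.255.248"),
}

if __name__ == "__main__":
    print(network_properties(*SAMPLE["ETH0"]))
    print(check_gateway("intranet", SAMPLE, "192.168.1.254"))
    print(check_gateway("communications", SAMPLE, "192.168.1.254"))
```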
5.1.2 System Information
As you can see in Figure 5.2, here you receive crucial information about
the system: the use of the network, information about the hardware, and the use of
memory and file systems.
Figure 5.1: IPBrick Advanced Settings
5.1.3 Web Access
This section allows the management of accesses and licences of IPBrick.
Access definitions
• Login: admin
• Password: 123456
The login admin and respective password refer solely and exclusively to the
authentication used to access IPBrick through the web interface, and both can
be changed. It is necessary to click Change to change them.
⇒ Note: In contrast to the Administrator user, this login has no work area
in IPBrick.
Language definition
IPBrick is currently available in five languages:
• Portuguese;
• English;
• Spanish;
• French;
• Dutch.
Figure 5.2: System Information
Figure 5.3: Web Access
This section allows the language of IPBrick to be changed. To make that
change, it is only necessary to click Change, select the intended language
and afterwards click Update Settings so that the changes become effective.
External WEB access
To access the IPBrick configuration interface through the Internet (External
Web Access), it is necessary to click Change and choose "Yes" (Figure 5.3). You
should also activate the HTTPS service to the Internet. It is necessary to do this
too:
• Activate HTTPS for the Internet (IPBrick.C - Firewall - Services and choose
Active in the State);
• If the IPBrick is connected to the router internal interface (without a public
address), it is necessary to do DNAT of port 443 to the IPBrick in the router.
IPBrick licence
This section is about the licensing process of IPBrick. If IPBrick has an experimental licence, it is necessary to click Download of the file to send, and send it to
[email protected]. After receiving the answer (with an attached
file) from iPortalMais, it is necessary to select the option Cancel Temporary Licence in the page created and insert the file received; the licence is permanent
from that moment on.
Figure 5.4: Language
5.1.4 Authentication
From the moment the user is created in IPBrick, there is an entry in
the database of the authentication server - LDAP[1]. LDAP is defined as a directory
service that keeps the information relating to the computer resources of the company and its users. Whenever a user intends to authenticate in a certain service
with his/her username and password, the IPBrick LDAP database is consulted to
validate or deny the access.
Modify
IPBrick allows several authentication modes, and it is configured by default
so that all the users can authenticate themselves in IPBrick.
• IPBrick Master: Default Mode. All the services in the server shall use the
LDAP server.
• IPBrick Slave: The LDAP server shall be a synchronised replica of the indicated IPBrick Master server. This mode is used in a scenario with several
servers. The users may authenticate themselves in this server, since there is a
timed synchronisation of the LDAP database with the IPBrick Master,
but there is no possibility to add users. In networks with a high number
of users where there are many authentications, it is useful to use slave
authentication servers, thus avoiding congestion in the IPBrick Master network segment. This scenario is also very useful in geographically
distributed networks.
• IPBrick Client: The services authenticate remotely in the indicated LDAP
IPBrick server. In this case, there is no local database copy, and it is necessary to specify the IPBrick Master/Slave server. Normally, this mode of
authentication is used in an IPBrick.C for the VPN, PPTP and Proxy
services.
• Netbios Client: It is possible for IPBrick to become a part of a domain
managed by a pre-Windows 200x server that uses the NetBIOS protocol.
In a network like this, the users continue to authenticate themselves normally
in the Windows machine.
• AD Domain Member (Master IPBrick): IPBrick is a member of a domain
managed by a Windows Active Directory server. The users of the network
need, as always, to authenticate in AD.
• AD Domain Member (Slave IPBrick): The IPBrick Slave is also going to
be a member of an AD domain, acting as a secondary IPBrick server. The use
of a Slave IPBrick as a member of an AD domain may be particularly useful in
the case of secondary email servers, always implying the existence of another
IPBrick server configured as a member of the AD domain - Master IPBrick.
Attention: After changing the IPBrick authentication mode, during the update
of Definitions, IPBrick shall reboot automatically.
[1] Lightweight Directory Access Protocol
Figure 5.5: Authentication
Distributed Filesystem
The users may be physically distributed across the Master/Slave servers. Meanwhile, the centralised information system - LDAP - has the information about the
physical location of each account. An NFS (Network File System) service makes
the accounts of the users available through the network. The Automount service
combines the LDAP information with NFS and makes the accounts of the users
automatically available, virtually, in any other Master/Slave server. IPBrick allows
integration with authentication servers running Windows operating systems, namely pre-Windows 200x machines (NetBIOS authentication) and
Windows 200x and later machines (authentication via Active Directory).
Automount
LDAP is a directory service where the relevant information of a company is
kept: users, computer resources, contacts, etc. The Automount service combines
the LDAP information with NFS and makes the accounts of the users
automatically available, virtually, in any Master/Slave server.
In the Netbios authentication, the authentication server is not based on an
LDAP service. In this configuration, IPBrick uses its own LDAP server as an
auxiliary member for the other services. In the AD domain member authentication
mode, the authentication server is an LDAP implementation. All
IPBrick services are configured to use this LDAP server. However, it is necessary
to extend the structure of this LDAP server to support the requirements of the IPBrick
server, namely the UNIX/Linux credentials and the Automount information.
Note: In www.ipbrick.com - Documentation Section, there is a manual about
the integration of IPBrick as a member of an AD domain.
Slaves
If IPBrick is in Master IPBrick authentication mode and there are other
servers which shall act in Slave IPBrick authentication mode, it is necessary to
add the Slave machines by IP. Only then can these machines change the authentication mode to Slave IPBrick.
Clients
If IPBrick is in Master IPBrick authentication mode and there are other
servers which shall act in Client IPBrick authentication mode, it is necessary
to add the Client machines by IP. Only then can these machines change the
authentication mode to Client IPBrick.
Update
All available updates in the Downloads section of the IPBrick site may be
installed from here. All you have to do is click Archive, choose the file (.deb) and
choose Insert. Next, the package shall be installed in the system.
Figure 5.6: Update
5.2 Network
Configuration of services related to the structure of the institution network.
Here it is possible to define the customised rules of the firewall, to indicate routes
for other internal (or external) networks, to define rules and priorities in the QoS
service, and to configure the routing of services.
5.2.1 Firewall
Presentation
This section deals with the IPBrick firewall management. Some
of the pre-defined rules were already mentioned in the section Firewall in the
chapter IPBrick.C (rules that can't be changed by the user, only deactivated).
The configuration of some other services requires further
rules. These rules can only be managed in part by the user in the Order section.
Nevertheless, IPBrick offers its administrator an advanced interface for firewall
management, where a highly customised group of rules can be defined.
Top Menu
Here you have links to:
1. Insert: new rules in advanced mode
2. Delete: already inserted rules
3. Order: Interface to order all the rules that exist in the firewall (Figure 5.9).
This option is particularly important when new rules are created, because
the first rule that the firewall matches is the one that is applied. More
specific rules should therefore be at the top and general rules at the bottom.
Figure 5.7: Network - Firewall
You can insert three types of rules:
• DNAT Rule: Redirects the traffic that arrives at a port to another port/machine
of the internal network;
• IP machine Restriction: Denies access to a port of a given
network machine;
• General Configuration: Here you can add a completely customised rule.
These are the affected fields:
– Rule:
  INPUT: Data received by the firewall that is addressed to the recipient interface,
  no matter its origin;
  OUTPUT: Data sent by the firewall;
  FORWARD: Redirects traffic from one interface to another;
  PREROUTING: Is used to change IP packets arriving at the machine
  before the routing decision;
  POSTROUTING: Is used to change IP packets arriving at the machine
  after the routing decision;
– Interface: The interface to which the rule is applied;
– Protocol: Protocol(s) to which you want to apply the rule;
– Module: Shows the list of iptables modules available for use;
– Source IP: Source IP address of the packet;
– Origin port: Source port of the packet;
– Destination IP: Destination IP address of the packet;
– Destination port: Destination port of the packet;
– Identifier: 16 bits field that exists in the original IP packet - it
is used to identify the type of packet to filter. Examples: ! --syn,
--state INVALID;
– Policy:
  ACCEPT: Accepts a packet and lets it pass the firewall rules;
  DELETE: Doesn't accept the packet and eliminates it;
  MARK: Saves a mark in the packet. These marks can be used to make
  decisions at the forwarding level;
  LOG: Saves a log of every packet that follows the rule.
– If the PREROUTING rule is used, there are the following extra policies:
  REDIRECT: Used to redirect the traffic arriving at a port to
  another port;
  DNAT: Allows the traffic arriving at a certain
  port to be redirected to another machine and port belonging to the internal
  network.
– If the POSTROUTING rule is used, there are the following extra policies:
  MASQUERADE: Allows the traffic to be 'masked';
  SNAT: Allows the traffic generated in a certain
  port to be redirected to another machine and port;
  TCPMSS: Changes the MSS field (maximum packet size) of the
  TCP header. It can only be used for TCP SYN or SYN/ACK
  packets because it is only used at the beginning of connections.
The rules that are defined by default can't be eliminated, but can be deactivated by clicking the state of the rule and changing the option to Deactivate.
Body
Lists all the rules controlled by the user (Figure 5.7). A rule can be switched
between Active and Inactive state. To eliminate rules it is necessary to click
Delete, select the rule or rules that you want to remove and click the button
Delete. The rules defined by default cannot be deleted, however they can be
deactivated; all you have to do is click the state of the rule and change the option
to Deactivate.
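The point made for the Order link (the first matching rule is the one applied, so specific rules belong above general ones) can be checked mechanically on an exported rule list. The following is an added example, not part of the manual or of IPBrick: it models only the chain, interface, protocol, source and destination port fields, the rule names and addresses are constructed, and "DELETE" is used as the manual's name for the discarding policy.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Policies that end evaluation for a packet. LOG and MARK only annotate it,
# so they never hide the rules below them. "DELETE" is the manual's label for
# the policy that discards the packet.
TERMINATING = {"ACCEPT", "DELETE"}


@dataclass(frozen=True)
class Rule:
    name: str             # hypothetical label, used only for reporting
    chain: str            # INPUT, OUTPUT, FORWARD, ...
    interface: str        # "ETH0", "ETH1", ... or "*" for any
    protocol: str         # "tcp", "udp" or "*" for any
    source: str           # CIDR; "0.0.0.0/0" means any source
    dport: Optional[int]  # None means any destination port
    policy: str


def covers(a: Rule, b: Rule) -> bool:
    """True when every packet that b can match is also matched by a."""
    return (
        a.chain == b.chain
        and a.interface in ("*", b.interface)
        and a.protocol in ("*", b.protocol)
        and ip_network(b.source).subnet_of(ip_network(a.source))
        and (a.dport is None or a.dport == b.dport)
    )


def shadowed(rules: List[Rule]) -> List[Tuple[str, str]]:
    """(hidden rule, rule hiding it) pairs for a list in evaluation order."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.policy in TERMINATING and covers(earlier, later):
                findings.append((later.name, earlier.name))
                break
    return findings


def matches(rule: Rule, chain: str, interface: str, protocol: str,
            src: str, dport: int) -> bool:
    """True when the packet described by the arguments matches the rule."""
    return (
        rule.chain == chain
        and rule.interface in ("*", interface)
        and rule.protocol in ("*", protocol)
        and ip_address(src) in ip_network(rule.source)
        and rule.dport in (None, dport)
    )


def decide(rules: List[Rule], chain: str, interface: str, protocol: str,
           src: str, dport: int) -> Optional[Tuple[str, str]]:
    """Name and policy of the first terminating rule that matches, else None."""
    for rule in rules:
        if rule.policy in TERMINATING and matches(
                rule, chain, interface, protocol, src, dport):
            return rule.name, rule.policy
    return None  # no rule matched; the default policy is outside this example


# Constructed sample rules (documentation address ranges).
ALLOW_HTTPS = Rule("allow-https-any", "INPUT", "ETH1", "tcp", "0.0.0.0/0", 443, "ACCEPT")
BLOCK_HOST = Rule("block-host-https", "INPUT", "ETH1", "tcp", "203.0.113.7/32", 443, "DELETE")
LOG_SSH = Rule("log-ssh", "INPUT", "ETH1", "tcp", "0.0.0.0/0", 22, "LOG")
ALLOW_SSH_LAN = Rule("allow-ssh-lan", "INPUT", "ETH0", "tcp", "192.168.1.0/24", 22, "ACCEPT")

GENERAL_FIRST = [ALLOW_HTTPS, BLOCK_HOST, LOG_SSH, ALLOW_SSH_LAN]   # wrong order
SPECIFIC_FIRST = [BLOCK_HOST, ALLOW_HTTPS, LOG_SSH, ALLOW_SSH_LAN]  # corrected order

if __name__ == "__main__":
    print("hidden rules, general first: ", shadowed(GENERAL_FIRST))
    print("hidden rules, specific first:", shadowed(SPECIFIC_FIRST))
    packet = ("INPUT", "ETH1", "tcp", "203.0.113.7", 443)
    print("general first: ", decide(GENERAL_FIRST, *packet))
    print("specific first:", decide(SPECIFIC_FIRST, *packet))
```

With the general ACCEPT rule on top, the host restriction below it is never reached and the packet is accepted; moving the restriction up makes it effective.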
Figure 5.8: Network - Firewall - Insert
Figure 5.9: Network - Firewall - Order
5.2.2 Route management
Presentation
When there are several distributed networks separated by some routers in an
organization, if you want to give IPBrick access to all of them, you must indicate
the gateway for that network (Figure 5.10).
Figure 5.10: Network - Route management
The following fields are present:
• Destination network: Network to access;
• Mask: Mask of the destination network;
• Interface: IPBrick interface with connectivity to the destination network;
• Gateway: Router/PC IP with connectivity to the destination network.
5.2.3 QOS
Presentation
The QoS[2] service (Figure 5.11) in IPBrick allows the customisation of traffic
priority levels, oriented to the external interface, thus assuring a certain level of
quality of service for the final user. It is important to indicate first the
value of the bandwidth available in the Internet connection. From these
data we can establish priority rules among the several types of traffic in a network.
For example: instead of the Internet connection being entirely occupied by the
email service, limit the bandwidth given to that service and assure a minimum
value for the web traffic.
[2] Quality of Service
Body
List of the available Public Interfaces (normally ETH1) and the state of the
service for each network card. Clicking the state switches between active
and inactive. Clicking the network card gives access to the management form
of that service (Figure 5.11).
Figure 5.11: Network - QoS management
In Generic Configurations (Figure 5.12) is possible to define which maximum band width is allowed for download and upload.
In section Structure there are three classes of defined priorities, each one of
them already with predefined filters. It is possible to define new filters for each
priority class, specifying the following fields:
• Types of filter: ACK type (confirmation of packet reception) or General;
• ToS3:
– Minimises the delay;
– Maximises throughput;
– Maximises reliability;
– Minimises the cost;
• Protocol: Type of protocol to apply in the filter;
• Source IP;
• Source Port;
• Destination IP;
• Destination Port.
Priority Class 1 always has maximum priority; the traffic defined in
Priority Class 3 is the least important.
3 Type of Service
Figure 5.12: Network - QOS - General Configurations
5.2.4 Service Routing
IPBrick can route the traffic of the network's various services
to different output interfaces. That is, a communication server may route
the SMTP traffic to a certain ISP router and the web traffic to another. The
definition of gateways is made through the following fields:
• Name: The name of the new access to the internet;
• IP address: Internal router IP responsible for that access - Gateway;
• Tag in the firewall: Automatically attributed.
Figure 5.13: Network - Service Routing
After defining a Destination, it is necessary to add specific rules in the firewall so
that the desired services are actually routed. Firewall configuration examples
are presented for:
• Using the IPBrick VoIP service in the new internet access;
• Using the new access to send and receive email;
• Using the new access for web traffic;
VoIP example
For instance, if the new Internet access (IPBrick interface eth2) is intended for VoIP
traffic (ports 5060, 5090 and from 35000 upwards - UDP) you have to insert the following
rules in Advanced Configurations - Network - Firewall - Insert:
1. Rule to masquerade the outgoing traffic for the eth2 interface;
• Type: General configuration;
• Rule: POSTROUTING;
• Interface: eth2;
• Protocol: TCP;
• Module: Leave blank;
• Source IP: Leave blank;
• Origin port: Leave blank;
• Destination IP: Leave blank;
• Destination port: Leave blank;
• Identifier: Leave blank;
• Politics: SNAT;
• Value: eth2 IP;
2. Rules that accept incoming traffic for the IPBrick VoIP ports;
Port 5060 UDP:
• Type: General configuration;
• Rule: INPUT;
• Interface: eth2;
• Protocol: UDP;
• Module: Leave blank;
• Source IP: Leave blank;
• Origin port: Leave blank;
• Destination IP: Leave blank;
• Destination port: 5060;
• Identifier: Leave blank;
• Politics: ACCEPT
Port 5060 TCP:
• Type: General configuration;
• Rule: INPUT;
• Interface: eth2;
• Protocol: TCP;
• Module: Leave blank;
• Source IP: Leave blank;
• Origin port: Leave blank;
• Destination IP: Leave blank;
• Destination port: 5060;
• Identifier: Leave blank;
• Politics: ACCEPT
Port 5090 UDP:
• Type: General configuration;
• Rule: INPUT;
• Interface: eth2;
• Protocol: UDP;
• Module: Leave blank;
• Source IP: Leave blank;
• Origin port: Leave blank;
• Destination IP: Leave blank;
• Destination port: 5090;
• Identifier: Leave blank;
• Politics: ACCEPT
From port 35000 upwards UDP:
• Type: General configuration;
• Rule: INPUT;
• Interface: eth2;
• Protocol: UDP;
• Module: Leave blank;
• Source IP: Leave blank;
• Origin port: Leave blank;
• Destination IP: Leave blank;
• Destination port: 35000:
• Identifier: Leave blank;
• Politics: ACCEPT
3. Rules to forward outgoing VoIP traffic for eth2
Port 5060 UDP:
• Type: General configuration;
• Rule: OUTPUT;
• Interface: eth1;
• Protocol: UDP;
• Module: Leave blank;
• Source IP: eth1 IP;
• Origin port: Leave blank;
• Destination IP: ! eth1 IP;
• Destination port: 5060;
• Identifier: Leave blank;
• Politics: MARK;
• Value: 1 (firewall tag);
Port 5060 TCP:
• Type: General configuration;
• Rule: OUTPUT;
• Interface: eth1;
• Protocol: TCP;
• Module: Leave blank;
• Source IP: eth1 IP;
• Origin port: Leave blank;
• Destination IP: ! eth1 IP;
• Destination port: 5060;
• Identifier: Leave blank;
• Politics: MARK;
• Value: 1 (firewall tag);
Port 5090 UDP:
• Type: General configuration;
• Rule: OUTPUT;
• Interface: eth1;
• Protocol: UDP;
• Module: Leave blank;
• Source IP: eth1 IP;
• Origin port: Leave blank;
• Destination IP: ! eth1 IP;
• Destination port: 5090;
• Identifier: Leave blank;
• Politics: MARK;
• Value: 1 (firewall tag);
From port 35000 upwards UDP:
• Type: General configuration;
• Rule: OUTPUT;
• Interface: eth1;
• Protocol: UDP;
• Module: Leave blank;
• Source IP: eth1 IP;
• Origin port: Leave blank;
• Destination IP: ! eth1 IP;
• Destination port: 35000:
• Identifier: Leave blank;
• Politics: MARK;
• Value: 1 (firewall tag);
4. In IPBrick Menu: VoIP - Registered Phones - Options, change the 2nd field
to the IPBrick’s eth2 IP;
5.3 Mail service example
In this case, the new Internet Access (eth2) will be used for the mail service,
both incoming and outgoing (port 25). These rules should be inserted:
1. Rule to masquerade the outgoing traffic for the eth2 interface;
• Type: General configuration;
• Rule: POSTROUTING;
• Interface: eth2;
• Protocol: ALL;
• Module: Leave blank;
• Source IP: Leave blank;
• Origin port: Leave blank;
• Destination IP: Leave blank;
• Destination port: Leave blank;
• Identifier: Leave blank;
• Politics: SNAT;
• Value: IPBrick eth2 IP;
2. Rules that accept incoming traffic for the port 25:
• Type: General configuration;
• Rule: INPUT;
• Interface: eth2;
• Protocol: TCP;
• Module: Leave blank;
• Source IP: Leave blank;
• Origin port: Leave blank;
• Destination IP: Leave blank;
• Destination port: 25;
• Identifier: Leave blank;
• Politics: ACCEPT
3. Rule to allow the replies for port 25 by the Internet mail servers:
• Type: General configuration;
• Rule: INPUT;
• Interface: eth2;
• Protocol: TCP;
• Module: Leave blank;
• Source IP: Leave blank;
• Origin port: 25;
• Destination IP: Leave blank;
• Destination port: Leave blank;
• Identifier: ! --syn;
• Politics: ACCEPT
4. Rules to forward outgoing Internet SMTP traffic for eth2
• Type: General configuration;
• Rule: OUTPUT;
• Interface: eth1;
• Protocol: TCP;
• Module: Leave blank;
• Source IP: eth1 IP;
• Origin port: Leave blank;
• Destination IP: ! eth1 IP;
• Destination port: 25;
• Identifier: Leave blank;
• Politics: MARK;
• Value: 1 (firewall tag);
5. Rules to forward outgoing SMTP traffic with origin in IPBrick for the new
interface (eth2);
• Type: General configuration;
• Rule: OUTPUT;
• Interface: eth1;
• Protocol: TCP;
• Module: Leave blank;
• Source IP: eth2 IP;
• Origin port: 25;
• Destination IP: ! IPBrick eth1;
• Destination port: Leave blank;
• Identifier: Leave blank;
• Politics: MARK;
• Value: 1 (firewall tag);
5.4 Web access example
In this case, the new Internet Access (eth2) will be used for the LAN web access
that will be redirected to the new interface:
1. Rule to masquerade the outgoing traffic for the eth2 interface;
• Type: General configuration;
• Rule: POSTROUTING;
• Interface: eth2;
• Protocol: ALL;
• Module: Leave blank;
• Source IP: Leave blank;
• Origin port: Leave blank;
• Destination IP: Leave blank;
• Destination port: Leave blank;
• Identifier: Leave blank;
• Politics: SNAT;
• Value: IPBrick eth2 IP;
2. Rule to allow the replies for port 80 by the Internet web servers:
• Type: General configuration;
• Rule: INPUT;
• Interface: eth2;
• Protocol: TCP;
• Module: Leave blank;
• Source IP: Leave blank;
• Origin port: 80;
• Destination IP: Leave blank;
• Destination port: Leave blank;
• Identifier: ! --syn;
• Politics: ACCEPT
3. Rule to allow the replies for port 443 by the Internet web servers:
• Type: General configuration;
• Rule: INPUT;
• Interface: eth2;
• Protocol: TCP;
• Module: Leave blank;
• Source IP: Leave blank;
• Origin port: 443;
• Destination IP: Leave blank;
• Destination port: Leave blank;
• Identifier: ! --syn;
• Politics: ACCEPT
4. Rule to forward traffic with origin in LAN and destination the port 80 in
Internet (only when the proxy is not used!)
• Type: General configuration;
• Rule: PREROUTING;
• Interface: eth0;
• Protocol: TCP;
• Module: Leave blank;
• Source IP: LAN network;
• Origin port: Leave blank;
• Destination IP: ! eth1 IP;
• Destination port: 80;
• Identifier: Leave blank;
• Politics: MARK;
• Value: 1 (firewall tag);
5. Rule to forward traffic with origin in LAN and destination the port 443 in
Internet (only when the proxy is not used!)
• Type: General configuration;
• Rule: PREROUTING;
• Interface: eth0;
• Protocol: TCP;
• Module: Leave blank;
• Source IP: LAN network;
• Origin port: Leave blank;
• Destination IP: ! eth1 IP;
• Destination port: 443;
• Identifier: Leave blank;
• Politics: MARK;
• Value: 1 (firewall tag);
6. Rule to forward traffic with origin in a machine connected to the LAN using
VPN PPTP and destination the port 80 in Internet (only when the proxy is
not used!)
• Type: General configuration;
• Rule: PREROUTING;
• Interface: ppp+;
• Protocol: TCP;
• Module: Leave blank;
• Source IP: LAN network;
• Origin port: Leave blank;
• Destination IP: ! eth1 IP;
• Destination port: 80;
• Identifier: Leave blank;
• Politics: MARK;
• Value: 1 (firewall tag);
7. Rule to forward traffic with origin in a machine connected to the LAN using
VPN PPTP and destination the port 443 in Internet (only when the proxy
is not used!)
• Type: General configuration;
• Rule: PREROUTING;
• Interface: ppp+;
• Protocol: TCP;
• Module: Leave blank;
• Source IP: LAN network;
• Origin port: Leave blank;
• Destination IP: ! eth1 IP;
• Destination port: 443;
• Identifier: Leave blank;
• Politics: MARK;
• Value: 1 (firewall tag);
8. Rules to forward outgoing Internet web http traffic for eth2:
• Type: General configuration;
• Rule: OUTPUT;
• Interface: eth1;
• Protocol: TCP;
• Module: Leave blank;
• Source IP: eth1 IP;
• Origin port: Leave blank;
• Destination IP: ! eth1 IP;
• Destination port: 80;
• Identifier: Leave blank;
• Politics: MARK;
• Value: 1 (firewall tag);
9. Rules to forward outgoing Internet web https traffic for eth2:
• Type: General configuration;
• Rule: OUTPUT;
• Interface: eth1;
• Protocol: TCP;
• Module: Leave blank;
• Source IP: eth1 IP;
• Origin port: Leave blank;
• Destination IP: ! eth1 IP;
• Destination port: 443;
• Identifier: Leave blank;
• Politics: MARK;
• Value: 1 (firewall tag);
NOTE: To route other services for the new internet access (local and remote
port), the idea is the same.
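The VoIP rules and the mail reply rule from the examples above, rendered as the iptables commands their form fields appear to describe. This is an added example, not IPBrick's own code: the field-to-option mapping, the function names render_rule, addr_opt, voip_rules and mail_reply_rule, and the two addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not IPBrick code): print the iptables command that one row of
# the firewall Insert form appears to correspond to. Nothing is executed.
# ASSUMPTION: the field-to-option mapping below; the manual does not state it.

# addr_opt FLAG VALUE -> " -s ADDR", " ! -d ADDR", or nothing when blank.
addr_opt() {
    case $2 in
        "")    ;;
        "! "*) printf ' ! %s %s' "$1" "${2#! }" ;;
        *)     printf ' %s %s' "$1" "$2" ;;
    esac
}

# render_rule CHAIN IFACE PROTO SRC SPORT DST DPORT IDENT POLICY [VALUE]
# Pass "" for "Leave blank". SRC and DST accept a leading "! " (negation).
render_rule() {
    chain=$1; iface=$2; proto=$3; src=$4; sport=$5
    dst=$6; dport=$7; ident=$8; policy=$9
    shift 9
    value=${1:-}

    # SNAT belongs to the nat table, MARK to mangle, ACCEPT to filter.
    case $policy in
        SNAT) cmd="iptables -t nat -A $chain" ;;
        MARK) cmd="iptables -t mangle -A $chain" ;;
        *)    cmd="iptables -A $chain" ;;
    esac

    # INPUT and PREROUTING match the arrival interface, the others the exit.
    if [ -n "$iface" ]; then
        case $chain in
            INPUT|PREROUTING) cmd="$cmd -i $iface" ;;
            *)                cmd="$cmd -o $iface" ;;
        esac
    fi

    case $proto in
        ""|ALL) ;;
        *) cmd="$cmd -p $(printf '%s' "$proto" | tr 'A-Z' 'a-z')" ;;
    esac

    cmd="$cmd$(addr_opt -s "$src")"
    if [ -n "$sport" ]; then cmd="$cmd --sport $sport"; fi
    cmd="$cmd$(addr_opt -d "$dst")"
    if [ -n "$dport" ]; then cmd="$cmd --dport $dport"; fi
    if [ -n "$ident" ]; then cmd="$cmd $ident"; fi

    case $policy in
        SNAT) cmd="$cmd -j SNAT --to-source $value" ;;
        MARK) cmd="$cmd -j MARK --set-mark $value" ;;
        *)    cmd="$cmd -j $policy" ;;
    esac
    printf '%s\n' "$cmd"
}

ETH1_IP=192.0.2.10      # constructed value standing in for the eth1 IP
ETH2_IP=198.51.100.10   # constructed value standing in for the eth2 IP
FW_TAG=1                # the firewall tag shown in Service Routing

# The VoIP example: SNAT on eth2, then one INPUT accept and one OUTPUT mark
# per port. "35000:" is the iptables form for "port 35000 and above".
voip_rules() {
    render_rule POSTROUTING eth2 TCP "" "" "" "" "" SNAT "$ETH2_IP"
    for port in 5060 5090 35000:; do
        render_rule INPUT eth2 UDP "" "" "" "$port" "" ACCEPT
        render_rule OUTPUT eth1 UDP "$ETH1_IP" "" "! $ETH1_IP" "$port" "" MARK "$FW_TAG"
    done
    render_rule INPUT eth2 TCP "" "" "" 5060 "" ACCEPT
    render_rule OUTPUT eth1 TCP "$ETH1_IP" "" "! $ETH1_IP" 5060 "" MARK "$FW_TAG"
}

# Mail example, rule 3. The match is stateless: it accepts any TCP segment
# without a bare SYN whose source port is 25, whatever port it is sent to.
mail_reply_rule() {
    render_rule INPUT eth2 TCP "" 25 "" "" "! --syn" ACCEPT
}

voip_rules
mail_reply_rule
```

Comparing this output with `iptables-save` on a test machine is a quick way to review a rule set before entering it in the form.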
5.5 Support Service
5.5.1 LDAP
Figure 5.14: LDAP
This section presents a list of the machines registered in the LDAP service
of IPBrick. To insert a new machine in the LDAP domain of IPBrick, click
Insert. It is also possible to Modify or Delete LDAP registers.
Inserting machines in LDAP from here is useful when there are IP
networks different from the internal interface of IPBrick, since there is no need to
indicate the IP.
5.5.2 DNS
DNS4 is a service that resolves names into IP addresses and vice-versa, and it is implemented in IPBrick by the software Bind using port 53 UDP/TCP. The majority
of queries consist of a simple UDP request by the client, followed by a UDP answer from the server. There are two situations where TCP is used: when the data
to be sent by the user exceed 512 bytes or in zone transfers. Some operating systems (HP-UX, for example) even adopt DNS implementations that always use
TCP, thus increasing reliability. The service acts like a database with information
about the connections of an IP network, and that information is organised into
domains. The notation used represents the FQDN5 :
servidor.empresa.regiao
4 Domain Name System
Here ”servidor.regiao” is designated as the domain, ”empresa” the subdomain and ”regiao” the top domain (Top Level Domain), which is administered
by an entity called ICANN6 . A DNS server maintains a database about a
certain part of the domain, which is normally called a zone, and there are
two types of servers:
• master: It obtains the data from a zone which it manages from its own
database;
• slave: It obtains the data from the primary master; there may be one or more
in a network. Whenever there are changes in the configuration of the zones
served by the master, this server is notified and updates its
database.
The DNS server also allows names to be resolved in reverse mode, that is, answering with the name (FQDN) for a given IP address. This mechanism allows the
confirmation of the authenticity of an IP address, an important aspect in the email
service.
Presentation This is the main section of DNS configuration. Here you can
manage the domains served by the machine and change the machine, alias (CNAME)
and MX7 registrations.
Top Menu Here you have a link to Insert a new domain (Figure 5.15).
Body Here you have a list of the forward and reverse name resolution zones
registered in IPBrick. You can access the management interface of these zones by
clicking on one of them (Figure 5.16).
Domains
Insert Zones
5 Fully Qualified Domain Name
6 Internet Corporation For Assigned Names and Numbers
7 Mail Exchange record - used to indicate the e-mail servers of a domain
Figure 5.15: DNS - Insert forward and reverse name resolution zones
Top Menu Here you have a link to get Back to the previous list and cancel the
current process of introducing a new zone.
Body Here you see a register form for forward and/or reverse name resolution
zones. You find the following fields:
1. Domain name of the new registration; e.g. empresa.pt; porto.empresa.pt;
acme.inc.
2. IP Network the associated IP network for which you are going to create
registrations of reverse name resolution PTR8 .
3. Zone type field that allows you to create a master or secondary zone. A
secondary zone is a copy of another DNS server master zone.
4. Server name of the machine that will serve9 this domain (e.g. ipbrick.domain.com)
(this field is only applied on master zones)
5. Email e-mail of the responsible for this domain. This e-mail is registered in
the DNS under the name of the responsible technician for this domain (this
field is only applied on master zones)
6. Refresh time the time a secondary zone waits before checking if there are any changes in
the master zone. (this field is only applied on master zones)
7. Transfer retry time the time a secondary zone has to wait to retry the
connection to the master zone if the last refresh was unsuccessful.
(this field is only applied on master zones)
8. Expiry time the time during which a secondary zone considers the data of a zone
as valid since the last successful refresh. (this field is only applied on master
zones)
9. Default time-to-live the time during which the other DNS servers
consider the data of this zone as valid. (this field is only applied on master
zones)
10. Master servers the zone master server IP (this field is only applied on secondary zones)
11. Insert Button
8 Pointer
9 SOA - Start of Authority
Figure 5.16: DNS - Domains Management
Domains Management
Presentation In this section you control all DNS registrations of a selected zone.
Top Menu Here you have a link to get Back to the zones list and see the data of a
selected domain. Here you can change or delete a domain registration.
Body Here you have a list of several DNS sections:
1. Machines, machines addresses in the current domain (name associated to an
IP - machine) e.g.:
www2 -> 192.168.2.1
2. Aliases10 alias registration for domain machines (this option is only available for a forward name resolution zone) e.g.:
www -> www2
3. Name Servers registration of FQDN addresses of machines that serve this
domain (DNS). e.g.:
domain.com -> www2.domain.com
4. Mail Servers e-mail server registration for this domain. You can have several registrations each with different positive integer values. The values indicate which registration to use first. The registration with the lowest value is
always the first one to be used. The value to be introduced here must always
be the e-mail server FQDN, no matter if it is a server of the domain itself, like
.domain.com., or an internet server, like mail.saturno.com.. This option
is only available for a forward name resolution zone. For example:
20 mail.saturno.com
10 ipbrick.domain.com
5. VoIP Servers registration of VoIP servers for this domain. The value to
be introduced here is the FQDN of the VoIP server, like for example
voip.domain.com. This option is only available for a forward name resolution
zone. For example:
voip.domain.com
6. Instant Message Server Prefix of the address for the instant message
service.
Forwarders
Presentation If a DNS server receives a request for a domain which it neither
serves nor has in cache, then the server has to forward this request to other DNS
servers in the Internet. The forwarders should be the nearest ones, normally the
DNS servers of the ISP. If the forwarders field is empty, DNS still works because
the server uses the Internet gateway to do the DNS search. If an IPBrick.I and an
IPBrick.C exist in the same network, the IPBrick.I must have the IPBrick.C eth0
address in the forwarder field. Here you have the most appropriate interface to
register the nearest DNS servers (Figure 5.17).
10 Alternative names
Figure 5.17: DNS - Forwarders
Name Resolution
Presentation Whether or not the DNS service is running on this
server, you can configure the server to send its DNS requests to another server.
You can apply this configuration to all server services (with the obvious exception
of the DNS server, which uses its forwarders for requests it cannot answer). In
order to make the server use its own DNS you have to configure the IP address
of the localhost11 , 127.0.0.1, which is the default configuration (Figure
5.18).
Figure 5.18: DNS - Name resolution
11 local server
5.5.3 DHCP
Subnets
The DHCP12 service may be defined as a protocol of dynamic attribution of
parameters for the configuration of network and workstations (ports 67 and 68 UDP),
an evolution of the BOOTP protocol. Basically, a DHCP client sends a broadcast
packet to a network asking for an IP address, and it obtains an answer if there is a
DHCP server active in the network. The server not only attributes it an IP but
also: network mask, default route, DNS server and WINS server.
DHCP allows two ways of attributing the IP addresses:
• Manual or reserved address: there is an association between the MAC address
of a client machine and the IP address to supply, and that machine stays
with that same IP address;
• Dynamic: the client obtains the address from a range of addresses previously
defined by the IPBrick administrator, for a defined period of time;
12 Dynamic Host Configuration Protocol
NOTE: There is a mechanism that allows the DHCP server to be in an IP
network distinct from the clients; this mechanism is known as DHCP relay. The
DHCP relay is provided by an agent installed on machine(s) in the remote
network(s); this agent receives the DHCP clients' requests and routes them to the
configured DHCP server.
Sub-Nets
Presentation
Here you can define the sub-networks to be served and the parameters of the
network configurations to attribute to the machines. (Figure 5.19)
Top Menu Here you have a link to Insert new subnets, configure Redundancy
parameters and define General Options by default. (Figure 5.20)
Body Here you have a list of the inserted subnets. Each line is a link that opens
a configuration form with options for each subnet. (Figure 5.21)
Figure 5.19: DHCP - Subnets
Figure 5.20: DHCP - General Options
Figure 5.21: DHCP - Subnets Definition
Insert
Presentation It allows the insertion of sub-networks.
Top Menu Link to Back.
Body It allows the insertion of the sub-network data, which shall be attributed
to customers. These data are:
• Network Address: It allows to indicate the address of the network and the
respective mask;
• Dynamic addresses range: Which range of addresses is reserved to attribute to the clients;
• Clients mask: Mask of the network to attribute to the clients;
• Broadcast address: Address of broadcast to attribute to the clients;
• Default lease time: Default lease time during which the address can be
lent;
• Max lease time: Max lease time of an IP address for the machines. Once this
value is surpassed, the IP address is renewed;
• Option Router: Address of the router which will serve as the default route
(by default 192.168.69.199);
• DNS Servers: List (one per line) of the DNS servers to be used by the clients
(by default ipbrick.domain.com);
• NetBios servers: List (one per line) of the NetBios servers to be used by
the clients (by default ipbrick.domain.com);
• DNS domain: Name of the domain indicated to the clients (by default domain.com).
General Settings
Presentation It allows the insertion of data attributed by default.
Top Menu Link to Back.
Body It allows the insertion of general network data, which shall be attributed
by default to the customers. These data are:
• Base domain: Domain where the DHCP is operating;
• DNS servers: DNS servers to be used by the DHCP server;
• NetBios servers: NetBios servers to be used by the DHCP server;
• Clients mask: Mask to be used by the clients of the DHCP service;
• Default lease time: Default lease time during which the ’lease’ of the address
is valid for the clients;
• Max lease time: Max lease time of an IP address for the machines. When
this value is surpassed, the IP address is renewed.
If you want the DNS Dynamic Update, it is necessary to choose ”Yes” in the
respective box.
Redundancy
Presentation It is possible to configure two DHCP servers for an IP network, one
as main (primary) server and the other as secondary. During normal operation
only the primary server answers the requests, while the secondary one synchronises
its database with the primary; if the primary fails, the secondary assumes its service.
Communication between the servers is made through network ports which may
be customised. One of the ports listens for the connections from the
secondary server and the other one listens for the connections from the
main server. (Figure 5.22)
Top Menu Here you have a link to get Back and Insert a new connection.
Body
The following fields are presented in the insertion of redundancy and fault:
• Name: Name of the redundant connection;
• Configuration: here you can see if the server is the primary or secondary
DHCP;
• Local IP: Server's internal IP address;
• Local gate: Local port where the service is running;
• Remote IP: Remote IP address of the server at the other end;
• Remote gate: Remote port where the service at the other end is running;
• Max answering time: Max time that the DHCP server can wait for a message from the other peer. When that time runs out, the server assumes that the
other has failed and assumes itself as the network DHCP server;
• Max Unpacked Updates: Maximum number of unconfirmed updates (BNDUPD)
that the server can receive from the other peer.
Figure 5.22: Redundancy
Machines
Presentation Here you see a list of the registered machines with their MAC addresses in the DHCP service. You can register the machines in Machines Management
(see section 3.2, page 16) or directly in this section.
Figure 5.23: DHCP - Machines
5.5.4 ENUM
The ENUM13 service allows the mapping of telephone numbers (Rule E.164)
to names associated to IP addresses, using an architecture based on the DNS service. Those names may be from the protocol SIP, H.323, Email etc. In order to
consult the DNS, ENUM inverts the telephone numbers, giving them the suffix
e164.arpa. which is the root of the tree. This tree is delegated to all countries of
the world taking into account their E.164 codes. This way, the Portuguese delegation is the inverted 351 - 1.5.3.e164.arpa.
The ENUM zones where the search is to be made may be defined in IPBrick.
For that you have to click the Insert link and insert the ENUM zone domain.
In Order it is possible to define the priority of the zones in which the search for
numbers is made. Figure 5.24 shows a list of the ENUM zones.
Figure 5.24: ENUM
13 Telephone Number Mapping
Once the list of ENUM zones in which to search for numbers is defined,
ENUM may be used in VoIP routes. An example follows:
1. In IPBrick.C - VoIP - Routes Management, there is an Output Route for
Sip Servers - VoIPBuster.
There it is necessary to activate the option Activate ENUM Search in the
Route Definitions;
2. A certain user of the network calls the number +351253593112 through the SIP/PBX;
3. Automatically, a search is made in the ENUM zones specified in the present
menu for 2.1.1.3.9.5.3.5.2.1.5.3.e164.arpa, in order to obtain the correspondence of that number to a certain IP address/name;
4. Supposing that the search results in the SIP address [email protected],
a SIP call is made to the address [email protected];
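The lookup in steps 2 to 4 above, as an added example that is not IPBrick code: the number is turned into its ENUM name, and the configured zones are tried in order until one returns a SIP address. The NAPTR records, the e164.example zone and the example.org addresses are constructed, and the function names e164_to_enum and enum_lookup are hypothetical.

```shell
#!/bin/sh
# Added example (not IPBrick code): ENUM name construction and an ordered
# zone search, run against constructed NAPTR records instead of live DNS.

# e164_to_enum NUMBER ZONE -> digits reversed and dot-separated under ZONE.
# Fails when NUMBER contains no digits.
e164_to_enum() {
    digits=$(printf '%s' "$1" | tr -cd '0-9')
    if [ -z "$digits" ]; then return 1; fi
    printf '%s\n' "$digits" | awk -v zone="$2" '{
        for (i = length($0); i > 0; i--) printf "%s.", substr($0, i, 1)
        print zone
    }'
}

# Constructed sample data. Columns follow the NAPTR record layout:
# owner  order  preference  flags  service  regexp  replacement
ENUM_DATA='2.1.1.3.9.5.3.5.2.1.5.3.e164.example 100 20 "u" "E2U+sip" "!^.*$!sip:backup@example.org!" .
2.1.1.3.9.5.3.5.2.1.5.3.e164.example 100 10 "u" "E2U+sip" "!^.*$!sip:reception@example.org!" .
2.1.1.3.9.5.3.5.2.1.5.3.e164.example 100 5 "u" "E2U+mailto" "!^.*$!mailto:info@example.org!" .'

# enum_lookup NUMBER ZONE... -> SIP URI from the first zone that has one.
# Zones are tried in the order given, which plays the role of the Order
# setting; inside a zone the lowest order, then preference, wins.
enum_lookup() {
    number=$1
    shift
    for zone in "$@"; do
        name=$(e164_to_enum "$number" "$zone") || return 1
        uri=$(printf '%s\n' "$ENUM_DATA" |
            awk -v n="$name" '$1 == n && $5 == "\"E2U+sip\"" {
                split($6, p, "!")      # "!pattern!uri!" -> p[3] is the URI
                print $2, $3, p[3]
            }' |
            sort -n -k1,1 -k2,2 | head -n 1 | cut -d' ' -f3)
        if [ -n "$uri" ]; then
            printf '%s\n' "$uri"
            return 0
        fi
    done
    return 1
}

# The number from the manual: no record under e164.arpa in the sample data,
# so the search falls through to the second zone.
e164_to_enum +351253593112 e164.arpa
enum_lookup +351253593112 e164.arpa e164.example
```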
5.5.5 Images Server
This interface is related to the image replication service of Linux user stations.
Images Management
In this interface you can insert images of user stations from a cd. You can also
see information about the images that are currently in IPBrick as well as its size
on the hard disk.
Clients
View of the machines registered in IPBrick and their associated images
(if there are any).
5.5.6 Registered Telephones
This option is valid if there is no need to attribute a specific IP address to the
telephone. You can add a telephone by filling in the fields for the name and
the access password of the telephone. This assumes the DNS is working correctly.
In this menu you can see a list of the registered SIP telephones. To register a
telephone:
• Click Insert;
• Telephone: Insert the name of the telephone to register;
• Password: Insert the access password to the telephone;
• Retype Password: Reinsert password;
• Click Insert.
Figure 5.25: Registered Telephones
5.6 Disaster recovery
5.6.1 Configurations
All configurations that are done in IPBrick through the web interface are saved
in a Postgres database. This way any changes done will only be effective in the
system after Update Settings.
IPBrick keeps a history of all configurations: when you modify something in the web interface and Update Settings, a new configuration is
locally saved. It is possible to store these configuration files on a USB pen and
additionally send them to a configurable email address. The configuration filename contains the date and the exact hour when the configuration was created. In
short, this configuration management allows a fast disaster recovery in case of
hardware problems.
There is a configuration called default which is the IPBrick’s base configuration immediately after install.
Clicking Definitions shows the following fields, which can be modified through
the Modify link:
• Email address: Email address (internal or external) where the configurations
are delivered (by default [email protected]);
• Message Subject: By default [email protected];
• Message body: By default is empty.
⇒ Attention: After the IPBrick installation you must always have a USB
pen connected to the server;
Replace
In this section you see a list of all saved copies on the USB pen. In order to
replace a setting you just have to click over it.
Figure 5.26: Replace Settings
⇒ Note: All services will be reconfigured when replacing a copy of the settings. After the configuration of all services IPBrick restarts automatically.
Download
This section allows you to download the copies of the configurations done to a
local computer.
Figure 5.27: Download Configurations
With this useful option you can save IPBrick settings in another place.
Upload
In this section it is possible to upload a previously downloaded configuration
file to the server.
! Attention: It is not possible to use setting copies in different IPBrick versions. The configuration files are not compatible between different IPBrick versions.
5.6.2 Applications
This is a useful disaster recovery feature. When upgrading IPBrick from
version A to version B, if an old installation is detected, the following applications
will be backed up:
• PostgreSQL: All the Postgres databases will be dumped, including the sites
databases;
Figure 5.28: Upload remote configurations
• MySQL: All the Mysql databases will be dumped, including the sites databases,
webmail contacts;
• Mail: The emails that were in the queue will be saved;
• Kaspersky: All the Kaspersky applications statistics will be saved;
• VoIP: It will save all the VoIP statistics;
• IM: The Instant Messaging data and configuration will be saved.
So, all these applications’ files are packed and saved in a folder.
Choosing the option Applications - Restore shows the list of available application
data backups (Figure 5.29). To restore the desired application data
backup, click on the file and then on Restore. At this moment the backup will
be restored for the new IPBrick version (Figure 5.30).
5.7 System
Inside the menu System, we can find the options indicated in the following
points.
5.7.1 Services
In Services (Figure 5.31) you find a list of several services available in IPBrick.
The State column shows you if the service is enabled or disabled. It is possible to
restart any service without having to restart IPBrick.
Figure 5.29: Application data backups list
Figure 5.30: Restore confirmation
Figure 5.31: Services
In order to restart any service you have to:
• Change the State from Enable to Disable
• Update Settings
• Change the State from Disable to Enable
• Update Settings
The Start column defines how each service starts with the server (whether after
a reboot or after a period during which the server was disconnected).
If you see Automatic in the Start column of a service, then the service will start
automatically with the server. On the other hand, if you see Manual in the column,
then the service will not start with the server. Nevertheless, it can be started
manually in this menu by changing its State from Disable to Enable.
⇒ Note: Any change in the Start column of a service will not have an immediate
effect on the service start. The changed start setting will only be valid for the
next server start. On the other hand, a change in the State column has immediate
effect. That is, by changing the service state from Enable to Disable, IPBrick
stops this service (after clicking on Update Settings).
5.7.2 Task Manager
The Task Manager shows you a list of all processes executing in IPBrick.
It gives you information about:
• The system user name that started the process
• The date of the process start
• The memory and CPU percentage that the process is using
In this section it is possible to stop a certain process. To do so, you only have
to click on the process identifier.
! Attention: Generally speaking, executing processes should not be
stopped this way. Stopping a process in this interface may cause instability in IPBrick. In order to stop services use the Services menu.
5.7.3 Date and Hour
In this menu (Figure 5.32) you can see and change the server date/hour and
the time zone. When this field is changed, IPBrick will reboot!
Figure 5.32: System Date and Hour
5.7.4 System users
This menu (Figure 5.33) lists the System users (name and login). If you
select one of them, it is possible to change its password as long as you know the
existing password.
⇒ Note: Do not mistake System Users for LDAP Users. A System User is
not registered in LDAP.
Figure 5.33: System users
5.7.5 System Logs
In this menu you can see the IPBrick logs. The logs are an important source of
information about how the system is working.
The most recent information is available in Current Log. If there are
other log entries, each of them provides the information generated by IPBrick up to
the indicated date (Figure 5.34).
5.7.6 SSH
The SSH menu provides a secure connection to the IPBrick shell, shown in
Figure 5.35.
SSH (Secure Shell) is similar to the well-known Telnet application, but
safer.
⇒ Note: This function requires the Java Virtual Machine to be installed. The
software is available at www.java.com.
Before making a connection it is necessary to authenticate. To do so, you need to enter the following data:
• Username: operador
• Password: L1opardo
Figure 5.34: System Logs
Figure 5.35: SSH
5.7.7 Reboot
This option allows you to reboot IPBrick (Figure 5.35). After confirming the
reboot option, the web connection with the server is automatically stopped. When
IPBrick starts again, it is possible to establish a new HTTPS connection with the
server.
Figure 5.36: Server Reboot
5.7.8 Shutdown
This option shuts down IPBrick (Figure 5.37), ensuring that all the services
are stopped correctly. You should use this menu whenever it is necessary
to shut down IPBrick.
5.8 Telephony
To make IPBrick interaction with telephone systems possible, you need to install
specific hardware. This hardware includes PCI cards that can be analogic,
RDIS BRI or RDIS PRI. Analogic cards provide the connection to telephone networks
working in analogic mode. If the telephone network works in digital mode
(RDIS, that is, ISDN), cards may be BRI or PRI. A BRI (Basic Rate Interface) access has three
channels: two 64 kbit/s (B) channels for data/voice and one 16 kbit/s (D) channel for control.
The PRI (Primary Rate Interface) access corresponds to 30 B channels plus one
D channel in Europe, and can also be designated as an E1 circuit.
Figure 5.37: Shutdown server
5.8.1 Cards
After the physical configuration and installation of the card in the machine, you have
to configure IPBrick. To do this you have to know how the card was physically
configured, i.e., the configuration of each port. After the physical installation of the
hardware, you can configure cards in the IPBrick web interface in the menu:
Advanced Settings - Telephony - Cards
To insert a card, click on Insert and then indicate (as shown in Figure 5.38):
Menu to insert cards:
• Type of card: Can be analogic, RDIS BRI or RDIS PRI;
• Number of ports: Number of ports in the card;
• Ports configuration: Each port can be configured to connect to preset
interfaces: PBX or PSTN (only for RDIS BRI cards). You can configure it like
this:
– NT PtP (Point to Point);
– NT PtMP (Point to Multi-Point);
– TE PtP (Point to Point);
– TE PtMP (Point to Multi-Point).
If the port is connected to the landline (PSTN), you need to configure the setting
as TE. If the port is connected to the PBX gateway, you have to configure
the PBX port and configure the setting as NT. A RDIS FAX usually behaves like
a PBX, requiring the port to be configured as FAX (showing this option requires a
FAX interface configuration) and the setting as NT. If there is a GSM
interface configured in one of the ports, you have to choose it on the list and
configure the setting as TE. To configure an ISDN PRI, you have to indicate whether the
line uses the R2 protocol (protocol used in Brazil) and whether CRC4 is active on the line.
Figure 5.38: Telephony - Insert
After the configuration, we can see a list of the configured cards, as visible
in Figure 5.39.
It is possible to call from phones connected to the landline PBX and, if IPBrick is
connected to the PSTN and to a PBX, you can also answer calls. IPBrick will work in
a transparent mode, switching all the traffic from the PBX to the PSTN and vice-versa.
5.8.2 Interfaces
IPBrick can create interfaces other than PBX and PSTN (Figure 5.40), such as
a GSM or FAX interface. You can create them in:
Advanced Settings - Telephony - Interfaces
Menu to insert interfaces:
• Interface Name;
• Interface Type: The type of IPBrick card the interface is associated with;
Figure 5.39: Telephony
Figure 5.40: Telephony - Interfaces
• SIP Peering: The Open Peer option allows any incoming call from
the Internet to use this interface. The Closed Peer option restricts the interface
to the Peers defined in SIP Peers (this is the best option to connect to PSTN or GSM).
The Peers are the IP addresses of the machines authorized to use a certain interface, for
instance another IPBrick. They can be inserted in the menu:
Advanced Settings - Telephony - SIP Peers
This operation is necessary if you want to connect a FAX to a card port, a GSM
gateway or another additional interface. If there is a GSM gateway, you may add
here a GSM interface (as an interface name). Choose a card type (analogic, PRI or
BRI) in Interface Type, and the Closed Peer option in SIP Peering.
5.8.3 SIP peers
You may add here (Figure 5.40) IP addresses to let known remote gateways
use interfaces defined as Closed Peers in IPBrick. For instance, you have two
IPBricks connected to each other through the Internet and one is connected to the
PSTN. If you want the remote IPBrick to connect to the PSTN interface, you need to
add your IP to this list by clicking on Modify.
Figure 5.41: Telephony - SIP peers
Chapter 6
Apply Configurations
The option Apply Configurations makes the configurations done
in IPBrick effective in the system. In other words, any configuration changes
only become effective in IPBrick after the IPBrick administrator clicks on
Apply Configurations.
Figure 6.1: System update
Chapter 7
Appendix A
Join in the domain
7.1 Join in the domain
This section describes the process of:
• Configuring a workstation with DHCP;
• Joining a workstation in a domain.
This process description presupposes the following:
• the domain controlling server is IPBrick.I ;
• the DNS domain is empresa.pt;
• the domain is EMPRESA.
In order to join a workstation in a domain you need to do the following steps:
1. Know the MAC address of the machine’s network interface card;
2. Choose a machine "name";
3. Have a machine IP address;
4. Create an entry for the machine in IPBrick.I ;
5. Update IPBrick.I.
7.1.1 Windows XP Professional Workstation
⇒ Note: Before starting the process of joining a machine in a domain you
have to know the username/password of a user who is administrator of the XP
machine. Then you can start the migration process.
To do so, you have to:
1. Press [windows];
2. Select My Local Network ;
3. Select Network Connections;
4. Right click the icon Local Network Connection and select Properties;
5. Choose TCP/IP in the open window and click on Properties;
6. Choose Get the IP Address Automatically in the open window and then
select Get the DNS server addresses automatically;
7. Close the network properties windows.
The next step is to confirm that the machine IP address is the same one that was
entered in IPBrick.I. To do so, you have to:
1. Press the keys [windows]+[R];
2. cmd [ENTER];
3. ipconfig /all;
4. Check the information in the IP Address field.
If the IP address is not the one entered in IPBrick, you have to release it
and renew it with the following commands:
1. Press the keys [windows]+[R];
2. cmd [ENTER];
3. ipconfig /release;
4. ipconfig /renew;
5. ipconfig /all.
If the machine IP address is right you can join the machine in the domain
EMPRESA:
1. Press the keys [windows]+[pause] and open the System Properties;
2. Select "Computer Name", click on "Change..." and give the computer a name
(the name must have been created in IPBrick.I before);
3. Press the button "more.." and add the DNS machine domain: empresa.pt. Do
not select the option Change the primary dns suffix when the association to
the domain is changed;
4. Insert EMPRESA in the domain. The password of the domain EMPRESA or of the machine administrator may be requested;
5. Click OK and close "System Properties";
6. Restart the machine. While the machine is starting you can already log in to
the domain EMPRESA.
⇒ Note: The workstation does not have to use DHCP. It can be configured
with a fixed IP address. In this case you don't have to fill in the field Mac Address
while you register the machine in IPBrick.
Chapter 8
Appendix B
Configuring a VPN connection
8.1 Configuring a VPN connection (PPTP)
In order to create a VPN (PPTP) connection in a Windows XP Professional
workstation you have to do the following steps:
1. Press [windows]
2. Select Control Panel
3. Double click Network Connections
4. In the window Network Connections, select Create a New Connection
5. The Wizard for creating a new connection appears. Select "Connect to my work
area network" (refers to the VPN description), then "Virtual Private Network
Connection". After that, choose a name for the connection to be created, for
example "Enterprise connection". Then you have to indicate the IP address
or the full name by which IPBrick is known on the Internet. Finally, you have
to select who can use the VPN connection.
The VPN connection is now configured. In order to establish a VPN you only have
to enter the user name and password registered in IPBrick. IPBrick is now
working as a VPN-PPTP server.
Chapter 9
Appendix C
Configuration of a VPN SSL connection (Open VPN)
9.1 Configuration of a VPN SSL Connection (Open VPN)
To create a VPN connection (Open VPN) in a Windows XP Professional workstation it is necessary to install the Open VPN GUI software:
• Open VPN - VPN Open Source Pack;
• Open VPN GUI - Graphic Interface for Open VPN.
The installation of this pack should be executed without changing the default
definitions. This software is installed in directory C:\Program Files\OpenVPN.
The certificate generated by IPBrick must be unpacked into directory C:\Program Files\OpenVPN\conf
To initiate the VPN connection, right-click the OpenVPN icon in the
toolbar, choose the intended connection and press Connect.
Insert the password used to create the certificate in IPBrick and the VPN will
be established.
9.1.1 Two or more SSL certificates
When more than one certificate is to be placed on the same workstation
(to create VPN connections for distinct places), it is necessary to create a new folder
in the directory C:\Program Files\OpenVPN\config. Extract all the files to that new folder.
To initiate the VPN connection, right-click the OpenVPN icon in the
toolbar, choose the connection in the list and press Connect.
9.1.2 Configuration of a SSL Connection for Windows Vista
1. At http://openvpn.net/index.php/downloads.html download the latest version (Windows Installer file). Example: openvpn-2.1_rc7-install.exe;
2. Install OpenVPN;
3. Extract the zip file to the config folder of OpenVPN. Example: c:\Programas\OpenVPN\config;
4. Run the file c:\Programas\OpenVPN\bin\openvpn-gui.exe as Administrator;
5. In the Windows Vista tray, click on the OpenVPN icon and connect.
NOTE: If it is not working, you need to modify the *.ovpn file present in
c:\Programas\OpenVPN\config and add the following lines at the end:
route-method exe
route-delay 2
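The NOTE above, as an added example (not part of the IPBrick manual or of OpenVPN's own tooling): a Python helper that sets the two directives exactly once in every *.ovpn profile under the config folder, including the per-site subfolders described in 9.1.1. The function names, the sample profile and the .bak backup naming are assumptions made for this example.

```python
from pathlib import Path

# The two directives the manual's NOTE says to add to the *.ovpn file.
VISTA_ROUTE_FIX = {"route-method": "exe", "route-delay": "2"}

# Constructed sample profile (not from IPBrick): CRLF line endings, one
# commented-out directive and one active directive with another value.
SAMPLE_OVPN = (
    "client\r\n"
    "dev tun\r\n"
    "remote vpn.example.invalid 1194\r\n"
    "; route-method exe\r\n"
    "route-delay 10\r\n"
)


def apply_route_fix(config_text, wanted=VISTA_ROUTE_FIX):
    """Return config_text with every wanted directive present exactly once."""
    newline = "\r\n" if "\r\n" in config_text else "\n"
    seen, out = set(), []
    for line in config_text.splitlines():
        tokens = line.split()
        # Lines starting with '#' or ';' are comments: their first token is
        # never a bare directive name, so they pass through untouched.
        name = tokens[0] if tokens else ""
        if name not in wanted:
            out.append(line)
        elif name not in seen:  # rewrite the first occurrence in place
            seen.add(name)
            out.append(f"{name} {wanted[name]}")
        # later duplicates of a wanted directive are dropped
    out += [f"{n} {v}" for n, v in wanted.items() if n not in seen]
    return newline.join(out) + newline


def patch_profiles(config_dir):
    """Patch each *.ovpn below config_dir; return the paths that changed."""
    changed = []
    for path in sorted(Path(config_dir).rglob("*.ovpn")):
        # latin-1 maps every byte to one character, so files in any legacy
        # Windows code page survive the round trip unchanged.
        original = path.read_bytes().decode("latin-1")
        fixed = apply_route_fix(original)
        if fixed != original:
            backup = path.with_name(path.name + ".bak")
            backup.write_bytes(original.encode("latin-1"))
            path.write_bytes(fixed.encode("latin-1"))
            changed.append(path)
    return changed
```

Calling patch_profiles on the OpenVPN config folder leaves a .bak copy beside each profile it changes, and a second run changes nothing.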