IPBrick Reference Manual
IPBrick Reference Guide
Version 5.0
iPortalMais
August 2008

© Copyright iPortalMais. All rights reserved. August 2008.
The information in this manual is subject to change without prior notice. The explanations, technical data, configurations and recommendations presented are accurate and reliable; nevertheless, they carry no expressed or implied guarantees.

Contents

1 Aim of this document
2 Before Starting
3 IPBrick.I
  3.1 Machines Groups
  3.2 Machine Management
    3.2.1 Mass Operations
  3.3 User Groups
  3.4 Users Management
    3.4.1 Mass Operations
  3.5 Domain Server
    3.5.1 Configure
    3.5.2 Users Management
  3.6 File Server
    3.6.1 Individual Work Areas
    3.6.2 Group Work Areas
    3.6.3 Kaspersky
  3.7 E-Mail
    3.7.1 Configure
    3.7.2 Definitions
    3.7.3 Queue Management
    3.7.4 Users management
    3.7.5 Mailing Lists
    3.7.6 Kaspersky Anti-Vírus
    3.7.7 Kaspersky Anti-Spam
  3.8 Print Server
  3.9 Backup
    3.9.1 Bacula
    3.9.2 Remote
  3.10 Fax Server
    3.10.1 Fax2Mail
    3.10.2 Mail2Fax
    3.10.3 Statistics
  3.11 Terminal Server
    3.11.1 Configuration
    3.11.2 Client configuration
4 IPBrick.C
  4.1 Firewall
    4.1.1 Available Services
    4.1.2 Block Services
  4.2 Proxy
    4.2.1 Configuration
    4.2.2 Statistics
    4.2.3 Kaspersky Proxy
  4.3 VPN
    4.3.1 PPTP
    4.3.2 IPSec
    4.3.3 SSL
  4.4 E-mail
    4.4.1 Advanced relay
    4.4.2 Get Mail from ISP
    4.4.3 Mail Copy
  4.5 Web Server
    4.5.1 Creating a new site
    4.5.2 Management
  4.6 Webmail
  4.7 FTP Server
    4.7.1 Access log
  4.8 VoIP
    4.8.1 Phone management
    4.8.2 Services
    4.8.3 Monitoring
    4.8.4 Routes Management
    4.8.5 Music on Hold
  4.9 IM
    4.9.1 Enabling / disabling the IM server
5 Advanced Configurations
  5.1 IPBrick
    5.1.1 Definitions
    5.1.2 System Information
    5.1.3 Web Access
    5.1.4 Authentication
    5.1.5 Update
  5.2 Network
    5.2.1 Firewall
    5.2.2 Route management
    5.2.3 QOS
    5.2.4 Service Routing
  5.3 Support services
    5.3.1 LDAP
    5.3.2 DNS
    5.3.3 DHCP
    5.3.4 ENUM
  5.4 Disaster recovery
    5.4.1 Configurations
    5.4.2 Applications
  5.5 System
    5.5.1 Services
    5.5.2 Task Manager
    5.5.3 Date and Hour
    5.5.4 System users
    5.5.5 Monitoring
    5.5.6 SSH
    5.5.7 Reboot
    5.5.8 Shutdown
  5.6 Telephony
    5.6.1 Cards
    5.6.2 Registered Phones
    5.6.3 Configurations
    5.6.4 Interfaces
    5.6.5 SIP peers
    5.6.6 IAX peers
6 Apply Configurations
7 Appendix A - Join in the domain
  7.1 Windows XP Professional Workstation
8 Appendix B - Configuring a VPN connection
9 Appendix C - Configuration of a VPN SSL connection (Open VPN)
  9.1 Two or more SSL certificates
  9.2 Configuration of a SSL Connection for Windows Vista
10 Appendix D - Backup Service - Arkeia
  10.1 Advanced Administration
Chapter 1  Aim of this document

This reference guide gives you a detailed description of the following IPBrick menus:
• IPBrick.I configuration;
• IPBrick.C configuration;
• IPBrick.GT configuration;
• IPBrick.KAV configuration;
• Advanced Configurations.

The appendices present the procedures for workstation configuration. You will find the following configurations:
• Process of joining a workstation (MS Windows) to a domain;
• Procedures for establishing a virtual private network (VPN) over PPTP and SSL.

Chapter 2  Before Starting

IPBrick is a complete integrated server system based on a Linux distribution. Once installed, you access IPBrick with an Internet browser. The default IPBrick IP address is 192.168.69.199, so the address to type in the browser bar is https://192.168.69.199. When you open a web session with IPBrick you will see an authentication web page. After a successful login, IPBrick allows you to change the domain and the IP networks of the private and public server interfaces.

Attention: If the network where you are installing IPBrick already has a DHCP server, you should deactivate it in order to avoid conflicts.

For more information about installing IPBrick and configuring a workstation, please consult the Installation Manual.
IPBrick web interface management is divided into five main menus:
• IPBrick.I: configuration of specific Intranet services;
• IPBrick.C: configuration of specific Communication services outside the LAN;
• IPBrick.GT: easy configuration of the services normally active on the IPBrick.GT appliance (1);
• IPBrick.KAV: easy configuration of the services normally active on the IPBrick.KAV appliance (2);
• Advanced Configurations.

(1) An IPBrick hardware appliance for telephony gateway; it can have analog/ISDN telephony cards.
(2) An IPBrick hardware appliance acting as a security gateway, including Kaspersky licences.

All configurations made by the IPBrick administrator are stored in a PostgreSQL database. Only when the option Apply Configurations is clicked does the database generate all the new system configuration files.

Changing configurations in the following menus causes a restart of IPBrick (IPBrick needs approximately 1 minute to restart, depending on the hardware where it is installed):
• Advanced Configurations > IPBrick > Definitions;
• Advanced Configurations > IPBrick > Authentication;
• Advanced Configurations > System > Date and Hour > Time zone.

IPBrick allows efficient management of configurations: whenever changes are made to the system through the web interface, a new configuration is recorded locally and also stored automatically on a USB pen drive if one is plugged in. This guarantees Disaster Recovery, one of the added values of IPBrick. For example, if the hard drive crashes you can quickly restore the configurations with the IPBrick Installation CD and the pen drive.

On the management interface there are links that allow you to manage the services.
You will find links like:
• Back: returns to the previous page without saving changes;
• Insert: inserts new items;
• Modify: changes item settings;
• Delete: deletes an item.

Chapter 3  IPBrick.I

This chapter describes the IPBrick.I menus used to manage the main Intranet services. It is divided into the following main sections:
• Machine Groups;
• Machines Management;
• User Groups;
• Users Management;
• Domain Server;
• File Server;
• E-mail;
• Print Server;
• Backup;
• Fax Server;
• Terminal Server.

3.1 Machines Groups

In this menu you manage groups of machines: you can create groups and assign machines to each group. For instance, machine groups can be used to configure web proxy accesses. To insert a group of machines you have to set:
• Group name: the name assigned to the group of machines;
• Group type:
  – Machines Subnets: depending on the IP addresses used, the groups of machines can be split into subnets of defined sizes;
  – Machines: if you choose this option and click Insert, you can assign existing network machines to the group;
• Machine count: if the group is a subnet of machines, you can choose the number of machines for the group;
• Subnet: this field defines the subnet for the group of machines; it represents the range of IP addresses covered by the group.

By clicking Insert, the group is created and its settings are displayed. On that screen you can see three links: Back to go back to the list; Modify to change the name of the present group; Delete to remove the group of machines. An example of a machine group is shown in Figure 3.2 and the general list in Figure 3.1.

Figure 3.1: Machine Groups - List

3.2 Machine Management

This section deals with adding or changing machine registrations in LDAP (e.g. PC, laptop, printer).
A machine is represented by its type, name, group, IP address and MAC address, as you can see in Figure 3.3. The machine types are:

Figure 3.2: Machine Groups - Example

• Workstation: workstation in the LAN running a Windows operating system;
• Workstation + SoftPhone: Windows workstation in the LAN with an associated softphone;
• Linux Workstation: workstation in the LAN running a Linux distribution, so that the user's home directory can be exported by NFS to that Linux client;
• Linux Workstation + SoftPhone: Linux workstation in the LAN with an associated softphone. The name will be the SIP username and it will always be associated with the IP address;
• Printer: network printer. Location is a description of the printer location. Port is the port where the print server is running, for example 9100 for HP printers;
• IP Phone: hardware SIP IP phone in the LAN. The name will be the SIP username and it will always be associated with the IP address;
• Linux Terminal: thin client with a remote session to a Linux machine, used with the Terminal Server in IPBrick;
• Windows Terminal: thin client with a remote session to a Windows machine, used with the Terminal Server in IPBrick.

To insert a machine you only have to select the type and enter the name and IP address. The machine is then registered in LDAP and in the DNS server. If you also fill in the MAC Address field with the MAC address of the machine being registered, a record is also created for this machine in the DHCP server.

Note: The machine MAC address can be obtained from the network connection icon in Windows XP or by running ipconfig /all at the command line.

Figure 3.3: Machines Management - Machine registration

You can manage a specific machine by clicking its name in the list. You will get the screen shown in Figure 3.4.
If you click the link Modify, the form from Figure 3.3 is displayed and enables you to redefine the machine parameters. If you click Delete, the machine will be deleted. When all the machines are registered you can get the list at the main menu (Figure 3.5). 3.2.1 Mass Operations The Export feature will export all the data to a .csv file (Figure 3.6). The Mass operations option permit an import of a .csv file (Figure 3.7). You can edit Reference Guide - Version 5.0 iPortalMais - 2008 3.2 Machine Management 21 Figure 3.4: Machines Management - Options a .csv file in a spreadsheet application, choosing the ; to split the columns. The fields are: Mandatory fields: • actionmachine: Options available: – I: To insert a machine in IPBrick; – U: To update machine information in IPBrick; – D: To delete a machine in IPBrick; • machinetype: Options available: – 1: For Workstation; – 3: For Workstation + Softphone; – 14: For Linux Workstation; – 15: For Linux Workstation + Softphone; – 16: For Printer; – 2: For IP Phone; – 7: For Linux Terminal; – 4: For Windows Terminal. iPortalMais - 2008 Reference Guide - Version 5.0 22 IPBrick.I Figure 3.5: Machines Management - List • name: Machine single name; • ip: Machine IP. The format is xxx.xxx.xxx.xxx; • mac: Machine NIC MAC address. The format is xx:xx:xx:xx:xx:xx; • password: Password to use if a SIP phone is selected. Example: 123; Other fields: • computernumber: Machine LDAP ID; • groupnumber: Machine group number if associated to some group; • rdpsrvaddress: Remote server IP if a terminal is selected; • rdpsrvdomain: Remote server domain if a Windows terminal is selected. 
Example of a .cvs file content for mass operations import option: "actionmachine";"machinetype";"name";"ip";"mac";"password" "I";"1";"wrk01";"192.168.69.100";"00:E0:98:9C:49:03";"" "I";"1";"wrk02";"192.168.69.101";"00:E0:98:4D:23:12";"" "I";"1";"wrk03";"192.168.69.102";"00:E0:98:9B:45:04";"" "I";"3";"softphone01";"192.168.69.102";"00:E0:98:9B:45:04";"1234" Reference Guide - Version 5.0 iPortalMais - 2008 3.3 User Groups 23 ! Attention: • The computer name has to be an alphanumerical name. Exceptions are the characters _ and -; • The computer name shouldn’t have spaces nor diacritical marks on characters neither punctuation. Its maximum size should be 15 characters; • Is is not allowed to register neither machine with the same name nor machine whose names are identical with a registered user log in; • For a registration of a Windows station, the name as to be always in small letters and if necessary change the Computer name to small letters, too. Figure 3.6: Machine Management - Export 3.3 User Groups A group is an set of users generally created when you wish that all people in that group share the same permissions to a group of files. In this section you manage IPBrick user groups. • To create a new group: iPortalMais - 2008 Reference Guide - Version 5.0 24 IPBrick.I Figure 3.7: Machine Management - Mass Operations – Click on Insert ((Figure 3.8); – Choose the group name. • To add or remove users from a group: – Click on the group name (Figure 3.9); – In the generated page (Figure 3.10) choose the users that should be added or removed from the defined group. There are two pre-defined groups that cannot be deleted or changed. These groups are: • Administrators; • General. Users that belong to the Administrators group have administrator permissions in the domain served by IPBrick. You may add or remove users of this group with the exception of the pre-defined Administrator. The General group is a common group for all users created in IPBrick. ! 
Attention: • When inserting new groups their name can be in capital and/or small letters. Reference Guide - Version 5.0 iPortalMais - 2008 3.4 Users Management 25 • The group name can contain spaces, but can’t have more than 32 only alphanumerical characters without accents. • When the user is created, there shouldn’t be other group with the same name, including domains. Figure 3.8: User Groups - Group creation 3.4 Users Management In this section you learn how to register new users, change the information of already existing users and delete users. When creating a new user IPBrick creates automatically an e-mail account, and individual work area (user drive space in the server) and a net logon in order to identify the user in the domain. After being installed, IPBrick creates by default one user and two groups. The created user have the login Administrator and the two groups are the Administrators and the General. The user with Administrator login has a work area created in the Work Area 1. This user has special characteristics because he belongs to the Administrators group and is responsible for the management of some system functions. Therefore he can never be removed. The user registration is composed of the following fields: • Name: User’s name. Normally is the first and last name; • Login: User’s identification to be used for any IPBrick authentication process. iPortalMais - 2008 Reference Guide - Version 5.0 26 IPBrick.I Figure 3.9: User Groups - Groups List • Server: Selection of the server where the user account shall be created. The user account stands for the hard drive space in the server where various user contents are stored, including email folder, Windows profile and documents. If there are slaves servers they are also listed. • Work Areas: Partition of the server drive selected to create the account. The users should be distributed the fairest way in order to use the available space most efficiently. 
• Password: Password definition; • Retype Password: Confirmation of the password; • Quota: Value that limits the user hard drive space in the system. The unit os measurement is kilobytes. If you don’t indicate a limit value, the user will have unlimited space to occupy. An example is present at Figure 3.11. ! Attention: • When inserting users only use characters without accents for their name, login and e-mail address. Reference Guide - Version 5.0 iPortalMais - 2008 3.4 Users Management 27 Figure 3.10: User Groups - Users • Spaces, brackets, full stops, small and capital letters are possible in the Name field. • You are not allowed to use spaces in the Login field. Avoid using capital letters. • Every login has to be unique. There cannot be a login with the same name of a machine registered in IPBrick. In order to modify some user information you have to click over the name (Figure 3.12). In the form where you change the user (Figure 3.14) you can see all fields that were defined when the user account was created. The only exception is the uidNumber which is an IPBrick user identification number. The password is not shown. All defined fields are editable with the exception of the login and uidNumber. To remove a IPBrick user record: • Click on the user name; iPortalMais - 2008 Reference Guide - Version 5.0 28 IPBrick.I Figure 3.11: Users Management - Insert • In the generated page, besides from displaying user properties, you can also delete the user (Figure 3.13). ⇒ Note: The user contents (personal files, profile, e-mails) are not eliminated when deleting his registration. They are moved to an administrative share called BackupX (X representing the number of the work area where the user was registered, 1 or 2). Only members of the Administrators group have access to this share from any Windows station. 
Therefore they have to do the following: • Press the keys [Win]+[R] at the same time • Write \\ipbrick\backup1 and press the button ”OK” All folders and files deleted in these administrative shares are finally eliminated in IPBrick. 3.4.1 Mass Operations The Export feature will export all the data to a .csv file. The Mass operations option permit an import of a .csv file. You can edit a .csv file in a spreadsheet application. Mandatory fields: Reference Guide - Version 5.0 iPortalMais - 2008 3.4 Users Management 29 Figure 3.12: Users Management - List • actionuser: Options available: – I: To insert a user in IPBrick; – U: To update user information in IPBrick; – D: To delete a user in IPBrick; • login: User login; • name: User name. If more than one word is used the " is necessary; • email: User email; • accountquota: Quota for the user account. The 0 is unlimited; • idworkarea: User workarea number; • password: Insert a user password. Later the user can change it by the myipbrick site. Note that this field is not present when we export a .cvs file, so you must create it; • mailalias: User email alias. Other fields: iPortalMais - 2008 Reference Guide - Version 5.0 30 IPBrick.I Figure 3.13: Users Management - Operations • usernumber: User LDAP ID; • groupnumber: Group LDAP ID of user; • idserver: Slave server IP where to create the account. The 0 is for local; • passwordtype: 1 for normal, 2 for biometric mode; • randompassword: Used to generate random password’s for users; • sipurl: User’s SIP url, representing the phone near the user; • mailaccountstatus: 1 for active, 2 for inactive; • mailquota: Maximum mail account quota in MBytes; • mailmaxsize: Maximum received message size in MBytes; • mailforward: It’s a forward mail for the user; • mailoutoreply: It’s the automatic reply message. The use of " is needed; • homedrive: Represents the account network drive. The default is Z; • roamingprofile: 1 for a roaming profile, 2 for a local profile. 
Reference Guide - Version 5.0 iPortalMais - 2008 3.5 Domain Server 31 Figure 3.14: Users Management - Modify Example of a .cvs file content for mass operations import option: ”actionuser”;”login”;”name”;”email”;”accountquota”;”idworkarea”;”password”;”mailalias” ”I”;”jsmith”;”John Smith”;”jsmith@domain.com”;”0”;”1”;”123456”;”john.smith@domain.com” ”I”;”bjones”;”Bill Jones”;”bjones@domain.com”;”0”;”2”;”123456”;”bill.jones@domain.com” ”I”;”shamilton”;”Sara Hamilton”;”shamilton@domain.com”;”0”;”2”;”123456”;”sara.hamilton@domain.com” 3.5 Domain Server IPBrick as a Intranet server manages all the network resources belonging to a certain domain and provides important network support services as DNS and DHCP. A relevant feature to consider in the domain server 1 is that it works with the authentication server, where all the users have a username/password match defined in the LDAP database of IPBrick. PDC is checked whenever there is a authentication demand in a workstation. 1 Primary Domain Controller iPortalMais - 2008 Reference Guide - Version 5.0 32 IPBrick.I 3.5.1 Configure In this section you define the name of the domain served by IPBrick as well as this fields (Figure 3.15): • Domain Login: – YES: IPBrick will be a Primary Domain Controller in the chosen domain; – NO: IPBrick will not operate as a domain server. • Default account network drive: Will be the drive where the users account will be mapped in the workstations side. The default is Z; • Default type of profile: The profile is a Windows workstation is a group of folders that are stored normally at c:\Documents and Settings\user_login; – Roaming: In this case when the user logout at workstation, all the profile folders are synchronized to the user personal account in IPBrick, located at \\ipbrick\user_login\.profiles. When he logins again in the same workstation or a different one, the profile will be synchronized back to the workstation; – Local: The profile will never be synchronized to IPBrick. 
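The two mass-operation formats described in 3.2.1 and 3.4.1 are imported as-is, so a row that breaks the naming rules (a capital letter in a Windows machine name, a login that collides with a machine name, an insert without a password) is only discovered after the import. The following validator is an added example, not part of the IPBrick manual or product: it parses the ";"-separated, double-quoted layout with Python's csv module and checks both file types against the rules the manual states. The functions parse_csv, validate_machines, validate_users and check_sample_files are the example's own names; requiring lower case for every machine type (the manual requires it only for Windows stations) and requiring a password for SIP device types are the example's assumptions, and the sample rows are constructed.

```python
# Pre-import validator for IPBrick mass-operation .csv files (machines and users).
# Added example, not IPBrick code: applies the naming rules from sections 3.2.1
# and 3.4.1 of the manual. Sample rows at the bottom are constructed.
import csv
import io
import ipaddress
import re

ACTIONS = {"I", "U", "D"}                                   # insert / update / delete
MACHINE_TYPES = {"1", "3", "14", "15", "16", "2", "7", "4"}  # codes listed in 3.2.1
SIP_TYPES = {"3", "15", "2"}                                # name doubles as SIP username
# Computer name: alphanumeric plus _ and -, at most 15 characters, lower case.
# Assumption: the manual's lower-case rule for Windows stations is applied to all types.
MACHINE_NAME_RE = re.compile(r"^[a-z0-9_-]{1,15}$")
# Login: no spaces, no accents; the manual advises against capitals, so they are rejected.
LOGIN_RE = re.compile(r"^[a-z0-9._-]+$")
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
EMAIL_RE = re.compile(r"^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+$")


def parse_csv(text):
    """Parse the ';'-separated, double-quoted layout shown in the manual."""
    return list(csv.DictReader(io.StringIO(text), delimiter=";", quotechar='"'))


def validate_machines(rows, existing_logins):
    """Error strings for a machine file; an empty list means it can be imported."""
    errors, seen = [], set()
    for n, row in enumerate(rows, start=2):              # line 1 is the header
        name, mtype = row.get("name") or "", row.get("machinetype")
        if row.get("actionmachine") not in ACTIONS:
            errors.append(f"line {n}: actionmachine must be I, U or D")
        if mtype not in MACHINE_TYPES:
            errors.append(f"line {n}: unknown machinetype {mtype!r}")
        if not MACHINE_NAME_RE.match(name):
            errors.append(f"line {n}: invalid machine name {name!r}")
        if name in seen:
            errors.append(f"line {n}: duplicate machine name {name!r}")
        if name in existing_logins:
            errors.append(f"line {n}: machine name {name!r} matches a user login")
        seen.add(name)
        try:
            ipaddress.IPv4Address(row.get("ip") or "")
        except ValueError:
            errors.append(f"line {n}: invalid IPv4 address {row.get('ip')!r}")
        if row.get("mac") and not MAC_RE.match(row["mac"]):
            errors.append(f"line {n}: invalid MAC address {row['mac']!r}")
        if mtype in SIP_TYPES and not row.get("password"):  # assumption: SIP needs a password
            errors.append(f"line {n}: SIP device {name!r} has no password")
    return errors


def validate_users(rows, existing_machines):
    """Error strings for a user file; an empty list means it can be imported."""
    errors, seen = [], set()
    for n, row in enumerate(rows, start=2):
        login, name = row.get("login") or "", row.get("name") or ""
        if row.get("actionuser") not in ACTIONS:
            errors.append(f"line {n}: actionuser must be I, U or D")
        if not LOGIN_RE.match(login):
            errors.append(f"line {n}: invalid login {login!r}")
        if login in seen:
            errors.append(f"line {n}: duplicate login {login!r}")
        if login in existing_machines:
            errors.append(f"line {n}: login {login!r} matches a registered machine name")
        seen.add(login)
        if not name or not name.isascii():
            errors.append(f"line {n}: name must be present and free of accents")
        if not EMAIL_RE.match(row.get("email") or ""):
            errors.append(f"line {n}: invalid e-mail {row.get('email')!r}")
        if not (row.get("accountquota") or "").isdigit():
            errors.append(f"line {n}: accountquota must be a number (0 = unlimited)")
        # The export never carries the password column, so an insert must supply it.
        if row.get("actionuser") == "I" and not row.get("password"):
            errors.append(f"line {n}: insert of {login!r} has no password")
    return errors


# Constructed samples: line 4 of the machine file and line 3 of the user file are bad.
MACHINES_CSV = (
    '"actionmachine";"machinetype";"name";"ip";"mac";"password"\n'
    '"I";"1";"wrk01";"192.168.69.100";"00:E0:98:9C:49:03";""\n'
    '"I";"2";"phone01";"192.168.69.150";"00:E0:98:11:22:33";"4321"\n'
    '"I";"1";"Wrk02";"192.168.69.300";"00:E0:98";""\n'
)
USERS_CSV = (
    '"actionuser";"login";"name";"email";"accountquota";"idworkarea";"password";"mailalias"\n'
    '"I";"jsmith";"John Smith";"jsmith@domain.com";"0";"1";"123456";"john.smith@domain.com"\n'
    '"I";"wrk01";"Work Station";"wrk01@domain.com";"0";"1";"";""\n'
)


def check_sample_files():
    """Validate both samples; the machine names act as the registered-machine set."""
    machines, users = parse_csv(MACHINES_CSV), parse_csv(USERS_CSV)
    machine_names = {r["name"] for r in machines}
    return validate_machines(machines, set()), validate_users(users, machine_names)


if __name__ == "__main__":
    for err in check_sample_files()[0] + check_sample_files()[1]:
        print(err)
```

Run the script on a file before handing it to Mass operations; the duplicate IP/MAC pair that the manual's own softphone example shares with a workstation is deliberately not flagged, since a softphone entry may sit on the same host as its workstation.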
⇒ Note: The information on this page is only valid for the MS Windows environment. The IPBrick Domain Name field corresponds to the Workgroup or Domain Name in the MS Windows environment.

3.5.2 Users Management

For each user it is possible to specify:
• Account network drive: Z: by default;
• Type of profile: Roaming or local.
Clicking that option presents the user list. Choosing a specific user, as shown in Figure 3.16, you can configure the domain server settings for him.

3.6 File Server

A work area corresponds to a physical partition on the drive, named /home1 or /home2. When a new user is created, the system also creates his personal account, a folder structure that supports the user account:
1. Personal Accounts: Located in the MS Windows environment, containing e-mail files and the user profile;
2. Group Sharing: Responsible for storing user group files;

Figure 3.15: Domain Server - Definitions

3. Administrative Sharing: Responsible for holding deleted user accounts and deleted group shares. These areas are only available to Administrators.
IPBrick has two Work Areas by default: Work Area 1 and Work Area 2. When you click on Work Areas you are given a list of all users and sharing groups classified by Work Area, as well as information about the space occupied in each individual Work Area (Figure 3.17).

3.6.1 Individual Work Areas

When you select Individual Work Areas, IPBrick shows you a list of the existing Work Areas and a chart of the occupation rate of each Work Area (Figure 3.18). These Work Areas correspond to the hard drive space where the users' data is stored. When you click on a Work Area, e.g. Work Area 1, you are given a list of all users created in this area as well as the space occupied by each user (Figure 3.19). Each user area is created at the moment you register the user in IPBrick.I Users Management. In individual work areas you also have the list of FTP accounts created in the FTP menu of IPBrick.C.
! Attention: If the occupied space in a Work Area reaches 100%, users can no longer save their data in IPBrick. Moreover, e-mails are no longer delivered to the users. They stay in the queue until some space is released in the Work Areas. It is recommended to keep the occupation rate of each Work Area under 95%.

Figure 3.16: Domain server - Users Management

3.6.2 Group Work Areas

Group work areas are network shares that can be accessed by SMB or NFS clients. You can create network shares in any Work Area. After creating a network share you have to define the corresponding access permissions. When inserting a Group Work Area you first have to choose the work area where the share will be created (Figure 3.20) and fill in the following fields:
• Name: Name of the share folder. Avoid spaces, accented characters and punctuation;
• Description: Share description. Optional field;
• Administrator: Share administrator's e-mail. Optional field;
• Browseable: If Yes, the share appears in the server browse list. If No, the share is hidden;
• Recycle bin: Enables the use of a recycle bin;

Figure 3.17: Work Areas - Summary

• Name of the recycle bin folder: If you enabled the previous option, you can set in this field the folder that will be used as the recycle bin.
Two examples can be viewed in Figure 3.21 and Figure 3.22.

Access Permissions

After creating a Group Work Area you have to give users permissions in order to access the network share. This is done by first clicking the share name, as shown in Figure 3.23. There are 3 different types of permissions:
• None: No access to the share. Users cannot open the share folder from a workstation;
• Read Only: Users have access to the share folders and their files. Nevertheless, they are not allowed to change these files;
• Read/Write: Users have access to the share folders and their files, and are allowed to change files and save changes.
Permissions are given to individual users or user groups (Figure 3.24). User groups are defined in IPBrick.I Group Management. For example, in order to create a share folder for users belonging to a commercial department you have to do the following steps:

Figure 3.18: Work Areas - List

• Create the group "Dept Financeiro" in Group Management and add the users of this department to the group;
• Create an area called "Financeiro" in Work Areas, Group Work Areas;
• Give read and write permissions to the group "Dept Financeiro". The other groups have either read permission or no access to this area.
⇒ Note: When defining user group permissions, any change to the General group affects all the other groups. This happens because all users created in IPBrick are part of the General group.
⇒ Note: A deleted share is no longer available to users. All files in this share are moved to an administrative share called BackupX (X representing the number of the work area where the share was created, 1 or 2) in the same Work Area. Only users belonging to the IPBrick Administrators group have access to this administrative folder. You can access this share from a Windows station as follows:
• Press the keys [Win]+[R] at the same time;
• Type \\ipbrick\backup1 and press "OK" (for the share that existed in Work Area 1).
All files and folders deleted in these administrative shares are definitively deleted from IPBrick.
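The note above is the one that bites in practice: because every user is in General, a Read/Write grant to General on the "Financeiro" share silently gives the whole company write access, whatever the department group was given. The following model is an added example, not IPBrick code: it computes a user's effective level on a share as the highest level granted to the user or to any group he belongs to (General included implicitly), and flags a share whose General grant is anything but None. The group names, logins and grants are constructed; effective_access, access_table and overexposed are the example's own names.

```python
# Effective access to a Group Work Area share. Added example, not IPBrick code:
# models the three permission levels of the manual and the implicit General
# membership of every user. All names below are constructed.
NONE, READ_ONLY, READ_WRITE = 0, 1, 2
LEVEL_NAMES = {NONE: "None", READ_ONLY: "Read Only", READ_WRITE: "Read/Write"}

# Constructed directory: group name -> logins. General is implicit and not listed.
GROUPS = {
    "Administrators": {"administrator"},
    "Dept Financeiro": {"ana", "rui"},
    "Dept Comercial": {"luis"},
}


def groups_of(login, groups):
    """Every IPBrick user belongs to General in addition to the groups listed."""
    return {name for name, members in groups.items() if login in members} | {"General"}


def effective_access(login, groups, grants):
    """Highest level granted to the login directly or through any of its groups.

    grants: principal (login or group name) -> NONE | READ_ONLY | READ_WRITE.
    A principal with no grant gets NONE, the share's default.
    """
    level = grants.get(login, NONE)
    for group in groups_of(login, groups):
        level = max(level, grants.get(group, NONE))
    return level


def access_table(groups, grants, logins):
    """Map each login to the name of its effective level, for review."""
    return {u: LEVEL_NAMES[effective_access(u, groups, grants)] for u in logins}


def overexposed(groups, grants):
    """True when the share is readable or writable by everyone through General."""
    return grants.get("General", NONE) > NONE


# The manual's worked example: the Financeiro share is Read/Write for Dept Financeiro
# and nothing for everyone else. A second, constructed variant shows the slip.
INTENDED = {"Dept Financeiro": READ_WRITE}
TOO_BROAD = {"Dept Financeiro": READ_WRITE, "General": READ_WRITE}

ALL_USERS = sorted(set().union(*GROUPS.values()) | {"guest"})

if __name__ == "__main__":
    for grants in (INTENDED, TOO_BROAD):
        print(access_table(GROUPS, grants, ALL_USERS), "overexposed:", overexposed(GROUPS, grants))
```

Run overexposed() over every share after changing permissions: a General grant above None is the only way a user outside all departments (guest below) ends up with access, and a per-user None cannot take it away again, since the model, like the manual's note, lets the General grant reach everyone.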
Figure 3.19: Work Areas - Summary of Individual Areas

3.6.3 Kaspersky

Kaspersky Antivirus for Samba Server (file server) is already installed in IPBrick. After inserting a valid license (Figure 3.25), Kaspersky Antivirus for Samba Server is activated and displays the interface with the following links:
• Update: After the license expires, renew it with a new license file;
• Delete: Removes the license;
• Configure: Provides the general Anti-Virus configuration options;
• Work areas: Antivirus behaviour in work areas;
• Statistics: Interface with specific statistics about the file server Anti-Virus.

Configuration

General settings:
• Notify from the address: Sender address used for the notifications;

Figure 3.20: Work Areas - List

• Notify to the address: E-mail address that will receive notifications.
Object settings:
• Directory exclusion mask: Directories that will be analyzed;
• File exclusion mask: Files that will be analyzed;
• Packed Files: If you choose this item, this type of file will be analyzed;
• Archives: If you choose this item, this type of file will be analyzed;
• Self-extracting files: If you choose this item, this type of file will be analyzed;
• Email database: If you choose this item, this type of file will be analyzed;
• Text format email: If you choose this item, this type of file will be analyzed.
Scan settings:
• Cure: If activated, detected viruses will be automatically removed;
• Use heuristic: If activated, viruses can be detected through analysis of code with characteristics and behaviour similar to a virus;

Figure 3.21: Work Areas - Group - Insert with recycle bin

• Use iChecker: If the file has not been modified since the last time it was checked, it is not analysed again.
Action settings: Define what the Anti-Virus does with infected and suspicious files or with warnings:
• Remove: Removes the file;
• Leave unchanged: Takes no action on the file;
• Move: Moves the file.
Notification settings: Define which notifications the Anti-Virus sends about infected and suspicious files or warnings:
• Notify user through winpopup: Notification using the Windows net send command;
• Notify user through e-mail;
• Notify administrator through e-mail.
To change settings click on Modify. You can see the configuration interface in Figure 3.26 and Figure 3.27.

Figure 3.22: Work Areas - Group - Insert without recycle bin

Work areas

By default, work areas are checked when files are opened and closed. You can set for each share whether it is protected or not, and whether it is checked when users open and/or close files, as shown in Figure 3.28.

Statistics

Several statistics are displayed in this interface:
• Virus statistics in period: Options for the graphic shown in Virus Statistics (Figure 3.29):
– Start: The starting date for the statistics;
– View: Can be set in hours, days, months or years;
– Repetition: Scale of the graphic's horizontal axis;
– Group: Enables you to group data, depending on the chosen view;
• Virus statistics: The display can be filtered by: infected files, protected, corrupted, errors and files where disinfection failed;
• Virus list: Can be ordered by virus name or number of occurrences (Figure 3.30).

Figure 3.23: Work Areas - Group - Management

3.7 E-Mail

E-mail is the most used network service on the Internet, increasingly replacing traditional mail and fax. The protocol used to send electronic messages is SMTP (Simple Mail Transfer Protocol), which runs on TCP port 25. It enables e-mail sending to one or several recipients and is implemented by MTAs (Mail Transfer Agents). The IPBrick MTA is Qmail (http://cr.yp.to/qmail.html). SMTP is only capable of sending messages, so users need an e-mail client that supports the protocols used to download messages from the server, POP3/IMAP. IPBrick's E-mail section is composed of:
• Configure;
• Queue Management;
• Users Management;
• Mailing Lists;
• Kaspersky Anti-Virus;

Figure 3.24: Work Areas - Group - Users Access

• Kaspersky Anti-Spam.

3.7.1 Configure

An important concept in the e-mail server configuration is open relay. A server that works as an open relay processes messages between senders and recipients outside the server's domain, which may not even exist. Obviously, IPBrick does not work as an open relay; it only forwards Internet e-mail to domains that are explicitly indicated. It is important to mention four very simple and decisive concepts in the E-mail configuration:
1. Locally delivered domains: E-mail addresses whose destination is the IPBrick server itself, that is, the associated e-mail accounts are in the local network. E-mails in the queue whose recipient is in one of these domains are not sent to another server to be delivered. The domains served by the machine have to be correctly configured on each DNS domain server. That is, the "E-mail servers" of these domains have to point to this machine.
2. Authorized relay domains: IPBrick forwards all messages whose domain is in this list; they are accepted by the server into the queue. Messages to other recipients that don't belong to these domains won't be accepted by the server (only e-mails from the Internet respecting these rules are processed; IPBrick is not configured as an open relay).

Figure 3.25: Workareas - Kaspersky Licence

3. Relay networks definitions: IPBrick relays to any domain as long as the e-mail is sent from its corresponding internal network. If there are different internal IP networks it is necessary to add these networks to the list. This way all machines in these networks are able to send e-mails to other domains using IPBrick as a relay server. Other networks (Internet IPs) can use this SMTP server, but only with TLS authentication. So someone on the Internet who wants to use IPBrick's SMTP to send e-mail is forced to authenticate with his LDAP username/password;
4. SMTP Routes: SMTP routes are configured when you want e-mails to follow a certain path (server) in order to reach their recipient. Normally, a default SMTP route is defined (giving the SMTP route and leaving the Domain empty). When the server is not correctly registered with its IP name in the Internet DNS, you have to define an SMTP route. This route should be either the server responsible for forwarding the company's e-mails or the SMTP server of the ISP used by the firm to access the Internet. This configuration is necessary because certain e-mail servers make additional verifications of the sending server's authenticity. If they can't resolve the server name to the corresponding IP address (reverse DNS check), the mail may be deleted or sent back as SPAM. If no SMTP route is used, the server tries to send the mails in the queue by itself. With the help of DNS records it tries to find the recipients directly on the Internet.

Figure 3.26: Workareas - Kaspersky - Configure 1/2

Each e-mail configuration option has a link to Insert new entries (Figure 3.31). The domains for local delivery (domains which IPBrick serves) and relay (domains which IPBrick forwards) can be edited and/or deleted. The exception is the domain whose name is the same as that of the machine in the local networks, or that of the local domain in the relay.
⇒ Note: To make IPBrick relay e-mails to another server that holds the accounts, the firm's base domain has to be removed from the domains served by IPBrick, since it is a domain served by IPBrick by default. By default IPBrick only forwards e-mail messages that come from its private network. If there are different internal IP networks, they should be added to let them send messages. There are two different types of SMTP routes:

Figure 3.27: Workareas - Kaspersky - Configure 2/2
Figure 3.28: Workareas - Kaspersky

1. FQDN (Fully Qualified Domain Name) of the route server. For example: smtp.exchange.telepac.pt.
2. IP address of the route server. Pay attention to the brackets: 195.22.133.45.
Below you are given two example configurations, one with an IP for a specific domain and another for the same domain with the FQDN:

Figure 3.29: Workareas - Kaspersky - Statistics 1/2
Figure 3.30: Workareas - Kaspersky - Statistics 2/2

First Example:
Domain : abzas.miz
SMTP route : 195.22.133.45
Second Example:
Domain : abzas.miz
SMTP route : smtp.exchange.telepac.pt

Figure 3.31: E-mail - Configure

An important configuration is that of a machine relaying e-mails. Whenever in this situation you add a default SMTP route (without indicating the domain), you have to add another SMTP route to forward e-mails to the internal e-mail server. Below you can see an example of such a configuration. In it, IPBrick relays all incoming e-mail to an internal e-mail server called accounts, and has a second route to deliver all mail to the Internet through the smarthost smtp.isp.pt:
Domain: domain.com
SMTP route: accounts.domain.com
Domain:
SMTP route: smtp.isp.pt

3.7.2 Definitions

There is a link called Definitions (see Figure 3.32 and Figure 3.33) to define characteristics of the e-mail server:
• Message maximum size: The global maximum size of a message being sent. Default value: unlimited;
• Maximum time to hold the message in the server: Maximum time a message stays in the mail queue. Default value: 604800 seconds (7 days);
• Maximum number of simultaneous SMTP connections: Number of connections the server can support. Default value: 20;
• Incoming message timeout: Maximum time to receive a single message on the server. If reached, the transfer times out. Default value: 1200 seconds;
• Outgoing message timeout: Maximum time to send a single message. If reached, the transfer times out. Default value: 1200 seconds;
• Reject emails from invalid domains: The server will reject incoming mail if the sender's domain has no MX record, which makes it invalid. Default value: Yes;
• Reject emails from invalid servers: The server will reject incoming mail if the sender's FQDN has no reverse DNS record. Default value: No.
In this interface it is also possible to define permissions for sending and receiving e-mails:
• Valid internal recipients: It is important to fill in this list in order to protect the server from a mail bomb attack. All the valid internal e-mail addresses should be listed here. If the list is empty, all internal recipients are accepted (Figure 3.34);
• Invalid senders: A list of e-mail addresses that are not allowed to send e-mail (Figure 3.35).

3.7.3 Queue Management

Queue Management (Figure 3.36) allows you to manage and view e-mails that are in the e-mail server queue waiting to be delivered to their local or remote recipient.
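The four concepts of section 3.7.1 (locally delivered domains, authorized relay domains, relay networks, SMTP routes) together decide whether a submitted message is accepted and where it goes next; the accounts/smtp.isp.pt route table above is the case that is easiest to get wrong. The following decision function is an added example, not qmail or IPBrick code: it accepts a message for local delivery when the recipient domain is served locally, lets hosts in a relay network or clients that authenticated with their LDAP username/password over TLS relay anywhere, accepts an Internet sender only for an authorized relay domain, and rejects everything else so the server is never an open relay; next_hop then picks the domain-specific SMTP route, the default route, or direct delivery. MailConfig, decide, next_hop, is_internal and run_cases are the example's own names, and the networks, hosts and addresses in the configuration are constructed.

```python
# Relay decision and next-hop selection for an IPBrick-style e-mail configuration.
# Added example, not qmail or IPBrick code: the config and messages are constructed;
# the route table mirrors the accounts / smtp.isp.pt example of the manual.
import ipaddress
from dataclasses import dataclass


@dataclass
class MailConfig:
    local_domains: frozenset   # delivered to mailboxes on this server
    relay_domains: frozenset   # accepted from anywhere and forwarded along their route
    relay_networks: tuple      # CIDR strings whose hosts may send to any domain
    smtp_routes: dict          # domain -> next hop; the "" key is the default route


def next_hop(cfg, domain):
    """Domain-specific SMTP route first, then the default (empty domain) route.

    None means no route applies: the message is delivered directly, using the
    recipient domain's DNS records, as the manual describes.
    """
    if domain in cfg.smtp_routes:
        return cfg.smtp_routes[domain]
    return cfg.smtp_routes.get("")


def is_internal(cfg, client_ip):
    """True when the submitting host lies in one of the relay networks."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net) for net in cfg.relay_networks)


def decide(cfg, client_ip, authenticated, recipient):
    """Return ("local", domain), ("relay", next_hop) or ("reject", reason).

    authenticated: True only when the client logged in over TLS with its LDAP
    username/password, which is what lets an Internet host relay through us.
    """
    _, sep, domain = recipient.rpartition("@")
    if not sep or not domain:
        return ("reject", f"malformed recipient {recipient!r}")
    domain = domain.lower()
    if domain in cfg.local_domains:
        return ("local", domain)
    if is_internal(cfg, client_ip) or authenticated:
        return ("relay", next_hop(cfg, domain))
    if domain in cfg.relay_domains:
        return ("relay", next_hop(cfg, domain))
    # Anything else would make the server an open relay.
    return ("reject", f"relay to {domain} not permitted for {client_ip}")


# Constructed configuration: hosts, networks and addresses are examples only.
CONFIG = MailConfig(
    local_domains=frozenset({"ipbrick.domain.com"}),
    relay_domains=frozenset({"domain.com"}),
    relay_networks=("192.168.69.0/24",),
    smtp_routes={"domain.com": "accounts.domain.com", "": "smtp.isp.pt"},
)

# (client IP, authenticated, recipient) cases, each labelled with the expected path.
CASES = [
    ("192.168.69.10", False, "partner@example.org"),     # LAN host -> smarthost
    ("203.0.113.7", False, "bob@domain.com"),            # Internet -> internal accounts server
    ("203.0.113.7", False, "someone@example.org"),       # Internet, foreign domain -> reject
    ("203.0.113.7", True, "someone@example.org"),        # Internet, TLS + LDAP login -> smarthost
    ("203.0.113.7", False, "root@ipbrick.domain.com"),   # local mailbox
]


def run_cases(cfg=CONFIG, cases=CASES):
    """Evaluate every constructed case and return the verdicts in order."""
    return [decide(cfg, ip, auth, rcpt) for ip, auth, rcpt in cases]


if __name__ == "__main__":
    for case, verdict in zip(CASES, run_cases()):
        print(case, "->", verdict)
```

The third case is the one the Definitions and relay settings exist to prevent: an unauthenticated Internet host asking the server to deliver to a domain it neither serves nor relays for. Removing the default route (the "" key) turns the smarthost verdicts into direct delivery (None), which is where the reverse-DNS problem described under SMTP Routes starts.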
You can see the number of e-mails that are in the queue waiting to be delivered to their local or remote recipient as well as the total number of e-mails in the queue. The list presents the following fields: • ID: The only message identification added by IPBrick ; • Date: E-mail sending date; • From: E-mail sender; Reference Guide - Version 5.0 iPortalMais - 2008 3.7 E-Mail 49 Figure 3.32: E-Mail - Definitions 1/2 • To: e-mail recipient; • Subject: Message subject; • Size: Message size displayed in Kbytes. You can delete several e-mails at the same time by selecting the corresponding checkboxes and clicking in the Delete Mails option. You have to confirm this action in order to eliminate the chosen mails. When selecting a mail you can see its complete source. This operation is done in real time. Therefore is not necessary to Apply Configurations. ! Attention: E-mails deleted in the queue are eliminated definitely. A email can stand in queue for a default value of 7 days. ! Attention: When a message in queue is deleted the qmail service is restarted. 3.7.4 Users management This option provides a centralized management for each user email account of the system and it’s possible to configure: • State: The user email account can be enable or disabled; • Default mail: The user default mail address. It’s not mandatory to be equal to login@domain; iPortalMais - 2008 Reference Guide - Version 5.0 50 IPBrick.I Figure 3.33: E-Mail - Definitions 2/2 Figure 3.34: E-Mail - Definitions - Valid internal recipients • Alternative addresses; • Mail quota; • Message maximum site; Reference Guide - Version 5.0 iPortalMais - 2008 3.7 E-Mail 51 Figure 3.35: E-Mail - Definitions - Invalid senders Figure 3.36: E-Mail - Queue Management • Forward to; • Automatic reply message. Configuration example at Figure 3.38. 
Alternative Addresses

Alternative addresses (Figure 3.38) allow, on the one hand, practical logins that are easy to manage and, on the other, the comfort of more personalized e-mail addresses. This way a user can have an e-mail address with which he identifies more closely.

Figure 3.37: E-mail - Users Management

All mails sent to any of a user's defined alternative addresses are delivered to that user's inbox. Example:
name: John Smith
login: jsmith
email: jsmith@domain.com
Alternative Addresses:
john_smith@domain.com
john.smith@domain.com
john@domain.com

To insert a new e-mail address:
• Select the account (user);
• In the Alternative Addresses field, set the alternative e-mail address(es).

Whenever you want, you can access the e-mail address list (IPBrick user e-mail addresses arranged in groups) and change the names or the owner of an e-mail address. Note that when you change the owner of an alternative e-mail address, new mails to that address are delivered to the new user, while the other alternative addresses stay with the old user.

Figure 3.38: E-Mail - Alternative addresses, Forwarding and automatic replies

Mail Forward

Mail forwarding allows delivered mails to be sent to the user's mailbox and also to other internal or external e-mail addresses. To insert a new mail forward (Figure 3.38):
• Select the account (user);
• In the Forward to field, set the recipient e-mail address(es).

Automatic reply message

An automatic reply message is an e-mail sent automatically by IPBrick in answer to incoming e-mails. When an e-mail arrives at a user account with Auto Response configured, IPBrick sends a mail back to the sender with the personalized content defined by the user. To insert a new automatic reply (Figure 3.38):
• Select the account (user);
• In the Automatic reply message text area, insert the content you want. Example: Vacations.

3.7.5 Mailing Lists

A mailing list provides one-to-many e-mail distribution. To add a mailing list:
• Click Insert;
• Write the address you want in the mail field (Figure 3.39);
• Click Insert.

After adding a mailing list (Figure 3.40), you have to configure:
• Internal Users List: Set the IPBrick users that will be part of the mailing list;
• IPBrick Contacts address list: Set whether any contact present in the IPBrick Contacts site will be part of the mailing list;
• External Users List: Set the e-mail addresses that do not belong to the LAN (Figure 3.41).
In each case you only have to click Modify to add members to the list.

Figure 3.39: E-Mail - Mailing List - Insert
Figure 3.40: E-Mail - Mailing List - Users

3.7.6 Kaspersky Anti-Vírus

The Anti-Virus is already installed in the E-mail section. You only have to acquire a license to activate its management interface. After inserting the license, the interface displays the following links (Figure 3.42):
• Update: After the license expires, you need to renew it with a new license file;
• Delete: Removes the license;
• Configure: General configuration of notifications;
• Groups Management: Personalization of the Kaspersky Anti-Virus configuration and filtering;
• Statistics: Interface with specific statistics about Anti-Virus use.

General configurations

Click Modify to configure the notification e-mail addresses (Figure 3.43).
General Settings:
• Notify from address: Sender address used for the notifications;
• Notify to address: E-mail address that will receive the notifications.
Limits:
• Do not send notification to: Addresses that will not receive notifications (e.g. the notification sender).
Figure 3.41: E-Mail - Mailing List - External users
Figure 3.42: E-Mail - Kaspersky Anti-Vírus

Groups Management

The group default is already created. Clicking on the group displays its default general settings. Clicking Modify lets you personalize the following options (Figure 3.44):
• Enable: Kaspersky Anti-Vírus state;
• Group administrator address: Group administrator e-mail;
• Quarantine path: Directory where files placed in quarantine are stored;
• Sender mask: Can be added when a new group is created;
• Recipient mask: Can be added when a new group is created.

Figure 3.43: E-Mail - Kasp. Anti-Vírus - General Configurations
Figure 3.44: E-Mail - Kasp. Anti-Vírus - Groups Management

The notification rules for any type of object can be changed in the Notification Rules menu, as shown in Figure 3.45.

Figure 3.45: E-Mail - Kasp. Anti-Vírus - Notification Rules

In the Filter menu (Figure 3.46), you may set filter rules/exceptions by file name or by MIME type.

Figure 3.46: E-Mail - Kasp. Anti-Vírus - Filter

Statistics

Several statistics are displayed in this interface:
• Virus statistics in period: Options for the graphic shown in Virus Statistics:
– Start: The starting date for the statistics;
– View: Can be set in hours, days, months or years;
– Repetition: Scale of the graphic's horizontal axis;
– Group: Groups the data, depending on the chosen view;
• Virus statistics: The display can be filtered by: infected files, protected, corrupted, errors and files where disinfection failed;
• Virus list: Can be ordered by virus name or by number of occurrences;
• List of e-mail senders: Statistics about files by sender address;
• List of e-mail recipients: Statistics about files by IPBrick recipient address.
An example can be seen in Figure 3.47 and Figure 3.48.

Figure 3.47: E-Mail - Kasp. Anti-Vírus - Statistics 1/2
Figure 3.48: E-Mail - Kasp. Anti-Vírus - Statistics 2/2

3.7.7 Kaspersky Anti-Spam

Like Kaspersky Anti-Virus, Anti-Spam is already installed; you only need to apply a license to activate this feature on the Communications IPBrick. After activation, the following options are displayed:
• Update: After the license expires, you need to renew it with a new license file;
• Delete: Removes the license;
• Configure: General configuration of notifications;
• Statistics: Interface with specific statistics about Anti-Spam use.

The most important Anti-Spam configuration features are:
• Add every e-mail domain of the company that the Anti-Spam should filter (Figure 3.49);
• Set the Kaspersky Anti-Spam detection level. Standard is the default level. If the rate of received spam is high, the detection level should be increased (Figure 3.51);
• Redirect all e-mails classified as spam by Kaspersky Anti-Spam to an e-mail account (in Figure 3.50: kaspersky@domain.com). This lets the network administrator review all e-mails classified as spam; if an e-mail was misclassified, the administrator may forward it to its intended recipient. In a topology with an Intranet IPBrick and a Communications IPBrick, use a local mailbox on the Communications IPBrick (e.g. spam@com.domain.com), because all spam must stay on the communications server;
• Add e-mail and IP address whitelists and blacklists, if there are any (menu in Figure 3.49).

Figure 3.49: E-Mail - Kasp. Anti-Spam - Protected Domains

Statistics

Several statistics are displayed in this interface:
• Spam statistics in period: Options for the graphic shown in Spam Statistics:
– Start: The starting date for the statistics;
– View: Can be set in hours, days, months or years;
– Repetition: Scale of the graphic's horizontal axis;
– Group: Groups the data, depending on the chosen view;
• Spam statistics: The display can be filtered by: clean files, spam, probable spam and blacklists;
• List of e-mail recipients: Statistics about files by IPBrick recipient address.
An example is shown in Figure 3.52.

Figure 3.50: E-Mail - Kasp. Anti-Spam - Actions
Figure 3.51: E-Mail - Kasp. Anti-Spam - Rules
Figure 3.52: E-Mail - Kasp. Anti-Spam - Statistics

3.8 Print Server

This section deals with the management interface for the printers to be made available on the network. When you define a printer you are asked to fill in these fields (Figure 3.53):
1. Name: Printer name;
2. Description: Short description of the printer. This field is not mandatory;
3. Location: Physical location in the company. This field is not mandatory;
4. Interface: Interface type used between the printer and the server. There are 4 options:
• Parallel port;
• Serial port;
• USB port;
• Network printer: connected to a LAN switch.
5. Device: Device used by the printer. This is directly related to the interface and is only available for the parallel, serial and USB port interfaces (e.g. Interface -> Parallel Port, Device -> Parallel Port 1).
6. In the case of a network printer, the following information is required:
• Address: The network printer's IP address. Only available for network printers (e.g. 192.168.1.1);
• Port: Port used by the network printer. This field is not mandatory and is only available for network printers (e.g. for an HP printer: 9100).

After inserting a printer, IPBrick has to make the drivers available to the client stations in order to finish the configuration. Therefore the printer drivers have to be transferred to the server:
1. Log on to a Windows station with a user of the Administrators group (the workstation has to be already registered in the IPBrick domain);
2. Press [Win]+[R] and type \\ipbrick;
3. Select Printers and Faxes and verify that the printer added in the IPBrick web interface is shown;
4. Right-click inside the Printers and Faxes window and select Server Properties;
5. Select the Drivers tab in the window presented;
6. Choose "Add", set the manufacturer and the printer model and click Next;
7. Select the Windows version(s) the drivers have to correspond to;
8. Click Finish. The printer's drivers are now transferred to IPBrick;
9. In the Printers and Faxes share on IPBrick, right-click the printer and choose Printer Properties. You will be prompted with a message like the one in Figure 3.54. Choose "No";
10. Go to "Advanced", select the driver just added and click "Apply".
To configure the printer on the client side:
• Press [Win]+[R];
• Type \\ipbrick in the new window;
• Right-click on the printer and choose "Connect".
The printer is now listed in "Printers and Faxes" on the client side.

Figure 3.53: Print Server - Inserting a network printer at IPBrick
Figure 3.54: Print Server - Printer configurations

3.9 Backup

A backup consists of copying data from one device to another with the aim of preserving the data in case of future problems. Usually the copy is made from the hard disk to tapes, DVDs or other disks. Nowadays paper is increasingly replaced by digital files, which makes a reliable backup system important for companies.

3.9.1 Bacula

IPBrick 5.0 includes Bacula, a complete network backup solution. Link: http://www.bacula.org.

3.9.2 Remote

This option allows you to configure scheduled backups to a NAS (Network Attached Storage) device or to an rsync server. Rsync is a powerful backup tool included in IPBrick that makes incremental copies of files/directories to another rsync server. To add a backup task, click Insert (Figure 3.55). The following fields are presented:

Backup definitions:
• Backup Name: The name of the backup;
• Notification E-mail: Recipient of all the backup notifications;
• Job to do: There are two options:
– Copy: Copies all work areas to the backup device (/home1, /home2, /home3, ...);
– Restore: Restores all work areas from the backup device;
• Periodicity: The backup is always daily;
• Time to start: Time at which the copy starts.

Destination Data Definitions:
• Data Location: The only option is remote; the destination is always a remote machine;
• Backup Device:
– NAS (SMB): The backup device is a NAS with an SMB share. The backup is made with the archiving utility tar. Options available:
∗ IP address: The backup device's IP address;
∗ Login: Username that has access to the share;
∗ Password: Share password;
∗ Share Name: Name of the share created on the NAS.
– NAS (NFS): The backup device is a NAS with an NFS share. The backup is made with the incremental backup utility rsync. Options available:
∗ IP address: The backup device's IP address;
∗ Share Name: Name of the share created on the NAS.
– Rsync Server: The backup device is a machine running an rsync server. An example rsync server configuration is given in the next section. Option available:
∗ IP address: The rsync server's IP address.

Figure 3.55: Backup - Task insertion

Once a backup task is inserted, the Backups List offers the following options (Figure 3.56):
• Name: Clicking the backup name gives access to:
– Back: Go to the backups list;
– Modify: Modify the current backup task definitions;
– Delete: Delete the current backup task;
• Start copy: Starts the backup immediately;
• Statistics: Backup statistics;
• LOG: Backup log messages.

Figure 3.56: Backup - Task list

Rsync server configuration

If the backup device is another IPBrick, that server must be prepared to act as an rsync server. Suppose the client IPBrick machine has the following configuration:
• IP: 192.168.69.199;
• FQDN: ipbrick.domain.com.
On the IPBrick rsync server:
1. Create a group work area (share) in Workarea 1, with the FQDN as the share name: ipbrick.domain.com;
2. Connect by SSH to the IPBrick server and type the following command so that rsync is always started when the server reboots:
update-rc.d rsync defaults 20
3. Create the rsync configuration file by typing:
nano /etc/rsyncd.conf
4. Fill in the following content:
uid = root
[ipbrick.domain.com]
path = /home1/_shares/ipbrick.domain.com
hosts allow = 192.168.69.199
read only = false
write only = false
5. Save the file and exit nano;
6. Start rsync with:
/etc/init.d/rsync start

Note that hosts allow restricts this module by source IP address only, and with uid = root and read only = false any host on that list can write as root anywhere under path. Keep the hosts allow list limited to the backup client(s).

3.10 Fax Server

The fax server has been integrated in IPBrick since version 4.1. It works with a serial fax modem or with the fax integrated in the IP PBX server. Incoming faxes are automatically forwarded by e-mail. The Fax Server configuration is done through the web interface in IPBrick.I - FAX Server (Figure 3.57).

Figure 3.57: Fax Server - Configure

IPBrick provides two services: FAX2Mail and Mail2FAX. With FAX2Mail, a fax sent by an external fax device is received by the fax connected to IPBrick and then forwarded to a defined e-mail address. With Mail2FAX you can send a PDF file attached to an e-mail to a defined fax number. To enable this you have to configure the e-mail client with the SMTP server where the fax service is running, and add the configured fax domain to the list of domains the e-mail server is allowed to relay.

3.10.1 Fax2Mail

To configure the service, click the Modify link and select Yes in Enable Configuration. The following options are displayed:
• Fax Device: Type of physical connection/fax hardware.
– Line type: When the server has a telephony PCI card acting as fax. The line type can be ISDN or ANALOG, the latter for an analogue telephony access (Figure 3.58);
– Serial Fax Modem: If the modem is connected to a serial port of the server, choose the port connected to the modem in the Serial Ports list (COM1 to COM8), the baud rate (1200 to 38400) and the modem class (Class 1 to Class 2.1). To find the appropriate values, read the modem manual (Figure 3.59).
• Number of virtual fax machines: You can use more than one virtual fax machine;
• Main Fax Number: The PSTN fax number presented when a fax is sent;
• Company identification: Company name presented when a fax is sent;
• Country Code: Country phone code presented when a fax is sent;
• Area Code: Area phone code presented when a fax is sent;
• Long distance prefix: 0 by default;
• International prefix: 0 by default;
• Rings Before Answer: Number of rings before IPBrick answers the fax. Useful if another fax device is connected: for example, if that device cannot receive the fax, the IPBrick fax server can answer on the 5th ring;
• Speaker volume: Fax sound volume;
• Enable delay: Should be active by default;
• Sender of notifications: Internal e-mail account that sends notifications to the users of Mail2FAX (e.g. error sending the fax, task completed successfully). By default "IPBrick Fax Server" at the current domain is used;
• Sender of received fax notifications: Identification of the sender of reception warnings. By default "IPBrick Fax Server" is used.

Figure 3.58: Fax Server - FAX at telephony card

If the inserted fax is connected to a serial port, there are some further options:
• Send to: At this moment the only option available is sending to e-mail;
• Destination: The e-mail address to which incoming faxes are forwarded;
• File type: The format in which faxes are delivered (pdf, ps or tiff).

To activate the configuration, click Modify. If you access the menu again, there will be two new options next to the Modify link: Fax Users and Fax Lines (the latter if the fax is connected to an analogue telephony/ISDN card).
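Both fax directions of this section, FAX2Mail (a received fax delivered to the configured Destination as a pdf/ps/tiff attachment) and Mail2FAX (an e-mail to number@fax_domain with a PDF attached, described in 3.10.2 below), can be modelled with the Python standard library. The block below is an added example, not IPBrick code and not the actual fax software; it is useful mainly for the Mail2FAX receiving side, where the server has to decide whether an incoming message is really a fax request. The fax domain fax.domain.com and the sender fax@domain.com are the manual's recommended/default values; the rule that the local part must be a plain fax number (digits, optionally with a leading +) and the sample PDF/TIFF bytes are constructed assumptions.

```python
"""Added example (not IPBrick code): FAX2Mail message construction and
Mail2FAX request validation using the standard e-mail library.
Values marked ASSUMPTION are not given by the manual."""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

FAX_DOMAIN = "fax.domain.com"   # recommended fax-sending domain in the manual
FAX_ACCOUNT = "fax@domain.com"  # default sender of notifications/reception warnings
MIME_TYPES = {"pdf": ("application", "pdf"),
              "ps": ("application", "postscript"),
              "tiff": ("image", "tiff")}                 # the three File type options
NUMBER_RE = re.compile(r"^\+?[0-9]{3,20}$")              # ASSUMPTION: what a fax number looks like


def fax2mail_message(fax_data: bytes, file_type: str, destination: str,
                     sender_number: str, pages: int) -> EmailMessage:
    """FAX2Mail: wrap a received fax into an e-mail for the configured Destination."""
    maintype, subtype = MIME_TYPES[file_type]
    msg = EmailMessage()
    msg["From"] = FAX_ACCOUNT
    msg["To"] = destination
    msg["Subject"] = f"Fax received from {sender_number} ({pages} pages)"
    msg["Auto-Submitted"] = "auto-generated"   # machine-generated: auto-responders should not answer it
    msg.set_content("A fax was received; see the attached file.")
    msg.add_attachment(fax_data, maintype=maintype, subtype=subtype,
                       filename=f"fax-{sender_number}.{file_type}")
    return msg


def build_mail2fax_request(number: str, pdf_data: bytes,
                           sender: str = "jsmith@domain.com",
                           fax_domain: str = FAX_DOMAIN) -> bytes:
    """Mail2FAX, workstation side: To: number@fax_domain, subject optional, PDF attached."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = f"{number}@{fax_domain}"
    msg.set_content("")
    msg.add_attachment(pdf_data, maintype="application", subtype="pdf",
                       filename="document.pdf")
    return bytes(msg)


def mail2fax_target(raw_message: bytes, fax_domain: str = FAX_DOMAIN):
    """Mail2FAX, server side: return (fax_number, pdf_bytes) or raise ValueError.

    Only messages addressed to <number>@<fax_domain> with a PDF attachment are
    accepted; anything else is rejected before it reaches the fax queue."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    rcpt = str(msg["To"] or "").strip()
    local, sep, domain = rcpt.rpartition("@")
    if not sep or domain.lower() != fax_domain.lower():
        raise ValueError(f"recipient {rcpt!r} is not in the fax domain {fax_domain}")
    if not NUMBER_RE.match(local):
        raise ValueError(f"{local!r} is not a fax number")
    for part in msg.iter_attachments():
        if part.get_content_type() == "application/pdf":
            return local, part.get_payload(decode=True)
    raise ValueError("no PDF attachment found")
```

The workstation side is trivial by design, which is the point of Mail2FAX; the check worth keeping is on the server side, where an address such as sales@fax.domain.com or a message without a PDF is refused instead of being queued.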
Figure 3.59: Fax Server - Serial Fax Modem

In Fax Users (Figure 3.60) you can set which users may authenticate in the fax client application and which have permission to manage the fax queue lists. The fax client is WHFC, available for download at http://whfc.uli-eckhardt.de/. The advantage of using a fax client on the workstation side

Fax Line

The fax line settings are (Figure 3.61):
• Line Type: ISDN is the only option. The fax arrives from the PSTN on an ISDN line;
• Fax Interface: By default the PSTN is used. It is also possible to specify a trunk reserved for fax in Advanced Configurations - Telephony - Interfaces, option Insert;
• Fax number: Can be given as its DDI, as the complete fax number or after a 0;
• Send to: E-mail is the only option;
• Destination: Recipient e-mail address for the faxes;
• File type: The fax can be received as a .pdf, .ps or .tif attachment.

Figure 3.60: Fax Server - Fax Users
Figure 3.61: Fax Server - Fax line definitions

By default, notifications and reception warnings are delivered to the e-mail address fax@<domain>. You therefore have to create an e-mail account with this name, or an alternative address with this name for another existing account.

Note: You have to activate the Fax service in Advanced Configurations - System - Services: click FAX and enable Active and Automatic start.

3.10.2 Mail2Fax

The Mail2Fax definitions have two options:
• Domain for fax sending: An internal domain used only to send faxes. You can choose any domain you want, but the recommended one is fax.domain.com. When the e-mail server receives a message for that FQDN, the message attachment is forwarded to the fax server, which sends the fax over the PSTN;
• Presented source fax number: For each LDAP group it is possible to define the source fax number presented when someone sends a fax to the PSTN.

After updating the configuration you will be able to send faxes from a workstation using a simple e-mail client. On the workstation side:
• Set up an e-mail account with its SMTP server pointing to IPBrick, or use webmail;
• In the To: field insert number@fax_domain, for example 221121112@fax.domain.com;
• The subject is optional; attach the .pdf file that will be sent as the fax.

3.10.3 Statistics

This menu displays statistics about sent faxes, received faxes and tasks in progress.

Sent Faxes
Visible fields (Figure 3.62):
• ID: Fax identification;
• Date: Sending date;
• Owner: Fax sender;
• Pages: Number of pages;
• Origin: Origin e-mail address;
• Number: Fax number;
• Attempts: Number of attempts;
• State: Fax sending status.

Figure 3.62: Fax Server - Sent Faxes

Received Faxes
Visible fields (Figure 3.63):
• Sender: Sender name;
• Destination: Receiver number;
• Pages: Number of pages;
• Reception date;
• File: Fax file.

Figure 3.63: Fax Server - Received Faxes

Current faxes
Visible fields (Figure 3.64):
• Delete: Deletes the fax;
• ID: Fax identification;
• Owner: Fax sender;
• Number: Fax number;
• Pages: Number of pages;
• Attempts: Number of attempts;
• State: Fax sending status.
In this menu you can view statistics and delete tasks.

Figure 3.64: Fax Server - Current Faxes

3.11 Terminal Server

The IPBrick terminal server provides operating system loading over the network for terminal stations that operate only with a browser, and access for Windows machines through remote desktop.
⇒ Note: IPBrick must be working as the DHCP server on the network (and has to be the only DHCP server). The terminal server client receives from IPBrick the information necessary to boot from the network.

3.11.1 Configuration

First, you have to activate the Terminal Server in IPBrick's web interface: go to IPBrick.I - Terminal Server, click Modify and choose Yes. After activation, you may configure the terminal server with these fields:
• Display [2 to 5]:
– Server Remote Desktop: The terminals connect to IPBrick, and IPBrick is responsible for the connection to the Windows server:
∗ Server: Address to connect to by remote desktop;
∗ Domain: The Windows domain to connect to (e.g. iportal2003).
– Terminal Remote Desktop: The terminal connects directly to the server:
∗ Server: IP address of the server to connect to by remote desktop;
∗ Domain: The Windows domain to connect to (e.g. iportal2003).
– Mozilla-Firefox: Opens a Firefox browser session;
– Telnet Session:
∗ Server: IP address of the telnet server. It is possible to connect to another service by indicating a specific port. Syntax: ip_address:port;
– Linux Remote Desktop: Remote connection to a Linux machine;
– Others: Presents a command line.
• Keyboard model: Depends on the number of keys. Options: pc101, pc102, pc103, pc104, pc105.
• Keyboard layout: de (German), es (Spanish), fr (French), pt (Portuguese), us (English).
• Mouse protocol: Type of protocol used by the mouse on the client station;
• Mouse device: System device to be used (/dev/...);
• Mouse resolution: Resolution mode used by the mouse;
• Mouse buttons: Number of mouse buttons;
• X Server: Specific commands to run the graphic environment. auto is the default mode;
• Printer [0...1] type: The printer type you want to use;
• Printer [0...1] device: Specific device for the printer (/dev/...);
• Local Device [0...2]: Other devices you want to use (/dev/...);
• Mode [0...2]: Possible screen resolutions: 1768x1024, 1024x768, 800x600, 640x480;
• Module 01...02: Allows loading two kernel modules.
A first configuration example is shown in Figure 3.65 and Figure 3.66.

Boot and Operating System

If thin clients are used, after the first terminal configuration IPBrick needs an LTSP boot system and an operating system. The boot system (kernel) is loaded into the thin clients' memory.

Boot Systems
To load boot systems (kernels), click the kernel link (Figure 3.67). The following fields are displayed under Boot system configuration:
• Description: Kernel text description;
• Boot loader: Selected in a later step;
• Kernel: Click Archive and select the kernel file from the link above.
In the next step you have to choose the boot loader. If the thin clients support PXE boot, choose the boot loader /pxelinux.0 (Figure 3.68).

Operating Systems
To load the operating system, click OS in the top menu (Figure 3.69) and then Insert, which displays the following options:
• Description: Description of the operating system;
• Operating system: Click Archive and select the OS version to run.

Figure 3.65: Terminal Server - General Configuration - 1/2

The kernel and operating system files should be downloaded from:
http://downloads.ipbrick.com/IPBrick/download/ltsp/
For IPBrick 5.0 you need to download the files:
debian_ltsp5_BOOT_final.tgz
debian_ltsp5_OS_final.tgz
For older versions of IPBrick you need the files root.tgz (OS) and 2.6.9-ltsp-3.tgz (boot system). A full configuration example for booting a PXE thin client is shown in Figure 3.70.
Machines
If the terminals are registered in IPBrick (IPBrick.I - Machines Management), you may personalize the configuration of a terminal in the machines link (Figure 3.71), choosing whether the default options set in the top menu of the configuration are to be used.

Figure 3.66: Terminal Server - General Configuration - 2/2
Figure 3.67: Terminal Server - Boot System configuration

After loading the boot system(s) and operating system(s), click Back and then Terminal OS, and choose the kernel and operating system you want to use.

Figure 3.68: Terminal Server - Boot Loader configuration
Figure 3.69: Terminal Server - Operating System

3.11.2 Client configuration

Clients must boot from the network to use the Terminal Server. For example, on a Book PC, boot the machine and enter the BIOS with Shift + F10. The configuration should be (values can be changed with the arrow keys <- and ->):
Network Boot Protocol : PXE
Boot Order : Int 19h
Show Config Message : Enable
Show Message Time : 3 Seconds
After this configuration an orange window appears with the message: Always boot network first, then local devices.

Figure 3.70: Terminal Server - Configuration for PXE boot
Figure 3.71: Terminal Server - Machines

Confirm the changes by pressing F4. This procedure makes sure that the client machine boots from the network. After rebooting, the client machine boots through IPBrick.

Note: If the login screen of the Linux graphical interface appears after booting, restart the X server with [CTRL]+[ALT]+[BACKSPACE].
If the same window appears even after the restart, you can log in with user ltsp and password ltsp.

Several screens may be active for the same client (depending on what was set in the Number of Displays field in IPBrick). Switching between screens is done with [CTRL]+[ALT]+[F1] for screen 1, [CTRL]+[ALT]+[F2] for screen 2, and so on.

Chapter 4 IPBrick.C

This chapter describes the IPBrick menus used to manage the main communication services between the company and the Internet. Like the IPBrick.I menu, the IPBrick.C menu is a menu of functional configuration: the IPBrick administrator states what he intends, and the software makes the configurations according to those indications and keeps them consistent. This chapter is divided into the following sections:
• Firewall;
• Proxy;
• VPN;
• E-Mail;
• Web Server;
• FTP Server;
• Webmail;
• VoIP;
• IM.

4.1 Firewall

Note: Any change to a firewall rule implies activation of the firewall. Even if the firewall has been expressly stopped, changing one of its rules restarts the firewall.

4.1.1 Available Services

Presentation
IPBrick has a number of installed services. Some are enabled and some are stopped; some are meant for the Intranet and some are also meant to be available from the Internet. In this interface you tell the firewall which Internet-related services have to be reachable from the outside world. These services are:
• Web Server;
• E-mail server;
• SSH;
• FTP.
Body The list (Firewall ¿ Available Services (Figure 4.1), indicates the service status - whether the firewall is configured to let that service work (Active) or it is configured to block those service ports (Inactive). Note that defining here a service as active doesn’t start the service or stops it. The single change implemented in the Definitions Update only affects the firewall service (first it stops, reconfigures and then restarts). In other words, here you can only configure the firewall to open or to shut the Internet port for a defined service (whether the service is working is another configuration besides this section). 4.1.2 Block Services Like the situation before the option to block services only Enables (unlocked) or Disable (locked) the normal operation of the shown applications (Figure 4.2). 4.2 Proxy The proxy service aims the Web access to network users and is commonly used to get a better network management. It makes cache from the accessed site files, providing a better band width management and the personalization of parameters like who’s allowed to access the web and in what time and kind of pages can be visited. The software that implements the IPBrick proxy service is named squid and runs on gate 3128. The section is subdivided into three parts, namely: • Configuration; • Statistics; • Kaspersky Proxy. Reference Guide - Version 5.0 iPortalMais - 2008 4.2 Proxy 87 Figure 4.1: Firewall - Available Services 4.2.1 Configuration Presentation The presented main proxy configuration (Figure 4.3) determines the normal operation of the Internet browsers. Therefore it is recommendable to define each Proxy type first: 1. Standard Proxy: It is not obligatory to use the proxy to access the Internet. The proxy is only used by those who configure the browser to use the proxy from the IPBrick port 3128. 
Users without any additional browser configurations continue to access the Internet without any problems.The web accesses are registered by IP’s for statistical aims. 2. Transparent Proxy: Every Internet access is done through the proxy. The firewall has to be activated. Users may configure their browsers to use the indicated proxy. They may also continue to access the Internet without any proxy configurations in their browsers. Here the firewall makes the traffic routing to the proxy. The web accesses are registered by IP’s for statistical aims. 3. Proxy with authentication: The Internet access is only possible by using this proxy. In order to have a web access users have to configure their browser with this proxy. Once the browsers are configured a valid authentication is asked whenever the users open the browser to access the Internet. The user iPortalMais - 2008 Reference Guide - Version 5.0 88 IPBrick.C Figure 4.2: Firewall - Block Services authentication is done with logins and passwords. The firewall has to be activated. All web accesses are registered for each user for statistical aim. Configurations Link to the proxy rules settings. This interface (Figure 4.4) has the following options: • Source groups list: Sets an origin group with access to proxy. After this group creation, the accesses can be set by: Machine group, Machine, IP Subnets, IP Machines and IP ranges.By default IPBrick has a LAN group with its own defined IP Subnet; • Destination groups list: Sets destination groups (Web servers). You can set Domains, Extensions or Words in the URL each created destination group. By default the created group is named INVALID; • Blacklists: Displays the set of blacklists that were configured at Other configurations; • List of time spaces: Sets specific periods based on hours and week days; • Access Lists: Sets access permissions from the created origin and destination groups, as well as defined blacklists and periods. 
For instance, you Reference Guide - Version 5.0 iPortalMais - 2008 4.2 Proxy 89 Figure 4.3: Proxy - Configuration can set that all destinations can be accessed by the LAN group, with the exception of INVALID destination group and blacklist porn, in an undefined period (always). Source groups list To modify the LAN group you just have to click on the name. You can insert a new origin group clicking on Insert link. Settings: • Machine groups: You can associate to this group an existing machine group; • Machines: Lists the machines that are registered in IPBrick and provides direct association to the origin group; • IP subnets: Provides subnets association, defining the network IP and its mask; • IP machines: Provides machine association to the group by IP; • IP ranges: You can set IP ranges with proxy access. By default the proxy have a source group called LAN where only the IP Subnet is used (Figure 4.6). iPortalMais - 2008 Reference Guide - Version 5.0 90 IPBrick.C Figure 4.4: Proxy - Rules 1/2 If you choose the proxy with authentication mode, it’s possible to filter the web access’s not only by machines IP but using LDAP too. In Figure 4.7 we can see an example of a source group represented only by a LDAP group. Destination groups Destination groups (Figure 4.8) are like a group (identified by name) of access web servers. This destinations are configurable with their definitions in: • Domains: You may configure FQDN1 access, by domain or by TLD2 accessadding a record to each line. Some possible denial examples: FQDN example: www.sapo.pt www.marca.es Domain example: sapo.pt marca.es 1 2 Fully Qualified Domain Name Top Level Domains Reference Guide - Version 5.0 iPortalMais - 2008 4.2 Proxy 91 Figure 4.5: Proxy - Rules 2/2 TLD example: pt es • Extensions: In order to prevent certain files download through web pages you need to deny access to some file extensions. The following example shows that the download of three file extensions won’t be possible. 
  Example of extensions denial:
    mp3
    mov
    mpg

• Words in URL: In this field you can deny access to pages whose URL contains certain words after the domain (after the slash). An example for two words:

  Denial example for words in the URL:
    video
    jokes

  The following sites would be denied:
    http://www.mtv.com/music/video/
    http://en.wikipedia.org/wiki/Video
    http://kids.yahoo.com/jokes

Figure 4.6: Proxy - Source groups
Figure 4.7: Proxy - Source groups - LDAP filter
Figure 4.8: Proxy - Destination groups

List of time spaces

This option lets you specify periods to be used afterwards in Access Lists. These periods can be week days or hours.

Access Lists

There is already a pre-configured access list in IPBrick specifying this: attempts to access sites made from the LAN origin that aim at sites included neither in the destination group INVALID nor in the porn blacklist, in an undefined period (24 hours), are accepted. Because no more lines are created, all remaining accesses will be blocked (Figure 4.9).

Access lists have the following structure:

• Source: Identification of the origin group targeted by the rule;
• Destination: Identification of the destination groups targeted by the rule;
  – Available Groups: For the created destination groups you can make the following rules: Access to included sites ONLY IN destination group x; Access to sites NOT IN destination group x; Access to sites ALLOW IN destination group x;
  – Blacklists: Lets you select which blacklists are activated. Example: if the porn list is selected, every site that is out of the list can be accessed.
• Period: The (already inserted) time period during which the rule is active;
• Policy: This is not configurable; the value is always to deny everything that is not set in the access lists.

Access lists should be ordered by rules from generic to specific.
The generic rules should be placed at the top and the more specific rules at the bottom (as in the firewall case). If there are several access lists you can order them by clicking on Order by.

Figure 4.9: Proxy - Access Lists

Remote Proxy

In this option you can indicate a list of remote proxy servers. These servers should provide web access because they usually have a huge cache, increasing the speed of web access (Figure 4.10).

• List of remote proxy servers: You can use several web proxies and afterwards order that list;
• Don't use remote proxy for the following sites: If you don't want to use the remote proxy for certain sites, you must indicate them here.

Figure 4.10: Proxy - Remote Proxy

Other configurations

Blacklists

In this context, blacklists are site lists organized in several categories that are considered inconvenient. You can find here the following options (Figure 4.11):

• Url for update: Address that provides the download of the file with the list of sites to block; by default this is the squidGuard URL. The file is automatically uncompressed on the system. To update the list immediately click Update;
• Current file MD5SUM: MD5 hash of the file, if it has been calculated. It lets you check file integrity;
• Available categories: List of the categories present in the compilation (usually considered unsuited to LAN use):
  – ads: List of advertisement sites;
  – aggressive: List of violent content sites;
  – audio-video: List of music and video content sites;
  – drugs: List of drug related content sites;
  – gambling: List of gambling sites;
  – hacking: List of hacking sites;
  – mail: List of sites that provide free webmail services;
  – phishing: List of sites about phishing;
  – porn: List of sites with pornographic content;
  – proxy: List of sites that provide anonymous proxy service;
  – warez: List of sites with pirate software content.
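The rule model of the Configurations, Destination groups, Blacklists and Access Lists sections above, as an added example written for this page and not IPBrick's own implementation: source groups by subnet, IP, range or LDAP user; destination groups by FQDN/domain/TLD, extension or word in the URL; blacklists; time spaces; and first-match evaluation of the ordered access list with deny as the policy. The group names, addresses and the example-adult.test blacklist entry are constructed.

```python
"""Evaluator for the proxy rule model: source groups, destination groups,
blacklists, time spaces and an ordered access list whose policy is deny.
Added illustration; group names and sample data are constructed."""
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit


@dataclass
class SourceGroup:
    """Origin of a request: IP subnets, IP machines, IP ranges or LDAP users."""
    name: str
    subnets: List = field(default_factory=list)      # ip_network values
    hosts: Set = field(default_factory=set)          # ip_address values
    ranges: List = field(default_factory=list)       # (first, last) ip_address pairs
    ldap_users: Set = field(default_factory=set)     # used in authentication mode

    def contains(self, ip: str, user: Optional[str] = None) -> bool:
        addr = ip_address(ip)
        return (user in self.ldap_users
                or addr in self.hosts
                or any(addr in net for net in self.subnets)
                or any(lo <= addr <= hi for lo, hi in self.ranges))


@dataclass
class DestinationGroup:
    """Web servers by FQDN/domain/TLD, file extension or word after the slash."""
    name: str
    domains: Set[str] = field(default_factory=set)
    extensions: Set[str] = field(default_factory=set)
    words: Set[str] = field(default_factory=set)

    def matches(self, url: str) -> bool:
        parts = urlsplit(url if "://" in url else "http://" + url)
        labels = (parts.hostname or "").split(".")
        # "sapo.pt" covers www.sapo.pt; the TLD entry "pt" covers every .pt host
        if any(".".join(labels[i:]) in self.domains for i in range(len(labels))):
            return True
        path = parts.path.lower()                 # the query string is not inspected
        last = path.rsplit("/", 1)[-1]
        if "." in last and last.rsplit(".", 1)[-1] in self.extensions:
            return True
        return any(word.lower() in path for word in self.words)


@dataclass
class TimeSpace:
    """Period for access lists: week days (0 = Monday) and a daily window."""
    name: str
    weekdays: Set[int]
    start: Tuple[int, int]     # (hour, minute), inclusive
    end: Tuple[int, int]       # (hour, minute), exclusive

    def active(self, when: datetime) -> bool:
        clock = (when.hour, when.minute)
        return when.weekday() in self.weekdays and self.start <= clock < self.end


@dataclass
class AccessRule:
    """One access-list line.  Lines only grant access; the policy denies the rest."""
    source: SourceGroup
    only_in: List[DestinationGroup] = field(default_factory=list)     # ONLY IN group x
    not_in: List[DestinationGroup] = field(default_factory=list)      # NOT IN group x
    blacklists: List[DestinationGroup] = field(default_factory=list)  # activated categories
    period: Optional[TimeSpace] = None                                # None = always

    def grants(self, ip: str, url: str, when: datetime, user: Optional[str] = None) -> bool:
        if not self.source.contains(ip, user):
            return False
        if self.period is not None and not self.period.active(when):
            return False
        if self.only_in and not any(g.matches(url) for g in self.only_in):
            return False
        return not any(g.matches(url) for g in self.not_in + self.blacklists)


def evaluate(access_list: List[AccessRule], ip: str, url: str, when: datetime,
             user: Optional[str] = None) -> Optional[int]:
    """Index of the first line that grants the request, or None when it is blocked."""
    for index, rule in enumerate(access_list):
        if rule.grants(ip, url, when, user):
            return index
    return None


# Constructed configuration mirroring the pre-configured list: LAN may reach
# everything except the INVALID group and the porn blacklist, in any period.
LAN = SourceGroup("LAN", subnets=[ip_network("192.168.1.0/24")])
INVALID = DestinationGroup("INVALID", domains={"sapo.pt", "marca.es"},
                           extensions={"mp3", "mov", "mpg"}, words={"video", "jokes"})
PORN = DestinationGroup("porn", domains={"example-adult.test"})   # stand-in for the category file
DEFAULT_ACCESS_LIST = [AccessRule(LAN, not_in=[INVALID], blacklists=[PORN])]

if __name__ == "__main__":
    now = datetime(2008, 8, 1, 10, 0)
    for url in ("http://www.google.com/", "http://kids.yahoo.com/jokes", "http://www.sapo.pt/"):
        line = evaluate(DEFAULT_ACCESS_LIST, "192.168.1.20", url, now)
        print(url, "-> accepted by line %d" % line if line is not None else "-> blocked")
```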
Content access management

Sets the number of simultaneous filtering processes, which depends on the machine performance and the present CPU load. The default is five processes.

Proxy cache options

• Cache enabled: Activates the proxy cache service. If the cache is activated, every page accessed by the origin groups is stored on the server. Example: if the page www.google.com is in the cache, the browser will only access IPBrick instead of the Google web server, providing better bandwidth management.
• Cache size: Maximum cache size. If the limit is reached, the older cache files are removed.
• Cache location: The default is the /var partition. If you choose a big cache size it is a good option to choose the /home1 or /home2 partition.

All these settings can be viewed in Figure 4.11.

4.2.2 Statistics

Advanced Web Statistics 6.4 is the software that generates several important statistics for the network administrator, like detailed cache statistics and accesses (Figure 4.12). There are different statistics types:

• Global statistics: Global network statistics;
• Statistics by machine: You have to select the machine you want from a list of LAN machines. The purpose is to give individual statistics for each machine;
• User statistics: If the proxy configuration has authentication, a user list is displayed here. You have to select the user from this list to see their individual statistics.

Figure 4.11: Proxy - Other configurations

4.2.3 Kaspersky Proxy

In this section you may activate the Kaspersky license for the proxy. With this procedure all the web accesses made from the browser are filtered by the Anti-Virus running on the proxy, providing an effective protection against Trojans, Spyware, Dialers, etc.
After inserting the license, the interface displays the following links (Figure 4.13):

• Update: After the license expiration you should renew it with a new license file;
• Delete: Removes the license;
• Configure: Provides the general Anti-Virus configuration options;
• Statistics: Interface with specific statistics about the proxy Anti-Virus.

Configure

General settings:
• Notify from the address: Sender of the notifications;
• Notify to the address: Email address that will receive the notifications.

Figure 4.12: Proxy - Statistics
Figure 4.13: Proxy - Kaspersky - Licence

Object settings:
• Objects to analyse:
  – Compressed files;
  – Archives;
  – Mail databases;
  – Plain mail format.

Scan settings:
• Cure: If activated, detected viruses will be automatically removed;
• Use heuristic: If activated, viruses can be detected through the analysis of code whose characteristics and behavior are similar to a virus.

To modify these configurations (Figure 4.14) you need to click Modify.

Figure 4.14: Proxy - Kaspersky - General Settings

Statistics

Several statistics are displayed in this interface:
• Virus Statistics in period: Options to display the graphic presented in Virus Statistics:
  – Start: The starting date for statistics;
  – View: Can be set in hours, days, months or years;
  – Repetition: Scale of the graphic's horizontal axis;
  – Group: Enables you to group data, depending on the chosen view.
• Virus statistics: The display can be filtered by: Infected files or Protected;
• Virus list: Can be sorted by Virus name/Number of occurrences. An example can be viewed in Figure 4.15.

Figure 4.15: Proxy - Kaspersky - Statistics

4.3 VPN

A VPN (Virtual Private Network) provides remote access from the exterior (e.g. the Internet) to the network resources of a defined network.
4.3.1 PPTP

A PPTP (Point-to-Point Tunneling Protocol) VPN works by providing a PPP session with the recipient through the GRE tunneling protocol. It needs another network connection, running on TCP port 1723, to start and manage the PPP session. In the IPBrick case, you have to indicate which users may access VPN-PPTP connections, as well as the address range that will be used by the clients.

Configurations

Top Menu

Here you have a link to Configurations. This link gives you access to a form where you define the range of IP addresses chosen for VPN connections.

Figure 4.16: VPN - PPTP - Users

Remote clients will get an IP from this range when they connect to IPBrick. It is as if they were connected to the network server with an IP from this range.

Body

The user list shown on the left side of Figure 4.16 presents the selected VPN users. On the right side you find the users registered in IPBrick.

Access log

The access log option permits the visualization of all PPTP accesses. It is possible to filter by:
• IP;
• User;
• Notes:
  – Connected;
  – Disconnected;
  – Wrong password;
  – Illegal user;
  – Locked;
  – Timeout.
• Date.

Options available:
• Clean filters: Clears all the chosen filters;
• Export PDF: Exports all the information to a .pdf;
• Back: Goes back to the top menu.

4.3.2 IPSec

IPSec (IP security) is a suite of protocols that ensures confidentiality, integrity and authenticity for data transmission on an IP network. While the SSL protocol works at the transport layer, IPSec operates at the network layer and consequently provides data encryption at this level. A VPN through PPTP or SSL provides a connection between a defined machine and the network. By contrast, VPN IPSec allows two networks to communicate permanently and transparently.
This is accomplished with an IPSec tunnel configured between two IPBricks or between an IPBrick and a router, providing full configuration transparency to the users of both networks.

Example: the 192.168.2.0 network belongs to the Company X headquarters in Oporto, Portugal, and the 192.168.4.0 network belongs to its branch office located in Japan. Both networks should have an Internet connection to make the communication between their machines through a VPN IPSec tunnel possible. With this feature two networks can behave as if they were one. To configure a VPN connection between two networks you need to have the appropriate configuration for the IPSec tunnel on the origin and destination IPBricks.

Body

After clicking on IPSec, the configured IPSec tunnels are displayed in the section body.

Top Menu

There is a link named Insert that allows you to insert a new IPSec tunnel.

Body

In this page we configure the IPSec connection (as you may see in Figure 4.17). The following data are necessary:

• General settings
  – Name: VPN IPSec name;
  – Description: Description of the IPSec connection;
  – State: VPN IPSec state - enabled or disabled;
• Local Network Definitions
  – Local IP: IPBrick external interface address;
  – Local network: Local network address and respective IPBrick network mask;
  – Local Gateway: Router internal interface address;
  – Local Identification: Dynamic DNS address (by default this field should be empty; it is used if the network does not have a fixed public IP);
  – Server IP in local network: IPBrick internal interface address.
• Remote network definitions
  – Remote IP: Remote public address;
  – Remote network: Remote network address and mask;
  – Remote Gateway: Remote network router internal interface address (by default this field should be empty);
  – Remote identifier: Dynamic DNS address (by default this field should be empty; it is used if the remote network does not have a fixed public IP).
• Keys Management
  – Password: A Pre-Shared Key (PSK) is a shared key that the VPN service expects as the first credential (before username and password). The correct PSK has to be supplied for the VPN server to allow the authentication process to continue;
  – Type: IPSec supports two operation modes, specified in this field: Tunnel (where the original IP packet is encrypted) and Transport (the data (payload) are encrypted, but the original IP header is not changed);
  – Authentication: IPSec adds two extra headers to the IP packet, AH and ESP. AH (Authentication Header) ensures integrity and authenticity, but not confidentiality. ESP provides data integrity, authenticity and confidentiality;
  – PFS: Enables PFS (Perfect Forward Secrecy), which adds additional security to the key exchange;
  – Start: Only automatic is available.

NOTE: When an IPSec tunnel is configured, the MTU of the public IPBrick interface is changed to 1400 because of the additional header overhead added by IPSec. If you find some LAN problems with web access, change the MTU back to 1500 bytes.

Figure 4.17: VPN - IPSec Configuration 1/2

Router configuration

In case of a VPN IPSec not between two IPBricks but between an IPBrick and a router, at the router side it is important to know all the parameters used by IPBrick that are not visible in the web interface. Here are the most important ones:

• Negotiation key protocol: IKE;
• Negotiation mode: Normal;
• Phase 1 encryption algorithm: 3DES;
• Phase 1 authentication algorithm: MD5;
• Phase 2 encryption algorithm: 3DES;
• Phase 2 authentication algorithm: SHA1;
• Key Group: DH2.

4.3.3 SSL

A VPN-SSL uses the SSL encryption protocol to ensure data privacy and integrity between the two parties, because the protocol provides data encryption and authentication.

Figure 4.18: VPN - IPSec Configuration 2/2
SSL is based on the TCP protocol and uses the public key cryptography concept (introduced by Diffie and Hellman in the 1970s). This concept specifies that each party has a Private Key and a Public Key that can be distributed to the people who want to have encrypted communication. Data encrypted with the Public Key can only be decrypted by the corresponding Private Key. Data encrypted with the Private Key can only be decrypted by the corresponding Public Key.

After clicking on SSL the list of VPN SSL servers is shown. To configure the tunnel you must click on it (Figure 4.19).

Definitions

In this section you can configure the definitions of the VPN-SSL network.

• Name/IP: Name or public IP address of the network;
• Port: The port of the VPN server. The default for SSL is 1194;
• Protocol: The transport protocol used in the communication. TCP is more reliable but will add an extra overhead;
• VPN Network: The IP network that will be given to the clients. When a user connects to this VPN server, he will get an IP address in this IP network. This network should be different from any other IP network in the company;
• Domain: The domain offered to the clients;
• DNS Servers: The DNS server passed to the clients;
• NetBios Servers: The NetBIOS server passed to the clients;
• Routes for clients: Sets all the networks that the client must have access to through the tunnel.

Figure 4.19: VPN - SSL Settings

NOTE: If you want to use a VPN SSL and use the same email client with the internal mail server configuration, you need to add the VPN Network to the Relay networks definitions in E-mail.

Certificates

After the Definitions configuration it is necessary to create the SSL digital certificates.
A digital certificate contains the following information:

• Identification of the holder entity;
• Public Key of the holder entity;
• Certificate serial number;
• Certificate validity date;
• Identification of the Certification Authority (the certificate issuing entity);
• Digital signature of the Certification Authority.

A digital certificate will be generated for the server and for each of the clients using the VPN SSL connection. Clicking on Insert you start with the server certificate generation. You have to fill in the following fields:

• Country Code;
• Country;
• City;
• Company;
• Name: Certificate name;
• Email: Company's email.

Then you generate the client certificates: you have to insert the Certificate name, the Client email and a Password. The next step consists in downloading the certificate and sending it to the client that will make the VPN connection. The .zip file contains: the server and client public keys, the client private key and the VPN tunnel configuration that will be used.

Client

On the client side you have to install the specific software to create the VPN SSL connection, OpenVPN. Then you must uncompress the certificate file into a new directory in c:\Program Files\OpenVPN\config. To start the VPN connection you have to right-click on the OpenVPN icon located in the tool bar, choose the connection you want and click Connect. The option Delete All should only be used to restart the whole process.

State

This interface shows you the active tunnels and their respective traffic, users and IP.

After configuring this service you have to activate it in Advanced Configurations - System Services. The procedure to configure the VPN client is described in detail in Appendix B.
OpenVPN software: openvpn.net; Windows GUI: openvpn.se.

⇒ Note: Before configuring a VPN connection (PPTP, IPSec or SSL), you have to know the addressing scheme used by the local network where the client connects and the addressing scheme of the destination network. If both networks use the same addressing scheme, the VPN connection will obviously be impossible.

4.4 E-mail

The E-mail section is repeated in the two IPBrick modules. IPBrick.I provides services oriented to the Intranet: Base Configuration, Queue Management, User Management, Distribution Lists and Kaspersky Anti-Virus and Anti-Spam. IPBrick.C provides additional services:

• Advanced relay;
• Get Mail from ISP;
• Mail copy.

4.4.1 Advanced relay

The advanced relay option makes it possible to forward emails addressed to nonexistent recipients and also to forward all the mail that comes to a domain. This last feature is also known as catchall (Figure 4.20).

Relay definitions:

• Email/Domain
  – Email: Insert an invalid recipient, i.e. one without any LDAP account, at the internal domain;
  – Domain: Choose each domain for which you want to relay all the messages;
• Relay to: Destination email. It can be an internal or an external one.

4.4.2 Get Mail from ISP

If company mails are not delivered to an internal firm server, being therefore only available via POP (Post Office Protocol, used to access inboxes and transfer mails), you can configure IPBrick to download these mails from the ISP (Internet Service Provider) periodically to a local server. Once they are in this local server the mails are delivered to the respective previously configured accounts. In this way you can configure a server for internal e-mails, even if you only have one, to automate and centralize all firm e-mails (from the Internet and internal). This feature, normally called fetchmail, is useful when the MX of the enterprise domain points to another server.
Figure 4.20: E-Mail - Advanced relay

Top Menu

Click Insert (Figure 4.21) to add the external servers that you want to connect to in order to download email and deliver it to the local server. You have to fill in the following fields:

• Server: Server identification. It can be an FQDN or an IP address;
• Protocol: Protocol used by the server - POP3 or IMAP;
• Remote domains: Domains that deliver email to the server. Commonly used with volume mailboxes.

Body

To access the server definitions, you must click on its name (Figure 4.21):

• Modify: Changes the account data;
• Delete: Deletes the selected account;
• Back: Goes back to the email servers list.

To access the management interface of remote mailboxes, you must click Insert and fill in the following fields (Figure 4.23):

Figure 4.21: E-Mail - Get Mail from ISP - Base menu
Figure 4.22: E-Mail - Get mail from ISP - Servers Management

1. Mailbox type: Select individual mailbox or volume box; the latter refers to boxes that are not assigned to any user;
2. Login: Username used to access the remote email box;
3. Password: Needed to validate the login;
4. Retype password: Confirm the previous password;
5. Local server email: If the individual mailbox is chosen, this field is the local email account where the downloaded emails will be delivered;
6. Drop 'Delivered-To': If the email address at the ISP is the same as the email address on the local server, this field must be active.

Figure 4.23: E-Mail - Get mail from ISP - Add Account

4.4.3 Mail Copy

This feature (Figure 4.24) aims to save all the incoming and outgoing email messages in two accounts: sentmail and receivedmail.

Note: It is necessary to pay attention to the management of these Mail Copies, especially in places with a lot of e-mail traffic.
It is very important to monitor the growth of the occupied server hard drive space. These e-mail inboxes may quickly reach the full size of the partition. By reaching this size they may cause trouble, either by interfering with other server applications or for the people responsible for these e-mail inboxes, who at a certain stage will lose a series of mails because no copy could be made.

When you activate this service (Yes) the mails are copied to the corresponding account, that is:

1. Sent: YES, all mails that go through this SMTP server and whose sender is from the server domain(s) will be copied to the Sent Mails local account.
2. Received: YES, all mails that go through this SMTP server and whose sender is not from the server domain(s) will be copied to the Received Mails local account.

Figure 4.24: E-Mail - Mail copy

When you activate the option (Yes) the system shows the Delete Automatically the Copies field. This field allows defining whether the mail copies that are on the server are to be deleted or not. The Delete Copies With More Than field allows specifying the number of days after which mail copies are deleted from the server.

4.5 Web Server

A web server, through the HTTP (HyperText Transfer Protocol) and/or HTTPS protocols, is responsible for answering user requests concerning the web pages hosted on it, and each server may host several sites. The web server running in IPBrick 5.0 is Apache 2.2.3 (for more information please visit http://www.apache.org). The base virtual hosts registered in IPBrick are displayed after clicking on Web Server and may be seen in Figure 4.25.
Figure 4.25: Web Server - Hosted sites

IPBrick hosts the following sites by default:

• ipbrick.domain.com: IPBrick web management interface;
• myipbrick.domain.com: Site for LDAP users to configure their general and email definitions;
• calendar.domain.com: Intranet LDAP agenda;
• callmanager.domain.com: Flash application for VoIP;
• contacts.domain.com: Intranet LDAP contacts management;
• jwchat.domain.com: A web-based Jabber (XMPP) client for the IPBrick LDAP users;
• mysqladmin.domain.com: MySQL database web management;
• pgsqladmin.domain.com: PostgreSQL database web management;
• ucoip.domain.com: UCoIP (Unified Communications over IP) site for LDAP users. All enterprise communications - Voice, Mail, Instant Messaging and Web - are managed in an integrated way, i.e. unified through a single individual or group address. To reach this goal, IPBrick uses only Internet communication services (SIP, SMTP/IMAP, XMPP and HTTP), integrated with the DNS and LDAP support services. The generic site is ucoip.domain.com but the idea is to have one site for each LDAP user. The following options are included:
  – An IAX webphone for direct connection to the user's SIP URL;
  – A SIP URL link to call the user using a softphone previously installed on the workstation;
  – A web-based Jabber (XMPP) client to chat directly with the user;
  – An SMTP link to mail the user using an email client on the workstation.
  As we can see, for SIP/SMTP/XMPP the user will be reached using the single address user@domain.com. The UCoIP site design is simple but it can be improved. It is possible to use a specific FTP account for site management:
  – username: ucoip;
  – password: 123456.
  Now we present all the necessary steps to configure a UCoIP site for a specific LDAP user with username jsmith, with the IPBrick FQDN being ipbrick.domain.com:
  – The user jsmith must go to https://myipbrick.domain.com and define a phone (depending on the IPBrick.GT routes it can be a SIP/PSTN/GSM number) in the field SIP Address. Examples: 101@domain.com, 00351221121112, 00351963322212;
  – Activate the IM service at IPBrick.C - IM;
  – Go to IPBrick.C - Web Server, click on ucoip.domain.com and define the alternative address jsmith.domain.com;
  – At the private/public DNS server add a record named jsmith, pointing to that IPBrick server.
• webacula.domain.com: Bacula backup server web administration;
• webmail.domain.com: Horde webmail client;
• webphone.domain.com: An IAX webphone example. The idea is to view the page source code and include it in a real website. This webphone can be configured to call directly any number you want or to match some direct access for a VoIP functionality (sequence, groups, IVR etc.). To specify that, the variable called url must be changed. The source code of this page is presented next:

    <script language="JavaScript">
    function webphone() {
        var day = new Date();
        var id = day.getTime();
        var url = 'index2.php';
        eval("page" + id + " = window.open('" + url + "', '" + id + "', 'toolba
    }
    </script>

    <h1>Example Link</h1>
    <a href="javascript:webphone()"><img alt="IPBrick.GT high versability working for the New Internet" src="webphone.jpg"></a>

  Examples of url variable definition:

    var url = 'index2.php?user=jdomingues';
    var url = 'index2.php?user=200';
    var url = 'index2.php?user=IVR2';

  NOTE: For now, this webphone can be used only with Internet Explorer.

4.5.1 Creating a new site

By clicking on Insert it is possible to create a new site. A new form is displayed (Figure 4.26) with the following fields:

Figure 4.26: Web Server - Adding sites

1.
URL address: The FQDN (Fully Qualified Domain Name) of the new site that will be hosted on the server. It is possible to use SSL too. Example: www.domain.com;
2. Alternative URL address: Alternative name(s) for the URL address that was previously set. This field is not mandatory;
3. Site administrator email: E-mail of the user responsible for the site management;
4. FTP User: A new user login that will access the site folder through FTP. This should be the only login and must not be equal to another IPBrick LDAP user. The site maintenance will be made through this protocol;
5. Password: Password of the FTP user;
6. Retype Password: Confirmation of the password;
7. Site folder location: Folder that will be automatically created in the server filesystem under /home1/_sites/. Usually the name of the site is used;
8. Internet Availability: Choosing Yes means that the virtual host for this site will be created on the IPBrick external IP; in this case the created site will be available on the Internet;
9. Safe mode: If the site is PHP based, it denies access to files outside the site folder location, and it also interferes with the global variables. That is the reason why the default mode is Disabled;
10. Access authorized only to the directories: By default PHP has access to the site folder location and to /tmp, but it is possible to add more locations;
11. Character encoding: The encoding that Apache will use for the website, depending on the content language;
12. Always keep the typed URL: Always keeps the requested URL.

It is also necessary to create a DNS record (A or CNAME) in the company's external DNS server pointing to the company's public IP.
4.5.2 Management

When the site is created, if you click on it (as we can see in Figure 4.27) many options are presented:

• Back: Allows you to go back to the main web server menu;
• Alias;
• Redirect;
• Reverse Proxy;
• Modify: Allows you to modify the site fields;
• Delete: Removes the site from the web server. After clicking on Apply Configurations the site is no longer available online. The files of the site are not deleted but moved to the share sites_bk1. This share is the file location of the removed sites. When IPBrick removes these sites only the affected services are reconfigured and the contents are moved to their own share, accessible only to LDAP Administrators, as with the user accounts and group shares.

Figure 4.27: Web Server - Features

Alias

An Alias (or Host Header) is a simple way of giving access to certain contents that are physically located outside the main directory of the site. Next we present two examples:

In the Figure 4.28 example we create a web alias for the folder /home1/_sites/www/site/img, so going to www.domain.com/es/img or www.domain.com/img will be the same.

In the Figure 4.29 example we have a subsite called www.domain.com/forum that is present in the filesystem at /home1/_sites/www/site/forum.

You can manage each alias if you click on it (Figure 4.30).

Figure 4.28: Web Server - Alias 1
Figure 4.29: Web Server - Alias 2

Redirect

A redirect sends you to a new URL when you type the first URL in the browser.
Some examples:

Figure 4.30: Web Server - Alias List

• In the Figure 4.31 example, when someone tries to access www.domain.com/index.htm (the file index.htm does not exist), they will be automatically redirected to www.domain.com /index.htm;
• In the Figure 4.32 example, when someone tries to access www.domain.com/index.html, they will be automatically redirected to www.domain.com/web/index.htm. Note that in the source field you can insert either /index.html or www.domain.com/index.html; it is the same.

Figure 4.31: Web Server - Redirect - Example 1
Figure 4.32: Web Server - Redirect - Example 2

You can manage each redirection if you click on it (Figure 4.33).

Reverse Proxy

The reverse proxy is used in front of the web server and its main goal is to enable the web server to provide content from another server, transparently for the users.

Figure 4.33: Web Server - Redirections List

• The first example stands for this situation: when LAN users enter the URL http://estore.domainx.com they will be transferred to an internal site running on another server. So the first step is the site creation (Figure 4.34), and after that the reverse proxy definition (Figure 4.35);
• In the second example the idea is for someone on the Internet to access a site running on an internal machine (http://192.168.1.4:85/cgi/site). To do this we just need to add a new reverse proxy definition at the base domain (Figure 4.36 and Figure 4.37).

Statistics

Each site in IPBrick uses Advanced Web Statistics to display many statistics about the site accesses, the same software used for the proxy statistics. To access the statistics just go to IPBrick.C - Web Server, click on the desired site and after that go to Statistics. You can get some useful information like that on the left side of Figure 4.38.
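A request-mapping model for the Alias, Redirect and Reverse Proxy definitions described above, added here as an example and not IPBrick's or Apache's code. It uses the paths from the examples (/img and /es/img both serving /home1/_sites/www/site/img, the /forum subsite, the /index.html to /web/index.htm redirect and a reverse proxy towards http://192.168.1.4:85/cgi/site); the precedence order (redirect, then reverse proxy, then alias, then the site folder), the /cgi/site URL prefix and the intranet-store.internal upstream are this example's own assumptions, and the traversal check shows why the URL path has to be decoded and normalised before it is mapped to the filesystem.

```python
"""Model of how a site's Alias, Redirect and Reverse Proxy definitions map a
request path.  Added illustration, not IPBrick's or Apache's code; the
precedence order and the sample upstream addresses are assumptions."""
from posixpath import normpath
from typing import Dict, List, Tuple
from urllib.parse import unquote

SITE_FOLDER = "/home1/_sites/www/site"   # site folder of www.domain.com in the examples


def _clean(path: str) -> str:
    """Absolute, normalised URL path without a trailing slash ('/' for the root)."""
    return normpath("/" + path.strip("/"))


def _under(path: str, prefix: str) -> bool:
    return prefix == "/" or path == prefix or path.startswith(prefix + "/")


def _rest(path: str, prefix: str) -> str:
    return path if prefix == "/" else path[len(prefix):]


def _safe_join(directory: str, rest: str) -> Tuple[str, str]:
    """Join and refuse anything that would leave the directory (defence in depth)."""
    target = normpath(directory + "/" + rest.lstrip("/"))
    if target != directory and not target.startswith(directory + "/"):
        return "forbidden", target
    return "file", target


class SiteRules:
    def __init__(self, site_folder: str) -> None:
        self.site_folder = site_folder.rstrip("/")
        self.aliases: List[Tuple[str, str]] = []    # (URL prefix, directory)
        self.redirects: Dict[str, str] = {}         # source path -> destination URL
        self.proxies: List[Tuple[str, str]] = []    # (URL prefix, upstream base URL)

    def add_alias(self, url_prefix: str, directory: str) -> None:
        self.aliases.append((_clean(url_prefix), directory.rstrip("/")))

    def add_redirect(self, source: str, destination: str) -> None:
        self.redirects[_clean(source)] = destination

    def add_reverse_proxy(self, url_prefix: str, upstream: str) -> None:
        self.proxies.append((_clean(url_prefix), upstream.rstrip("/")))

    def resolve(self, request_path: str) -> Tuple[str, str]:
        """Return (action, target): 'redirect', 'proxy', 'file' or 'forbidden'."""
        # Decode first, then normalise, so "%2e%2e/" cannot slip past prefix matching
        path = _clean(unquote(request_path))
        if path in self.redirects:
            return "redirect", self.redirects[path]
        for prefix, upstream in self.proxies:
            if _under(path, prefix):
                return "proxy", upstream + _rest(path, prefix)
        # Longest alias prefix wins, so /es/img is tried before /es
        for prefix, directory in sorted(self.aliases, key=lambda a: -len(a[0])):
            if _under(path, prefix):
                return _safe_join(directory, _rest(path, prefix))
        return _safe_join(self.site_folder, path)


def build_www_domain_com() -> SiteRules:
    """Constructed rules reproducing the Alias, Redirect and Reverse Proxy examples."""
    rules = SiteRules(SITE_FOLDER)
    rules.add_alias("/img", SITE_FOLDER + "/img")
    rules.add_alias("/es/img", SITE_FOLDER + "/img")
    rules.add_alias("/forum", SITE_FOLDER + "/forum")
    rules.add_redirect("/index.html", "http://www.domain.com/web/index.htm")
    rules.add_reverse_proxy("/cgi/site", "http://192.168.1.4:85/cgi/site")   # prefix assumed
    return rules


def build_estore() -> SiteRules:
    """Constructed rules for estore.domainx.com: the whole site is proxied internally."""
    rules = SiteRules("/home1/_sites/estore/site")
    rules.add_reverse_proxy("/", "http://intranet-store.internal")   # constructed upstream
    return rules
```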
4.6 Webmail

The Webmail installed in IPBrick is Horde and can be configured to work with e-mail servers other than IPBrick. Therefore you only have to specify in this section which IMAP (Internet Message Access Protocol) and SMTP (Simple Mail Transfer Protocol) servers will be used (Figure 4.39). To change the servers click Modify. The servers may be identified by their FQDN (Fully Qualified Domain Name) or their IP address.

Figure 4.34: Web Server - Reverse Proxy - Example 1 - Empty site created
Figure 4.35: Web Server - Reverse Proxy - Example 1 - Add

If you have an Intranet IPBrick (or another intranet mail server) and a Communications IPBrick, you need to point the IMAP and SMTP to the internal mail server address. To use the IPBrick webmail from the Internet you just need to:

• Register an A record or CNAME called webmail at the public DNS server of the company domain, pointing to the IPBrick public IP;
• If the IPBrick does not have a public IP on eth1, configure a DNAT rule on the router to port 443 of the eth1 IPBrick IP.

Figure 4.36: Web Server - Reverse Proxy - Example 2 - Add
Figure 4.37: Web Server - Reverse Proxy - Example 2 - List

4.7 FTP Server

In FTP Server it is possible to manage single FTP accounts. The accounts can be associated to simple Unix system users or to IPBrick websites. Clicking Insert, these fields will be presented (Figure 4.40):

• Login: FTP account login;
• Password: FTP account password;
• Retype Password;
• Account location: It is possible to choose an individual FTP work area or associate the account to a virtual host;
• Create folder account: Creates a new account folder at /home1/_ftp, or /home2/_ftp if the chosen work area is 2;
• Access permissions: Can be read-only permission or read and write permissions.
Figure 4.38: Web Server - Statistics
Figure 4.39: WebMail - Servers
Figure 4.40: FTP Server - Account definitions

4.7.1 Access log

The access log option allows viewing all FTP accesses. It is possible to filter by:
• IP;
• User;
• Notes:
– Connected;
– Disconnected;
– Wrong password;
– Illegal user;
– Timeout/Locked.
• Date.

Options available:
• Clean filters: clears all the chosen filters;
• Export PDF: exports all the information to a .pdf file;
• Back: returns to the top menu.

4.8 VoIP

This section deals with the management interface of the VoIP (Voice over IP) service available in IPBrick.

VoIP technology allows phone calls over an IP network, thus enabling phone calls through the Internet. The main advantages of VoIP are: lower costs, because the rates do not follow the conventional telephony model; and better service quality, since packet switching makes better use of the existing network resources than circuit switching does. The IP Telephony concept is sometimes confused with VoIP, but they are not exactly the same thing. IP Telephony uses the VoIP service and is defined as the set of services and applications that allow companies to reduce their phone costs.

Signalling

A VoIP service needs a protocol to signal the calls. The signalling protocol used by IPBrick is SIP (Session Initiation Protocol), but there are others such as H.323, MGCP, Jingle, IAX, H.248/MEGACO etc. SIP allows calls and conferences over IP, and those calls may include audio, video, images etc. This way, the SIP protocol is responsible for the whole call process between the users, independently of the type of content carried by the call itself.
The IPBrick.GT acts as a true IP PBX and can route calls to/from a traditional PBX, the Internet, the LAN and the PSTN. All that management is done by software called Asterisk. Asterisk is compatible with several signalling protocols, SIP among them. The VoIP functionalities accessible through the web interface are presented next.

4.8.1 Phone management

Registered Phones

In Figure 4.41 it is possible to see the registered IPBrick VoIP clients (IP telephones, workstations with a softphone). The section Machine Management describes the menu used to insert the VoIP machines. It is also possible to register phones in: Advanced Configurations - Telephony - Registered Phones. This option is valid if it is not necessary to assign a specific IP address to the phone. A phone can be added just by filling in the fields for the name and the access password, assuming that DNS is working correctly.

Alternative addresses

As you can see in Figure 4.42, several alternative addresses may be associated with each telephone (either a hardware telephone or a software telephone). An alternative address is another name (or number) by which the telephone can be reached. This functionality is very useful when there are telephones from which you can only dial numbers.

Figure 4.41: VoIP - Registered Phones
Figure 4.42: VoIP - Alternative Addresses

Example: there is an IP telephone named phone01. Through the myipbrick site, a user called John Smith associates himself with this telephone by placing the address phone01 in the SIP URL field. An alternative address named 5050 is also created for that telephone. From that moment on, the user John Smith may be reached either through phone01 or through 5050, but the main idea here is to contact the user simply via jsmith@domain.com.
In the top menu there is an option to insert new alternative addresses. As already mentioned, two fields are involved:
• Phone name: choose which of the telephones in IPBrick you want to associate with an alternative address;
• New phone alternative address: the alternative address of the telephone.
To confirm the insertion, click the Insert button.

SIP URLs

As already mentioned, it is also possible to associate a certain telephone (number or name) with an internal user of the network. The association is made from the user's e-mail address, in the SIP URL field. This operation is done through the site https://myipbrick.domain.com. This way, to contact a certain user all you have to do is call his/her e-mail address. The call is placed regardless of which device the addressee uses (mobile phone, softphone, analogue/digital telephone).

4.8.2 Services

This section allows configuring all the IP PBX functionalities, split into inbound and outbound services.

Inbound

Call Groups

In this interface (Figure 4.43) it is possible to define answering groups, i.e. a group of telephones which ring simultaneously when the group is called. To define a group it is necessary to fill in:
• Name: name for the group;
• Caller ID: option to use a specific caller ID for this service;
• Direct access: list of numbers/addresses that reach this service.
There are three options, and several direct accesses may be used:
– DID: if the IPBrick has an ISDN telephony card, the DID (Direct Inward Dial) is the direct PSTN number that reaches this service;
– ANA: if the IPBrick has an analogue telephony card, the direct PSTN number that reaches this service;
– SIP: the specific SIP address that reaches this service;
• Group Members:
– Internal: internal SIP phones that belong to the group;
– External: external phones (SIP, PSTN number etc.) that belong to the group.

Figure 4.43: VoIP - Call groups

Attendance seq.

In this section it is possible to define an answering sequence, or to see/change/remove the already defined sequences. To add a new sequence click Insert, define a name for the sequence, select whether voicemail is active or not and, in Direct Access, add the DID/SIP/ANA addresses of the telephones through which the sequence is activated. If you intend to add a Direct Access for an extension defined in IPBrick, choose SIP and select the extension as the address. In Sequence it is possible to add the telephones which ring, in the desired order, and the time each one rings before moving on to the next. To define an attendance sequence it is necessary to fill in (Figure 4.44):
• Name: name for the attendance sequence;
• Caller ID: option to use a specific caller ID for this service;
• Voicemail enabled: enables voicemail for the sequence;
• Direct access: list of numbers/addresses that reach this service.
There are three options, and several direct accesses may be used:
– DID: if the IPBrick has an ISDN telephony card, the DID (Direct Inward Dial) is the direct PSTN number that reaches this service;
– ANA: if the IPBrick has an analogue telephony card, the direct PSTN number that reaches this service;
– SIP: the specific SIP address that reaches this service;
• Sequence positions:
– Location Internal: internal SIP phones that belong to the sequence;
– Location External: external phones (SIP, PSTN number etc.) that belong to the sequence;
– Timeout: timeout in seconds, 25 by default.

Figure 4.44: VoIP - Sequence definitions

A list of attendance sequences can be seen in Figure 4.45.

IVR Attendance

In this section it is possible to define interactive answering menus (Figure 4.46). Click Insert to add a new one:

Figure 4.45: VoIP - Attendance sequences list

• Name: choose a name for the IVR;
• Direct access: list of numbers/addresses that reach this service.
There are three options, and several direct accesses may be used:
– DID: if the IPBrick has an ISDN telephony card, the DID (Direct Inward Dial) is the direct PSTN number that reaches this service;
– ANA: if the IPBrick has an analogue telephony card, the direct PSTN number that reaches this service;
– SIP: the specific SIP address that reaches this service;
• Number of desired shortcuts: choose how many options the menu has;
• Shortcuts: the type of destination for each pressed key:
– Phone: call an internal telephone;
– IVR: go to an interactive answering sub-menu;
– Conference: connect to a conference;
– Scheduler: connect to a scheduler;
– Group: ring the telephones of a group;
– Sequence: activate an answering sequence;
– SIP address: call a SIP telephone;
– DISA: allows someone outside the exchange to connect as if he/she were directly connected to it;
– Call queue: place the call in a waiting line;
• Attendance message: allows the selection of an answering message.
It can be a .mp3 or .wav file;
• Number of message repetitions: number of times the attendance message is replayed;
• Redirect automatically when no option has been dialed: if Yes and no DTMF key is pressed, the call can be redirected directly to:
– Phone: call an internal telephone;
– IVR: go to an interactive answering sub-menu;
– Conference: connect to a conference;
– Scheduler: connect to a scheduler;
– Group: ring the telephones of a group;
– Sequence: activate an answering sequence;
– SIP address: call a SIP telephone;
– DISA: allows someone outside the exchange to connect as if he/she were directly connected to it;
– Call queue: place the call in a waiting line.

Figure 4.46: VoIP - IVR attendance configuration

Call Conference

In this interface (Figure 4.47) it is possible to create conferences. To create a simple static conference click Insert:
• Name: the conference name;
• Numeric identifier: numeric identifier for the conference. It is only an internal identifier for the VoIP server;
• PIN: code that allows the users to join the conference;
• Administrator PIN: conference code for the administrator;
• Direct access: list of numbers/addresses that reach this service. There are three options, and several direct accesses may be used:
– DID: if the IPBrick has an ISDN telephony card, the DID (Direct Inward Dial) is the direct PSTN number that reaches this service;
– ANA: if the IPBrick has an analogue telephony card, the direct PSTN number that reaches this service;
– SIP: the specific SIP address that reaches this service.

Figure 4.47: VoIP - Call conference insertion

It is also possible to allow the creation of dynamic conferences. For that, click Dynamic Conferences (Figure 4.48), change the option Active to Yes and insert the address(es) and/or number(s) for the Direct Accesses (Figure 4.49).
With dynamic conferences, when someone calls the direct access it is possible to join an existing conference automatically or to create a new one.

Figure 4.48: VoIP - Call conference list
Figure 4.49: VoIP - Dynamic call conferences

Call Parking

Here (Figure 4.50) it is possible to activate or deactivate the call parking option. If this option is activated, it is necessary to define an extension used to park the calls, as well as the virtual extensions on which parked calls are placed (Figure 4.51). To retrieve these calls later, dial "#" on the telephone keypad followed by the virtual extension where the call was parked.

Figure 4.50: VoIP - Call Parking
Figure 4.51: VoIP - Call Parking - Modify

Scheduling

This option (Figure 4.52) allows defining the behaviour of the IP PBX throughout the day. Usually this is the most important inbound service, because from here we are able to call all the other configured services. Click Insert (Figure 4.53) and configure the first parameters:

Figure 4.52: VoIP - Scheduling

• Name: the name for the scheduler;
• Direct access: list of numbers/addresses that reach this service. There are three options, and several direct accesses may be used:
– DID: if the IPBrick has an ISDN telephony card, the DID (Direct Inward Dial) is the direct PSTN number that reaches this service;
– ANA: if the IPBrick has an analogue telephony card, the direct PSTN number that reaches this service;
– SIP: the specific SIP address that reaches this service.

Next, it is necessary to add rules for this scheduler. For that:
• Click on the scheduler name;
• Click Insert;
• Choose the type of action to be executed;
• Choose the period in which it is executed.
Field explanation:
• Destination type: where the call is routed if the rule defined next matches. Options:
– Phone: call an internal telephone;
– IVR: go to an interactive answering sub-menu;
– Conference: connect to a conference;
– Scheduler: connect to a scheduler;
– Group: ring the telephones of a group;
– Sequence: activate an answering sequence;
– SIP address: call a SIP telephone;
– DISA: allows someone outside the exchange to connect as if he/she were directly connected to it;
– Call queue: place the call in a waiting line;
• Destination: telephone address or specific service name to which the call is routed;
• Hours: start and end hour of the time interval in which the rule is valid (hh:mm format in each field);
• Weekdays: weekdays on which the rule is valid. If none is chosen, all days are used;
• Month days: days of the month on which the rule is checked. If none is chosen, all are used;
• Months: months in which the rule is valid. If none is chosen, all months are used.

Figure 4.53: VoIP - Scheduling - Insert rules

NOTE: if you do not select any hours, weekdays, month days or months, the rule is valid for the whole day and for every day. A rule like this one is called the default rule.

Figure 4.54 shows an example of a scheduling implementation. You can see that rule 4 is used from 19:01 to 08:59, because that is the default time. It calls a simple IVR with a voice message saying that nobody is at the company to answer the phone.

Figure 4.54: VoIP - Scheduling - Rules list

DISA

DISA (Direct Inward System Access, Figure 4.55) is a service that allows someone who is not directly connected to IPBrick or to the PBX to obtain an internal dial tone and make calls as if he/she were directly connected to the internal network.
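The rule selection described above (hours, weekdays, month days and months as optional selectors, with a selector-less default rule catching everything else) is modelled here in Python; this is an added illustration, not IPBrick's own code, and the rule names, destinations and the precedence of specific rules over the default rule are assumptions.

```python
"""Scheduler rule evaluation modelled on the IPBrick VoIP Scheduling fields.

Added example; the data model and the matching order are assumptions, not IPBrick code.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, Iterable, Optional, Tuple, Union


@dataclass(frozen=True)
class Rule:
    """One scheduler rule. Empty selectors mean 'all', as the manual's NOTE states."""
    name: str
    destination_type: str                        # Phone, IVR, Conference, Group, Sequence, ...
    destination: str
    hours: Optional[Tuple[str, str]] = None      # ("hh:mm", "hh:mm"); None = whole day
    weekdays: FrozenSet[int] = frozenset()       # ISO weekday, 1 = Monday .. 7 = Sunday
    month_days: FrozenSet[int] = frozenset()     # 1..31
    months: FrozenSet[int] = frozenset()         # 1..12

    def is_default(self) -> bool:
        """A rule with no selector at all is the manual's 'default rule'."""
        return not (self.hours or self.weekdays or self.month_days or self.months)

    def _in_hours(self, t: time) -> bool:
        if self.hours is None:
            return True
        start = time.fromisoformat(self.hours[0])
        end = time.fromisoformat(self.hours[1])
        if start <= end:                          # e.g. 09:00-19:00, inclusive bounds
            return start <= t <= end
        return t >= start or t <= end             # interval crossing midnight, e.g. 22:00-06:00

    def matches(self, when: datetime) -> bool:
        """True if every selector that is set accepts the given instant."""
        minute = when.time().replace(second=0, microsecond=0)
        return (self._in_hours(minute)
                and (not self.weekdays or when.isoweekday() in self.weekdays)
                and (not self.month_days or when.day in self.month_days)
                and (not self.months or when.month in self.months))


def select_rule(rules: Iterable[Rule], when: datetime) -> Optional[Rule]:
    """First specific rule that matches wins; otherwise the default rule, if one exists.

    Assumption: specific rules take precedence over the default rule regardless of list
    order, which reproduces the manual's example where the default rule only applies
    from 19:01 to 08:59.
    """
    rules = tuple(rules)
    for rule in rules:
        if not rule.is_default() and rule.matches(when):
            return rule
    for rule in rules:
        if rule.is_default():
            return rule
    return None


# Constructed sample schedule mirroring the situation described for Figure 4.54.
WORKDAYS = frozenset({1, 2, 3, 4, 5})
SAMPLE_RULES = (
    Rule("1 morning", "IVR", "main_menu", hours=("09:00", "13:00"), weekdays=WORKDAYS),
    Rule("2 afternoon", "Group", "reception", hours=("13:01", "19:00"), weekdays=WORKDAYS),
    Rule("3 weekend", "IVR", "closed_message", weekdays=frozenset({6, 7})),
    Rule("4 default", "IVR", "closed_message"),          # no selectors: the default rule
)


def route_at(when: Union[datetime, str], rules=SAMPLE_RULES) -> Tuple[str, str, str]:
    """Return (rule name, destination type, destination) for an instant or ISO string."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    rule = select_rule(rules, when)
    if rule is None:
        raise LookupError("no rule matches and no default rule is defined")
    return rule.name, rule.destination_type, rule.destination


if __name__ == "__main__":
    # 2008-08-05 is a Tuesday, 2008-08-09 a Saturday.
    for ts in ("2008-08-05 10:30", "2008-08-05 19:30", "2008-08-09 10:00"):
        print(ts, "->", route_at(ts))
```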
The user calls the DISA access number and types a password followed by the "#" key. If the password is correct, the user hears the tone indicating that he/she may dial the number. This service can also be used without a password, if you want.

The fields necessary to configure a DISA are:
• Name: name for the DISA;
• Direct access: list of numbers/addresses that reach this service. There are three options, and several direct accesses may be used:
– DID: if the IPBrick has an ISDN telephony card, the DID (Direct Inward Dial) is the direct PSTN number that reaches this service;
– ANA: if the IPBrick has an analogue telephony card, the direct PSTN number that reaches this service;
– SIP: the specific SIP address that reaches this service.
• PIN authentication: allows requiring a password to enable dialling through DISA;
• Password: PIN password;
• Allowed caller IDs: list of caller identifiers that may access this service. Insert only one per line.

Figure 4.55: VoIP - DISA - Insert

Call queues

Here (Figure 4.56) it is possible to define waiting lines. When calling the telephone defined in Direct Access, the caller is placed on hold if there is another call waiting to be answered. An announcement may be defined which is heard while the call is on hold. It is also possible to choose default messages, in Select queue information message, which inform the caller about his/her position in the line, and the time interval between those messages. The settings shown when clicking Insert are the following:
• Name: name of the queue;
• Direct access: list of numbers/addresses that reach this service.
There are three options, and several direct accesses may be used:
– DID: if the IPBrick has an ISDN telephony card, the DID (Direct Inward Dial) is the direct PSTN number that reaches this service;
– ANA: if the IPBrick has an analogue telephony card, the direct PSTN number that reaches this service;
– SIP: the specific SIP address that reaches this service.
• Queue weight: the queue's priority;
• Maximum number of queued calls: maximum number of calls on hold. '0' means unlimited;
• Define maximum waiting time: it is possible to define the maximum waiting time. For that, select Yes, set the maximum time in seconds and the type of routing to apply if the time is exceeded, as well as the final destination;
• Phone attendance timeout: period of time (seconds) after which the caller is put on hold if the call is not answered, even if nobody else is on hold;
• Welcome message file: select the message played when someone enters the waiting line;
• Select queue information message: select some of these messages to inform about the position in the waiting line or the estimated waiting time.
Messages: "You are now first in line", "There are", "calls waiting", "The current estimated holdtime is", "minutes", "seconds", "Thank you for your patience", "less than", "hold time", "All phones busy / wait for next";
• Time interval between queue information messages: if an informative message is selected, the time (seconds) between messages can be set;
• Attendance policy: how the telephones answering the waiting line should answer the calls:
– Ring all: all available telephones ring until one of them answers;
– Random: one of the available telephones rings, chosen at random;
– Round Robin: each telephone rings in turn;
– Round Robin with memory: each telephone rings in turn, and the system remembers which one rang last;
– Least recently called phone: rings the telephone that has gone longest without ringing;
– Phone with fewest completed calls: rings the telephone with the fewest answered calls.
• Play message when call is answered: if Yes, a message is played before the call is connected.

Figure 4.56: VoIP - Call queue definitions

When a call queue is inserted, the following options appear at the top: Back, Modify, Delete and Members. The next step is to define which IP phones and/or LDAP users are associated with the call queue. Clicking Members shows a list of phones and users, as in Figure 4.57. At Call queues - Agents we have a list of IPBrick LDAP users. A user can be defined as a call queue agent. To configure an agent click on a name, choose Yes and configure:
• Login: number dialled to join a call queue dynamically;
• Waiting mode:
– Music on hold: the phone immediately becomes part of the call queue.
The user listens to music until a call is received;
– Callback: the phone only rings when the agent receives a call from the call queue;
• With PIN?: if Yes, the user must enter a PIN after the login number.

Figure 4.57: VoIP - Call queue members

Outbound

Access Classes

It is possible to define access rules for the existing telephones. For that, click the Insert link and fill in the following fields (Figure 4.59):
• Name: the access class name;
• Unlock code: code to temporarily deactivate an access class;
• Prefixes: allows adding to the authorized prefixes list the prefixes which may be dialled from the telephones under the access rules. By default all calls are blocked except those matching the authorized prefixes;
• Numbers: in Policy by default it is possible to block traffic to any number or to let it pass by default (Block/Authorize, respectively) and then, if there are exceptions, indicate one exception number per line. Wildcards can be used in the exceptions;
• Domains: in the same way that numbers can be authorized or blocked, VoIP domains on the Internet can be authorized or blocked.

Figure 4.58: VoIP - Call queue agents

To confirm and create the defined rule, click Insert. Now it is possible to add members under that rule by clicking the name of the rule and then Members (Figure 4.60). To remove or add SIP phones to the access class, just click the corresponding buttons.

Speed Dial

Speed dial allows associating an internal address with a telephone external to the organization. That is, the users call an internal number (or address) which is associated with a telephone outside the organization. Example: an external alternative address of the telephone 44@domain.com is created for the destination address john.smith@another-domain.com.
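The access class decision (authorized prefixes, a Block/Authorize number policy with wildcard exceptions, a domain policy for SIP destinations, and an unlock code) is spelled out in this added Python model; it is not IPBrick code, and the glob wildcard syntax, the rule that a number must both match an authorized prefix and pass the number policy, and the sample class are assumptions.

```python
"""Outbound access class evaluation modelled on the IPBrick 'Access Classes' fields.

Added example, not IPBrick code. Assumptions: wildcards use shell glob syntax ('*' any
run, '?' one character); a dialled number must match an authorized prefix AND pass the
Numbers policy; SIP addresses (user@domain) are judged by the Domains policy only.
"""
import hmac
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Tuple

BLOCK, AUTHORIZE = "Block", "Authorize"


@dataclass
class Policy:
    """Default decision plus one exception pattern per line, as in the web form."""
    default: str = BLOCK
    exceptions: Tuple[str, ...] = ()

    def allows(self, value: str) -> bool:
        excepted = any(fnmatchcase(value, pat) for pat in self.exceptions)
        # An exception inverts the default: a Block policy's exceptions form an
        # allow-list, an Authorize policy's exceptions form a deny-list.
        return excepted if self.default == BLOCK else not excepted


@dataclass
class AccessClass:
    name: str
    unlock_code: str
    prefixes: Tuple[str, ...] = ()          # authorized dialling prefixes; empty = nothing
    numbers: Policy = field(default_factory=Policy)
    domains: Policy = field(default_factory=Policy)
    unlocked: bool = False                  # class temporarily deactivated

    def unlock(self, code: str) -> bool:
        """Deactivate the class when the unlock code matches (constant-time compare)."""
        if hmac.compare_digest(code.encode(), self.unlock_code.encode()):
            self.unlocked = True
        return self.unlocked

    def decide(self, destination: str) -> Tuple[bool, str]:
        """Return (allowed, reason) for a dialled number or a SIP address."""
        if self.unlocked:
            return True, "class unlocked"
        if "@" in destination:                                  # SIP address
            domain = destination.rsplit("@", 1)[1].lower()
            ok = self.domains.allows(domain)
            return ok, f"domain {domain}: {'authorized' if ok else 'blocked'}"
        digits = destination.replace(" ", "")
        if not digits.isdigit():
            return False, "destination is neither a number nor a SIP address"
        if not any(digits.startswith(p) for p in self.prefixes):
            return False, "no authorized prefix matches"         # default: all blocked
        ok = self.numbers.allows(digits)
        return ok, f"number policy {self.numbers.default}: {'authorized' if ok else 'blocked'}"


# Constructed sample class: only 2... and 9... national numbers may be dialled, the
# Numbers policy blocks everything except Porto landlines (22*) and 9-digit 91 mobiles,
# and only the partner's SIP domain is reachable on the Internet.
OFFICE = AccessClass(
    name="office",
    unlock_code="4711",
    prefixes=("2", "9"),
    numbers=Policy(BLOCK, ("22*", "91???????")),
    domains=Policy(BLOCK, ("*.partner.example",)),
)


def office_allows(destination: str) -> bool:
    """Convenience wrapper over the constructed OFFICE class."""
    return OFFICE.decide(destination)[0]


if __name__ == "__main__":
    for dest in ("221234567", "211234567", "912345678", "91234",
                 "00351221234567", "john@voip.partner.example", "x@other.example"):
        print(dest, "->", OFFICE.decide(dest))
```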
This way, whenever 44 is dialled internally, the call is redirected to john.smith@another-domain.com. Choosing Speed Dial and clicking Insert we have two fields (Figure 4.61):
• Phone Address: the external number or address to call;
• Speed Dial: the extension for speed dial. If the IPBrick has routes, it is possible to insert legacy PBX extensions, GSM and PSTN numbers etc. in the speed dial field.

Figure 4.59: VoIP - Access Classes - Insert

4.8.3 Monitoring

Online Phones

The VoIP clients that are currently active and ready to make and receive calls can be seen here (Figure 4.62). The information shown about each telephone is:
• Phone: name of the telephone and the respective user;
• Request location: the IP address of the telephone;
• Port: port where the telephone is registered.

Call Statistics

Finished Calls

Detailed statistics about all the finished calls. The main menu shows general statistics relating to the filter criteria:
• Call number: total number of calls;
• Total call time;
• Maximum call time;
• Average call time;
• Total RTP packets: total RTP (voice/video) packets;
• Lost RTP packets;
• Average lag: average packet delay;
• Maximum lag: maximum packet delay;
• Average jitter (jitter is the measure of the variability over time of the latency across a network);
• Maximum jitter.

Figure 4.60: VoIP - Access Classes - Members

Clicking Insert it is possible to filter the list by specific fields:
• Source IP;
• Source address;
• Destination address;
• Used route: SIP routes and internal routes;
• Result: ANSWERED, NO ANSWER, BUSY, FAILED;
• Time periods.

Figure 4.61: VoIP - Speed Dial
Figure 4.62: VoIP - Online phones

The option Export CSV exports the whole list to a .csv file.
In the call list we have specific statistics relating to the filter criteria (Figure 4.63):
• #: call identification;
• Source IP: source IP phone address;
• Source Address: name/number of the originating telephone;
• Destination Address: number or name of the destination telephone;
• Route: route used to make the call;
• Fallback: whether a fallback route was used;
• Result: result of the call (ANSWERED, NO ANSWER, BUSY or FAILED);
• Start: call start time;
• Ring time: time the destination telephone rang;
• Duration: call duration.
Clicking on one of these fields sorts the calls by that field.

Figure 4.63: VoIP - Statistics filter

Current calls

This menu shows statistics about the current calls, with these fields:
• Source;
• Destination;
• Duration;
• State;
• Route.

Call manager

The Call Manager (Figure 4.64) is a Flash application that allows visualizing the state of each extension (whether it is online and whether it is on a call) and the state of the lines and SIP servers. When authenticated, you can also end calls through this interface.

Figure 4.64: VoIP - Call Manager configuration

The configuration of the call manager (Figure 4.65) is done from the IPBrick web interface in IPBrick.C > VoIP > Call Manager, clicking the Change link. By default the state of all registered telephones, the ports of each ISDN and analogue card, and the state of the waiting lines, conferences and SIP servers are shown. Some of these fields can be hidden by removing them in Show fields. To define an administration password which allows ending calls, change the value of the field Administration password. To allow other LDAP users to use the call manager, permissions can be controlled in the Access Management option. The configuration page has the link to the call manager, which can be accessed from the LAN.
It might be necessary to define the alias call manager on the network's DNS server. If it is not possible to see all the extensions, lines and servers in the call manager, move the mouse to the right side of the page and the remaining ones become visible. In this version of Call Manager the following operations are available once the administrator password has been entered:
• Call transfer: drag and drop the active phone onto another;
• Call termination: double click on a phone;
• Call generation: drag and drop one phone onto another.

Figure 4.65: VoIP - Call Manager

The screen shows all the telephones, routes, interfaces etc. registered in IPBrick. There are differences, though: if the telephone shows a visible IP address it is active, otherwise it is inactive. If the telephone is shown in red, a call is in progress and its duration is indicated.

4.8.4 Routes Management

For IPBrick to route calls between the several network interfaces, specific routes must be defined according to a telephony numbering plan. As you can see in Figure 4.66 we have these options:
• Local Routes: represent all the local interfaces available in IPBrick by default;
• Outbound routes: represent all the outbound routes, making it possible to place calls using SIP/IAX accounts;
• SIP servers list for registering: allows receiving calls for SIP numbers associated with SIP accounts.

Figure 4.66: VoIP - Routes Management

Local routes

Local routes (Figure 4.67) allow configuring an interconnection between LAN, PSTN, PBX or INTERNET. The default options are:
• PSTN-LAN: allows routing calls from the telephone network to the VoIP phones on the local network.
It is therefore an internal IPBrick route that can redirect calls received from the PSTN to VoIP phones;
• PBX-LAN: allows routing calls between the telephones connected to the PBX and the VoIP telephones on the local network;
• LAN-PBX: allows routing calls from the VoIP telephones on the local network to the telephones of the PBX;
• LAN-PSTN: allows routing calls from VoIP phones to the telephone network;
• INTERNET-PBX: allows accepting VoIP calls from the Internet and routing them to PBX phones. It is an IPBrick internal route used only for call redirection;
• INTERNET-PSTN: allows accepting VoIP calls from the Internet and routing them to the telephone network. It is an IPBrick internal route used only for call redirection;
• PBX-PSTN: a default internal route. It allows routing calls from the PBX to the telephone network. (It is possible to call from phones connected to the PBX and, if IPBrick is connected both to the PSTN and to a PBX, also to answer calls. IPBrick works in transparent mode, switching all the traffic from PBX to PSTN and vice versa.)
• PSTN-PBX: a default internal route. It allows routing calls from the telephone network to the PBX.

If there are other configured interfaces (acting as trunks), they may be added to the list of routes; for that, click the Available Local Routes link (Figure 4.67) and add the necessary routes.

Figure 4.67: VoIP - Local Routes

Insert in the top menu allows inserting one of the routes mentioned. After insertion, each type of route has a link that allows its configuration. On entering this interface it is possible to choose one of these options:
• Back;
• Modify: change the type of local route;
• Delete: remove the local route;
• Insert: add the prefixes that must be associated with this route.
When you indicate a prefix, all the calls whose initial digits coincide with it are routed through that route. Choosing Advanced Options we have these options (Figure 4.69):
– Prefix: the numeric prefix used to place calls through that route;
– Include prefix in address: if Yes, the prefix is part of the destination number, so it is kept when the call is routed. If No, the prefix is used only to identify the route. Example: to use the digit 6 to route a call to the Portuguese PSTN, this prefix must be removed so that the number keeps the correct format (2XXXXXXXX instead of 62XXXXXXXX);
– Postrouting prefix: a prefix added by IPBrick after the number is received. Example: for the Portuguese PSTN we use the format 2XXXXXXXX. If the main route is a SIP account route, it is necessary to use prefix 2, include the prefix in the address and use the postrouting prefix 00351 (351 is the Portuguese international code);
– Caller IDs restriction: restricts the route to the listed caller IDs only;
– Fallback routes: a backup route to use if the present one fails;
– Generate local ringing tone: generates a local ringing tone. Can be used when the destination phone cannot produce ringing;
– Priority: defines the prefix priority level.

Outbound routes

This option makes it possible to configure which calls are routed to an external server, which is responsible for routing them to their destination (Figure 4.68). This routing is done through prefixes, inserted by clicking the name of the route and then the Insert link above the prefixes table. To change or remove a route, click its name and then Modify or Delete, respectively. To add a new outbound route click Insert.
Choosing Advanced Options the following parameters are presented:
• Type: type of signalling protocol to use. Can be SIP, SIP with TLS or IAX;
• Name: outbound server name;
• Server Address: server IP/name;
• Server Port: server port to use;
• Authentication: if authentication on the server is necessary, choose the option User/Password and fill in the user name and respective password;
• Available to Internet: with this option selected, the route is available to VoIP telephones outside the LAN;
• Symmetric signalling: defines whether signalling is sent and received through the same port (port 5060);
• Activate ENUM search: allows IPBrick to search through ENUM (a group of protocols that aims to map telephone numbering to a new DNS record type, so that a telephone number corresponds to a SIP address);
• DTMF type: type of DTMF (dual-tone multi-frequency) to use. Options: RFC2833 (default), Inband, Info and Auto;
• Call limit: number of simultaneous calls allowed through that route, which can be useful for bandwidth control. 0 disables the limit.

Figure 4.68: VoIP - Outbound route definition

If the outbound route type is IAX, the only parameters are:
• Name;
• Server Address;
• Server Port;
• Available to Internet;
• Call limit.

The prefixes inserted in these outbound routes are automatically available to the SIP telephones and to the telephones connected to the PBX. If there are additional interfaces and you intend to use an outbound route, add the route INTERFACE->INTERNET (for example PBX1->INTERNET or GSM->INTERNET), include in that route a prefix matching the one of the route for the SIP server and include the prefix (in option Include prefix choose Yes).
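The prefix options described for local and outbound routes (Prefix, Include prefix in address, Postrouting prefix, Caller IDs restriction, Fallback routes, Priority) are worked through in this added Python model using the manual's two Portuguese PSTN examples; it is not IPBrick or Asterisk code, and the longest-prefix-then-priority selection, the route names and the availability callback are assumptions.

```python
"""Route selection and number rewriting modelled on the IPBrick route prefix options.

Added example, not IPBrick/Asterisk code. Assumptions: the longest matching prefix wins
and a lower Priority value breaks ties; an empty Caller IDs restriction means 'any caller';
fallback routes are tried in order when the chosen route is unavailable; the rewritten
number is the same whichever route finally carries the call.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, Optional, Tuple


@dataclass(frozen=True)
class PrefixRule:
    route: str                          # e.g. "LAN-PSTN" or a SIP account route
    prefix: str
    include_prefix: bool = False        # 'Include prefix in address'
    postrouting_prefix: str = ""        # prepended once the route is chosen
    caller_ids: Tuple[str, ...] = ()    # 'Caller IDs restriction'; empty = no restriction
    fallback_routes: Tuple[str, ...] = ()
    priority: int = 100                 # lower value = higher priority (assumption)

    def rewrite(self, dialled: str) -> str:
        """Apply Include-prefix and Postrouting-prefix to the dialled digits."""
        number = dialled if self.include_prefix else dialled[len(self.prefix):]
        return self.postrouting_prefix + number


def select_prefix(rules: Iterable[PrefixRule], dialled: str, caller_id: str) -> Optional[PrefixRule]:
    """Pick the rule whose prefix matches the dialled digits and whose caller restriction allows the caller."""
    candidates = [r for r in rules
                  if dialled.startswith(r.prefix)
                  and (not r.caller_ids or caller_id in r.caller_ids)]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-len(r.prefix), r.priority))


def route_call(rules: Iterable[PrefixRule], dialled: str, caller_id: str,
               available: Callable[[str], bool]) -> Optional[Tuple[str, str]]:
    """Return (route used, number sent to that route), or None when no prefix matches.

    Raises ConnectionError when the selected route and all its fallbacks are unavailable.
    """
    rule = select_prefix(rules, dialled, caller_id)
    if rule is None:
        return None
    for route in (rule.route, *rule.fallback_routes):
        if available(route):
            return route, rule.rewrite(dialled)
    raise ConnectionError(f"route {rule.route} and its fallbacks are unavailable")


# Constructed rules reproducing the manual's examples.
SAMPLE_RULES = (
    # Dial 6 + national number to reach the Portuguese PSTN; the 6 is stripped (Include = No).
    PrefixRule("LAN-PSTN", prefix="6", include_prefix=False, fallback_routes=("SIP-account",)),
    # National landlines (2XXXXXXXX) go out through a SIP account: keep the 2, add 00351.
    PrefixRule("SIP-account", prefix="2", include_prefix=True, postrouting_prefix="00351"),
    # International dialling (00...) only for the reception phone.
    PrefixRule("SIP-account", prefix="00", include_prefix=True,
               caller_ids=("reception",), priority=10),
)


def all_routes_up(route: str) -> bool:
    return True


def pstn_card_down(route: str) -> bool:
    """Simulated outage of the ISDN card behind LAN-PSTN."""
    return route != "LAN-PSTN"


if __name__ == "__main__":
    for dialled, caller in (("6221234567", "phone01"), ("221234567", "phone01"),
                            ("0044201234567", "reception"), ("0044201234567", "phone01")):
        print(dialled, caller, "->", route_call(SAMPLE_RULES, dialled, caller, all_routes_up))
    print("PSTN down:", route_call(SAMPLE_RULES, "6221234567", "phone01", pstn_card_down))
```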
For each outbound route it is possible to define which codecs will be used (option Modify) and their priority (option Order).

Figure 4.69: VoIP - Prefix definition

SIP servers list for registering
Here it is possible to view the list of SIP (22) addresses that have already been configured (Figure 4.70). When inserting a new one, the page generated asks for the following data:
• Name: Server name;
• SIP server address: SIP server IP or address.

(22) Session Initiation Protocol

After inserting the data, click the button Insert to confirm the insertion of the address. The next step is to register accounts on the local SIP server. Pressing Insert gives these options:
• Login: SIP account login. Normally the nomadic SIP number;
• Authentication user: Usually equal to the login;
• Password: SIP account password;
• Local: Internal phone that will receive the calls coming from the Internet to that nomadic number.

Figure 4.70: VoIP - SIP server for registering

4.8.5 Music on Hold
In this section (Figure 4.71) you can see the list of songs that shall be heard while a call is on hold. It is also possible to add more mp3 files to the list: click the link Insert, locate the music file (clicking the button Browse...) and write a brief description of the file in the field Name. To add the mp3 after all fields have been filled in, click the button Insert. You can also remove or modify the songs in the list by clicking the name of the song and then Change or Delete.

Figure 4.71: VoIP - Music on hold

4.9 IM
IM (Instant Messaging) is a service that lets you exchange text messages in near real time. IPBrick's IM server is ejabberd, an IM server based on the Jabber (XMPP) protocol. With this server you can communicate both using the Jabber protocol and the MSN protocol, through an MSN gateway.
Access to MSN contacts is controlled by this web interface. By default, the IM service, when enabled, blocks access to all MSN contacts except the ones explicitly authorized in this web interface.

4.9.1 Enabling / disabling the IM server
Enable Instant Messaging - Modify (Figure 4.72):
• No: The ejabberd server is stopped and all access to the MSN IM network is unblocked.
• Yes: The ejabberd server is running and access to the MSN IM network is blocked. The MSN client programs will be blocked (Figure 4.73), and so will the web messenger sites, as can be seen in Firewall (Figure 5.12);

When the Instant Messaging server is enabled, the following features are available:
• List of authorized MSN users from IPBrick Contacts:
– Insert: By ticking the checkboxes you choose which MSN contacts, from IPBrick Contacts, are reachable through the Instant Messaging server.
– Delete: By ticking the checkboxes you choose the contacts from IPBrick Contacts that you no longer want to be reachable from accounts logged on the server.
• List of authorized MSN users:
– Modify: Add, one per line, the MSN contacts that you want to be reachable through the Instant Messaging server. All users will be able to reach only the authorized MSN contacts. To remove the authorization, just remove them from the text box.

It is possible to use both of these features simultaneously, that is, you can use IPBrick Contacts to allow MSN contacts and add other contacts in the List of authorized users.
Figure 4.72: IM - Enabling Instant Messaging Server
Figure 4.73: IM - Blocking MSN applications
Figure 4.74: IM - Web messenger sites blocking in firewall

Chapter 5 Advanced Configurations
Here you have advanced interfaces for some services present in the upper menus, as well as other configurations. The chapter is divided into the following main sections:
• IPBrick;
• Telephony;
• Network;
• Support Services;
• Disaster recovery;
• System.

5.1 IPBrick
5.1.1 Definitions
This section deals with some essential IPBrick server configurations.

Domain Definitions
In Domain Definitions you configure the hostname and the server DNS domain. The Fully Qualified Domain Name is composed of the machine name and the DNS domain. For example, if the hostname is ipbrick and the DNS domain is company.com, the FQDN will be ipbrick.company.com. To change these definitions, click Modify.

Network Definitions
In Network Definitions it is possible to configure the following network interface parameters:
• Interface: Interface name;
• Type: Private (for eth0) or public for the others;
• Mode: For the public interfaces it is possible to configure the interface as dynamic, so that it acts as a DHCP client;
• IP: Interface IP address with the corresponding network bit mask;
• Network: Network address;
• Broadcast: Network broadcast IP;
• MAC Address: Physical address of the NIC.

Modify changes these parameters. Insert adds a new IP alias for the interface (example: eth0:1, eth0:2). If IPBrick works as an Intranet server (IPBrick.I), it is only necessary to configure the private interface.
In this case, the public interface (if the server where IPBrick is installed has two network cards) may keep all the default configurations and shall not have a network cable connected. If IPBrick works as a Communications server (IPBrick.C), or if it combines the Intranet and Communications functions (IPBrick.I + IPBrick.C), it is necessary to configure both network interfaces (in these two situations the server where IPBrick is installed shall have two network cards). To change the network interface definitions, click ETH0 or ETH1.

NOTE: The private interface is the first network card detected by IPBrick in the server where it was installed. If the server has a second network card, it shall be configured as a public interface. The firewall is configured by default with specific rules that treat ETH0 as the private interface and ETH1 as the public interface. If the server has more network cards (ETH2, ETH3, ...), they shall be considered private.

NOTE: The ethernet card MAC address should be associated with every interface, so that when the server reboots each interface is always associated with the same NIC.

Default route
This menu allows the gateway of IPBrick to be defined. If IPBrick works as an Intranet server (IPBrick.I), the address to put in this field is the address of the equipment that provides access to the Internet. This equipment may be, for example, a Communications IPBrick or a router. The gateway IP address shall be an address of the same IP network configured on the private interface, ETH0. For instance, if the private interface has the IP address 192.168.1.1, the gateway IP address shall be 192.168.1.x. The interface to choose when configuring the gateway is ETH0.
If IPBrick works as a Communications server (IPBrick.C), or if it combines the Intranet and Communications functions (IPBrick.I + IPBrick.C), the address to put in this field is the internal address of the equipment that accesses the Internet, for example a router. In this case, the gateway IP address shall be an address of the same IP network configured on the public interface, ETH1. The interface to choose when configuring the gateway is ETH1. To change the Gateway definition, click Modify. An example can be seen in Figure 5.1.

Figure 5.1: Advanced Configurations - Definitions

5.1.2 System Information
As shown in Figure 5.2, here you get crucial information about the system: network usage, hardware information, memory usage and file systems.

5.1.3 Web Access
This section allows the management of IPBrick accesses and licences (Figure 5.4).

Figure 5.2: Advanced Configurations - System Information - 1/2

Access definitions
• Login: admin;
• Password: 123456.
The login admin and its password refer solely and exclusively to the authentication used to access IPBrick through the web interface, and both can be changed; since these are the documented defaults, change them before enabling External WEB access. Click Change to change them.
Note: In contrast to the Administrator user, this login has no work area in IPBrick.

Language definition
IPBrick is currently available in five languages:
• Portuguese;
• English;
• Spanish;
• French;
• Dutch.

Figure 5.3: Advanced Configurations - System Information - 2/2

This section allows the language of IPBrick to be changed (Figure 5.5). To do so, click Modify, select the intended language and afterwards click Apply Configurations so that the change becomes effective.
External WEB access
To access the IPBrick configuration interface through the Internet (External Web Access), click Change and choose "Yes" (Figure 5.4). You also have to activate the HTTPS service to the Internet:
• Activate HTTPS for the Internet (IPBrick.C - Firewall - Services) and choose Active in the State;
• If IPBrick is connected to the router's internal interface (without a public address), a DNAT to port 443 of IPBrick has to be configured in the router.

IPBrick licence
This section is about the IPBrick licensing process. When installing IPBrick, you get a trial licence of 30 days of use. When this licence expires, the server is automatically reconfigured to the base configuration. The solution is to install a permanent licence.

Figure 5.4: Advanced Configurations - Web Access

To install a permanent licence, click the option Download server identification for licence generation and send the .dat file to support@ipbrick.com asking for licence activation. You need to specify this information:
• Company name;
• Some information about the IPBrick server type (Intranet, Communication or VoIP server).
After receiving the answer (with an attached file) from support@ipbrick.com, select the option Cancel Temporary Licence in the page created, insert the file received (licence.dat), and the licence becomes permanent.

5.1.4 Authentication
From the moment a user is created in IPBrick, there is a record in the database of the authentication server, LDAP (1). LDAP is defined as a directory service where the information relating to the company's computer resources and its users is kept.

(1) Lightweight Directory Access Protocol

Figure 5.5: Advanced Configurations - Language
Whenever a user intends to authenticate to a certain service with his/her username and password, the IPBrick LDAP database is consulted to validate or refuse the access.

Modify
IPBrick allows several authentication modes; by default it is configured so that all users can authenticate in IPBrick.
• IPBrick Master: Default mode. All the services in the server shall use the LDAP server;
• IPBrick Slave: The LDAP server shall be a synchronized replica of the indicated IPBrick Master server; this mode is used in a scenario with several servers. Users may authenticate on this server, since there is a periodic synchronization of the LDAP database with the IPBrick Master, but there is no possibility to add users. In networks with a high number of users and many authentications, slave authentication servers are useful to avoid congestion in the IPBrick Master network segment. This scenario is also of great use in geographically distributed networks;
• IPBrick Client: The services authenticate remotely on the indicated IPBrick LDAP server. In this case there is no local database copy, and it is necessary to specify the IPBrick Master/Slave server. Normally, this authentication mode is used in an IPBrick.C for the VPN, PPTP and Proxy services;
• Netbios Client: IPBrick can become part of a domain managed by a pre-Windows 200x server using the NetBIOS protocol. In such a network, users continue to authenticate normally on the Windows machine.
• AD Domain Member (IPBrick Slave): IPBrick is a member of a domain managed by a Windows Active Directory server.

Figure 5.6: Advanced Configuration - Authentication
The users of the network need, as always, to authenticate in AD;
• AD Domain Member (IPBrick Slave): The IPBrick Slave is also going to be a member of an AD domain, acting as a secondary IPBrick server. The use of a Slave IPBrick as a member of an AD domain may be particularly useful in the case of secondary email servers, and always implies the existence of another IPBrick server configured as a member of the AD domain: the Master IPBrick.

NOTE: After changing the IPBrick authentication mode, IPBrick shall reboot automatically during Apply Configurations.

Distributed Filesystem
The users may be physically distributed among the Master/Slave servers. Meanwhile, the centralized information system, LDAP, holds the information about the physical location of each account. An NFS (Network File System) service makes the users' accounts available through the network. The Automount service combines the LDAP information with NFS and automatically makes the users' accounts available on virtually any other Master/Slave server. IPBrick allows integration with authentication servers running Windows operating systems, namely pre-Windows 200x machines (NetBIOS authentication) and Windows 200x and later machines (authentication via Active Directory).

Automount
LDAP is a directory service where the relevant information of a company is kept: users, computer resources, contacts, etc. The Automount service combines the LDAP information with NFS and automatically makes the users' accounts available on virtually any Master/Slave server. In NetBIOS authentication, the authentication server is not based on an LDAP service. In this configuration, IPBrick uses its own LDAP server as an auxiliary for the other services. In the AD domain member authentication mode, the authentication server is an LDAP implementation. All IPBrick services are configured to use this LDAP server.
However, it is necessary to extend the structure (schema) of this LDAP server to support the requirements of the IPBrick server, namely the UNIX/Linux credentials and the Automount information.

NOTE: At www.ipbrick.com - Documentation Section, there is a document about the integration of IPBrick as a member of an AD domain.

Slaves
If IPBrick is in the Master IPBrick authentication mode and there are other servers that shall act in the Slave IPBrick authentication mode, it is necessary to add the Slave machines by IP. Only then can those machines change their authentication mode to Slave IPBrick.

Clients
If IPBrick is in the Master IPBrick authentication mode and there are other servers that shall act in the Client IPBrick authentication mode, it is necessary to add the Client machines by IP. Only then can those machines change their authentication mode to Client IPBrick.

5.1.5 Update
All available updates in the Downloads section of the IPBrick site should be installed from here. Click Archive, choose the update file (.deb) and click Insert. The package is then installed in the system (Figure 5.7).

Figure 5.7: Advanced Configurations - Update

5.2 Network
This section holds the advanced configuration of the services related to the structure of the institution's network. Here it is possible to define specific firewall rules, to add static routes to other internal (or external) networks, to define rules and priorities in the QoS service, and to configure service routing in the firewall.

5.2.1 Firewall
Presentation
This section deals with IPBrick firewall management. Some of the pre-defined rules were already mentioned in the section Firewall of the chapter IPBrick.C (rules that cannot be changed by the user, only deactivated). In addition, the configuration of some other services demands further rules.
These rules can only be managed in part by the user, in the Order section. Nevertheless, IPBrick offers the administrator an advanced interface for firewall management, where a highly customized set of rules can be defined (Figure 5.8).

Top Menu
Here you have links to:
• Insert new rules in advanced mode;
• Delete already inserted rules;
• Order: Interface to order all the rules that exist in the firewall (Figure 5.12). This option is particularly important when new rules are created, because the first rule the firewall matches is the one applied. Therefore, more specific rules should be at the top and general rules at the bottom.

Figure 5.8: Network - Firewall

You can insert three types of rules:
• DNAT Rule: Redirects the traffic arriving at a port to another port/machine on the internal network. This rule is only for TCP traffic (example in Figure 5.11);
• Disable machine access: Denies access to a port of a given network machine (example in Figure 5.10);
• General settings: Here you can add a completely customized rule (example in Figure 5.9).
These are the fields involved:
– Rule:
INPUT: Data received by the firewall and addressed to the receiving interface, whatever their origin;
OUTPUT: Data sent by the firewall;
FORWARD: Traffic forwarded from one interface to another;
PREROUTING: Used to change IP packets arriving at the machine before the routing decision;
POSTROUTING: Used to change IP packets after the routing decision;
– Interface: The interface to which the rule applies;
– Protocol: Protocol(s) to which you want to apply the rule;
– Module: List of the iptables modules available for use;
– Source IP: Source IP address of the packet;
– Origin port: Source port of the packet;
– Destination IP: Destination IP address of the packet;
– Destination port: Destination port of the packet;
– Identifier: 16-bit field that exists in the original IP packet; it is used to identify the type of packet to filter. Examples: ! --syn, --state INVALID, --icmp-type echo-request
– Politics:
ACCEPT: Accepts the packet and lets it pass the firewall rules;
DELETE: Does not accept the packet and discards it;
MARK: Sets a mark on the packet. These marks can be used to make decisions at the forwarding level;
LOG: Saves a log entry for every packet that matches the rule.
– If the PREROUTING rule is used, there are the following extra policies:
REDIRECT: Redirects the traffic arriving at a port to another port;
DNAT: Redirects the traffic arriving at a certain port to another machine and port on the internal network.
– If the POSTROUTING rule is used, there are the following extra policies:
MASQUERADE: Allows the traffic to be 'masked' (masqueraded);
SNAT: Redirects the traffic generated on a certain port to another machine and port;
TCPMSS: Changes the MSS field (maximum segment size) of the TCP header.
It can only be used on TCP SYN or SYN/ACK packets, because it is only used at the beginning of connections.
The rules defined by default cannot be deleted, but they can be deactivated by clicking the state of the rule and changing it to Deactivate.

Figure 5.9: Network - Firewall - General settings rule

Body
The body is a list of all the rules controlled by the user (Figure 5.8). A rule can be switched between the enabled and disabled state. To delete rules, click Delete, select the rule or rules that you want to remove and click the button Delete. The rules defined by default cannot be deleted, but they can be deactivated: click the state of the rule and change the option to disable.

5.2.2 Route management
When an organization has several distributed networks separated by routers, and you want to give IPBrick access to all of them, you must indicate the gateway for each network (Figure 5.13). The following fields are present:
• Destination network: Network to access;
• Mask: Mask of the destination network;
• Interface: IPBrick interface with connectivity to the destination network;
• Gateway: Router/server IP with connectivity to the destination network.

Figure 5.10: Network - Firewall - Disable access rule

5.2.3 QOS
Presentation
The QoS service (2) (Figure 5.14) in IPBrick allows the customization of traffic priority levels, oriented to the external interface, thus assuring a certain level of quality of service for the end user. It is important to indicate straight away the bandwidth available on the Internet connection. From these data, priority rules can be established among the several types of traffic in a network. For example, instead of the Internet connection being entirely occupied by the email service, you can limit the bandwidth given to that service and assure a minimum value for web traffic.

Body
List of the available Public Interfaces (normally ETH1) and the state of the service for each network card. Clicking the state toggles between active and inactive. Clicking the network card opens the management form of that service (Figure 5.14). In Generic Configurations (Figure 5.15) it is possible to define the maximum bandwidth allowed for download and upload. In the section Structure there are three defined priority classes, each one already with predefined filters. It is possible to define new filters for each priority class, specifying the following fields:
• Type of filter: ACK type (confirmation of packet reception) or General;
• ToS (3):
– Minimize delay;
– Maximize throughput;
– Maximize reliability;
– Minimize cost;
• Protocol: Type of protocol to apply in the filter;
• Source IP;
• Source Port;
• Destination IP;
• Destination Port.
Priority Class 1 always has maximum priority, and the traffic defined in Priority Class 3 is the least important.

(2) Quality of Service
(3) Type of Service

Figure 5.11: Network - Firewall - DNAT rule
Figure 5.12: Network - Firewall - Order

5.2.4 Service Routing
IPBrick allows the traffic relating to the several network services to be routed to different output interfaces. That is, a communications server may be routing SMTP traffic to a certain ISP router and web traffic to another (example in Figure 5.16).
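The worked examples later in this section fill in the advanced-firewall form of 5.2.1 field by field. The following added Python example (not IPBrick's own code; the manual does not show how IPBrick generates its rules) renders those forms as the iptables commands they correspond to, pairs them with the fwmark policy-routing step that "Tag in the firewall" implies, and builds the mail-service rule set of this section as a sample; the table placement, the iproute2 commands and the RFC 5737 addresses are assumptions.

```python
"""Render IPBrick advanced-firewall forms as iptables commands.

Added example, not IPBrick's own code. The manual documents the form fields
(Rule, Interface, Protocol, Module, Source IP, Origin port, Destination IP,
Destination port, Identifier, Politics, Value) and the iptables ideas behind
them; how IPBrick itself generates its rules is not shown, so the mapping
here is a generic, assumed one. Addresses are constructed sample values.
"""
from typing import Dict, List

# Assumed table placement: NAT targets live in 'nat', MARK/TCPMSS in 'mangle'.
NAT_TARGETS = {"REDIRECT", "DNAT", "SNAT", "MASQUERADE"}
MANGLE_TARGETS = {"MARK", "TCPMSS"}
# Incoming chains match the input interface, outgoing chains the output one.
IFACE_FLAG = {"INPUT": "-i", "PREROUTING": "-i", "FORWARD": "-i",
              "OUTPUT": "-o", "POSTROUTING": "-o"}


def _negatable(flag: str, value: str) -> List[str]:
    """'! 203.0.113.10' (the manual's '! eth1 IP') becomes '! -d 203.0.113.10'."""
    value = value.strip()
    if value.startswith("!"):
        return ["!", flag, value[1:].strip()]
    return [flag, value]


def _target(policy: str, value: str) -> List[str]:
    """Map the form's Politics/Value pair to an iptables jump target."""
    if policy == "DELETE":                 # the manual's name for DROP
        return ["-j", "DROP"]
    if policy == "MARK":                   # Value is the service-routing tag
        return ["-j", "MARK", "--set-mark", value]
    if policy == "SNAT":
        return ["-j", "SNAT", "--to-source", value]
    if policy == "DNAT":
        return ["-j", "DNAT", "--to-destination", value]
    if policy == "REDIRECT":
        return ["-j", "REDIRECT", "--to-ports", value]
    if policy == "TCPMSS":
        return ["-j", "TCPMSS", "--set-mss", value]
    return ["-j", policy]                  # ACCEPT, LOG, MASQUERADE


def iptables_command(form: Dict[str, str]) -> str:
    """One filled-in form (a missing key means 'Leave blank') -> one iptables line."""
    chain = form["Rule"].upper()
    policy = form["Politics"].upper()
    table = "nat" if policy in NAT_TARGETS else "mangle" if policy in MANGLE_TARGETS else "filter"
    args = ["iptables", "-t", table, "-A", chain]
    if form.get("Interface"):
        args += [IFACE_FLAG[chain], form["Interface"]]
    proto = form.get("Protocol", "").lower()
    if proto and proto != "all":
        args += ["-p", proto]
    if form.get("Module"):
        args += ["-m", form["Module"]]
    if form.get("Source IP"):
        args += _negatable("-s", form["Source IP"])
    if form.get("Origin port"):
        args += _negatable("--sport", form["Origin port"])
    if form.get("Destination IP"):
        args += _negatable("-d", form["Destination IP"])
    if form.get("Destination port"):
        args += _negatable("--dport", form["Destination port"])
    if form.get("Identifier"):             # e.g. '! --syn' is passed through verbatim
        args += form["Identifier"].split()
    return " ".join(args + _target(policy, form.get("Value", "")))


def policy_routing_commands(tag: str, gateway: str, iface: str, table: int = 100) -> List[str]:
    """iproute2 side of Service Routing (assumed generic form, not IPBrick's):
    packets carrying firewall mark `tag` are routed via `gateway` on `iface`."""
    return [f"ip route add default via {gateway} dev {iface} table {table}",
            f"ip rule add fwmark {tag} table {table}"]


def mail_service_routing(eth1_ip: str, eth2_ip: str, eth2_gw: str, tag: str = "1") -> List[str]:
    """The manual's 'Mail service example', rules 1-4, plus the routing step."""
    forms = [
        # 1. masquerade everything leaving through the new interface
        {"Rule": "POSTROUTING", "Interface": "eth2", "Protocol": "ALL",
         "Politics": "SNAT", "Value": eth2_ip},
        # 2. accept incoming SMTP on eth2
        {"Rule": "INPUT", "Interface": "eth2", "Protocol": "TCP",
         "Destination port": "25", "Politics": "ACCEPT"},
        # 3. accept replies from remote mail servers (never a new connection)
        {"Rule": "INPUT", "Interface": "eth2", "Protocol": "TCP",
         "Origin port": "25", "Identifier": "! --syn", "Politics": "ACCEPT"},
        # 4. tag outgoing SMTP so that policy routing sends it via eth2
        {"Rule": "OUTPUT", "Interface": "eth1", "Protocol": "TCP",
         "Source IP": eth1_ip, "Destination IP": f"! {eth1_ip}",
         "Destination port": "25", "Politics": "MARK", "Value": tag},
    ]
    return [iptables_command(f) for f in forms] + policy_routing_commands(tag, eth2_gw, "eth2")


if __name__ == "__main__":
    # Constructed sample addresses (RFC 5737 documentation ranges).
    for line in mail_service_routing("203.0.113.10", "198.51.100.2", "198.51.100.1"):
        print(line)
```

Rule 3 admits any non-SYN segment with source port 25 regardless of connection state, so when reviewing such a rule set note that the --state module the manual lists under Identifier gives a tighter match.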
The definition of gateways is made through the following fields:
• Name: The name of the new access to the Internet;
• IP address: Internal router IP responsible for that access (the gateway);
• Tag in the firewall: Attributed automatically.

After defining a Destination, specific rules must be added in the firewall so that the desired services are actually routed. Firewall configuration examples are presented for:
• Using the IPBrick VoIP service on the new Internet access;
• Using the new access to send and receive email;
• Using the new access for web traffic.

Figure 5.13: Network - Route management

VoIP example
For instance, if the new Internet access (IPBrick interface eth2) is meant for VoIP traffic (ports 5060 and 5090, and UDP from 35000 upwards), you have to insert the following rules in Advanced Configurations - Network - Firewall - Insert:

1. Rule to masquerade the outgoing traffic on the eth2 interface:
• Type: General configuration;
• Rule: POSTROUTING;
• Interface: eth2;
• Protocol: TCP;
• Module: Leave blank;
• Source IP: Leave blank;
• Origin port: Leave blank;
• Destination IP: Leave blank;
• Destination port: Leave blank;
• Identifier: Leave blank;
• Politics: SNAT;
• Value: eth2 IP;

Figure 5.14: Network - QoS management

2. Rules that accept incoming traffic on the IPBrick VoIP ports:
Port 5060 UDP:
• Type: General configuration;
• Rule: INPUT;
• Interface: eth2;
• Protocol: UDP;
• Module: Leave blank;
• Source IP: Leave blank;
• Origin port: Leave blank;
• Destination IP: Leave blank;
• Destination port: 5060;
• Identifier: Leave blank;
• Politics: ACCEPT
Port 5060 TCP:
• Type: General configuration;
• Rule: INPUT;
• Interface: eth2;
• Protocol: TCP;
• Module: Leave blank;
• Source IP: Leave blank;
• Origin port: Leave blank;
• Destination IP: Leave blank;
• Destination port: 5060;
• Identifier: Leave blank;
• Politics: ACCEPT
Port 5090 UDP:
• Type: General configuration;
• Rule: INPUT;
• Interface: eth2;
• Protocol: UDP;
• Module: Leave blank;
• Source IP: Leave blank;
• Origin port: Leave blank;
• Destination IP: Leave blank;
• Destination port: 5090;
• Identifier: Leave blank;
• Politics: ACCEPT
Up to 35000 UDP:
• Type: General configuration;
• Rule: INPUT;
• Interface: eth2;
• Protocol: UDP;
• Module: Leave blank;
• Source IP: Leave blank;
• Origin port: Leave blank;
• Destination IP: Leave blank;
• Destination port: 35000;
• Identifier: Leave blank;
• Politics: ACCEPT

Figure 5.15: Network - QOS - General Configurations
Figure 5.16: Network - Service Routing

3. Rules to forward outgoing VoIP traffic to eth2:
Port 5060 UDP:
• Type: General configuration;
• Rule: OUTPUT;
• Interface: eth1;
• Protocol: UDP;
• Module: Leave blank;
• Source IP: eth1 IP;
• Origin port: 5060;
• Destination IP: ! eth1 IP;
• Destination port: Leave blank;
• Identifier: Leave blank;
• Politics: MARK;
• Value: 1 (firewall tag);
Port 5060 TCP:
• Type: General configuration;
• Rule: OUTPUT;
• Interface: eth1;
• Protocol: TCP;
• Module: Leave blank;
• Source IP: eth1 IP;
• Origin port: 5060;
• Destination IP: ! eth1 IP;
• Destination port: Leave blank;
• Identifier: Leave blank;
• Politics: MARK;
• Value: 1 (firewall tag);
Port 5090 UDP:
• Type: General configuration;
• Rule: OUTPUT;
• Interface: eth1;
• Protocol: UDP;
• Module: Leave blank;
• Source IP: eth1 IP;
• Origin port: 5090;
• Destination IP: ! eth1 IP;
• Destination port: Leave blank;
• Identifier: Leave blank;
• Politics: MARK;
• Value: 1 (firewall tag);
Up to port 35000 UDP:
• Type: General configuration;
• Rule: OUTPUT;
• Interface: eth1;
• Protocol: UDP;
• Module: Leave blank;
• Source IP: 35000;
• Origin port: Leave blank;
• Destination IP: ! eth1 IP;
• Destination port: Leave blank;
• Identifier: Leave blank;
• Politics: MARK;
• Value: 1 (firewall tag);

4. In the IPBrick menu VoIP - Registered Phones - Options, change the 2nd field to the IPBrick's eth2 IP.

Mail service example
In this case, the new Internet access (eth2) will be used for the mail service, both receiving and sending (port 25). These rules should be inserted:

1. Rule to masquerade the outgoing traffic on the eth2 interface:
• Type: General configuration;
• Rule: POSTROUTING;
• Interface: eth2;
• Protocol: ALL;
• Module: Leave blank;
• Source IP: Leave blank;
• Origin port: Leave blank;
• Destination IP: Leave blank;
• Destination port: Leave blank;
• Identifier: Leave blank;
• Politics: SNAT;
• Value: eth2 IP;

2. Rules that accept incoming traffic for port 25:
• Type: General configuration;
• Rule: INPUT;
• Interface: eth2;
• Protocol: TCP;
• Module: Leave blank;
• Source IP: Leave blank;
• Origin port: Leave blank;
• Destination IP: Leave blank;
• Destination port: 25;
• Identifier: Leave blank;
• Politics: ACCEPT

3. Rule to allow the replies on port 25 from the Internet mail servers:
• Type: General configuration;
• Rule: INPUT;
• Interface: eth2;
• Protocol: TCP;
• Module: Leave blank;
• Source IP: Leave blank;
• Origin port: 25;
• Destination IP: Leave blank;
• Destination port: Leave blank;
• Identifier: ! --syn;
• Politics: ACCEPT

4. Rules to forward outgoing Internet SMTP traffic to eth2:
• Type: General configuration;
• Rule: OUTPUT;
• Interface: eth1;
• Protocol: TCP;
• Module: Leave blank;
• Source IP: eth1 IP;
• Origin port: Leave blank;
• Destination IP: ! eth1 IP;
• Destination port: 25;
• Identifier: Leave blank;
• Politics: MARK;
• Value: 1 (firewall tag);

5. Rules to forward outgoing SMTP traffic originating in IPBrick to the new interface (eth2):
• Type: General configuration;
• Rule: OUTPUT;
• Interface: eth1;
• Protocol: TCP;
• Module: Leave blank;
• Source IP: eth2 IP;
• Origin port: 25;
• Destination IP: ! eth1 IP;
• Destination port: Leave blank;
• Identifier: Leave blank;
• Politics: MARK;
• Value: 1 (firewall tag);

6. Rule to forward traffic originating in the LAN and destined for port 25 on the Internet (only when an external SMTP account is used):
• Type: General configuration;
• Rule: PREROUTING;
• Interface: eth0;
• Protocol: TCP;
• Module: Leave blank;
• Source IP: LAN IP;
• Origin port: Leave blank;
• Destination IP: ! eth1 IP;
• Destination port: 25;
• Identifier: Leave blank;
• Politics: MARK;
• Value: 1 (firewall tag);

Web access example
In this case, the new Internet access (eth2) will be used for the LAN web access, which will be redirected to the new interface:

1. Rule to masquerade the outgoing traffic on the eth2 interface:
• Type: General configuration;
• Rule: POSTROUTING;
• Interface: eth2;
• Protocol: ALL;
• Module: Leave blank;
• Source IP: Leave blank;
• Origin port: Leave blank;
• Destination IP: Leave blank;
• Destination port: Leave blank;
• Identifier: Leave blank;
• Politics: SNAT;
• Value: eth2 IP;

2. Rule to allow the replies on port 80 from the Internet web servers:
• Type: General configuration;
• Rule: INPUT;
• Interface: eth2;
• Protocol: TCP;
• Module: Leave blank;
• Source IP: Leave blank;
• Origin port: 80;
• Destination IP: Leave blank;
• Destination port: Leave blank;
• Identifier: ! --syn;
• Politics: ACCEPT

3. Rule to allow the replies on port 443 from the Internet web servers:
• Type: General configuration;
• Rule: INPUT;
• Interface: eth2;
• Protocol: TCP;
• Module: Leave blank;
• Source IP: Leave blank;
• Origin port: 443;
• Destination IP: Leave blank;
• Destination port: Leave blank;
• Identifier: ! --syn;
• Politics: ACCEPT

4. Rule to forward traffic originating in the LAN and destined for port 80 on the Internet (only when the proxy is not used!):
• Type: General configuration;
• Rule: PREROUTING;
• Interface: eth0;
• Protocol: TCP;
• Module: Leave blank;
• Source IP: LAN IP;
• Origin port: Leave blank;
• Destination IP: ! eth1 IP;
• Destination port: 80;
• Identifier: Leave blank;
• Politics: MARK;
• Value: 1 (firewall tag);

5. Rule to forward traffic originating in the LAN and destined for port 443 on the Internet (only when the proxy is not used!):
• Type: General configuration; • Rule: PREROUTING; • Interface: eth0; • Protocol: TCP; • Module: Leave blank; • Source IP: LAN network; • Origin port: Leave blank; • Destination IP: ! eth1 IP; • Destination port: 443; • Identifier: Leave blank; • Politics: MARK; • Value: 1 (firewall tag); 6. Rule to forward traffic with origin in a machine conected to the LAN using VPN PPTP and destination the port 80 in Internet (only when the proxy is not used!) • Type: General configuration; • Rule: PREROUTING; • Interface: ppp+; • Protocol: TCP; • Module: Leave blank; • Source IP: LAN IP; • Origin port: Leave blank; • Destination IP: ! eth1 IP; • Destination port: 80; • Identifier: Leave blank; • Politics: MARK; • Value: 1 (firewall tag); 7. Rule to forward traffic with origin in a machine conected to the LAN using VPN PPTP and destination the port 443 in Internet (only when the proxy is not used!) • Type: General configuration; iPortalMais - 2008 Reference Guide - Version 5.0 186 Advanced Configurations • Rule: PREROUTING; • Interface: ppp+; • Protocol: TCP; • Module: Leave blank; • Source IP: LAN IP; • Origin port: Leave blank; • Destination IP: ! eth1 IP; • Destination port: 443; • Identifier: Leave blank; • Politics: MARK; • Value: 1 (firewall tag); 8. Rules to forward outgoing Internet web http traffic for eth2: • Type: General configuration; • Rule: OUTPUT; • Interface: eth1; • Protocol: TCP; • Module: Leave blank; • Source IP: eth1 IP; • Origin port: Leave blank; • Destination IP: ! eth1 IP; • Destination port: 80; • Identifier: Leave blank; • Politics: MARK; • Value: 1 (firewall tag); 9. Rules to forward outgoing Internet web https traffic for eth2: • Type: General configuration; • Rule: OUTPUT; • Interface: eth1; • Protocol: TCP; • Module: Leave blank; • Source IP: eth1 IP; • Origin port: Leave blank; • Destination IP: ! 
eth1 IP; Reference Guide - Version 5.0 iPortalMais - 2008 5.3 Support services 187 • Destination port: 443; • Identifier: Leave blank; • Politics: MARK; • Value: 1 (firewall tag); NOTE: To route other services for the new internet access (local and remote port), the idea is the same. 5.3 5.3.1 Support services LDAP Figure 5.17: Support Services - LDAP In this section is presented a list of the machines registered in the LDAP service of IPBrick. To insert a new machine in the LDAP domain of IPBrick is necessary to click Insert. It is also possible to Modify or Delete LDAP registers. The insertion of machines in LDAP from here is useful, when there are IP networks different from the internal interface of IPBrick, since there is no need to indicate the IP. iPortalMais - 2008 Reference Guide - Version 5.0 188 5.3.2 Advanced Configurations DNS DNS4 is a name resolution service in IP addresses and vice-versa, and it is implemented in IPBrick by the software Bind using door 53 UDP/TCP. The majority of queries consists of a simple UDP request by the client, followed by a UDP answer of the server. There are two situations where the TCP is used: when the data to be sent by the user exceed 512 bytes or at the transference of zones. Some operating systems (HP-UX, for ex:), even adopt DNS implementations always using TCP, thus increasing reliability. The service acts like a database with information about the connections of a IP network, and that information is organized into domains. The used notation represents FQDN5 : servername.company.region Being the ”servername.company.region” the FQDN, the ”company.region” designated as the domain, ”company” the sub-domain and ”region” the top domain (Top Level Domain), which is administrated by an entity denominated ICANN6 . 
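Returning to the policy-routing rules of section 5.2: the following evaluator is an added example (not IPBrick's own code, which generates the real firewall from these forms) that transcribes rules 2 to 4 of the SMTP example with the form's own field names and shows what each rule decides for the packets a mail exchange over eth2 produces, in particular why the "! --syn" identifier of the reply rule matters. Interface and server addresses are constructed TEST-NET placeholders.

```python
"""Evaluator for the firewall rules of section 5.2 (added example, not IPBrick's own code).

Rules carry the same fields as the IPBrick web form (Rule, Interface, Protocol,
Source IP, Origin port, Destination IP, Destination port, Identifier, Politics,
Value). A leading "! " negates a field, as in "Destination IP: ! eth1 IP" and
"Identifier: ! --syn". Interface addresses are constructed TEST-NET placeholders.
"""
from dataclasses import dataclass

ETH1_IP = "203.0.113.10"   # constructed placeholder for the first Internet access
ETH2_IP = "198.51.100.10"  # constructed placeholder for the new Internet access
REMOTE_MX = "192.0.2.50"   # constructed placeholder for an Internet mail server


@dataclass
class Packet:
    chain: str          # INPUT, OUTPUT, PREROUTING or POSTROUTING
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True only for the connection-opening segment


def form_rule(**fields) -> dict:
    """Build a rule with the form's defaults; underscores stand for spaces in field names."""
    rule = {"Type": "General configuration", "Protocol": "TCP",
            "Module": "Leave blank", "Source IP": "Leave blank",
            "Origin port": "Leave blank", "Destination IP": "Leave blank",
            "Destination port": "Leave blank", "Identifier": "Leave blank"}
    rule.update({k.replace("_", " "): v for k, v in fields.items()})
    return rule


def _field_ok(spec: str, value) -> bool:
    """One form field against one packet value; 'Leave blank' matches anything."""
    if spec == "Leave blank":
        return True
    if spec.startswith("! "):
        return str(value) != spec[2:]
    return str(value) == spec


def rule_matches(rule: dict, pkt: Packet) -> bool:
    if rule["Rule"] != pkt.chain or rule["Interface"] != pkt.iface:
        return False
    if rule["Protocol"] not in ("ALL", pkt.proto):
        return False
    pairs = [(rule["Source IP"], pkt.src), (rule["Origin port"], pkt.sport),
             (rule["Destination IP"], pkt.dst), (rule["Destination port"], pkt.dport)]
    if not all(_field_ok(spec, val) for spec, val in pairs):
        return False
    ident = rule["Identifier"]
    if ident == "--syn":        # only connection openings
        return pkt.syn
    if ident == "! --syn":      # only segments of an already open connection
        return not pkt.syn
    return True


def evaluate(rules, pkt: Packet):
    """First matching rule wins; returns (Politics, Value) or (None, None)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["Politics"], rule.get("Value")
    return None, None


# Rules 2, 3 and 4 of the SMTP example, transcribed field by field.
SMTP_RULES = [
    form_rule(Rule="INPUT", Interface="eth2", Destination_port="25",
              Politics="ACCEPT"),
    form_rule(Rule="INPUT", Interface="eth2", Origin_port="25",
              Identifier="! --syn", Politics="ACCEPT"),
    form_rule(Rule="OUTPUT", Interface="eth1", Source_IP=ETH1_IP,
              Destination_IP="! " + ETH1_IP, Destination_port="25",
              Politics="MARK", Value="1"),
]


def smtp_scenarios():
    """Decisions for the packets a mail exchange over eth2 actually produces."""
    return {
        # remote server delivering mail to us: new connection to port 25 (rule 2)
        "inbound_delivery": evaluate(SMTP_RULES, Packet(
            "INPUT", "eth2", "TCP", REMOTE_MX, 40123, ETH2_IP, 25, syn=True)),
        # reply segment from a server we connected to (rule 3, ! --syn)
        "reply_from_mx": evaluate(SMTP_RULES, Packet(
            "INPUT", "eth2", "TCP", REMOTE_MX, 25, ETH2_IP, 40124, syn=False)),
        # a SYN arriving with source port 25 is not a reply: rule 3 must not match
        "forged_syn_from_25": evaluate(SMTP_RULES, Packet(
            "INPUT", "eth2", "TCP", REMOTE_MX, 25, ETH2_IP, 40125, syn=True)),
        # our own outgoing SMTP leaves through eth1 tagged with mark 1 (rule 4)
        "outgoing_smtp": evaluate(SMTP_RULES, Packet(
            "OUTPUT", "eth1", "TCP", ETH1_IP, 40126, REMOTE_MX, 25)),
        # traffic to eth1's own address is excluded by the negated Destination IP
        "to_self": evaluate(SMTP_RULES, Packet(
            "OUTPUT", "eth1", "TCP", ETH1_IP, 40127, ETH1_IP, 25)),
    }


if __name__ == "__main__":
    for name, decision in smtp_scenarios().items():
        print(f"{name:20s} -> {decision}")
```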
A DNS server holds a database about a certain part of the domain, which is normally designated a zone, and there are two types of servers:
• master: it obtains the data of the zone it manages from its own database;
• slave: it obtains the data from the primary master; one or more may exist in a network. Whenever there are changes in the configuration of the zones served by the master, this server is always notified and proceeds to update its database.

The DNS server also allows the resolution of names in reverse mode, that is, it answers with the name (FQDN) for a certain IP address. This allows the confirmation of the authenticity of an IP address, an important aspect in the e-mail service.

Presentation
This is the main section of DNS configuration. Here you can manage the domains served by the machine and change the machines, aliases (CNAME) and the MX7 records.

Top Menu
Here you have a link to Insert a new domain (Figure 5.18).

Body
Here you have a list of the forward and reverse name resolution zones registered in IPBrick. You can access the management interface of these zones by clicking on one of them (Figure 5.19 and Figure 5.20).

Figure 5.18: Support Services - DNS - Name resolution zones

Domains Insert Zones

Top Menu
Here you have a link to get Back to the previous list and cancel the current process of introducing a new zone.

Body
Here you see a register form for forward and/or reverse name resolution zones. You find the following fields:
1. Domain: name of the new registration; e.g. empresa.pt; porto.empresa.pt; acme.inc;
2. Network: the associated IP network for which you are going to create registrations of reverse name resolution (PTR8);
3. Zone type: field that allows you to create a master or secondary zone. A secondary zone is a copy of another DNS server's master zone;
4. Server: name of the machine that will serve9 this domain (e.g. ipbrick.domain.com) (this field only applies to master zones);
5. Email: e-mail of the person responsible for this domain. This e-mail is registered in the DNS under the name of the responsible technician for this domain (this field only applies to master zones);
6. Refresh time: the time after which a secondary zone checks whether there are any changes in the master zone (this field only applies to master zones);
7. Transfer retry time: the time a secondary zone has to wait before retrying the connection to the master zone, that is, if the last refresh was unsuccessful (this field only applies to master zones);
8. Expiry time: the time during which a secondary zone considers the data of the zone valid since the last successful refresh (this field only applies to master zones);
9. Default time-to-live: the time during which other DNS servers consider the data of this zone valid (this field only applies to master zones);
10. Master servers: zone master server IP (this field only applies to secondary zones);
11. Insert button.

4 Domain Name System
5 Fully Qualified Domain Name
6 Internet Corporation For Assigned Names and Numbers
7 Mail Exchange record - used to indicate the e-mail servers of a domain
8 Pointer
9 SOA - Start of Authority
10 Alternative names

Domains Management

Presentation
In this section you control all the DNS records of a selected zone.

Top Menu
Here you have a link to get Back to the zones list and to see the data of a selected domain. Here you can change or delete a domain registration.

Body
Here you have a list of several DNS sections:
1. Machines: machine addresses in the current domain (name associated to an IP - machine), e.g.: www -> 192.168.2.1
2. Aliases10: alias registration for domain machines (this option is only available for a forward name resolution zone), e.g.: www2 -> www
3. Name Servers: registration of the FQDN addresses of the machines that serve this domain (DNS), e.g.: domain.com -> www.domain.com
4. Mail Servers: e-mail server registration for this domain. You can have several registrations, each with a different positive integer value. The values indicate which registration to use first: the registration with the lowest value is always the first one to be used. The value to be introduced here must always be the e-mail server FQDN, no matter if it is a server of the domain itself, like .domain.com., or an Internet server, like mail.saturno.com.. This option is only available for a forward name resolution zone. For example:
   20 mail.saturno.com
   10 ipbrick.domain.com
5. VoIP Servers: registration of VoIP servers for this domain. The value to be introduced here is the FQDN of the VoIP server, like for example voip.domain.com. This option is only available for a forward name resolution zone. For example: voip.domain.com
6. Instant Message Server: prefix of the address for the instant message service.

Forwarders
If a DNS server receives a request for a domain which it neither serves nor has in cache, then the server has to forward this request to other DNS servers in the Internet. The forwarders should be the nearest ones, normally the DNS servers of the ISP. If the forwarders field is empty, DNS still works, because the server uses the Internet gateway to do the DNS search. If an IPBrick.I and an IPBrick.C exist in the same network, the IPBrick.I must have the IPBrick.C eth0 address in the forwarders field. Here you have the most appropriate interface to register the nearest DNS servers (Figure 5.21).

Name Resolution
Whether or not the DNS service is running on this server, you can configure the server to have its DNS requests handled by another server. You can apply this configuration to all server services (with the obvious exception of the DNS server, which uses its forwarders for the requests it cannot answer). In order to make the server use its own DNS you have to configure the IP address of the localhost11, 127.0.0.1, which is, by the way, the default configuration (Figure 5.22).

11 local server

Figure 5.19: Support Services - DNS - Zone Management 1/2

5.3.3 DHCP

The DHCP12 service may be defined as a protocol for the dynamic assignment of network configuration parameters to workstations (ports 67 and 68 UDP), an evolution of the BOOTP protocol. Basically, a DHCP client sends a broadcast packet to the network asking for an IP address, and it obtains an answer if there is a DHCP server active in the network. The server not only assigns it an IP but also: network mask, default route, DNS server and WINS server. DHCP allows two ways of assigning IP addresses:
• Manual address or reservation: there is an association between the MAC address of a client machine and the IP address to supply, and that machine always keeps that same IP address;
• Dynamic: the client obtains the address from a range of addresses previously defined by the IPBrick administrator, for a defined period of time.

NOTE: There is a mechanism that allows the DHCP server to be in an IP network distinct from the clients; this mechanism is known as DHCP relay. DHCP relay is provided by an agent installed on the host(s) present in the remote network(s); this agent receives the DHCP clients' requests and routes them to the configured DHCP server.

12 Dynamic Host Configuration Protocol

Figure 5.20: Support Services - DNS - Zone Management 2/2
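Back to the DNS zone forms of section 5.3.2: the fields of the Domains Insert Zones form and the records of Domains Management, rendered as the BIND zone file they correspond to, with a consistency check on the four SOA timers. This is an added example, not IPBrick's own generator; the zone name, hosts, alias and MX entries are the manual's examples, while the responsible e-mail, the timer values and the serial are assumed.

```python
"""Renders the DNS zone form of section 5.3.2 as a BIND zone file and checks the
SOA timers. Added example, not IPBrick's own generator; the e-mail, timer values
and serial number are assumed, the names and records are the manual's examples.
"""
from dataclasses import dataclass, field


@dataclass
class ZoneForm:
    domain: str            # "Domain" field
    server: str            # "Server": the machine that will serve the zone (SOA MNAME)
    email: str             # "Email" of the responsible technician (SOA RNAME)
    refresh: int           # "Refresh time", seconds
    retry: int             # "Transfer retry time"
    expire: int            # "Expiry time"
    ttl: int               # "Default time-to-live"
    machines: dict = field(default_factory=dict)       # Machines: name -> IP
    aliases: dict = field(default_factory=dict)        # Aliases: alias -> target
    mail_servers: list = field(default_factory=list)   # Mail Servers: (value, fqdn)


def rname(email: str) -> str:
    """SOA RNAME form of an address: '@' becomes '.', dots in the local part are escaped."""
    local, _, host = email.partition("@")
    return local.replace(".", "\\.") + "." + host + "."


def check_timers(z: ZoneForm) -> list:
    """Consistency rules for the four timers (guidance of RFC 1912, section 2.2)."""
    problems = []
    if z.retry >= z.refresh:
        problems.append("retry should be shorter than refresh")
    if z.expire < z.refresh + z.retry:
        problems.append("expire should exceed refresh + retry, or secondaries drop the zone")
    if z.ttl > z.expire:
        problems.append("default TTL longer than expire")
    return problems


def render_zone(z: ZoneForm, serial: int) -> str:
    lines = [f"$TTL {z.ttl}", f"$ORIGIN {z.domain}.",
             f"@ IN SOA {z.server}. {rname(z.email)} ("
             f" {serial} {z.refresh} {z.retry} {z.expire} {z.ttl} )",
             f"@ IN NS {z.server}."]
    # Mail Servers: the lowest value is tried first, so emit them in that order
    for value, fqdn in sorted(z.mail_servers):
        lines.append(f"@ IN MX {value} {fqdn}.")
    for name, ip in z.machines.items():
        lines.append(f"{name} IN A {ip}")
    for alias, target in z.aliases.items():
        lines.append(f"{alias} IN CNAME {target}")
    return "\n".join(lines) + "\n"


def example_zone() -> ZoneForm:
    """The manual's domain.com examples; e-mail and timers are assumed values."""
    return ZoneForm(domain="domain.com", server="ipbrick.domain.com",
                    email="admin@domain.com",                          # assumed
                    refresh=3600, retry=900, expire=604800, ttl=86400,  # assumed
                    machines={"www": "192.168.2.1"},
                    aliases={"www2": "www"},
                    mail_servers=[(20, "mail.saturno.com"), (10, "ipbrick.domain.com")])


if __name__ == "__main__":
    zone = example_zone()
    print(render_zone(zone, 2008080101))   # constructed YYYYMMDDnn serial
    print("timer problems:", check_timers(zone) or "none")
```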
Subnets
This menu permits the definition of the subnets to be served and of the network configuration parameters to assign to the workstations (Figure 5.23). In the top menu you have a link to Insert new subnets, configure Redundancy parameters and define the default General Options (Figure 5.24). In the body you have a list of the inserted subnets. Each line is a link that opens a configuration form with the options of each subnet (Figure 5.25). It allows the insertion of the subnet parameters which shall be assigned to the clients:
• Network Address: indicates the address of the network and the respective mask;
• Dynamic addresses range: the range of addresses reserved to assign to the clients;
• Clients mask: network mask to assign to the clients;
• Broadcast address: broadcast address to assign to the clients;
• Default lease time: default time during which the address can be lent;
• Max lease time: maximum lease time of an IP address for the machines. Once this value is exceeded, the IP address is renewed;
• Option Router: address of the router which will serve as the default route (by default 192.168.69.199);
• DNS Servers: list (one per line) of the DNS servers to be used by the clients (by default ipbrick.domain.com);
• NetBios servers: list (one per line) of the NetBios servers to be used by the clients (by default ipbrick.domain.com);
• DNS domain: name of the domain indicated to the clients (by default domain.com).

Figure 5.21: Support Services - DNS - Forwarders

Figure 5.22: Support Services - DNS - Name resolution

It allows the insertion of the general DHCP parameters, which shall be assigned by default to the clients:
• Base domain: domain where the DHCP is operating;
• DNS servers: DNS servers to be used by the DHCP server;
• NetBios servers: NetBios servers to be used by the DHCP server;
• Clients mask: mask to be used by the clients of the DHCP service;
• Default lease time: default time during which the 'lease' of the address is valid for the clients;
• Max lease time: maximum lease time of an IP address for the machines. When this value is exceeded, the IP address is renewed.

If you want DNS Dynamic Update, it is necessary to choose "Yes" in the respective box. This feature is used to dynamically update a machine's IP in the DNS record if that machine is not registered with its MAC address.

Figure 5.23: Support Services - DHCP - Subnets

Presentation
It is possible, for an IP network, to configure two DHCP servers, one as main (primary) server and the other as secondary. During normal operation only the primary server answers the requests, while the secondary one synchronizes its database with the primary; if the primary fails, the secondary shall take over its service. Communication between the servers is made through network ports which may be customized. One of the ports shall be listening for the connections from the secondary server and the other one shall be listening for the connections from the main server (Figure 5.26).

Top Menu
Here you have a link to get Back and to Insert a new connection.

Body
The following fields are presented in the insertion of redundancy and failover:
• Name: name of the redundant connection;
• Configuration: here you can see whether the server is the primary or the secondary DHCP;
• Local IP: the server's internal IP address;
• Local port: local port where the service is running;
• Remote IP: IP address of the server at the other end;
• Remote port: remote port where the service at the other end is running;
• Max answering time: maximum time that the DHCP server can wait for a message from the other peer. When it runs out, the server assumes that the other has failed and takes over as the network DHCP server;
• Max Unpacked Updates: maximum number of non-acknowledged updates (BNDUPD) that the server can receive from the other peer.

Figure 5.24: Support Services - DHCP - General Options

Machines

Presentation
Here you see a list of the machines registered in the DHCP service with their MAC addresses. You can register the machines in Machines Management (see section 3.2, page 18) or directly in this section (Figure 5.27).

Figure 5.25: Support Services - DHCP - Subnets Definition

Figure 5.26: Support Services - DHCP - Redundancy

Figure 5.27: Support Services - DHCP - Machines

5.3.4 ENUM

The ENUM13 service allows the mapping of telephone numbers (E.164 recommendation) into names associated to IP addresses, using an architecture based on the DNS service. Those names may be from the SIP protocol, H.323, e-mail, etc. In order to consult the DNS, ENUM reverses the telephone numbers and gives them the suffix e164.arpa., which is the root of the tree. This tree is delegated to all countries of the world according to their E.164 codes.

13 Telephone Number Mapping
This way, the Portuguese delegation shall be the reversed 351: 1.5.3.e164.arpa.

The ENUM zones where the search shall be made may be defined in IPBrick. For that you have to click the link Insert and insert the ENUM zone domain. In Order it is possible to define which are the priority zones where the search of numbers shall be made. In Figure 5.28 a list of the ENUM zones may be visualized. Once the list of the ENUM zones where numbers are searched is defined, ENUM may be used in VoIP routes. Next, an example is given:
1. In IPBrick.C - VoIP - Routes Management, there is an Output Route for SIP Servers - VoIPBuster. There it is necessary to activate the option Activate ENUM Search in the Route Definitions;
2. A certain user of the network calls the number +351253593112 through the SIP/PBX;
3. Automatically, a search is made in the ENUM zones specified in the present menu for 2.1.1.3.9.5.3.5.2.1.5.3.e164.arpa, in order to obtain the correspondence of that number to a certain IP address/name;
4. Supposing that the search results in the SIP address joaod@domainx.com, a SIP call is made to the address joaod@domainx.com.

Figure 5.28: Support Services - ENUM

5.4 Disaster recovery

5.4.1 Configurations

All configurations done in IPBrick through the web interface are saved in a Postgres database. This way any change made will only be effective in the system after Apply Configurations. IPBrick allows the time tracking of all configurations because, when you modify something in the web interface and Apply Configurations, a new configuration is saved locally. It is possible to store these configuration files on a USB pen and additionally send them to a configurable e-mail address. The configuration filename contains the date and the exact hour when the configuration was created. In short, this configuration management allows a fast disaster recovery in case of hardware problems.

There is a configuration called default, which is IPBrick's base configuration immediately after installation.

Clicking Definitions, the following fields can be modified through the link Modify:
• Email address: e-mail address (internal or external) where the configurations are delivered (by default backup.ipbrick@iportalmais.pt);
• Message Subject: by default backup.ipbrick@iportalmais.pt;
• Message body: empty by default.

! Attention: After the IPBrick installation you must always keep a USB pen connected to the server.

Replace
In this section you see a list of all the copies saved on the USB pen. In order to replace a setting you just have to click on it (Figure 5.29).

Figure 5.29: Disaster Recovery - Replace configuration

⇒ Note: All services will be reconfigured when replacing a copy of the settings. After the configuration of all services IPBrick restarts automatically.

Figure 5.30: Disaster Recovery - Download configuration

Download
This section allows you to download the copies of the configurations to a local computer (Figure 5.30). With this useful option you can keep IPBrick settings in another place.

Upload
In this section it is possible to upload a previously downloaded configuration file to the server (Figure 5.31).

! Attention: It is not possible to use copies of settings across different IPBrick versions. The configuration files are not compatible between different IPBrick versions.

5.4.2 Applications

This is a useful disaster recovery feature. When upgrading IPBrick from version A to version B, if an old installation is detected, the following applications will be backed up:
• PostgreSQL: all the Postgres databases will be dumped, including the sites' databases;
• MySQL: all the MySQL databases will be dumped, including the sites' databases and the webmail contacts;
• Mail: the e-mails that were in the queue will be saved;
• Kaspersky: all the Kaspersky application statistics will be saved;
• VoIP: all the VoIP statistics will be saved;
• IM: the Instant Messaging data and configuration will be saved.

Figure 5.31: Disaster Recovery - Upload configuration

All these application files are then packed and saved in a folder. Choosing the option Applications - Restore, the list of available application data backups will be shown (Figure 5.32). To restore the desired application data backup, click on the file and then on Restore. At this moment the backup will be restored for the new IPBrick version (Figure 5.33).

Figure 5.32: Disaster Recovery - Applications - Data backups list

Figure 5.33: Disaster Recovery - Applications - Data restore confirmation

5.5 System

Inside the System menu we can find the options described in the following points.

5.5.1 Services

In Services (Figure 5.34) you find a list of the several services available in IPBrick. The State column shows you whether the service is enabled or disabled. It is possible to restart any service without having to restart IPBrick. In order to restart a service you have to:
• Change the State from Enable to Disable;
• Apply Configurations;
• Change the State from Disable to Enable;
• Apply Configurations.

The Start column defines how each service starts with the server (whether after a reboot or after a period during which the server was switched off).
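For the ENUM lookup walked through in section 5.3.4 above, the following is an added example (not IPBrick's resolver) that builds the e164.arpa query name the way the manual shows for +351253593112 and then applies an RFC 3761 NAPTR regexp to obtain the SIP address. The NAPTR records are constructed here, since no real DNS query is made; the number and resulting address are the manual's.

```python
"""ENUM number-to-URI mapping as walked through in section 5.3.4 (added example,
not IPBrick's resolver). The NAPTR records are constructed; the manual's number
+351253593112 and its SIP result joaod@domainx.com are used as the worked case.
"""
import re


def enum_domain(number: str, zone: str = "e164.arpa") -> str:
    """+351253593112 -> 2.1.1.3.9.5.3.5.2.1.5.3.e164.arpa (digits reversed, dotted)."""
    if not number.lstrip().startswith("+"):
        raise ValueError("ENUM needs a full international E.164 number, e.g. +351...")
    digits = "".join(ch for ch in number if ch.isdigit())
    if not digits:
        raise ValueError("no digits in number")
    return ".".join(reversed(digits)) + "." + zone


def apply_naptr_regexp(number: str, regexp: str) -> str:
    """Apply a NAPTR regexp field ("!pattern!replacement!flags") to the E.164 number."""
    delim = regexp[0]
    pattern, replacement, flags = regexp[1:].split(delim)
    re_flags = re.IGNORECASE if "i" in flags else 0
    if not re.search(pattern, number, re_flags):
        raise ValueError("NAPTR regexp does not match the number")
    # sed-style \1 back-references in the replacement are also Python's syntax
    return re.sub(pattern, replacement, number, count=1, flags=re_flags)


# Constructed NAPTR records an ENUM zone could return for the manual's number.
# Tuple fields: order, preference, service, regexp (RFC 3761 layout).
SAMPLE_NAPTR = [
    (100, 20, "E2U+h323", "!^.*$!h323:joaod@domainx.com!"),
    (100, 10, "E2U+sip", "!^.*$!sip:joaod@domainx.com!"),
]


def resolve_enum(number: str, records, wanted_service: str = "E2U+sip"):
    """Pick the lowest order/preference record for the service and rewrite the number."""
    candidates = sorted(r for r in records if r[2].lower() == wanted_service.lower())
    if not candidates:
        return None
    _order, _pref, _service, regexp = candidates[0]
    return apply_naptr_regexp(number, regexp)


if __name__ == "__main__":
    number = "+351253593112"
    print(enum_domain(number))                   # query name searched in the ENUM zones
    print(resolve_enum(number, SAMPLE_NAPTR))    # sip:joaod@domainx.com
```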
If you see Automatic in the Start column of a service, then the service will start automatically with the server. On the other hand, if you see Manual in the column, then the service will not start with the server. Nevertheless it can be started manually in this menu by changing its State from Disable to Enable.

⇒ Note: Any change in the Start column of a service will not have an immediate effect on the service. The changed start mode will only be valid from the next server start. On the other hand, a change in the State column has an immediate effect. That is, by changing the service state from Enable to Disable, IPBrick stops this service (after clicking on Apply Configurations).

Figure 5.34: System - Services

5.5.2 Task Manager

The Task Manager shows you a list of all the processes running in IPBrick. It gives you information about:
• Identifier: the PID14;
• Owner: the system user name that started the process;
• Start: the date the process started;
• Memory: the memory percentage used by the process;
• Processor: the processor percentage used by the process;
• Process: the process that is running.

In this section it is possible to stop a certain process. For that you only have to click on the option Kill Task (Figure 5.35).

! Attention: Generally speaking, running processes should not be stopped this way. Stopping a process in this interface may cause instability in IPBrick. In order to stop services use the Services menu.

14 Process Identifier

Figure 5.35: System - Task Manager

5.5.3 Date and Hour

In this menu (Figure 5.36) you can see and change the server date/hour and the time zone. When clicking Modify these fields are presented:
• Synchronization: if Manual, the date/hour will be managed by the server itself. If Automatic, IPBrick will use an NTP server to remotely synchronize the date/hour. The default one is pool.ntp.org15;
• Date: only active in manual mode;
• Hour: only active in manual mode;
• Time Zone: choose the correct time zone.

15 Big virtual cluster of Network Time Protocol timeservers

Figure 5.36: System - Date and Hour

5.5.4 System users

This menu (Figure 5.37) lists the System users (name and login). If you select one of them, it is possible to change its password, as long as you know the existing password. This is the list:
• root: Linux console superuser;
• operator: Linux console operator;
• Received Mail: user for the received mail copy functionality. The idea is to map an IMAP account from an e-mail client;
• Sent Mail: user for the sent mail copy functionality. The idea is to map an IMAP account from an e-mail client;
• kaspersky: user to receive, for example, the Kaspersky Applications notifications. The idea is to map an IMAP account from an e-mail client;
• spam: user to receive the mails from Kaspersky Anti-Spam. The idea is to map an IMAP account from an e-mail client;
• VoIPCDR: user for FTP access, to get the Asterisk full call statistics.

The password for all of them except root is L1opardo.

⇒ Note: Do not mistake System Users for LDAP Users. A System User is not registered in LDAP.

Figure 5.37: System - System users

5.5.5 Monitoring

This section is for monitoring features only. Main options:
• Logs: IPBrick and system logs management;
• Accesses: monitoring for some TCP protocols;
• Traffic: management of all the active TCP connections;
• Alerts: options for disk partition alerts.

Logs
The logs are an important tool for troubleshooting. In this menu we have:
• IPBrick Logs: logs generated by IPBrick. Important to detect any problem at the web interface layer. The most recent information is available in Current Log. In case there are other log registrations, each of them provides the information generated by IPBrick up to its indicated date;
• System Logs: management of some system logs (syslog, daemon.log, auth.log, mysql.log, mail.*):
  – State: the default is disabled;
  – Server: if enabled, we can choose whether the logs will be written locally or to a remote machine running a syslog daemon;
  – Authorize logs from remote servers: if enabled, authorizes other servers to write their system logs in IPBrick.

Figure 5.38: System - Monitoring - System Logs

Accesses
In Management, clicking on the service name we can enable the access monitoring for SSH, FTP, VPN PPTP and SSL. By default the state is disabled. The Entries option permits the visualization of all accesses. It is possible to filter by:
• IP;
• User;
• Notes:
  – Connected;
  – Disconnected;
  – Wrong password;
  – Illegal user;
  – Locked;
  – Timeout;
  – Timeout/Locked;
  – Log in attempt with root user;
  – Disconnected/Timeout.
• Date.

Options available:
• Clean filters: clears all the chosen filters;
• Export PDF: exports all the information to a .pdf file.

Traffic
Here all the active TCP connections are listed with these fields:
• Source IP: remote machine that has a connection to the server;
• Source port: port used by the source machine;
• Destination IP: server IP;
• Destination port: port to which the source machine is connected;
• State: the default is enabled.

In Action, choose the option Block connection to finish a specific connection. After blocking a connection it is possible to unblock it by choosing the option Unblock connection.

Alerts
Define here whether the full partition alerts will be active. If a partition reaches 85%, an e-mail alert will be delivered to the e-mail address present in Destination address. Changing the notifier's source address is also possible.
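The Accesses monitor described above tags each SSH session with one of the notes listed. As an added example (not IPBrick's own parser), the following classifier applies the same note categories to a constructed sample of OpenSSH auth.log lines, implements the IP/user/note filters of the Entries page, and counts failed logins per source address, which is the first figure worth looking at when triaging such entries.

```python
"""Classifier for sshd entries in auth.log using the note categories of the
Accesses monitor (section 5.5.5). Added example, not IPBrick's own parser; the
log lines are constructed in the format OpenSSH writes through syslog.
"""
import re
from collections import Counter

# Constructed sample of /var/log/auth.log lines (syslog prefix, OpenSSH messages).
SAMPLE_AUTH_LOG = """\
Aug 12 09:01:02 ipbrick sshd[2101]: Accepted password for operator from 192.168.1.20 port 51234 ssh2
Aug 12 09:02:15 ipbrick sshd[2140]: Failed password for operator from 192.168.1.30 port 51240 ssh2
Aug 12 09:02:19 ipbrick sshd[2140]: Failed password for operator from 192.168.1.30 port 51240 ssh2
Aug 12 09:02:31 ipbrick sshd[2141]: Invalid user admin from 192.168.1.30
Aug 12 09:02:45 ipbrick sshd[2142]: Failed password for root from 192.168.1.30 port 51250 ssh2
Aug 12 09:03:10 ipbrick sshd[2150]: Timeout before authentication for 192.168.1.40
Aug 12 09:15:44 ipbrick sshd[2101]: Received disconnect from 192.168.1.20: 11: disconnected by user
"""

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ sshd\[\d+\]: (?P<msg>.*)$")

# (note, regex over the sshd message). First match wins, so the root-specific
# pattern is listed before the generic wrong-password one.
PATTERNS = [
    ("Log in attempt with root user",
     re.compile(r"^Failed \w+ for (?:invalid user )?(?P<user>root) from (?P<ip>[\d.]+)")),
    ("Wrong password",
     re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")),
    ("Illegal user",
     re.compile(r"^(?:Invalid|Illegal) user (?P<user>\S+) from (?P<ip>[\d.]+)")),
    ("Connected",
     re.compile(r"^Accepted \w+ for (?P<user>\S+) from (?P<ip>[\d.]+)")),
    ("Timeout",
     re.compile(r"^Timeout before authentication for (?P<ip>[\d.]+)")),
    ("Disconnected",
     re.compile(r"^(?:Received disconnect from|Disconnected from) (?P<ip>[\d.]+)")),
]


def classify_line(line: str):
    """Return (timestamp, ip, user, note) for a recognised sshd line, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    for note, pattern in PATTERNS:
        hit = pattern.search(msg)
        if hit:
            user = hit.groupdict().get("user")   # absent for timeouts/disconnects
            return m.group("ts"), hit.group("ip"), user, note
    return None


def parse_log(text: str) -> list:
    return [e for e in (classify_line(ln) for ln in text.splitlines()) if e]


def filter_entries(entries, ip=None, user=None, note=None):
    """The same filters the Entries page offers: by IP, user and note."""
    return [e for e in entries
            if (ip is None or e[1] == ip)
            and (user is None or e[2] == user)
            and (note is None or e[3] == note)]


def failed_logins_per_ip(entries) -> Counter:
    """Failures per source address: wrong passwords, unknown users and root attempts."""
    bad = {"Wrong password", "Illegal user", "Log in attempt with root user"}
    return Counter(e[1] for e in entries if e[3] in bad)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_AUTH_LOG)
    for ts, ip, user, note in entries:
        print(f"{ts}  {ip:15s} {user or '-':10s} {note}")
    print("failed logins per IP:", dict(failed_logins_per_ip(entries)))
```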
5.5.6 SSH

The SSH menu implements a secure connection to the IPBrick shell, shown in Figure 5.39. SSH (Secure Shell) is similar to the well-known Telnet application, but more secure because of the SSL protocol used.

Note: This function needs the Java Virtual Machine to be installed. The software is available at www.java.com.

After the connection it is necessary to authenticate. For that you need to introduce the following data:
• Username: operator;
• Password: L1opardo.

After that first authentication, you can enter su to log in as superuser.

Figure 5.39: System - SSH

5.5.7 Reboot

This option allows you to reboot IPBrick (Figure 5.40). After confirming the reboot option the web connection to the server is automatically closed. When IPBrick starts again it is possible to establish a new https connection to the server.

5.5.8 Shutdown

This option shuts IPBrick down cleanly (Figure 5.41), ensuring that all the services are correctly stopped. You should use this option whenever it is necessary to shut down IPBrick. Do not shut down the server directly at the power supply.

5.6 Telephony

To make IPBrick interaction with telephone systems possible, you need to install specific hardware. This hardware includes PCI cards that can be analog, ISDN (RDIS) BRI or ISDN PRI. Analog cards provide the connection to telephone networks working in analog mode. If telephone networks are working in digital mode (ISDN), cards may be BRI or PRI. A BRI (Basic Rate Interface) access has three channels: two 64 kbit/s (B) channels for data/voice and one 16 kbit/s (D) channel for control. The PRI (Primary Rate Interface) access corresponds to 30 B channels plus one D channel in Europe, and can also be designated as an E1 circuit.

Figure 5.40: System - Reboot

5.6.1 Cards

After the physical configuration and installation in the machine you have to configure IPBrick. To do this you have to know how the card was physically configured, i.e., the configuration of each port. After the physical installation of the hardware, you can configure cards in the IPBrick web interface in the menu: Advanced Configurations - Telephony - Cards. To insert, click on Insert and then indicate (as shown in Figure 5.42):
• Card type: can be analogic, ISDN BRI or ISDN PRI;
• Port count: number of ports;
• Port configuration: each port can be configured to connect to the preset interfaces: PBX or PSTN.

For analog and ISDN PRI the settings are automatically configured like this:
Analogic:
  Connecting to a PBX, so the card port will act as fxs
  Connecting to PSTN, so the card port will act as fxo
ISDN PRI:
  Connecting to a PBX, so the card port will act as NET
  Connecting to PSTN, so the card port will act as CPE

For ISDN BRI the administrator must fill in the settings:
– NT PtP (Point to Point);
– NT PtMP (Point to Multi-Point);
– TE PtP (Point to Point);
– TE PtMP (Point to Multi-Point).

Figure 5.41: System - Shutdown

For each card inserted there are three options: Back, Modify and Delete (Figure 5.43). If the port is connected to the landline (PSTN) you need to configure the setting as TE. If the port is connected to the PBX gateway you have to configure the PBX port and configure the setting as NT. An ISDN FAX usually behaves like a PBX, requiring the port configuration as FAX (showing this option requires a FAX interface configuration) and the setting as NT. If there is a GSM interface configured in one of the ports you have to choose it in the list and configure the setting as TE. To configure an ISDN PRI you have to indicate whether the line uses the R2 protocol (used for example in Brazil) and whether CRC4 is active on the line. PtP or PtMP depends on the telephone operator's line type. After the configuration, we can see a list with the configured cards, as visible in Figure 5.44.

Figure 5.42: Telephony - Cards - Insert

5.6.2 Registered Phones

This option is valid if there is no need to assign a specific IP address to the telephone. You can add a telephone by filling in the fields for the name and the access password of the telephone, assuming the DNS is working correctly. In this menu you can see a list of the registered SIP telephones. To register a telephone:
• Click Insert;
• Phone: insert the name of the telephone to register;
• Password: insert the access password of the telephone;
• Retype Password: reinsert the password;
• Caller ID: if you want to mask the caller ID, insert one;
• Click Insert.

Figure 5.43: Telephony - Card definitions

Figure 5.44: Telephony - Cards list

An example is shown in Figure 5.45.

Figure 5.45: Telephony - Simple phone register

5.6.3 Configurations

In this menu it is possible to adjust several configurations for VoIP and PBX/PSTN integration. These are the options:
• General options;
• Analog and ISDN PRI options;
• ISDN BRI options;
• List of enabled codecs;
• IP PBX remote managers;
• VoIP domain alias.
General options

The fields in Options (Figure 5.46) are:
• Router with full DNAT?: if IPBrick sits behind a router that provides access to the outside (for VoIP) and forwards all traffic to it, select Yes and enter the router's external address in Router public IP address;
• IP address of the IPBrick public interface used by the VoIP service: the public interface of IPBrick that carries the VoIP service;
• Intranet VoIP Server only?: routes VoIP traffic on a single interface instead of the usual two;
• Remove default national prefix (0): removes the national prefix normally dialled;
• Get call source address from IPBrick LDAP: if enabled, the LDAP database of the IPBrick identified by IPBrick IP address and IPBrick DNS domain is searched for the calling number and, when found, the number is replaced by the name of the entity associated with it;
• Immediate answer on calls originated in a PBX: advisable when using connections to external SIP servers (e.g. VoIPBuster, NetCall), to avoid timeouts in the PBX. If you intend to rate calls coming from the PBX, deactivate it, otherwise the call counts as answered, and the user starts paying, as soon as the number is dialled;
• Attendance Timeout: time (seconds) the call rings at the destination phone before being sent or routed to another phone;
• Call Timeout: time (seconds) allowed for the connection to be established.
Figure 5.46: Telephony - Configurations
If it expires, the attempt is ended;
• Timeout to hangup calls without sound;
• Timeout to hangup calls on hold without sound;
• Enable SIP video support: enables SIP video;
• Attended transfer: if Yes, a key sequence can be defined to perform an attended transfer from the VoIP server instead of from the SIP phone;
• Blind transfer: if Yes, a key sequence can be defined to perform a blind transfer from the VoIP server instead of from the SIP phone;
• Voicemail: enables general voicemail for VoIP;
• Call's prioritization: if enabled, a priority level from 1 (highest) to 10 (lowest) can be defined for each route prefix in Routes Management. Example: on a LAN-PSTN route all BRI lines are busy; if the emergency prefix (911) has maximum priority, a call to 911 may cause an existing call to be disconnected to free a line;
• Store calls details records in csv file: the whole call history is written in the default Asterisk CDR format to a file called Master.csv, which can be downloaded by FTP with username voipcdr and password L1opardo. These credentials are published in this manual and FTP carries them, and the file (every number dialled by every extension), in clear text, so only expose the FTP service to the administration network;
• IP of server-signalling different from the media server: activate this if the remote signalling service and the remote media server run on different hosts.

Analog and ISDN PRI options

Parameters that apply only to analog and ISDN PRI cards and are written to the configuration files of their driver, zaptel (Figure 5.47):
• Channel tone zone: country tone zone.
Tone frequencies differ from country to country;
• Echo cancel;
• Type of Number (ISDN TON): low-level signalling options
– Callee (Called Number): Unknown is the default; other options are local, private, national and international;
– Caller (Calling Number): Unknown is the default; other options are local, private, national and international;
• R2 signalling options: if the line uses R2 signalling (a legacy channel-associated signalling protocol that predates ISDN, used for example in Brazil), the R2 parameters are defined here:
– DNIS: Dialed Number Identification Service value;
– ANI: Automatic Number Identification value;
– Zone/Country.
Figure 5.47: Telephony - Analog and ISDN PRI options

ISDN BRI options

Parameters that apply only to ISDN BRI cards and are written to the configuration files of their driver, mISDN (Figure 5.48):
• Echo cancel: the default is High; other options are Disabled, minimum, low and maximum (which needs more CPU);
• DTMF detection threshold: adjusts DTMF sensitivity from 50 to 400 (higher values are less sensitive);
• Immediate digit capture: changes the way digits sent by a PBX are read by IPBrick. When this option is deactivated the digit-capture routine is altered to work around PBXs whose dialled numbers IPBrick misreads (repeated or missing digits).
Attention: this option should be left at No by default;
• PSTN digit reception timeout: timeout in seconds;
• Jitter Buffer: adjusts the jitter buffer, a shared buffer where voice packets are collected and released to the VoIP server at evenly spaced intervals;
• Digit timeout: time (seconds) after the last digit dialled after which IPBrick treats dialling as complete;
• Response timeout: time (seconds) counted from the moment the receiver is hung up, after which IPBrick releases the channel;
• Type of Number (ISDN TON): low-level signalling options
– Outgoing number (onumplan): Unknown is the default; other options are national, international and subscriber;
– Caller id (dnumplan): Unknown is the default; other options are national, international and subscriber;
– CPN (cpnnumplan): Unknown is the default; other options are national, international and subscriber.

List of enabled codecs

This table lists the codecs IPBrick uses and the order of preference in which they are chosen for a call. To add or remove codecs, choose Modify, select the codec and press the add or remove button (Figure 5.49). In the same way, to change the order in which codecs are used, select the codec and click the arrows to the right of the list to move it up or down according to the required priority. The following codecs can be selected; the approximate voice bandwidth each one consumes per call (payload only, before packet overhead) is:
• GSM: 13 kbit/s;
• iLBC: 15 kbit/s;
• Speex: configurable, 4-48 kbit/s;
• G.726: 32 kbit/s;
• LPC10: 2.5 kbit/s (not recommended);
• G.711 ulaw: 64 kbit/s;
• G.711 alaw: 64 kbit/s, used in Europe;
• G.729: 8 kbit/s. A licence, bought from the Digium website, may be needed to place calls with this codec.
Figure 5.48: Telephony - ISDN BRI options
If this codec is enabled, a link called Licence Activation appears; with a valid key a G729 licence is generated. See Figure 5.50 and Figure 5.51. Naturally, the more bandwidth a codec requires, the fewer simultaneous calls a link can carry. On top of the figures above, allow on average a further 15 kbit/s of packet overhead per call, whichever codec is selected.

IP PBX remote managers

This option allows other programs, normally running on LAN servers, to connect to Asterisk: a mail plugin that originates calls, external Asterisk monitoring tools, a call-centre application that generates calls, and so on. By default IP PBX remote management is disabled. To enable it click Modify and then Insert IP PBX remote manager (Figure 5.52). Configuration options:
• Login: the login name to use;
• Password;
• Network: the network range or specific IP address that will be granted access;
• Network mask.
An example is shown in Figure 5.53. Whatever connects here can originate calls through the PBX, so grant access to the single host that needs it (a host mask) rather than a whole network, and give each program its own login and password.
Figure 5.49: Telephony - Configurations - Codecs
Figure 5.50: Telephony - Configurations - Codecs with g729
Figure 5.51: Telephony - Configurations - g729 licence

VoIP domain alias

The VoIP server accepts calls not only for the main domain but for additional domains too. To add domains click Modify and enter them one per line (example in Figure 5.54).

Functions available for phones

Call transfer

Besides the transfers performed by the terminal equipment itself (SIP telephones, PBXs or softphones), IPBrick can transfer calls from any telephone, even one that does not support transfers on its own. The two types of transfer IPBrick allows are:
• Attended transfer: the person receiving a call dials an extension, asks the person at that extension whether they accept the call, hangs up and the call is transferred.
To perform an attended transfer during a call, dial * (by default) followed by the name of the extension or its alternative address. Example: to transfer a call to a telephone registered as ipbrick1, whose alternative address is extension 480, dial *480 during the conversation.
• Unattended (blind) transfer: the person receiving the call dials an extension and the call is transferred to it immediately. Dial # (by default) followed by the extension name or alternative address. Example: #480 transfers blind to the telephone above.
To cancel a transfer, dial the same sequence again. Example: you wanted to transfer a call to extension 481 but dialled *482; dial *482 again to recover the call, then *481 to transfer it to the correct extension.
Figure 5.52: Telephony - IP PBX remote managers

Call capture

To pick up a call ringing on another extension, dial *8 followed by the name the telephone was registered with, or the name of the group of telephones that is ringing.

5.6.4 Interfaces

IPBrick can create interfaces other than PBX and PSTN (Figure 5.55), such as GSM or FAX interfaces. They are created in: Advanced Configurations - Telephony - Interfaces. The insert menu (Figure 5.56) has these fields:
• Interface Name;
• Interface Type: the type of IPBrick card the interface is associated with;
• SIP Peering: Open Peer lets any incoming call from the Internet use this interface; Closed Peer allows only the peers defined under SIP Peers. Closed Peer is the right choice for an interface that reaches the PSTN or GSM, because an open one lets any caller on the Internet place outbound calls through your lines at your expense.
Figure 5.53: Telephony - IP PBX remote managers - Configuration
Peers are the IP addresses of the machines authorised to use a given interface, for instance another IPBrick; they are entered in the menu: Advanced Configurations - Telephony - SIP Peers
• Receive gain: receive gain in dB. Useful to raise on a PSTN interface when the IPBrick side hears the call too quietly;
• Transmission gain: transmission gain in dB. Useful to raise on a PSTN interface when the PSTN side hears the call too quietly.
This operation is necessary to connect a fax to a card port, a GSM gateway, or any other additional interface. For a GSM gateway, add a GSM interface here (GSM as the interface name), choose the card type (analog, PRI or BRI) as the Interface Type and Closed Peer as the SIP Peering.
Figure 5.54: Telephony - VoIP domain alias

5.6.5 SIP peers

Here you add the IP addresses of known remote gateways that may use the interfaces defined as Closed Peer on this IPBrick. For instance, two IPBricks are connected to each other through the Internet and one of them is connected to the PSTN; for the remote IPBrick to use the PSTN interface, add the remote IPBrick's IP address to this list by clicking Modify. Example in Figure 5.57. Since authorisation is by source address alone, list only fixed addresses that you control.

5.6.6 IAX peers

Clicking Insert defines the IAX servers authorised to forward calls through this IPBrick; IPBrick accepts inbound routes from the servers in this list. Example in Figure 5.58.
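The Master.csv produced by the "Store calls details records in csv file" option of section 5.6.3 is the record an administrator would read after the toll-fraud scenarios mentioned above (an open PSTN or GSM interface, a guessed phone or manager password). The following is an added example, not IPBrick or Asterisk code: it parses the default Asterisk cdr_csv layout and flags international calls started outside office hours and unusually long billable calls. Assumptions: the standard column order (accountcode, src, dst, dcontext, clid, channel, dstchannel, lastapp, lastdata, start, answer, end, duration, billsec, disposition, amaflags, with uniqueid and userfield as optional trailing columns), an international destination dialled with 00 or +, and illustrative thresholds. The records in SAMPLE_CSV are constructed.

```python
"""Triage of an Asterisk Master.csv (cdr_csv format) for toll-fraud indicators."""
import csv
import io
from collections import Counter
from datetime import datetime

# Default cdr_csv column order (strings are quoted, integers are bare).
CDR_FIELDS = ["accountcode", "src", "dst", "dcontext", "clid", "channel",
              "dstchannel", "lastapp", "lastdata", "start", "answer", "end",
              "duration", "billsec", "disposition", "amaflags"]

# Constructed sample: an internal call, a daytime national call, and two
# night-time calls to an international prefix from the same extension.
SAMPLE_CSV = (
    '"","100","480","from-internal","""Ana"" <100>","SIP/ipbrick1-00000001",'
    '"SIP/ipbrick2-00000002","Dial","SIP/ipbrick2","2008-08-12 10:15:03",'
    '"2008-08-12 10:15:10","2008-08-12 10:20:10",307,300,"ANSWERED",'
    '"DOCUMENTATION","1218536103.1",""\n'
    '"","101","212345678","from-internal","""Rui"" <101>","SIP/ipbrick3-00000003",'
    '"Zap/1-1","Dial","Zap/g0/212345678","2008-08-12 11:00:00",'
    '"2008-08-12 11:00:05","2008-08-12 11:02:05",125,120,"ANSWERED",'
    '"DOCUMENTATION","1218538800.2",""\n'
    '"","101","0022512345678","from-internal","""Rui"" <101>","SIP/ipbrick3-00000004",'
    '"Zap/2-1","Dial","Zap/g0/0022512345678","2008-08-13 02:40:11",'
    '"2008-08-13 02:40:20","2008-08-13 03:55:20",4509,4500,"ANSWERED",'
    '"DOCUMENTATION","1218595211.3",""\n'
    '"","101","0022512345679","from-internal","""Rui"" <101>","SIP/ipbrick3-00000005",'
    '"Zap/3-1","Dial","Zap/g0/0022512345679","2008-08-13 03:57:00","",'
    '"2008-08-13 03:57:40",40,0,"NO ANSWER","DOCUMENTATION","1218596220.4",""\n'
)


def parse_cdrs(text):
    """Parse cdr_csv text into dicts; start, duration and billsec are typed."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        rec = dict(zip(CDR_FIELDS, row[:len(CDR_FIELDS)]))
        if len(row) > 16:          # optional columns when loguniqueid/loguserfield are on
            rec["uniqueid"] = row[16]
        if len(row) > 17:
            rec["userfield"] = row[17]
        rec["start_dt"] = datetime.strptime(rec["start"], "%Y-%m-%d %H:%M:%S")
        rec["duration"] = int(rec["duration"])
        rec["billsec"] = int(rec["billsec"])
        records.append(rec)
    return records


def is_international(dst):
    """Assumed dialling convention: international numbers start with 00 or +."""
    return dst.startswith("00") or dst.startswith("+")


def flag_suspicious(records, office_hours=(8, 19), long_call_sec=3600):
    """Return (alerts, international calls per source extension).

    An alert is (uniqueid, src, dst, [reasons]). Reasons: an international
    call whose start hour lies outside [office_hours[0], office_hours[1]),
    and a billable duration of long_call_sec or more.
    """
    alerts = []
    intl_per_src = Counter()
    for r in records:
        reasons = []
        if is_international(r["dst"]):
            intl_per_src[r["src"]] += 1
            if not office_hours[0] <= r["start_dt"].hour < office_hours[1]:
                reasons.append("international call outside office hours")
        if r["billsec"] >= long_call_sec:
            reasons.append("billable time of %d s or more" % long_call_sec)
        if reasons:
            alerts.append((r.get("uniqueid", r["start"]), r["src"], r["dst"], reasons))
    return alerts, intl_per_src


if __name__ == "__main__":
    found, per_src = flag_suspicious(parse_cdrs(SAMPLE_CSV))
    for uid, src, dst, why in found:
        print(uid, src, "->", dst, "; ".join(why))
    print("international calls per source:", dict(per_src))
```

Run it against a real Master.csv by replacing SAMPLE_CSV with the file contents; the per-source counter is the quickest way to spot a single compromised extension, and the office-hours and duration thresholds should be tuned to the site.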
Figure 5.55: Telephony - Interfaces
Figure 5.56: Telephony - Interface insertion
Figure 5.57: Telephony - SIP peers
Figure 5.58: Telephony - IAX Peers

Chapter 6 Apply Configurations

The Apply Configurations option makes the settings entered in IPBrick effective on the system. In other words, any configuration change only takes effect after the IPBrick administrator clicks Apply Configurations.
Figure 6.1: Apply Configurations

Chapter 7 Appendix A - Join in the domain

This section describes:
• configuring a workstation with DHCP;
• joining a workstation to a domain.
The description assumes that:
• the domain controller is IPBrick.I;
• the DNS domain is empresa.pt;
• the domain is EMPRESA.
To join a workstation to a domain you need to:
1. know the MAC address of the machine's network interface card;
2. choose a machine name;
3. have an IP address for the machine;
4. create an entry for the machine in IPBrick.I;
5. update IPBrick.I.

7.1 Windows XP Professional Workstation

⇒ Note: before joining a machine to the domain you must know the username and password of a user who is an administrator on the XP machine. Then proceed as follows:
1. Press [windows];
2. Select My Network Places;
3. Select Network Connections;
4.
Right-click the Local Area Connection icon and select Properties;
5. Choose Internet Protocol (TCP/IP) in the window that opens and click Properties;
6. Choose Obtain an IP address automatically and then Obtain DNS server address automatically;
7. Close the network properties windows.
Next, confirm that the machine's IP address is the one entered in IPBrick.I:
1. Press [windows]+[R];
2. cmd [ENTER];
3. ipconfig /all;
4. Check the IP Address field.
If the address is not the one entered in IPBrick, release it and renew it:
1. Press [windows]+[R];
2. cmd [ENTER];
3. ipconfig /release;
4. ipconfig /renew;
5. ipconfig /all.
Once the machine's IP address is right, join it to the domain EMPRESA:
1. Press [windows]+[pause] to open System Properties;
2. Select Computer Name, click Change... and give the computer its name (the name must already have been created in IPBrick.I);
3. Press More... and enter the machine's DNS domain: empresa.pt. Do not select the option Change primary DNS suffix when domain membership changes;
4. Enter EMPRESA as the domain. The password for the domain EMPRESA or for the machine administrator may be requested;
5. Click OK and close System Properties;
6. Restart the machine. While it is starting you can already log in to the domain EMPRESA.
⇒ Note: the workstation does not have to use DHCP; it can be configured with a fixed IP address. In that case you do not need to fill in the MAC Address field when registering the machine in IPBrick.
Chapter 8 Appendix B - Configuring a VPN connection

To create a VPN (PPTP) connection on a Windows XP Professional workstation:
1. Press [windows];
2. Select Control Panel;
3. Double-click Network Connections;
4. In the Network Connections window select Create a New Connection;
5. The new connection wizard appears. Select Connect to the network at my workplace (the VPN option) and then Virtual Private Network connection. Give the connection a name, for example Enterprise connection, then enter the IP address or the full host name by which IPBrick is known on the Internet, and finally choose who may use the connection.
The VPN connection is now configured. To establish the VPN, enter the user name and password registered in IPBrick; IPBrick acts as the PPTP VPN server. Bear in mind that PPTP's MS-CHAPv2 authentication and MPPE encryption are regarded as weak; where possible prefer the OpenVPN (SSL) connection described in Appendix C.

Chapter 9 Appendix C - Configuration of a VPN SSL connection (Open VPN)

To create an OpenVPN connection on a Windows XP Professional workstation, install the OpenVPN GUI software:
• Open VPN: the open-source VPN package;
• Open VPN GUI: the graphical interface for OpenVPN.
Install the package without changing the default settings; the software goes into the directory C:\Program Files\OpenVPN. The archive with the certificate generated by IPBrick must be unpacked into C:\Program Files\OpenVPN\config. To start a VPN connection, right-click the OpenVPN icon in the system tray, choose the intended connection and press Connect. Enter the password set when the certificate was created in IPBrick and the VPN is established. That archive contains the client's private key, so treat it as a credential, not as a configuration file.
9.1 Two or more SSL certificates

To install more than one certificate on the same workstation (VPN connections to different sites), create a new folder inside C:\Program Files\OpenVPN\config and extract all the files of the additional certificate into it. To start the connection, right-click the OpenVPN icon in the tray, choose the connection from the list and press Connect.

9.2 Configuration of a SSL Connection for Windows Vista

1. Download the latest version (Windows Installer file) from http://openvpn.net/index.php/downloads.html. Example: openvpn-2.1_rc7-install.exe;
2. Install OpenVPN;
3. Extract the zip file into the OpenVPN config folder. Example: c:\Programas\OpenVPN\config;
4. Run c:\Programas\OpenVPN\bin\openvpn-gui.exe as Administrator;
5. In the Windows Vista tray, click the OpenVPN icon and connect.
NOTE: if the connection does not work, edit the *.ovpn file in c:\Programas\OpenVPN\config and add the following lines at the end:
route-method exe
route-delay 2

Chapter 10 Appendix D - Backup Service - Arkeia

Arkeia is a full-featured backup service. This option opens the Arkeia configuration interface, the backup management software installed in IPBrick by default. After selecting the option and clicking Open, a VNC session window opens; the Java Runtime Environment (JRE), available from http://sun.java.com/, must be installed to run the connection. Authentication in this session uses the IPBrick administrator's current password, and the Arkeia management interface is available after validation. Arkeia is not included in IPBrick 5.0: download update 2 from the downloads section of the IPBrick website.
To start the Arkeia configuration software, log in with the default credentials: login root, password empty (no password). Set a password for this account right after the first login: the default is public and the account controls every backup and restore.
Once the connection to the server succeeds the following menus are displayed (Figure 10.1):
• Backup: defines, configures and launches Arkeia backups, including savepacks;
• Restoration: defines, configures and launches Arkeia restores;
• Hardware: defines and configures the hardware (drives, tapes, libraries) attached to the server;
• Running jobs: displays the running processes;
• Administration: Arkeia configuration functions;
• Logs: displays the logs generated by Arkeia.
Figure 10.1: Backup - Arkeia - Main Menu
Arkeia's menus are easy to use: each menu opens sub-menus with further options, and the icon of every menu you enter appears in the upper bar; click an icon to go back to that menu. To manage Arkeia's running processes, select the Running Jobs menu (Figure 10.2), then select the request line to give that job priority (Figure 10.3). This menu shows the backup processes, which can have one of two statuses:
• the process is pending confirmation, i.e. you have to click OK (the user is prompted to replace the tape);
• the jobs are waiting for the remaining processes to finish.
If backup administration runs normally, with the administrator intervening daily, there is only one running process per day. After a power failure all these processes are discarded.
10.1 Advanced Administration

• Add users (Administration → Users, Figure 10.4)
Figure 10.2: Backup - Arkeia - Running Jobs
Figure 10.3: Backup - Arkeia - Backups confirmation
Arkeia sends e-mail messages reporting events such as the need to insert a tape or the details of a backup run. Create a user with an Administrator role who receives these messages, so that you can check that the procedures completed correctly.
Figure 10.4: Backup - Arkeia - Add Users
1. Insert: (a) Name; (b) Role; (c) Email address.
• SavePacks (Backup → SavePacks)
This is an essential feature of Arkeia. A savepack is the set of paths and files included in a backup.
1. Create a SavePack (usually named Data);
2. Add the directories to include in the backup (name of SavePack → Browse Trees, Figure 10.5):
– /boot
– /etc
– /homeX (where 1 ≤ X ≤ number of homes)
– /opt/ipbox/backupDB
– /var/lib/ldap
– /var/lib/mysql
– /var/lib/postgres
– /var/lib/postgres2
– /var/lib/samba
– sysinfo
Figure 10.5: Backup - Arkeia - Directories to save
This set includes the LDAP directory with the user database, the Samba data and the database stores, so the backup media are as sensitive as the server itself and must be stored and handled accordingly.
• Configure the backups (Backup → Periodic, Figure 10.6)
Figure 10.6: Backup - Arkeia - Levels
1. Create a new Periodic Backup;
2.
Create 3 levels:
(a) Level 1 - Archive;
(b) Level 2 - Weekly;
(c) Level 3 - Daily.
• For each level select the SavePack and the DrivePack to use, and:
Level    Pool     Type          Valid for
Level 1  Archive  Total Backup  2 years
Level 2  Weekly   Total Backup  8 weeks
Level 3  Daily    Incremental   4 weeks
The available backup types are:
– Archive: saves the savepack data and keeps it indefinitely (requires an additional licence);
– Total: saves all the savepack data and keeps it for the period set in Valid For;
– Differential: saves only the files modified since the last Total backup;
– Incremental: the most complex type. It builds a list of the files modified since the last backup of any type (Total or Incremental) and backs up the files in that list.
Restoring from the daily level therefore needs the last weekly Total plus every Incremental taken since it; one unreadable tape in that sequence breaks the chain.
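The difference between the Total, Differential and Incremental types above, and the restore chain each produces, is easier to see on a concrete file set. The following is an added example, not Arkeia code: it models the three rules on constructed file modification times and a constructed schedule (a weekly Total followed by daily Incrementals, as in the Level 2 and Level 3 rows), and lists which earlier backups a restore would have to read. The paths and times are illustrative.

```python
"""Model of the Total / Differential / Incremental rules and the restore chain."""
from datetime import datetime

T = datetime  # short alias for the constructed timestamps


def select_files(files, backup_type, history):
    """Paths a backup of backup_type copies.

    files   : {path: last modification time}
    history : [(time, type)] of earlier backups, oldest first
    Total copies everything; Differential copies what changed since the last
    Total; Incremental copies what changed since the last backup of any type.
    """
    if backup_type == "Total":
        return sorted(files)
    if backup_type == "Differential":
        ref = max(t for t, kind in history if kind == "Total")
    elif backup_type == "Incremental":
        ref = max(t for t, kind in history)
    else:
        raise ValueError("unknown backup type %r" % backup_type)
    return sorted(path for path, mtime in files.items() if mtime > ref)


def restore_chain(history, restore_point):
    """Backups, oldest first, that a restore to restore_point has to read.

    The chain restarts at every Total; a Differential replaces whatever came
    after the Total; every Incremental is one more link that must be readable.
    """
    past = [(t, kind) for t, kind in history if t <= restore_point]
    if not any(kind == "Total" for _, kind in past):
        raise ValueError("no Total backup before the restore point")
    chain = []
    for t, kind in past:
        if kind == "Total":
            chain = [(t, kind)]
        elif kind == "Differential":
            chain = [chain[0], (t, kind)]
        elif kind == "Incremental":
            chain.append((t, kind))
    return chain


# Constructed savepack state (modification times) and backup schedule.
FILES = {
    "/etc/passwd": T(2008, 8, 11, 1, 0),
    "/home1/ana/report.odt": T(2008, 8, 12, 9, 30),
    "/var/lib/ldap/ipbrick.db": T(2008, 8, 13, 9, 0),
}
HISTORY = [
    (T(2008, 8, 11, 22, 0), "Total"),        # Level 2, weekly
    (T(2008, 8, 12, 22, 0), "Incremental"),  # Level 3, daily
]


def demo():
    """Wednesday's Incremental versus a Differential taken at the same time,
    and the chain a restore on Thursday morning needs after one more daily run."""
    tonight_inc = select_files(FILES, "Incremental", HISTORY)
    tonight_diff = select_files(FILES, "Differential", HISTORY)
    chain = restore_chain(HISTORY + [(T(2008, 8, 13, 22, 0), "Incremental")],
                          T(2008, 8, 14, 8, 0))
    return tonight_inc, tonight_diff, [kind for _, kind in chain]


if __name__ == "__main__":
    inc, diff, chain = demo()
    print("incremental copies :", inc)
    print("differential copies:", diff)
    print("restore reads      :", chain)
```

The Incremental copies only the file changed since Tuesday night, the Differential copies everything changed since Monday's Total, and the restore chain grows by one link per day until the next Total resets it, which is the trade-off behind the 4-week daily level and the 8-week weekly level.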