Overview

External Server Mode allows the Firewall Traversal system to accept connections from Remote Clients. It can also accept a connection from a system running in Internal Client Mode (the Internal Server), which connects out to it from the protected network.

  1. Choose Network > Firewall Traversal.
  2. Select the External Server radio button to activate the External Server Mode configuration fields.

  3. Configure settings using the information in the following table as a guide. Click Submit to save your settings.

    Firewall Traversal - External Server Parameters

    Item    Description

    Traversal Network

    Configure the subnet that the system uses for its internal tunnel interfaces and for Remote Clients. Every Remote Client that connects to this system is assigned an IP address from this pool.

    Traversal Network Subnet

    Enter the network address of the subnet that the system uses for all clients connecting remotely. Each client connecting through the tunnel gets an IP address from this subnet. This subnet must be identical to the Traversal Network configured on the Internal Server, and it must not overlap the protected LAN that clients are routed into.

    Refer to Configuring Internal Client Mode Settings.

    Traversal Network Mask (bits)

    Enter the number of bits in the subnet mask. The subnet must be large enough for all clients that will connect to the server plus any addresses reserved for add-on hardware.

    Reserve Static Addresses

    Select the Reserve Static Addresses check-box to reserve available static IP addresses for add-on hardware.

    Number of Addresses to Reserve

    Enter the number of addresses to reserve.

    Remote Clients

    Enable Server for Remote Clients

    Select the Enable Server for Remote Clients check-box to allow remote clients to connect to this server.

    Server Listening Port

    Enter the port number on which the server listens for Remote Client connections. Default is 1194. Any firewall in front of the External Server must allow inbound traffic to this port.

    Bridge to LAN

    Configures remote bridging to the system LAN.

    Bridge to LAN

    Select the Bridge to LAN check-box if you want clients to be bridged onto the protected LAN. Bridged clients appear on the same Ethernet segment as the LAN and obtain their addresses from a DHCP server on that segment. If the check-box is not selected, client traffic is instead routed to the internal LAN or to the Internal Client.

    Internal Client fields are disabled when Bridge to LAN is enabled.

    Transport Protocol

    Choose the Transport Protocol type by selecting either the IPv4 or IPv6 clients radio button:

    IPv4—Configures the server to listen for IPv4 clients.
    IPv6—Configures the server to listen for IPv6 clients.

    Internal Client

    If an Internal Client is configured, use these fields to configure the server side of the Internal Client connection. If no Internal Client is enabled, all traffic is routed to the directly attached internal network, or bridged to it if Bridge to LAN is enabled. Refer to Configuring Internal Client Mode Settings.

    Enable Server for Internal Client

    Select the Enable Server for Internal Client checkbox to enable the Internal Client to connect to this server.

    Server Listening Port

    Enter the port number on which the server listens for the Internal Client connection; the Internal Client must be configured to connect to this port.

    Certificates

    In the Certificates field, select the certificates to use for the Firewall Traversal server. The server and all clients must have certificates signed by the same Certificate Authority (CA) to be able to connect.

    Tip: To configure certificates, click the Certificates link provided or choose Security > Certificates and refer to Managing Certificates.

    CA Certificate

    Selects the CA Certificate to use for the server. Choose the Default certificate or a certificate created for this purpose.

    Server Certificate

    Selects the Server Certificate to use for the server. Choose the Default certificate or a certificate created for this purpose.

    Cipher

    Choose the cipher to use for encrypted tunneled data from the Cipher drop-down list. All systems connecting together must use the same cipher.

    Cipher

    Choose the tunnel encryption cipher:

    Blowfish—Lower resource usage. Blowfish has a 64-bit block size, so a long-lived tunnel that carries a large volume of traffic becomes exposed to block-collision (birthday) attacks on the encrypted data; choose it only where CPU load rules out AES-256.

    AES-256—Higher security with higher resource usage. Recommended.

    Static Key

    Secures the tunnel from the Internal Client to the External Server. A Static Key must be generated when using Firewall Traversal. The new key is generated on the External Server and copied to the Internal Server.

    See Configuring the Static Key.

    Diffie-Hellman Parameters

    Sets Diffie-Hellman (DH) parameters.

    Default DH parameters should be replaced when using Firewall Traversal in production systems. Creating DH parameters is CPU intensive. See Configuring Diffie-Hellman Parameters.
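The Traversal Network rows above define the pool that Remote Clients draw addresses from. As an added example, not part of this documentation or the product's own software, the following Python checks a candidate Traversal Network Subnet and Mask the way a practitioner would before entering them: it confirms the value is a network address rather than a host address, counts the addresses left for clients once the network, broadcast, server and reserved static addresses are taken out (that address budget is an assumption; the product may account for its own address differently), proposes a shorter prefix when the expected client count does not fit, and flags overlap with the protected LAN, which breaks routed (non-bridged) clients. The function names `plan_traversal_network` and `smallest_mask_for` are chosen here.

```python
import ipaddress
import math

# Assumed address budget inside the pool: the External Server takes one tunnel address
# in addition to the network and broadcast addresses. Adjust if the product differs.
SERVER_ADDRESSES = 1


def smallest_mask_for(addresses_needed):
    """Smallest IPv4 prefix length whose block holds at least addresses_needed addresses."""
    return 32 - max(0, math.ceil(math.log2(addresses_needed)))


def plan_traversal_network(subnet, mask_bits, reserve_static=0,
                           expected_clients=0, lan_subnets=()):
    """Check a Traversal Network Subnet / Mask pair before entering it in the form.

    Returns the usable client address count and a list of problems (empty when ok).
    """
    net = ipaddress.ip_network(f"{subnet}/{mask_bits}", strict=False)
    if net.version != 4:
        raise ValueError("this planner models IPv4 traversal networks only")
    problems = []

    # The form wants the network address itself, not a host inside it.
    if ipaddress.ip_address(subnet) != net.network_address:
        problems.append(f"{subnet} is not the network address of {net}; "
                        f"enter {net.network_address}")

    # Network, broadcast, the server's own address and the reserved static block
    # are all unavailable to Remote Clients.
    overhead = 2 + SERVER_ADDRESSES + reserve_static
    usable = max(0, net.num_addresses - overhead)
    if expected_clients > usable:
        suggested = smallest_mask_for(expected_clients + overhead)
        problems.append(f"/{mask_bits} leaves {usable} client addresses but "
                        f"{expected_clients} are expected; use /{suggested} or a shorter prefix")

    # Routed (non-bridged) clients are forwarded into the LAN, so the pool must not
    # collide with any LAN subnet or return traffic has nowhere to go.
    for lan in lan_subnets:
        lan_net = ipaddress.ip_network(lan, strict=False)
        if net.overlaps(lan_net):
            problems.append(f"{net} overlaps the protected LAN {lan_net}")

    return {"network": str(net), "usable_client_addresses": usable,
            "problems": problems, "ok": not problems}


if __name__ == "__main__":
    # Constructed sample input: a /24 pool, four reserved addresses, 100 expected clients.
    result = plan_traversal_network("10.8.0.0", 24, reserve_static=4,
                                    expected_clients=100, lan_subnets=["192.168.1.0/24"])
    print(result)
```

Run the same check against the Internal Server's configuration as well: the page requires both sides to use the same Traversal Network, so the two results should agree.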

Configuring the Static Key

The Static Key secures the tunnel from the Internal Client to the External Server. The system ships with a default key, but that key is not unique to your system, so anyone who knows it could attempt to connect to your External Server; create a new Static Key when setting up VoIP Traversal. A Static Key is generated on the External Server and copied to the Internal Server.

  1. Choose Network > Firewall Traversal.
  2. Select an operating mode:
    • Internal Client
    • External Server
    Configuration fields for the selected operating mode become active.
  3. Scroll to Static Key.

  4. Add a static key file:

    • Browse—Locate a key file on your system, or choose a file from the Choose File drop-down list, then click Add Key File.

    • Generate New —Generates a new static key. The old static key is overwritten.

      1. Click Generate New.

      2. Follow system prompts and return to the Firewall Traversal - External Server page.

      3. The system prompts you to download your new key file: “The current static key was generated at Mon Aug 26 21:13:07 2013 (Download key)”

      4. Follow system prompts to open or save the generated key.

    • Restore Default—Restores the default static key to the system.

    • Delete Key—Deletes the static key on the system.
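The procedure above generates the key on the External Server and has you copy the downloaded file to the Internal Server. As an added example, not the product's own code, here is a Python helper for the two checks worth making on that copy: that the file is a complete key of the expected length and not a truncated or placeholder file, and that both sides hold byte-for-byte the same key, compared by fingerprint rather than by eye. It assumes the downloaded file uses OpenVPN's static key V1 text format (a header line, 2048 bits of hex, a footer line); the page does not name the tunnel software, so adjust HEADER, FOOTER and KEY_BITS if your download differs. A generator in the same format is included only so the example runs offline; on the appliance you use Generate New.

```python
import hashlib
import hmac
import re
import secrets

# Assumed file layout (OpenVPN static key V1); adjust if the product's download differs.
KEY_BITS = 2048
HEX_CHARS_PER_LINE = 32
HEADER = "-----BEGIN OpenVPN Static key V1-----"
FOOTER = "-----END OpenVPN Static key V1-----"


def generate_static_key(rng=secrets.token_bytes):
    """Return the text of a fresh KEY_BITS static key (rng is injectable for tests)."""
    hexstr = rng(KEY_BITS // 8).hex()
    lines = [hexstr[i:i + HEX_CHARS_PER_LINE]
             for i in range(0, len(hexstr), HEX_CHARS_PER_LINE)]
    return "\n".join(["#", f"# {KEY_BITS} bit static key", "#", HEADER, *lines, FOOTER]) + "\n"


def parse_static_key(text):
    """Return the raw key bytes, or raise ValueError if the file is not a complete key."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("#")]  # drop comments and blanks
    if len(lines) < 3 or lines[0] != HEADER or lines[-1] != FOOTER:
        raise ValueError("missing or unrecognised static key header/footer")
    hexstr = "".join(lines[1:-1])
    if not re.fullmatch(r"[0-9a-fA-F]+", hexstr):
        raise ValueError("key body contains non-hexadecimal data")
    raw = bytes.fromhex(hexstr)
    if len(raw) * 8 != KEY_BITS:
        raise ValueError(f"expected a {KEY_BITS}-bit key, found {len(raw) * 8} bits (truncated copy?)")
    # Heuristic sanity check: 256 random bytes show well over 100 distinct values,
    # so a placeholder or zero-filled file is caught here rather than at connect time.
    if len(set(raw)) < 64:
        raise ValueError("key material is not random-looking; regenerate it")
    return raw


def key_fingerprint(text):
    """Short SHA-256 fingerprint of the key, safe to read out or paste into a ticket."""
    return hashlib.sha256(parse_static_key(text)).hexdigest()[:16]


def keys_match(server_copy, client_copy):
    """True when the External Server and Internal Server hold the identical key."""
    return hmac.compare_digest(parse_static_key(server_copy), parse_static_key(client_copy))


if __name__ == "__main__":
    key = generate_static_key()  # stands in for the file downloaded from the External Server
    print(f"fingerprint {key_fingerprint(key)}; matches own copy: {keys_match(key, key)}")
```

Compute the fingerprint on both systems after copying; if they differ, the copy was altered in transit (line endings or a truncated paste are the usual causes) and the tunnel will not come up.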

Configuring Diffie-Hellman Parameters

Diffie-Hellman (DH) Parameters are used for VoIP Traversal tunnels. The system ships with default DH parameters, but those parameters are not unique to your system, and an attacker can prepare precomputation against a known DH group in advance; generate new DH parameters when setting up Firewall Traversal.

Note

Creating DH Parameters is CPU intensive and can take a long time. During creation the system may be fully loaded for several minutes, so do not do this while the system is in service.

  1. Choose Network > Firewall Traversal.
  2. Select the External Server radio button to activate configuration fields.
  3. Scroll to Diffie-Hellman Parameters.

  4. Choose an action:

    • Generate New—Click to generate new DH Parameters. The old DH Parameters are overwritten. Once created, the DH Parameters do not need to be changed.

      The following message is displayed: “WARNING: Creating Diffie-Hellman Parameters requires a lot of CPU resources and should not be done while the system is in service. This will take quite some time.”

      Click OK to accept.

    • Restore Default—This button restores the default DH Parameters to the system.