Manual Referenciav5.3 EN

Uploaded by

Mahmoud Ahmed

IPBRICK

Reference Guide
Version 5.3

IPBRICK International

August 2013

Copyright © IPBRICK International
All rights reserved. August 2013.
The information in this manual is subject to change without prior notice. The
explanations, technical data, configurations and recommendations presented are
accurate and reliable. Nevertheless, they carry no express or implied guarantee.

Reference Guide - Version 5.3 IPBRICK International


Contents

1 Aim of this document 19

2 Before Starting 21

3 IPBrick.I 25
3.1 Machine Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
3.2 Machine Management . . . . . . . . . . . . . . . . . . . . . . . . . 26
3.2.1 Mass Operations . . . . . . . . . . . . . . . . . . . . . . . . 29
3.3 User Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
3.4 Users Management . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
3.4.1 Mass Operations . . . . . . . . . . . . . . . . . . . . . . . . 37
3.4.2 XML-RPC management . . . . . . . . . . . . . . . . . . . . 39
3.4.3 User Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
3.5 Domain Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
3.5.1 Configure . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
3.5.2 Users Management . . . . . . . . . . . . . . . . . . . . . . . 47
3.6 File Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
3.6.1 Individual Work Areas . . . . . . . . . . . . . . . . . . . . . 48
3.6.2 Group Work Areas . . . . . . . . . . . . . . . . . . . . . . . 50
3.6.3 Kaspersky . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
3.7 E-Mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
3.7.1 Configure . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
3.7.2 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
3.7.3 Queue Management . . . . . . . . . . . . . . . . . . . . . . . 63
3.7.4 Users management . . . . . . . . . . . . . . . . . . . . . . . 65
3.7.5 Mailing Lists . . . . . . . . . . . . . . . . . . . . . . . . . . 67
3.7.6 Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
3.7.7 Anti-Virus . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
3.7.8 Anti-Spam . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
3.8 Print Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
3.9 Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
3.9.1 Remote . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
3.10 Terminal Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
3.10.1 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 86
3.10.2 Client configuration . . . . . . . . . . . . . . . . . . . . . . . 90


4 IPBrick.C 93
4.1 Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
4.1.1 Available Services . . . . . . . . . . . . . . . . . . . . . . . . 94
4.1.2 Block Services . . . . . . . . . . . . . . . . . . . . . . . . . . 95
4.2 Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
4.2.1 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 96
4.2.2 Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
4.2.3 Kaspersky Proxy . . . . . . . . . . . . . . . . . . . . . . . . 106
4.2.4 Auto Discovery . . . . . . . . . . . . . . . . . . . . . . . . . 109
4.3 VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
4.3.1 PPTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
4.3.2 SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
4.3.3 IPSec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
4.3.4 GRE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
4.3.5 VPC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
4.4 E-mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
4.4.1 Advanced relay . . . . . . . . . . . . . . . . . . . . . . . . . 125
4.4.2 Get Mail from ISP . . . . . . . . . . . . . . . . . . . . . . . 125
4.4.3 Mail Copy . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
4.5 SMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
4.5.1 Configure . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
4.5.2 Routes Management . . . . . . . . . . . . . . . . . . . . . . 129
4.5.3 Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
4.5.4 Sending a SMS . . . . . . . . . . . . . . . . . . . . . . . . . 132
4.6 Web Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
4.6.1 Creating a new site . . . . . . . . . . . . . . . . . . . . . . . 134
4.6.2 Management . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
4.7 Webmail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
4.8 FTP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
4.8.1 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
4.8.2 Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
4.9 VoIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
4.9.1 Phone management . . . . . . . . . . . . . . . . . . . . . . . 150
4.9.2 Users Management . . . . . . . . . . . . . . . . . . . . . . . 151
4.9.3 Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
4.9.4 Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
4.9.5 Routes Management . . . . . . . . . . . . . . . . . . . . . . 187
4.9.6 Music on Hold . . . . . . . . . . . . . . . . . . . . . . . . . . 196
4.9.7 Voice Prompts . . . . . . . . . . . . . . . . . . . . . . . . . 196
4.9.8 Dialplan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
4.10 IM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
4.10.1 Activating / Deactivating the IM server . . . . . . . . . . . 201


5 IPBrick.GT 203
5.1 Fax Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
5.1.1 Fax2Mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
5.1.2 Mail2Fax . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
5.1.3 Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
5.1.4 Routes Management . . . . . . . . . . . . . . . . . . . . . . 213

6 IPBrick.KAV 215

7 Advanced Configurations 217


7.1 IPBRICK . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
7.1.1 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
7.1.2 System Information . . . . . . . . . . . . . . . . . . . . . . . 219
7.1.3 Web Access . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
7.1.4 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . 223
7.1.5 High Availability . . . . . . . . . . . . . . . . . . . . . . . . 226
7.1.6 Update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
7.1.7 Remote Management . . . . . . . . . . . . . . . . . . . . . . 229
7.1.8 MyIPBrick Management . . . . . . . . . . . . . . . . . . . . 231
7.2 Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
7.2.1 Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
7.2.2 Route management . . . . . . . . . . . . . . . . . . . . . . . 236
7.2.3 QOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
7.2.4 Service Routing . . . . . . . . . . . . . . . . . . . . . . . . . 239
7.3 Support services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
7.3.1 LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
7.3.2 DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
7.3.3 DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
7.3.4 ENUM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
7.3.5 DUNDi . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
7.4 Disaster recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
7.4.1 Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . 265
7.4.2 Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
7.5 System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
7.5.1 Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
7.5.2 Task Manager . . . . . . . . . . . . . . . . . . . . . . . . . . 269
7.5.3 Date and Hour . . . . . . . . . . . . . . . . . . . . . . . . . 270
7.5.4 System users . . . . . . . . . . . . . . . . . . . . . . . . . . 271
7.5.5 Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
7.5.6 SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
7.5.7 Reboot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
7.5.8 Shutdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
7.6 Telephony . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
7.6.1 Cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
7.6.2 Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
7.6.3 Failover Switches . . . . . . . . . . . . . . . . . . . . . . . . 283
7.6.4 Registered Phones . . . . . . . . . . . . . . . . . . . . . . . 284


7.6.5 Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . 286


7.6.6 SIP peers . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
7.6.7 IAX peers . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
7.6.8 Auto provisioning . . . . . . . . . . . . . . . . . . . . . . . . 301

8 Apply Configurations 305

9 Appendix A - Join in the domain 307


9.1 Windows XP Professional Workstation . . . . . . . . . . . . . . . . 307

10 Appendix B - Configuring a VPN connection 311

11 Appendix C - Configuration of a VPN SSL connection (Open VPN) 313
11.1 Two or more SSL certificates . . . . . . . . . . . . . . . . . . . . . . 313
11.2 Configuration of a SSL Connection for MS Windows 2000/XP and
higher . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314

12 Appendix D - Backup Service - Arkeia 315


12.1 Advanced Administration . . . . . . . . . . . . . . . . . . . . . . . 318

13 Appendix E - High availability 321


13.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
13.1.1 Advantages . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
13.2 HA Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
13.3 HA Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322

14 Appendix F - UCoIP 325

15 Appendix G - MyIPBrick 329

16 Appendix H - Contacts 335


16.1 IPBrick Contacts . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
16.1.1 Administration Tab . . . . . . . . . . . . . . . . . . . . . . . 336
16.1.2 Auxiliary Data Tab . . . . . . . . . . . . . . . . . . . . . . . 341
16.1.3 Private Contacts Tab . . . . . . . . . . . . . . . . . . . . . . 343
16.1.4 Public Contacts Tab . . . . . . . . . . . . . . . . . . . . . . 343
16.2 Creating an Entity . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
16.3 Creating a Contact . . . . . . . . . . . . . . . . . . . . . . . . . . . 346

17 Appendix I - Security 349


17.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
17.1.1 Basic security threats . . . . . . . . . . . . . . . . . . . . . . 349
17.2 Security Policies Overview . . . . . . . . . . . . . . . . . . . . . . . 350
17.2.1 Master/Slave and Master/Client . . . . . . . . . . . . . . . . 351
17.3 Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
17.3.1 Remote phones cannot register. . . . . . . . . . . . . . . . . 351
17.3.2 Cannot make calls via a SIP route . . . . . . . . . . . . . . . 352


17.3.3 Cannot send FAX over IP . . . . . . . . . . . . . . . . . . . 352


17.4 Practical examples - Adding a Firewall Rule . . . . . . . . . . . . . 352
17.4.1 Firewall rule for an IP . . . . . . . . . . . . . . . . . . . . . 352
17.4.2 Firewall rule for a Network . . . . . . . . . . . . . . . . . . . 353



List of Figures

2.1 IPBrick login interface . . . . . . . . . . . . . . . . . . . . . . . . . 21


2.2 IPBrick main interface . . . . . . . . . . . . . . . . . . . . . . . . . 23

3.1 Machine Groups - List . . . . . . . . . . . . . . . . . . . . . . . . . 26


3.2 Machine Groups - Example . . . . . . . . . . . . . . . . . . . . . . 26
3.3 Machines Management - Machine registration . . . . . . . . . . . . 28
3.4 Machines Management - Options . . . . . . . . . . . . . . . . . . . 28
3.5 Machines Management - List . . . . . . . . . . . . . . . . . . . . . . 28
3.6 Machines Management - Search Window . . . . . . . . . . . . . . . 29
3.7 Machines Management - Search result . . . . . . . . . . . . . . . . . 29
3.8 Machine Management - Export . . . . . . . . . . . . . . . . . . . . 32
3.9 Machine Management - Mass Operations . . . . . . . . . . . . . . . 32
3.10 User Groups - Group creation . . . . . . . . . . . . . . . . . . . . . 33
3.11 User Groups - Groups List . . . . . . . . . . . . . . . . . . . . . . . 33
3.12 User Groups - Users . . . . . . . . . . . . . . . . . . . . . . . . . . 33
3.13 Users Management - Insert . . . . . . . . . . . . . . . . . . . . . . . 35
3.14 Users Management - Extra LDAP parameters . . . . . . . . . . . . 35
3.15 Users Management - List . . . . . . . . . . . . . . . . . . . . . . . . 36
3.16 Users Management - Operations . . . . . . . . . . . . . . . . . . . . 37
3.17 Users Management - Modify . . . . . . . . . . . . . . . . . . . . . . 37
3.18 Users Management - Password Policies . . . . . . . . . . . . . . . . 41
3.19 Users Management - User Policies - Modify . . . . . . . . . . . . . . 41
3.20 Users Management - Password Policies . . . . . . . . . . . . . . . . 42
3.21 Error Warning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
3.22 User Policies link . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
3.23 Error Warning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
3.24 Password Validity . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
3.25 Password Validity - NO . . . . . . . . . . . . . . . . . . . . . . . . . 44
3.26 Users List - User with no validity in his password . . . . . . . . . . 45
3.27 MyIPBrick Login Prompt . . . . . . . . . . . . . . . . . . . . . . . 46
3.28 Domain Server - Definitions . . . . . . . . . . . . . . . . . . . . . . 47
3.29 Domain server - Users Management . . . . . . . . . . . . . . . . . . 48
3.30 Work Areas - Summary . . . . . . . . . . . . . . . . . . . . . . . . . 48
3.31 Work Areas - List . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
3.32 Work Areas - Summary of Individual Areas . . . . . . . . . . . . . 49
3.33 Work Areas - List . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
3.34 Work Areas - Group - Insert with recycle bin . . . . . . . . . . . . . 50


3.35 Work Areas - Group - Insert without recycle bin . . . . . . . . . . . 51


3.36 Work Areas - Group - Management . . . . . . . . . . . . . . . . . . 53
3.37 Work Areas - Group - Users Access . . . . . . . . . . . . . . . . . . 53
3.38 Workareas - Kaspersky Licence . . . . . . . . . . . . . . . . . . . . 54
3.39 Workareas - Kaspersky - Configure 1/2 . . . . . . . . . . . . . . . . 55
3.40 Workareas - Kaspersky - Configure 2/2 . . . . . . . . . . . . . . . . 56
3.41 Workareas - Kaspersky . . . . . . . . . . . . . . . . . . . . . . . . . 56
3.42 Workareas - Kaspersky - Statistics 1/2 . . . . . . . . . . . . . . . . 57
3.43 Workareas - Kaspersky - Statistics 2/2 . . . . . . . . . . . . . . . . 57
3.44 E-mail - Configure . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
3.45 E-Mail - Definitions 1/2 . . . . . . . . . . . . . . . . . . . . . . . . 62
3.46 E-Mail - Definitions 2/2 . . . . . . . . . . . . . . . . . . . . . . . . 63
3.47 E-Mail - Definitions - Valid internal recipients . . . . . . . . . . . . 63
3.48 E-Mail - Definitions - Invalid senders . . . . . . . . . . . . . . . . . 64
3.49 E-Mail - Queue Management . . . . . . . . . . . . . . . . . . . . . . 64
3.50 E-mail - Users Management . . . . . . . . . . . . . . . . . . . . . . 65
3.51 E-Mail - Alternative addresses, Forwarding and automatic reply . . 66
3.52 E-Mail - Mailing List - Insert . . . . . . . . . . . . . . . . . . . . . 68
3.53 E-Mail - Mailing List - Users . . . . . . . . . . . . . . . . . . . . . . 68
3.54 E-Mail - Mailing List - External users . . . . . . . . . . . . . . . . . 69
3.55 E-Mail - Kaspersky Anti-Virus . . . . . . . . . . . . . . . . . . . . . 70
3.56 E-Mail - Kasp. Anti-Virus - General Configurations . . . . . . . . . 70
3.57 E-Mail - Kasp. Anti-Virus - Groups Management . . . . . . . . . . 71
3.58 E-Mail - Kasp. Anti-Virus - Notification Rules . . . . . . . . . . . . 71
3.59 E-Mail - Kasp. Anti-Virus - Filter . . . . . . . . . . . . . . . . . . . 72
3.60 E-Mail - Kasp. Anti-Virus - Statistics 1/2 . . . . . . . . . . . . . . 73
3.61 E-Mail - Kasp. Anti-Virus - Statistics 2/2 . . . . . . . . . . . . . . 74
3.62 E-Mail - AntiVirus - ClamAV - Main menu . . . . . . . . . . . . . . 74
3.63 E-Mail - AntiVirus - ClamAV - Definitions . . . . . . . . . . . . . . 74
3.64 E-Mail - Kasp. Anti-Spam - Protected Domains . . . . . . . . . . . 75
3.65 E-Mail - Kasp. Anti-Spam - Actions . . . . . . . . . . . . . . . . . 76
3.66 E-Mail - Kasp. Anti-Spam - Rules . . . . . . . . . . . . . . . . . . . 77
3.67 E-Mail - Kasp. Anti-Spam - Statistics . . . . . . . . . . . . . . . . . 78
3.68 E-Mail - AntiSpam - SpamAssassin - Main Menu . . . . . . . . . . 79
3.69 E-Mail - AntiSpam - SpamAssassin - General Options - Reject . . . 79
3.70 E-Mail - AntiSpam - SpamAssassin - General Options - Mark . . . 79
3.71 E-Mail - AntiSpam - SpamAssassin - Created rules . . . . . . . . . 80
3.72 E-Mail - AntiSpam - SpamAssassin - Whitelist . . . . . . . . . . . . 80
3.73 Print Server - Inserting a network printer at IPBrick . . . . . . . . 81
3.74 Print Server - Printer configurations . . . . . . . . . . . . . . . . . . 82
3.75 Backup - Task insertion . . . . . . . . . . . . . . . . . . . . . . . . 83
3.76 Backup - Task list . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
3.77 Terminal Server - General Configuration - 1/2 . . . . . . . . . . . . 88
3.78 Terminal Server - General Configuration - 2/2 . . . . . . . . . . . . 89
3.79 Terminal Server - Boot System configuration . . . . . . . . . . . . . 89
3.80 Terminal Server - Boot Loader configuration . . . . . . . . . . . . . 90


3.81 Terminal Server - Operating System . . . . . . . . . . . . . . . . . . 90


3.82 Terminal Server - Configuration for PXE boot . . . . . . . . . . . . 90
3.83 Terminal Server - Machines . . . . . . . . . . . . . . . . . . . . . . 91

4.1 Firewall - Available Services . . . . . . . . . . . . . . . . . . . . . . 94


4.2 Firewall - Block Services . . . . . . . . . . . . . . . . . . . . . . . . 95
4.3 Firewall - MSN Exceptions . . . . . . . . . . . . . . . . . . . . . . . 95
4.4 Proxy - Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 96
4.5 Proxy - Rules 1/2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
4.6 Proxy - Rules 2/2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
4.7 Proxy - Source groups . . . . . . . . . . . . . . . . . . . . . . . . . 99
4.8 Proxy - Source groups - LDAP filter . . . . . . . . . . . . . . . . . . 99
4.9 Proxy - Destination groups . . . . . . . . . . . . . . . . . . . . . . . 101
4.10 Proxy - Access Lists . . . . . . . . . . . . . . . . . . . . . . . . . . 102
4.11 Proxy - Remote Proxy . . . . . . . . . . . . . . . . . . . . . . . . . 103
4.12 Proxy - Other configurations 1/2 . . . . . . . . . . . . . . . . . . . 105
4.13 Proxy - Other configurations 1/2 . . . . . . . . . . . . . . . . . . . 105
4.14 Proxy - Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
4.15 Proxy - Kaspersky - Licence . . . . . . . . . . . . . . . . . . . . . . 107
4.16 Proxy - Kaspersky - General Settings . . . . . . . . . . . . . . . . . 108
4.17 Proxy - Kaspersky - Statistics . . . . . . . . . . . . . . . . . . . . . 109
4.18 Proxy - Autodiscovery . . . . . . . . . . . . . . . . . . . . . . . . . 109
4.19 Proxy - Autodiscovery - Domains . . . . . . . . . . . . . . . . . . . 110
4.20 Proxy - Autodiscovery - Networks . . . . . . . . . . . . . . . . . . . 110
4.21 Proxy - Autodiscovery Words in URL . . . . . . . . . . . . . . . . . 111
4.22 Proxy - Autodiscovery - Changes . . . . . . . . . . . . . . . . . . . 111
4.23 VPN - PPTP - Users . . . . . . . . . . . . . . . . . . . . . . . . . . 112
4.24 VPN - SSL Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
4.25 VPN SSL - Client certificate configuration . . . . . . . . . . . . . . 115
4.26 VPN SSL - Access policies list . . . . . . . . . . . . . . . . . . . . . 116
4.27 VPN SSL - Access policy configuration . . . . . . . . . . . . . . . . 117
4.28 VPN - IPSec Configuration 1/2 . . . . . . . . . . . . . . . . . . . . 120
4.29 VPN - IPSec Configuration 2/2 . . . . . . . . . . . . . . . . . . . . 120
4.30 VPN - GRE Configuration . . . . . . . . . . . . . . . . . . . . . . . 122
4.31 VPC - General Configurations . . . . . . . . . . . . . . . . . . . . . 123
4.32 VPC - Internet Key Exchange Configuration . . . . . . . . . . . . . 123
4.33 VPC - IPsec Configuration . . . . . . . . . . . . . . . . . . . . . . . 123
4.34 VPC - Tunnel interface configuration . . . . . . . . . . . . . . . . . 124
4.35 VPC - BGP configuration . . . . . . . . . . . . . . . . . . . . . . . 124
4.36 E-Mail - Advanced relay . . . . . . . . . . . . . . . . . . . . . . . . 125
4.37 E-Mail - Get Mail from ISP - Base menu . . . . . . . . . . . . . . . 126
4.38 E-Mail - Get mail from ISP - Servers Management . . . . . . . . . . 127
4.39 E-Mail - Get mail from ISP - Add Account . . . . . . . . . . . . . . 127
4.40 E-Mail - Mail copy . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
4.41 SMS - Enable configuration . . . . . . . . . . . . . . . . . . . . . . 129
4.42 SMS Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129


4.43 GSM Gateway Route Example . . . . . . . . . . . . . . . . . . . . . 130


4.44 SMS - Routes management . . . . . . . . . . . . . . . . . . . . . . . 130
4.45 Web Server - Adding sites . . . . . . . . . . . . . . . . . . . . . . . 134
4.46 Web Server - Features . . . . . . . . . . . . . . . . . . . . . . . . . 136
4.47 Web Server - Alias 1 . . . . . . . . . . . . . . . . . . . . . . . . . . 136
4.48 Web Server - Alias 2 . . . . . . . . . . . . . . . . . . . . . . . . . . 136
4.49 Web Server - Alias List . . . . . . . . . . . . . . . . . . . . . . . . . 137
4.50 Web Server - Redirect - Example 1 . . . . . . . . . . . . . . . . . . 137
4.51 Web Server - Redirect - Example 2 . . . . . . . . . . . . . . . . . . 138
4.52 Web Server - Redirections List . . . . . . . . . . . . . . . . . . . . . 138
4.53 Web Server - Reverse Proxy - Example 1 - Empty site created . . . 139
4.54 Web Server - Reverse Proxy - Example 1 - Add . . . . . . . . . . . 139
4.55 Web Server - Reverse Proxy - Example 2 - Add . . . . . . . . . . . 139
4.56 Web Server - Reverse Proxy - Example 2 - List . . . . . . . . . . . . 140
4.57 Web Server - Statistics . . . . . . . . . . . . . . . . . . . . . . . . . 140
4.58 WebMail Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . 141
4.59 Global Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
4.60 Adding Groupware Administrators . . . . . . . . . . . . . . . . . . 143
4.61 Selecting the Groupware Administrator . . . . . . . . . . . . . . . . 143
4.62 No records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
4.63 Address Book Options with new settings . . . . . . . . . . . . . . . 143
4.64 Groupware Options . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
4.65 Address Book Options . . . . . . . . . . . . . . . . . . . . . . . . . 144
4.66 FTP Server - Definitions . . . . . . . . . . . . . . . . . . . . . . . . 145
4.67 FTP Server - Insert page . . . . . . . . . . . . . . . . . . . . . . . . 146
4.68 FTP Server - Access Log . . . . . . . . . . . . . . . . . . . . . . . . 147
4.69 FTP Server - Access log filter . . . . . . . . . . . . . . . . . . . . . 147
4.70 FTP Server - Statistics . . . . . . . . . . . . . . . . . . . . . . . . . 148
4.71 FTP Server - General Statistics . . . . . . . . . . . . . . . . . . . . 148
4.72 FTP Server - User Statistics . . . . . . . . . . . . . . . . . . . . . . 149
4.73 VoIP - Phones management . . . . . . . . . . . . . . . . . . . . . . 150
4.74 VoIP - Adding alternative addresses . . . . . . . . . . . . . . . . . . 151
4.75 VoIP - Phone Management Search window . . . . . . . . . . . . . . 151
4.76 VoIP - Users Management . . . . . . . . . . . . . . . . . . . . . . . 153
4.77 VoIP - Users Management - User VoIP settings . . . . . . . . . . . 153
4.78 VoIP - Users Management - Access classes and call queues . . . . . 154
4.79 VoIP - Call groups . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
4.80 VoIP - Sequence definitions . . . . . . . . . . . . . . . . . . . . . . 157
4.81 VoIP - Attendance sequences list . . . . . . . . . . . . . . . . . . . 158
4.82 VoIP - IVR attendance configuration . . . . . . . . . . . . . . . . . 160
4.83 VoIP - Simple IVR . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
4.84 VoIP - Call conference insertion . . . . . . . . . . . . . . . . . . . . 161
4.85 VoIP - Call conference list . . . . . . . . . . . . . . . . . . . . . . . 161
4.86 VoIP - Dynamic call conferences . . . . . . . . . . . . . . . . . . . . 162
4.87 VoIP - Call Parking . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
4.88 VoIP - Call Parking - Modify . . . . . . . . . . . . . . . . . . . . . 162


4.89 VoIP - Scheduling . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163


4.90 VoIP - Scheduling - Insert rules . . . . . . . . . . . . . . . . . . . . 164
4.91 VoIP - Scheduling - Rules list . . . . . . . . . . . . . . . . . . . . . 165
4.92 VoIP - DISA - Insert . . . . . . . . . . . . . . . . . . . . . . . . . . 166
4.93 VoIP - Callback any number . . . . . . . . . . . . . . . . . . . . . . 167
4.94 VoIP - Callback authorized numbers or hangup . . . . . . . . . . . 168
4.95 VoIP - Callback authorized numbers or redirect . . . . . . . . . . . 168
4.96 VoIP - Call queue definitions . . . . . . . . . . . . . . . . . . . . . . 171
4.97 VoIP - Call queue members . . . . . . . . . . . . . . . . . . . . . . 172
4.98 VoIP - Call Queues - Current Users . . . . . . . . . . . . . . . . . . 172
4.99 VoIP - Boss/Secretary Group - Insert . . . . . . . . . . . . . . . . . 173
4.100 VoIP - Boss/Secretary Group - Options . . . . . . . . . . . . . . . . 173
4.101 VoIP - Boss/Secretary Group - Example . . . . . . . . . . . . . . . 174
4.102 VoIP - Boss/Secretary Group - Settings Saved . . . . . . . . . . . . 175
4.103 VoIP - Access Classes - Insert . . . . . . . . . . . . . . . . . . . . . 176
4.104 VoIP - Access Classes - Members . . . . . . . . . . . . . . . . . . . 176
4.105 VoIP - Speed Dial . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
4.106 VoIP - Online phones . . . . . . . . . . . . . . . . . . . . . . . . . . 177
4.107 VoIP - Call Statistics - Access Management . . . . . . . . . . . . . 179
4.108 Finished Call statistics . . . . . . . . . . . . . . . . . . . . . . . . . 180
4.109 VoIP - Statistics filter . . . . . . . . . . . . . . . . . . . . . . . . . 180
4.110 VoIP - Call recording definitions . . . . . . . . . . . . . . . . . . . . 181
4.111 VoIP - Call recording - Phones configuration . . . . . . . . . . . . . 182
4.112 VoIP - Call recording - Phone Management/Additional numbers links 182
4.113 VoIP - Call recording - Phone Management page . . . . . . . . . . . 183
4.114 VoIP - Call recording - Additional Numbers page . . . . . . . . . . 183
4.115 VoIP - Call Supervision Group . . . . . . . . . . . . . . . . . . . . . 184
4.116 VoIP - Call Supervision - Supervisioned phones . . . . . . . . . . . 184
4.117 VoIP - Call Supervision Group members . . . . . . . . . . . . . . . 185
4.118 VoIP - Call Manager configuration . . . . . . . . . . . . . . . . . . 185
4.119 VoIP - Call Manager . . . . . . . . . . . . . . . . . . . . . . . . . . 186
4.120 VoIP - Routes Management . . . . . . . . . . . . . . . . . . . . . . 187
4.121 VoIP - Local Routes . . . . . . . . . . . . . . . . . . . . . . . . . . 188
4.122 VoIP - Outbound route definition . . . . . . . . . . . . . . . . . . . 191
4.123 VoIP - Local - Basic Options . . . . . . . . . . . . . . . . . . . . . . 192
4.124 VoIP - Local - Advanced Options . . . . . . . . . . . . . . . . . . . 193
4.125 VoIP - Prefix definition . . . . . . . . . . . . . . . . . . . . . . . . . 194
4.126 VoIP - Codecs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
4.127 VoIP - SIP server for registering . . . . . . . . . . . . . . . . . . . . 196
4.128 VoIP - Music on hold . . . . . . . . . . . . . . . . . . . . . . . . . . 196
4.129 VoIP - Voice Prompts . . . . . . . . . . . . . . . . . . . . . . . . . 197
4.130 VoIP - Voice Prompts by default . . . . . . . . . . . . . . . . . . . 197
4.131 VoIP - Insert Voice Prompts . . . . . . . . . . . . . . . . . . . . . . 198
4.132 VoIP - Dialplan - Filter . . . . . . . . . . . . . . . . . . . . . . . . . 198
4.133 VoIP - Dialplan - Internal . . . . . . . . . . . . . . . . . . . . . . . 199
4.134 VoIP - Dialplan - Inbound . . . . . . . . . . . . . . . . . . . . . . . 199


4.135 VoIP - Dialplan - Outbound Routes . . . . . . . . . . . . . . . . . . 199
4.136 Add - Edit - Delete Icons . . . . . . . . . . . . . . . . . . . . . . . . 200
4.137 IM - Enabling Instant Messaging Server . . . . . . . . . . . . . . . 202
4.138 IM - Blocking MSN applications . . . . . . . . . . . . . . . . . . . . 202
4.139 IM - Web messenger sites blocking in firewall . . . . . . . . . . . . . 202

5.1 Fax Server - Configure . . . . . . . . . . . . . . . . . . . . . . . . . 203


5.2 Fax Server - FAX at telephony card . . . . . . . . . . . . . . . . . . 204
5.3 Fax Server - Fax Users . . . . . . . . . . . . . . . . . . . . . . . . . 206
5.4 Fax Server - Fax Interfaces page . . . . . . . . . . . . . . . . . . . . 206
5.5 Fax Server - Fax Interfaces Insert page . . . . . . . . . . . . . . . . 207
5.6 T38 - Fax Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
5.7 T38 - Fax Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . 209
5.8 T38 - FAX Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
5.9 T38 - Outbound Routes . . . . . . . . . . . . . . . . . . . . . . . . 209
5.10 T38 - Inbound Routes . . . . . . . . . . . . . . . . . . . . . . . . . 210
5.11 T38 - Final result . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
5.12 Fax Server - Sent Faxes . . . . . . . . . . . . . . . . . . . . . . . . . 212
5.13 Fax Server - Received Faxes . . . . . . . . . . . . . . . . . . . . . . 212
5.14 Fax Server - Current Faxes . . . . . . . . . . . . . . . . . . . . . . . 213
5.15 Routes Management . . . . . . . . . . . . . . . . . . . . . . . . . . 213

7.1 Advanced Configurations - Definitions . . . . . . . . . . . . . . . . 220


7.2 Advanced Configurations - Bonding . . . . . . . . . . . . . . . . . . 220
7.3 Advanced Configurations - System Information - 1/2 . . . . . . . . 221
7.4 Advanced Configurations - System Information - 2/2 . . . . . . . . 222
7.5 Advanced Configurations - Web Access . . . . . . . . . . . . . . . . 223
7.6 Advanced Configurations - Language . . . . . . . . . . . . . . . . . 223
7.7 Advanced Configuration - Authentication modes . . . . . . . . . . . 225
7.8 Advanced Configuration - Authentication - IPBrick Slave . . . . . . 225
7.9 Advanced Configuration - Authentication - IPBrick Client . . . . . 225
7.10 Advanced Configuration - Authentication - Servers list . . . . . . . 226
7.11 Advanced Configuration - IPBrick - High Availability . . . . . . . . 227
7.12 High Availability - Modify . . . . . . . . . . . . . . . . . . . . . . . 227
7.13 High Availability - Alert Definitions . . . . . . . . . . . . . . . . . . 228
7.14 High Availability - Alert Definitions - Address definitions . . . . . . 229
7.15 Advanced Configurations - Update . . . . . . . . . . . . . . . . . . 229
7.16 Remote Management . . . . . . . . . . . . . . . . . . . . . . . . . . 230
7.17 Remote Management Insert page . . . . . . . . . . . . . . . . . . . 230
7.18 Test Connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
7.19 MyIPBrick Management page . . . . . . . . . . . . . . . . . . . . . 231
7.20 MyIPBrick Management page . . . . . . . . . . . . . . . . . . . . . 231
7.21 MyIPBrick Management page - Changing the order . . . . . . . . . 232
7.22 MyIPBrick Management page - Additional . . . . . . . . . . . . . . 232
7.23 MyIPBrick Management page - Additional fields . . . . . . . . . . . 232
7.24 MyIPBrick Management changes prompt . . . . . . . . . . . . . . . 232
7.25 Network - Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . 233

7.26 Network - Firewall - General settings rule
7.27 Network - Firewall - Disable access rule
7.28 Network - Firewall - DNAT rule
7.29 Network - Firewall - Order
7.30 Network - Route management
7.31 Network - QoS management
7.32 Network - QOS - General Configurations
7.33 Network - Service Routing
7.34 Support Services - LDAP
7.35 Support Services - DNS - Name resolution zones
7.36 Support Services - DNS - SPF basic options
7.37 Support Services - DNS - SPF advanced options
7.38 Support Services - DNS - Zone Management 1/2
7.39 Support Services - DNS - Zone Management 2/2
7.40 Support Services - DNS - Reverse zone
7.41 Support Services - DNS - Forwarders
7.42 Support Services - DNS - Name resolution
7.43 Support Services - DHCP - Subnets
7.44 Support Services - DHCP - Subnets Definition
7.45 Remote DHCP server form
7.46 Support Services - DHCP - Redundancy
7.47 Support Services - DHCP - General Options
7.48 Support Services - DHCP - Dynamic DNS updates (Yes)
7.49 Support Services - DHCP - Machines
7.50 Support Services - DHCP - DHCP Leases
7.51 Support Services - ENUM
7.52 Support Services - DUNDi
7.53 Support Services - DUNDi Insert
7.54 Disaster Recovery - Replace configuration
7.55 Disaster Recovery - Download configuration
7.56 Disaster Recovery - Upload configuration
7.57 Disaster Recovery - Applications - Data backups list
7.58 Disaster Recovery - Applications - Data restore confirmation
7.59 System - Services
7.60 System - Task Manager
7.61 System - Date and Hour
7.62 System - Date and Hour - NTP
7.63 System - System users
7.64 System - Monitoring - System Logs
7.65 System - Monitoring - System Logs - Remote server
7.66 System - Monitoring - IPBrick logs list
7.67 System - Monitoring - IPBrick current log
7.68 System - Monitoring - Accesses - Management
7.69 System - Monitoring - Accesses - Entries
7.70 System - Monitoring - Traffic
7.71 System - Monitoring - Alerts
7.72 System - SSH
7.73 System - Reboot
7.74 System - Shutdown
7.75 Telephony - Cards - Insert
7.76 Telephony - Card definitions
7.77 Telephony - Cards list
7.78 Telephony - Interfaces
7.79 Telephony - Interface insertion
7.80 Telephony - OCS interface
7.81 Telephony - Failover Switches
7.82 Telephony - Failover Switches Insert
7.83 Telephony - Simple phone register
7.84 Telephony - Configurations
7.85 Telephony - Configurations - Voicemail Options
7.86 Telephony - Configurations - Voicemail Options
7.87 Telephony - Configurations - Agent Mobility
7.88 Telephony - Configurations
7.89 Telephony - Analog and ISDN PRI options
7.90 Telephony - ISDN BRI options
7.91 Telephony - Configurations - Codecs
7.92 Telephony - Configurations - Codecs with g729
7.93 Telephony - Configurations - g729 licence
7.94 Telephony - IP PBX remote managers
7.95 Telephony - IP PBX remote managers - Configuration
7.96 Telephony - VoIP domain alias
7.97 Telephony - SIP peers
7.98 Telephony - IAX Peers
7.99 Auto provisioning - Template list
7.100 Auto provisioning - Phone with a specific template
7.101 Auto provisioning - Insert a new configuration for a phone
7.102 Auto provisioning - Full template list

8.1 Apply Configurations and reboot
8.2 Apply Configurations

12.1 Backup - Arkeia - Main Menu
12.2 Backup - Arkeia - Running Jobs
12.3 Backup - Arkeia - Backups confirmation
12.4 Backup - Arkeia - Add Users
12.5 Backup - Arkeia - Directories to save
12.6 Backup - Arkeia - Levels

13.1 HA Diagram

14.1 Web Server - UCoIP site

15.1 Web Server - MyIPBrick site - Login
15.2 Web Server - MyIPBrick site - Available options
15.3 Web Server - MyIPBrick site - Change settings
15.4 Web Server - MyIPBrick site - Personal area
15.5 MyIPBrick - Voicemail
15.6 MyIPBrick - Voicemail Message
15.7 MyIPBrick - Voicemail Message

16.1 Contacts login interface
16.2 Contacts index page
16.3 Contacts index page
16.4 Rebuild Contacts prompt
16.5 Import Entities prompt
16.6 Spreadsheet containing the Entities to be inserted
16.7 Administration Tab - Users Management
16.8 Users Management - User Selection
16.9 Users Management - User Insertion
16.10 Users Management - User Profile pop-down list
16.11 Profiles management page
16.12 Profiles Management - New profile creation
16.13 Auxiliary Data Page
16.14 New Entity Type button
16.15 Entity Type prompt
16.16 Public Contacts Tab
16.17 Public Contacts Tab - Entity Creation - General tab
16.18 Public Contacts Tab - Entity Creation - Classification Tab
16.19 Public Contacts - Contacts tab
16.20 New Contact button
16.21 Contact General tab

17.1 Slave/Client Installation Warning
17.2 Example 1 - Firewall rule insertion - For an IP
17.3 Example 2 - Firewall rule insertion - For a Network

Chapter 1

Aim of this document

This reference guide gives you a detailed description of the following IPBRICK
menus:

• IPBrick.I configuration;

• IPBrick.C configuration;

• IPBrick.GT configuration;

• IPBrick.KAV configuration;

• Advanced Configurations.

The appendix presents the procedures for workstation configuration. There you will find the following:

• Process of joining a workstation (MS Windows) to a domain;

• Procedures for the establishment of a virtual private network (VPN), PPTP and SSL.

Chapter 2

Before Starting

IPBrick is a complete integrated server system based on a Linux distribution.
Once installed, IPBRICK can be accessed with an Internet browser. The default
IPBRICK IP address is 192.168.69.199, so the address to enter in the
browser is https://192.168.69.199 (Figure 2.1).

Figure 2.1: IPBrick login interface

When you open a web session with IPBRICK you will see a login web page.
After a successful login, IPBRICK gives you access to the main configuration
page. Here you can change the domain and the IP network of the private and
public server interfaces.
Attention: If the network where you are installing IPBRICK already has a DHCP
server, deactivate it in order to avoid conflicts.

For more information about installing IPBRICK and configuring a workstation,
please consult the Installation Manual.

The IPBRICK web management interface is divided into five main menus (Figure
2.2):

• IPBrick.I: For the configuration of specific Intranet services;

• IPBrick.C: For the configuration of specific Communication services outside the LAN;

• IPBrick.GT: Provides an easy way to configure the services normally active on the IPBrick.GT appliance [1];

• IPBrick.KAV: Provides an easy way to configure the services normally active on the IPBrick.KAV appliance [2];

• Advanced Configurations.

All configurations made by the IPBrick administrator are stored in a PostgreSQL
database. Only when the Apply Configurations option is clicked are all the new
system configuration files generated from the database. Changing the
configurations in the following menus:

• Advanced Configurations > IPBRICK > Definitions;

• Advanced Configurations > IPBRICK > Authentication;

• Advanced Configurations > System > Date and Hour > Time zone;

causes a restart of IPBRICK (IPBRICK needs approximately 1 minute to restart,
depending on the hardware where it is installed).

IPBrick provides efficient configuration management: whenever changes are made
to the system through the web interface, a new configuration is saved locally
or stored automatically on a USB pen. This way Disaster Recovery is
guaranteed, which is just one of the added values of IPBRICK. For example, if
the hard drive crashes, you can quickly restore the configurations with the
IPBRICK Installation CD and the USB pen.

[1] An IPBrick hardware appliance for IP telephony with analog/ISDN telephony card integration.
[2] An IPBrick hardware appliance acting as a security gateway, including Kaspersky licensed software.

On the management interface there are some links that allow you to manage
the services:

• Back: Allows you to return to the previous page without saving changes;

• Insert: Allows you to insert new items;

• Modify: Allows you to change item settings;

• Delete: Allows you to delete an item.

Figure 2.2: IPBrick main interface

Chapter 3

IPBrick.I

This chapter describes the IPBrick.I menus used to manage the main Intranet
services.
It is divided into the following main sections:

• Machine Groups;

• Machines Management;

• User Groups;

• Users Management;

• Domain server;

• File Server;

• E-mail;

• Print Server;

• Backup;

• Terminal Server.

3.1 Machine Groups


In this menu you can manage groups of machines: it lets you create groups
and assign machines to each group. For instance, machine groups can be used to
configure web proxy access. To insert a group of machines you have to set:

• Group name: The name assigned to the group of machines;

• Group type:

– Machines Subnets: Depending on the IP address used, these groups of machines can be split into defined sizes;

– Machines: If you choose this option and click Insert, you can assign existing network machines to the group;

• Machine count: If the group is a subnet of machines, you can choose the number of machines for the group;

• Subnet: This field defines the subnet for the group of machines. It represents the range of IP addresses of the defined group.

By clicking Insert, the group is created and its settings are displayed. On
that screen you can see three links: Back, to go back to the list; Modify, to
change the name of the current group; Delete, to remove the machine group. An
example of a machine group is shown in Figure 3.2 and the general list in
Figure 3.1.

Figure 3.1: Machine Groups - List

Figure 3.2: Machine Groups - Example

3.2 Machine Management


This section deals with adding or changing machine registrations in LDAP (e.g.
PC, laptop, printer). A machine is represented by its type, name, group, IP
address and MAC address, as you can see in Figure 3.3.

These are the available machine types:

• Workstation: Workstation in the LAN running a Windows operating system;

• Workstation + SoftPhone: Windows workstation in the LAN with a softphone association;

• Linux Workstation: Workstation in the LAN running a Linux distribution, so it will be possible to export the user's home account by NFS to those Linux clients;

• Linux Workstation + SoftPhone: Linux workstation in the LAN with a softphone association. The name will be the SIP username and it will always be associated with the IP address;

• Printer: Network printer. Location is a description of the printer location. Port is the port where the print server is running, e.g. 9100 for HP printers;

• Set-top Box: A device connected to a display apparatus and to an external signal source, turning the signal into content which is then displayed on a TV screen or any other display device;

• IP Phone: Hardware SIP IP phone in the LAN. The name will be the SIP username and it will always be associated with the IP address. Note that the phone's password must comply with the strong password policies, unless you choose to disable them at Telephony - Configurations;

• IP Camera: This type of digital video camera is commonly used for surveillance purposes, and can send and receive data via a computer network and the Internet;

• Linux Terminal: Thin client with a remote session to a Linux machine, to be used with the Terminal Server in IPBrick;

• Windows Terminal: Thin client with a remote session to a Windows machine, to be used with the Terminal Server in IPBrick;

• Radio base Station: This machine is used to maintain contact with a fleet of hand-held or mobile radios. The base station is one end of a communications link solution offered by IPBrick Radio;

• Set Top Box IPBrick: Our very own set top box, tailor-made for Corporate TV;

• Radio Control Station: The controller of the Radio Base Station. This machine enables the IPBrick to manage and control the transmissions in up to 8 Base Stations.

In order to insert a machine you only have to define the type and enter the
name and IP address. The machine is then registered in LDAP and in the DNS
server. If you fill in the MAC Address field with the MAC address of the
machine being registered, a record is also created for this machine in the
DHCP server.
Note: The machine MAC address can be obtained from the network connection
icon in Windows XP or by running the command ipconfig /all on the command line.

Figure 3.3: Machines Management - Machine registration

You can manage a specific machine by clicking on its name in the list, which
opens the screen shown in Figure 3.4. If you click the Modify link, the form
from Figure 3.3 is displayed so that you can redefine the machine parameters.
If you click Delete, the machine will be deleted. When all the machines are
registered you can see the list in the main menu (Figure 3.5).

Figure 3.4: Machines Management - Options

Figure 3.5: Machines Management - List

NOTE: If the inserted machines have become too numerous to be displayed or
searched efficiently, you can retrieve a machine by using the various search
links displayed on the Machines Management page. There are alphabetical and
numerical quick links, as well as the possibility to open a Search window
(Figure 3.6) or to display all machines on one page (List all link).

Figure 3.6: Machines Management - Search Window

Figure 3.7: Machines Management - Search result

3.2.1 Mass Operations


The Export feature lets you save all data to a .csv file (Figure 3.8). The
Mass operations option lets you import a .csv file (Figure 3.9). You can
edit a .csv file in a spreadsheet application, choosing ; as the column separator.
Mandatory fields:

• action: Options available:

– I: To insert a machine in IPBrick;
– U: To update machine information in IPBrick;
– D: To delete a machine in IPBrick;
– N: No change is made for that line.

• machinetype: Options available:

– 1: For Workstation;
– 3: For Workstation + Softphone;
– 14: For Linux Workstation;
– 15: For Linux Workstation + Softphone;
– 16: For Printer;
– 2: For IP Phone;
– 7: For Linux Terminal;
– 4: For Windows Terminal.

• name: Machine single name;

• ip: Machine IP. The format is xxx.xxx.xxx.xxx;

Other fields:

• mac: Machine NIC MAC address. The format is xx:xx:xx:xx:xx:xx;

• password: Password to use if a SIP phone is selected. e.g.: 123;

• computernumber: Machine LDAP ID;

• groupnumber: Machine group number if associated to some group;

• rdpsrvaddress: Remote server IP if a terminal is selected;

• rdpsrvdomain: Remote server domain if a Windows terminal is selected;

• callerid;

• voip_nat;

• voip_disallow;

• voip_allow;

• voip_dtmfmode;

• voip_subscribecontext;

• voip_pickupgroup;

• voip_callgroup;

• voip_canreinvite;

• voip_insecure;

• voip_athuser;

• voip_fromuser;

• voip_fromdomain;

• voip_mailbox;

• voip_quality;

• voip_call_limit;

• phonedescription;

• idphonetemplate;

• printerdescription;

• printerlocation;

• printerport.

Example of .csv file content for the Mass operations import option:

action;computernumber;machinetype;name;groupnumber;ip;mac;password
I;;1;wrk03;;172.29.1.52;00:E0:98:9B:45:06;
I;;1;wrk04;;172.29.1.54;00:E0:98:9B:45:04;
I;;3;softphone04;;172.29.1.57;00:E0:98:9B:45:54;1234

! Attention !:

• The computer's name has to be alphanumeric. The only exception is the hyphen character (-);

• The computer's name shouldn't contain spaces, diacritical marks or punctuation. Its maximum length should be 15 characters;

• It is not allowed to register machines with the same name, nor machines whose names are identical to a registered user login;

• When registering a Windows station, the name must always be in small letters; if necessary, change the Computer name to small letters too.
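The field and naming rules above can be checked before a file is submitted to Mass operations. The following is an added example, not part of the IPBrick product or manual: the function name, the sample rows and the choice to apply the small-letters rule to machine types 1 and 3 are assumptions.

```python
import csv
import io
import ipaddress
import re

ACTIONS = {"I", "U", "D", "N"}
# machinetype codes from the list in this section
MACHINE_TYPES = {"1", "3", "14", "15", "16", "2", "7", "4"}
# Assumption: the small-letters rule for Windows stations covers types 1 and 3
WINDOWS_TYPES = {"1", "3"}
MANDATORY = ("action", "machinetype", "name", "ip")
NAME_RE = re.compile(r"[A-Za-z0-9-]{1,15}")   # alphanumeric or hyphen, max 15
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}")

# Constructed sample: first row is valid, the others each break some rule.
SAMPLE_CSV = """\
action;computernumber;machinetype;name;groupnumber;ip;mac;password
I;;1;wrk03;;172.29.1.52;00:E0:98:9B:45:06;
I;;1;WRK_front desk;;172.29.1.300;00:E0:98:9B:45;
I;;9;wrk03;;172.29.1.55;;
I;;3;jsmith;;172.29.1.57;00:E0:98:9B:45:54;1234
"""


def validate_machines_csv(text, existing_logins=()):
    """Return a list of (line_number, message), one per broken rule."""
    reader = csv.DictReader(io.StringIO(text), delimiter=";")
    header = reader.fieldnames or []
    missing = [col for col in MANDATORY if col not in header]
    if missing:
        return [(1, "missing mandatory column(s): " + ", ".join(missing))]

    problems, seen = [], set()
    logins = {login.lower() for login in existing_logins}
    for row in reader:
        line = reader.line_num

        def add(message, line=line):
            problems.append((line, message))

        if None in row:  # DictReader stores surplus fields under the key None
            add("more fields than header columns")
        action, mtype, name, ip, mac = (
            (row.get(col) or "").strip()
            for col in ("action", "machinetype", "name", "ip", "mac"))
        if action == "N":          # line is ignored by the import
            continue
        if action not in ACTIONS:
            add(f"unknown action {action!r}")
        if mtype not in MACHINE_TYPES:
            add(f"unknown machinetype {mtype!r}")
        if not NAME_RE.fullmatch(name):
            add("name must be 1-15 characters, alphanumeric or hyphen")
        if mtype in WINDOWS_TYPES and name != name.lower():
            add("Windows station name must be in small letters")
        if action == "I":
            if name.lower() in seen:
                add(f"machine name {name!r} is inserted more than once")
            seen.add(name.lower())
        if name.lower() in logins:
            add(f"machine name {name!r} is identical to a user login")
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            add(f"invalid IPv4 address {ip!r}")
        if mac and not MAC_RE.fullmatch(mac):
            add(f"invalid MAC address {mac!r}")
    return problems


if __name__ == "__main__":
    for line, message in validate_machines_csv(SAMPLE_CSV, ["jsmith"]):
        print(f"line {line}: {message}")
```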

3.3 User Groups


A group is a set of users, generally created when you want all the people in
that group to share the same permissions on a set of files. In this section
you will manage IPBRICK user groups.

• To create a new group:

– Click on Insert (Figure 3.10);
– Choose the group name.

• To add or remove users from a group:

– Click on the group name (Figure 3.11);
– In the generated page (Figure 3.12) choose the users that should be added to or removed from the defined group.

Figure 3.8: Machine Management - Export

Figure 3.9: Machine Management - Mass Operations

There are two pre-defined groups that cannot be deleted or changed. These
groups are:

• Administrators;

• General.

Users that belong to the Administrators group have administrator permissions
in the domain served by IPBRICK. You may add or remove users of this group,
with the exception of the pre-defined Administrator. The General group is a
common group for all users created in IPBRICK.
! Attention !:

• When inserting new groups, their names can be in capital and/or small letters.

• The group name can contain spaces, but can't have more than 32 alphanumeric characters, without accents.

• When the user is created, there shouldn't be another group with the same name, including domains.

Figure 3.10: User Groups - Group creation

Figure 3.11: User Groups - Groups List

Figure 3.12: User Groups - Users

3.4 Users Management


In this section you learn how to register new users, change the information of
existing users and delete users. When creating a new user, IPBRICK
automatically creates an e-mail account, an individual work area (user drive
space on the server) and a net logon that identifies the user in the domain.
After installation, IPBRICK creates by default one user and two groups. The
created user has the login Administrator, which can't be altered, and the two
groups are Administrators and General. The user with the Administrator login
has a work area created in Work Area 1. This user has special characteristics
because he belongs to the Administrators group and is responsible for the
management of some of the system's included sites and functions. Therefore he
can never be removed.

The user registration is composed of the following fields:

• Name: User's name. Usually it's his first and last name;

• Login: User's identification, to be used for any IPBRICK authentication process;

• Server: Selection of the server where the user account shall be created. The user account stands for the hard drive space on the server where various user contents are stored, including an email folder, Windows profile and documents. If there are slave servers they are also listed;

• Work Areas: Partition of the server drive selected to create the account. The users should be distributed in an equitable way, in order to use the available space efficiently;

• Password: Password definition;

• Retype Password: Confirmation of the password;

• Quota: Value that limits the user's hard drive space in the system. The unit of measurement is kilobytes. If you don't indicate a limit value, the user will have unlimited space to occupy.

With Extra Options you can define other LDAP parameters for the users, such as:

• Employee Number;

• Department Number;

• Room Number;

• Phone extension;

• Employee type;

• Business category.

An example is shown in Figure 3.13 and Figure 3.14.

Figure 3.13: Users Management - Insert

Figure 3.14: Users Management - Extra LDAP parameters

! Attention:
• When inserting users, only use characters without accents for their name, login and e-mail address.
• Spaces, brackets, full stops, small and capital letters are possible in the Name field.
• You are not allowed to use spaces in the Login field. Avoid using capital letters.
• Every login has to be unique. There cannot be a login with the same name as a machine registered in IPBRICK.

In order to modify some user information you have to click on the user's name
(Figure 3.15).

Figure 3.15: Users Management - List

In the form where you change the user (Figure 3.17) you can see all fields
that were defined when the user account was created. The only exception is the
uidNumber which is an IPBRICK user identification number. The password is
not shown. All defined fields are editable with the exception of the login and
uidNumber.

To remove an IPBRICK user record:

• Click on the user name;

• The generated page, besides displaying the user properties, also lets you delete the user (Figure 3.16).

Note: The user's contents (personal files, profile, e-mails) are not removed
when his registration is deleted. They are moved to an administrative share
called BackupX (X representing the number of the work area where the user was
registered, 1 or 2). Only members of the Administrators group have access to
this share from any Windows station. To access it, they have to do the following:

• Press the keys [Win]+[R] at the same time;

• Type \\ipbrick\backup1 and press the "OK" button.

All folders and files deleted in these administrative shares are permanently
removed from IPBRICK.
Figure 3.16: Users Management - Operations

Figure 3.17: Users Management - Modify

3.4.1 Mass Operations


The Export feature exports all the data to a .csv file. The Mass operations
option lets you import a .csv file. You can edit a .csv file in a spreadsheet
application.
Mandatory fields:
• actionuser: Options available:

– I: To insert a user in IPBrick;
– U: To update user information in IPBrick;
– D: To delete a user in IPBrick;
– N: Take no action for that user;

• usernumber: User LDAP ID. It starts at 10000 for the administrator, so the value can be incremented by 1 for the other LDAP users;
• login: User login;
• name: User name. If more than one word is used, the " character is necessary;
• email: User email;
• accountquota: Quota for the user account. 0 means unlimited;
• idworkarea: User work area number;
• password: Insert a user password. Later the user can change it at the myipbrick site. Note that this field is not present when a .csv file is exported, so it must be created;
Other fields:
• groupnumber: Group LDAP ID of the user;
• idserver: IP of the slave server where the account is created. 0 means local;
• randompassword: Used to generate random passwords for users;
• sipurl: User's SIP URL, representing the phone near the user;
• mailaccountstatus: 1 for active, 2 for inactive;
• mailalias: User alternative mail address;
• mailquota: Maximum mail account quota in MBytes;
• mailmaxsize: Maximum received message size in MBytes;
• mailforward: Forwarding mail address for the user;
• mailoutoreply: The automatic reply message. The use of " is needed;
• homedrive: Represents the account network drive. The default is Z;
• roamingprofile: 1 for a roaming profile, 2 for a local profile;
• employeenumber: Field that represents the employee number;
• departmentnumber: Represents the employee department number;
• roomnumber: User's room number;
• pager: User's pager number;
• employeetype: Represents the category of the employee;
• businesscategory: This field represents the employee's business category.
Example of .csv file content for the Mass operations import option:

actionuser;usernumber;login;name;email;accountquota;idworkarea;password
I;10001;jdomingues;"Joao Domingues";[email protected];0;;2;123456
I;10002;jsmith;"John Smith";[email protected];0;;1;123456


3.4.2 XML-RPC management


IPBrick LDAP users can be managed through XML-RPC, using a client that calls
the URL:

https://IPBRICK_IP/xmlrpc/server.php

You can send specific .xml messages to:

• Add users;

• Modify users;

• Delete users.

Add user message

<?xml version="1.0" encoding="UTF-8"?>


<methodCall>
<methodName>adduser</methodName>
<params>
<param>
<value><string>login</string></value>
</param>
<param>
<value><string>md5_password</string></value>
</param>
<param>
<value><string>login:userlogin</string></value>
</param>
<param>
<value><string>name:username</string></value>
</param>
<param>
<value><string>email:[email protected]</string></value>
</param>
<param>
<value><string>password:12345</string></value>
</param>
<param>
<value><string>mailalias:[email protected];[email protected]</string></value>
</param>
</params>
</methodCall>


Modify user message


<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
<methodName>modifyuser</methodName>
<params>
<param>
<value><string>login</string></value>
</param>
<param>
<value><string>md5_password</string></value>
</param>
<param>
<value><string>login:userlogin</string></value>
</param>
<param>
<value><string>name:username</string></value>
</param>
<param>
<value><string>email:[email protected]</string></value>
</param>
<param>
<value><string>password:12345</string></value>
</param>
<param>
<value><string>mailalias:[email protected];[email protected]</string></value>
</param>
</params>
</methodCall>

Delete user message


<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
<methodName>deluser</methodName>
<params>
<param>
<value><string>login</string></value>
</param>
<param>
<value><string>md5_password</string></value>
</param>
<param>
<value><string>login:userlogin</string></value>
</param>
</params>

</methodCall>

Note: The first two parameters must be replaced with the IPBrick web interface
credentials.
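
The three messages above share one layout, so a client can build them from a single helper. The following Python sketch is an added example, not IPBrick code: the function names are hypothetical, and it assumes that md5_password is the hex MD5 digest of the web interface password. Because that digest and the new user's password travel in the request body, send_call keeps TLS certificate verification on.

```python
import hashlib
import ssl
import xmlrpc.client

ALLOWED_METHODS = ("adduser", "modifyuser", "deluser")  # the three calls in the guide


def build_params(admin_login, admin_password, fields):
    """Positional string parameters: credentials first, then key:value pairs."""
    if not fields.get("login"):
        raise ValueError("the target user's 'login' field is required")
    # Assumption: md5_password is the hex MD5 digest of the web interface password.
    digest = hashlib.md5(admin_password.encode("utf-8")).hexdigest()
    params = [admin_login, digest]
    # The guide always sends login:<userlogin> as the third parameter.
    ordered = [("login", fields["login"])]
    ordered += [(k, v) for k, v in fields.items() if k != "login"]
    for key, value in ordered:
        if isinstance(value, (list, tuple)):
            value = ";".join(value)  # e.g. several mailalias addresses
        value = str(value)
        if not key.isalnum() or "\r" in value or "\n" in value:
            raise ValueError("invalid field: %r" % key)
        params.append("%s:%s" % (key, value))
    return tuple(params)


def build_call(method, admin_login, admin_password, fields):
    """Return the <methodCall> XML document as a string, without sending it."""
    if method not in ALLOWED_METHODS:
        raise ValueError("unsupported method: %r" % method)
    if method == "deluser" and set(fields) != {"login"}:
        raise ValueError("deluser takes only the login field")
    params = build_params(admin_login, admin_password, fields)
    return xmlrpc.client.dumps(params, methodname=method)


def send_call(host, method, admin_login, admin_password, fields, cafile=None):
    """POST the call over HTTPS with certificate and host name verification.

    If the server uses a private CA, pass its certificate bundle as cafile
    instead of switching verification off.
    """
    build_call(method, admin_login, admin_password, fields)  # validates the input
    context = ssl.create_default_context(cafile=cafile)
    proxy = xmlrpc.client.ServerProxy(
        "https://%s/xmlrpc/server.php" % host, context=context)
    params = build_params(admin_login, admin_password, fields)
    return getattr(proxy, method)(*params)


if __name__ == "__main__":
    # Constructed sample values; nothing is sent over the network here.
    print(build_call("adduser", "admin", "constructed-pw",
                     {"login": "jsmith", "name": "John Smith"}))
```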

3.4.3 User Policies


By default, the password policies are inactive. To enable them click on the
Modify link.

Figure 3.18: Users Management - Password Policies

At the new page you will be presented with these options:

• Use strong passwords: By default NO;

• Lock account after password failed: By default, NO;

• Password Validity: By default NO.

Figure 3.19: Users Management - User Policies - Modify

By selecting YES on the presented options you will access more settings.


Figure 3.20: Users Management - Password Policies

These are the presented options:

• Use strong passwords: By default, this option is set to NO. Select YES to
configure your password’s length and remember that:

– The password cannot be equal to the one currently in use;
– It cannot contain the login or the name;
– It must contain elements of at least three of the following four groups
of characters:
Uppercase letters (A through Z)
Lowercase letters (a through z)
Numbers (0 through 9)
Special characters (such as !,$,%,#)

Again, this will affect all users!


Figure 3.21: Error Warning

– Minimum number of characters: Enter the password’s minimum number
of characters (by default 8);

• Lock account after password failed: By default, this option is set to NO. When
enabled, the user’s account is locked for a set amount of time after a set
number of unsuccessful login attempts.

– Number of attempts before locking the account: By default 5;

– Time period where the account is locked: The time period should be set
in minutes. By default, 15 minutes.

• Password Validity: By default, this option is set to NO, which means that the
password will never expire. Select YES to set the number of days:

NOTE: If you select YES, all users will have an expiration date on their
passwords, but a new option will appear at Users List when you click on
an individual user Name.

Figure 3.22: User Policies link

This new link (User Policies) will enable you to deactivate the password
validity for that particular user.


Figure 3.23: Error Warning

Click on Modify and then select NO at Password Validity.

Figure 3.24: Password Validity

Click on Modify to confirm the changes.

Figure 3.25: Password Validity - NO


If you return to the Users List page you will now notice that this particular
user has no validity on his password.

Figure 3.26: Users List - User with no validity in his password

– Expires in: Number of days the password will be valid (by default, 30
days);

• Block account: If the password expires, the account will be blocked (by
default, NO). If you select YES, an option becomes available to set the
number of days during which the user can still access his account before it is
finally locked:

– Lock account after the password expires: Set the number of days until
the account is locked (by default, 0 days);

• Send notification: By default, the user will not be notified of the end of his
password’s validity. Select YES to set how many days before expiration
the system will notify him;

– Send notification before password expires: Set how many days before
expiration the user will receive a warning (by default, 1 day);
– Notification: By default, the notification’s subject and message are
already set, but you may modify them as you see fit.

To confirm the changes click on the Modify button at the bottom of the page.

The user will be able to alter his password at MyIPBrick. The login page will
prompt him to alter his authentication credential.


Figure 3.27: MyIPBrick Login Prompt
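
The policy settings of section 3.4.3 can be modelled in a few functions, for instance to check the passwords in an import file against the strong password rules before enabling them. This Python sketch is an added example, not IPBrick code: all names are hypothetical, and it assumes that the login and name comparison is case-insensitive (on the login and on each word of the name with three or more characters) and that "special characters" means ASCII punctuation.

```python
import string
from datetime import datetime, timedelta


def strong_password_violations(candidate, login, name, current=None, min_length=8):
    """Return the list of strong password rules that the candidate breaks."""
    problems = []
    if len(candidate) < min_length:
        problems.append("too short")
    if current is not None and candidate == current:
        problems.append("same as current password")
    lowered = candidate.lower()
    # Assumption: case-insensitive match on the login and on each word of the name.
    tokens = [login] + name.split()
    if any(len(t) >= 3 and t.lower() in lowered for t in tokens):
        problems.append("contains login or name")
    groups = [
        any(c in string.ascii_uppercase for c in candidate),
        any(c in string.ascii_lowercase for c in candidate),
        any(c in string.digits for c in candidate),
        any(c in string.punctuation for c in candidate),  # assumed special set
    ]
    if sum(groups) < 3:
        problems.append("fewer than three character groups")
    return problems


class LockoutTracker:
    """Lock an account for lock_minutes after max_attempts failed logins."""

    def __init__(self, max_attempts=5, lock_minutes=15):
        self.max_attempts = max_attempts
        self.lock_period = timedelta(minutes=lock_minutes)
        self._failures = {}      # login -> failures since last success or lock
        self._locked_until = {}  # login -> time at which the lock ends

    def is_locked(self, login, now):
        until = self._locked_until.get(login)
        return until is not None and now < until

    def record_failure(self, login, now):
        """Register a failed login; return True if the account is now locked."""
        if self.is_locked(login, now):
            return True
        count = self._failures.get(login, 0) + 1
        if count >= self.max_attempts:
            self._locked_until[login] = now + self.lock_period
            self._failures[login] = 0
            return True
        self._failures[login] = count
        return False

    def record_success(self, login):
        # Assumption: a successful login resets the failure counter.
        self._failures.pop(login, None)


def password_state(last_changed, now, expires_days=30, notify_days=None,
                   block_account=False, lock_after_days=0):
    """Return 'valid', 'notify', 'expired' or 'locked' for a password age."""
    expiry = last_changed + timedelta(days=expires_days)
    if now >= expiry:
        if block_account and now >= expiry + timedelta(days=lock_after_days):
            return "locked"
        return "expired"  # the user must change the password at MyIPBrick
    if notify_days is not None and now >= expiry - timedelta(days=notify_days):
        return "notify"
    return "valid"


if __name__ == "__main__":
    # The password used in the import example of section 3.4.1 breaks two rules.
    print(strong_password_violations("123456", "jsmith", "John Smith"))
```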

3.5 Domain Server


IPBrick, as an Intranet server, manages all the network resources belonging to
a certain domain and provides important network support services such as DNS and
DHCP. A relevant feature of the domain server¹ is that it works with
the authentication server, where all the users have a username/password pair
defined in the LDAP database of IPBrick. The PDC is consulted whenever there is an
authentication request at a workstation.

3.5.1 Configure
In this section you define the name of the domain served by IPBRICK as well
as these fields (Figure 3.28):

• Domain Login:

– YES: IPBRICK will be a Primary Domain Controller in the chosen
domain;
– NO: IPBRICK will not operate as a domain server.

• Default account network drive: The workstation drive where the user account
will be mapped. Users with large volumes of data should store them there
and not at the profile folders. The default setting is Z;

• Default type of profile: The profile in a Windows workstation is a group of
folders that are normally stored at c:\Documents and Settings\user_login;

– Roaming: In this case, when the user logs out from the workstation,
all the profile folders are synchronized to the user personal account in
IPBrick, located at \\ipbrick\user_login\.profiles. When he logs
in again at the same workstation or at a different one, the profile will
be synchronized back to the workstation;

IMPORTANT NOTE: The system administrator should warn users
not to accumulate large amounts of data, since every time they log in, that
huge profile will have to be re-synced back to the user’s workstation of
choice.
– Local: The profile will never be synchronized to IPBrick; all the user’s
document folders will remain at his local workstation.

¹ Primary Domain Controller

⇒ Note: The information on this section is only valid for the MS Windows
environment. The IPBRICK Domain Name field is related to the Workgroup or
Domain Name in the MS Windows environment.

Figure 3.28: Domain Server - Definitions

3.5.2 Users Management


For each user it’s possible to specify:

• Account network drive: Z: by default (check the previous section 3.5.1 Configure,
for more information);

• Type of profile: Roaming or local (check the previous section 3.5.1 Configure,
for more information);

Clicking on that option the user’s list is presented. Choosing a specific user as
shown at Figure 3.29, we can configure the domain server definitions for him.

3.6 File Server


A work area corresponds to a physical partition in the drive with the denomination
/home1 or /home2. When a new user is created, the system also creates its
personal account that represents a folder structure that supports the user account.


Figure 3.29: Domain server - Users Management

1. Personal Accounts: Located in the MS Windows environment, it contains
e-mail files and the user profile;

2. Group Sharing: Responsible for storing user group files;

3. Administrative Sharing: Responsible for sharing user accounts and
eliminated group sharings. These areas are only available for Administrators.

IPBRICK has two Work Areas by default: Work Area 1 and Work Area 2.
When you click on Work Areas you are given a list of all users and sharing groups
classified by Work Area as well as information about the occupied space in the
system for each individual Work Area (Figure 3.30).

Figure 3.30: Work Areas - Summary

3.6.1 Individual Work Areas


When you select Individual Work Areas, IPBRICK shows you a list with
the existing Work Areas and a schedule of the occupation rate for each Work Area
(Figure 3.31). These Work Areas correspond to the hard drive space where the
users’ data is stored. At Configurations we can enable or disable the recycle bin
folder for the users. It is possible to enable it for all users or to disable it for all.

Figure 3.31: Work Areas - List

Figure 3.32: Work Areas - Summary of Individual Areas

When you click on a Work Area, e.g. Work Area 1, you are given a list of all
users placed in this area as well as the space occupied by each user (Figure
3.32). Each user area is created at the moment you register the user in
IPBrick.I -> Users Management. The individual work areas also list the
FTP accounts created in the FTP menu at IPBrick.C.

! Attention !: If the occupied space in the Work Areas reaches 100%, users
can no longer save their data in IPBRICK. Moreover, e-mails are no longer delivered to
the users. They stay in the queue until some space is released in the Work Areas.
It is recommended to keep the occupation rate of each Work Area under 95%.

! Attention !: Enabling the recycle bin for the users is not recommended in
case of small disk capacity.


3.6.2 Group Work Areas


The group work areas are network shares that can be accessed by SMB or by
NFS clients. You can create network shares in any Work Area. After creating a
network share you have to define the corresponding access permissions.
When inserting a Group Work Area you first have to choose the work area where
the share will be created (Figure 3.33) and fill in the following fields:

• Name: Name of the share folder. Try to avoid spaces, characters with accents
and punctuation;

• Description: Share description. It’s an optional field;

• Administrator: Share administrator’s email. It’s an optional field;

• Browseable: If Yes it will appear in the server browse list. If No the share
will be hidden;

• Recycle bin: Enables the use of a recycle bin;

• Name of the recycle bin folder: If you have chosen to enable the previous
option, you can set here the folder that will be used as a recycle
bin.

Figure 3.33: Work Areas - List

Two examples can be viewed at (Figure 3.34) and (Figure 3.35).

Figure 3.34: Work Areas - Group - Insert with recycle bin


Figure 3.35: Work Areas - Group - Insert without recycle bin

Mapping with NFS


The IPBrick server, by default, is set up to block NFS client connections that
are not from other IPBrick servers (MASTER, SLAVE or CLIENT).

The new share may be accessed from a Windows machine (Network Neighborhood,
\\server\share) but it can also be accessed by NFS (to be used/mapped
by Linux machines).

Note: Windows 7 already includes an NFS client.

In order to allow other Linux clients to work in the same way, by using NFS, it
is necessary to follow both these procedures:

At the Server:
1. Register the desired Linux workstations at IPBrick.I -> Machines Management
as Linux Workstation

2. Configure the shares (usually at home1 or home2)


At the Workstation:
1. Map the folder /home1/_shares (and/or /home2/_shares) in the local
structure, e.g. /nfsshares/h1 (and/or /nfsshares/h2)

Note: This could be done via the local fstab by typing these commands:

su - root
mkdir /nfsshares
mkdir /nfsshares/h1 /nfsshares/h2
vi /etc/fstab
(...)
# fstab field order: remote export, local mount point, type, options, dump, pass
SERVER_IP:/home1/_shares /nfsshares/h1 nfs defaults 0 2
SERVER_IP:/home2/_shares /nfsshares/h2 nfs defaults 0 2

2. After authenticating themselves at the workstation (LDAP client), users
may access the shares by browsing through the /nfsshares folders.

Access Permissions
After creating a Group Work Area you have to give permissions to the users
in order to have access to the network share. This is done by first clicking on the
share name as shown at Figure 3.36.
There are 3 different types of permissions:

• None: No access to the share. Users have no access to open a share folder
on a workstation;

• Read Only: Users have access to share folders and its files. Nevertheless,
they are not allowed to change these files;

• Read/Write: Users have access to share folders and its files and are allowed
to change files and save changes.

Permissions are given to individual users or user groups (Figure 3.37). User
groups are defined in IPBrick.I -> Group Management.
For example, in order to create a share folder for users belonging to a commercial
department you have to take the following steps:

• Create group “Dept Financeiro” in Group Management and add the users
of this department to the group.

• Create an area called “Financeiro” in Work Areas -> Group Work Areas.

• Give read and write permissions to the group “Dept Financeiro”. The other
groups have either read permissions or no access to this area.

⇒ Note: When defining user group permissions any change in the General
group leads to changes for all the other groups. This happens because all users
introduced in IPBRICK are part of General group.

⇒ Note: A deleted share is no longer available to users. All files in this share
are moved to an administrative share called BackupX (X representing the number
of the work area where the share was created, 1 or 2) that you can find in the
same Work Area. Only users belonging to the IPBRICK Administrators group
can access this folder. It’s possible to access this share from a Windows station, if
you take the following steps:

• Press the keys [Win]+[R] at the same time

• Write \\ipbrick\backup1 and press “OK” (the share that exists in Work Area 1)

All files and folders deleted in this administrative share are permanently
deleted in IPBRICK.


Figure 3.36: Work Areas - Group - Management

Figure 3.37: Work Areas - Group - Users Access

3.6.3 Kaspersky
Kaspersky Antivirus for Samba Server (file server) is already installed in
IPBrick. After inserting a valid license (Figure 3.38), Kaspersky Antivirus for Samba
Server is activated and displays the interface with the following links:

• Update: After the license expires you should renew it with a new license file;

• Delete: Removes the license;

• Configure: It provides you a general Anti-Virus configuration option;

• Work areas: Antivirus behavior in work areas;

• Statistics: Interface with specific statistics about the file server’s Anti-
Virus.


Figure 3.38: Workareas - Kaspersky Licence

Configuration
General settings:

• Notify from the address: Sender that will make the notifications;

• Notify to the address: Email address that will receive notifications.

Object settings:

• Directory exclusion mask: Directories that will be analyzed;

• File exclusion mask: Files that will be analyzed;

• Packed Files: If you choose this item, this type of file will be analyzed;

• Archives: If you choose this item, this type of file will be analyzed;

• Auto-extraction files: If you choose this item, this type of file will be
analyzed;

• Email database: If you choose this item, this type of file will be analyzed;

• Text format email: If you choose this item, this type of file will be ana-
lyzed.

Scan settings:

• Cure: If activated, detected virus will be automatically removed;

• Use heuristic: If activated, virus can be detected through the analysis of
the code with characteristics and behavior similar to a virus;

• Use IChecker: If the file was not modified since the last time it was
checked, there will be no new analysis for this file.

Actions Settings: Defines what the Anti-Virus will do with infected and
suspicious files or with warnings:

• Remove: Removes the file;

• Inalterable: Takes no action on the file;

• Move: Moves the file.

Notification settings: Defines what notifications the Anti-Virus will send about
infected and suspicious files or with warnings.

• Notify user through winpopup: Notification using the Windows net send
command;

• Notify user through email;

• Notify administrator through email.

To change settings click on Modify. You can see the configuration interface at
Figure 3.39 and Figure 3.40.

Figure 3.39: Workareas - Kaspersky - Configure 1/2

Workareas
By default, work areas are verified when they are opened and closed. You can
set for each share whether it will be protected and whether it will be verified when users
open and/or close files, as shown at Figure 3.41.


Figure 3.40: Workareas - Kaspersky - Configure 2/2

Figure 3.41: Workareas - Kaspersky

Statistics
Several statistics are displayed in this interface:

• Virus Statistics in period: Options for displaying Virus Statistics
(Figure 3.42):

– Start: The starting date for statistics;
– View: Can be set to hours, days, months or years;
– Repetition: Scale of the graph’s horizontal axis;
– Group: It enables you to group data, depending on the chosen view;

• Virus statistics: The display can be filtered by: Infected files, protected,
corrupted, errors and files where disinfection failed;
• Virus list: Can be organized by Virus name/Number of occurrences
(Figure 3.43).

Figure 3.42: Workareas - Kaspersky - Statistics 1/2

Figure 3.43: Workareas - Kaspersky - Statistics 2/2


3.7 E-Mail
Email is the most used network service on the Internet, gradually replacing
traditional mail and fax. The protocol used to send electronic messages is SMTP
(Simple Mail Transfer Protocol), which runs on TCP port 25. It enables email sending
to one or several recipients and is implemented by MTAs (Mail Transfer Agents).
IPBrick’s MTA is Qmail².
SMTP is only capable of sending messages; therefore, users need the POP3/IMAP
protocols to retrieve messages from the servers. These protocols are supported by
all email clients.

IPBrick’s Email section is composed of:

• Configure;

• Queue Management;

• Users Management;

• Mailing Lists;

• Statistics;

• Kaspersky Anti-Virus;

• Kaspersky Anti-Spam.

3.7.1 Configure
An important concept about the email server configuration is open relay. A
server that works as an open relay processes messages between senders and recipients
outside the server’s domain, which may not even exist. Obviously,
IPBrick doesn’t work as an open relay: it only forwards Internet emails to domains
that are explicitly indicated.

² http://cr.yp.to/qmail.html

It is important to mention four very simple and decisive concepts in E-mail
configuration:

1. Locally delivered domains: E-mail addresses destined for the IPBRICK
server itself, that is, the associated e-mail accounts are in the local
network. E-mails that are in the queue and whose recipient is in one of these
domains are not sent to another server in order to be delivered. The domains
served by the machine have to be correctly configured in each DNS domain
server. That is, the “E-mail servers” of these domains have to be configured
to point to this machine.

2. Authorized relay domains: IPBrick accepts messages whose domains are in
this list, places them in the queue and forwards them. Messages to other
recipients that don’t belong to these domains won’t be accepted by the
server (please see ³).

3. Relay networks definitions: IPBRICK relays to any domain as long
as the e-mail is sent from its corresponding internal network. If there are
different internal IP networks it is necessary to add these networks to the
list. This way all machines in the networks are able to send e-mails to other
domains using IPBRICK as a relay server. Other networks (Internet
IPs) can use this SMTP server but only with TLS authentication. So
someone on the Internet who wants to use IPBrick’s SMTP to send email is
forced to authenticate with his LDAP username/password;

4. SMTP Routes: SMTP routes are configured when you want e-mails to follow
a certain path (server) in order to reach their recipient. Normally, a default SMTP
route is defined (giving the SMTP route and leaving the Domain
empty). When the server is not correctly registered with the IP name in the
Internet DNS, you have to define an SMTP route. This route should point to
either the server responsible for forwarding company e-mails or the SMTP
server of the ISP the company uses to access the Internet. This configuration is
necessary because certain e-mail servers make additional verifications of the
sending server’s authenticity. If they can’t resolve the server name into the
corresponding IP address (reverse DNS check), the mail may be deleted or
sent back as SPAM. If no SMTP route is used, the server tries to send
the mails in the queue on its own. With the help of the DNS records
it tries to find the recipients directly on the Internet.

Each e-mail configuration option has a link to Insert new entries (Figure 3.44).

The domains for local delivery (domains which IPBRICK serves) and relay
(domains which IPBRICK forwards) can be edited and/or deleted. The exception is
the domain whose name is the same as that of the machine in the local networks
or that of the local domain in the relay.

⇒ Note: To make IPBRICK relay e-mails to another server holding the
accounts, the firm base domain has to be removed from the domains served by
IPBRICK, since it is a domain served by IPBRICK by default.
By default IPBrick only forwards email messages that come from its private
network. If there are different internal IP networks, they should be added to allow
them to send messages.

³ Only e-mails from the Internet respecting these rules are processed. IPBRICK is not
configured as open-relay.

There are two different types of SMTP routes:

Figure 3.44: E-mail - Configure

1. FQDN⁴ of the route server. For example: smtp.exchange.telepac.pt.

2. IP address of the route server. Please give attention to the brackets 195.22.133.45.

In the following you are given two examples of configurations, one with an
IP for a specific domain and another configuration for the same domain with the
FQDN:

First Example:
Domain : abzas.miz
SMTP route : 195.22.133.45
Second Example:
Domain : abzas.miz
SMTP route : smtp.exchange.telepac.pt

⁴ Fully Qualified Domain Name

An important configuration is that of a machine relaying e-mails. Whenever
you add a default SMTP route in this situation (without indicating the domain)
you have to add another SMTP route to forward e-mails to the internal e-mail
server. In the following you can see an example of such a configuration.

In this configuration IPBRICK is relaying all incoming e-mails to an
internal e-mail server called accounts. IPBRICK has a second route to deliver all
the mail to the Internet through the smarthost smtp.isp.pt:

Domain: domain.com
SMTP route: accounts.domain.com

Domain:
SMTP route: smtp.isp.pt
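
The four concepts of section 3.7.1 combine into one acceptance decision and one routing decision per message. The Python sketch below is an added example, not IPBrick or qmail code. Its function names, the constructed network 192.168.69.0/24 and the test addresses are assumptions, and the audit helper assumes that "internal network" means an RFC 1918 range.

```python
import ipaddress

# Assumption: internal networks are the RFC 1918 private ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def domain_of(address):
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def relay_decision(client_ip, authenticated, rcpt,
                   local_domains, relay_domains, relay_networks):
    """Return 'deliver-local', 'relay' or 'reject' for one recipient."""
    domain = domain_of(rcpt)
    if domain in local_domains:
        return "deliver-local"   # concept 1: locally delivered domains
    if domain in relay_domains:
        return "relay"           # concept 2: authorized relay domains
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(net) for net in relay_networks):
        return "relay"           # concept 3: sender is in a relay network
    if authenticated:
        return "relay"           # Internet client that authenticated over TLS
    return "reject"              # anything else would make the server an open relay


def next_hop(rcpt, smtp_routes):
    """Concept 4: pick the SMTP route; the empty key is the default route.

    Returns None when no route applies and the server delivers via DNS itself.
    """
    domain = domain_of(rcpt)
    if domain in smtp_routes:
        return smtp_routes[domain]
    return smtp_routes.get("")


def risky_relay_networks(relay_networks):
    """Return relay network entries that are not inside a private range."""
    risky = []
    for text in relay_networks:
        net = ipaddress.ip_network(text)
        internal = net.version == 4 and any(net.subnet_of(r) for r in RFC1918)
        if not internal:
            risky.append(text)
    return risky


# The relaying configuration shown above, plus one constructed internal network.
ROUTES = {"domain.com": "accounts.domain.com", "": "smtp.isp.pt"}
RELAY_DOMAINS = {"domain.com"}
RELAY_NETWORKS = ["192.168.69.0/24"]

if __name__ == "__main__":
    for ip, auth, rcpt in [("203.0.113.7", False, "user@domain.com"),
                           ("203.0.113.7", False, "someone@example.org"),
                           ("192.168.69.20", False, "someone@example.org")]:
        verdict = relay_decision(ip, auth, rcpt, set(), RELAY_DOMAINS, RELAY_NETWORKS)
        print(ip, rcpt, verdict, next_hop(rcpt, ROUTES))
```

Running risky_relay_networks over the configured list is a quick audit: an entry such as 0.0.0.0/0 would let any Internet host relay without authenticating.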

3.7.2 Definitions
There is a link called Definitions (see Figure 3.45 and Figure 3.46) to define
characteristics of the e-mail server:

• Message maximum size: The global maximum size of a message being
sent or received
Value by default: unlimited.

• Maximum time to hold the message in the server: Maximum time the
message will stay in the mail queue
Value by default: 604800 seconds (7 days)

• Maximum number for simultaneous SMTP connections: Number of
connections that the server can support
Value by default: 20

• Incoming message timeout: Maximum time to receive a single message in
the server. If reached, it will time out
Value by default: 1200 seconds

• Outgoing message timeout: Maximum time to send a single message. If
reached, it will time out
Value by default: 1200 seconds

• Reject emails from invalid domains: The server will reject incoming
mail if the sender’s domain has no MX record, in which case the domain is
considered invalid.
Default value: Yes

• Reject emails from invalid servers: The server will reject incoming
mail if the sender’s FQDN doesn’t have a reverse DNS record.
Default value: No

• Approaching quota limit warning message: Message to send to the user
when the mail quota is approaching the limit. The default is Quota Warning!;

• SPF (Sender Policy Framework): Disabled by default. If active, for
each incoming mail, the sender will be asked about the mail authenticity.
The mail rejection will depend on the sender’s answer and the protection level
defined here. The SPF mechanisms, qualifiers and modifiers can be found at
the SPF site (http://www.openspf.org/SPF_Record_Syntax).

These are the protection levels defined at IPBrick mail server:

– Standard protection: The mails will be rejected if the answer is Fail;
– Medium protection: The mails will be rejected if the answer is Fail or
SoftFail;
– High protection: The mails will be rejected if the answer is Fail,
SoftFail or Neutral;

• Blacklist (RBL): Enable or disable the RBL (Realtime blacklist) or DNSBL
verification. That verification is made on all incoming mails from the Internet
and before the KAV filter. The following are used by default:
– http://www.spamhaus.org/SBL
– http://0spam.fusionzero.com
– http://www.uceprotect.net/en
– http://www.spamsources.fabel.dk/

Figure 3.45: E-Mail - Definitions 1/2

In this interface it is also possible to define permissions for sending and receiving
e-mails:
• Valid internal recipients: It is important to fill in this list in order to protect
the server from a mailbomb attack. All the valid internal email addresses should
be listed here. If the list is empty all the internal recipients will be
accepted (Figure 3.47);
• Invalid senders: A list with e-mail addresses that are not allowed to send
email (Figure 3.48).


Figure 3.46: E-Mail - Definitions 2/2

Figure 3.47: E-Mail - Definitions - Valid internal recipients

3.7.3 Queue Management


The Queue Management (Figure 3.49) allows you to manage and view e-mails
that are in the e-mail server queue waiting to be delivered to their local or
remote recipient.
You can see the number of e-mails that are in the queue waiting to be delivered
to their local or remote recipient as well as the total number of e-mails in the queue.
The list presents the following fields:


Figure 3.48: E-Mail - Definitions - Invalid senders

Figure 3.49: E-Mail - Queue Management

• ID: The unique message identifier added by IPBRICK;

• Date: E-mail sending date;

• From: E-mail sender;

• To: E-mail recipient;

• Subject: Message subject;

• Size: Message size displayed in Kbytes.

You can delete several e-mails at the same time by selecting the corresponding
checkboxes and clicking on the Delete Mails option. You have to confirm this
action in order to delete the chosen mails.
When selecting a mail you can see its complete source. This operation is done
in real time. Therefore it is not necessary to Apply Configurations.
! Attention !: E-mails deleted from the queue are permanently deleted. An email
can stay in the queue for a default value of 7 days.
! Attention !: When a message in the queue is deleted the qmail service is restarted.


3.7.4 Users management


This option provides a centralized management for each user email account of
the system and it’s possible to configure:

• State: The user email account can be enabled or disabled;

• Default mail: The user default mail address. It’s not mandatory to be equal
to login@domain;

• Alternative addresses;

• Mail quota;

• Message maximum size: Maximum size of a received message;

• Forward to;

• Automatic reply message.

Configuration example at Figure 3.51.

Figure 3.50: E-mail - Users Management


Alternative Addresses
Alternative addresses (Figure 3.51) give you, on the one hand, practical logins
which are easy to manage and, on the other hand, the comfort of
using more personalized e-mail addresses. This way the user can have an e-mail
address with which he identifies himself more.
All mails that are sent to any alternative e-mail address defined for a user are
delivered to that user’s inbox.
Example: name : John Smith
login : jsmith
email : [email protected]

Alternative Addresses:
[email protected]
[email protected]
[email protected]

Figure 3.51: E-Mail - Alternative addresses, Forwarding and automatic reply

To Insert a new email address:

• Select the account (user);

• In the Alternative Addresses field: Set the alternative email address(es).

Whenever you want, you can access the e-mail address list (IPBRICK user
e-mail addresses arranged in groups) and change the names or the user of an e-mail
address. Obviously, when you change the user of an alternative e-mail
address, new mails will be delivered to the new user while the other alternative
addresses stay with the old user.

Mail Forward
Mail forward allows delivered mails to be sent to the user’s email and other
internal or external e-mail addresses.
To insert a new mail forward (Figure 3.51):

• Select the account (user);

• In the Forward to field: Set the recipient email address(es).

Automatic reply message


An automatic reply message is an e-mail automatically sent by IPBRICK to
answer other e-mails. When an e-mail arrives at a mail account with auto reply
configured, IPBRICK sends a mail to the sender with the personalized message.

In order to Insert a new auto reply you need to (Figure 3.51):

• Select the account (user);

• Insert in the Automatic reply message text area, insert the content you
want. Ex: I’m not at office. Please contact my coleague John Smith.

3.7.5 Mailing Lists


A mailing list provides the feature of sending email from one to many.
To add a mailing list:

• Click on Insert;

• Write the address you want in the mail field (Figure 3.52);

• Click on Insert.

After you add a mailing list (Figure 3.53), you have to configure:

• Internal Users List: Set the IPBrick Users that will be part of the mailing
list;

• IPBrick Contacts address list: Set if any contact present at IPBrick Contacts site will be part of the mailing list;

• External Users List: Set the email addresses that don’t belong to the
LAN (Figure 3.54).

In both cases you only have to click Modify to add members to the list.


Figure 3.52: E-Mail - Mailing List - Insert

Figure 3.53: E-Mail - Mailing List - Users

3.7.6 Statistics
Like the proxy and web services, the mail service also uses the Advanced Web Statistics. They generate helpful and important data for the network administrator:

• Time statistics: Sent mail by month, week, days or even hours;

• Senders statistics: By top level domain, hosts, sent mail and incoming mail;

• Other information like SMTP errors.


Figure 3.54: E-Mail - Mailing List - External users

3.7.7 Anti-Virus
Kaspersky
The Kaspersky Anti-Virus is already installed in the Email section. You only
have to acquire a license from Kaspersky to activate its management interface.
After inserting the license, the interface displays the following links (Figure 3.55):

• Update: After the license expiration, you need to renew with a new license
file;

• Delete: Removes the license;

• Configure: Provides a general configuration of notifications;

• Groups Management: Provides personalization of Kaspersky Antivirus configuration and filtering;

• Statistics: Interface with specific statistics about the Anti-Virus use.

General configurations

Click on Modify to configure the notifications email address (Figure 3.56).


General Settings:
• Notify from address: Sender address used for the notifications;

• Notify to address: Email address that will receive notifications.

Limits:
• Do not send notification to: Address that won't be able to receive notifications (the notification sender).


Figure 3.55: E-Mail - Kaspersky Anti-Virus

Figure 3.56: E-Mail - Kasp. Anti-Virus - General Configurations

Groups Management

The group default is already created. If you click on the group, the default
general settings are displayed. If you click on Modify, you can personalize the
following options (Figure 3.57):

• Enable: Kaspersky Anti-Virus State;

• Group administrator address: Group administrator email;

• Quarantine path: The files in the quarantine state are stored in this directory;

• Sender mask: You may add this item if a new group is created;

• Recipient mask: You may add this item if a new group is created;


Figure 3.57: E-Mail - Kasp. Anti-Virus - Groups Management

The notification rules for any type of object can be changed in the Notification Rules menu, as you can see in Figure 3.58.

Figure 3.58: E-Mail - Kasp. Anti-Virus - Notification Rules

In the Filter menu (Figure 3.59), you may set the filter rules/exceptions by the name of the files or by mime-type.

Statistics

Several statistics are displayed in this interface:

• Virus Statistics in period: Options for displaying the graphic in Virus Statistics:

– Start: The starting date for statistics;
– View: Can be set in hours, days, months or years;
– Repetition: Scale of the graphic horizontal axis;
– Group: It enables you to group data, depending on the chosen view;


Figure 3.59: E-Mail - Kasp. Anti-Virus - Filter

• Virus statistics: The display can be filtered by: Infected files, protected,
corrupted, errors and files where disinfection failed;

• Virus List: Can be organized by Virus name/Number of occurrences;

• List of email senders: Shows some statistics about files by sender addresses;

• List of email recipients: Shows some statistics about files by IPBrick recipients addresses.

An example can be seen at Figure 3.60 and Figure 3.61.

ClamAV
ClamAV[5] is included in IPBrick. By default the service is inactive (Figure 3.62); to activate it, click Modify and choose Yes at Enable configuration. When activated, ClamAV will filter all the incoming mail through its engine. When ClamAV detects a virus, one of the following actions is taken, according to what you configure (Figure 3.63):

• Reject E-Mail: The message is rejected and will not enter the mail queue.
The sender will receive a notification;

• Mark E-Mail as virus: The message is marked and enters the mail queue normally;

• Mark and Redirect E-Mail: The message is marked and redirected to a mail address;

• Delete E-Mail: The message is deleted, will not enter the mail queue and no notification is sent.
[5] http://www.clamav.net


Figure 3.60: E-Mail - Kasp. Anti-Virus - Statistics 1/2

Note: ClamAV will automatically update its database in a transparent way to the user.

3.7.8 Anti-Spam
Kaspersky
Like Kaspersky Anti-Virus, Anti-Spam is already installed; you only need to apply a license to activate this feature at the communications IPBrick. After the activation, the following options are displayed:

• Update: After the license expiration, you need to renew with a new license
file;

• Delete: Removes the license;

• Configure: Provides a general configuration of notifications;

• Statistics: Interface with specific statistics about the Anti-Spam use.

The most important Anti-Spam configuration features are:

• To add every email domains of the company that the Anti-Spam should filter
(Figure 3.64);


Figure 3.61: E-Mail - Kasp. Anti-Virus - Statistics 2/2

Figure 3.62: E-Mail - AntiVirus - ClamAV - Main menu

• To set Kaspersky Anti-Spam detection level. Standard is the default level. If the spam reception rate is high, the level of detection should be increased (Figure 3.66);

Figure 3.63: E-Mail - AntiVirus - ClamAV - Definitions


• To redirect all the emails classified as spam by Kaspersky Anti-Spam to an email account (At Figure 3.65: [email protected]). This enables the network administrator to analyze all the emails classified as Spam - if there is any misclassified email, the administrator may forward this email to its recipient. In an Intranet and a Communications IPBrick topology we can use a local mailbox from the Communications IPBrick (ex: [email protected]), because all the spam must stay at the com. server;

• Email and IP addresses Whitelists and Blacklists should be added - if there are any (menu on Figure 3.64).

Figure 3.64: E-Mail - Kasp. Anti-Spam - Protected Domains

Statistics

Several statistics are displayed in this interface:

• Spam Statistics in period: Options for displaying the graphic in Spam Statistics:

– Start: The starting date for statistics;
– View: Can be set in hours, days, months or years;
– Repetition: Scale of the graphic horizontal axis;
– Group: It enables you to group data, depending on the chosen view.


Figure 3.65: E-Mail - Kasp. Anti-Spam - Actions

• Spam statistics: The display can be filtered by: Clean files, Spam, probable and blacklists;

• List of email recipients: Shows some statistics about files by IPBrick recipients addresses.

An example is present at Figure 3.67.

SpamAssassin
SpamAssassin[6] is included in IPBrick. By default the service is inactive (Figure 3.68); to activate it, click Modify and choose Yes at Enable configuration.

Note: SpamAssassin will keep its database automatically updated in a transparent way to the user.
The General Options (Figure 3.69) are:

• Required Score: For each arriving message, the SpamAssassin filter applies rules to decide whether it is spam or not. The final value is a score number. This field defines the required general score. The default is 10, so only mail messages that score >= 10 will be considered SPAM;
[6] http://spamassassin.apache.org


Figure 3.66: E-Mail - Kasp. Anti-Spam - Rules

• Action when it is detected SPAM:

– Reject E-Mail: The message is rejected and will not enter the mail queue. The sender will receive a notification;
– Mark E-Mail as SPAM: The message is marked and enters the mail queue normally;
– Mark and Redirect E-Mail: The message is marked and redirected to the mail address [email protected] (Figure 3.70);
– Delete E-Mail: The message is deleted, will not enter the mail queue and no notification is sent.

• Body Message Structure: Active only for the mark actions. The original message can be kept, or we can choose to send the original message as an attachment, as .txt or .eml. If it goes as an attachment, it's possible to define a specific description at Body Message Description.

After configuring the General Options, no further alterations are mandatory.

The following definitions, regarding specific score rules, are completely optional.

To insert a score rule, click Insert. The following options are available:

Figure 3.67: E-Mail - Kasp. Anti-Spam - Statistics

• Rule name: Name that will identify the rule;

• E-Mail Field: Specific e-mail field to filter. Options:

– Body;
– From;
– Subject;

• Filter: Type of filter and what word or expression to filter. Options:

– Contains this word/phrase: It filters the chosen field when it contains the word/phrase defined;
– Exactly match this word/phrase: It filters the chosen field when it exactly matches the word/phrase defined;

• Score: Score number to attribute to the rule. Let's imagine that Required Score is set to the default (10). A rule defined, for example, with score -1 will be a pass result. A rule defined with score 20 will be considered SPAM. An example is presented at Figure 3.71.

The top menu presents the options Whitelist and Blacklist. At whitelist we can define authorized domains and emails (example at Figure 3.72). Mail coming from these origins has a score of -100. At blacklist we can define forbidden domains and emails. Mail coming from these origins has a score of 100.
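The scoring described above, as an added example (not IPBrick or SpamAssassin code): a small Python model of how the Required Score, custom score rules and the whitelist/blacklist scores of -100 and 100 combine into a verdict. Case-insensitive matching, matching list entries against the sender address or its domain, and all rule names, addresses and messages are assumptions constructed for illustration.

```python
from dataclasses import dataclass

REQUIRED_SCORE = 10      # default "Required Score" stated in this guide
WHITELIST_SCORE = -100   # score this guide gives to whitelisted origins
BLACKLIST_SCORE = 100    # score this guide gives to blacklisted origins


@dataclass
class ScoreRule:
    name: str
    field: str     # "Body", "From" or "Subject"
    mode: str      # "contains" or "exact"
    pattern: str
    score: float


def rule_hits(rule, message):
    """True when the rule's word/phrase matches the chosen e-mail field."""
    value = message.get(rule.field, "").strip().lower()  # assumption: case-insensitive
    pattern = rule.pattern.strip().lower()
    if rule.mode == "exact":
        return value == pattern
    return pattern in value


def origin_listed(sender, entries):
    """Assumption: a list entry is either a full address or a bare domain."""
    sender = sender.strip().lower()
    domain = sender.rpartition("@")[2]
    return any(entry.strip().lower() in (sender, domain) for entry in entries)


def classify(message, rules, whitelist=(), blacklist=(), required=REQUIRED_SCORE):
    """Return (total score, is_spam, names of everything that contributed)."""
    total, hits = 0.0, []
    sender = message.get("From", "")
    if origin_listed(sender, whitelist):
        total += WHITELIST_SCORE
        hits.append("WHITELIST")
    if origin_listed(sender, blacklist):
        total += BLACKLIST_SCORE
        hits.append("BLACKLIST")
    for rule in rules:
        if rule_hits(rule, message):
            total += rule.score
            hits.append(rule.name)
    return total, total >= required, hits


# Constructed sample rules and messages (hypothetical names and addresses).
RULES = [
    ScoreRule("subject_watches", "Subject", "contains", "cheap watches", 20),
    ScoreRule("body_click_here", "Body", "contains", "click here", 6),
    ScoreRule("subject_invoice", "Subject", "exact", "invoice", 6),
    ScoreRule("from_partner", "From", "exact", "orders@partner.example", -1),
]

BULK = {"From": "promo@bulk.example", "Subject": "Cheap watches today",
        "Body": "Click here to buy."}
INVOICE = {"From": "billing@unknown.example", "Subject": "Invoice",
           "Body": "Please click here to view."}
PARTNER = {"From": "orders@partner.example", "Subject": "Invoice",
           "Body": "Attached as agreed."}

if __name__ == "__main__":
    for msg in (BULK, INVOICE, PARTNER):
        print(msg["From"], classify(msg, RULES))
    # A whitelisted origin outweighs every rule above, so keep the list narrow.
    print(classify(BULK, RULES, whitelist=["bulk.example"]))
```

Two rules that each stay below the Required Score still add up to a SPAM verdict, while a single whitelist entry cancels all of them, which is why whitelist entries deserve the same review as the rules themselves.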


Figure 3.68: E-Mail - AntiSpam - SpamAssassin - Main Menu

Figure 3.69: E-Mail - AntiSpam - SpamAssassin - General Options - Reject

3.8 Print Server


This section deals with the management interface for printers intended to be available in the network. When you define a printer you are asked to define these fields (Figure 3.73):

1. Name: Printer name;

2. Description: Simple description about the printer. This field is not mandatory;

3. Location: Physical location in the company. This field is not mandatory;

Figure 3.70: E-Mail - AntiSpam - SpamAssassin - General Options - Mark


Figure 3.71: E-Mail - AntiSpam - SpamAssassin - Created rules

Figure 3.72: E-Mail - AntiSpam - SpamAssassin - Whitelist

4. Interface: Interface type used between the printer and the server. There
are 4 options:

• Parallel port;
• Serial port;
• USB port;


• Network printer: Connected to a LAN switch.

5. Device: Used by the printer. This is directly related to the interface. (This option is only available for interfaces with parallel port, serial port and USB port) (e.g. Interface -> Parallel Port, Hardware -> Parallel Port 1)

6. In case of a network printer, the following information is necessary:

• Address: Network printer address. (This option is only available for network printers) (e.g. 192.168.1.1)
• Port: The network printer’s port. This field is not obligatory. (This option is only available for network printers) (e.g. for a HP printer: 9100)

Figure 3.73: Print Server - Inserting a network printer at IPBrick

After inserting a printer, IPBRICK has to make the drivers available to the client stations in order to finish the configuration. Therefore the printer drivers have to be transferred to the server:

1. Log on to a Windows station with a user of the Administrators group (the workstation has to be already registered in the IPBRICK domain);

2. Press the keys [Win]+[R] at the same time and type \\ipbrick;

3. Select Printers and Faxes. Verify that the printer added in the IPBRICK Web interface is shown.

4. Right click inside the window Printers and Faxes and select Server Properties;

5. Select the Drivers option in the presented window.

6. Choose ”Add”, set the manufacturer and the printer model and click Next;

7. Select the Windows version which the drivers have to correspond with.


8. Click Finish

Now the printer’s drivers are transferred to IPBRICK.

9. At the share named Printers and Faxes on IPBRICK, right click on the printer and choose Printer Properties. You’ll be prompted with a message like the one in Figure 3.74. Choose ”No”.

10. Enter in ”Advanced”, select the new driver just added and click ”Apply”.

Figure 3.74: Print Server - Printer configurations

To configure the printer on the client side, you must:

• Press the keys [Win]+[R] at the same time;

• Type \\ipbrick at the new window;

• Right click on the printer and choose ”Connect”.

Now the printer is listed at ”Printers and Faxes” on the client side.

3.9 Backup
Backup consists of copying data from one device to another so that these ad-
ditional copies may be used to restore the original after a data loss event. Usually
this is made from hard disk to tape, DVD or to another disk. Nowadays, paper
is being rapidly replaced by digital files, so organizations need to be aware of the
importance of having a reliable backup system.

3.9.1 Remote
This option enables the possibility of configuring scheduled backups to a NAS[7] device or to an rsync server. Rsync is a powerful backup tool included in IPBrick, that does incremental copies of files/directories to another rsync server.

[7] Network Attached Storage


To add a backup task you must click Insert (Figure 3.75). You will have the
following fields:
Backup definitions:

• Backup Name: It’s the backup’s name.

• Notification E-mail: Recipient that will receive all the backup notifications;

• Job to do: There are two options:

– Copy: It will copy all work areas to the backup device (/home1, /home2, /home3...);
– Restore: It will restore all work areas from the backup device;

• Periodicity: The backup is always made daily;

• Time to start: Time when the ’Copy’ will start;

Figure 3.75: Backup - Task insertion

Destination Data Definitions:

• Data Location: The only option is remote. It will always be to a remote machine.

• Backup Device

– NAS (SMB): The backup device is a NAS[8] with a SMB share created. The backup method is done using the archiving utility tar. Options available:
∗ IP address: Backup device’s IP address;
∗ Login: Username that has access to the share;
∗ Password: Share password;
∗ Share Name: Name of the share created in the NAS.
– NAS (NFS): The backup device is a NAS[9] with a NFS share created. The backup method is done using the incremental backup utility rsync. Options available:
∗ IP address: Backup device’s IP address;
∗ Share Name: Name of the share created in the NAS.
– Rsync Server: The backup device is a machine running a rsync server. You can see an example of a rsync server configuration in the next section;
∗ IP address: The rsync server’s IP address.

[8] Network-attached Storage

When a backup task is inserted, we have a Backups List with the following
options (Figure 3.76):

• Name: Clicking on the Backup Name you will have access to these options:

– Back: Go to backups list;
– Modify: Modify the current backup task definitions;
– Delete: Delete the current backup task;

• Start copy: Starts the backup immediately;

• Statistics: Backup statistics;

• LOG: Backup log messages.

Note: If using the NAS (SMB) backup, the restore option will restore all the files included, but from the beginning.
Note: If using NAS (NFS) or rsync server, the remote filesystem should be the same that IPBrick is using (e.g. ext3).

Figure 3.76: Backup - Task list

[9] Network-attached Storage


Rsync server configuration


If the backup device is another IPBrick, the server must be prepared to act as a rsync server. First let’s suppose that the client IPBrick machine has the following configuration:
• IP: 192.168.69.199;
• FQDN: ipbrick.domain.com;
At the IPBrick rsync server we need to:
1. Create a group workarea (share) using the Workarea 1, with the FQDN as the share name: ipbrick.domain.com;
2. Connect by SSH to the IPBrick server and type the following command so that rsync always starts when the server reboots:

update-rc.d rsync defaults 20

3. Create the configuration file for rsync by typing: nano /etc/rsyncd.conf


4. Fill in the following content:

uid = root
gid = root
use chroot = yes
[ipbrick.domain.com]
path = /home1/_shares/ipbrick.domain.com
hosts allow = 192.168.69.199
read only = false
write only = false

5. Save the file and exit from the file editor nano;
6. Start rsync using this command: /etc/init.d/rsync start
Note: A complete network backup solution is also included at IPBrick, supporting tape and disk backup. Link: http://www.bacula.org.
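An added example (not part of the IPBrick guide or of rsync): a Python check that parses an rsyncd.conf and reports, per module, which access controls it relies on. Run on the configuration from step 4 it shows that the module is writable as root with no authentication, so the hosts allow line is the only gate; the second sample, a constructed copy with that line dropped, is the case worth catching. The finding labels and the [archive] module are assumptions made for illustration.

```python
def parse_rsyncd_conf(text):
    """Return (global parameters, {module name: parameters})."""
    globals_, modules = {}, {}
    current = globals_
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = modules.setdefault(line[1:-1].strip(), {})
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            # Normalise case and runs of spaces in the parameter name.
            current[" ".join(key.lower().split())] = value.strip()
    return globals_, modules


def truthy(value):
    return value.strip().lower() in ("yes", "true", "1")


def audit(text):
    """Map each module to the list of findings that apply to it."""
    globals_, modules = parse_rsyncd_conf(text)
    report = {}
    for name, params in modules.items():
        eff = {**globals_, **params}          # module values override globals
        findings = []
        if "auth users" not in eff or "secrets file" not in eff:
            findings.append("no-auth")        # anyone who can connect is accepted
        if eff.get("uid", "nobody") in ("root", "0"):
            findings.append("runs-as-root")   # transfers run with root rights
        if not truthy(eff.get("read only", "yes")):
            findings.append("writable")       # clients may upload and overwrite
        if "hosts allow" not in eff:
            findings.append("no-host-restriction")
        if not truthy(eff.get("use chroot", "yes")):
            findings.append("no-chroot")
        report[name] = findings
    return report


def open_to_any_host(findings):
    """Neither a password nor a source address stands in front of the module."""
    return "no-auth" in findings and "no-host-restriction" in findings


# The configuration from step 4 of this section.
PAGE_CONFIG = """\
uid = root
gid = root
use chroot = yes
[ipbrick.domain.com]
path = /home1/_shares/ipbrick.domain.com
hosts allow = 192.168.69.199
read only = false
write only = false
"""

# Constructed variant: the module was copied and "hosts allow" was left out.
COPIED_CONFIG = """\
uid = root
gid = root
use chroot = yes
[archive]
path = /home1/_shares/archive
read only = false
"""

if __name__ == "__main__":
    for label, conf in (("page", PAGE_CONFIG), ("copied", COPIED_CONFIG)):
        for module, findings in audit(conf).items():
            print(label, module, findings, "OPEN" if open_to_any_host(findings) else "")
```

For a backup target, runs-as-root and writable are expected; the point of the check is that with those two in place the module must never lose its host restriction.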

3.10 Terminal Server


IPBrick’s terminal server provides an Operating System to terminal stations that have no disk (thin clients). Usually a thin client is a low-end computer terminal which only provides a graphical user interface (GUI) to the end-user. The operating system is loaded through the network and provided to the terminal, which will have available, for example, a browser or the login console of a Windows server.
⇒ Note: IPBrick must be working as a DHCP server in the network (and has to be the only DHCP server). The terminal server client receives from IPBrick the necessary information to boot from the network.


3.10.1 Configuration
First, you have to activate Terminal Server in IPBrick’s web interface. To proceed with this operation go to IPBrick.I - Terminal Server. To activate, click Modify and choose Yes.
After the activation, you may configure terminal server in these fields:

• Display [2 to 5]:

– Server Remote Desktop: The connection is made by the terminals to IPBrick. IPBrick is responsible for the connection with the Windows Server:
∗ Server: Address to connect by remote desktop;
∗ Domain: Indicate the Windows domain to connect to (ex: iportal2003).
– Terminal Remote Desktop: The connection to the server is directly made by the terminal:
∗ Server: IP Address of the server to connect by remote desktop;
∗ Domain: Indicate the Windows domain to connect to (ex: iportal2003).
– Mozilla-Firefox: Open a Firefox browser session;
– Telnet Session:
∗ Server: IP Address of the telnet server. It is possible to connect to another service by indicating a specific port. Syntax: ip_address:port;
– Linux Remote Desktop: Remote connection to a Linux machine;
– Others: It presents a command line.

• Keyboard model: It depends on the number of keys. These are the available
options:

– pc101;
– pc102;
– pc103;
– pc104;
– pc105.

• Keyboard layout:

– de: German;
– es: Spanish;
– fr: French;
– pt: Portuguese;
– us: English.


• Mouse protocol: Type of protocol used by the mouse in the client station;

• Mouse device: System Device that will be used (/dev/...);

• Mouse resolution: The Resolution mode used by the mouse;

• Mouse buttons: Number of mouse buttons;

• X Server: Specific commands to run the graphic environment. auto is the default mode;

• Printer [0...1] type: Sets the printer type you want to use;

• Printer [0...1] device: Specific device for the printer (/dev/...);

• Local Device [0...2]: Other devices you want to use (/dev/...);

• Mode [0...2]: Possible image resolutions:

– 1768x1024;
– 1024x768;
– 800x600;
– 640x480;

• Module 01...02: Makes possible the loading of two Kernel modules.

You can see a first configuration example in Figure 3.77 and Figure 3.78.

Boot and Operating System


If using thin clients, after the first terminal configuration here, IPBrick will need an LTSP boot system and an operating system. The boot system (kernel) will be loaded into the thin client's memory.

Boot Systems
To load boot systems (kernel), click on the kernel link (Figure 3.79). The following fields are displayed:
Boot system configuration:
• Description: Kernel text description;

• Boot loader: It will be selected later;

• Kernel: If you click Archive you should select the Kernel file from the above link.

In the next step you have to choose the boot loader. If the thin clients support PXE boot, choose the boot loader /pxelinux.0 (Figure 3.80).

Operating Systems
To load the Operating System, click OS in the top menu (Figure 3.81), and then click Insert to display the following options:


Figure 3.77: Terminal Server - General Configuration - 1/2

• Description: Description of the operating system;

• Operating system: If you click Archive you should select the OS version
to run.

The Kernel and Operating System files can be downloaded at our eshop:

http://eshop.ipbrick.com/eshop/

At: Downloads -> Software -> IPBrick Related Software -> IPBrick 5.x
(5.2, 5.1, 5.0.1, 5.0)

Note: You have to be registered at our eshop for the Download section to be
available.

For IPBrick 5.x you will need to download the following files:

ipbrick5-ltps5-kernel_1.0.tgz
ipbrick5-ltps5-OS_1.0.tgz

For older versions of IPBrick you need the files root.tgz (OS) and 2.6.9-ltsp-3.tgz (Boot system). A full configuration example to boot from a PXE thin client can be viewed at Figure 3.82.


Figure 3.78: Terminal Server - General Configuration - 2/2

Figure 3.79: Terminal Server - Boot System configuration

Machines

If the terminals are registered in IPBrick (IPBrick.I - Machines Management) you may personalize configurations for a terminal in the machines link (Figure 3.83) by selecting if the default options set in the top menu of configuration are going to be used.

After loading the boot system(s) and the operating system(s), you should click
Back and Terminal OS and choose the Kernel and the Operating System you want
to use.


Figure 3.80: Terminal Server - Boot Loader configuration

Figure 3.81: Terminal Server - Operating System

3.10.2 Client configuration


Figure 3.82: Terminal Server - Configuration for PXE boot

Figure 3.83: Terminal Server - Machines

To make the Terminal Server available to the clients, they must boot from the network. For example, if you use a Book PC, the machine should be booted and the BIOS accessed with the keys Shift + F10. The configuration should be as follows (it is possible to modify the values with the directional keys <- and ->):

Network Boot Protocol : PXE
Boot Order : Int 19h
Show Config Message : Enable
Show Message Time : 3 Seconds

After this configuration, an orange window appears with this message:

Always boot network first, the local devices.

After making these changes you have to confirm them by pressing the F4 key. This procedure makes sure that the client machine will boot from the network. After the client machine reboots, it will boot through IPBrick.
Note: If the login screen of the Linux graphic interface appears after booting, you have to restart X Server with the keys [CTRL] + [ALT] + [BACKSPACE]. If the same window appears even after the restart, it is possible to validate with user ltsp and password ltsp.

Several screens may be active for the same client (depending on what was set
in the Number of Displays field of IPBrick). Browsing across screens can be made
with these key combinations: [CTRL] + [ALT] + [F2] for screen 1, [CTRL] +
[ALT] + [F3] for the screen 2, and so on.


Chapter 4

IPBrick.C

This chapter describes the IPBRICK menus used to manage the main communication services between your organization and the Internet. The IPBrick.C menu, like the IPBrick.I menu, is a functional configuration menu. The IPBRICK Administrator ’says’ what he wants and the software makes the configurations accordingly and maintains their consistency. This chapter is divided into the following sections:

• Firewall;

• Proxy;

• VPN;

• E-Mail;

• SMS;

• Web Server;

• FTP Server;

• Webmail;

• VoIP;

• IM.

4.1 Firewall
Note: Any rule change made to the firewall implies its reactivation. Even if the firewall has been explicitly stopped, a change in one of its rules implies the restart of the firewall.


4.1.1 Available Services


IPBRICK firewall is controlled by a user-friendly interface that permits, based
upon a list of rules and other criteria, to deny unauthorized access while accepting
authorized communications. Traffic to or from any of the more common services
accessed via Internet, listed below, is supervised by the firewall and configured in
a simple way, by just activating or deactivating the service. For more in depth
changes please access the Advanced Configurations menu.
These are the services:

• Web Server;

• E-mail server;

• SSH;

• FTP.

The list, Firewall -> Available Services (Figure 4.1), indicates the service status - whether the firewall is configured to let that service work (Active) or it is configured to block those service ports (Inactive).

Note that defining a service as active here neither starts nor stops the service. The single change implemented in the Apply Configurations option will only affect the firewall service (it stops, is reconfigured and then restarts). In other words, here you can only configure the firewall to open or to shut the Internet port for a defined service (whether the service is working is a separate configuration, outside this section).

Figure 4.1: Firewall - Available Services


4.1.2 Block Services


As in the situation mentioned before, the option to block services only switches between Enable (unlocked) and Disable (locked) for the normal operation of the MSN, ICQ and mIRC services, so LAN users may or may not have Internet access to those services (Figure 4.2). For MSN Messenger it’s possible to make exceptions for some specific IPs or subnets. In the example at Figure 4.3 the machine 192.168.1.150 and machines from 192.168.1.96 to 192.168.1.110 will have MSN access.

Figure 4.2: Firewall - Block Services

Figure 4.3: Firewall - MSN Exceptions

4.2 Proxy
The proxy service acts as an intermediary for requests from clients seeking resources in other servers. A client connects to the proxy, requesting a file, a web page or any other resource. A proxy is commonly used as a way to achieve better network management; it caches web pages, providing better bandwidth management, and enforces an access policy to network services or content, e.g. to block undesired sites, to customize web access, etc.

The software that implements the IPBrick proxy service is named squid and runs on port 3128.
The section is subdivided into three parts, namely:

• Configuration;


• Statistics;

• Kaspersky Proxy.

4.2.1 Configuration
The main proxy configuration presented (Figure 4.4) determines the normal operation of the Internet browsers. Therefore it is advisable to define each Proxy type first:

Figure 4.4: Proxy - Configuration

1. Standard Proxy: It is not obligatory to use the proxy to access the Internet. The proxy is only used by those who configure the browser to use the proxy on IPBRICK port 3128. Users without any additional browser configurations continue to access the Internet without any problems. The web accesses are registered by IP for statistical purposes.

2. Transparent Proxy: Every Internet access is done through the proxy. The firewall has to be activated. Users may configure their browsers to use the indicated proxy. They may also continue to access the Internet without any proxy configurations in their browsers. Here the firewall routes the traffic to the proxy. The web accesses are registered by IP for statistical purposes.

3. Proxy with Authentication: Internet access is only possible by using this proxy. In order to have access to the web, users have to configure their browser with this proxy. Once the browsers are configured, a valid authentication is asked whenever a user opens the browser. The user authentication is done by login and password. The firewall has to be activated. All web accesses are registered for each user purely for statistical purposes (NOTE: You have to select this option, if you want to create access permissions by using LDAP users and groups).

Configurations
Link to the proxy rules settings. This interface (Figure 4.5) has the following
options:


• Source groups list: Sets an origin group with access to proxy. After this group creation, the accesses can be set by: Machine group, Machine, IP Subnets, IP Machines and IP ranges. By default IPBrick has a LAN group with its own defined IP Subnet.

• Destination groups list: Sets destination groups (Web servers). You can set Domains, Extensions or Words in the URL for each created destination group. By default the created group is named INVALID;

• Blacklists: Displays the set of blacklists that were configured at Other configurations;

• List of time spaces: Sets specific periods based on hours and week days;

• Access Lists: Sets access permissions from the created origin and desti-
nation groups, as well as defined blacklists and periods. For instance, you
can set that all destinations can be accessed by the LAN group, with the
exception of INVALID destination group and blacklist porn, in an undefined
period (always).

Figure 4.5: Proxy - Rules 1/2


Figure 4.6: Proxy - Rules 2/2

Source groups list

To modify the LAN group you just have to click on the name. You can insert a new origin group by clicking the Insert link.

Settings:

• Machine groups: You can associate to this group an existing machine group;

• Machines: Lists the machines that are registered in IPBrick and provides
direct association to the origin group;

• IP subnets: Provides subnets association, defining the network IP and its
mask;

• IP machines: Provides machine association to the group by IP;

• IP ranges: You can set IP ranges with proxy access.

By default the proxy has a source group called LAN where only the IP Subnet
is used (Figure 4.7).


Figure 4.7: Proxy - Source groups

If you choose the proxy with authentication mode, it's possible to filter
web accesses not only by the machines' IP but also using LDAP. In Figure 4.8 we
can see an example of a source group represented only by an LDAP group.

Figure 4.8: Proxy - Source groups - LDAP filter

Destination groups
Destination groups (Figure 4.9) are groups of web content (e.g. domains, file
extensions, etc.) that will be defined to be blocked or allowed. These destinations
are configurable by:


• Domains: You may configure access by FQDN¹, by domain or by TLD²,
adding one record per line. Some possible denial examples:

FQDN example:
www.sapo.pt
www.marca.es

Domain example:
sapo.pt
marca.es

TLD example:
pt
es

• Extensions: To prevent the download of certain files through web pages, you
need to deny access to their file extensions. The following example blocks
the download of three file extensions.

Example of extensions denial:

mp3
mov
mpg

• Words in URL: In this field you can deny access to pages that contain
certain words after the domain (after the slash). An example for two words:

Denial example for word in the URL:

video
jokes

The following sites would be denied:

http://www.mtv.com/music/video/
http://en.wikipedia.org/wiki/Video
http://kids.yahoo.com/jokes

¹ Fully Qualified Domain Name
² Top Level Domains


Figure 4.9: Proxy - Destination groups

List of time spaces


This option lets you specify periods to be used afterwards in Access Lists. These
periods can be week days or hours.

Access Lists
IPBrick already has a pre-configured access list that specifies the following:
attempts to access sites made from the LAN origin group, aimed at sites that are
neither in the destination group INVALID nor in the porn blacklist, are accepted
in an undefined period (24 hours). Because no other lines are created, everything
else is blocked (Figure 4.10).

Access lists have the following structure:

• Source: Identification of the origin group that is governed by the rule (i.e.:
a group of users or a list of machines by IP);

• Destination: Identification of the Destination Groups that are governed by
the rule (i.e.: name of the configured group of sites, domains, file extensions
and words in a URL);

– Available Groups: For the created destination groups you can enforce
a certain set of rules:
∗ ONLY ON - Access is granted exclusively to the contents included
in a given destination group, access to any other web content is
denied;
∗ NOT IN - Access is denied to that designated destination group;
∗ ALLOW IN - This is used in special cases, for example, you can
authorize an exception to a blacklisted word that you may find in
a site or any other content that has no inappropriate content (e.g.
the site www.testdomain.com is in a blacklist named "gambling", and
this blacklist is active. Even so, you can create an exception to
that blacklist by creating a destination group called, for example,
"BLBYPASS" and typing in Domains the URL www.testdomain.com);
– Blacklists: Lets you select which blacklists are going to be activated
(e.g.: If the porn list is selected, all sites that are out of the porn list
can be accessed).
• Period: The time period (already inserted) in which the rule is active;
• Policy: This is not configurable; the value is always to deny all that is not
set in the access lists.

Access lists should be ordered by rules from generic to specific. The generic
rules should be placed at the top and more specific rules should be placed at the
bottom (as in the firewall case). If there are several access lists you can order them
by clicking on Order by.

Figure 4.10: Proxy - Access Lists
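The destination group records (Domains, Extensions, Words in URL) and the access list options described above (NOT IN, ONLY ON, ALLOW IN, blacklists, fixed deny policy) can be modelled to predict which URLs a configuration will block before it is deployed. This is an added example, not IPBrick code: the class names, the 192.168.2.0/24 LAN subnet, the single gambling blacklist entry and the matching details (suffix match for domains, case-insensitive words, one access list line with an undefined period) are assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit


@dataclass
class DestinationGroup:
    """Destination group: Domains, Extensions and Words in URL, one record each."""
    name: str
    domains: list = field(default_factory=list)
    extensions: list = field(default_factory=list)
    words: list = field(default_factory=list)

    def matches(self, url: str) -> bool:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        path = parts.path.lower()
        after_domain = (parts.path + "?" + parts.query).lower()
        # Suffix match on a label boundary covers the FQDN (www.sapo.pt),
        # domain (sapo.pt) and TLD (pt) record styles with one rule (assumption).
        for record in self.domains:
            record = record.lower()
            if host == record or host.endswith("." + record):
                return True
        if any(path.endswith("." + ext.lower()) for ext in self.extensions):
            return True
        # Words are searched only after the domain, ignoring case (assumption
        # drawn from the "Video" sample URL in the text).
        return any(word.lower() in after_domain for word in self.words)


@dataclass
class AccessList:
    """One access list line with an undefined period (always active)."""
    source_subnets: list                             # source group, IP subnets only
    not_in: list = field(default_factory=list)       # NOT IN destination groups
    only_on: list = field(default_factory=list)      # ONLY ON destination groups
    allow_in: list = field(default_factory=list)     # ALLOW IN exceptions
    blacklists: list = field(default_factory=list)   # active blacklists

    def decide(self, client_ip: str, url: str) -> str:
        client = ip_address(client_ip)
        if not any(client in ip_network(net) for net in self.source_subnets):
            return "deny"  # fixed policy: what no access list covers is denied
        if any(group.matches(url) for group in self.not_in):
            return "deny"
        if self.only_on and not any(g.matches(url) for g in self.only_on):
            return "deny"
        blacklisted = any(bl.matches(url) for bl in self.blacklists)
        excepted = any(g.matches(url) for g in self.allow_in)
        return "deny" if blacklisted and not excepted else "accept"


# Constructed sample data reusing the record examples from the text.
INVALID = DestinationGroup("INVALID", domains=["marca.es"],
                           extensions=["mp3", "mov", "mpg"],
                           words=["video", "jokes"])
GAMBLING = DestinationGroup("gambling", domains=["www.testdomain.com"])
BLBYPASS = DestinationGroup("BLBYPASS", domains=["www.testdomain.com"])
LAN_RULE = AccessList(source_subnets=["192.168.2.0/24"], not_in=[INVALID],
                      allow_in=[BLBYPASS], blacklists=[GAMBLING])

if __name__ == "__main__":
    for sample in ("http://www.mtv.com/music/video/",
                   "http://en.wikipedia.org/wiki/Video",
                   "http://kids.yahoo.com/jokes",
                   "http://example.org/files/song.mp3",
                   "http://video.example.org/",
                   "http://www.testdomain.com/"):
        print(LAN_RULE.decide("192.168.2.10", sample), sample)
```

Running the sample shows the Wikipedia "Video" article being denied by the word record video, the kind of over-blocking worth checking for before a word list goes live.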

Remote Proxy
In this option you can indicate a list of remote proxy servers. These servers
should provide web access because they usually have a huge cache, increasing the
speed of web access (Figure 4.11).

• List of remote proxy servers: You can use several web proxies and then
order that list;
• Dont use remote proxy for the following sites: If you don’t want to
use remote proxy for certain sites, you must indicate them here.


Figure 4.11: Proxy - Remote Proxy

Other configurations
Redirect page in case of denied access
If the access for some site is blocked, the user can be automatically redirected
to the web site configured at URL address;
Blacklists
In this context, blacklists are set as site lists organized by several categories
that are considered inconvenient. You can find here the following options (Figure
4.12):

• Url for update: That URL provides a default blacklist base file that is au-
tomatically decompressed by IPBrick. Each category will have a list of sites
that is automatically updated, but it's possible to run an update by clicking on
Update. The proxy service can use other blacklist bases, some with other cat-
egories. Some blacklists can be found here: http://www.squidguard.org/blacklists.html.

• Current file MD5SUM: MD5 Hash of the file if it’s calculated. It lets you
check file integrity;

• Available categories: Categories list present in that compilation (usually
they are considered unsuited to LAN use)

– ads: List of advertisement sites;
– aggressive: List of violent content sites;
– audio-video: List of music and video content sites;
– drugs: List of drug related content sites;
– gambling: List of gambling sites;
– hacking: List of hacking sites;
– mail: List of sites that provide free webmail services;
– phishing: List of sites about phishing;
– porn: List of sites with pornographic content;
– proxy: List of sites that provide anonymous proxy service;
– warez: List of sites with pirate software content.

Content access management


Sets the number of simultaneous filtering processes that depends on the ma-
chine performance and the present CPU load. The default is five processes.

Proxy cache options

• Cache enabled: Activates the Proxy cache service. If the cache is activated,
every page accessed by the origin groups is stored in the server. Example:
If the page www.google.com is in the cache, the browser will only access
IPBrick, instead of accessing the google web server, providing better
bandwidth management.

• Cache size: Maximum cache size. If the limit is reached, the older cache
files are removed.

• Cache location: The default is the /var partition. If you choose a big
cache size it’s a good option to choose the /home1 or /home2 partition.

Allowed connections
This list presents all the ports that are accepted by the proxy. All traffic coming
from LAN machines with destination ports on the Internet listed here will match
the ACLs defined in the proxy. You can configure which ports are accepted or not
by the proxy with the Remove and Add options.
Ignore rules for the following destinations
In this section we can define whitelists for any destinations, including domains
and networks. For those destinations no proxy ACLs will be matched.
All these settings can be viewed in Figure 4.12 and Figure 4.13.


Figure 4.12: Proxy - Other configurations 1/2

Figure 4.13: Proxy - Other configurations 1/2

4.2.2 Statistics
Advanced Web Statistics is the software that generates several important statis-
tics for the network administrator, like detailed cache statistics, accesses (Figure
4.14).

There are different statistics types:

• Global statistics: Global network statistics;
• Statistics by machine: You have to select the machine you want from a
list of LAN machines. The purpose is to give individual statistics for each
machine;
• User statistics: If the proxy configuration has authentication, a user list is
displayed here. You have to select the user from this list to have their
individual statistics.

Figure 4.14: Proxy - Statistics

4.2.3 Kaspersky Proxy


In this section you may activate the Kaspersky license for the proxy. With this
procedure all the web accesses made from the browser are filtered by the Anti-Virus
that is running on the proxy to provide an effective protection against Trojans,
Spyware, Dialers, etc.
After inserting the license, the interface displays the following links (Figure
4.15):

• Update: After the license expiration you should renew with a new license
file;

• Delete: Removes the license;

• Configure: It provides you a general Anti-Virus configuration option;

• Statistics: Interface with specific statistics about proxy Anti-Virus.


Figure 4.15: Proxy - Kaspersky - Licence

Configure

General settings:

• Notify from the address: Sender that will make the notifications;

• Notify to the address: Email address that will receive notifications.

Object settings:

• Objects to analyse:

– Compressed files;

– Archives;

– Mail databases;

– Plain mail format.

Scan settings:

• Cure: If activated, detected viruses will be automatically removed;

• Use heuristic: If activated, viruses can be detected through the analysis of
code with characteristics and behavior similar to a virus.

To modify these configurations (Figure 4.16) you need to click Modify.


Figure 4.16: Proxy - Kaspersky - General Settings

Statistics

Several statistics are displayed in this interface:

• Virus Statistics in period: Options for displaying the graphic shown in Virus
Statistics:

– Start: The starting date for statistics;

– View: Can be set in hours, days, months or years;

– Repetition: Scale of the graphic horizontal axis;

– Group: It enables you to group data, depending on the chosen view;

• Virus statistics: The display can be filtered by: Infected files or pro-
tected;

• Virus list: Can be organized by Virus name/Number of occurrences.

An example can be viewed at Figure 4.17


Figure 4.17: Proxy - Kaspersky - Statistics

4.2.4 Auto Discovery


It's possible to configure the proxy via a wpad file. You can add exceptions
that will not use the proxy when accessing a particular domain, network or
word in URL. For each there is a dedicated Modify link.

Figure 4.18: Proxy - Autodiscovery


If you click on Modify for Domains you will open a new page where you may
type the domains that should ignore the proxy. Please type one per line.

Figure 4.19: Proxy - Autodiscovery - Domains

If you click on Modify for Networks you will open a new page where you may
type the network IPs that should ignore the proxy. Please type one per
line.

Figure 4.20: Proxy - Autodiscovery - Networks

If you click on Modify for Words in URL you will open a new page where you
may type the words contained in the URL that should ignore the proxy.
Please type just one word per line.


Figure 4.21: Proxy - Autodiscovery Words in URL

When you click on the Modify button you will be able to visualize the imple-
mented changes at the initial page. To edit the settings, just click again on the
corresponding Modify link.

Figure 4.22: Proxy - Autodiscovery - Changes

4.3 VPN
VPN³ is a way of extending any network by providing a remote access (usually
via Internet) to a network's resources.

4.3.1 PPTP
A PPTP⁴ VPN type works by providing a PPP session with the recipient
through the tunneling GRE protocol. It needs another network connection to
start and manage the PPP session, which runs on port 1723 TCP. In IPBrick's case, you
have to indicate which users can access VPN-PPTP connections, as well as
the address range that will be used by clients.

Configurations
The Configurations link gives you access to a form where you define the range
of IP addresses chosen for VPN connections. Remote clients will get an IP in this
group when they make an IPBRICK connection. It is as if they were connected
to the network server with an IP from this range. The user list shown on the left
side in Figure 4.23 presents the selected VPN users. On the right side you find
the users registered in IPBRICK.

Figure 4.23: VPN - PPTP - Users

³ Virtual Private Networks
⁴ Point-to-Point Tunneling Protocol

Access log
The access log option permits the visualization of all PPTP accesses. It’s
possible to filter by:

• IP;

• User;

• Notes:

– Connected;
– Disconnected;
– Wrong password;
– Illegal user;
– Locked;
– Timeout.

• Date;

Options available:

• Clean filters: Will clean all the chosen filters;

• Export PDF: Exports all the information to a .pdf;

• Back: Go back to the top menu;


4.3.2 SSL
A VPN-SSL uses the SSL encryption protocol to ensure data privacy and in-
tegrity between the two parties because the protocol provides data encryption and
authentication. SSL is based on the TCP protocol and uses the Public key cryptogra-
phy concept (introduced by Diffie and Hellman in the 1970s).

This concept specifies that each party has a Private Key and a Public Key that
can be distributed to people that want to have encrypted communication. Data
encrypted with the Public Key can only be decrypted by the corresponding Private
Key. Data encrypted with the Private Key can only be decrypted by the correspond-
ing Public Key.

After clicking on SSL, the list of VPN SSL servers is shown. To configure the
tunnel you must click on it (Figure 4.24).

Figure 4.24: VPN - SSL Settings

Definitions In this section you can configure the definitions of the VPN-SSL
network.

• Name/IP: Name or public IP address of the network;

• Port: The port of the VPN server. The default for SSL is 1194;

• Protocol: The transport protocol used in the communication. TCP is more
reliable but will add an extra overhead;

• VPN Network: The IP network which will be given to the clients. When a
user connects to this vpn server, he will get an IP address in this IP network.
This network should be different from any other IP network in the company;

• Domain: The domain offered to the clients;


• DNS Servers: The DNS server passed to the clients;

• NetBios Servers: The netbios server passed to the clients;

• Routes for clients: Sets all the networks that client must have access
through the tunnel.

NOTE: If you want to use a VPN SSL and use the same email client with
the internal mail server configurations, you need to add the VPN Network to the
Relay networks definitions at the Email option;

Certificates After the Definitions configuration it's necessary to create SSL dig-
ital certificates. A digital certificate has the following information:

• Identification of the titular entity;

• Public Key for the titular entity;

• Serial number Certificate;

• Valid date Certificate;

• Identification of the Certifying Authority (The Certificate issuing entity);

• Digital signature of the Certifying Authority.

A Digital Certificate will be generated for the server and for each of the clients
using the VPN SSL connection. Clicking on Insert will start the generation of
the server's Certificate. You will then have to insert data in the following fields:

• Country Code;

• Country;

• City;

• Company;

• Name: Certificate name;

• Email: Company’s email.

The next certificates are for the clients, and the following fields must be
filled in (Figure 4.25):

• Name: Certificate name. Normally the single name of the person/entity that
will connect;

• E-Mail: Client e-mail address;

• Password: A password (PSK) with six characters minimum;

• Associated access policies: The specific client certificate can be associated to
a policy, so we can control to what LAN machines the client will have access
to. If none, access will be granted to all the defined network routes.

Figure 4.25: VPN SSL - Client certificate configuration

Afterwards, it is necessary to download the certificate and send it to the cus-
tomer who shall establish the VPN connection. The .zip file contains:

• Server public key: ca-server-domain.crt;

• Client private key: certificate_name.key;

• Client public key: certificate_name.crt;

• VPN configuration: certificate_name.ovpn;

Client
On the client side you have to install the specific software to create the VPN
SSL connection: OpenVPN⁵. Then you must uncompress the certificate file to a
new directory in
c:\Program Files\OpenVPN\config.
To start the VPN connection you have to right-click on the OpenVPN icon located in the
tool bar, choose the connection you want and click Connect.

The option Delete All should only be used to restart the whole process.

⁵ Software: openvpn.net — Windows GUI: openvpn.se


State
This interface shows you the active tunnels and their respective traffic, users
and IP.

After configuring this service you have to activate it in section Advanced
Configurations -> System -> Services. The procedure to configure the VPN client
is described in detail at Appendix C - Chapter 11.

Access policies
At main menu of SSL it’s possible to create two types of access policies (Figure
4.26):

• Permission policies: Making a certificate association to a permission policy
will give permission only to the configured destinations;

• Restriction policies: Making a certificate association to a restriction policy
will give permission to all except the configured destinations;

After clicking on Insert and choosing the name, clicking on it will open a
window where it's possible to choose the destinations (Figure 4.27). The destination
options include:

• Machine groups;

• Machines;

• IP Subnets;

• IP Machines;

• IP Ranges.

Figure 4.26: VPN SSL - Access policies list


Figure 4.27: VPN SSL - Access policy configuration

Access log
The access log option permits the visualization of all VPN-SSL accesses. It’s
possible to filter by:

• IP;

• User;

• Notes:

– Connected;
– Terminated/Timeout;
– Blocked.

• Date;

Options available:

• Clean filters: Will clean all the chosen filters;

• Export PDF: Exports all the information to a .pdf;

• Back: Go back to the top menu;


4.3.3 IPSec
IPSec (IP security) technology is a suite of protocols that ensures confiden-
tiality, integrity and authenticity to data transmission on an IP network. SSL
protocol works at the transport layer level - IPSec operates at the network layer
and consequently provides data encryption in this level.

VPN through PPTP or SSL provides a connection between a defined machine
and the network (road warrior type). VPN IPSec, on the contrary, allows two net-
works to communicate permanently and in a transparent way (LAN to LAN type).
This is accomplished with an IPSec tunnel configured between two IPBricks or between
an IPBrick and a router, providing full configuration transparency to users from
the two networks.

Example: network 192.168.2.0 belongs to the Company X headquarters
in Oporto, Portugal, and network 192.168.4.0 belongs to its branch office located
in Japan. Both networks need an Internet connection so that their machines can
communicate through a VPN IPSec tunnel. With this
feature two networks can behave as if they were one.

To configure a VPN connection between two networks you need to have the
appropriate configuration for the IPSec tunnel on both the origin and the
destination IPBrick.

The main menu presents the configured IPSec tunnels. To insert a new IPSec
tunnel click Insert. In that page we are going to configure the IPSec connection
(as you may see in Figure 4.28). The following data is necessary:

• General settings

– Name: VPN IPSec name;
– Description: Description of the IPSec connection;
– State: VPN IPSec state - enable or disable;

• Local Network Definitions

– Local IP: IPBrick external interface address (eth1);
– Local network: Local network address and respective IPBrick network
mask;
– Local Gateway: Router internal interface address;
– Local Identification: Identification field. You can use the public
network IP or, if the network doesn't have a fixed public IP, a dynamic
DNS address;
– Server IP in local network: IPBrick internal interface address (eth0).

• Remote network definitions

– Remote IP: Remote public address;
– Remote network: Remote network address and mask;
– Remote Gateway: Remote network router internal interface address
(this field is not mandatory);
– Remote identifier: Remote identification field (this field is not
mandatory);

• Keys Management

– Password: A Pre-Shared Key is a shared key that the VPN service
expects as a first credential (before username and password). In order
that the VPN server allows the authentication process to continue, it is
necessary to pass the correct PSK;
– Type: IPSec supplies two operation methods specified in this field,
which are Tunnel (where the original IP packet is encrypted) and
Transport (the data (payload) is encrypted, but the original IP header is
not changed);
– IKE Encryption: IKE stands for Internet Key Exchange, a protocol
used to set up a security association (SA) in the IPsec protocol. By
default Auto-negotiation.
– Authentication: IPSec adds two extra headers to the IP packet -
AH and ESP. The AH (Authentication Header) ensures integrity and
authenticity, but not confidentiality. ESP provides data integrity,
authenticity and confidentiality;
– ESP Encryption: ESP stands for Encapsulating Security Payload, it
provides origin authenticity, integrity, and confidentiality protection of
packets. By default Auto-negotiation.
– PFS⁶: Allows the PFS protocol, which adds additional security in the key
exchange;
– Start: Only automatic is available.

Router configuration
In case of a VPN IPSec not between two IPBricks but between an IPBrick and
a router, at the router side it's important to know all parameters used by the
IPBrick that are transparent to the web interface. Here are the most important
ones:

• Negotiation key protocol: IKE;

• Negotiation mode: Normal;

• Phase 1 encryption Algorithm: 3DES;

• Phase 1 authentication Algorithm: MD5;

• Phase 2 encryption Algorithm: 3DES;

• Phase 2 authentication Algorithm: SHA1;

• Key Group: DH2;

Figure 4.28: VPN - IPSec Configuration 1/2

Figure 4.29: VPN - IPSec Configuration 2/2

⁶ Perfect Forward Secrecy

⇒ Note: Before configuring a VPN connection, PPTP, IPSec or SSL, you
have to know what is the addressing system used by the local network where the
client connects and what is the destination's network addressing system. If the
addressing systems in both networks are exactly the same, the VPN connection
will not be possible.
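The addressing check in the note above, together with the earlier requirement that the SSL VPN Network differs from any other company network, can be run before a tunnel is configured. This is an added example, not part of IPBrick: the function name and the /24, /16 and /8 masks are assumptions (the text gives only 192.168.2.0 and 192.168.4.0), and it goes beyond the identical-network case by also flagging partial overlaps, where addresses in the shared range become ambiguous.

```python
from ipaddress import ip_network


def check_vpn_addressing(client_lan, remote_networks, vpn_network=None):
    """Return a list of addressing conflicts for a planned VPN.

    client_lan       network the connecting side sits in (CIDR string)
    remote_networks  networks reached through the tunnel (routes for clients,
                     or the remote network of a LAN to LAN tunnel)
    vpn_network      address pool handed to clients (PPTP range or SSL
                     "VPN Network"); None for LAN to LAN tunnels
    """
    # strict=True rejects entries such as 192.168.2.1/24 (host bits set),
    # which usually means the mask or the address was mistyped.
    local = ip_network(client_lan, strict=True)
    pool = ip_network(vpn_network, strict=True) if vpn_network else None
    problems = []
    for cidr in remote_networks:
        remote = ip_network(cidr, strict=True)
        # overlaps() is true for identical networks and for containment.
        if local.overlaps(remote):
            problems.append(f"client network {local} overlaps remote network {remote}")
        if pool is not None and pool.overlaps(remote):
            problems.append(f"VPN network {pool} overlaps remote network {remote}")
    if pool is not None and pool.overlaps(local):
        problems.append(f"VPN network {pool} overlaps client network {local}")
    return problems


if __name__ == "__main__":
    # Constructed scenarios; masks are assumed.
    scenarios = {
        "headquarters to branch (LAN to LAN)":
            ("192.168.2.0/24", ["192.168.4.0/24"], None),
        "road warrior on a home LAN equal to the company LAN":
            ("192.168.1.0/24", ["192.168.1.0/24"], "10.8.0.0/24"),
        "VPN Network taken from inside the company range":
            ("192.168.1.0/24", ["10.0.0.0/8"], "10.8.0.0/24"),
    }
    for title, args in scenarios.items():
        found = check_vpn_addressing(*args)
        print(title, "->", found or "no conflict")
```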

4.3.4 GRE
The GRE⁷ protocol was developed by Cisco to encapsulate a wide variety of
network layer protocols inside a specific IP tunnel. So the main idea was to create
a link between Cisco routers, so two networks can stay interconnected (company
headquarters and branches for example). Nowadays the GRE protocol is supported
by Linux, so with GRE active on IPBrick, it's possible to create tunnels between
IPBricks or between IPBricks and Cisco routers.

To set up a new GRE tunnel click Insert. The following options are available:

• General settings

– Name: GRE tunnel name;
– Description: Description of the GRE connection;
– State: GRE state - enable or disable.

• Local Network Definitions

– Local IP: IPBrick external interface address (eth1);
– Server IP in local network: IPBrick internal interface address (eth0).

• Remote network definitions

– Remote IP: Remote IP address. Normally a public one because the
tunnel is being established over the Internet;
– Remote subnet: Remote network address and mask;

A configuration example is shown at Figure 4.35


NOTE: When configuring a GRE tunnel between an IPBrick and a Cisco
router, the Server IP in local network may need to be the local IP address
of a GRE tunnel network, e.g.: GRE tunnel with specific network 10.0.0.0/24.
IPBrick will have IP 10.0.0.1 and Cisco IP 10.0.0.2.

4.3.5 VPC
Amazon Virtual Private Cloud (VPC) is a cloud computing service providing
a virtual private cloud over an IPsec based virtual private network.

The Amazon VPC lets you prepare an isolated section of the Amazon Web
Services (AWS) Cloud, where you may use its resources and have control over
your virtual network, including your own IP range, subnets, and also configure
route tables and network gateways, extending your data center into a cloud.

Figure 4.30: VPN - GRE Configuration

⁷ Generic Routing Encapsulation

To use this feature you will have to register and request the Amazon Web Ser-
vices VPC.

For more information please access:

http://aws.amazon.com/vpc/

General settings
• Name: Name your VPC
• Description: Type a brief description of your VPC, merely as a reference
• State: Enable or disable your VPC. By default it’s Enabled.

Internet Key Exchange Configuration


Internet Key Exchange (IKE or IKEv2) is used to configure a security associ-
ation (SA) in IPsec.

NOTE: Only the Pre-shared key field is editable.


• Pre-shared key: Type the pre-shared key that Amazon has provided you.

IPSec Configuration
At the IPsec configuration there are no editable fields.


Figure 4.31: VPC - General Configurations

Figure 4.32: VPC - Internet Key Exchange Configuration

Tunnel interface configuration


As the name suggests, here you may configure your VPN tunnel by filling the
following fields with the necessary data:

• Outside IP address of the customer gateway: Type the appropriate IP;

• Outside IP address of the VPN gateway: Type the appropriate IP;

• Inside IP address of the customer gateway: Type the appropriate IP;

• Inside IP address of the VPN gateway: Type the appropriate IP;

• VPC subnet: Type the value for your VPC subnet. You may insert more
subnets by clicking on the Add button.

Figure 4.33: VPC - IPsec Configuration

Figure 4.34: VPC - Tunnel interface configuration

Border Gateway Protocol (BGP) configuration


Border Gateway Protocol (BGP) is a protocol used to make routing decisions
on the Internet.
These routing decisions are based on path, network policies and/or rule-sets.
For this reason bear in mind your Amazon routing definitions.

• Customer Gateway ASN: Your customer's ASN (Access Service Network)
Gateway. By default 65000.

• VPN Gateway ASN: Your Gateway ASN. By default 7224.

• Neighbor IP Address: Insert here your neighbor's IP.

• Neighbor Hold Time: Non editable. Set to 30 seconds.

Figure 4.35: VPC - BGP configuration

When you have finished inserting all necessary data please click on the Insert
button at the bottom of the page.


4.4 E-mail
This E-mail section is repeated in both IPBrick.I and .C modules. IPBrick.I
provides Intranet services: Base Configuration, Queue Management, User Man-
agement, Distribution Lists and Kaspersky Anti-Virus and Anti-Spam. IPBrick.C
provides additional services:

• Advanced relay;

• Get Mail from ISP;

• Mail copy.

4.4.1 Advanced relay


The advanced relay option makes possible to forward emails based on non-
existent recipients and also to forward all the mail that comes to a domain. This
last feature is also known as catchall (Figure 4.36).
Relay definitions:

• Email/Domain

– Email: Insert an invalid recipient that doesn't have any LDAP account
created and the desired internal domain;
– Domain: Choose each domain for which you want to relay all the messages
(catchall option);

• Relay to: Destination email. Can be an internal or external destination;

Figure 4.36: E-Mail - Advanced relay

4.4.2 Get Mail from ISP


If company mails are not delivered to an internal firm server, being therefore
only available via POP⁸, you can configure IPBRICK to download these
mails from the ISP⁹ periodically to a local server. Once they are on this local
server, the mails are associated with the previously configured accounts.
In this way you can configure a server for internal e-mails, even if you only have
one, to automate and centralize all firm e-mails (from the Internet and internal).

⁸ Post Office Protocol: Used to access inboxes and transfer mails.
⁹ Internet Service Provider

This feature normally called fetchmail is useful when the MX from the enter-
prise domain points to another server.

Figure 4.37: E-Mail - Get Mail from ISP - Base menu

Click on Insert (Figure 4.37) to configure an external server that you want to
connect to in order to download email and deliver it to the local server. You have to insert
data in the following fields:
• Server: Server identification. It could be FQDN and IP address;
• Protocol: Protocol that is used by the server - POP3 or IMAP;
• Remote domains: Domains that deliver email to the server. It is commonly
used in volume email boxes.
To access server definitions, you must click on its name (Figure 4.37):
• Modify: To change the account data;
• Delete: Deletes the selected account;
• Back: Goes back to email servers list.
To access the management interface of remote mailboxes, you must click insert
and fill in the following fields (Figure 4.39):
1. Mailbox type: Select individual mailbox or volume box. A volume mailbox
refers to boxes that are not assigned externally to any user, so all mail to all
users is delivered in just one public mailbox. In that fetchmail case, IPBrick
will get all mail and analyse the To field, delivering mail to the respective
local mailboxes;
2. Login: Username used to access the remote email box;
3. Password: Needed to validate login;
4. Retype password: Confirm the previous password;
5. Local server email: If the individual mailbox is chosen, this field is the
local email account where the downloaded emails will be delivered;
6. Drop ’Delivered-To’: If the email address in ISP is the same as the email
address in local server, this field must be active.


Figure 4.38: E-Mail - Get mail from ISP - Servers Management

Figure 4.39: E-Mail - Get mail from ISP - Add Account

4.4.3 Mail Copy


This feature (Figure 4.40) aims to save all the incoming and outgoing email
messages in two accounts: sentmail and receivedmail.

Figure 4.40: E-Mail - Mail copy

Note: Pay attention to the management of these Mail Copies, especially on
sites with a lot of e-mail traffic. It is very important to monitor the server
hard drive space they occupy. These e-mail inboxes may quickly reach the full
size of the partition. When they do, they may interfere with other server
applications, and those responsible for these e-mail inboxes will at a certain
stage lose a series of mails because no copy could be made.
When you activate this service (Yes) the mails are copied to the corresponding
account, that is:

1. Sent: YES, all mails that get through this SMTP server and whose sender
is from the server domain(s) will be copied to the Sent Mails local account;

2. Received: YES, all mails that get through this SMTP server and whose
sender is not from the server domain(s) will be copied to the Received Mails
local account.

When you activate the option (Yes) the system shows the Delete Automatically
the Copies field, which defines whether the mail copies stored on the server
are to be deleted or not. The Delete Copies With More Than field specifies the
number of days after which mail copies are deleted from the server.

4.5 SMS
IPBrick now provides SMS [10] functionality to send SMS using a specific
account at Ficom or Vipvoz, or using an IPBrick GSM gateway. The idea is to
send one or multiple SMS using an email client and a special FQDN created just
for that purpose, so the method can be called Mail2SMS.
Important Note: The GSM Gateway route has only been tested with IPBrick GSM
Gateways. Therefore, we do not guarantee that the feature will be operational
if you use another manufacturer’s gateway.

4.5.1 Configure
In the web interface, go to IPBrick.GT -> SMS

Click on Modify; choosing Yes then enables the service configuration. In the
Mail2SMS definitions, define the specific domain to use for SMS sending.
Normally this FQDN is used: sms.domain.com, replacing domain.com with the
actual IPBrick domain (Figure 4.41).

In IPBrick.GT -> SMS -> SMS Users, you can control users’ access to the
Mail2SMS service.

Click on Modify and a list with all IPBrick users will appear (Figure 4.42).
You can now check the ones you wish to grant access to this feature.
[10] Short message service


Figure 4.41: SMS - Enable configuration

Figure 4.42: SMS Users

4.5.2 Routes Management


Clicking on Insert will create a new route:

• Operator: Three options are available:

– Ficom: The SMS will be sent using the XML-RPC method. Contact iPortalMais
([email protected]) to create an account;
– GSM gateway: The SMS will be sent using the telnet protocol;
– VipVoz: The SMS will be sent to a VipVoz mail account using SSL.
Contact iPortalMais ([email protected]) to create an account;

Depending on the selected operator option, the following fields will appear:

• Route name: A name just for route identification;

• Email for notification reception: It’s the email account that will receive the
notifications with the send result (only for VipVoz);

• Gateway IP address: The IP Address of the GSM Gateway (Only for GSM
Gateway) (Figure 4.43);


• SIM card: Select which SIM card to use (Only for GSM Gateway);

• User (VipVoz and Ficom): Username of the account already created (in GSM
Gateway mode, please type the web interface Username);

• Password (VipVoz and Ficom): Password from the account already created
(in GSM Gateway mode, please type the web interface Password);

Figure 4.43: GSM Gateway Route Example

After creating the route, click on the route name to define a prefix that
selects that specific route. The chosen prefix will later be part of the
number and will match only that route (Figure 4.44).

Figure 4.44: SMS - Routes management

4.5.3 Statistics
Displays statistics about the sent and outgoing SMS.


Sent SMS

For sent SMS these are the fields available:

• Id;

• Send date;

• Sender;

• Destination;

• Order;

• Attempts;

• Route;

• Operator;

• State;

• File.

Outgoing SMS

For outgoing SMS that are pending, the following fields are presented:

• Id;

• Sender;

• Destination;

• Order;

• Attempts;

• Route;

• Operator;

• State.


4.5.4 Sending a SMS


With everything configured at IPBrick, we can send one or more SMS using a
mail client or webmail with the syntax:
<prefix + number>@<mail2sms domain>
E.g.: We are using the domain sms.domain.com and a VipVoz account activated
with prefix 00. To send an SMS to the Portuguese mobile number 946666666
saying ’Hello, party at 23:00 - Bar XYZ’:
To: [email protected]
Subject: Party
Body: Hello, party at 23:00 - Bar XYZ
Note that you can create a mailing list at IPBrick and insert all the mobile
numbers you want. E.g.: Create a mailing list named [email protected]
and insert some customers’ mobile numbers in the External users list:
[email protected]
[email protected]
[email protected]
...
So on the client side you just need to send an email to [email protected],
with the text you want.

CSV file
Another method to send SMS is to attach a CSV file, created in a spreadsheet
program, with the columns number and message separated by a semicolon (;).
E.g.:
number;message
003519191919191; Hello John
003519696969696; Merry christmas Mike
003519191919191; Meeting at 15:00.
00339696969696; Bonjour David.
00344233333333; Feliz navidad Juan.
To send it, we just need to create a new email message with the destination of
the specific mail account smslist@<mail2sms domain>.
E.g.:
To: [email protected]
Subject: SMS CSV List
Body:
Attach: sms_list.csv
If the message column of a row in the CSV file is empty, the SMS text used
will be the email message body (if present).
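
An added example (not IPBrick code) of how a Mail2SMS gateway can validate what this section describes: the <prefix + number>@<mail2sms domain> recipient, the smslist CSV attachment and the fallback to the mail body. The route table, SMS user list, length bound and sample data are constructed assumptions.

```python
import csv
import io
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed values (assumptions, not IPBrick defaults).
SMS_DOMAIN = "sms.domain.com"        # Mail2SMS domain
ROUTES = {"00": "vipvoz"}            # route prefix -> route name
SMS_USERS = {"john@domain.com"}      # users ticked under SMS Users
MAX_LEN = 20                         # sanity bound on prefix + number
SAMPLE_CSV = (
    "number;message\n"
    "003519191919191; Hello John\n"
    "00339696969696;\n"              # empty message: mail body is used
    "0044abc; bad number\n"          # rejected: not numeric
)


def match_route(digits):
    """Return the route whose prefix starts the number (longest prefix wins)."""
    if not (digits.isascii() and digits.isdigit() and len(digits) <= MAX_LEN):
        raise ValueError("not a valid number: %r" % digits)
    for prefix in sorted(ROUTES, key=len, reverse=True):
        if digits.startswith(prefix) and len(digits) > len(prefix):
            return ROUTES[prefix]
    raise ValueError("no route prefix matches %r" % digits)


def parse_csv(text, body):
    """Parse 'number;message' rows into (jobs, rejected)."""
    jobs, rejected = [], []
    for lineno, row in enumerate(csv.reader(io.StringIO(text), delimiter=";"), 1):
        if not row or (lineno == 1 and row[0].strip().lower() == "number"):
            continue                                  # blank line or header
        number = row[0].strip()
        message = ";".join(row[1:]).strip() or body   # empty column -> body
        try:
            route = match_route(number)
            if not message:
                raise ValueError("no message text and no mail body")
            jobs.append((route, number, message))
        except ValueError as exc:
            rejected.append((lineno, str(exc)))
    return jobs, rejected


def mail_to_sms(raw):
    """Turn one submitted mail into (jobs, rejected) for the SMS queue."""
    msg = message_from_string(raw)
    # From is easy to forge: a real gateway should check the authenticated
    # SMTP identity of the submitter, not only this header.
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender not in SMS_USERS:
        raise PermissionError("sender is not an SMS user: %r" % sender)
    local, _, domain = parseaddr(msg.get("To", ""))[1].rpartition("@")
    if domain.lower() != SMS_DOMAIN:
        raise ValueError("not addressed to the Mail2SMS domain")
    body, attachment = "", None
    for part in msg.walk():
        if part.is_multipart():
            continue
        text = part.get_payload(decode=True).decode("utf-8", "replace")
        if (part.get_filename() or "").lower().endswith(".csv"):
            attachment = text
        elif part.get_content_type() == "text/plain" and not body:
            body = text.strip()
    if local.lower() == "smslist":
        if attachment is None:
            raise ValueError("smslist mail has no CSV attachment")
        return parse_csv(attachment, body)
    return [(match_route(local), local, body)], []


def sample_list_mail():
    """Constructed mail to smslist@<mail2sms domain> with SAMPLE_CSV attached."""
    mail = EmailMessage()
    mail["From"] = "john@domain.com"
    mail["To"] = "smslist@" + SMS_DOMAIN
    mail["Subject"] = "SMS CSV List"
    mail.set_content("Default text")
    mail.add_attachment(SAMPLE_CSV.encode(), maintype="text",
                        subtype="csv", filename="sms_list.csv")
    return mail.as_string()
```

Rejected rows are returned with their line number so the sender can be told which entries were not queued.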


4.6 Web Server


A web server, through the HTTP [11] and/or HTTPS protocols, is responsible
for answering user requests for the web pages hosted on it, and each server
may host several sites. The web server running in IPBrick is Apache [12]. The
base virtual hosts registered in IPBRICK are displayed after clicking on
Web Server.
IPBrick hosts the following sites by default:

• calendar.domain.com: Intranet LDAP agenda. Always a useful tool, the
calendar can be used to save events and share them with others. By clicking
on Calendar at MyIPBrick, the user will be redirected to this site;

• callmanager.domain.com: Flash callmanager application for VoIP;

• callstatistics.domain.com: Specific site with detailed VoIP call statistics.
It’s the same menu present in IPBrick.GT - VoIP - Monitoring - Call Statistics,
but now it’s possible to give access to LDAP users;

• contacts.domain.com: Intranet LDAP contacts management. An in-depth
look is provided in Appendix H;

• ipbrick.domain.com: IPBrick web management interface;

• jwchat.domain.com: A web-based Jabber (XMPP) client for the IPBrick
LDAP users;

• myipbrick.domain.com: A site for internal users. It’s possible to change
personal settings, check the personal area and go to other internal websites.
A detailed description is given in Appendix G;

• pgsqladmin.domain.com: PostgreSQL database web management;

• ucoip.domain.com: UCoIP (Unified Communications over IP) site for LDAP
users. It’s described in Appendix F;

• webmail.domain.com: Horde webmail client. By clicking on Webmail at
MyIPBrick, the user will be redirected to this site;

• webphone.domain.com: An IAX webphone example. The idea is to view
the page source code and include it in a real website. This webphone can
be configured to call directly any number you want or to match some direct
access for a VoIP functionality (sequence, groups, IVR etc). To specify that,
the variable called url must be changed.

[11] HyperText Transfer Protocol
[12] For more information please visit http://www.apache.org


4.6.1 Creating a new site


By clicking on Insert it’s possible to create a new site. A new form is displayed
(Figure 4.45) with the following fields:

Figure 4.45: Web Server - Adding sites

1. URL address: The FQDN [13] of the new site that will be hosted on the
server. It’s possible to use SSL too. Example: www.domain.com;

2. Alternative URL address: Alternative name(s) for the URL address that
was previously set. This field is not mandatory;

3. Site administrator email: E-mail of the user who is responsible for the
site management;

4. FTP User: A new user login that will access the site folder through FTP.
This login should be unique and shouldn’t be equal to another IPBrick
LDAP user. The site maintenance will be made through this protocol.

5. Password: Password of the FTP user.

6. Retype Password: Confirmation of Password.

7. Site folder location: Folder that will be automatically created in the
server filesystem under /home1/_sites/. Usually the name of the site is
used;
[13] Fully Qualified Domain Name


8. Internet Availability: Choosing Yes creates the virtual host for this site
on the IPBrick external IP, in which case the created site will be available
on the Internet;

9. Safe mode: If the site is PHP based, it denies access to files outside the
site folder location, so it will also interfere with the global variables.
This is the reason that the default mode is Disabled;

10. Access authorized only to the directories: By default PHP has access to
the site folder location and to /tmp, but it’s possible to add more
locations;

11. Character encoding: The encoding that Apache will use for the website,
depending on the content language;

12. Always keep the typed URL: Always keeps the requested URL;

If the created site is available on the Internet, it is also necessary to
create a DNS record (A or CNAME) in the company’s external DNS server pointing
to the company’s network public IP. If IPBrick has a public IP at eth1, the
record will point directly to that IP and not to the router IP.

4.6.2 Management
Once the site is created, clicking on it (Figure 4.46) gives you these
options to choose from:

• Back: Allows you to go back to the main webserver menu;

• Alias;

• Redirect;

• Reverse Proxy;

• Modify: Allows to modify the site fields;

• Delete: Removes the site from the web server. After clicking on Apply
Configurations the site is no longer available online. The files of the site
are not deleted but moved to the share sites_bk1. This share is the file
location of the removed sites. When IPBrick removes these sites only the
affected services are reconfigured, and the contents are moved to a dedicated
share accessible only to LDAP Administrators. The same is done for user
accounts and group shares;


Figure 4.46: Web Server - Features

Alias
Alias or Host Header is a simple way of giving access to certain contents that
are physically located outside the main directory of the site. Two examples
follow:
In Figure 4.47 we create a web alias for the folder /home1/_sites/www/site/img.
So, going to www.domain.com/es/img or www.domain.com/img will be the same.

Figure 4.47: Web Server - Alias 1

Figure 4.48: Web Server - Alias 2


In Figure 4.48 we have a subsite called www.domain.com/forum that is present
in the filesystem at /home1/_sites/www/site/forum.
You can manage each alias if you click on it (Figure 4.49).

Figure 4.49: Web Server - Alias List

Redirect

Redirect allows you to be redirected to a new URL when you type a first URL
in the browser. Some examples:

• In the example of Figure 4.50, if someone tries to access
www.domain.com/index.htm and the index.htm file doesn’t exist, they will be
automatically redirected to www.domain.com/index.htm;

• In the example of Figure 4.51, if someone tries to access
www.domain.com/index.html, they will be automatically redirected to
www.domain.com/web/index.htm. Please note that in the source field you can
insert only /index.html or www.domain.com/index.html, which is the same.

Figure 4.50: Web Server - Redirect - Example 1


Figure 4.51: Web Server - Redirect - Example 2

Figure 4.52: Web Server - Redirections List

You can manage each redirection if you click on it (Figure 4.52).

Reverse Proxy

The reverse proxy is used in front of the web server, and its main objective
is to have all connections addressed to the various web servers routed through
the proxy server. A reverse proxy dispatches incoming network traffic to
various servers and is totally transparent to the user (who will not know
that a proxy is being used).

• The first example stands for this situation: when someone enters the URL
http://estore.domainx.com they will be transferred to an internal site
running on another server. So the first step is the site creation
(Figure 4.53), and after that the reverse proxy definition (Figure 4.54);

• In the second example the idea is that someone on the Internet wants to
access a site running on an internal machine (http://192.168.1.4:85/cgi/site).
To do this we just need to add a new reverse proxy definition at the base
domain (Figure 4.55 and Figure 4.56);


Figure 4.53: Web Server - Reverse Proxy - Example 1 - Empty site created

Figure 4.54: Web Server - Reverse Proxy - Example 1 - Add

Figure 4.55: Web Server - Reverse Proxy - Example 2 - Add


Figure 4.56: Web Server - Reverse Proxy - Example 2 - List

Statistics
Each site in IPBrick uses Advanced Web Statistics, the same software used for
proxy statistics, to display many statistics about the site accesses. To
access the statistics just go to IPBrick.C - Web Server, click on the desired
site and then go to Statistics.

You can get useful information such as that listed on the left side of
Figure 4.57.

Figure 4.57: Web Server - Statistics

4.7 Webmail
The Webmail installed in IPBRICK is Horde’s Groupware and can be configured
to deal with other e-mail or calendar servers that are not IPBRICK. Therefore
you will have to specify in this section which IMAP [14], SMTP [15] (sending)
and calendar servers will be used (Figure 4.58).

Figure 4.58: WebMail Definitions

To change all settings click Modify. The servers may be identified by their
FQDN [16] or their IP address.

If you have an Intranet IPBrick (or another intranet mail server) and a
Communications IPBrick, you need to point the IMAP (the server responsible for
receiving mails) and SMTP (the server responsible for sending mails) settings
to the internal mail server address. To use the IPBrick webmail from the
Internet you just need to:

• Register an A record or CNAME called webmail at the public DNS server of
the company domain, pointing to the IPBrick public IP;

• If the IPBrick doesn’t have a public IP at eth1, configure a DNAT rule in
the router for port 443 to the IPBrick eth1 IP.

So, at Webmail Definitions you have:

• IMAP Server: Type the FQDN or the IP address of the server that will
handle the authentication and that will access emails;

• SMTP Server: Type the FQDN or the IP address of the server that will send
your emails;

• IPBrick Calendar Address: Type your calendar’s URL, by default:
http://calendar.domain.com

• Default View: There are three graphic options to visualize the application
(Traditional, Dynamic and Minimalist);

• Default entity type: Select the default entity type that will be available at
the Groupware application and in IPBrick Contacts;
[14] Internet Message Access Protocol
[15] Simple Mail Transfer Protocol
[16] Fully Qualified Domain Name


• Default entity: Select the default entity that will be available at the
Groupware application and in IPBrick Contacts.

IPBRICK’s web interface now has even more configurable Groupware options;
blocking certain features for users here is simpler and faster than accessing
Groupware’s administrative interface.

On the same page you may also configure the Global Options:

Figure 4.59: Global Options

• Login Image: Upload the logo you wish to display at the Groupware app.
Supported formats: JPG, PNG, GIF;

• Login image url: The URL of the logo image, by default: http://www.ipbrick.com

• Groupware Server: Type your Groupware server, by default the native one: localhost

• Login Message: Type the welcome message to be displayed at login, by
default: Welcome to IPBrick Groupware

• Administrators users: This acts as a uni-directional sync between Groupware
and IPBrick. An important change in settings done by the Groupware
administration, that has relevance to all users, will be presented at this page
according to its type.

To import changes done by the Groupware administrator or administrators,
simply select the administrator that implemented the changes (if there is
more than one) from the drop-down list and click on the Import button.

NOTE: To add another Groupware administrator, log in to the Groupware app as
an administrator, go to Administration > Setup > Authentication and add more
users.


Figure 4.60: Adding Groupware Administrators

The new users will then be available in the drop-down list.

Figure 4.61: Selecting the Groupware Administrator

Each group of options presents you with a record of various settings done
at IPBRICK Groupware. When you click on the Import button any new
changes will be presented according to their type, with the Block option to
prevent users from accessing the corresponding features. If there is no record
of any configuration it will be displayed as No Records.

Figure 4.62: No records

Figure 4.63: Address Book Options with new settings


The IPBrick Groupware settings present these options:

Figure 4.64: Groupware Options

• Select your color scheme: Select your preferred color scheme, by default
silver. You may also choose to block this setting, making it impossible for
normal users to alter the color scheme.

These are the editable Mail Options:

• Display Virtual Inbox?: You may choose to block this setting, making it
impossible for normal users to view the Virtual Inbox.

• Messages per page in the mailbox view: Select the number of mails per page,
by default 20. Users may choose another number of mails per page, but you may
choose to block this setting, making it impossible for normal users to alter
the default 20 mails per page.

• Compose messages with an HTML GUI by default (if browser supports the
feature)?: You may tick the Blocked box, making it impossible for normal users
to access the GUI.

The Address Book can also be edited according to these available options:

Figure 4.65: Address Book Options

• Maximum number of pages: By default 10. Users may choose another number
of pages, but you may choose to block this setting, making it impossible for
normal users to alter the default 10 pages.

• Number of items per page: By default 20. Users may choose another number of
items per page, but you may choose to block this setting, making it impossible
for normal users to alter the default 20 value.


• View to display by default: Non-editable, at the moment. The Groupware’s
main page, by default search.php.

4.8 FTP Server


In FTP Server it’s possible to manage single FTP accounts. The accounts can
be associated to simple Unix system users or to IPBrick websites.

Figure 4.66: FTP Server - Definitions

4.8.1 Definitions
Clicking on Insert will present these fields (Figure 4.67):

• Login: FTP account login;

• Password: FTP account password;

• Retype Password;

• Account location: It’s possible to choose an individual FTP work area or
associate the account with a virtual host;

• Create folder account: Creates a new account folder at /home1/_ftp or
/home2/_ftp. Choosing No, no folder will be created. This option is useful
when we want to create an FTP login to the same account but with different
permissions;

• If account location was changed: You may keep the current folder and
create a new one or choose other options, such as:

– Keep current folder;
– Copy current account folder to a new one;
– Move current account folder to a new one;
– Remove current account folder and create a new one.

• Access permissions: Can have read-only permission or read and write
permissions.


Figure 4.67: FTP Server - Insert page

Access log

The access log option permits the visualization of all FTP accesses. It’s possible
to filter them by:

• Date (Start and End);

• Duration;

• User;

• IP;

• Notes:

– Upload

– Connected;

– Disconnected;

– Wrong password;

– Illegal user;

– Timeout/Locked.

• File


Figure 4.68: FTP Server - Access Log

Available options:

• Filter: Will present a filter with various search criteria;

Figure 4.69: FTP Server - Access log filter

• Export PDF: Exports all the information to a .pdf;

• Back: Go back to the top menu;
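
An added example (not part of IPBrick) of detection logic over the access log fields listed above: it flags an IP that produces a burst of Wrong password / Illegal user notes and any Connected entry that follows the burst. The semicolon-separated row layout, the thresholds and the sample rows are assumptions constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILURE_NOTES = {"wrong password", "illegal user"}   # Notes values listed above
WINDOW = timedelta(minutes=5)                        # assumption: tune per site
THRESHOLD = 5                                        # failures per IP in WINDOW

# Constructed rows: Date;Duration;User;IP;Notes;File (layout is an assumption).
SAMPLE_LOG = """\
2013-08-01 09:30:00;0;mary;198.51.100.7;Wrong password;
2013-08-01 09:30:15;0;mary;198.51.100.7;Connected;
2013-08-01 09:31:00;12;mary;198.51.100.7;Upload;report.pdf
2013-08-01 10:00:01;0;admin;192.0.2.10;Illegal user;
2013-08-01 10:00:20;0;root;192.0.2.10;Illegal user;
2013-08-01 10:00:41;0;webadmin;192.0.2.10;Wrong password;
2013-08-01 10:01:02;0;webadmin;192.0.2.10;Wrong password;
2013-08-01 10:01:30;0;webadmin;192.0.2.10;Wrong password;
2013-08-01 10:02:10;0;webadmin;192.0.2.10;Connected;
"""


def parse(log_text):
    """Yield (timestamp, user, ip, note) for each non-empty row."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        date, _duration, user, ip, note, _file = (
            field.strip() for field in line.split(";", 5))
        yield datetime.strptime(date, "%Y-%m-%d %H:%M:%S"), user, ip, note.lower()


def detect(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return alerts: failure bursts per IP and logins that follow a burst."""
    recent = defaultdict(deque)      # ip -> (timestamp, user) of recent failures
    flagged = set()                  # IPs that already raised a burst alert
    alerts = []
    for ts, user, ip, note in sorted(parse(log_text)):
        failures = recent[ip]
        while failures and ts - failures[0][0] > window:
            failures.popleft()       # forget failures older than the window
        if note in FAILURE_NOTES:
            failures.append((ts, user))
            if len(failures) >= threshold and ip not in flagged:
                flagged.add(ip)
                # Third field: how many distinct logins the burst tried.
                alerts.append(("burst", ip, len({u for _, u in failures})))
        elif note == "connected" and ip in flagged and failures:
            # A success right after a burst may mean a guessed password.
            alerts.append(("login-after-burst", ip, user))
    return alerts
```

A single mistyped password followed by a login, as in the first three sample rows, stays below the threshold and raises nothing.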

4.8.2 Statistics
The FTP statistics page presents you with the global and individual user
statistics.


Figure 4.70: FTP Server - Statistics

To access them just click on the corresponding show link.

The FTP statistics presented here are based on AWStats [17]. AWStats is a
powerful log analyzer which creates FTP server statistics reports based on
data contained in server logs. Data is then graphically presented in easy to
read web pages.

For more information, please consult the following URL:

http://awstats.sourceforge.net/

The general Statistics page, as the name suggests, presents the totality of
upload and download traffic statistics in a multitude of forms (graphs,
tables, lists).

You may check when the FTP server has been accessed, who had access to the
FTP server, the FTP traffic (download/upload) and also the executed operations.

Figure 4.71: FTP Server - General Statistics

[17] Advanced Web Statistics


The User Statistics displays FTP statistics of a particular user.

Figure 4.72: FTP Server - User Statistics

4.9 VoIP
This section deals with the management interface of the VoIP [18] service
available in IPBRICK.
The VoIP (Voice over IP) technology allows phone calls through an IP network,
thus enabling phone calls through the Internet. The main advantages of using
VoIP are: reduction of expenses, because the rates don’t follow the
conventional telephony model; and better service quality, since packet
switching makes better use of the existing network resources than circuit
switching.

The IP Telephony concept is sometimes confused with VoIP, but they are not
exactly the same thing. IP Telephony uses the VoIP service and is defined
as the group of services and applications that allow companies to reduce phone
expenditures.

Signalling: The VoIP service needs a protocol to signal the calls. The
signalling protocol used by IPBrick is SIP, but there are others such as
H.323, MGCP, Jingle, IAX, H.248/MEGACO etc. SIP [19] allows calls and
conferences through IP, and those calls may include audio, video, images, etc.
This way, the SIP protocol is responsible for all the processed calls between
users, regardless of the content of the call itself. The IPBrick.GT acts as an
authentic IP PBX and it can route the calls to/from a traditional PBX,
Internet, LAN and PSTN. All the PBX management is done by software called
Asterisk. Asterisk is compatible with several signalling protocols, including
SIP. The routing work is done by other software that acts as SIP proxy -
OpenSER.
[18] Voice over IP
[19] Session Initiation Protocol


The VoIP features accessible through the web interface are presented next.

4.9.1 Phone management


This menu (Figure 4.73) allows you to get the list of IPBRICK VoIP clients
(IP telephones, workstations + softphone) that were registered from
IPBrick.I - Machines Management and to manage some configurations. By
clicking on a phone name it’s possible to modify the following fields:

• Phone: Phone username;
• Password: Phone password, which can be changed;
• Alternative Phone Addresses: In this field we can define alternative
addresses for the phone. An alternative address is another name (or number)
to reach the telephone. This functionality is very useful when there are
telephones from which you can only dial numbers. It’s a good policy to
register phones by names and after that define a numeric alternative address
(example at Figure 4.74);
• Caller ID: If you want to mask the caller ID insert the full number;
• Phone Location:
– Local: The default, for a LAN phone;
– Remote: For a remote phone that is connected behind a NAT. Usually
this option is used when the idea is to register the phone from the Internet,
using the IPBrick network public IP.
• Auto provisioning: The auto provisioning option permits the automatic
configuration of SIP hardphones, so here we just need to choose the phone
model. For this to work, it’s mandatory to insert the MAC address when
registering the phone at Machines Management;
• Description: This field should have a text description of the phone;

Figure 4.73: VoIP - Phones management

Note that it’s also possible to register phones in:


Figure 4.74: VoIP - Adding alternative addresses

Advanced Configurations - Telephony - Registered Phones

This option is only valid if it isn’t necessary to assign the phone a specific
IP address, DNS, DHCP and LDAP record. It is possible to add a phone just
by filling in the name and the access password fields.

NOTE: If the inserted phones have become far too numerous to be displayed or
searched efficiently, it’s possible to retrieve a phone by its name, simply by
using the various search links displayed on the Machines Management page.
There are alphabetical and numerical quick links, as well as the possibility
to open a Search pop-up window or to display all machines on one page (List
all link).

Figure 4.75: VoIP - Phone Management Search window

4.9.2 Users Management


This option provides a VoIP centralized management for each LDAP user.


User VoIP settings


The main screen presents the users list with SIP address and associated phone
address if any (Figure 4.76). When clicking on a user name (Figure 4.77), we
can manage:

• SIP address: It’s the default user email and can’t be changed here;

• Alternative addresses: It’s possible to define multiple SIP addresses for a
user. People can call the user using the default SIP address or the
alternatives (click on the + icon to add alternative addresses);

• User PIN: Defines the user PIN, which must be numeric. This PIN can be used
for multiple functions: phone locking, access classes, voicemail and call
queues. The user can’t change the PIN;

• Password: Defines a password, which must be numeric. The password can be
used for phone locking, access classes, voicemail and call queues. A user can
also change the password from the myipbrick site;

• User access validation: For authentication, either only the PIN or the PIN
and password can be used. When the authentication process begins for some
functionality, the user will hear one Asterisk message asking for the User ID
(PIN) and another one asking for the Password.

• Caller ID: The caller’s ID message that will appear at the destination’s
phone display;

• Follow Me: This is an important field. Here we can associate users with a
specific internal or external phone. So when someone in the LAN or on the
Internet makes a call to the user SIP address, the phone that is defined here
will ring. Of course it will only work if the internal/public DNS zone is
properly configured. A user can change the phone address at the myipbrick
site.

– Phone: The user will be associated to an internal SIP phone registered
in IPBrick;
– User: You may associate another user’s phone by selecting this option;
– Agent: The user will be associated to an Agent registered in IPBrick;
– External: The user will be associated to another phone. It can be an
external SIP account, PSTN number, PBX extension, mobile number
etc. When somebody on the Internet or from the user UCoIP site makes
a call, if IPBrick has routes to make the call it will call the external
number specified here.

• Follow Me Mode: It can be Group or Sequence. If it is Group the call will
ring on all phones configured in Phone Address. If it is Sequence the call
will ring in sequence, according to the order of insertion;

• Voicemail enabled: By default, YES;


• Personalized voicemail: By default, NO. If you select yes a new field will
appear that will enable you to upload a personalized voicemail file (mp3/wav
only);

Figure 4.76: VoIP - Users Management

NOTE: As in IPBRICK.I - Users Management, it is possible to Export and
Import (via Mass Operations) VoIP users via a CSV file editable in a
spreadsheet application. Please consult subsection 3.4.1 - Mass Operations of
this document.

Figure 4.77: VoIP - Users Management - User VoIP settings

User Access Class


• Access class: A user can be part of an access class, not just phones. A user
access class should be less restricted than a phone’s access class;


• Unlock mode: By default, unlocking always requires the PIN, or PIN and
password, followed by the desired number to dial. The second mode requires
authentication only the first time (Figure 4.78);

E.g.: For a user with PIN 111 and password 1234 who needs to call
003512255443322:

• PIN: 111#003512255443322

• PIN and Password: 111#1234#003512255443322

Call queues
If some call queues are configured, a user can be associated as an agent
(Figure 4.78). The waiting mode can be:

• Music on hold: The phone will be immediately part of the call queue. The
user will listen to music until a call is received;

• Callback: Only if the agent receives a call from the call queue, the phone
will ring;

Figure 4.78: VoIP - Users Management - Access classes and call queues


4.9.3 Functions
This section allows you to configure all the IP PBX functionalities, split
into inbound and outbound services.

Inbound
Call Groups

In this interface (Figure 4.79) it’s possible to define answering groups (i.e.,
a group of telephones which shall ring simultaneously when the group is
accessed). To define a group it is necessary to fill in these fields:

• Name: Name for the group;

• Caller ID (Inbound): Possibility to use a specific inbound caller ID for
this service;

• Caller ID (Outbound): Possibility to use a specific outbound caller ID for
this service;

• Direct access: List of numbers/addresses that will call this service. There
are three options and many direct accesses can be used; it’s also possible to
choose one of the PSTN interfaces defined at Telephony -> Interfaces;

– DID: If the IPBrick has an ISDN telephony card, the PSTN DID (Direct
Inward Dial) that will call this service needs to be inserted;
– ANA: If the IPBrick has an analog telephony card, this will be the direct
PSTN number that will call this service;
– SIP: The specific SIP address that will call this service;

• Caller IDs restriction: Restricts the route to the listed caller IDs only;

• Group Members: A user can be part of an access class if the configurations
are made correctly.

– Internal: Internal SIP phones that belong to the group;
– External: External phones (SIP, PSTN number, etc) that belong to
the group.

• Voicemail enabled: Active by default (YES);

• Personalized voicemail: Deactivated by default, this option enables the
user to record a customized voicemail message.


Figure 4.79: VoIP - Call groups

Attendance seq.

In this section it is possible to define an answering sequence, or see/change/remove
the already defined sequences. To add a new sequence it is necessary to click
Insert, define a name for the sequence, select if the voicemail is active or not and
in Direct Access add the DID/SIP/ANA addresses of the telephones by which the
sequence shall be activated.

If you intend to add a Direct Access for an extension defined in IPBrick, it
is possible to choose SIP and select the extension in the address. In Sequence it is
possible to add the telephones which shall ring in the desired order and the time
for which each one of them rings before the next one.

To define an attendance seq. it is necessary to fill in (Figure 4.80):

• Name: Name for the attendance seq;

• Caller ID (Inbound): Possibility to use a specific inbound caller ID for
this service (this field is optional);

• Caller ID (Outbound): Possibility to use a specific outbound caller ID for
this service (this field is optional);

• Voicemail enabled: Enables the voicemail for the sequence;

• Direct access: List of numbers/addresses that will call this service. There
are three options, and many direct accesses can be used; it’s also
possible to choose one of the PSTN interfaces defined at: Telephony ->
Interfaces;

– DID: If the IPBrick has an ISDN telephony card, the PSTN DID (Direct
Inward Dial) that will call this service needs to be inserted;
– ANA: If the IPBrick has an analog telephony card, this is the direct
PSTN number that will call this service;
– SIP: The specific SIP address that will call this service;

• Caller IDs restriction: Will restrict the route only for the listed caller
IDs;

• Sequence positions

– Location Internal: Internal SIP phones that belong to the sequence;
– Location External: External phones (SIP, PSTN number, etc.) that
belong to the sequence;
– Timeout: Timeout in seconds, by default 25.

• Voicemail enabled: Active by default (YES);

• Personalized voicemail: Deactivated by default. If active, this option
enables the user to upload a customized voicemail message.

Figure 4.80: VoIP - Sequence definitions

An attendance sequences list can be viewed at Figure 4.81.


Figure 4.81: VoIP - Attendance sequences list

IVR Attendance

In this section it’s possible to define interactive answering menus (Figure 4.82).
You need to click Insert to add a new one:

• Name: Choose a name for IVR;

• Type: Choose between Normal, Strategy entry point or Validation module;

• Direct access: List of numbers/addresses that will call this service. There
are three options, and many direct accesses can be used; it’s also
possible to choose one of the PSTN interfaces defined at: Telephony ->
Interfaces;

– DID: If the IPBrick has an ISDN telephony card, the PSTN DID (Direct
Inward Dial) that will call this service needs to be inserted;
– ANA: If the IPBrick has an analog telephony card, this is the direct
PSTN number that will call this service;
– SIP: The specific SIP address that will call this service;

• Caller IDs restriction: Will restrict the route only for the listed caller
IDs;

• Number of desired shortcuts: Choose how many options the menu
has;

• Shortcuts: What type of destination to give (according to the pressed key):

– Phone: To call an internal telephone;
– IVR: To go to an interactive answering sub-menu;
– Conference: To connect to a conference;
– Scheduler: To connect to a scheduler;
– Group: To ring the telephones of a group;
– Sequence: To activate an answering sequence;
– SIP address: To call a SIP telephone;
– DISA: It allows someone outside the central to connect as if he/she is
directly connected to the central;
– Call queue: To make the call enter a waiting line;
– Callback: To make the call in the most cost-efficient method. For more
information check the Callback section of this document;
– IPBRConference: Type the key shortcut to access the IPBrick radio
conference. You will need the Radio4IPBrick package in order for this
feature to be operational.

• Attendance message: It allows the selection of an answering message. It
can be a .mp3 or .wav file;

• Number of message repetitions: Number of times the attendance message
is replayed;

• Response timeout: Time that the user has to choose an option after hearing
the message. By default 10 seconds;

• Redirect automatically when no option has been dialed: If set to Yes and
no DTMF key is pressed, the call can be redirected directly to:

– Phone: To call an internal telephone;
– IVR: To go to an interactive answering sub-menu;
– Conference: To connect to a conference;
– Scheduler: To connect to a scheduler;
– Group: To ring the telephones of a group;
– Sequence: To activate an answering sequence;
– SIP address: To call a SIP telephone;
– DISA: It allows someone outside the central to connect as if he/she is
directly connected to the central;
– Call queue: To make the call enter a waiting line;
– Callback: To make the call in the most cost-efficient method. For more
information check the Callback section of this document.

An IVR can have only an attendance message without any shortcut or direct
access, e.g., a message just saying that the company is closed, so that the IVR can
be used in the scheduling, for example (Figure 4.83).

Call Conference

In this interface (Figure 4.84) it is possible to create conferences. To create a
simple static conference just click Insert:

• Name: The conference name;


Figure 4.82: VoIP - IVR attendance configuration

Figure 4.83: VoIP - Simple IVR

• Numeric identifier: Numeric identifier for the conference. It’s only an
internal identifier for the VoIP server;

• PIN: Code which shall allow the users to connect to the conference;

• Administrator PIN: Conference code for the administrator;

• Direct access: List of numbers/addresses that will call this service. There
are three options, and many direct accesses can be used; it’s also
possible to choose one of the PSTN interfaces defined at: Telephony ->
Interfaces;

– DID: If the IPBrick has an ISDN telephony card, the PSTN DID (Direct
Inward Dial) that will call this service needs to be inserted;
– ANA: If the IPBrick has an analog telephony card, this is the direct
PSTN number that will call this service;
– SIP: The specific SIP address that will call this service.

• Caller IDs restriction: Will restrict the route only for the listed caller
IDs;

Figure 4.84: VoIP - Call conference insertion

Figure 4.85: VoIP - Call conference list

It is also possible to allow the creation of dynamic conferences. For that, it is
necessary to click Dynamic Conferences (Figure 4.85), change the option Active
to Yes and insert the address(es) and/or number(s) for the Direct Accesses (Figure
4.86). With dynamic conferences, when someone calls the direct access it’s possible
to automatically enter an existing conference or to create a new one.

Call Parking

Here (Figure 4.87) it’s possible to activate or deactivate the option of calls on
hold.
If this option is activated, it is necessary to define an extension to place the
calls on hold, as well as the virtual extensions in which calls are going to be placed
(Figure 4.88). To access these calls later it’s necessary to press on the telephone
keypad the ”#” plus the virtual extension where the call was parked.

Scheduling


Figure 4.86: VoIP - Dynamic call conferences

Figure 4.87: VoIP - Call Parking

Figure 4.88: VoIP - Call Parking - Modify

Figure 4.89: VoIP - Scheduling

This option (Figure 4.89) allows you to define the daily behavior of the IP
PBX. Usually this is the most important inbound service, because from here we
are able to call all the other configured services.
It is necessary to click the Insert option (Figure 4.90) and configure the first
parameters:

• Name: The name for the scheduler;

• Direct access: List of numbers/addresses that will call this service. There
are three options, and many direct accesses can be used; it’s also
possible to choose one of the PSTN interfaces defined at: Telephony ->
Interfaces;

– DID: If the IPBrick has an ISDN telephony card, the PSTN DID (Direct
Inward Dial) that will call this service needs to be inserted;
– ANA: If the IPBrick has an analog telephony card, this is the direct
PSTN number that will call this service;
– SIP: The specific SIP address that will call this service.

• Caller IDs restriction: Will restrict the route only for the listed caller
IDs;

Next, it is necessary to add rules for this scheduler. For that:

• Click in the scheduler name;

• Click Insert;

• Choose the type of action to be executed;

• Choose the period to be executed.

Fields explanation:

• Destination type: Where the call shall be routed if the rule defined next
is matched. Options:

– Phone: To call an internal telephone;
– IVR: To go to an interactive answering sub-menu;
– Conference: To connect to a conference;
– Scheduler: To connect to a scheduler;
– Group: To ring the telephones of a group;
– Sequence: To activate an answering sequence;
– SIP address: To call a SIP telephone;
– DISA: It allows someone outside the central to connect as if he/she is
directly connected to the central;
– Call queue: To make the call enter a waiting line;

• Destination: Telephone address or specific service name where the call shall
be routed;

• Hours: Beginning and end hour, from the timetable in which the rule shall
be valid (format hh:mm at each field);

• Weekdays: Weekdays in which the rule shall be valid. If not chosen it will
use all days;

• Month days: Days of the month in which rule shall be verified. If not chosen
it will use all;

• Months: Months in which the rule shall be valid. If not chosen it will use all
months;

Figure 4.90: VoIP - Scheduling - Insert rules

NOTE: If you don’t select any hours, weekdays, month days or months, the rule
shall be valid for all of them, respectively (the whole day, every day, every
month). A rule like this one is called the default rule.

At Figure 4.91 we can see an example of a scheduling implementation. You
can see that rule 4 is used from 19:01 to 08:59, because it is the default time. It
will call a simple IVR with a voice message saying that nobody is at the company
to answer the phone.
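
The rule matching described above, as an added Python example (not IPBrick code). It assumes that specific rules are tried in list order and that the default rule is the fallback; the rule set and destination names are constructed to mirror the 19:01 to 08:59 case. `uncovered_minutes` lists the times of a day that no rule matches, which is what a scheduler without a default rule leaves open.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta


@dataclass(frozen=True)
class Rule:
    dest_type: str                        # Phone, IVR, Group, Sequence, ...
    destination: str
    hours: tuple = ()                     # ("hh:mm", "hh:mm"); empty = whole day
    weekdays: frozenset = frozenset()     # 0 = Monday .. 6 = Sunday; empty = all
    month_days: frozenset = frozenset()   # 1..31; empty = all
    months: frozenset = frozenset()       # 1..12; empty = all

    def is_default(self):
        """A rule with no hours, weekdays, month days or months selected."""
        return not (self.hours or self.weekdays or self.month_days or self.months)

    def matches(self, when):
        if self.hours:
            start, end = (time.fromisoformat(h) for h in self.hours)
            now = when.time().replace(second=0, microsecond=0)
            if start <= end:
                inside = start <= now <= end
            else:                         # window that wraps past midnight
                inside = now >= start or now <= end
            if not inside:
                return False
        if self.weekdays and when.weekday() not in self.weekdays:
            return False
        if self.month_days and when.day not in self.month_days:
            return False
        if self.months and when.month not in self.months:
            return False
        return True


def route(rules, when):
    """Assumed precedence: first matching specific rule, else the default rule."""
    for rule in rules:
        if not rule.is_default() and rule.matches(when):
            return rule
    for rule in rules:
        if rule.is_default():
            return rule
    return None


def uncovered_minutes(rules, day):
    """Return every "hh:mm" of the given day for which no rule applies."""
    start = datetime(day.year, day.month, day.day)
    return [
        (start + timedelta(minutes=m)).strftime("%H:%M")
        for m in range(24 * 60)
        if route(rules, start + timedelta(minutes=m)) is None
    ]


WORKDAYS = frozenset(range(5))            # Monday to Friday

# Constructed rule set: three office-hours rules and a default rule (rule 4).
RULES = [
    Rule("Group", "support", ("09:00", "12:30"), WORKDAYS),
    Rule("IVR", "lunch-message", ("12:31", "13:59"), WORKDAYS),
    Rule("Group", "support", ("14:00", "19:00"), WORKDAYS),
    Rule("IVR", "closed-message"),
]

if __name__ == "__main__":
    monday = datetime(2013, 8, 5)
    for hhmm in ("08:59", "10:00", "13:00", "19:01"):
        when = datetime.combine(monday.date(), time.fromisoformat(hhmm))
        print(hhmm, "->", route(RULES, when).destination)
    print("unrouted minutes without rule 4:", len(uncovered_minutes(RULES[:3], monday)))
```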
DISA


Figure 4.91: VoIP - Scheduling - Rules list

DISA [20] (Figure 4.92) is a service that allows someone who is not directly
connected to IPBrick or the PBX central to obtain an internal dial tone and
make calls as if he/she were directly connected to the internal network. The user
calls the DISA access number and should type a password followed by
the ”#” key. If the password is correct, the user shall hear the tone indicating that
he/she may dial the number. You can also use this service without a password
if you want to. The fields necessary to configure a DISA are:

• Name: Name for DISA;

• Direct access: List of numbers/addresses that will call this service. There
are three options, and many direct accesses can be used; it’s also
possible to choose one of the PSTN interfaces defined at: Telephony ->
Interfaces;

– DID: If the IPBrick has an ISDN telephony card, the PSTN DID (Direct
Inward Dial) that will call this service needs to be inserted;
– ANA: If the IPBrick has an analog telephony card, this is the direct
PSTN number that will call this service;
– SIP: The specific SIP address that will call this service.

• Caller IDs restriction: Will restrict the route only for the listed caller
IDs;

• PIN authentication: It allows the introduction of a password to enable
dialling through DISA;

• Password: PIN password;

• Allowed caller ID’s: List of caller identifiers that may access this service.
Insert only one per line.


Figure 4.92: VoIP - DISA - Insert

Callback

The main objective of the Callback feature is to save costs on international calls.
It allows people to call the IPBrick callback service; the IPBrick will hang up
the call and call back the number that made the call. That callback will usually
be made using a VoIP operator SIP account, so at a low cost.

When inserting a callback, the available options are:

• Name: Name for the Callback;

• Direct access: List of numbers/addresses that will call this service. There
are three options, and many direct accesses can be used; it’s also
possible to choose one of the PSTN interfaces defined at: Telephony ->
Interfaces;

– DID: If the IPBrick has an ISDN telephony card, the PSTN DID (Direct
Inward Dial) that will call this service needs to be inserted;
– ANA: If the IPBrick has an analog telephony card, this is the direct
PSTN number that will call this service;
– SIP: The specific SIP address that will call this service.

• Caller IDs restriction: Will restrict the route only for the listed caller
IDs;

• Callback type:

1. Callback any number: No matter which number made the call, the
call will be ended, a defined internal phone will ring, and when someone
answers the phone a callback to the origin number will be made
automatically (Figure 4.93);
2. Callback authorized numbers. Hangup non authorized numbers: For
authorized origin numbers, the call will be ended, a defined
internal phone will ring, and when someone answers the phone a callback
to the origin number will be made automatically. For unauthorized numbers,
the call will just be ended (Figure 4.94);
3. Callback authorized numbers. Redirect non authorized numbers:
For authorized origin numbers, the call will be ended, a defined
internal phone will ring, and when someone answers the phone a callback
to the origin number will be made automatically. For unauthorized numbers,
the call will be redirected to an internal phone (Figure 4.95).

• Originate Callback calls from: The internal phone that will ring and
call back the origin number;

• Redirect non authorized numbers to: Internal phone where the calls will
be redirected. Used only for callback type 3;

• Callback timeout: Pause in seconds between the moment the call is terminated
and the callback, so the person who made the call has time to hang up
the phone. The default is 5 seconds;

• Allowed caller id’s: The list of authorized origin numbers. Used for
callback types 2 and 3.

[20] Direct Inward System Access

Figure 4.93: VoIP - Callback any number

Call queues

Here (Figure 4.96) it is possible to define waiting queues. When calling the
telephone defined in Direct Access the caller shall be placed on hold if there is
another call to be answered. An answering message may be defined, which shall be
heard while the call is on hold. It is also possible to choose default messages in
Select queue information, which may inform the caller about his/her
position in the line, and the time interval between those messages.


Figure 4.94: VoIP - Callback authorized numbers or hangup

Figure 4.95: VoIP - Callback authorized numbers or redirect

The visible settings when we hit insert are these:

• Name: Name of queue;

• Phone Display Message: You may opt to display several messages: Incoming
number, Incoming number and Queue name, Queue name and Incoming number
and finally you may create a Custom message;

• Caller ID (Inbound): Possibility to use a specific inbound caller ID for
this service;

• Caller ID (Outbound): Possibility to use a specific outbound caller ID for
this service;

• Direct access: List of numbers/addresses that will call this service. There
are three options, and many direct accesses can be used; it’s also
possible to choose one of the PSTN interfaces defined at: Telephony ->
Interfaces;

– DID: If the IPBrick has an ISDN telephony card, the PSTN DID (Direct
Inward Dial) that will call this service needs to be inserted;
– ANA: If the IPBrick has an analog telephony card, this is the direct
PSTN number that will call this service;
– SIP: The specific SIP address that will call this service.

• Caller IDs restriction: Will restrict the route only for the listed caller
IDs;
• Queue weight: Queue’s priority.

• Maximum number of queued calls: Maximum number of calls on
hold. ’0’ defines an unlimited number;

• Define maximum waiting time: It is possible to define the maximum waiting
time. For that it is necessary to click option Yes, select the maximum
time in seconds and the type of routing to do if the time is exceeded, as well
as the final destination;

• Allow new calls in queue when there aren’t any logged users: Even
if there’s an empty queue you may Forward the call and select its Destination;

• Leave queue when there are no logged users: The call will leave the
queue if there are no users available. By default, this option is inactive;

• Leave queue when press key: By default, NO. If you select YES a new
option to create a Shortcut will appear. Please insert the Key, select the
Destination Type and Destination. The Remove button enables you to
delete the Shortcut;

• Current welcome message file: Shows the current message to be presented
when someone enters the waiting line;

• New welcome message: Select the message to be presented when someone
enters the waiting line, choose the Type and click on Browse to select it;

• Select queue information message: Select some of these messages to inform
about the position in the waiting line or the estimated waiting time.
Messages: ”You are now first in line”, ”There are”, ”calls waiting”, ”The
current estimated holdtime is”, ”minutes”, ”seconds”, ”Thank you for your
patience”, ”less than”, ”hold time”, ”All phones busy / wait for next”;

• Time interval between queue information messages: If some informative
message is selected, it is possible to select the time (seconds) between
messages;

• Periodic notification message: This option helps you to define a custom
periodic message on VoIP call queues. By default, NONE. Other options
include: All phones busy/wait for next (the default message), the ability
to upload a new periodic notification message file (mp3 or wav only) and
the time interval between these periodic messages (Time interval between
periodic notification messages), by default 60 seconds;

• Attendance timeout: Period of time (seconds) at the end of which the caller
shall be put on hold if the call is not answered, even if there is no one else
on hold;

• Attendance policy: How the waiting line answering telephones should
answer the calls:

– Ring all: All available telephones ring until one of them answers;
– Random: One of the available telephones rings at random;
– Round Robin: Each telephone rings in turn;
– Round Robin with memory: Each telephone rings in turn, but it
remembers which was the last one to ring;
– Least recently called phone: The call goes to the member that
hasn’t answered for the longest time;
– Phone with fewest completed calls: The telephone with the fewest
answered calls will ring.

• Wrap up time after call received: After the call is answered this option
sets the time. By default, 0 seconds;

• Pause users when they fail to answer a call: By default, this option
is set to No. If enabled, the user who can’t answer a call will be paused;

• Listen to new call tone when user is with a call: This option will
change the call tone if the user is busy. By default this option is set to
Yes;

• Play message when call is answered: If Yes a message will be played
before the call is answered;

• Automatic Answer: By default No. If active it enables auto-answer for
agents in call queues;

• Service Level: Service level describes, usually in measurable terms, the
services a call center service provider furnishes a customer within a given
time period. In call center metrics, service level measures the percentage of
incoming calls that an agent answers in an established amount of time. By
default 60 seconds.


Figure 4.96: VoIP - Call queue definitions

When a call queue is inserted there are the following options at the top: Back,
Modify, Delete and Members. So the next step is to define which IP phones and/or
LDAP users will be associated with the call queue. Clicking Members you will get a
list of phones and users, as shown at Figure 4.97.

Figure 4.97: VoIP - Call queue members

Current Users

At this page (Figure 4.98) you will be able to visualize a table with all the
current users by Name, Login, State and Extension.

Figure 4.98: VoIP - Call Queues - Current Users

Boss/Secretary Group

This feature enables you to configure important aspects of the Boss/Secretary
communications.

You will be able to set which users, or phones, will be ’bosses’ or ’secretaries’
and add priority numbers (numbers which will ring in the same manner on both the
secretary’s and the boss’ phones).

At the Boss/Secretary Group page (Figure 4.99) click on Insert.


Figure 4.99: VoIP - Boss/Secretary Group - Insert

At the new Insert page (Figure 4.100) you will have these options available:

Figure 4.100: VoIP - Boss/Secretary Group - Options

• Name: For your reference, name your Boss/Secretary group;

• Boss: Clicking on the + icon will open the boss’ options in two drop-down
lists:

– The first lets you select the type of ’boss’: a Phone or a
User. If you select phone you will assign a particular phone to a boss.
If you select user you will assign all the user’s associated phone settings
(i.e., phones, aliases) configured at the VoIP users management;
– The second drop-down list presents all the available phones or users
(depending on the choice made in the previous drop-down list);

• Secretary: Clicking on the + icon will open the Secretary’s options in two
drop-down lists:

– The first lets you select the type of ’secretary’: a Phone or
a User. If you select phone you will assign a particular phone to a
secretary. If you select user you will assign all the user’s associated phone
settings (i.e., phones, aliases) configured at the VoIP users management;
– The second drop-down list presents all the available phones or users
(depending on the choice made in the previous drop-down list);

• Priority Numbers: Usually, when a call is made to a boss, the ringtone on
his phone will be different from the one on his secretary’s phone. In this text box
you will be able to add phone numbers that you wish to ring in the same
way. Please remember to add only one per line.

The example on Figure 4.101 shows a Boss/Secretary Group named Group1
configured so that the boss’ phone will be the ipphone1 and his secretary
will be the user Liliana Monteiro. The secretary’s phone(s) will depend on the
settings made at:

VoIP > Users Management

The number 40100 will be a priority number, ringing in the same manner on
both phones.

Figure 4.101: VoIP - Boss/Secretary Group - Example

Click on the Insert button to save the Boss/Secretary group settings (Figure
4.102).


Figure 4.102: VoIP - Boss/Secretary Group - Settings Saved

Outbound
Access Classes

It is possible to define access rules for the existing telephones. For that it’s
necessary to click on the Insert link and fill in the following fields (Figure
4.103):

• Name: The access class name;

• Unlock code: Code to temporarily deactivate an access class;

• Prefixes: It allows you to add to the authorized prefixes list the prefixes which
may be used on the telephones under the access rules. By default all the calls
are blocked except the Authorized prefixes;

• Numbers: With the default policy it is possible to block the traffic for any
number or let it pass by default (Block/Authorize, respectively) and then, if
there are some exceptions, it is possible to indicate one exception number per
line. You can use wildcards in the exceptions;

• Domains: In the same way it is possible to authorize or block the access to
certain numbers, it is also possible with VoIP domains on the Internet.

To confirm and create a defined rule, click Insert. Now it is possible to add
the members under that rule, clicking the name of the rule and then Members
(Figure 4.104). To remove or add SIP phones to the access class you only have to
click the buttons  or  respectively.
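
An added Python example (not IPBrick code) that models the access class fields above together with the unlock dial strings from User Access Class (`PIN#number` and `PIN#password#number`). Assumptions: a call must match an authorized prefix and also pass the number policy, exception wildcards are shell-style, a successful unlock applies the user's class instead of the phone's, and the classes, the user table and the `003519*` exception are constructed.

```python
import hmac
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class AccessClass:
    name: str
    authorized_prefixes: tuple   # every call is blocked unless a prefix matches
    default_policy: str          # "Block" or "Authorize" for numbers
    exceptions: tuple = ()       # one pattern per line; shell-style wildcards assumed

    def allows(self, number):
        if not any(number.startswith(p) for p in self.authorized_prefixes):
            return False
        is_exception = any(fnmatchcase(number, pat) for pat in self.exceptions)
        if self.default_policy == "Authorize":
            return not is_exception   # exceptions are the blocked numbers
        return is_exception           # default Block: exceptions are the allowed ones


@dataclass(frozen=True)
class User:
    pin: str
    password: str
    access_class: AccessClass


def parse_unlock(dialled, with_password):
    """Split PIN#number or PIN#password#number; None if malformed."""
    parts = dialled.split("#")
    if len(parts) != (3 if with_password else 2):
        return None
    if not all(p.isdigit() for p in parts):
        return None
    if with_password:
        pin, password, number = parts
    else:
        (pin, number), password = parts, None
    return pin, password, number


def authorize(dialled, phone_class, users, with_password=True):
    """Return (allowed, name of the class that decided, or None if unlock failed)."""
    if "#" not in dialled:
        # Plain dialling: the phone's own access class applies.
        return phone_class.allows(dialled), phone_class.name
    parsed = parse_unlock(dialled, with_password)
    if parsed is None:
        return False, None
    pin, password, number = parsed
    user = users.get(pin)
    if user is None:
        return False, None
    if with_password and not hmac.compare_digest(password, user.password):
        return False, None
    # Unlocked: the user's (less restricted) class replaces the phone's class.
    return user.access_class.allows(number), user.access_class.name


# Constructed policy: the phone may only reach internal extensions (4xxxx),
# the user may also call numbers starting with 00351, except the 003519* range.
PHONE = AccessClass("internal-only", ("4",), "Authorize")
INTL = AccessClass("international", ("4", "00351"), "Authorize", ("003519*",))
USERS = {"111": User("111", "1234", INTL)}

if __name__ == "__main__":
    for dialled in ("40100", "003512255443322",
                    "111#1234#003512255443322", "111#9999#003512255443322",
                    "111#1234#00351912345678"):
        print(dialled, "->", authorize(dialled, PHONE, USERS))
```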

Figure 4.103: VoIP - Access Classes - Insert

Figure 4.104: VoIP - Access Classes - Members

Speed Dial

The speed dial allows the association between an internal address and a
telephone external to the organization. That is to say, the users call an internal
number (or address) and this is associated with a telephone external to the
organization. Example: An external alternative address of the telephone [email protected] is
created for the destination address [email protected]. This way,
whenever you dial internally 44, the call shall be re-addressed to
john.smith@another-domain.com.

Choosing Speed Dial and clicking Insert we have two fields (Figure 4.105):

• Phone Address: Will be the external number or address to call;

• Speed Dial: The extension for speed dial.


Note: If you wish to add another speed dial, simply click on the Add
button. Click on the Remove button to erase the speed dial.

If the IPBrick has routes, it’s possible to insert in speed dial field legacy PBX
extensions, GSM and PSTN numbers etc.

Figure 4.105: VoIP - Speed Dial

4.9.4 Monitoring
Online Phones

The VoIP clients that are currently active and ready to make and receive calls
can be seen here (Figure 4.106).

Figure 4.106: VoIP - Online phones

The information made available about each telephone is:

• Phone: Name of the telephone and the respective user;

• Request location: It indicates the IP address of the telephone;

• Port: Port where the telephone is registered.


Call Statistics
Finished Calls

Detailed statistics about all the finished calls. At the main menu we have:
General statistics relating to the filter criteria:

• Call number: Total number of calls;

• Total call time;

• Maximum call time;

• Average call time;

• Total RTP packets: Total of RTP (voice/video) packets;

• Lost RTP packets;

• Average lag: Average packet delay;

• Maximum lag: Maximum packet delay;

• Average jitter [21];

• Maximum jitter.

Clicking at Insert it is possible to filter the result of the list by specific fields:

• Source IP;

• Source address;

• Destination address;

• Used route: SIP routes and internal routes;

• Result: ANSWERED, NO ANSWER, BUSY, FAILED;

• Time periods.

The option Export CSV will export the list to a .csv file.

At Access Management (Figure 4.107) we can manage the LDAP users that
will have access to callstatistics website.

You may select the users who access to Call Statistics from the System users
by simply clicking on the desired username and then on the arrow button pointing
to the desired box.

[21] Jitter is the measure of the variability over time of the latency across a network.

Figure 4.107: VoIP - Call Statistics - Access Management

In the call list we have specific statistics (Figure 4.108) relating to the filter
criteria (Figure 4.109):

• #: Call identification;

• User: Username;

• Source Address: Name of origin telephone/number;

• Destination Address: Number or name of destination telephone;

• Final Destination Address: Number or name of the final destination
telephone;

• Source IP: Source IP phone address;

• Route: Route used to make the call;

• Fallback: If it was a fallback route;

• Result: Result of the call (ANSWERED, NO ANSWER, BUSY or FAILED);

• Start: Call start time;

• Ring time: Time that the destination telephone rang;

• Duration: Call duration.

Clicking one of these check boxes will order the calls by that field.


Figure 4.108: Finished Call statistics

Figure 4.109: VoIP - Statistics filter

Current calls

In this menu we have statistics about the current calls, with these fields:

• Source: Name of origin telephone/number;

• Destination: Number or name of destination telephone;

• Duration: Call duration;

• State: The current state;

• Route: Route used to make the call.


Call Recording

In IPBrick it’s possible to enable the recording of all calls, placing the archived
records in the Document Management and Workflow System, iPortalDoc. Users
with higher privileges may listen to calls as they happen. After enabling the
configuration, two other options will appear (Figure 4.110):

• Record format: MP3 or WAV;

• iPortalDoc URL: Specify the existing URL(s) for the iPortalDoc server(s).
If iPortalDoc is not installed, it’s not possible to use this feature.

The next step is to define which SIP phones will have their calls recorded. This
can be defined at Advanced Configurations - Telephony - Registered Phones.
A new field called Call Recording is now present with the following options (Fig-
ure 4.111):

• None: The phone will not have its calls recorded;

• Incoming: Only the incoming calls will be recorded;

• Outgoing: Only the outgoing calls will be recorded;

• All: All the calls will be recorded.

The high privileged iPortalDoc users can now listen to the calls at the workflow
calls;

Figure 4.110: VoIP - Call recording definitions

At the top right corner of the Call Recording page there are two additional
links (Figure 4.112):

• Phones Management

• Additional Numbers


Figure 4.111: VoIP - Call recording - Phones configuration

Figure 4.112: VoIP - Call recording - Phone Management/Additional numbers links

Phones Management

This feature enables you to manage the call recording on the internal phones.

If you click on the phone’s name, a new page is displayed (Figure 4.113)
where you can select from the following options:

• None: No calls will be recorded;

• Incoming: Only the incoming calls will be recorded;

• Outgoing: Only the outgoing calls will be recorded;

• All: All calls to and from that phone will be recorded.

Confirm your choice by clicking on the Modify button.


Figure 4.113: VoIP - Call recording - Phone Management page

Additional Numbers

Clicking this link redirects you to a new page that shows the list of added
numbers. Click Insert to add a new number or prefix (Figure 4.114). These are
the available fields:

• Number: To add a prefix select begins with. To add a number select is
and type the number (or prefix) in the following box.

• Call Recording: This lets you choose which calls to record. As in Phone
Management, select from None, Incoming, Outgoing or All.

Figure 4.114: VoIP - Call recording - Additional Numbers page

Call Supervision
Call supervision lets you supervise specific IP phones. The idea is to guide
the person answering a call on a supervised phone. This functionality can be
useful for technical support departments.

The first step to use call supervision is the feature activation. This is done at
Advanced Configurations - Telephony - Configurations - Call Supervision
(Figure 4.115).

When enabled, a supervision group should be created by clicking Insert.


Three fields are presented:


• Name: A description for the supervision group. Example: technical support;

• Unlock code: A code for members authentication. Example: 444;

• Supervision mode: There are three modes available:

– Only Spy: The supervisor will only be able to listen to the call;
– Only Whisper: The supervisor will be able to speak, but only to the
person who’s answering the phone. The supervisor will not be able to
listen to the call;
– Spy and Whisper: The supervisor will be able to speak (only to the
person who’s answering the phone) and listen to the conversation.

Figure 4.115: VoIP - Call Supervision Group

By clicking the supervision group name, it’s possible to define:

• Call Supervision Group Members: To define which phones are able to
listen to/supervise calls (Figure 4.117);

• Supervisioned phones: To define which phones will be supervised
(Figure 4.116);

Figure 4.116: VoIP - Call Supervision - Supervisioned phones

After the configuration, a call can be supervised by following these steps:

• Dial the prefix+supervised_phone from a phone that is a member of the
supervision group;

• Insert the unlock code and press # when asked;

• A beep is then heard and the supervision starts: the call can be listened
to and you can talk only to the person who is at the supervised phone. The
remote person can’t hear the supervision.

Figure 4.117: VoIP - Call Supervision Group members

Call manager
The Call Manager (Figure 4.118) is a Flash application that shows the state of
each extension (whether it is online and whether it is in a call) and the state
of the lines and SIP servers. You can also end calls through this interface
when authenticated.

Figure 4.118: VoIP - Call Manager configuration

The call manager is configured (Figure 4.119) from the IPBrick web interface in
IPBrick.C - Voip - Call Manager, by clicking the link Change. By default it
shows the state of all registered telephones, the ports of each ISDN and analog
card, and the state of the queues, conferences and SIP servers. Any of these
fields can be hidden by removing it in Show fields.

To define an administration password that allows calls to be ended, change the
value of the field Administration password. To allow other LDAP users to use
the call manager, control their permissions in the Access Management option.

Figure 4.119: VoIP - Call Manager

The configuration page has the link to the call manager, which may be accessed
from the LAN. It might be necessary to define the alias call manager in the DNS
server of the network.

If not all the extensions, lines and servers of the call manager are visible,
move the mouse to the right side of the page and the remaining ones become
visible. In this version of Call Manager, some operations are available once
the administrator password is inserted:

• Call transfer: Drag and drop the active phone to another;

• Call termination: Double click in a phone;

• Call generation: Drag and drop one phone to another;

The screen shows all the telephones, routes, interfaces, etc. that are
registered in IPBrick, with some differences in how they appear: a telephone
with a visible IP address is active; otherwise it is deactivated. A telephone
shown in red has a call in progress, and the call duration is indicated.


4.9.5 Routes Management


In order for IPBrick to execute the routing of calls between the several network
interfaces, it is necessary to define the specific routes according to a telephony
numbering.

As you can see in Figure 4.120, these options are available:

• Local Routes: Represents all the local interfaces available in IPBrick by
default;

• Outbound routes: Represents all the outbound routes, so it will be possible
to make calls using SIP/IAX accounts;

• SIP servers list for registering: Allows calls to be received for SIP numbers
associated to SIP accounts;

Figure 4.120: VoIP - Routes Management

Local routes

Local routes (Figure 4.121) allow the configuration of an interconnection
between LAN, PSTN, PBX or INTERNET.
The possible options by default are:

• PSTN-LAN: It allows the call routing from the telephone network to the
VoIP phones of the local network. It’s an internal IPBrick route that can
redirect the calls received from the PSTN to VoIP phones;


• PBX-LAN: It allows the call routing between the telephones connected to
the PBX and the VoIP telephones of the local network;

• LAN-PBX: It allows the call routing from the VoIP telephones in the local
network to the telephones of the PBX;

• LAN-PSTN: It allows the call routing from VoIP phones to the telephone
network;

• INTERNET-PBX: It allows VoIP calls from the Internet to be accepted and
routed to PBX phones. It’s an IPBrick internal route only for call redirection;

• INTERNET-PSTN: It allows VoIP calls from the Internet to be accepted and
routed to the telephone network. It’s an IPBrick internal route only for call
redirection;

• PBX-PSTN: This is a default internal route. It allows the call routing from
the PBX to the telephone network. [22]

• PSTN-PBX: This is a default internal route. It allows the call routing from
the telephone network to the PBX.

[22] It’s possible to call from phones connected to the PBX and, if IPBrick is
connected to the PSTN and to a PBX, you can also answer calls. IPBrick will
work in a transparent mode, switching all the traffic from PBX to PSTN and
vice-versa.

If there are other configured interfaces (acting like trunks), they may be added
to the list of routes. To do so, click the link Available Local Routes
(Figure 4.121) and then add the necessary routes.

Figure 4.121: VoIP - Local Routes

The Insert link in the top menu allows you to insert one of the routes
mentioned. After insertion, each type of route has a link that allows its
configuration. When accessing this interface it is possible to choose one of
these options:

• Back

• Modify: To change the type of local route;

• Delete: Remove the local route;

• Insert: It allows you to add the prefixes that must be added to this route.
When you indicate a prefix, all the calls whose initial digits coincide with
that prefix are routed by that route. Choosing Advanced Options, these options
are available (Figure 4.125):
– Prefix: The numeric prefix to use to make calls using that route;
– Include prefix in address: If Yes the prefix will be part of the
destination number, so the prefix will be maintained when the call is
routed. If No the prefix will be used only to identify the route. Example:
To enable the use of number 6 to route a call to the Portuguese PSTN
network, it is necessary to remove this prefix so that the number
keeps the correct format (the format 2XXXXXXXX instead of
62XXXXXXXX).
– Postrouting prefix: It’s a prefix added by the IPBrick when the
number is received. Example: For the Portuguese PSTN network we
use the format 2XXXXXXXX. If we use a SIP account route as the main
route, it’s necessary to use prefix 2, include prefix in address and use
a postrouting prefix with 00351 (351 is the Portuguese international
code);
– Caller IDs restriction: Will restrict the route only for the listed
caller IDs;
– Fallback routes: It’s a backup route to use if the present one fails;
– Generate local ringing tone: Will generate a local ringing tone.
Can be used when it can’t ring at the destination phone;
– Priority: Define the prefix priority level.

Outbound routes

This option enables you to configure which calls shall be routed to an external
server which, in turn, shall be responsible for routing them to their destination
(Figure 4.122). This routing is made through prefixes that may be inserted by
clicking the name of the route and then the link Insert above the prefixes table.
To change or remove a route, click its name and then the option Modify or
Delete, respectively.
To add a new outbound route click Insert. The Basic Options are:
• Type: Type of signalling protocol to use. Can be SIP, SIP with TLS, IAX
or Local;
• Name: Outbound server name;
• Server Address: Server IP address or name;
• Authentication: If authentication is necessary at the server, choose the
option User/Password and fill in the user name and respective password.


Choosing Advanced Options, the following parameters are presented:

• Server Port: Server port to use;
• Video support: If the VoIP server supports video, you can enable that
option;
• Caller identifier: Outbound caller ID masking;
• Registration realm: The realm is usually the SIP server FQDN, but some SIP
servers have a different server address and registration realm;
• Outbound proxy: Usually not used. It is a server that passes the SIP
messages between the SIP client and the SIP proxy server;
• Available to Internet: With this option selected, the route shall be
available for VoIP telephones outside the LAN;
• Simetric signalling: It allows you to define whether signalling is sent and
received through the same port (5060);
• Enable ENUM lookup: It allows IPBrick to search through ENUM. [23]
• Enable DUNDi lookup: It allows IPBrick to search through DUNDi. [24]
• DTMF type: Type of DTMF [25] to use. Options: RFC2833 (default), Inband,
Info and Auto;
• Call limit: Number of possible simultaneous calls using that route, which
can be useful for bandwidth control. With 0 we can disable it;
• State check: This feature lets you verify whether the entity is online. For
example, for a phone it checks for online activity, so IPBrick knows when the
entity is no longer available, whether by accident or deliberately. By
default this field is set to No;
• No far-end NAT detection by provider: This option applies in a context
where there’s a route to an operator that also sends calls, i.e. not just an
outbound operator.
• P-Asserted-Identity: Some servers now require that SIP packets include
P-Asserted-Identity in the header. If this is the case, please activate this
option.

NOTE: At Authentication you will have to choose User/Password in order for
this option to be available.

• Caller ID on blind tranfers: Support for configuring the caller ID on
blind transfers. Available options are:

– Use the caller ID of the phone that transfers

– Use the caller ID of the transfered phone

[23] Group of protocols that aims to associate the telephonic numbering to a new
register in DNS. This way, a telephone number shall correspond to a SIP address.
[24] A peer-to-peer system for locating Internet gateways to telephony services.
Unlike traditional centralized services (such as the remarkably simple and
concise ENUM standard), DUNDi is fully distributed with no centralized authority
whatsoever.
[25] Dual-tone multi-frequency

Figure 4.122: VoIP - Outbound route definition

If the outbound route type is IAX, the only parameters are:


• Name;

• Server Address;

• Server Port;

• Available to Internet;

• Call limit.


If the outbound route type is Local, the basic parameters are:

• Type: Local

• Name: Type your local server’s name

Figure 4.123: VoIP - Local - Basic Options

But if you click on Advanced Options a new set of fields will appear:

• Caller identifier: Outbound caller ID masking;

• Available to internet: By default, NO;

• Call limit: (by default, 0 to disable)

• Mandatory Route: A mandatory VoIP route will have priority over any
other. Dialed numbers (including prefixes) associated to a mandatory route
will overlap any other match, even if this match is with a local phone, an alias
or any other direct access (including IVRs, Attendances Sequences, queues,
etc.);

• Caller ID on blind tranfers: Support for configuring the caller ID on
blind transfers. Available options are:

– Use the caller ID of the phone that transfers

– Use the caller ID of the transfered phone


Figure 4.124: VoIP - Local - Advanced Options

Click on the Insert button to create the route.

Prefixes
The prefixes inserted in any of these outbound routes are automatically
available for the SIP telephones and the telephones connected to the PBX.

These are all the available options (advanced):

• Route name: Type your route’s name

• Prefix-Number Pattern: Both fields define the destination’s number format
that enables you to make calls by using this route. Prefix will be a number
and for the Number Pattern you may use this syntax:

X          matches any digit from 0-9
Z          matches any digit from 1-9
N          matches any digit from 2-9
[1237-9]   matches any digit or letter in the brackets
           (in this example, 1,2,3,7,8,9)
[a-z]      matches any lower case letter
[A-Z]      matches any UPPER case letter
.          wildcard, matches one or more characters
!          wildcard, matches zero (none) or more characters immediately

• Include prefix in address: By default YES

• Postrouting prefix: It’s a prefix added by the IPBrick when the number
is received. E.g.: For the Portuguese PSTN network we use the format
2XXXXXXXX. If we use a SIP account route as the main route, it’s necessary
to use prefix 2, include prefix in address and use a postrouting prefix with
00351 (351 is the Portuguese international code);

• Caller IDs restriction: Will restrict the route only for the listed caller
ID’s. Click on the ADD button to insert a restriction;

• Fallback routes: Should any failure occur, you may set an alternative
route. Click on the ADD button to insert a fallback route;

• Generate local ringing tone: It generates a ringing tone to the calling
party. By default, NO

Figure 4.125: VoIP - Prefix definition
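
The prefix options described for local and outbound routes (Prefix, Number Pattern, Include prefix in address, Postrouting prefix) can be checked offline before a route goes live. The following is an added example, not part of the original manual and not IPBrick's own code; it assumes the Number Pattern is matched against the digits that follow the Prefix, and the route names and dialed numbers are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Pattern symbols from the syntax table above, mapped to regex fragments.
_SYMBOLS = {
    "X": "[0-9]",
    "Z": "[1-9]",
    "N": "[2-9]",
    ".": ".+",  # wildcard: one or more characters
    "!": ".*",  # wildcard: zero or more characters
}


def pattern_to_regex(pattern: str) -> str:
    """Translate a Number Pattern into an equivalent regular expression."""
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "[":
            end = pattern.find("]", i)
            if end == -1:
                raise ValueError(f"unclosed '[' in pattern {pattern!r}")
            body = pattern[i + 1:end]
            # Only digits, letters and ranges are accepted inside brackets.
            if not re.fullmatch(r"[0-9A-Za-z-]+", body):
                raise ValueError(f"invalid set [{body}] in pattern {pattern!r}")
            out.append(f"[{body}]")
            i = end + 1
        else:
            # Anything that is not a pattern symbol is matched literally.
            out.append(_SYMBOLS.get(ch, re.escape(ch)))
            i += 1
    return "".join(out)


@dataclass(frozen=True)
class PrefixRule:
    route: str                    # route name (constructed for this example)
    prefix: str
    number_pattern: str
    include_prefix: bool = True   # "Include prefix in address", YES by default
    postrouting_prefix: str = ""

    def apply(self, dialed: str) -> Optional[str]:
        """Return the address sent to the route, or None if the rule does not match."""
        if not dialed.startswith(self.prefix):
            return None
        # Assumption: the pattern describes the digits after the prefix.
        rest = dialed[len(self.prefix):]
        if re.fullmatch(pattern_to_regex(self.number_pattern), rest) is None:
            return None
        address = dialed if self.include_prefix else rest
        return self.postrouting_prefix + address


def matching_routes(rules: List[PrefixRule], dialed: str) -> List[Tuple[str, str]]:
    """List every rule that accepts the dialed number, so overlaps are visible."""
    hits = []
    for rule in rules:
        address = rule.apply(dialed)
        if address is not None:
            hits.append((rule.route, address))
    return hits


# Constructed rules: the two Portuguese PSTN examples from the text, plus a
# hypothetical international route that uses the "." wildcard.
RULES = [
    PrefixRule("LAN-PSTN", "6", "2XXXXXXXX", include_prefix=False),
    PrefixRule("sip-account", "2", "XXXXXXXX", postrouting_prefix="00351"),
    PrefixRule("sip-international", "00", "Z."),
]

if __name__ == "__main__":
    for number in ("6212345678", "212345678", "0044123456", "62123", "001"):
        print(number, "->", matching_routes(RULES, number) or "no route")
```

A number that returns more than one entry is accepted by several rules at once, which is worth reviewing together with the Priority and Mandatory Route settings.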

Codecs

For each outbound route it’s possible to set which codecs are going to be used
(click on Modify) as well as their priority (Order option).


Figure 4.126: VoIP - Codecs

SIP servers list for registering

Here it’s possible to visualize the SIP [26] address list which has already
been configured (Figure 4.127). When inserting a new one, the page generated
asks for the following data:

• Name: Server name;

• SIP server address: SIP server IP or address. It is possible to specify the
port number along with the SIP IP address as: <server address>:<port
number> (e.g.: 212.12.34.1:5090)

After typing in the data, it is necessary to click the button Insert to confirm
the address. The next step is to register accounts to the local SIP server.
Pressing Insert presents these options:

• Login: SIP account login. Normally it’s the nomadic SIP number;

• Authentication user: Usually the same as the login;

• Password: SIP account password;

Note: To configure the internal number to which the operator will transfer the
incoming calls from the Internet for that nomadic number, just create a Phone at
Phones Management, IVR, Call Group etc. at Functions > Inbound.

Note: In order to define the destination of the received calls, you should
configure a Speed Dial or use a function for that purpose.
[26] Session Initiation Protocol


Figure 4.127: VoIP - SIP server for registering

4.9.6 Music on Hold


In this section (Figure 4.128) you can see the list of songs which shall be heard
if the call is placed on hold. It is also possible to add more mp3 files to the
list: click the link Insert, search for the location of the music file (by
clicking on the button Browse...) and write a brief description of the file in
the field Name. To add the mp3 after all fields have been filled in, click the
button Insert. You can also remove or modify the songs on the list by clicking
on the name of the song and then on Change or Delete.

Figure 4.128: VoIP - Music on hold

4.9.7 Voice Prompts


The Voicemail prompts are now divided into .tgz files by language, with a
structure compatible with the system of Asterisk 1.4.x.
The AsteriskSounds4IPBrick voice prompts packages (.tgz files) are available
on IPBrick e-shop at:

Downloads > Software > IPBrick Related Software > IPBrick 5.3


Figure 4.129: VoIP - Voice Prompts

The available languages are:

• Spanish: asterisksounds4ipbrick_es.tgz

• French: asterisksounds4ipbrick_fr.tgz

• Dutch: asterisksounds4ipbrick_nl.tgz

• German: asterisksounds4ipbrick_de.tgz

• Portuguese: asterisksounds4ipbrick_pt.tgz

By default, IPBrick comes with just the English voice prompts already installed
and ready to use (Figure 4.130). But as soon as you add more packages you will
be able to select them as default.

Figure 4.130: VoIP - Voice Prompts by default

To add another language, please download the package at our eshop (or use any
other compatible packages you have in your possession) and install it, by clicking
on the Insert link, at the Voice Prompts page (Figure 4.129).


At the new page (Figure 4.131) name the voice prompt package and select the
language. This is a double-check procedure to ensure that you are adding
the correct file. Click on Browse... to select the .tgz voice package.

Figure 4.131: VoIP - Insert Voice Prompts

When you have finished, please click on the Insert button.

4.9.8 Dialplan

At Dialplan you will be able to check the information tables for the Internal,
Inbound and Outbound routes. It will also be possible to do quick modifications,
simply by clicking on the corresponding icons.

At the top of the page there’s a Filter (Figure 4.132) where you can select
whether to visualize All or just the Internal (Figure 4.133), Inbound
(Figure 4.134) or Outbound routes (Figure 4.135). Simply select the one you
wish to see.

Figure 4.132: VoIP - Dialplan - Filter


Figure 4.133: VoIP - Dialplan - Internal

Figure 4.134: VoIP - Dialplan - Inbound

Figure 4.135: VoIP - Dialplan - Outbound Routes

These tables are arranged by Number, Type and Interface for the source and
destination. On all of them, you will be able to select the number of entries to
be visualized (10, 25, 50, 100, 250), order the table by column and read the
Description of each row. There’s also a search box so you can make your queries.

It is also important to note that besides each row showing one element of the
table, there’s a dedicated All row for the inbound and outbound routes.

There are also three types of icons (Figure 4.136) with different results
depending on their location:

Figure 4.136: Add - Edit - Delete Icons

• Add: Clicking on this icon will open a new window: VoIP > Routes Management
> Prefixes, enabling you to add prefixes.

• Edit: This will open a new window where you’ll be able to alter the
corresponding settings.

– At the Internal table the edit icon will open the Telephony > Configurations
> Modify page.

– At the Inbound table the edit icon will open the VoIP > Functions
> Inbound > Call queues > <The respective queue> > Modify page.

– At the Outbound Routes table the edit icon will open the Telephony
> Configurations > Modify page.

• Delete: Clicking on this icon will erase the corresponding route or call queue.
At the new window simply click on the Delete button to confirm or the Close
button to cancel the action.

4.10 IM
IM (Instant Messaging) is a service that lets you exchange text messages at
near-real-time speed. IPBrick’s IM server is ejabberd, an IM server based on the
Jabber (XMPP) protocol.

With this server you can communicate both using the Jabber protocol and the
MSN protocol through an MSN gateway. Access to MSN contacts is controlled by
this web interface. By default, the IM service, when enabled, blocks access to all
MSN contacts, except the ones explicitly authorized in this web interface.

It is also possible to record all chat conversations; this requires the
ucoip4iportaldoc v2.1 package, available at our eshop in:


4.10.1 Activating / Deactivating the IM server


Enable Instant Messaging > Modify (Figure 4.137):

• No: The ejabberd server is stopped and all access to the MSN IM network
is unblocked.

• Yes: The ejabberd server is running and access to the MSN IM network
is blocked. The MSN client programs are blocked (Figure 4.138), and so
are the web messenger sites, as can be seen in Firewall (Figure 7.29). At
Authorized domains you can define which domains are authorized to use
the IM service.

When the Instant Messaging server is enabled, you’ll have the following
features:

• List of authorized MSN users from IPBrick Contacts:

– Insert: Clicking the checkboxes you can choose which MSN contacts,
from IPBrick Contacts, are reachable through the Instant Messaging
server.
– Delete: Clicking the checkboxes you can choose the contacts from
IPBrick Contacts that you no longer want to be reachable from accounts
logged on the server.

• List of authorized MSN users:

– Modify: Add, one per line, the MSN contacts that you want to be
reachable through the Instant Messaging server. All users will be able to
reach only the authorized MSN contacts. To remove the authorization
you just need to remove them from the text box.

It is possible to use both these features simultaneously, that is, you can be
using IPBrick Contacts to allow MSN contacts, and add other contacts in the List
of authorized users.


Figure 4.137: IM - Enabling Instant Messaging Server

Figure 4.138: IM - Blocking MSN applications

Figure 4.139: IM - Web messenger sites blocking in firewall



Chapter 5

IPBrick.GT

All the services except Fax are presented at IPBrick.C menu:

• VoIP;

• IM;

• Fax Server;

• E-Mail;

• SMS;

• Web Server;

• Webmail.

5.1 Fax Server


The fax server is integrated in IPBrick from version 4.1 onwards. It works
with a serial modem/fax or integrated in the PBX IP server. Incoming faxes are
automatically forwarded through email.

The FAX Server configurations are implemented through the web interface in
IPBrick.GT - FAX Server (Figure 5.1).

Figure 5.1: Fax Server - Configure

IPBrick provides these two services: FAX2Mail and Mail2FAX. With the
FAX2Mail service, a FAX sent by an external FAX device is received by the FAX
connected to IPBrick and is then forwarded to a defined email address.

With Mail2FAX you can send a pdf file attached to an email to a defined FAX
number. To enable this task you have to configure the email client with the SMTP
server where the FAX service is running and add the configured fax domain to the
domain list that is allowed to be forwarded by the email server.

5.1.1 Fax2Mail
To configure this service you have to click on the Modify link and select Yes to
Enable Configuration. The following options are displayed:

Figure 5.2: Fax Server - FAX at telephony card

• Main Fax Number: The PSTN Fax number to be presented when a FAX is sent;

• Company identification: Company name to be presented when a FAX is sent;

• Country Code: Country phone number code to be presented when a FAX is
sent;

• Area Code: Area phone number code to be presented when a FAX is sent;

• Long distance prefix: 0 by default;


• International prefix: 0 by default;


• Rings Before Answer: Number of rings before IPBrick answers the Fax. Can
be useful if another FAX equipment is connected. For example, if the FAX
equipment can’t receive the FAX, IPBrick FAX server can answer at the 5th
ring;
• Speaker volume: FAX sound volume;
• Enable delay: Should be active by default;
• Sender of notifications: It’s an internal email account that will send
notifications to users that are using Mail2FAX. Examples: Error sending fax,
task completed etc. By default we use IPBrick Fax Server that will use
the current domain;
• Sender of received fax notifications: Identification of the sender of the
reception warnings. By default we use IPBrick Fax Server;
• Attach Original File in the notification: Choose YES if you wish to attach
the file in the notification (by default this option is set to NO);
• Fax resolution: Define the vertical resolution of the fax. There are two
resolution modes, a normal resolution of 98 lines/inch and a high resolution
of 196 lines/inch;
• Number of attempts to send the fax: Number of attempts to send the
FAX. By default a job is terminated if 3 consecutive attempts to send a
particular page fail;
• Maximum time to send the fax: Sets the time within which a fax has to be
sent. The process is stopped if it does not complete in the indicated time.
To activate the configuration, click Modify.

If you access the menu again, there will be two new options near the link
Modify: Fax Users and Fax Interfaces

Fax users
In Fax users (Figure 5.3), you can set which users may be authenticated in the
Fax client application and which will have permissions to manage Fax queue lists.

The FAX client can be WinPrintHylafax, which is available for download at:

http://winprinthylafax.sourceforge.net

The benefit of using a FAX client on the workstations is the possibility
to print any document directly to HylaFax, so it’s an alternative to Mail2FAX,
explained below.


Figure 5.3: Fax Server - Fax Users

Fax Interfaces
In this page (Figure 5.4) you will insert any number of interfaces that you deem
necessary.

Figure 5.4: Fax Server - Fax Interfaces page

Click on Insert and a new page is presented (Figure 5.5).

Figure 5.5: Fax Server - Fax Interfaces Insert page

Depending on the choices you make, these are the presented fields:

• Name: The name you will give to the interface, e.g.: fax1

• Type: The interface’s typology. These are the available types:

  – Foip - SIP: FoIP stands for Fax over IP and refers to the process of
    sending and receiving faxes via a VoIP network.
    Server address: The server’s URL (e.g.: voipbuster.sip.com)
    Authentication: There are two options:
    - Fixed IP: A static IP
    - User/Password:
      – User: Type the user’s name
      – Password: Insert the desired password
      – Retype Password: Confirm the password by re-typing it.
  – Telefony Card: Choose the type of Interface:
    - PSTN
    - PBX
  – Foip - T38: Fax over IP works via T38 [1] and requires a T38 capable
    VoIP gateway as well as a T38 capable fax machine, fax card or fax
    software. Fax server software that can talk ’T38’ allows sending and
    receiving faxes directly via a VoIP gateway and, consequently, does not
    need any additional fax hardware. As with FoIP SIP you will have two
    modes of Authentication:
    - Fixed IP: A static IP
    - User/Password:
      – User: Type the user’s name
      – Password: Insert the desired password
      – Retype Password: Confirm the password by re-typing it.
  – Serial Fax Modem: If the modem is connected to the server serial port
    you should choose the port that connects to the modem in the
    Serial Ports list (S0 to S7), the Baud rate (1200 to 38400) and the Class
    of the modem (Class1 to Class2.1). To know the appropriate values you
    should read the modem manual.

• Number of virtual fax machines: Define the number of virtual FAX’s to use;

[1] T38 is a protocol that describes how to send a fax over a computer data
network. T38 is needed because fax data can not be sent over a computer data
network in the same way as voice communication.


By default, notifications and reception warnings are delivered by email to
fax@<domain>. That’s why you have to create an email account with this name
or an alternative email with the same name for other existing accounts.

Note: You have to activate the Fax service in Advanced Configurations
- System - Services and click in FAX. Enable Active and Automatic start.

T38

The necessary steps to configure the T38 protocol are presented next.

Note: The presented configurations should serve merely as an example.

At IPBrick.GT > Fax Server, activate the FAX service. As soon as that is done,
three links appear at the top right corner of the page: Modify, Fax interfaces
and Fax Users.

Figure 5.6: T38 - Fax Server

Click on Fax Interfaces and there will be two types of interfaces FoIP-SIP
and FoIP-T38. Select the latter and create a new interface for your T38 operator.


Figure 5.7: T38 - Fax Interfaces

At Routes Management (IPBrick.GT > Fax Server > Routes Management)
create the FAX routes in the same fashion as for the SIP routes.

Figure 5.8: T38 - FAX Routes

Click on Insert at Outbound Routes and add a route using the previously
created interface. You may configure it as default gateway or as prefix.

Figure 5.9: T38 - Outbound Routes

You should now insert an inbound route.


Figure 5.10: T38 - Inbound Routes

The final result should be something like in the following figure:

Figure 5.11: T38 - Final result

In this example, the FAX default gateway is the T38 operator and the DDI
22XXXXXXX is an entry in T38.

5.1.2 Mail2Fax
In Mail2Fax definitions we have two options:

• Domain for fax sending: It’s an internal domain used just to send faxes. You
can choose any domain you want, but the recommended one is fax.domain.com.
When the email server receives a message for that FQDN, the message
attachment will be forwarded to the FAX server, which sends the FAX through the
PSTN;

• Presented source fax number: For each LDAP group it’s possible to define
what would be the source fax number field when someone sends a FAX to
the PSTN (public network, outside, etc.);

After updating the configurations you will be able to send faxes from a
workstation using a simple email client. At the workstation side just:


• Map an email account pointing the SMTP to the IPBrick or use webmail;

• At the To: field insert number@fax_domain, e.g.: [email protected];

• The subject is optional, so the next step is to attach a .pdf or a .tiff file
that will be the FAX;
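The workstation-side steps above can also be scripted. The following Python is an added example, not part of the IPBrick documentation or product: it builds the Mail2Fax message and checks that the recipient is a digits-only number and that the attachment really is a PDF or TIFF file. The function names, the sender address, the fax number, the 3 to 20 digit limit and the SMTP host are assumptions; fax.domain.com is the recommended domain from the text.

```python
import re
import smtplib
from email.message import EmailMessage
from pathlib import PurePosixPath

FAX_DOMAIN = "fax.domain.com"  # recommended Mail2Fax domain named in the text

# extension -> (MIME maintype, MIME subtype, accepted leading bytes of the file)
ALLOWED_TYPES = {
    ".pdf": ("application", "pdf", (b"%PDF-",)),
    ".tiff": ("image", "tiff", (b"II*\x00", b"MM\x00*")),
}


def build_fax_mail(sender, number, filename, data,
                   fax_domain=FAX_DOMAIN, subject=None):
    """Return an EmailMessage addressed to <number>@<fax_domain>.

    Raises ValueError when the number is not plain digits or when the
    attachment is not a .pdf/.tiff file whose content matches its extension.
    """
    # Digits only: keeps spaces, CR/LF and extra addresses out of the To: header.
    # The 3..20 length bound is an assumption of this example.
    if not re.fullmatch(r"[0-9]{3,20}", number):
        raise ValueError("fax number must contain digits only")

    name = PurePosixPath(filename).name
    suffix = PurePosixPath(name).suffix.lower()
    if suffix not in ALLOWED_TYPES:
        raise ValueError("attachment must be a .pdf or .tiff file")

    maintype, subtype, magics = ALLOWED_TYPES[suffix]
    # Check the leading bytes so a renamed file is not queued as a fax.
    if not any(data.startswith(magic) for magic in magics):
        raise ValueError("attachment content does not match its extension")

    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = f"{number}@{fax_domain}"
    if subject:  # the subject is optional
        msg["Subject"] = subject
    msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=name)
    return msg


def send_fax_mail(msg, smtp_host, port=25):
    """Hand the message to the SMTP server (the IPBrick, per the steps above)."""
    with smtplib.SMTP(smtp_host, port, timeout=30) as smtp:
        smtp.send_message(msg)


if __name__ == "__main__":
    # Constructed sample input: a minimal PDF header, not a real document.
    sample_pdf = b"%PDF-1.4\n% constructed sample\n"
    mail = build_fax_mail("user@domain.com", "220000000", "offer.pdf", sample_pdf)
    print(mail["To"])
    # send_fax_mail(mail, "ipbrick.domain.com")  # hypothetical SMTP host
```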

Note that you can create a mailing list at IPBrick and insert all the FAX
numbers you want, e.g.: Create a mailing list named [email protected]
and insert at External users list some customers’ FAX numbers:

[email protected]
[email protected]
[email protected]
...

So at the client side you just need to send an email to [email protected],
attaching only the .pdf or .tiff file.

5.1.3 Statistics
This menu displays the statistics about Sent Faxes, Incoming Faxes and tasks
in progress.

Sent Faxes
Visible fields (Figure 5.12):

• ID: Fax identification;

• Date: Sending date;

• Owner: Fax Sender;

• Pages: Number of Pages;

• Origin: Origin email address;

• Number: Fax number;

• Attempts: Number of attempts;

• State: Fax sending status;

• File: Type of file.


Figure 5.12: Fax Server - Sent Faxes

Received Faxes
Visible fields (Figure 5.13):

• Sender: Sender name;

• Destination: Receiver number;

• Pages: Number of pages;

• Reception date;

• File: Fax file.

Figure 5.13: Fax Server - Received Faxes

Running
Visible fields (Figure 5.14):

• Delete: Deletes Fax;

• ID: Fax identification;


• Owner: Fax sender;

• Number: Fax number;

• Pages: Number of pages;

• Attempts: Number of attempts;

• State: Fax sending status.

In this menu you can view statistics and delete tasks.

Figure 5.14: Fax Server - Current Faxes

The monthly FAX statistics are automatically sent to the Sender of notifications
email.

5.1.4 Routes Management


On this page (Figure 5.14) you will be able to define outbound and inbound
routes; just click on the corresponding Insert link.

Figure 5.15: Routes Management


Outbound
The prefix definitions are as follows:

• Fax interface:

• Prefix:

• Default gateway: If you check this field, the next options will be
unavailable:

– Include prefix in address: By default: YES


– Postrouting prefix: Type the Post routing prefix

Inbound
These are the available inbound number definitions:

• Fax interface: Select the desired interface, from those you have inserted, in the
drop-down list;

• Fax Number:

• Send to: At this moment the single option available is sending to email;

• Destination: The email address to which the IPBrick incoming faxes are
forwarded;

• File type: The faxes will be delivered in these formats: pdf, ps or tiff.



Chapter 6

IPBrick.KAV

All the services are presented at IPBrick.C menu:

• Firewall;

• Proxy;

• VPN;

• E-Mail;

• Webmail.



Chapter 7

Advanced Configurations

Here you have the advanced interface for some services and configurations
present in the upper menus. This chapter is divided into the following main sections:

• IPBrick;

• Telephony;

• Network;

• Support services;

• Disaster recovery;

• System.

7.1 IPBRICK
7.1.1 Definitions
This section covers some essential IPBRICK server configurations.

Domain Definitions
In Domain Definitions you configure the hostname and the server DNS
domain. The Fully Qualified Domain Name is composed of the machine name and
the DNS domain. For example, if you have the hostname ipbrick and the DNS
domain domain.com, the FQDN will be ipbrick.domain.com. In order to change
these definitions click on Modify.

Network Definitions
At network definitions it is possible to configure the following network interface
parameters:

• Interface: Interface name;


• Type: Private (for eth0) or public for the others;

• Mode: Interface mode can be static or, for the public interfaces, it’s possible
to configure the interface as dynamic, so it will act as a DHCP client;

• IP: Interface IP address with the corresponding network bit mask;

• Network: Network address;

• Broadcast: Network broadcast IP;

• Aggregate network interface cards: If some additional NICs are available,
Ethernet bonding can be configured;

• MAC Address: Physical address of NIC.

The parameter state will show the physical link state:

• Green: The link is OK;

• Red: The link is DOWN;

Modify changes these parameters. Insert adds a new IP alias
for the interface. Example: eth0:1, eth0:2.

If IPBrick works as an Intranet server (IPBrick.I), it is only necessary to
configure the private interface. The public interface may keep all the default
configurations and it shall not have a network cable connected.

If the server has more network cards (ETH2, ETH3...), they are listed as private
but no rules will be added automatically to the firewall. This means that all traffic
for those new interfaces will be denied.

If IPBrick works as a Communications server (IPBrick.C) or if it combines
the Intranet and Communications functions (IPBrick.I + IPBrick.C), it is
necessary to configure the two network interfaces (in these two situations, the server
where IPBrick was installed shall have two network cards).

To change the network interfaces definitions, it’s necessary to click ETH0 and
ETH1.

The network cards aggregation (bonding) option can provide failover, load
balancing and link speed increase. To get a good experience with bonding, the switch
where the network cards are connected must support IEEE 802.3ad Dynamic link
aggregation (Figure 7.2).
To configure it, these steps must be followed:

• Have one interface (ex: eth2) present but not configured yet;

• Click at the interface to bond (ex: eth0) and choose to aggregate network
interface cards;


• Choose the NICs’ MAC addresses of the eth0 and eth2 interfaces;

• Click Modify, so eth0 will be bonded with eth2 and they become only one
interface - eth0.

NOTE: The private interface is the first network card detected by IPBrick in
the server where it was installed. If the server has a second network card, this shall
be configured as a public interface. The firewall is already configured by default
with specific rules to recognize ETH0 as a private interface and ETH1 as a
public interface. If the server has more network cards (ETH2, ETH3...), they shall
be considered as private.

NOTE: The Ethernet cards’ MAC addresses should be associated with all the
interfaces, so that when the server reboots each interface is always associated with the
same NIC.

Default route
This menu is used to define the gateway of IPBrick.

If IPBrick works as an Intranet server (IPBrick.I), the address to put in this
field is the address of the equipment that provides the access to the Internet. This
equipment may be, for example, a Communications IPBrick or a router. The
gateway IP address must belong to the same IP network configured
on the private interface, ETH0. For instance, if the private interface has the
IP address 192.168.1.1, the gateway IP address must be 192.168.1.x. The
interface to choose to configure the gateway is ETH0.

If IPBrick works as a Communications server (IPBrick.C) or if it combines
the Intranet and Communications functions (IPBrick.I + IPBrick.C), the address
to put in this field is the internal address of the equipment that accesses the
Internet, for example, a router. In this case, the gateway IP address must
belong to the same IP network configured on the public interface, ETH1.
The interface to choose to configure the gateway is ETH1.

To change the Gateway definition it is necessary to click Modify. An example
can be viewed in Figure 7.1.

7.1.2 System Information


As you can see in Figure 7.3, this page gives crucial information about
the system: network usage, hardware information, memory usage and
file systems.

7.1.3 Web Access


This section allows the access and license management of IPBrick (Figure 7.5).


Figure 7.1: Advanced Configurations - Definitions

Figure 7.2: Advanced Configurations - Bonding

Access definitions
• Login: admin;

• Password: 123456.

The login admin and respective password refer, uniquely and exclusively, to
the authentication used to access IPBrick through the web interface and both can
be altered. To edit them it’s necessary to click on Change.
Note: In contrast with the Administrator user this login has no work area
in IPBRICK.

Language definition
IPBRICK is currently available in five languages:


Figure 7.3: Advanced Configurations - System Information - 1/2

• Portuguese;

• English;

• Spanish;

• French;

• German.

In this section it’s possible to change the language in IPBRICK (Figure 7.6). To
make this change, it is necessary to click on Modify, select the preferred language
and afterwards click on Apply Configurations so that the changes become
effective.

External WEB access


To access the IPBrick configuration interface through the Internet (External
Web Access), it is necessary to click Change and choose ”Yes” (Figure 7.5). You
should also activate the HTTPS service to the Internet and, because the login page
then becomes reachable from outside, change the default password listed under
Access definitions. It is also necessary to do this:

• Activate HTTPS for the Internet (IPBrick.C - Firewall - Services and
choose Active in the State);


Figure 7.4: Advanced Configurations - System Information - 2/2

• If the IPBrick is connected to the router internal interface (without public
address), it is necessary to configure on the router a DNAT of port 443 to the IPBrick.

IPBrick license
This section is about the licensing process of IPBrick. When installing IPBrick,
you will have a trial license of 30 days of use. When this license expires, the server
will remain reachable, since all network settings are kept, but the majority of
services will not be available until a permanent license is activated.

To install a permanent license it’s necessary to click on the option Download
server identification for license generation and send the file.dat to [email protected]
asking for license activation. You need to specify this information:

• Company name;

• Some information about the IPBrick server type (Intranet, Communication
or VoIP server);

After receiving the answer (with an attached file) from [email protected],
you do not need to cancel the temporary license; just insert the file received (it
will be licence.dat), and the license will become permanent.


Figure 7.5: Advanced Configurations - Web Access

Figure 7.6: Advanced Configurations - Language

7.1.4 Authentication
From the moment a user is created in IPBrick, there is an entry in
the database of the authentication server - LDAP¹. LDAP is defined as a directory
service where the information relating to the computer resources of the company
and its users is kept. Whenever a user intends to authenticate in a certain service
with his/her username and password, the IPBrick LDAP database is consulted to
validate or deny the access.

Modify

IPBrick allows several authentication modes and it is configured by default for
all the users to authenticate themselves in their own IPBrick (Figure 7.7):
1
Lightweight Directory Access Protocol


• IPBrick Master: Default Mode. All the services in the server shall use the
LDAP server;

• Secondary Master IPBrick: Used only under High availability license. See
Appendix E for details.

• IPBrick Slave: The LDAP server shall be a synchronized replica of the indicated
IPBrick Master server, and this mode is used in a scenario with several
servers. The users may authenticate themselves in this server, since there is a
timed synchronization of the LDAP database with the IPBrick Master,
but there is no possibility to add users. In networks with a high number
of users where there are many authentications, slave authentication servers
are useful because they avoid congestion in the IPBrick Master network
segment. This scenario is also very useful in geographically distributed
networks (Figure 7.8);

• IPBrick Client: The services authenticate remotely in the indicated LDAP
IPBrick server. In this case, there is no local database copy, and it is
necessary to specify the IPBrick Master/Slave server. Normally, this
authentication mode is used in an IPBrick.C for the VPN, PPTP and Proxy
services (Figure 7.9);

• Netbios Client: IPBrick can become part of a domain
managed by a pre-Windows 200x server, using the NetBIOS protocol.
In a network like this, the users continue to authenticate themselves normally
in the Windows machine;

• AD Domain Member (IPBrick Master): IPBrick is a member of a domain
managed by a Windows Active Directory server. The users of the network
need, as always, to authenticate in AD;

• AD Domain Member (IPBrick Slave): The IPBrick Slave is also going to
be a member of an AD domain, acting as a secondary IPBrick server. The use
of a Slave IPBrick as a member of an AD domain may be particularly useful in
the case of secondary email servers, always implying the existence of another
IPBrick server configured as a member of the AD domain - Master IPBrick.

NOTE: After changing the IPBrick authentication mode, during the Apply
Configurations, the IPBrick will reboot automatically.

NOTE: At a Slave/Client IPBrick, the myipbrick virtualhost will be
automatically configured with reverse proxy to the Master IPBrick.

Distributed Filesystem
The users may be physically distributed across the Master/Slave servers.
Meanwhile, the centralized information system - LDAP - has the information about the
physical location of each account. An NFS (Network File System) service makes
the accounts of the users available through the network. The Automount service


Figure 7.7: Advanced Configuration - Authentication modes

Figure 7.8: Advanced Configuration - Authentication - IPBrick Slave

combines the LDAP information with NFS and automatically makes the
accounts of the users available, virtually, in any other Master/Slave server. IPBrick allows
integration with authentication servers running Windows operating
systems, namely pre-Windows 200x machines (NetBIOS authentication) and
Windows 200x or later machines (authentication via Active Directory).

Figure 7.9: Advanced Configuration - Authentication - IPBrick Client


Automount
LDAP is a directory service where the relevant information of a company is
kept: Users, computer resources, contacts, etc. The Automount service combines
the LDAP information with NFS and makes automatically available the accounts
of the users virtually in any Master/Slave server.

In the Netbios authentication mode, the authentication server is not based on an
LDAP service. In this configuration, IPBrick uses its own LDAP server as an
auxiliary member for the other services. In the authentication mode member
of the AD domain, the authentication server is an LDAP implementation. All
IPBrick services are configured to use this LDAP server. However, it is necessary
to extend the structure of this LDAP server to support the requirements of the IPBrick
server, namely the UNIX/Linux credentials and the Automount information.

NOTE: At www.eshop.ipbrick.com - Downloads > Documentation > Other
documentation there is a document about the integration of IPBrick as a member
of an AD domain as well as the necessary files for this procedure (you will have to be
registered at our eshop for the Download section to be available).

Servers

This option lists all the servers registered at the Master LDAP, showing their
IP, FQDN and authentication type (Figure 7.10).

Figure 7.10: Advanced Configuration - Authentication - Servers list

7.1.5 High Availability


At the High Availability (HA) page you can check your system’s
status straight away. This is where you will be able to configure the HA definitions and check
both the System State and connected Interfaces (Figure 7.11). For more
information regarding High Availability please consult Appendix E of this document.

To alter the settings please click on Modify. A new page will appear (Figure
7.12).


Figure 7.11: Advanced Configuration - IPBrick - High Availability

Figure 7.12: High Availability - Modify

• Authentication type (e.g. IPBrick Master, Secondary Master IPBrick, ...);

• Mode: ’Active/Passive’, ’Active/Active’ or ’N/A’:

– ’Active/Passive’: when there is only an HA interface on one server;
– ’Active/Active’: when there are at least two HA interfaces configured
on different servers (note that failover switches cannot be used in this
mode);
– ’N/A’: Not applicable or Not available;

• Keep-Alive interfaces: interface through which the HA service will
communicate between servers (by default eth0 and eth1 will be set, if the latter
exists);


• Auto Failback: With this option enabled, after a failure, the HA interface
that changed server will return to the original server;

• Fail detection timeout: By default: 10 seconds;

• Initial fail detection timeout: By default: 120 seconds;

• Connectivity nodes: Click on Add to insert a node’s IP address. You will
also be able to Remove it;

• High availability state (e.g. Disabled, Enabled or N/A): indicates the state of
the heartbeat in the system (even with HA active, the heartbeat may, for some
reason, be reporting an error);

• Server state (e.g. Standby, Active or N/A): Depending on the state it’s
possible to acquire or free resources (note that in Active/Active
mode two buttons may be visible);

• High Availability Interfaces: Table showing the HA interfaces;

• Failover switches available: Table showing the failover switches available.

Note: At Advanced Configurations > Telephony > Failover switches you
may also view the switches available.

Alert Definitions
At the top right corner you will find the Alert Definitions link.
These ’alerts’ are warnings that will be sent to you if any HA IP
fluctuation has occurred, whether by machine failure or human intervention.

IP fluctuation basically means that should one machine fail, another one will
assume its virtual IP. If you click on the Alert Definitions link a new page will
appear (Figure 7.13) where you will see the Source and Destination email
addresses. By default, no address is set. You should click on Modify to add both
email addresses (Figure 7.14).

NOTE: The mechanism for failure detection is based on network and service
failure (valid only for the VoIP service).

Figure 7.13: High Availability - Alert Definitions


Figure 7.14: High Availability - Alert Definitions - Address definitions

7.1.6 Update
All available updates in the Downloads section of our eshop should be installed
here. All you have to do is click on Insert, choose the update file (.deb) by clicking
on Browse, and confirm the package by clicking on the Insert button. The package
will then be installed in the system (Figure 7.15).

Figure 7.15: Advanced Configurations - Update

7.1.7 Remote Management


The remote management feature enables you to install updates, perform mass
operations (insert users, phones, prefixes and routes) and monitor the IPBricks’
status, via the Remote Manager Server web interface.

Choose an IPBrick on which to install the ipbmanager.deb file. The procedure is exactly
the same as installing an IPBrick update (please consult section 7.1.6 of this
document for more information).

NOTE: Please don’t forget to apply configurations!

To add the URL of the IPBrick Remote Manager server click on Insert (Figure
7.16).


Figure 7.16: Remote Management

Add the IPBrick Manager Server URL (e.g.: ipbmanager.domain.com). At
URL Address it’s also possible to select between the http and https protocols (Figure
7.17).

NOTE: Repeat this procedure on ALL IPBricks you wish to remotely manage,
including the one where you have installed the ipbmanager.deb package.

Figure 7.17: Remote Management Insert page

Confirm the changes by clicking on the Apply button.

Click on the Test Connection button to check the connectivity.

Figure 7.18: Test Connectivity


7.1.8 MyIPBrick Management


At MyIPBrick Management the administrator may alter the general
presentation of the MyIPBrick page (for more information regarding MyIPBrick, please
consult Chapter 15 Appendix G - MyIPBrick).

At the MyIPBrick Management initial page you will be able to check the editable
options. To alter them please click on the Modify link.

Figure 7.19: MyIPBrick Management page

At the Modify page you will be able to alter menu names, choose whether they are
visible or not by simply removing the tick from the Visible box, and also replace
the IPBRICK logo, both on the login page and interface page, with your own
customized image, be it your company’s logo or any other image in JPG, PNG
or GIF.

Figure 7.20: MyIPBrick Management page

To alter a menu name simply click on the field you wish to change and type a
new name. It is also possible to change the order: in the example presented in the
following figure, Voicemail will now be visible before Calendar.


Figure 7.21: MyIPBrick Management page - Changing the order

If you wish to add an additional page to your users’ MyIPBrick, simply click on
the plus icon. You may repeat the procedure to add more additional fields.

Figure 7.22: MyIPBrick Management page - Additional

A new field will appear. Type the name, order, URL and tick or not the
Visible box. If you wish to delete the entry simply click on the red X icon.

Figure 7.23: MyIPBrick Management page - Additional fields

Click on the Modify button at the bottom of the page. A new prompt will
appear asking you to confirm the changes. Please click on OK.

Figure 7.24: MyIPBrick Management changes prompt

7.2 Network
In this section we’ll address the advanced configuration of services related to
the structure of the organization’s network. It will be possible to define specific
rules in the firewall, to add static routes for other internal (or external) networks, to
define rules and priorities in the QoS service, as well as to configure service
routing in the firewall.


7.2.1 Firewall
This section deals with the IPBRICK firewall management. Some of the
predefined rules were already mentioned in the section Firewall in the chapter
IPBrick.C (rules that can’t be changed by the user, only deactivated). In the
meantime, the configuration of some other services demands some other rules. These
rules can only be managed in part by the user in the Order section. Nevertheless,
IPBRICK offers the administrator an advanced interface for firewall
management, where a highly customized group of rules can be defined (Figure
7.25).

Figure 7.25: Network - Firewall

Here you have links to:

• Insert new rules in advanced mode;

• Delete already inserted rules;

• Order: Interface to order all the rules that exist in the firewall (Figure 7.29).
This option is particularly important when new rules are created, because
the firewall applies the first rule that matches a packet. More specific rules
should therefore be at the top and general ones at the bottom.
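The effect of rule order can be checked before rules are entered in the Order interface. The following Python is an added example, not IPBrick code: it models first-match evaluation on a simplified rule (protocol, source network, destination port, terminating policy) and reports rules that can never fire because an earlier, more general rule covers them. The rule names, the 192.168.1.x addresses used as sample data and the default DROP result when nothing matches are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """Simplified firewall rule (hypothetical model, not IPBrick's own format)."""
    name: str
    policy: str                    # terminating policy: "ACCEPT" or "DROP"
    protocol: str = "ALL"          # "TCP", "UDP" or "ALL"
    source: str = "0.0.0.0/0"      # source network in CIDR notation
    dport: Optional[int] = None    # destination port, None means any port

    def matches(self, protocol: str, src_ip: str, dport: int) -> bool:
        """True when this rule applies to the given packet."""
        return (self.protocol in ("ALL", protocol)
                and (self.dport is None or self.dport == dport)
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source))

    def covers(self, other: "Rule") -> bool:
        """True when every packet matched by `other` is also matched by self."""
        return (self.protocol in ("ALL", other.protocol)
                and (self.dport is None or self.dport == other.dport)
                and ipaddress.ip_network(other.source).subnet_of(
                    ipaddress.ip_network(self.source)))


def first_match(rules: List[Rule], protocol: str, src_ip: str, dport: int,
                default: str = "DROP") -> Tuple[str, Optional[str]]:
    """Return (policy, rule name) of the first matching rule, top to bottom."""
    for rule in rules:
        if rule.matches(protocol, src_ip, dport):
            return rule.policy, rule.name
    return default, None  # assumed default when no rule matches


def shadowed_rules(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (shadowed rule, shadowing rule) pairs for rules that never fire."""
    found = []
    for index, later in enumerate(rules):
        for earlier in rules[:index]:
            if earlier.covers(later):
                found.append((later.name, earlier.name))
                break
    return found


# Constructed sample rules: one general rule and one specific exception.
DROP_LAN_SMTP = Rule("drop-smtp-from-lan", "DROP", "TCP", "192.168.1.0/24", 25)
ALLOW_RELAY = Rule("allow-smtp-from-relay", "ACCEPT", "TCP", "192.168.1.10/32", 25)

WRONG_ORDER = [DROP_LAN_SMTP, ALLOW_RELAY]   # general rule on top
RIGHT_ORDER = [ALLOW_RELAY, DROP_LAN_SMTP]   # specific rule on top

if __name__ == "__main__":
    for label, rules in (("wrong", WRONG_ORDER), ("right", RIGHT_ORDER)):
        verdict = first_match(rules, "TCP", "192.168.1.10", 25)
        print(label, "order:", verdict, "shadowed:", shadowed_rules(rules))
```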

You can insert three types of rules:

• DNAT Rule: Redirects the traffic that comes to a port to another port/machine
of the internal network. This rule applies only to TCP traffic (example in
Figure 7.28);

• Disable machine access: Denies access to a port of a given
network machine (example in Figure 7.27);

• General settings: Here you can add a completely customized rule
(example in Figure 7.26). These are the affected fields:


– Rule:
INPUT: Data received by the firewall and addressed to the receiving
interface, regardless of its origin;
OUTPUT: Data sent by the firewall;
FORWARD: Redirects traffic from one interface to another;
PREROUTING: Used to change IP packets arriving at the
machine before the routing decision;
POSTROUTING: Used to change IP packets arriving at the
machine after the routing decision;
– Interface: You should choose which interface to apply the rule (eth0,
eth1, eth2... and the loopback interface - lo);
– Protocol: Protocol(s) to which you want to apply the rule;
– Module: Shows the list of iptables modules available for use;
– Source MAC Address: The packet source’s MAC Address;
– Source IP: Source IP Address of the packet;
– Origin port: Source port of the packet;
– Destination IP: Destination IP address of the packet;
– Destination port: Destination port of the packet;
– Parameters: 16 bits field that exists in the original IP packet - it is
used to identify the type of packet to filter. Examples:
! --syn
--state INVALID
--state ESTABLISHED,RELATED
--icmp-type echo-request
– Policy:
ACCEPT: Accepts a packet and lets it pass the firewall rules;
DROP: Doesn’t accept the packet and eliminates it;
MARK: Saves a mark in the packet. These marks can be used to make
decisions at the forwarding level;
LOG: Saves a log of every packet that follows the rule.

– If the PREROUTING rule is used, there are the following extra policies:
REDIRECT: Used to redirect the traffic arriving at a port to
another port;
DNAT: Allows redirecting the traffic arriving at a certain
port to another machine and port belonging to the internal
network;
– If the POSTROUTING rule is used, there are the following extra
policies:


MASQUERADE: Allows ’masking’ the traffic;
SNAT: Allows redirecting the traffic generated in a certain
port to another machine and port;
TCPMSS: Changes the MSS field (maximum packet size) of the
TCP header. It can only be used on TCP SYN or SYN/ACK
packets because it is only used at the beginning of
connections.

The rules that are defined by default can’t be eliminated, but can be deactivated
by clicking on the state of the rule and choosing the Deactivate option.

Figure 7.26: Network - Firewall - General settings rule

Figure 7.27: Network - Firewall - Disable access rule


Figure 7.28: Network - Firewall - DNAT rule

Figure 7.29: Network - Firewall - Order

In the body there’s a list of all the rules controlled by the user (Figure 7.25). A
rule can be switched between the enabled and disabled states. To eliminate rules it is
necessary to click Delete, select the rule or rules that you want to remove and
click the Delete button. The rules defined by default cannot be deleted; however,
they can be deactivated: all you have to do is click the state of the rule and change
the option to disable.

7.2.2 Route management


When there are several distributed networks separated by some routers in an
organization, and if you want to give IPBrick access to all of them, you must
indicate the gateway for that network (Figure 7.30).
The following fields are present:

• Destination network: Network to access;

• Mask: Mask of the destination network;


Figure 7.30: Network - Route management

• Interface: IPBrick interface with connectivity to the destination network;

• Gateway: Router/server IP with connectivity to the destination network.

7.2.3 QOS
The QoS² service (Figure 7.31) in IPBrick allows the customization of traffic
priority levels, oriented to the external interface, thus assuring a certain level of
quality of service for the final user. It is important to indicate immediately the
value of the bandwidth available in the connection to the Internet. From this
data we can establish priority rules among the several types of traffic in a network.
For example: instead of the Internet connection being entirely occupied by the
email service, limit the bandwidth given to that service and assure a minimum
value for the web traffic.

In the Body we have the list of the available Public Interfaces (normally
ETH1) and the state of the service for each network card. Clicking the state
switches between active and inactive. Clicking the network card opens
the management form of that service (Figure 7.31).

Figure 7.31: Network - QoS management

In Generic Configurations (Figure 7.32) it is possible to define the
maximum bandwidth allowed for download and upload.
2
Quality of Service


In section Structure there are three classes of defined priorities, each one of
them already with predefined filters. It is possible to define new filters for each
priority class, specifying the following fields:

• Types of filter: ACK type (confirmation of packets reception) or General;

• ToS³:

– Minimizes the delay;
– Maximizes throughput;
– Maximizes reliability;
– Minimizes the cost;

• Protocol: Type of protocol to apply in the filter;

• Source IP;

• Source Port;

• Destination IP;

• Destination Port.

Priority Class 1 always has maximum priority, and the traffic defined in
Priority Class 3 is the least important.

Figure 7.32: Network - QOS - General Configurations

3
Type of Service


7.2.4 Service Routing


IPBrick can route the traffic of several network services to different output
interfaces. A communication server may be routing the SMTP traffic to a certain
ISP router and the web traffic to another (example in Figure 7.33). The definition
of gateways is made through the following fields:

• Name: The name of the new access to the internet;

• IP address: Internal router IP responsible for that access - Gateway;

• Tag in the firewall: Automatically attributed.

After defining a Destination, it's necessary to add specific rules in the firewall so
that the desired services are actually routed through it. Firewall
configuration examples are presented below for:

• Using the new access to send and receive email;

• Using the new access for web traffic;

Figure 7.33: Network - Service Routing

Mail service example


In this case, the new Internet Access (eth2) will be used for the mail service,
both incoming and outgoing (port 25). These rules should be inserted:

1. Rule to masquerade the outgoing traffic for the eth2 interface;

• Type: General configuration;


• Rule: POSTROUTING;
• Interface: eth2;
• Protocol: ALL;
• Module: Leave blank;


• Source IP: Leave blank;


• Origin port: Leave blank;
• Destination IP: Leave blank;
• Destination port: Leave blank;
• Parameters: Leave blank;
• Politics: SNAT;
• Value: eth2 IP;

2. Rule that accepts incoming traffic for the port 25:

• Type: General configuration;


• Rule: INPUT;
• Interface: eth2;
• Protocol: TCP;
• Module: Leave blank;
• Source IP: Leave blank;
• Origin port: Leave blank;
• Destination IP: Leave blank;
• Destination port: 25;
• Parameters: Leave blank;
• Politics: ACCEPT

3. Rule to allow the replies for port 25 by the Internet mail servers:

• Type: General configuration;


• Rule: INPUT;
• Interface: eth2;
• Protocol: TCP;
• Module: Leave blank;
• Source IP: Leave blank;
• Origin port: 25;
• Destination IP: Leave blank;
• Destination port: Leave blank;
• Parameters: ! --syn;
• Politics: ACCEPT

4. Rules to forward outgoing Internet SMTP traffic for eth2

• Type: General configuration;


• Rule: OUTPUT;
• Interface: eth1;
• Protocol: TCP;
• Module: Leave blank;
• Source IP: eth1 IP;
• Origin port: Leave blank;
• Destination IP: ! eth1 IP;
• Destination port: 25;
• Parameters: Leave blank;
• Politics: MARK;
• Value: 1 (firewall tag);

5. Rules to forward outgoing SMTP traffic with origin in IPBrick for the new
interface (eth2);

• Type: General configuration;


• Rule: OUTPUT;
• Interface: eth1;
• Protocol: TCP;
• Module: Leave blank;
• Source IP: eth2 IP;
• Origin port: 25;
• Destination IP: ! eth1 IP;
• Destination port: Leave blank;
• Parameters: Leave blank;
• Politics: MARK;
• Value: 1 (firewall tag);

6. Rule to forward traffic with origin in LAN and destination the port 25 in
Internet (only when is used a external SMTP account)

• Type: General configuration;


• Rule: PREROUTING;
• Interface: eth0;
• Protocol: TCP;
• Module: Leave blank;
• Source IP: LAN IP;
• Origin port: Leave blank;


• Destination IP: ! eth1 IP;


• Destination port: 25;
• Parameters: Leave blank;
• Politics: MARK;
• Value: 1 (firewall tag);

Web access example


In this case, the new Internet Access (eth2) will be used for the LAN web access
that will be redirected to the new interface:

1. Rule to masquerade the outgoing traffic for the eth2 interface;

• Type: General configuration;


• Rule: POSTROUTING;
• Interface: eth2;
• Protocol: ALL;
• Module: Leave blank;
• Source IP: Leave blank;
• Origin port: Leave blank;
• Destination IP: Leave blank;
• Destination port: Leave blank;
• Parameters: Leave blank;
• Politics: SNAT;
• Value: eth2 IP;

2. Rule to allow the replies for port 80 by the Internet web servers:

• Type: General configuration;


• Rule: INPUT;
• Interface: eth2;
• Protocol: TCP;
• Module: Leave blank;
• Source IP: Leave blank;
• Origin port: 80;
• Destination IP: Leave blank;
• Destination port: Leave blank;
• Parameters: ! --syn;
• Politics: ACCEPT


3. Rule to allow the replies for port 443 by the Internet web servers:

• Type: General configuration;


• Rule: INPUT;
• Interface: eth2;
• Protocol: TCP;
• Module: Leave blank;
• Source IP: Leave blank;
• Origin port: 443;
• Destination IP: Leave blank;
• Destination port: Leave blank;
• Parameters: ! --syn;
• Politics: ACCEPT

4. Rule to forward traffic with origin in LAN and destination the port 80 in
Internet (only when the proxy is not used!)

• Type: General configuration;


• Rule: PREROUTING;
• Interface: eth0;
• Protocol: TCP;
• Module: Leave blank;
• Source IP: LAN IP;
• Origin port: Leave blank;
• Destination IP: ! eth1 IP;
• Destination port: 80;
• Parameters: Leave blank;
• Politics: MARK;
• Value: 1 (firewall tag);

5. Rule to forward traffic with origin in LAN and destination the port 443 in
Internet (only when the proxy is not used!)

• Type: General configuration;


• Rule: PREROUTING;
• Interface: eth0;
• Protocol: TCP;
• Module: Leave blank;
• Source IP: LAN network;


• Origin port: Leave blank;


• Destination IP: ! eth1 IP;
• Destination port: 443;
• Parameters: Leave blank;
• Politics: MARK;
• Value: 1 (firewall tag);

6. Rule to forward traffic with origin in a machine connected to the LAN using
VPN PPTP and destination the port 80 in Internet (only when the proxy is
not used!)

• Type: General configuration;


• Rule: PREROUTING;
• Interface: ppp+;
• Protocol: TCP;
• Module: Leave blank;
• Source IP: LAN IP;
• Origin port: Leave blank;
• Destination IP: ! eth1 IP;
• Destination port: 80;
• Parameters: Leave blank;
• Politics: MARK;
• Value: 1 (firewall tag);

7. Rule to forward traffic with origin in a machine connected to the LAN using
VPN PPTP and destination the port 443 in Internet (only when the proxy
is not used!)

• Type: General configuration;


• Rule: PREROUTING;
• Interface: ppp+;
• Protocol: TCP;
• Module: Leave blank;
• Source IP: LAN IP;
• Origin port: Leave blank;
• Destination IP: ! eth1 IP;
• Destination port: 443;
• Parameters: Leave blank;


• Politics: MARK;
• Value: 1 (firewall tag);

8. Rules to forward outgoing Internet web http traffic for eth2:

• Type: General configuration;


• Rule: OUTPUT;
• Interface: eth1;
• Protocol: TCP;
• Module: Leave blank;
• Source IP: eth1 IP;
• Origin port: Leave blank;
• Destination IP: ! eth1 IP;
• Destination port: 80;
• Parameters: Leave blank;
• Politics: MARK;
• Value: 1 (firewall tag);

9. Rules to forward outgoing Internet web https traffic for eth2:

• Type: General configuration;


• Rule: OUTPUT;
• Interface: eth1;
• Protocol: TCP;
• Module: Leave blank;
• Source IP: eth1 IP;
• Origin port: Leave blank;
• Destination IP: ! eth1 IP;
• Destination port: 443;
• Parameters: Leave blank;
• Politics: MARK;
• Value: 1 (firewall tag);

NOTE: To route other services for the new internet access (local and remote
port), the idea is the same.
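
To review what the rule forms above amount to, the following added example (not IPBrick's own code) renders three of the mail rules as iptables command strings together with the matching fwmark routing commands. It assumes the form fields map onto iptables options the way their names suggest; the addresses, the `100 + tag` routing table number and all function names are constructed for illustration.

```python
# Added example: renders firewall-form entries as iptables command strings for
# review. Nothing is executed. Assumption: the form fields map to iptables
# options the way their names suggest.

# Table used for each target. MARK goes in mangle so the mark is set before
# the routing decision that selects the alternative gateway.
TABLE_FOR_TARGET = {"SNAT": "nat", "MARK": "mangle", "ACCEPT": "filter"}
# PREROUTING/INPUT can only match the inbound interface, POSTROUTING/OUTPUT
# only the outbound one.
IFACE_FLAG = {"PREROUTING": "-i", "INPUT": "-i",
              "POSTROUTING": "-o", "OUTPUT": "-o"}


def _match(flag, value):
    """Render one match; a leading '!' in the form value negates it."""
    if not value:
        return []
    value = str(value).strip()
    if value.startswith("!"):
        return ["!", flag, value[1:].strip()]
    return [flag, value]


def render(rule):
    """Return the iptables command for one form entry (blank fields omitted)."""
    chain, target = rule["Rule"], rule["Politics"]
    proto = rule.get("Protocol", "ALL").lower()
    if (rule.get("Origin port") or rule.get("Destination port")) \
            and proto not in ("tcp", "udp"):
        raise ValueError("port matches need Protocol TCP or UDP")
    cmd = ["iptables", "-t", TABLE_FOR_TARGET[target], "-A", chain]
    cmd += _match(IFACE_FLAG[chain], rule.get("Interface"))
    if proto != "all":
        cmd += ["-p", proto]
    cmd += _match("-s", rule.get("Source IP"))
    cmd += _match("-d", rule.get("Destination IP"))
    cmd += _match("--sport", rule.get("Origin port"))
    cmd += _match("--dport", rule.get("Destination port"))
    cmd += (rule.get("Parameters") or "").split()
    cmd += ["-j", target]
    if target == "SNAT":
        cmd += ["--to-source", rule["Value"]]
    elif target == "MARK":
        cmd += ["--set-mark", str(rule["Value"])]
    return " ".join(cmd)


def policy_routing(tag, gateway):
    """iproute2 commands that send packets carrying `tag` to `gateway`.
    The table number (100 + tag) is an arbitrary choice for this example."""
    table = 100 + int(tag)
    return [f"ip rule add fwmark {tag} table {table}",
            f"ip route add default via {gateway} table {table}"]


# Constructed addresses; the page only names them "eth1 IP", "eth2 IP", "LAN IP".
ETH1_IP, ETH2_IP, ETH2_GW = "198.51.100.10", "203.0.113.10", "203.0.113.1"
LAN = "192.168.69.0/24"

MAIL_RULES = [
    # Rule 1: masquerade traffic leaving through eth2.
    {"Rule": "POSTROUTING", "Interface": "eth2", "Protocol": "ALL",
     "Politics": "SNAT", "Value": ETH2_IP},
    # Rule 3: accept replies coming from remote port 25.
    {"Rule": "INPUT", "Interface": "eth2", "Protocol": "TCP",
     "Origin port": 25, "Parameters": "! --syn", "Politics": "ACCEPT"},
    # Rule 6: tag LAN traffic bound for port 25 on the Internet.
    {"Rule": "PREROUTING", "Interface": "eth0", "Protocol": "TCP",
     "Source IP": LAN, "Destination IP": "! " + ETH1_IP,
     "Destination port": 25, "Politics": "MARK", "Value": 1},
]

if __name__ == "__main__":
    for line in [render(r) for r in MAIL_RULES] + policy_routing(1, ETH2_GW):
        print(line)
```

When reviewing the rendered output, note that rule 3 is stateless: it matches any TCP segment from source port 25 that does not have the SYN flag set, whether or not the server opened a connection to that peer.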


Figure 7.34: Support Services - LDAP

7.3 Support services


7.3.1 LDAP
In this section a list is presented of the machines registered in the LDAP service
of IPBrick. To insert a new machine in the LDAP domain of IPBrick it’s necessary
to click Insert. It is also possible to Modify or Delete LDAP registers.

The insertion of machines in LDAP from here can be very useful, when there
are IP networks different from the internal interface of IPBrick, since there is no
need to indicate the IP.
Mass Operations for machines
The Export feature will export all the data to a .csv file. The Mass operations
option permits an import of a .csv file. You can edit a .csv file in a spreadsheet
application, choosing the ; to split the columns. When doing an export we can
see all these fields present:

• action: Options available:

– I: To insert a machine record in LDAP;


– U: To update a machine record in LDAP;
– D: To delete a machine record in LDAP;

• uidnumber: LDAP field that identifies the resource. Usually machines begin
with UID 50000.

• name: Machine name;

Example of a .csv file content for mass operations import option:

action;uidnumber;name
N;50000;pc01
N;50001;pc02
I;50002;pc03
I;50003;pc04
I;50004;pc05


7.3.2 DNS
DNS (Domain Name System) is a name resolution service that translates domain
names into IP addresses and vice-versa, and it is implemented in IPBrick by the
software Bind using port 53 UDP/TCP. The majority of queries consist of a simple
UDP request by the client, followed by a UDP answer from the server. There are two
situations where TCP is used: when the data to be sent by the user exceeds 512
bytes or during zone transfers. Some operating systems like HP-UX, for example, even
adopt DNS implementations always using TCP, thus increasing reliability.

The service acts like a database with information about the connections of an
IP network, and that information is organized into domains. The notation used
is the FQDN (Fully Qualified Domain Name):

servername.company.region

Here "servername.company.region" is the FQDN, "company.region" is
the domain, "company" the sub-domain and "region" the top domain
(Top Level Domain), which is administrated by an entity called ICANN
(Internet Corporation For Assigned Names and Numbers).
A DNS server manages a database about a certain part of the domain, which is
normally designated as a zone, and there are two different types of servers:

• master: It obtains the data from a zone which it manages from its own
database;

• slave: It obtains the data from the primary master; there can be one or more
slaves in a network. Whenever there are changes in the configuration of the zones
served by the master, this server is notified and proceeds to update
its database.

So we can have master DNS servers, also called primary, and slave DNS servers,
which can also be called secondary. Regardless of being master or slave for a zone,
a server can have different purposes:

• internal DNS server: An internal DNS server (master or slave) serves
private domains and resolves names to private IPs. It stays inside the LAN
and normally the service runs on the same server that is the PDC. Example:
pc01.domain.com -> 192.168.0.25. In the IPBrick context, it will be an IPBrick.I;

• public DNS server: A public DNS server (master or slave) serves only public
domains and resolves names to public IPs that are well known on the Internet.
It can stay in the company's network DMZ, but usually the public DNS server
of a domain is managed by the company's ISP or some hosting company on the
Internet. Example: www.ipbrick.com -> 80.251.163.69. In the IPBrick context,
an IPBrick.G/KAV/GT can be the public DNS server of some domain. It's
not a good policy to have a single server managing the same domain with
internal records and public records.

The DNS server also allows the resolution of names in reverse mode, that is,
answering with the name (FQDN) for a certain IP address. This mechanism allows the
confirmation of the authenticity of an IP address, an important aspect in the email
service.

Domains
This is the main section of DNS configuration. Here you can handle the
domains managed by the server and their respective DNS records, such as machines,
aliases, mail exchange records, etc. By default the following zones are presented:

• Forward zone: This type of zone holds the name -> IP address mapping,
and is the most used. By default, IPBrick serves the forward zone
domain.com;

• Reverse zones: This type of zone maps IP addresses -> names and is
mostly used by public e-mail servers, for authenticity verification. By default
IPBrick serves the reverse zone 192.168.69.0/24;

You can access the interface management of these zones by clicking on one of
them. (Figure 7.38 and Figure 7.39)

Clicking on the Insert link a new domain will be served by IPBrick (Figure
7.35)

Insert a new zone At top menu you have a link to get Back to the previous
list and cancel the current process of introducing a new zone. At body you see a
register form for forward and/or reverse name (Figure 7.40) resolution zones. You
find the following definitions:

1. Domain: Name of the new zone to create; e.g. companyx.com; porto.companyx.com;
easylinux.com;

2. Network: The associated IP network for which you are going to create
registrations. This is used only for reverse name resolution records (PTR, Pointer);

3. Zone type: Field that allows you to create a master or secondary zone. A
secondary zone is a copy of another DNS server master zone;

4. Server: Name of the machine that will serve this domain (the SOA, Start of
Authority; e.g. ipbrick.domain.com) (this field is only applied on master zones);

5. Email: E-mail of the responsible for this domain. This e-mail is registered
in the DNS under the name of the administrator for this domain (this field
is only applied on master zones);

6. Refresh time: The interval at which a secondary zone checks whether there are
any changes in the master zone (this field is only applied on master zones);

7. Transfer retry time: The time a secondary zone has to wait before retrying the
connection to the master zone, that is, if the last refresh was unsuccessful
(this field is only applied on master zones);

8. Expiry time: The time during which a secondary zone considers the data of a zone
as valid since the last successful refresh (this field is only applied on master
zones);

9. Default time-to-live: The time during which the other DNS servers
consider the data of this zone as valid (this field is only applied on master
zones);

10. Master servers: IP address of the master server for that zone (this field is
only applied on secondary zones);

11. Visible in the management of machines: If selected, all these
definitions will also appear under domain management.

Figure 7.35: Support Services - DNS - Name resolution zones

If the idea is to create a sub-zone these are the necessary steps (Example:
porto.companyx.com):

• Insert a new zone at the present main menu. At domain type porto.companyx.com;

• Go to domain management of main zone companyx.com and at Name Servers
insert:

Domain: porto.companyx.com
Server: ipbrick.domain.com (no need to change that default field)

• Go to domain management of the sub-zone and start populating it (machines,
alias, MX record...)

Domains Management To manage a domain simply click on the domain name
in the zone's list. In this section you control all DNS records of the selected zone.
At the top you have a link to get Back to the zones list and a Domain link that leads
to the zone definitions. At the body you have a list of all possible DNS records to
configure, each one with an Insert button. All records are presented below, supposing
that we are managing the forward zone of domain.com:

• Machines: This is called the A record (address record). It’s used to map
hostnames to IP’s. E.g.:

pc01 192.168.69.96
ipbrick 192.168.69.1
slave01 192.168.69.2

So pc01.domain.com will resolve to 192.168.69.199. In order to get the
base domain domain.com associated to some IP you need to insert a machine
record like this:

domain.com. 192.168.69.1

• Aliases: This is called the CNAME record (canonical name record). It’s
an alternative name for some existing machine record (this option is only
available for a forward name resolution zone). E.g.:

webmail ipbrick
im ipbrick
contacts ipbrick
voip ipbrick
mailsrv2 slave01

• Name Servers: It’s the NS record (name server record). Here we manage the
list of DNS servers for the zone. If a zone has master and slave servers, the
master should have that information defined here. E.g.:

domain.com ipbrick.domain.com
domain.com slave01.domain.com

Let's suppose that the same IPBricks are serving another zone called easylinux.com.
So the configuration would be:

easylinux.com ipbrick.domain.com
easylinux.com slave01.domain.com

• Mail Servers: This is called the MX record (mail exchange record) and it's
a crucial record. It states which server or servers are the mail servers for
the present domain. You can have several registrations, each with a different
positive integer value. The values indicate which registration to use first.
The registration with the lowest value is always the first one to be used. The
names to be introduced here must always be the e-mail server FQDN (this
option is only available for a forward name resolution zone). For example:

10 ipbrick.domain.com
20 mailsrv2.domain.com

• VoIP Servers: It’s one SRV record (service locator) for new protocols, in-
cluding VoIP (SIP). The value to be introduced here is the FQDN of the VoIP
server (this option is only available for a forward name resolution zone). For
example:

voip.domain.com

• Instant Message Server: It's also an SRV record, for the Jabber protocol, and by
default the address is im.domain.com. The alias im exists by default;

The SRV records for VoIP and IM are very easy to configure if IPBrick is
the DNS server, because we only need to type the FQDN of the server. If
the private/public zones are managed by different DNS servers and we want
to use those services in IPBrick, you need to explicitly specify all the SRV records
that are being used, pointing them to IPBrick.

Example for VoIP:

_sips._tcp.domain.com. IN SRV 1 0 5061 voip.domain.com.
_sip._tcp.domain.com. IN SRV 1 0 5060 voip.domain.com.
_sip._udp.domain.com. IN SRV 1 0 5060 voip.domain.com.

Example for IM:

_jabber._tcp.domain.com. 86400 IN SRV 5 0 5269 voip.domain.com.
_xmpp-server._tcp.domain.com. 86400 IN SRV 5 0 5269 voip.domain.com.
_xmpp-client._tcp.domain.com. 86400 IN SRV 5 0 5222 voip.domain.com.

• Valid records for sending mail (SPF): In this field we can use SPF
to specify which records are valid for sending mail. This configuration
will be IPBrick's answer to the external mail
servers that use SPF protection. The configuration can be done at
Basic Options (Figure 7.36):

– Registered mail servers: The domain MX records can be valid (pass),
invalid (fail) or undefined (not present in the TXT record);
– Registered machines: The domain A records can be valid, invalid or
undefined;
– Domains: Other domains that are valid (corresponding to the sender's
address);
– Networks: Valid sender networks;

All the rest is invalidated (mechanism -all).

Figure 7.36: Support Services - DNS - SPF basic options

After the configuration, from the Basic Options, going to Advanced Options
will present the TXT record. There it’s possible to edit directly the TXT
record, so other specific SPF mechanisms and qualifiers can be used (Figure
7.37).

Figure 7.37: Support Services - DNS - SPF advanced options

TXT record example:

domain.com. IN TXT "v=spf1 a mx -all"

In that configuration, if someone on the Internet checks the authenticity of a mail,
only mail sent by the hosts in the domain's MX and A records will be valid. The
rest will be invalidated.
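
How a receiving mail server evaluates such a TXT record can be followed in this added example (not part of the original manual or of IPBrick). It checks a sender IP against the `a`, `mx`, `ip4` and `all` mechanisms, which correspond to the Basic Options above; the zone data is constructed from the record examples in this section and the function names are illustrative.

```python
import ipaddress

# Constructed zone data, reusing the record examples from this section.
A = {
    "domain.com": ["192.168.69.1"],
    "ipbrick.domain.com": ["192.168.69.1"],
    "slave01.domain.com": ["192.168.69.2"],
    "pc01.domain.com": ["192.168.69.96"],
}
CNAME = {"mailsrv2.domain.com": "slave01.domain.com"}
MX = {"domain.com": ["ipbrick.domain.com", "mailsrv2.domain.com"]}

# SPF qualifiers and the result each one produces when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def addresses(name):
    """A lookup that follows one alias, as a resolver would."""
    return A.get(CNAME.get(name, name), [])


def check_spf(sender_ip, domain, record):
    """Evaluate `record` (the TXT value) for a message claiming `domain`.

    Mechanisms are tried left to right; the first one that matches decides.
    Only a, mx, ip4 and all are implemented in this example.
    """
    if not record or record.split()[:1] != ["v=spf1"]:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, arg = term.partition(":")
        if mechanism == "all":
            matched = True
        elif mechanism == "a":
            matched = sender_ip in addresses(arg or domain)
        elif mechanism == "mx":
            hosts = MX.get(arg or domain, [])
            matched = any(sender_ip in addresses(h) for h in hosts)
        elif mechanism == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            raise NotImplementedError(mechanism)
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                         # nothing matched, no "all" term


if __name__ == "__main__":
    record = "v=spf1 a mx -all"              # the TXT record example above
    for ip in ("192.168.69.1", "192.168.69.2", "192.168.69.96"):
        print(ip, check_spf(ip, "domain.com", record))
```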

Figure 7.38: Support Services - DNS - Zone Management 1/2

Mass Operations for machine record


The Export feature will export all the data to a .csv file. The Mass operations
option permits an import of a .csv file. You can edit a .csv file in a spreadsheet
application, choosing the ; to split the columns. When doing an export we can see
all the fields present:

• action: Options available:

– I: To insert a machine record in DNS;


– U: To update a machine record in DNS;
– D: To delete a machine record in DNS;

• idzone: Zone identifier;

• zonename: Zone name;

• iddnsina: A record identifier;

• name: A record name;


Figure 7.39: Support Services - DNS - Zone Management 2/2

Figure 7.40: Support Services - DNS - Reverse zone

• ip: A record IP;

• addtorev: Option to add the record or not to reverse DNS zone. Value 1
yes, 0 no.


Example of a .csv file content for mass operations import option:

action;idzone;zonename;iddnsina;name;ip;addtorev
N;1;domain.com;1;ipbrick;172.29.1.154;1
N;1;domain.com;2;pc2;172.29.1.32;1
I;1;domain.com;3;pc3;172.29.1.33;1
I;1;domain.com;4;pc4;172.29.1.34;1

Note: Private reverse zones can exist on LAN DNS servers, but public
reverse zones are maintained under .arpa (Internet Address and Routing Parameter
Area). Those public zones are configured on the ISP's DNS servers, so all the
customers' public IPs can be mapped to the respective FQDN. This is called a PTR
record, and these records have become very important because the number of mail
servers that perform that reverse zone verification is increasing. Example: Mapping
the IP 195.23.45.33 to the name ipbrick.companyx.com. The ISP will insert a record
like this:

33.45.23.195.in-addr.arpa. IN PTR ipbrick.companyx.com.
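
The reverse verification that mail servers perform, mentioned both here and in the DNS introduction, is sketched in this added example (not part of the original manual). It uses the page's mapping of 195.23.45.33 to ipbrick.companyx.com; the other records, the documentation-range addresses and the function names are constructed to show the failure cases.

```python
import ipaddress

# Constructed records. The first PTR/A pair is the mapping used in the note
# above; the others use documentation addresses to show the failure cases.
PTR = {
    "33.45.23.195.in-addr.arpa.": "ipbrick.companyx.com.",
    "7.113.0.203.in-addr.arpa.": "mail.example.net.",
}
A = {
    "ipbrick.companyx.com.": ["195.23.45.33"],
    "mail.example.net.": ["203.0.113.8"],   # does not point back to .7
}


def ptr_name(ip):
    """Owner name of the PTR record for `ip` (octets reversed under .arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def verify_sender(ip, helo=None):
    """Forward-confirmed reverse DNS check for a connecting mail server.

    Returns (verdict, hostname). The PTR name must exist and must resolve
    forward to the same IP; optionally the HELO name must equal it too.
    """
    host = PTR.get(ptr_name(ip))
    if host is None:
        return ("no-ptr", None)
    if ip not in A.get(host, []):
        return ("forward-mismatch", host)
    if helo is not None and helo.rstrip(".").lower() != host.rstrip(".").lower():
        return ("helo-mismatch", host)
    return ("confirmed", host)


if __name__ == "__main__":
    for ip in ("195.23.45.33", "203.0.113.7", "203.0.113.9"):
        print(ip, ptr_name(ip), verify_sender(ip))
```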

Forwarders
If a DNS server receives a request for a domain which it neither serves nor has
in cache, then the server has to forward this request to other DNS servers on the
Internet. The forwarders should be the nearest ones, normally the DNS servers
of the ISP. If the forwarders field is empty, DNS still works because the server
uses the internet gateway to do the DNS search. If an IPBrick.I and an IPBrick.C
exist in the same network, the IPBrick.I must have the IPBrick.C eth0 address in
the forwarder field. Here you have the most appropriate interface to register the
nearest DNS servers (Figure 7.41).

Note: It is now possible to create zones of type forward at:

Advanced Configurations -> Support service -> DNS

Figure 7.41: Support Services - DNS - Forwarders

Name Resolution
Regardless of whether the DNS service is running on this server or not, you can
configure the server to resolve its DNS requests through another server. This
configuration applies to all server services (with the obvious exception of the DNS
server, which uses its forwarders for requests it cannot answer). In order to make
the server use its own DNS you have to configure the IP address of the localhost
(the local server), 127.0.0.1, which is the default configuration (Figure 7.42).

Note that if IPBrick is not resolving through its own DNS service and no
machines use IPBrick as DNS server or as a forwarder, the service is not being
used at all. In that case all zones presented in the DNS - Domains submenu may even
be deleted.

Figure 7.42: Support Services - DNS - Name resolution

7.3.3 DHCP
The DHCP (Dynamic Host Configuration Protocol) service may be defined as a
protocol for dynamic assignment of network configuration parameters to
workstations (ports 67 and 68 UDP), an evolution of the BOOTP protocol. Basically,
a DHCP client sends a broadcast packet to the network asking for an IP address,
and it obtains an answer if there is an active DHCP server in the network. The
server not only assigns it an IP but also: network mask, default route, DNS server
and WINS server.

DHCP allows two ways of assigning IP addresses:

• Manual or reserved address: there is an association between the MAC address
of a client machine and the IP address to supply, and that machine always keeps
that same IP address;

• Dynamic: the client obtains the address from a range of addresses previously
defined by the IPBrick administrator, for a defined period of time;

NOTE: There is a mechanism that allows having the DHCP server in an IP
network distinct from the clients; this mechanism is known as DHCP relay.
DHCP relay is provided by an agent installed on the workstation(s) present in the
remote network(s); this agent receives the DHCP client requests and routes them to
the configured DHCP server.

Subnets
This menu permits the definition of subnets to be served and the parameters
of the network configurations to attribute to the workstations. (Figure 7.43)

Figure 7.43: Support Services - DHCP - Subnets

At the top menu you have links to Insert new subnets, configure Redundancy
parameters and define the General Options. You also have a list of the inserted
subnets. Each IP is a link that displays the configuration options in each one
(Figure 7.44).

Figure 7.44: Support Services - DHCP - Subnets Definition

Insert


The Insert link allows you to introduce the subnet parameters which shall be
assigned to the clients:

• DHCP Type: Select if your DHCP server is Local or Remote.

– Local: By default, IPBRICK's DHCP server is set to local. If you
wish to centralize a database of available IP addresses and networks
for various servers, it is advised to configure the Master server as Local
DHCP and its Slave(s) as Remote.
– Remote: At the Slave server you will have to delete the local DHCP
settings and insert a remote DHCP server that will fetch its network
settings from the local DHCP server, thus avoiding the arduous task of
independently configuring a new network.

– When you select Remote, new form options will appear, where you will
have to insert the Network address, the address of your network and
the Master Server that hosts the Local DHCP server.

Figure 7.45: Remote DHCP server form

• Network Address: It allows you to indicate the address of the network and
the respective mask;

• Dynamic addresses range: Which range of addresses is reserved to be
assigned to the clients;

• Clients mask: Network mask to assign to the clients;

• Broadcast address: Broadcast address to assign to the clients;

• Default lease time: Default lease time during which the address can be
lent;

• Max lease time: Max lease time of an IP address for the machines. Once this
value is surpassed, the IP address is renewed;

• Default Gateway: Address of the gateway which will serve as the default
route (by default 192.168.69.199);

• DNS Servers: List (one per line) of the DNS servers to be used by the clients
(by default ipbrick.domain.com);

• WINS servers: List (one per line) of the WINS servers to be used by the
clients (by default ipbrick.domain.com);

• TFTP server: Define the TFTP server to be used by DHCP clients. Can be
used for example for IP phones auto provisioning;

• Image Server: This server hosts the image replication service for Linux
user stations. This way every machine can be updated without the need for
individual and manual OS updates.

• Boot File: The boot file enables the user machine to restart via the image
server. It is the individual boot file in every Linux machine, including data
such as its MAC address. Each machine is thus identified by the image
server, which in turn will proceed with the appropriate updating procedure.
By default, the Linux boot file is: pxelinux.0

• DNS domain: Name of the domain indicated to the clients (by default do-
main.com).

Redundancy
It is possible to configure two DHCP servers for an IP network, one as the main
(primary) server and the other as secondary. Normally, only the primary server
answers the requests, while the secondary one synchronizes its DB with the
primary; if the primary fails, the secondary takes over its service. Communication
between the servers uses network ports which may be customized.
One of the ports listens for connections from the secondary server and
the other one listens for connections from the main server (Figure
7.46).

Top Menu Here you have a link to get Back and Insert a new connection.
The following fields are presented in the insertion of redundancy and fault:

• Name: Name of the redundant connection;

• Settings: here you can see if the server is the primary or secondary DHCP;

• Local IP: Server's internal IP address;

• Local port: Local port where the service is running;

• Remote IP: Remote IP address from the server of the other extreme;

• Remote port: Remote port where the service in the other extreme is running;

• Max response Delay: Max time that the DHCP server can wait for a
message from the other peer. When that time runs out, the server assumes that the
other has failed and takes over as the network DHCP server;

• Max Unpacked Updates: Max number of unconfirmed updates (BNDUPD)
that the server can receive from the other peer.

Figure 7.46: Support Services - DHCP - Redundancy

General Options
This option (Figure 7.47) allows the insertion of general DHCP parameters,
which shall be attributed by default to the clients:

Figure 7.47: Support Services - DHCP - General Options

• Base domain: Domain where the DHCP is operating;

• DNS servers: DNS servers to be used by the DHCP server;

• WINS servers: WINS servers to be used by the DHCP server;

• Clients mask: Mask to be used by the clients of the DHCP service;


• Default lease time: Default lease time during which the ’lease’ of the
address is valid for the clients;

• Max lease time: Max lease time of an IP address for the machines. When
this value is surpassed, the IP address is renewed.

• Interfaces with DHCP: eth0 - By default, YES

• Dynamic DNS updates: Update DNS dynamically - By default, NO. If you
want Dynamic DNS updates, it is necessary to choose "Yes" in the
respective box. This feature is used to dynamically update a machine's IP in
the DNS record (if that machine is not registered with its MAC address).
Figure 7.48 shows the Dynamic DNS update 'Yes' form.

Figure 7.48: Support Services - DHCP - Dynamic DNS updates (Yes)

Note: It is possible to visualize the leases of the DHCP at:


Advanced Configurations -> Support services -> DHCP -> DHCP Leases

• DNS Server Key: Your DNS local or remote server key;

• Local DNS Server: By default this box is ticked. If it is a remote DNS
server, remove the tick from this box;

• Forward zone: Click on the add button to add a Forward zone and fill with
the domain name and server IP;

• Reverse zone: Click on the add button to add your network and server IP.

Machines
Here you see a list of the registered machines with their MAC addresses in
the DHCP service. You can register the machines in Machines Management (see
section 3.2, page 26) or directly in this section (Figure 7.49).

Mass Operations for machines

The Export feature will export all the data to a .csv file. The Mass operations
option permits an import of a .csv file. You can edit a .csv file in a spreadsheet
application, choosing the ; to split the columns. When doing an export we can see
all the fields present:

Figure 7.49: Support Services - DHCP - Machines

• action: Options available:

– I: To insert a machine in DHCP;


– U: To update a machine in DHCP;
– D: To delete a machine in DHCP;

• iddhcpmachine: DHCP machine identifier;

• name: Machine name;

• ip: Machine IP address;

• mac: Machine NIC’s MAC address;

Example of a .csv file content for mass operations import option:

action;iddhcpmachine;name;ip;mac
N;1;maq1;172.29.1.66;AA:55:43:4A:AA:A1
I;2;maq1;172.29.1.67;AA:55:43:4A:AA:A2
I;3;maq1;172.29.1.68;AA:55:43:4A:AA:A3
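
A pre-import check for such a file, as an added example (not IPBrick code): it verifies the header, the action codes, IPv4 and MAC syntax, and flags rows that reuse an IP or MAC address. The function name, the constructed sample and the acceptance of action N (which appears in the sample above but not in the DHCP action list) are assumptions.

```python
import csv
import io
import ipaddress
import re

EXPECTED_HEADER = ["action", "iddhcpmachine", "name", "ip", "mac"]
# I, U and D are the DHCP actions listed in the guide. N appears in the guide's
# sample row; accepting it as "no change" is an assumption of this example.
ALLOWED_ACTIONS = {"I", "U", "D", "N"}
MAC_RE = re.compile(r"[0-9A-F]{2}(:[0-9A-F]{2}){5}")


def validate_dhcp_csv(text):
    """Return a list of (line_number, message) for every problem found."""
    reader = csv.reader(io.StringIO(text), delimiter=";")
    header = next(reader, None)
    if header is None or [h.strip() for h in header] != EXPECTED_HEADER:
        return [(1, "header must be " + ";".join(EXPECTED_HEADER))]

    problems = []
    seen_ip, seen_mac = {}, {}  # value -> line where it was first used
    for row in reader:
        line = reader.line_num
        if not any(cell.strip() for cell in row):
            continue  # ignore blank lines
        if len(row) != len(EXPECTED_HEADER):
            problems.append((line, "expected 5 fields, got %d" % len(row)))
            continue
        action, ident, name, ip, mac = (cell.strip() for cell in row)
        mac = mac.upper()

        if action not in ALLOWED_ACTIONS:
            problems.append((line, "unknown action %r" % action))
        if ident and not ident.isdigit():
            problems.append((line, "iddhcpmachine must be numeric"))
        if not name:
            problems.append((line, "empty machine name"))

        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            problems.append((line, "invalid IPv4 address %r" % ip))
            ip = None
        if not MAC_RE.fullmatch(mac):
            problems.append((line, "invalid MAC address %r" % mac))
            mac = None

        if action == "D":
            continue  # a deleted machine no longer holds its IP or MAC
        for value, seen, label in ((ip, seen_ip, "IP"), (mac, seen_mac, "MAC")):
            if value is None:
                continue
            if value in seen:
                problems.append(
                    (line, "%s %s already used on line %d" % (label, value, seen[value])))
            else:
                seen[value] = line
    return problems


# Constructed sample: line 4 reuses an IP, line 5 has an impossible octet,
# line 6 has an unknown action and a MAC written with dashes.
SAMPLE = "\n".join([
    "action;iddhcpmachine;name;ip;mac",
    "I;1;pc-01;172.29.1.66;AA:55:43:4A:AA:A1",
    "I;2;pc-02;172.29.1.67;AA:55:43:4A:AA:A2",
    "I;3;pc-03;172.29.1.67;aa:55:43:4a:aa:a3",
    "U;4;pc-04;172.29.1.300;AA:55:43:4A:AA:A4",
    "X;5;pc-05;172.29.1.70;AA-55-43-4A-AA-A5",
])

if __name__ == "__main__":
    for line, message in validate_dhcp_csv(SAMPLE):
        print("line %d: %s" % (line, message))
```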

DHCP leases
This page presents you with a list of all the DHCP leases (Figure 7.50).

7.3.4 ENUM
The ENUM (Telephone Number Mapping) service maps telephone numbers (E.164
recommendation) to names associated with IP addresses, using an architecture
based on the DNS service. Those names may belong to protocols such as SIP,
H.323, email, etc. To query the DNS, ENUM inverts the telephone number and
appends the suffix e164.arpa, which is the root of the tree. This tree is
delegated to all countries of the world according to their E.164 codes. Thus,
the Portuguese delegation is the inverted 351: 1.5.3.e164.arpa.

Figure 7.50: Support Services - DHCP - DHCP Leases

In IPBrick, you can define the ENUM zones where a number search can be
made. To do so, click on the Insert link and enter the ENUM zone domain.
In Order it is possible to define the priority of the zones in which the
number search is made. Figure 7.53 shows a list of the ENUM zones.
Once the list of ENUM zones to search is defined, ENUM may be used in VoIP
routes. An example follows:

1. In IPBrick.C - VoIP - Routes Management, there is an Output Route for
Sip Servers - VoIPBuster. There it is necessary to activate the option
Activate ENUM Search in the Route Definitions;

2. A certain user of the network calls through the SIP/PBX to number +351 253 59 31 12;

3. Automatically, a search is made in the ENUM zones specified in the present
menu for 2.1.1.3.9.5.3.5.2.1.5.3.e164.arpa, in order to obtain the
correspondence of that number to a certain IP address/name;

4. Supposing that the search results in the SIP address [email protected],
a SIP call is made to the address [email protected];
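
The lookup in steps 2 to 4, as an added example (not IPBrick code). It goes beyond the text by also selecting and applying the NAPTR record the way ENUM (RFC 6116) defines; the zone enum.example.org, the records and the stub resolver are constructed so the example runs offline.

```python
import re


def enum_domain(number, zone="e164.arpa"):
    """Reverse the digits of an E.164 number and append the ENUM zone."""
    digits = re.sub(r"\D", "", number)
    if not 1 <= len(digits) <= 15:  # E.164 numbers have at most 15 digits
        raise ValueError("not an E.164 number: %r" % number)
    return ".".join(reversed(digits)) + "." + zone.strip(".")


def apply_naptr_regexp(field, aus):
    """Apply a NAPTR regexp field such as '!^.*$!sip:a@b!' to the number."""
    if not field:
        raise ValueError("empty NAPTR regexp field")
    parts = field.split(field[0])  # the first character is the delimiter
    if len(parts) != 4:
        raise ValueError("malformed NAPTR regexp field: %r" % field)
    _, pattern, replacement, flags = parts
    re_flags = re.IGNORECASE if "i" in flags else 0
    if re.search(pattern, aus, re_flags) is None:
        return None
    return re.sub(pattern, replacement, aus, count=1, flags=re_flags)


def enum_lookup(number, zones, resolve_naptr):
    """Search the zones in priority order; return (zone, sip_uri) or None."""
    aus = "+" + re.sub(r"\D", "", number)
    for zone in zones:
        records = resolve_naptr(enum_domain(number, zone))
        # Lowest order first, then lowest preference.
        for order, preference, flags, service, regexp in sorted(records):
            enum_services = service.lower().split("+")[1:]
            if flags.lower() != "u" or "sip" not in enum_services:
                continue  # only terminal records that yield a SIP URI
            uri = apply_naptr_regexp(regexp, aus)
            if uri:
                return zone, uri
    return None  # no ENUM match: the call follows the configured route


# Constructed NAPTR data: (order, preference, flags, service, regexp).
CONSTRUCTED_RECORDS = {
    "2.1.1.3.9.5.3.5.2.1.5.3.e164.arpa": [
        (100, 20, "u", "E2U+email:mailto", r"!^.*$!mailto:info@example.com!"),
        (100, 10, "u", "E2U+sip", r"!^\+351(.*)$!sip:\1@sip.example.com!"),
    ],
}


def constructed_resolver(domain):
    """Offline stand-in for a DNS NAPTR query."""
    return CONSTRUCTED_RECORDS.get(domain, [])


if __name__ == "__main__":
    zones = ["enum.example.org", "e164.arpa"]  # search order, as in Order
    print(enum_domain("+351 253 59 31 12"))
    print(enum_lookup("+351 253 59 31 12", zones, constructed_resolver))
```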

7.3.5 DUNDi
DUNDi is a peer-to-peer system for locating Internet gateways to telephony
services. Unlike traditional centralized services (such as the remarkably
simple and concise ENUM standard), DUNDi is fully distributed with no
centralized authority whatsoever.


Figure 7.51: Support Services - ENUM

Add the DUNDi servers at:

Advanced Configurations -> Support Services -> DUNDi

Figure 7.52: Support Services - DUNDi

Click on Insert and type your DUNDi server’s name, MAC and IP.

Figure 7.53: Support Services - DUNDi Insert

On Outbound Routes select YES for the DUNDi lookup. The DUNDi will tell
you which extensions are on each server. When a call is placed on a server, if the
look up is active, the search is made before the call. If the reply is a different
server from the one configured in the route, the call is made to that new server.


7.4 Disaster recovery


7.4.1 Configurations
All configurations done in IPBRICK through the web interface are saved in a
Postgres database. This way any changes done will only be effective in the system
after clicking on Apply Configurations.

IPBrick keeps a time-stamped history of all configurations: whenever you
modify something in the web interface and click Apply Configurations, a new
configuration is saved locally. It is possible to store these configuration
files on a USB pen and additionally send them to a configurable email
address. The configuration filename contains the date and the exact hour at
which the configuration was created. In short, this configuration management
allows a fast disaster recovery in case of hardware problems. If for some
reason the configuration cannot be saved when applying configurations, a
warning message is presented.
There is a configuration called default, which is IPBrick's base
configuration immediately after install.

Clicking on Definitions there are the following fields that can be modified on
the link Modify:

• Source address: Source address to send the notifications (by default admin-
[email protected]);
• Destination address: Email address (internal or external) where the
configurations are delivered (by default [email protected]). You can
add multiple destinations separated by a ;
• Message Subject: By default it is Backup IPBrick;
• Message body: Should contain a description of the IPBrick server type. By
default it is empty.

! Attention !: After the IPBrick installation you should always keep a USB
pen connected to the server. The pen must be labeled with the name IPBRICK-D
and must be FAT32 formatted.

Replace
In this section you see a list of all saved copies on the USB pen. In order to
replace a setting you just have to click over it (Figure 7.54).
⇒ Note: All services will be reconfigured when replacing a copy of the set-
tings. After the configuration of all services IPBRICK restarts automatically.

When the authentication type is IPBrick Master, the replacement of
configurations is done normally (i.e. the configuration is replaced and the
server reboots), but when the authentication type is other than IPBrick
Master, a two-step procedure takes place:

Figure 7.54: Disaster Recovery - Replace configuration

• First Step: IPBrick detects whether there is connectivity with the master
at the time the settings are replaced. If there is, the setting is
replaced and the server reboots, ending the replacement process. If not, the
replacement process enters its first stage and the server reboots; the
process then enters its second step.

• Second Step: If connectivity is found during the boot process, the restore
procedure enters its final stage and the server reboots. If not, the
administrator receives a warning on IPBrick's web interface stating that
the settings were not fully restored due to the lack of connectivity, and
is prompted to complete or cancel the replacement by clicking on the
corresponding button.

Download
This section allows you to download the copies of the configurations done to a
local computer (Figure 7.55).

Figure 7.55: Disaster Recovery - Download configuration

With this useful option you can save IPBRICK settings in another place.

Upload
In this section it is possible to upload a previously downloaded configuration
file to the server (Figure 7.56).


Figure 7.56: Disaster Recovery - Upload configuration

! Attention !: It is not possible to use setting copies across different
IPBRICK versions. The configuration files are not compatible between
different IPBRICK versions.

7.4.2 Applications
This is a useful disaster recovery feature. When upgrading IPBrick from
version A to version B, if an old installation is detected, the following
applications will be backed up:

• PostgreSQL: All the Postgres databases will be dumped, including the sites
databases;

• Mail: The emails that were in the queue will be saved;

• Kaspersky: All the Kaspersky applications statistics will be saved;

• VoIP: It will save all the VoIP statistics;

• IM: The Instant Messaging data and configuration will be saved.

So, all these application files are packed and saved in a folder.
Choosing the option Applications - Restore the list of available application
data backups will be shown (Figure 7.57). To restore the desired application data
backup, click on the file and then on Restore. At this moment the backup will be
restored for the new IPBrick version (Figure 7.58).

Databases
It is possible to manage the daily backups of databases. There is an
interface to configure the administrator email address that is notified when
a backup is not made successfully. The login postgres refers to the database
that runs on port 5432.

Advanced Configurations -> Disaster recovery -> Applications -> Databases


Figure 7.57: Disaster Recovery - Applications - Data backups list

Figure 7.58: Disaster Recovery - Applications - Data restore confirmation

7.5 System
Inside the System menu, we can find the options described in the following
points.

7.5.1 Services
In Services (Figure 7.59) you'll find a list of the services available in
IPBRICK. The State column shows you whether the service is enabled or
disabled. It is possible to restart any service without having to restart
IPBRICK.
In order to restart any service you have to:

• Change the State from Enable to Disable;

• Change the State from Disable to Enable;

The Start column defines the way in which each service has to start with the
server (whether after a reboot or after a period while the server was disconnected).
If you see Automatic in the Start column of a service then the service will start
automatically with the server. On the other hand, if you see Manual on the
column then the service will not start with the server. Nevertheless it can be
started manually in this menu by changing its State from Disable to Enable.


Figure 7.59: System - Services

⇒ Note: Any changes in the Start column of a service will not have
immediate effects on the service start. The changed start will only be valid
for the next server start. On the other hand, a change in the State column
has immediate effects. That is, by changing the service state from Enable to
Disable, IPBRICK stops this service.

7.5.2 Task Manager


The Task Manager shows you a list of all executed processes in IPBRICK. It
gives you information about:

• Identifier: The PID (Process Identifier);

• Owner: The system user name that started the process;

• Start: The date of the process start;

• Memory: The memory percentage used by the process;

• Processor: The processor percentage used by the process;

• Process: The process that is running.

In this section it is possible to stop a certain process. To do so, click
the option Kill Task (Figure 7.60).

Figure 7.60: System - Task Manager

! Attention !: In general, running processes should not be stopped in this
manner. Stopping a process in this interface may cause instability in
IPBRICK. To stop services correctly, use the Services menu.

7.5.3 Date and Hour


In this menu (Figure 7.61) you can see and change the server date/hour and
the time zone. When clicking Modify these fields are presented:

• Synchronization: If Manual, the date/hour will be managed by the server
itself. If Automatic, IPBrick will use an NTP server to remotely synchronize
the date/hour. The default one is pool.ntp.org, a big virtual cluster of
Network Time Protocol timeservers (Figure 7.62);

• Date: Only active in manual mode;

• Hour: Only active in manual mode;

• Time Zone: Choose the correct time zone.

Figure 7.61: System - Date and Hour

Figure 7.62: System - Date and Hour - NTP

7.5.4 System users


This menu (Figure 7.63) lists the System users (name and login). If you
select one of them, it is possible to change its password as long as you know
the existing password. This is the list:
• root: Linux console superuser;
• operator: Linux console operator;
• Received Mail: User for the received mail copy functionality. The idea is
to map an IMAP account from an email client;
• Sent Mail: User for the sent mail copy functionality. The idea is to map
an IMAP account from an email client;
• kaspersky: User to receive, for example, the Kaspersky Applications
notifications. The idea is to map an IMAP account from an email client;
• spam: User to receive the mails from Kaspersky Anti-Spam. The idea is to
map an IMAP account from an email client;
• VoIPCDR: User for FTP access, to get the Asterisk full call statistics.
The password for all of them except root is L1opardo.
⇒ Note: Do not mistake System Users for LDAP Users. A System User is
not registered in LDAP.


Figure 7.63: System - System users

7.5.5 Monitoring
This section stands only for monitoring features. Main options:

• Logs: IPBrick and system logs management;

• Accesses: Monitoring for some TCP protocols;

• Traffic: Can manage all the active TCP connections;

• Alerts: Options for disk partitions and services with problems alerts;

Logs
The logs are an important tool for troubleshooting. This menu offers:

• IPBrick Logs: Logs generated by IPBrick. Useful for detecting any problem
at the web interface layer. The most recent information is available
in Current Log (Figure 7.67). If there are other log entries, each of them
provides the information generated by IPBRICK up to its indicated
date (Figure 7.66);

• System Logs: Manages some system logs (syslog, daemon.log, auth.log,
mail.*). See Figure 7.64:

– State: The default is disable;
– Server: If enabled, we can choose whether logs are written locally or to
a remote machine that supports the syslog daemon (Figure 7.65);
– Authorize logs from remote servers: If enabled, authorizes servers to
write system logs in IPBrick;

Figure 7.64: System - Monitoring - System Logs

Figure 7.65: System - Monitoring - System Logs - Remote server

Accesses
At Management, clicking on the service name lets us enable access monitoring
for SSH, FTP, VPN PPTP and SSL. By default the state is disabled
(Figure 7.68).
The Entries option shows all accesses (Figure 7.69). It's possible to
filter by:

• IP;
• User;
• Notes:

– Connected;
– Disconnected;
– Wrong password;
– Illegal user;
– Locked;
– Timeout;
– Timeout/Locked;
– Log in attempt with root user;
– Disconnected/Timeout.

• Date;

Figure 7.66: System - Monitoring - IPBrick logs list

Figure 7.67: System - Monitoring - IPBrick current log

Options available:

• Clean filters: Will clean all the chosen filters;

• Export PDF: Exports all the information to a .pdf file;


Figure 7.68: System - Monitoring - Accesses - Management

Figure 7.69: System - Monitoring - Accesses - Entries

Traffic
Here all the active TCP connections are listed with these fields:

• Source IP: Remote machine that has a connection to the server;

• Source port: Port used by the source machine;

• Destination IP: Server IP;

• Destination port: Port where the source machine is connected;

• State: The default is enabled.

In Action, choose the option Block connection to end a specific connection.
After blocking a connection it is possible to unblock it by clicking the
option Unblock connection (Figure 7.70).

Alerts
At this page you can define if the Full partition alerts definitions and
the Send alerts of services with problems will be enabled or disabled (both
are enabled by default).


Figure 7.70: System - Monitoring - Traffic

The full partition alerts are triggered if a partition reaches 85%. An email
alert is delivered to the address given in Destination address. It is also
possible to change the source address of the notifier (Figure 7.71).

The monitored services with problems are:

• Web server
• Internal system database
• Fax server
• Voice server

There’s also a protection to the VoIP service that uses the same email to notify
the system’s administrator of attacks to the VoIP service.

If more than 300 requests from one IP are made in 10 seconds, that IP is
blocked for 120 seconds.

Note: The same e-mail address is used regardless if the ”Send alerts of services
with problems” option is active or not.
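
One reading of that rule as a sliding window, as an added example (not IPBrick's implementation, which the guide does not describe): it replays timestamped requests and reports when each source would be blocked and released. The function names and the sample events are constructed.

```python
from collections import defaultdict, deque

MAX_REQUESTS = 300   # "more than 300 requests"
WINDOW_SECONDS = 10  # "in 10 seconds"
BLOCK_SECONDS = 120  # "blocked for 120 seconds"


def find_blocks(events, max_requests=MAX_REQUESTS,
                window=WINDOW_SECONDS, block=BLOCK_SECONDS):
    """events: iterable of (timestamp_seconds, source_ip).

    Returns a list of (ip, block_start, block_end) in chronological order.
    """
    recent = defaultdict(deque)  # ip -> timestamps inside the current window
    blocked_until = {}           # ip -> time at which the block expires
    blocks = []
    for ts, ip in sorted(events):
        if ts < blocked_until.get(ip, float("-inf")):
            continue  # request dropped while the source is blocked
        window_hits = recent[ip]
        window_hits.append(ts)
        # Forget requests that are 10 seconds old or older.
        while window_hits and window_hits[0] <= ts - window:
            window_hits.popleft()
        if len(window_hits) > max_requests:
            blocked_until[ip] = ts + block
            blocks.append((ip, ts, ts + block))
            window_hits.clear()  # counting starts again after the block
    return blocks


def constructed_events():
    """Constructed traffic: one flooding source, one phone, one edge case."""
    events = []
    for start in (0, 130):  # two bursts of 50 requests/s lasting 8 seconds
        for second in range(start, start + 8):
            events += [(second, "192.0.2.10")] * 50
    # A phone sending one request every 30 seconds.
    events += [(t, "192.0.2.20") for t in range(0, 300, 30)]
    # Exactly 300 requests in one second: not "more than 300", so no block.
    events += [(200, "192.0.2.30")] * 300
    return events


if __name__ == "__main__":
    for ip, start, end in find_blocks(constructed_events()):
        print("%s blocked from t=%ds until t=%ds" % (ip, start, end))
```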

7.5.6 SSH
The SSH menu implements a secure connection to IPBRICK's shell, shown in
Figure 7.72.
SSH (Secure Shell) is similar to the well-known Telnet application but more
secure because of the SSL protocol used.

Note: This function needs the installation of the Java Virtual Machine. The
software is available at www.java.com. After the connection it is necessary
to authenticate. Therefore, you'll need to input the following data:

Figure 7.71: System - Monitoring - Alerts

Figure 7.72: System - SSH

• Username: operator;

• Password: L1opardo.

After that first authentication, you can enter su to log in as superuser.


7.5.7 Reboot
This option allows you to reboot IPBRICK (Figure 7.73). After confirming
the reboot option, the web connection with the server is automatically stopped.
When IPBRICK restarts it is possible to establish a new https connection with
the server.

Figure 7.73: System - Reboot

7.5.8 Shutdown
This option cleanly shuts down IPBRICK (Figure 7.74), ensuring that all
the services are terminated correctly. You should use this option whenever
it is necessary to shut down IPBRICK. Do not shut down the server directly
at the power supply.

Figure 7.74: System - Shutdown

7.6 Telephony
To make IPBrick's interaction with telephone systems possible, you need
to install specific hardware. This hardware includes PCI cards that can be
analog, ISDN BRI or ISDN PRI. Analog cards provide the connection to
telephone networks working in analog mode. If telephone networks are working
in digital mode (ISDN), cards may be BRI or PRI. A BRI (Basic Rate
Interface) access has three channels: two 64 kbit/s (B) channels for
data/voice and one 16 kbit/s (D) channel for control. The PRI (Primary Rate
Interface) access corresponds to 30 B channels plus one D channel in Europe,
and can also be designated as an E1 circuit.

7.6.1 Cards
After the physical configuration and installation of the card in the machine,
you have to configure IPBrick. For this step you have to know how the card
was physically configured, i.e., each port's configuration. After the
physical installation of the hardware, you can configure cards in the IPBrick
web interface in the menu:

Advanced Configurations - Telephony - Cards

To insert click on Insert, and then indicate (as shown on Figure 7.75):

• Card type: Can be analog, ISDN BRI or ISDN PRI;

• Manufacturer: Depending on the card type, can be:

– ISDN BRI: Beronet compatible (chipset HFC);
– ISDN PRI: Digium compatible (default), Open Vox, Sangoma;
– Analog: Digium compatible (default), Open Vox.

• Port count: Number of ports;

• Port configuration: Each port can be configured to connect to the preset
interfaces: PBX or PSTN. For analog and ISDN BRI/PRI cards the settings are
automatically configured like this:

Analog:   Connecting to a PBX, so the card port will act as fxs
          Connecting to PSTN, so the card port will act as fxo
ISDN BRI: Connecting to a PBX, so the card port will act as NT PtP or NT PtMP
          Connecting to PSTN, so the card port will act as TE PtP or TE PtMP
          (PtMP = 1 to N possible terminals. Contact the PSTN operator)
ISDN PRI: Connecting to a PBX, so the card port will act as NET
          Connecting to PSTN, so the card port will act as CPE

The actual status of each port is presented as shown on Figure 7.76. Detailed
explanation:

• Green: The layer 1 (physical) and layer 2 (signalling) are UP. So the port is
ready;

• Yellow: The layer 1 is UP and layer 2 is DOWN. It means a sync problem,
so you probably need to check the tx or rx settings (ISDN PRI) or the card
jumpers (ISDN BRI);

• Red: The layer 1 and layer 2 are DOWN. It means that we have a connection
problem (bad cable or no cable) or the port is damaged. Note that for a
PSTN BRI - PTMP mode, usually when no calls are active, the standby
status can be always red;

• Red blinking: Hardware problem. You need to verify the card integrity /
jumpers configuration. This happens very rarely.

If no card is present or if it’s not detected, the message will be NA.

Figure 7.75: Telephony - Cards - Insert

For each card inserted there are three options: Back, Modify and Delete
(Figure 7.76).

Figure 7.76: Telephony - Card definitions

If the port is connected to the landline (PSTN) you need to configure the
setting as TE. If the port is connected to the PBX gateway you have to
configure the PBX port and configure the setting as NT. An ISDN FAX usually
behaves like a PBX, requiring the port configuration as FAX (showing this
option requires a FAX interface configuration) and the setting configured as
NT. If there is a GSM interface configured in one of the ports you have to
choose it on the list and configure the setting as TE. To configure an ISDN
PRI you have to indicate whether the line uses the R2 protocol (used for
example in Brazil) and whether CRC4 is active on the line. PtP or PtMP
depends on the telephone operator's line type.
After the configuration, we can see a list of the configured cards, as shown
in Figure 7.77.

Figure 7.77: Telephony - Cards list

7.6.2 Interfaces
Interfaces represent trunks, normally to the non-IP world. It's possible to
create more interfaces than the default ones (PBX and PSTN) (Figure 7.78).
Examples: a GSM ISDN or a FAX interface. You can create them at:

Advanced Configurations - Telephony - Interfaces

Figure 7.78: Telephony - Interfaces

Menu to insert interfaces (Figure 7.79):

• Interface Name: When created, the interface will appear under the chosen
name at Local Routes and in the Telephony Cards port configuration;

• Interface Type: Represents the associated trunk:

– BRI PSTN: Represents the PSTN side using an ISDN BRI connection;
– BRI PBX: Represents the PBX side using an ISDN BRI connection;
– PRI PSTN: Represents the PSTN side using an ISDN PRI/E1 connection;
– PRI PBX: Represents the PBX side using an ISDN PRI/E1 connection;
– ANALOG PSTN: Represents the PSTN side using an ANALOG connection;
– ANALOG PBX: Represents the PBX side using an ANALOG connection;
– OCS: Represents the Microsoft Office Communications Server. That
interface will be used only for Local Routes (Figure 7.80). For that
interface type two extra fields are present:
∗ FQDN: OCS fully qualified domain name;
∗ Mediation Server IP: Mediation Server IP address;

• SIP Peering: The Open Peer option allows any incoming call from the
Internet to use this interface. The Closed Peer option means that only peers
defined in SIP Peers can use the interface (this is the best option when
connecting to PSTN or GSM). Peers are public IPs authorized to use a certain
interface; for instance, a peer can be another IPBrick. They can be inserted
at:

Advanced Configurations - Telephony - SIP Peers

• Receive gain: Receive gain in dB. It can be useful to increase it if we are
talking about the PSTN interface and at the IPBrick side we are listening
with low volume;

• Transmission gain: Transmission gain in dB. It can be useful to increase it
if we are talking about the PSTN interface and at the PSTN side they are
listening with low volume;

This operation is necessary if you want to connect a FAX to a card port, a GSM
gateway or another additional interface. If there is a GSM gateway, you may add
here a GSM interface (as an interface name). Choose a card type (analog, PRI or
BRI) in the Interface Type, and the Closed Peer option in the SIP Peering.

Figure 7.79: Telephony - Interface insertion


Figure 7.80: Telephony - OCS interface

7.6.3 Failover Switches

At this page (Figure 7.81) you may insert failover switches.

Figure 7.81: Telephony - Failover Switches

Click on Insert and fill in with the necessary information (Figure 7.82):

• Name: The failover switch name;

• IP: Its IP address;

• MAC Address: Its MAC address;

• Keep-alive interval: A keep-alive signal is sent at predefined intervals
(by default 5 seconds). If there is a reply, no change is made to the
routing. If there is no reply, the connection is assumed to be down and
future data will be routed via another path until the link is up again.


Figure 7.82: Telephony - Failover Switches Insert

7.6.4 Registered Phones


The phones should be inserted through IPBrick.I - Machines Management, so the
main goal of this option is to modify some specific SIP phone attributes.

Inserting a phone here is also valid if there is no need to assign a specific
IP address to the telephone and we do not want LDAP to store information
about that machine. You can add a telephone simply by filling in the fields
for the name and the access password of the telephone. Note that the phone's
password must comply with the strong password policies, unless you choose to
disable them at Telephony - Configurations.

• Phone: Insert the name of the telephone to register;

• Password: Insert the access password to the telephone;

• Retype Password: Reinsert password;

• Caller ID: If you want to mask the caller ID insert one;

• Phone Location:

– Local: It's the default, for a LAN phone;
– Remote: For a remote phone that is connected behind a NAT. Usually
this option is used when the idea is to register the phone from the
Internet, using the IPBrick network public IP.

• Auto provisioning: The auto provisioning option permits the automatic
configuration of SIP hardphones, so here we just need to choose the phone
model. For this to work, it is mandatory to insert the MAC address when
registering the phone at Machines Management.

• Description: This field should have a text phone description;


Example at Figure 7.83.

Figure 7.83: Telephony - Simple phone register

Mass Operations
As in the Mass Operations link found in IPBrick.I > Machines Management,
it’s possible to use a .csv file to insert, more rapidly, a greater number of phones.
If you click on the Export link, you will be able to save a .csv file with all your
registered phones or, if you have none, the file will serve as a template for insertion.

You can edit the .csv file in a spreadsheet application, choosing ; to split the
columns. The Registered Phones .csv field structure is as follows:

• action: Mandatory field. Options available:

– I: To Insert a phone;
– U: To Update phone information;
– D: To Delete a phone;
– N: No change is done to the phone’s settings.

• idvoipphone: A number identifying the VoIP phone;

• name: The phone’s name (mandatory field);

• password: The phone’s password (mandatory field);

• callerid: The phone’s caller ID;

• voip_nat: The phone's location. Insert 0 if it's local or 1 if it is a
remote phone;

• phonedescription: A free text field. For your reference only, insert a
simple description of the phone;

• idphonetemplate: The numeric value for your phone's auto-provisioning
template. By default, these are the available templates and their
respective ids:

Name                    id Template
Aastra 6731i            513
Aastra 6755i            500
Atcom 530               501
Cisco SPA303            421
Cisco SPA504G           422
Cisco SPA525G2          423
Grandstream BT200       510
Grandstream BT201       511
Grandstream GXP1200     508
Grandstream GXP2000     505
Grandstream GXP2010     506
Grandstream GXP2020     507
Grandstream GXP280      509
Snom 300                514
Snom 320                503
Snom 360                504
Snom 370                515
Snom 870                516
Thomson ST2030s         502
Yealink T20P            417
Yealink T26P            419
Yealink T28P            420

7.6.5 Configurations
In this menu it's possible to adjust several configurations for VoIP and
PBX/PSTN integration. These are the options:

• General options;
• Voicemail Options;
• Agent Mobility;
• Analog and ISDN PRI options - R2 Signaling options ;
• ISDN BRI options;
• List of enable codecs;
• IP PBX remote managers;
• VoIP domain alias;
• Authorized internal networks for SIP registration.


General options
You will find the following fields in Options (Figure 7.84):

Figure 7.84: Telephony - Configurations

• Router with full DNAT?: If IPBrick is connected to a router that is
responsible for the access to the exterior (in terms of VoIP) and allows the
'passage' of all traffic, it is necessary to select Yes and indicate the
external address of that same router in Router public IP address;

• IP address of the IPBrick public interface used by the VoIP service:
IP address of the public interface of IPBrick responsible for the VoIP
service;

• Enable direct voice traffic: Allows the network traffic to be routed
through only one interface instead of two, as is usual;

• Remove default national prefix (0): Removes the national prefix normally
used;

• IPBrick Contacts Server IP address: The IPBrick Contacts IP address.

• IPBrick Contacts Server DNS domain: The IPBrick Contacts DNS domain.

• Get call source address from IPBrick Contacts: If activated, it goes
to the Contacts' LDAP database and, if it finds the calling number, it will
replace it by the name of the entity associated with that number (this option
can also be used on internal calls).

• Restrict Follow Me Addresses on MyIPBrick to IPBrick Contacts: By
default NO;

• Mask call source address on internal calls: By default NO;

• Immediate answer on calls originated in a PBX: It is advisable to have
this option enabled if you are using connections to SIP servers (e.g.
VoIPBuster, NetCall), in order to avoid timeouts in the PBX central. If, for
example, you intend to define rates for the calls from the PBX, this option
has to be deactivated so that the user does not start paying as soon as he
dials the number.

• Attendance Timeout: Time (seconds) during which the call is sent to the
destination phone, before being sent or routed to another phone;

• Call Timeout: Time (seconds) during which the connection is trying to be
established. If it expires, the attempt will be ended;

• Timeout to hangup calls without sound;

• Timeout to hangup calls on hold without sound;

• Default register time: The time by which you request the operator a
register (by default, 3600 seconds);

• Maximum register time: The duration of your register (by default, 3600
seconds);

• Number of register attempts: The number of times you attempt a register
(by default, 0);

• Enable SIP video support: Enables the support for SIP video. The
signalling protocols support not only voice but also video.

• Attended transfer: If yes is chosen, you can define a key activation
sequence to do an attended transfer. So you can stop using this feature from
the SIP phone and use it from the VoIP server;

• Blind transfer: If yes is chosen, you can define a key activation sequence
to do a blind transfer. So you can stop using this feature from the SIP phone
and use it from the VoIP server;

• Call pickup: If it’s on yes it will enable the call pickup. If a phone is
ringing and the idea is to answer the call by using another phone, we can
use the key activation sequence (*8 by default) plus the phone number to
pickup the call. Example: *8111, will pickup a call from the phone 111 that
is ringing;

• Call pickup key activation sequence: Change here the default
activation sequence (*8);

• Group call pickup: With this option active, it’s possible to pick up a call
from a ringing phone that is a member of the same group, by using the defined
key activation sequence (*7 by default). If the phone belongs to more than one
call group, the last call to be ringing on any of those call groups will be the
one to be picked up;

• Global call pickup: If you choose yes it will enable the global call pickup.
If a phone is ringing and the idea is to answer the call by using another phone,
we can simply use the key activation sequence (*8 by default) to pick up the
call. Example: *8 will pick up a call from a phone that is ringing. If two or
more calls are ringing at the same time, the last call to arrive is always the
one picked up;

• Global call pickup key activation sequence: Change here the default
activation sequence (*8);

• Phone lock: Allows an internal phone to be locked, so that it cannot make
calls (it will still be able to receive them). To lock a phone you need to enter
the key activation sequence and wait for a message. After that message you
need to type the user PIN, or PIN and password, defined at IPBrick.GT -
Users Management, depending on the chosen user access validation. To unlock
the phone the process is the same. If the option Allow phone unlocking by
any valid user is set to NO, only the user that locked the phone or the defined
Administrator unlock password will unlock the phone;

• Do not disturb: If enabled, the phone will be unable to receive calls. By
default use *73 to activate DND on a phone, and *74 to deactivate;

• Unconditional forwarding: Can be used to do unconditional call forwarding
at a phone and by default uses key sequence *70. Example: Calls for
phone 201 will be unconditionally forwarded to phone 202. So we just need
to do a *70202 at phone 201. To deactivate we type only *70;

• Forward when busy: Can be used to forward a call when some phone is
busy and by default uses key sequence *72. Example: If phone 201 is busy,
calls will be forwarded to phone 202. So we just need to do a *72202 at
phone 201. To deactivate we type only *72;

• Forward when not answer: Can be used to forward a call when some phone
does not answer and by default uses key sequence *71. Example: If phone 201
is not answering, calls will be forwarded to phone 202. So we just need to
do a *71202 at phone 201. To deactivate we type only *71;

• Retry Dial when busy: If someone is calling a number and that phone
is busy, the caller will be notified and asked to activate the retry dial. If
he decides to activate it, this option will run an availability check on that
number. When the number finally is available, the system will establish a
connection between both numbers and both phones will ring. By default this
option is Disabled. If you activate it these options will appear:

– Retry Dial when busy key activation sequence: Change here the
default activation sequence (5)
– Timeout: The amount of time (in minutes, by default: 60) that the
system will continue to run the availability check. When this period
ends, the retry dial function will be stopped.
– Restrict access to: Choose the addresses that may activate the
retry dial function.

• Call Supervision: If yes is active, it will only enable the call supervision
feature. By default the key activation sequence is *9;

• Call’s prioritization: If enabled, it will be possible to define priority
levels for each route prefix defined in Routes Management. The level can be
set from 1 (highest) to 10 (lowest). Example: In a LAN-PSTN route all the
BRI lines are full. If an emergency call prefix (911) has maximum priority
defined, when someone dials 911 some current call can be disconnected;

• Enable advanced call statistics: If active will enable some fields at call
statistics like: Total packets, codec, lag, lost packets, signaling and jitter.
Note that CPU/memory load will be increased;

• Store calls details records in csv file: All the call history in the
default asterisk format will be saved to a file called Master.csv. This file
can be downloaded by FTP with username voipcdr and password
L1opardo;

• IP of server-signalling different from the media server: If a
remote signalling service is running in one server, and the remote media server
is running in a different one, this option must be activated;

• Boss/secretary forward: This feature, when active, addresses the issue of
call forwarding between boss and secretary more efficiently. It assigns *79
as the key activation/deactivation sequence for the direct transfer between
phones. You may alter it to another sequence if you so wish. By default this
option is inactive.


NOTE: Disabling this option will not deactivate the feature Boss/secretary
group in:

VoIP > Functions > Inbound

Both features are autonomous.

• Secretary disabled: This feature enables the secretary to enable/disable
her availability to answer calls from her ’Boss’. By default, Disabled. When
enabled, the Secretary key activation sequence is, by default, *55;

• Play call forwarding message: When a call is forwarded the user will
hear a message stating this fact (by default, YES);

• Use strong passwords: By default Yes. Whenever you insert a phone,
its password will have to comply with the minimum number of characters
(preconfigured as 8), but you may increase this number. Bear in mind that
you cannot decrease the minimum value of 8 characters!
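
Once Master.csv (see Store calls details records in csv file above) has been downloaded, it can be reviewed offline. The following Python code is an added example, not part of IPBrick or of the original guide: it parses rows in the column order of Asterisk's cdr_csv backend and flags answered international calls placed outside working hours or running unusually long. The "00" prefix, the 08:00-20:00 window, the one-hour limit and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Column order written by Asterisk's cdr_csv backend. The last two columns
# are optional (they depend on cdr.conf), so a valid row has 16 to 18 fields.
FIELDS = ["accountcode", "src", "dst", "dcontext", "clid", "channel",
          "dstchannel", "lastapp", "lastdata", "start", "answer", "end",
          "duration", "billsec", "disposition", "amaflags",
          "uniqueid", "userfield"]

# Constructed sample rows; extensions and numbers are made up. The second
# row has no optional columns and the last row is deliberately truncated.
SAMPLE = '''
"","201","202","internal","""Alice"" <201>","SIP/201-0001","SIP/202-0002","Dial","SIP/202","2013-08-05 10:01:00","2013-08-05 10:01:05","2013-08-05 10:03:05",125,120,"ANSWERED","DOCUMENTATION","1375696860.1",""
"","205","00999555010001","outbound","""Bob"" <205>","SIP/205-0003","DAHDI/1-1","Dial","DAHDI/g0/00999555010001","2013-08-06 02:14:00","2013-08-06 02:14:09","2013-08-06 03:20:09",3969,3960,"ANSWERED","DOCUMENTATION"
"","203","00999555010002","outbound","""Carol"" <203>","SIP/203-0004","DAHDI/2-1","Dial","DAHDI/g0/00999555010002","2013-08-06 14:30:00","2013-08-06 14:30:10","2013-08-06 14:35:10",310,300,"ANSWERED","DOCUMENTATION","1375799400.3",""
"","205","00999555010001","outbound","""Bob"" <205>","SIP/205-0005","DAHDI/1-1","Dial","DAHDI/g0/00999555010001","2013-08-07 02:30:00","","2013-08-07 02:30:30",30,0,"NO ANSWER","DOCUMENTATION","1375842600.4",""
"","204","00999555010003","outbound"
'''


def parse_cdr(stream):
    """Return well-formed CDR rows as dicts; damaged rows are skipped."""
    records = []
    for row in csv.reader(stream):
        if not 16 <= len(row) <= len(FIELDS):
            continue  # blank or truncated line: do not guess its content
        rec = dict(zip(FIELDS, row))
        try:
            rec["start"] = datetime.strptime(rec["start"], "%Y-%m-%d %H:%M:%S")
            rec["billsec"] = int(rec["billsec"])
        except ValueError:
            continue  # unparsable timestamp or counter
        records.append(rec)
    return records


def is_answered_international(rec, intl_prefix):
    return (rec["disposition"] == "ANSWERED"
            and rec["dst"].startswith(intl_prefix))


def review(records, intl_prefix="00", work_hours=range(8, 20),
           max_billsec=3600):
    """Flag answered international calls placed off-hours or running long.

    The prefix, hours and duration limit are assumptions of this example;
    set them to match the site's dial plan and working day.
    """
    findings = []
    for rec in records:
        if not is_answered_international(rec, intl_prefix):
            continue
        reasons = []
        if rec["start"].hour not in work_hours:
            reasons.append("off-hours")
        if rec["billsec"] > max_billsec:
            reasons.append("long call")
        if reasons:
            findings.append((rec["src"], rec["dst"], rec["billsec"], reasons))
    return findings


def billed_seconds_by_source(records, intl_prefix="00"):
    """Total billed seconds of answered international calls per extension."""
    totals = defaultdict(int)
    for rec in records:
        if is_answered_international(rec, intl_prefix):
            totals[rec["src"]] += rec["billsec"]
    return dict(totals)


if __name__ == "__main__":
    cdrs = parse_cdr(io.StringIO(SAMPLE))
    for src, dst, billsec, reasons in review(cdrs):
        print(f"{src} -> {dst}: {billsec}s ({', '.join(reasons)})")
    print(billed_seconds_by_source(cdrs))
```

To review a downloaded file, pass `open("Master.csv", newline="")` to `parse_cdr` instead of the sample.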

Voicemail Options
At this menu (Figure 7.85) you will be able to configure your Voicemail settings.
Simply click on Modify to access the options.

Figure 7.85: Telephony - Configurations - Voicemail Options

• Voicemail: Enable or Disable the Voicemail service for, Phones, Users, Call
Groups and Attendance sequences (by default, Enabled);

• Location: Choose if the Voicemail server will be Local or External (by
default, Local). If you choose External a new field will appear:

– Server: Please type your external voicemail server’s name;

• Access voicemail by telephone: It’s possible to access your Voicemail
via telephone. To activate this feature select Enabled (by default, Disabled);
a new field will appear:

– Key combination to access voicemail: Insert the key combination
to access your voicemail (by default, *75)

• Send Voicemail by email: This option will be visible only if you select
Local at the Location field. Select NO if you do not wish to receive emails
with your voicemail messages as attachments (by default this option is set
to YES).

• Servers to notify new messages: Indicate here the server(s) to notify
(add only one per line).

Figure 7.86: Telephony - Configurations - Voicemail Options

Agent Mobility
As the name suggests, this feature (Figure 7.87) enables the user to log on as
agent on any phone he wishes to use, simply by using his PIN number. Any session
on a previous phone will be terminated. By default, the Agent Mobility feature is
disabled. To enable it, click on the Modify link.

Figure 7.87: Telephony - Configurations - Agent Mobility


At State, select Enabled, and insert the VoIP server’s IP(s) where it will be
possible for users to register themselves as agents (Figure 7.88).

NOTE: Insert only one per line!

Figure 7.88: Telephony - Configurations

When you have finished, please click on the Modify button at the bottom of
the page.

Analog and ISDN PRI options


Parameters that apply only to the analog/ISDN PRI cards and that will be
adjusted in the configuration files of the driver used for those cards, dahdi
(Figure 7.89):

• Channel tone zone: Country tone zone. Frequencies may vary from country
to country. Select the appropriate tone zone for your location;

• Echo cancel: Minimizes echo during calls;

• Type of Number (ISDN TON): Type of Number (TON) indicates the scope
of the address value, such as whether it is an international number (i.e.
including the country code), a "national" number (i.e. without country
code), and other formats such as "local" format (i.e. without an area code).
These types of number are then presented to the operator. If, for example,
you leave the default option (Unknown), the operator will identify the type
of number.


– These are the available options both for the Callee (Calling Number)
and Caller (Caller Number):
∗ Unknown - The default option. The most common setting, when
unknown is configured your telephony operator will handle the
number’s TON;
∗ Local - The number will be without area code;
∗ Private - The number will not be displayed and it will not be possible
to redial or call back;
∗ National - The number is presented without country code;
∗ International - The number will include the country code;
∗ Dynamic - This option will permit the TON’s auto detection and
is based on the prefix configured at the next field (Prefixes based
on ISDN TON);
– Prefixes based on ISDN TON: This option is related to the card’s call
reception and the Dynamic TON, in such a way that, if you receive a
PSTN incoming call, with an international or national type of number,
the corresponding prefix will be added to the incoming numbers. This
feature is important to facilitate the call redial function;

• R2 signalling options: If the R2 signaling protocol is used (old ISDN
protocol) you can define here the R2 parameters:
– DNIS: Dialed Number Identification Service value;
– ANI: Automatic Number Identification value;
– Zone/Country;

Figure 7.89: Telephony - Analog and ISDN PRI options

ISDN BRI options


Parameters that apply only to the ISDN BRI cards and that will be adjusted in
the configuration files of the driver used for those cards, misdn (Figure 7.90):


• Echo cancel: The default is High. Other options: Disabled, minimum, low
and maximum (requires more CPU processing);

• DTMF detection threshold: Allows changing the DTMF sensitivity from 50
to 400 (less sensitivity);

• Disable DTMF on voice audio: This option disables DTMF detection of
voice audio on calls from BRI Cards. By default, this option is set to NO;

• Immediate digit capture: The immediate capture of digits changes the way
the numbers sent from a PBX central are read in IPBrick. When this
option is deactivated, the digit capture routine is changed to solve problems
in the reading of numbers in some central stations, for example, when
the dialled number is wrongly identified in IPBrick (repeated digits or lack
of digits). Attention: This option should be set to No by default;

• PSTN digit reception timeout: Timeout in seconds;

• Jitter Buffer: Allows changing the jitter buffer (footnote 15);

• Digit timeout: Time (seconds) from the dialling of the last number from
which IPBrick considers the dialling as ended;

• Response timeout: Time (seconds) counted from the moment the receiver is
hung up and at its end IPBrick shall cancel the channel;

• Type of Number (ISDN TON): Low level signalling options

– Outgoing number (onumplan): Unknown is the default, other options
are national, international and subscriber;
– Caller id (dnumplan): Unknown is the default, other options are
national, international and subscriber;
– CPN (cpnnumplan): Unknown is the default, other options are national,
international and subscriber.

• Prefixes based on ISDN TON: This option is related to the card’s call
reception, in such a way that, if you receive a PSTN incoming call, with an
international or national type of number, the corresponding prefix will be
added to the incoming numbers. This feature is important to facilitate the
call redial function. At BRI card options you will also be able to set the
country code;

• CLIP no screening: Available only in some countries, such as Germany and
Austria, this option permits you to mask your Caller ID number with a
number out of bounds of its assigned number space. By default, this option
is set to NO.
Footnote 15: Shared data area where voice packets can be collected, stored,
and sent to the VoIP server in evenly spaced intervals.


Figure 7.90: Telephony - ISDN BRI options

List of enabled codecs

This table lists the codecs used in IPBrick and the preference order in
which they are chosen in communications. To add or remove codecs, follow the
option Modify, select the codec and press the add or remove button
(Figure 7.91). In the same way, to change the order in which the codecs are
used, select the codec and click the arrows on the right of the list to move
it up or down according to the necessary priority.
It is possible to select among the following codecs, knowing that the bandwidth
used by each one in a call is approximately:

• GSM: 13 Kbps;

• iLBC: 15 Kbps;

• Speex: Configurable 4-48 Kbps;

• G.726: 32 Kbps;

• LPC10: 2.5 Kbps (not recommended);

• G.711 ulaw: 64 Kbps;

• G.711 alaw: 64 Kbps, used in Europe;


• G.722: 64 Kbps;

• G.729: 8 Kbps. You may have to buy a license at the Digium website to make
calls with this codec. If this codec is enabled, a link called Licence
Activation will appear, so that a G729 licence can be generated with a valid
key. See Figure 7.92 and Figure 7.93.

NOTE: In the Country field use only your country’s two letter code (e.g.:
Portugal-pt, France-fr, Angola-ao, etc.). For a complete list of all countries,
please check ISO 3166 Country Codes.

http://www.acronymsearch.com/documents/country_ISO_country_codes.htm

Of course the bigger the required bandwidth, the smaller the number of possible
simultaneous calls. For each selected codec, allow an average of 15 Kbps more
for overhead.

Figure 7.91: Telephony - Configurations - Codecs

Figure 7.92: Telephony - Configurations - Codecs with g729


Figure 7.93: Telephony - Configurations - g729 licence

IP PBX remote managers


This option allows other programs, normally programs running on LAN servers,
to connect to asterisk. Some examples: mail plugin for call generation,
external asterisk monitoring tools, call center for call generation, etc.

By default the IP PBX remote management is disabled. To enable it, click
Modify and then Insert IP PBX remote manager (Figure 7.94).

Configuration options:

• Login: Login to use;

• Password;

• Network: Network range or specific IP that will be given access;

• Network mask.

An example is shown at Figure 7.95.

Figure 7.94: Telephony - IP PBX remote managers


Figure 7.95: Telephony - IP PBX remote managers - Configuration

VoIP domain alias


The VoIP server can accept calls not only for the main domain but for different
ones as well. To add domains just click Modify and insert the domains one per
line. (Example at Figure 7.96).

Figure 7.96: Telephony - VoIP domain alias

Functions available for phones


Call transfer

Besides supporting call transfers made by the terminal equipment (SIP
telephones, PBXs or softphones), IPBrick can also make transfers on any
telephone, even if the telephone itself does not support transfers. The two
types of transfer allowed by IPBrick are:

• Assisted transfer: When receiving a call, the person receiving it dials an
extension, asks the person at that extension if he/she accepts the call or not,
disconnects and the call is transferred. To execute an assisted transfer
during the call, it is necessary to dial * (by default) and the name of the
extension or alternative address. Example: To transfer a call to a telephone
registered as ipbrick1, which has the 480 extension as alternative address,
dial *480 during the conversation.

• Non-assisted transfer: When receiving a call, the person receiving it dials
an extension and the call is immediately transferred to that extension. To
execute a non-assisted transfer during a call, dial # (by default) and
the name of the extension or alternative address. Example: Non-assisted
transfer to the above telephone: #480.

To cancel a transfer, you just have to dial again the number you dialled to
transfer. Example: you wanted to transfer a call to extension 481 but you
dialled *482. To recapture the call you have to dial *482 again, and then it
is possible to transfer to the correct number by dialling *481.

Calls capture

To capture a call ringing in another extension, dial *8 followed by the name
with which the telephone was registered or the name of the group of telephones
ringing.

7.6.6 SIP peers


You may add here IP addresses to let known remote gateways use interfaces
defined as Closed Peers in IPBrick. For instance, you have two IPBricks
connected to each other through the Internet and one is connected to the PSTN.
If you want the remote IPBrick to connect to the PSTN interface, you need to
add your IP to this list by clicking on Modify. Example at Figure 7.97.

Figure 7.97: Telephony - SIP peers


7.6.7 IAX peers


By clicking insert we define the IAX servers that are authorized to forward
the calls using that IPBrick. The IPBrick will accept inbound routes from other
servers that will be specified in that list. Example at Figure 7.98.

Figure 7.98: Telephony - IAX Peers

7.6.8 Auto provisioning


The full auto provisioning template list is presented here. The list shows the
template name, phone brand and model and the specific firmware version (Figure
7.99). We can manage existing templates by clicking the template name, or click
Insert in the main menu to create a new template. The fields are:

• Name: Name for the template. Usually it is the complete phone brand and
model;

• Brand: Phone brand. Available: Aastra, Atcom, Grandstream, Snom and
Thomson;

• Model: Shows the supported models;

• Firmware version: Supported firmware for the chosen model;

• Configuration files: Here the idea is to insert the desired configuration file.

It’s possible to have various auto provisioning configurations for the same
phone model. So we can change only some configuration parameters like ringtone,
LCD logo information, codecs etc. An example of a new template insertion is
shown at Figure 7.101. A new list with some customized templates is shown at
Figure 7.102.


Figure 7.99: Auto provisioning - Template list

Necessary steps to use auto provisioning:

• If needed adjust the template for some specific configuration;

• Register a phone in IPBrick;

• Go to Advanced Configurations - Telephony - Registered Phones and
associate the desired template to a phone (Figure 7.100);

• Go to DHCP server and enable the option 66 (TFTP server) pointing the
IP to IPBrick;

• Get the SIP phone ready and connect it to the network (read next section).

Figure 7.100: Auto provisioning - Phone with a specific template

The LAN DHCP server must have the option 66 active and pointing to the
IPBrick IP. That option represents the TFTP server, which will always be the
IPBrick where the auto provisioning is configured, because all the supported
phones will get the configuration stored in IPBrick using the TFTP server IP
passed by DHCP. If the IPBrick is the DHCP server, the option TFTP server at
Advanced Configurations - Support services - DHCP - Subnets must point to the
IPBrick IP. It’s also important to check that the phone firmware is the same
as the one listed in the auto provisioning template list.

Figure 7.101: Auto provisioning - Insert a new configuration for a phone

Figure 7.102: Auto provisioning - Full template list

Supported phones
This is a list of all the supported models:

Name                    Firmware version
Aastra 6731i            2.6.0.66
Aastra 6755i            1.37
Atcom 530               1.6.79.68
Cisco SPA303            7.4.8
Cisco SPA504G           7.4.8
Cisco SPA525G2          7.4.8
Grandstream BT200       1.1.6.46
Grandstream BT201       1.1.6.46
Grandstream GXP1200     1.1.6.46
Grandstream GXP2000     1.1.6.46
Grandstream GXP2010     1.1.6.46
Grandstream GXP2020     1.1.6.46
Grandstream GXP280      1.1.6.46
Snom 300                7.3.14
Snom 320                7.3.14
Snom 360                7.3.14
Snom 370                7.3.14
Snom 870                7.3.14
Thomson ST2030s         2.67
Yealink T20P            9.60.0.100
Yealink T26P            6.60.0.100
Yealink T28P            2.60.0.100

Atcom 530

Because the auto provisioning parameters can’t be passed by DHCP to this
phone, we need to do an initial configuration at the ATCOM phone web interface.
The complete steps are:

• If the phone is not new, reset its configuration to the defaults;

• Go to the phone web interface using the IP passed by DHCP;

• Go to menu Update - Auto Provisioning and configure the following:

Server address: IPBrick IP
Username: -
Password: -
Config File Name: MAC_ADDRESS.cfg
Config Encrypt Key: -
Protocol Type: TFTP
Update Interval Time: 1 hour
Update Mode: after reboot

• Save config and reboot.

Other supported phones

Just connect the phone to the LAN. You only need to check that DHCP is
active on the phone. On new phones DHCP is active by default; on a used phone,
change the network mode from static to DHCP or reset its configuration to the
defaults.


Chapter 8

Apply Configurations

The option Apply Configurations is crucial in IPBrick. All configurations
done in IPBRICK through the web interface are saved in a Postgres database.
This way, any changes to the configuration will only be effective in the system
after clicking on Apply Configurations.

Most changes don’t require the IPBrick server to reboot, so a screen like
Figure 8.2 will appear. IPBrick only needs to reboot in these cases:

• Network interfaces configuration;

• Domain name and server name configuration;

• Changes in authentication mode (LDAP).

NOTE: The IPBrick Administrator will be notified should the VoIP service
require a restart in order to apply the configurations. This will imply the
momentary loss of VoIP service, thus terminating all current calls. Please bear
this in mind when deciding to apply the changes.

When a reboot is needed, a screen like Figure 8.1 will be shown. It’s important
to be informed that IPBrick will reboot, so the administrator has the option to
apply configurations at that moment or outside working hours.

As we can see, these types of configuration only need to be changed to get the
server into production on the customer network. From the moment IPBrick is in
production, a reboot becomes very rare, because the network definitions,
domain/server name and LDAP mode no longer need to be changed.

When applying configurations two extra options are presented:

• Description: Each time we apply configurations we can make a description
of what we did;

• Cancel all changes: Choosing that option, instead of Apply, will roll back
all configurations that were made. So IPBrick will stay with the settings
from the last time someone applied configurations, i.e. the last configuration
file that appears at Advanced Configurations - Disaster Recovery -
Configurations.

Figure 8.1: Apply Configurations and reboot

Figure 8.2: Apply Configurations

NOTE: Applying configurations on an IPBrick Master automatically forces
the apply configurations on its IPBrick Clients and Slaves.


Chapter 9

Appendix A
Join in the domain

This section describes the process of:

• Configuring a workstation with DHCP;

• Joining a workstation in a domain.

This process description presupposes the following:

• the domain controlling server is IPBrick.I;

• the DNS domain is empresa.pt;

• the domain is EMPRESA.

In order to join a workstation in a domain you need to take the following steps:

1. Know the MAC address of the machine’s network interface card;

2. Choose a machine "name";

3. Have a machine IP address;

4. Create an entry for the machine in IPBrick.I;

5. Update IPBrick.I.

9.1 Windows XP Professional Workstation


⇒ Note: Before starting the process of joining a machine in a domain you
have to know the username/password of the administrator of the XP machine.
Then you can start the migration process.

Therefore you have to:


1. Press [windows];

2. Select My Local Network ;

3. Select Network Connections;

4. Right click on the icon Local Network Connection and select Properties;

5. Choose TCP/IP in the open window and click on Properties;

6. Choose Get the IP Address Automatically in the open window and then
select Get the DNS server addresses automatically;

7. Close the network properties windows.

The next step is to confirm that the machine IP address is the same that was
introduced in IPBrick.I. Therefore you have to:

1. Press the keys [windows]+[R];

2. cmd [ENTER];

3. ipconfig /all;

4. Check the information in the IP Address field.

If the IP address is not the one introduced in IPBRICK you have to release it
and renew it with the following commands:

1. Press [windows]+[R] keys simultaneously;

2. cmd [ENTER];

3. ipconfig /release;

4. ipconfig /renew;

5. ipconfig /all.

If the machine IP address is right you can join the machine in the domain
EMPRESA:

1. Press the keys [windows]+[pause] and open the System Properties;

2. Select "Computer Name", click on "Change..." and give the computer a name
(the name must have been created in IPBrick.I before);

3. Press button "more.." and add the DNS machine domain: empresa.pt. Do
not select the option Change the primary DNS suffix when the association
to the domain is changed;


4. Insert EMPRESA in the domain. The password of the domain EMPRESA
or of the machine administrator may be requested;

5. Click OK and close "System Properties";

6. Restart the machine. While the machine is starting you can already log in
to the domain EMPRESA.

⇒ Note: The workstation does not have to use DHCP. It can be configured
with a fixed IP address. In this case you don’t have to fill in the field MAC
Address while you register the machine in IPBRICK.



Chapter 10

Appendix B
Configuring a VPN connection

In order to create a VPN (PPTP) connection in a Windows XP Professional
workstation you have to take the following steps:

1. Press [windows]

2. Select Control Panel

3. Double click Network Connections

4. In the window Network Connections, select Create a New Connection

5. The Wizard appears to create a new connection. Select "Connect to my work
area network" (refers to the VPN description), "Virtual Private Network
Connection". After that select a name for the connection to be created, for
example "Enterprise connection". Then you have to indicate the IP address
or the full name by which IPBRICK is known in the Internet. At last you
have to select who can use the VPN connection.

The VPN connection is configured. In order to establish a VPN you only have
to introduce the user name and password registered in IPBRICK. IPBRICK is
now working as a VPN-PPTP server.



Chapter 11

Appendix C
Configuration of a VPN SSL
connection (Open VPN)

To create a VPN connection (Open VPN) in a Windows 2000/XP and higher
workstation it is necessary to install the Open VPN GUI software:

• Open VPN - VPN Open Source Pack;

• Open VPN GUI - The Graphic Interface for Open VPN.

The installation of this pack should be executed without changing the default
definitions. This software is installed in directory C:\Program Files\OpenVPN.
The certificate generated by IPBRICK must be unpacked into directory
C:\Program Files\OpenVPN\config.
To start a VPN connection, right-click the OpenVPN icon in the toolbar,
choose the intended connection and press Connect.
Insert the password used to create the certificate in IPBRICK and the VPN
shall be established.

11.1 Two or more SSL certificates


When it is intended to put more than one certificate in the same workstation
(create VPN connections for distinct places) it is necessary to create a new
folder in directory C:\Program Files\OpenVPN\config. Extract all the files to
that new folder.
To initiate the VPN connection, right-click the OpenVPN icon in the toolbar,
choose the connection in the list and press Connect.


11.2 Configuration of a SSL Connection for MS Windows 2000/XP and higher

1. In http://openvpn.net/index.php/open-source/downloads.html download
the latest version of the Windows Installer file;

2. Install the openvpn;

3. Extract the IPBRICK zip file to the config folder of OpenVPN. Example:
c:\Programas\OpenVPN\config;

4. If you are using Windows Vista or 7, run the file openvpn-gui.exe as
Administrator;

5. In the Windows Vista tray, click on the OpenVPN icon and connect;

NOTE: If it’s not working you need to modify the *.ovpn file in
c:\Programas\OpenVPN\config and add the following lines at the end:

route-method exe
route-delay 2


Chapter 12

Appendix D
Backup Service - Arkeia

Arkeia Light is a freeware backup service utility. At IPBrick 5.0 and higher,
Arkeia Light is not included. You’ll need to download it at the Related Software
section at our eshop:

http://eshop.ipbrick.com/eshop/

At: Downloads -> Software -> IPBrick Related Software -> IPBrick 5.x
-> Arkeia Light 5.3.10

Note: You have to be registered at our eshop for the Download section to be
available.

Note: Arkeia Light is a very useful and simple backup utility tool, but our
customers are free to use, should they want it, a more robust and professional
backup service in their systems.

When selecting this option at IPBrickI - Backup - Arkeia, and after clicking
the Open button, a session window by VNC is opened. It is necessary to have
the JRE (footnote 1), which can be found at http://sun.java.com/, installed to
execute the connection. The authentication in this session is made with the
IPBRICK Administrator’s actual password. The Arkeia management interface is
available after validation.
In order to start the Arkeia configuration software it is necessary to log in
with the default credentials:

login: root
password: (without password)

After the successful server connection the following menus are displayed (Figure
12.1):
Footnote 1: Java Runtime Environment


• Backup: Sets, configures and launches Arkeia’s backup, including savepacks;

• Restoration: Sets, configures and launches Arkeia’s restore function;

• Hardware: Sets and configures the hardware (drives, tapes, libraries)
connected to the server;

• Running jobs: Displays the executing processes;

• Administration: Functions to configure Arkeia;

• Logs: Displays the logs that are generated by Arkeia.

Figure 12.1: Backup - Arkeia - Main Menu

Arkeia menus are easy to use. When you access a menu, new sub-menus show
up with further options. Every time you pick a menu, its icon appears in an
upper bar. To move back through the menus, click the corresponding icon.

To administer the processes Arkeia is executing, select the Running Jobs menu
(Figure 12.2).
Select the request line that should have higher priority for backup execution
(Figure 12.3).
Inside this menu you can see the backup processes. A process can be in one of
two states:

• The process is pending, waiting for confirmation, i.e., you have to click OK.
The user is alerted to replace the tape;


Figure 12.2: Backup - Arkeia - Running Jobs

Figure 12.3: Backup - Arkeia - Backups confirmation

• The jobs are waiting for the remaining processes to finish.

Usually, if backups are administered normally, with the administrator
intervening on a daily basis, there will be only one execution process per day.


In case of a power failure, all these processes are eliminated.

12.1 Advanced Administration


• Add users (Administration -> Users) (Figure 12.4)

Figure 12.4: Backup - Arkeia - Add Users

Arkeia sends email messages reporting several occurrences, like the need to
insert tapes, the details of a backup process, etc. You should create a user
that handles these messages (with an Administrator type role) to check if
the procedures are correctly done.

1. Insert:
(a) Name;
(b) Role;
(c) Email address.

• SavePacks (Backup -> SavePacks)

This is an essential feature of Arkeia technology. A savepack is a set of paths
and files that are included in the backup.

1. Create a SavePack (usually named Data);

2. Add directories that will be included in the backup (name of SavePack
-> Browse Trees) (Figure 12.5).


– /boot
– /etc
– /homeX (where 1 ≤ X ≤ number of homes)
– /opt/ipbox/backupDB
– /var/lib/ldap
– /var/lib/postgres
– /var/lib/postgres2
– /var/lib/samba
– sysinfo

Figure 12.5: Backup - Arkeia - Directories to save

• Configure the backups (Backup -> Periodic) (Figure 12.6)

1. Create a new Periodic Backup

2. Create 3 levels:
(a) Level 1 - Archive
(b) Level 2 - Weekly
(c) Level 3 - Daily

• For each backup select:


Figure 12.6: Backup - Arkeia - Levels

             Level 1        Level 2        Level 3
SavePack
DrivePack
Pool         Archive        Weekly         Daily
Type         Total Backup   Total Backup   Incremental
Valid for    2 years        8 weeks        4 weeks

The available backup types are:

– Archive: Saves savepack data and keeps it indefinitely (requires an
additional license);
– Total: Saves all the savepack data and keeps it for the period set in
Valid for;
– Differential: Only saves the files that were modified since the last
Total type backup;
– Incremental: This is the most complex backup type. It creates a list
of the files modified since the last backup (either Total or Incremental)
and then backs up the files included in that list.



Chapter 13

Appendix E
High Availability

13.1 Introduction
Users want their systems to be ready at all times. Downtime (i.e.: periods of
time when your system is unavailable) affects your users, your customers, sales,
revenue, productivity, and just about every other aspect of your business.
High availability (HA) is a system design protocol that guarantees operational
continuity during a given period of time. It is now possible at IPBrick, using
a service called Heartbeat. The main idea is to have a clustering solution with
two or more IPBricks that provides:

• Availability;

• Reliability;

• Serviceability.

Note: High Availability is available solely for VoIP and E-Mail relay services.

13.1.1 Advantages
The advantage of clustering servers for HA shows when one node in the cluster
fails: another node can take over the tasks of the failed node, and users
experience no interruption of access.
The advantages of clustering servers for scalability include increased application
performance and a greater number of users that can be supported. You can imagine
a cluster of servers as a single computing resource. With the total redundancy of
multiple servers, which keeps the system working if other servers fail, the cluster
can help achieve greater system uptime (i.e.: periods of time when your system is
available).
Clustering can be implemented at different levels:

• Hardware


• Operating systems

• Systems management and applications.

• Middleware

The more layers, the more reliable, scalable and manageable the cluster is.

13.2 HA Requirements
The minimum requirements to run an HA service in IPBrick are:

• At least two IPBricks (there can be more, it all depends on the client’s
demands, needs and expectations);

• All IPBricks have to be installed with the same IPBrick software version;

• Two NICs per server.

You can see in Figure 13.1 a diagram of an IPBricks HA service.

13.3 HA Configuration
To set up a high availability solution with two IPBricks:

• Install the HA update from Advanced Configurations - IPBrick - Update;

• Choose a secondary master server. At that IPBrick, the authentication type
must be changed at Advanced Configurations - IPBrick - Authentication
to Secondary Master IPBrick;

• At the primary master (IPBrick Master), go to Advanced Configurations -
IPBrick - Authentication, set Yes at High availability and choose the HA
members;

• There are two different types of High Availability configuration:

– Active-Passive: It’s a failover solution and only one virtual IP address
will be used. Configuration: At the primary master insert a virtual IP
for HA. To do that go to Advanced Configurations, click at interface,
Insert and choose HA Private Interface;
– Active-Active: It’s a load balancing solution and two virtual IP
addresses will be used, one on each server. Configuration:

    • At the primary master insert a virtual IP for HA. To do that go to
    Advanced Configurations, click at interface, Insert and choose
    HA Private Interface;

    • At the secondary master insert a virtual IP for HA. To do that go to
    Advanced Configurations, click at interface, Insert and choose
    HA Private Interface;


Figure 13.1: HA Diagram

• In both servers, at Advanced Configurations - System - Services, enable
the service Heartbeat and set HA on the desired services;

• In both servers insert a general settings firewall rule at Advanced
Configurations - Network - Firewall:

– Rule: INPUT;
– Interface: lo;
– Protocol: ICMP;
– Policy: ACCEPT;

• In both servers Apply Configurations. The servers will reboot.

Note: The services (VoIP/E-Mail) must have exactly the same configuration
in both servers. To use high availability an additional license is needed.



Chapter 14

Appendix F
UCoIP

All enterprise communications - Voice, Mail, Instant Messaging and Web - are
managed in an integrated way (i.e. unified through a single individual or group
address). To reach this goal, IPBrick uses only Internet communications services
(SIP, SMTP/IMAP, XMPP and HTTP), integrating them with DNS and LDAP
support services.

The generic site is ucoip.domain.com but the idea is to have one site for each
LDAP user. The following options are included:

• A webphone for direct connection to the user’s SIP URL;
• A SIP URL link to call the user using a softphone previously installed at the
workstation;
• A web-based Jabber (XMPP) client to chat directly with the user;
• An SMTP link to mail the user using an email client at the workstation.

As we can see, for SIP/SMTP/XMPP the user will be reached using the single
address [email protected]. Now we present all the necessary steps to configure a
UCoIP site for a specific LDAP user with username jsmith, with IPBrick FQDN
being ipbrick.domain.com:

• The user jsmith must go to https://myipbrick.domain.com and define a
phone (depending on the IPBrick.GT routes it can be a SIP/PSTN/GSM
number) at field SIP Address. Examples: [email protected], 00351221121112,
00351963322212;
• Activate the IM service at IPBrick.C - IM;
• Go to IPBrick.C - Web Server, click at ucoip.domain.com and define the
alternative address jsmith.domain.com;
• At the private/public domain DNS server add a record named jsmith, pointing
to that IPBrick server;


• Enter now the UCoIP site using http://jsmith.domain.com (Figure 14.1).

Figure 14.1: Web Server - UCoIP site

The UCoIP site design is simple but it can be improved. It’s possible to use
the site’s default FTP account for site management:

• username: ucoip

• password: uco1pp4ss

By default the integrated webphone calls the user’s SIP address, but it’s
possible to call all internal SIP phones/features by copying the webphone link
and pasting it in a new browser tab.
Examples of URL variable definition:

http://webphone.ipbrick.com/index2.php?user=jdomingues
http://webphone.ipbrick.com/index2.php?user=200
http://webphone.ipbrick.com/index2.php?user=IVR2


User Profile
To include a photo and profile at the user’s UCoIP site follow these steps:

• Save a photo with the format login.extension. The supported extensions
are .png, .jpg, .gif, .bmp. Example: jsmith.png;

• Access the server using the FTP account of the UCoIP site and upload the
file to folder photos;

• Save a profile using HTML, with format login.html. Example: jsmith.html;

• Access the server using the FTP account of the UCoIP site and upload the
file to folder descriptions.



Chapter 15

Appendix G
MyIPBrick

The MyIPBrick site is available at IPBrick with URL
https://myipbrick.domain.com (Figure 15.1). This site is only used by the
internal LDAP users, so they can change personal settings, check the personal
area and go to other internal websites (Figure 15.2).

NOTE: It’s possible for the system administrator to change the presentation of
the MyIPBrick page to their users (for more information please consult Subsection
7.1.8 - MyIPBrick Manager of this document).

Figure 15.1: Web Server - MyIPBrick site - Login


Figure 15.2: Web Server - MyIPBrick site - Available options

Personal Settings
User definitions:

• Name: User complete name. Not editable;

• Login: User login. Not editable;

• UidNumber: It’s the User ID used by LDAP to identify users. Not editable;

• Quota: User general quota if defined. If not defined it will show Unlimited.
Not editable;

• Password: When clicking Modify at top, the user LDAP password can be
changed too;

VoIP settings:

• Follow Me: Phone associated to the user. Represents the phone number
that the user is using at the moment. Multiple phone numbers can be used:
Internal SIP addresses (Ex.: 201, phone01), external SIP addresses (Ex.:
[email protected]), PSTN number (Ex.: 00351221121334), GSM number,
etc. The user will always be available, no matter where: the person who
wants to call him just needs to dial [email protected] and the selected
phone will ring;

User mail settings:

• State: Shows if mail account is active or not. Not editable;


• Mail: User mail address. Not editable;

• Alternative address: Shows the user alternative mail addresses list. Not
editable;

• Mail quota: User mail quota if defined. If not defined it will show Unlimited.
Not editable;

• Message maximum size: Message maximum size to receive, if defined. If not
defined it will show Unlimited. Not editable;

• Forward To: The user can define other email addresses. When someone
sends a mail to [email protected], the addresses defined here will receive
a copy too;

• Automatic reply message: If a message is defined, IPBrick will auto reply
with this message when someone sends a mail to the user account. By default
no message is present.

The fields that are not editable are only defined by the IPBrick
web interface. A configuration example is shown at Figure 15.3.

Figure 15.3: Web Server - MyIPBrick site - Change settings


Personal area
The Personal Area is where the user can manage his directory of folders and
files (Figure 15.4). If the user wants to remotely access his personal area to
retrieve a file or access a folder, he doesn’t need to establish a VPN connection
to the organization’s intranet server, because his personal area is available at
https://myipbrick.domain.com.

These are the options in the personal area index page:

• New folder: Create a new folder. Click OK, insert the folder name and click
Ok again;

• New file (upload): Upload a file. Click OK, insert the file you want and click
Ok again;

• Delete selected items: The selected items will be deleted, when Ok is clicked;

• Rename selected items: The selected items will be renamed. Click Ok,
rename the items and click Ok again;

• Download this folder (zip): The entire folder will be downloaded in .zip
format. Just click Ok to download;

Folder operations:

• Enter a folder: Just click on folder name;

• Go one folder back: Click Ok on Windows Network (Up);

• Select a folder: Click on folder - left side.

Figure 15.4: Web Server - MyIPBrick site - Personal area


Voicemail

At the Voicemail page you will be able to access your messages (Figure 15.5).

Figure 15.5: MyIPBrick - Voicemail

When someone leaves you a message at your voicemail, a record of that call is
made at this interface (Figure 15.6).

Figure 15.6: MyIPBrick - Voicemail Message

To save or open the message on your default media player, click on the message
link in the Date column.


Figure 15.7: MyIPBrick - Voicemail Message

At the Custom voicemail message link you will be able to upload a
personalized message.



Chapter 16

Appendix H
Contacts

We all know that human beings cannot coexist without communicating between
themselves.
But what is true in the natural world is also true in the world of business. An
organization cannot exist without relating to others. Managing your contacts is
something not to be taken lightly.
That’s why IPBrick offers a way to handle communications, in the business
world, by offering a special web interface dedicated to handle the management of
your firm’s contacts.

16.1 IPBrick Contacts


The web interface can be accessed by browsing this URL:

http://contacts.domain.com/

You will see the login interface (Figure 16.1).

Figure 16.1: Contacts login interface

The administrator’s default authentication credentials are:

• Name: administrator


• Password: 123

NOTE: For security reasons there’s an access time limit of 30 minutes. When it
expires, anyone accessing Contacts will be automatically logged out.

The IPBrick Contacts web interface is supervised by the administrator, who
has total clearance to create and edit any contacts he sees fit and to manage
access permissions by creating user profiles.
After authentication, the index page (Figure 16.2) presents a quick access
alphabetical list, a search box, a logout link and four tabs.

Figure 16.2: Contacts index page

16.1.1 Administration Tab


This tab will only be visible to the system’s administrator.

Figure 16.3: Contacts index page

The Rebuild Contacts link has the sole purpose of synchronizing data between
the database and the LDAP service. If a new user is created in IPBrick and
doesn’t appear at this interface, Rebuild Contacts replicates any new changes
made in LDAP here.

Figure 16.4: Rebuild Contacts prompt

The Import button enables you to choose a .CSV file containing all the entities
you wish to add to IPBrick Contacts.

Figure 16.5: Import Entities prompt

.csv File Structure


Entities by Entity type insertion file

Figure 16.6: Spreadsheet containing the Entities to be inserted

NOTE: It’s not possible to import contacts! Via this interface you can only
import Entities.

The .csv file must obey the following requirements:

• The file must be structured exactly as in the previous image, even if some
columns are blank, you should not add or remove columns;

• Each sheet within the file will correspond to an entity type;

• All columns must be formatted as such:

Format Cells
Numbers
Text

• The file must be saved in the .csv format. On the Edit Filter Settings
option define the following settings:

Western Europe (ISO-8859-15/EURO)
Field delimiter ;
Text delimiter "

Users Management
This is where you can select which of the LDAP users can also be Contacts
users (Figure 16.7)

Figure 16.7: Administration Tab - Users Management

Simply select the user until he is highlighted in blue and click the arrow button
in the direction of the IPBrick Contacts Users box.

Figure 16.8: Users Management - User Selection

NOTE: You can also click on the button pointing to LDAP Users to remove
a LDAP user from being able to access the IPBrick’s Contacts management web
interface.


When the association is done successfully you will see the message ’User
Successfully Inserted’.

Figure 16.9: Users Management - User Insertion

The profile association pop-down list located next to the user’s name link serves
as a quick way to assign a certain user profile to the user in question.

Figure 16.10: Users Management - User Profile pop-down list

Profiles Management

This menu (Figure 16.11) manages the permissions granted to users. It also lets
you edit or create new user profiles.


Figure 16.11: Profiles management page

By default there are three basic non-editable profiles:

• Admin - The Administrator has complete control. He can Read, Create/Edit
and Erase.

• Editor - He can only Read and Create/Edit.

• Reader - Only has permission to Read.

To create a new user profile simply click on New Profile:


Figure 16.12: Profiles Management - New profile creation

• Input the Profile name.

• Check the permissions you want to concede.

• Click on Save to save the new profile.

16.1.2 Auxiliary Data Tab

NOTE: To create an Entity you must first create an Entity Type entry in the
Auxiliary Data tab. This procedure is mandatory. You can’t create an Entity if
you don’t have a type to classify it with.

Selecting this tab on the index page, displays a list of attributes (Figure 16.13)
that will serve to characterize any given Entity.


Figure 16.13: Auxiliary Data Page

This step is crucial: you’ll have to create at least one entry in any of these
attributes if you wish them to be available when you are creating entities. To do
so click, for example, on New Entity Type (Figure 16.14).

Figure 16.14: New Entity Type button

Type the data e.g.: Suppliers and click on Save

Figure 16.15: Entity Type prompt


This is the full list of attributes:

• Entity Types - The mandatory attribute, a type of Entity (e.g. Suppliers,
Clients, etc...).

• Categories - An under-level Entity type (e.g. CeBite 2001).

• Sub-Categories - Bear in mind that before creating a sub-category it’s
necessary to create a Category.

• Countries - Create a Country.

• States - Create a State.

• Provinces - Create a Province.

• Regions - Create a Region.

• Economic Activities Classification - Identifies Entity by its E.A.C. number
and description.

• Associated Groups - Create an Associated Group (e.g. Consultant, Press,
Reseller, User, etc...).

• Additional Field - Any extra classification you wish to add.

• Groups of contacts - Creates a tag that identifies a group of contacts.

Follow the same procedure as when creating an Entity Type for the other
attributes.

16.1.3 Private Contacts Tab


Since IPBrick Contacts integrates with other IPBrick applications, the Private
Contacts tab will display all of the user’s private contacts created at the IPBrick
eGroupware application.

16.1.4 Public Contacts Tab


At this tab you will be able to create Entities and add Contacts to them.

Figure 16.16: Public Contacts Tab


16.2 Creating an Entity

As stated previously, in order to create an Entity you must first create at least
one Entity Type entry in the Auxiliary Data page.

NOTE: This procedure is mandatory.

Click on Insert.

At the General Tab, fill the available fields (Name, Address, Postal Code,
Country and Tax number)

NOTE: Some of these attributes are created in the Auxiliary Data tab and are
not mandatory.

Figure 16.17: Public Contacts Tab - Entity Creation - General tab

At the Classification tab select the type of Entity you are creating (this is where
the Entity Types created in Auxiliary Data come into play).


Figure 16.18: Public Contacts Tab - Entity Creation - Classification Tab

To further enhance the entity’s attributes, there are also two other tabs.

• Communications:
– Email.
– Phone: If you want to add several numbers please separate them by /
– Mobile Phone: If you want to add several numbers please separate them
by /
– Fax: If you want to add several numbers please separate them by /
– MSN Contact.
– IPBrick phone: Choose the Entity’s IPBrick phone registered in the
IPBrick server.
• Other:
– Location: Select from the previously created attributes
– Comments: Add any Comments you’d like.
– BIN: Type in the Bank Identification Number of the Entity.
– Web: The Entity’s webpage.
– Company Domain
– Mailing list: YES or NO
– Birthday: Please click on the calendar’s icon to select the entity/contact’s
birthday.
– State: To choose a State you’ll have to create an entry in Auxiliary
Data.
– Province: To choose a Province you’ll have to create an entry in Auxiliary
Data.
– Region: To choose a Region you’ll have to create an entry in Auxiliary
Data.
– Presentation: fill in with what you need to show so that it can be
considered.
– Post: His position in the Entity’s hierarchy.
– Extra Field: Adds an extra field.

Click on Save

After creating an Entity you can check if all the data inserted is correct. If
not, click on Modify, or on Delete if you wish to erase the entry.

16.3 Creating a Contact


Now that an Entity has been created you can add contacts to it.

At the Public Contacts tab, select the entity and click on the Contacts tab.

Figure 16.19: Public Contacts - Contacts tab

Click on New Contact.

Figure 16.20: New Contact button

Fill the presented fields with the respective information (Address, Postal Code,
Country, Tax Number).


Figure 16.21: Contact General tab

To further enhance the contact’s attributes, there are also two other tabs.

• Communications:
– Email.
– Phone: If you want to add several numbers please separate them by /
– Mobile Phone: If you want to add several numbers please separate them
by /
– Fax: If you want to add several numbers please separate them by /
– MSN Contact.
– IPBrick phone: Choose the contact’s IPBrick phone registered in the
IPBrick server.
• Other:
– Location: Select from the previously created attributes
– Comments: Add any Comments you’d like.
– BIN: Type in the Bank Identification Number of the Entity.
– Web: The contact’s personal webpage.
– Company Domain
– Mailing list: YES or NO
– Birthday: Please click on the calendar’s icon to select the contact’s
birthday.
– State: To choose a State you’ll have to create an entry in Auxiliary
Data.
– Province: To choose a Province you’ll have to create an entry in Auxiliary
Data.
– Region: To choose a Region you’ll have to create an entry in Auxiliary
Data.
– Presentation: fill in with what you need to show so that it can be
considered.
– Post: His position in the Entity’s hierarchy.
– Extra Field: Adds an extra field.

Click on Save.

After creating a contact you can verify if all the data inserted is accurate. If
not, click on Edit or Remove if you wish to erase the entry.



Chapter 17

Appendix I
Security

17.1 Introduction
IPBRICK International prides itself in providing the most cost-effective
solutions available. But IPBRICK has more than enough features to implement a
VoIP solution with full security for all our customers and partners.

Unfortunately, what we have seen in the past is that some of our customers
opt for an easy and carefree outlook on security and do not follow IPBRICK
International security guidelines.

These new security rules prevent this kind of reckless behavior and force
everyone to abide by IPBRICK’s security guidelines.

From now on, if you use IPBRICK, security is not an option, it is mandatory!

17.1.1 Basic security threats


Threats on a daily basis are common, and it is up to IPBRICK International
to secure your private information from unauthorized access and even
mismanagement, ensuring that this menace can be suppressed.

The basic risks to network security are:

• Denial-of-service (DoS) attacks: Attempts to make a machine or network
resource unavailable to its intended users;

• Eavesdropping: A network attack consisting of capturing packets and reading
the data content in search of any kind of confidential information;

• Packet spoofing: Data falsification by a person or program (e.g.: Caller ID).


IPBRICK’s update_11-v5.3 aims at solving these issues by protecting your
SIP trunks from unauthorized use. (Please consult section 17.2 Security Policies
Overview of this document).

17.2 Security Policies Overview


With our new update_11-v5.3, SIP access via the Internet is now more
restricted, since all unknown VoIP communications (not configured at IPBRICK) to
port UDP 5090 are blocked by the firewall.

Any access by an unknown route must be accounted for by creating new
firewall rules authorizing access to port 5090/UDP.

If all previously configured routes at IPBRICK are resolved by the DNS, they
will be authorized and don’t need any additional rule.

But if the DNS doesn’t resolve them, you will have to add a firewall rule
authorizing access to port 5090/UDP (please check Figure 17.2).

Please bear in mind that every remote phone access is permanently blocked
and you will need to create a firewall rule in order to open up port 5090/UDP.
Our recommendation is to use VPNs.

All Phone passwords must also comply with new security policies:

• Minimum number of characters: 8

• Cannot contain the phone’s name.

• Must contain elements of at least three of the following four groups of
characters:

– Uppercase letters (A through Z)
– Lowercase letters (a through z)
– Numbers (0 through 9)
– Special characters (such as !,$,%,#)
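
The three phone password rules above, written as a checker that can be run over a list of phones before the update is applied. This is an added example, not IPBRICK code: the function names and the sample phones are constructed, and treating "special characters" as ASCII punctuation and the name check as case-insensitive are assumptions.

```python
import string

MIN_LENGTH = 8          # "Minimum number of characters: 8"
REQUIRED_GROUPS = 3     # at least three of the four character groups


def character_groups(password):
    """Return the set of policy character groups found in the password."""
    groups = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            groups.add("uppercase")
        elif ch in string.ascii_lowercase:
            groups.add("lowercase")
        elif ch in string.digits:
            groups.add("number")
        elif ch in string.punctuation:
            # Assumption: "special characters" means ASCII punctuation.
            groups.add("special")
    return groups


def check_phone_password(phone_name, password):
    """Return the list of violated rules; an empty list means compliant."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("too_short")
    # Assumption: the name check ignores case, which is the stricter reading.
    if phone_name and phone_name.lower() in password.lower():
        violations.append("contains_name")
    if len(character_groups(password)) < REQUIRED_GROUPS:
        violations.append("too_few_groups")
    return violations


def audit_phones(phones):
    """Map each non-compliant phone name to the rules its password breaks."""
    report = {}
    for name, password in phones.items():
        violations = check_phone_password(name, password)
        if violations:
            report[name] = violations
    return report


# Constructed sample data: phone names and passwords invented for this example.
SAMPLE_PHONES = {
    "phone01": "phone01",        # too short, contains the name, two groups
    "201": "abcdefgh1",          # long enough, but only two groups
    "lobby": "Lobby2013x",       # three groups, but contains the name
    "phone02": "Tr4ffic#Lamp",   # compliant
}

if __name__ == "__main__":
    for name, violations in audit_phones(SAMPLE_PHONES).items():
        print(f"{name}: {', '.join(violations)}")
```
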

IMPORTANT NOTE: If your phones are configured by auto-provisioning,
all you need to do after altering the passwords is restart your phones. But if they
are not configured this way, you will have to individually alter the passwords and
restart your phones.


17.2.1 Master/Slave and Master/Client


If your machine operates under a master/slave or master/client topology you
must first install the update_11-v5.3 package at the master server.

If you install it first on the slave or client server you will get an error message
(Figure 17.1) stating that you must first install the deb package at the master
server. Only afterwards may you install it at the slave or client server.

Figure 17.1: Slave/Client Installation Warning

17.3 Troubleshooting
17.3.1 Remote phones cannot register.
After the update_11-v5.3 installation, port 5090/UDP is blocked by the
firewall. As remote phones use this port to register, it’s expected that they will
not be able to register. To solve this, please choose one of the following options:

• If the remote phone is behind an internet access with a static IP address, a
firewall rule must be configured in order to accept incoming traffic from that
IP to destination port 5090/UDP (please check Figure 17.2).

• If the remote phone is behind an internet access with a dynamic IP address,
when possible, a VPN tunnel should be used. If the use of a VPN tunnel is
not possible you will need to add a firewall rule in order to accept incoming
traffic to port 5090/UDP from any location. In this case, you should accept
only the provider’s network from where the remote phone is registering
(please check Figure 17.3).


17.3.2 Cannot make calls via a SIP route

If you cannot make calls via a SIP route, it will be necessary to verify if that
route’s IP address is allowed at the firewall.

If it is not allowed, you will have to insert a new firewall rule allowing access
to the UDP port 5090.

When the SIP route is set with a hostname, it will be necessary to identify
which IP addresses are assigned to it. These IP addresses must have firewall rules
allowing access to UDP port 5090.

Every time you add a new SIP route make sure to allow access by adding a
firewall rule.

17.3.3 Cannot send FAX over IP

FoIP-SIP and FoIP-T38 routes

If you cannot send FAXES over IP, it will be necessary to verify if the route’s
IP address is allowed by the firewall.

If not, insert a firewall rule allowing access to the UDP port 5090.

Every time you add a new FAX route make sure to allow access by adding a
firewall rule.
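
For the SIP route check in 17.3.2 and the FAX route check in 17.3.3, the following added example (not IPBRICK code) lists which route addresses are not yet covered by a 5090/UDP allow rule. It assumes the allowed source IPs and networks have been copied by hand from Advanced Configurations > Network > Firewall; all hostnames and addresses are constructed, and a constructed resolver stands in for DNS so the sample runs offline.

```python
import ipaddress
import socket


def resolve_route(host):
    """Return the addresses behind a route given as literal IP or hostname."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        pass  # not a literal address, so resolve it as a hostname
    infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_DGRAM)
    return sorted({info[4][0] for info in infos})


def routes_missing_rules(routes, allowed_sources, resolver=resolve_route):
    """Map each route to its addresses that no allow rule covers.

    allowed_sources holds the source IPs or networks already accepted for
    destination port 5090/UDP. A route that cannot be resolved is reported
    as ["unresolved"], because no rule can be checked for it.
    """
    networks = [ipaddress.ip_network(src, strict=False) for src in allowed_sources]
    missing = {}
    for route in routes:
        try:
            addresses = resolver(route)
        except OSError:  # socket.gaierror is a subclass of OSError
            missing[route] = ["unresolved"]
            continue
        uncovered = [
            addr for addr in addresses
            if not any(ipaddress.ip_address(addr) in net for net in networks)
        ]
        if uncovered:
            missing[route] = uncovered
    return missing


# Constructed data: documentation address ranges, invented hostnames.
CONSTRUCTED_DNS = {
    "sip.provider.example": ["192.0.2.10", "192.0.2.11"],
    "fax.provider.example": ["203.0.113.7"],
}
CONSTRUCTED_ALLOWED = ["192.0.2.10", "198.51.100.0/24"]
CONSTRUCTED_ROUTES = [
    "sip.provider.example",   # one of its two addresses has no rule
    "198.51.100.20",          # covered by the network rule
    "fax.provider.example",   # no rule at all
    "gone.provider.example",  # does not resolve
]


def constructed_resolver(host):
    """Offline stand-in for DNS, backed by CONSTRUCTED_DNS."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        pass
    if host not in CONSTRUCTED_DNS:
        raise OSError(f"cannot resolve {host}")
    return CONSTRUCTED_DNS[host]


if __name__ == "__main__":
    result = routes_missing_rules(
        CONSTRUCTED_ROUTES, CONSTRUCTED_ALLOWED, resolver=constructed_resolver
    )
    for route, addresses in result.items():
        print(f"{route}: needs a 5090/UDP rule for {', '.join(addresses)}")
```

Calling routes_missing_rules without the resolver argument uses real DNS through socket.getaddrinfo. A hostname with several addresses needs every one of them covered, which is the case the constructed SIP route shows.
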

17.4 Practical examples - Adding a Firewall Rule

17.4.1 Firewall rule for an IP

At the IPBRICK’s web interface go to:

Advanced Configurations > Network > Firewall

Insert a new rule, as presented in Figure 17.2.

NOTE: The IP provided here is presented merely as an example. You must
replace it with the proper IP.


Figure 17.2: Example 1 - Firewall rule insertion - For an IP

17.4.2 Firewall rule for a Network

At the IPBRICK’s web interface go to:

Advanced Configurations > Network > Firewall

Insert a new rule, as presented in Figure 17.3.

NOTE: The network IP address provided here is presented merely as an
example. You must replace it with the one that fits your scenario.


Figure 17.3: Example 2 - Firewall rule insertion - For a Network
