Chapter 7 Tutorials
ZyWALL USG 50 User’s Guide
4. Turn on authentication policy and click Apply.
Figure 88 Configuration > Auth. Policy
The following figure shows an error message example when a user’s computer
does not meet an endpoint security object’s requirements. Click Close to return to
the login screen.
Figure 89 Example: Endpoint Security Error Message
7.8 How to Configure Service Control
Service control lets you configure rules that control HTTP and HTTPS management
access (to the Web Configurator) and separate rules that control HTTP and HTTPS
user access (logging into SSL VPN for example). See Chapter 45 on page 675 for
more on service control.
The To-ZyWALL firewall rules apply to any kind of HTTP or HTTPS connection to the
ZyWALL. They do not distinguish between administrator management access and
user access. If you configure service control to allow management or user HTTP or
HTTPS access, make sure the firewall is not configured to block that access.
7.8.1 Allow HTTPS Administrator Access Only From the LAN
This example configures service control to block administrator HTTPS access from
all zones except the LAN1.
1. Click Configuration > System > WWW.
2. In HTTPS Admin Service Control, click the Add icon.
Figure 90 Configuration > System > WWW
3. In the Zone field select LAN1 and click OK.
Figure 91 Configuration > System > WWW > Service Control Rule Edit
4. Select the new rule and click the Add icon.
Figure 92 Configuration > System > WWW (First Example Admin Service Rule Configured)
5. In the Zone field select ALL and set the Action to Deny. Click OK.
Figure 93 Configuration > System > WWW > Service Control Rule Edit
6. Click Apply.
Figure 94 Configuration > System > WWW (Second Example Admin Service Rule Configured)
Now administrator access to the Web Configurator can only come from the LAN1
zone. Non-admin users can still use HTTPS to log into the ZyWALL from any of the
ZyWALL’s zones (to use SSL VPN for example).
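The outcome of steps 1 to 6, as an added example that is not from the user's guide or the ZyWALL firmware: a small Python model that combines the two admin service control rules with the To-ZyWALL firewall check. It assumes rules are evaluated top-down with the first match winning and that unmatched traffic is accepted; the zone list and function names are constructed for illustration.

```python
"""Added illustration: a simplified model of section 7.8.1, not ZyWALL code."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    zone: str    # a zone name, or "ALL"
    action: str  # "accept" or "deny"

# Admin service control rules in the order the tutorial creates them.
ADMIN_RULES = [Rule("LAN1", "accept"), Rule("ALL", "deny")]
USER_RULES = []  # the tutorial adds no user service control rules

def service_control(rules, zone, default="accept"):
    """Assumption: first matching rule wins; `default` applies otherwise."""
    for rule in rules:
        if rule.zone in (zone, "ALL"):
            return rule.action
    return default

def https_login_allowed(role, zone, firewall_allows, admin_rules=ADMIN_RULES):
    """Both layers must permit the connection."""
    # The To-ZyWALL firewall does not distinguish admin from user access.
    if not firewall_allows(zone):
        return False
    rules = admin_rules if role == "admin" else USER_RULES
    return service_control(rules, zone) == "accept"

def audit(zones, firewall_allows, admin_rules=ADMIN_RULES):
    """Return {(role, zone): allowed} for every role/zone combination."""
    return {(role, zone): https_login_allowed(role, zone, firewall_allows, admin_rules)
            for role in ("admin", "user") for zone in zones}

if __name__ == "__main__":
    zones = ["LAN1", "WAN", "DMZ"]  # constructed zone list
    cases = {
        "tutorial rules, firewall permits HTTPS": audit(zones, lambda z: True),
        "firewall blocks HTTPS from WAN": audit(zones, lambda z: z != "WAN"),
        "rules reversed (Deny ALL first)": audit(zones, lambda z: True, ADMIN_RULES[::-1]),
    }
    for title, result in cases.items():
        print(title)
        for (role, zone), ok in result.items():
            print(f"  {role:5} from {zone:4}: {'allowed' if ok else 'blocked'}")
```

The reversed case shows why the LAN1 rule has to sit above the Deny ALL rule: under the first-match assumption, the opposite order blocks administrator HTTPS access from LAN1 as well.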
7.9 How to Allow Incoming H.323 Peer-to-peer Calls
Suppose you have an H.323 device on the LAN1 for VoIP calls and you want it to be
able to receive peer-to-peer calls from the WAN. Here is an example of how to
configure NAT and the firewall to have the ZyWALL forward H.323 traffic destined
for wan1 IP address 10.0.0.8 to an H.323 device located on the LAN and using IP
address 192.168.1.56.
Figure 95 WAN to LAN H.323 Peer-to-peer Calls Example
7.9.1 Turn On the ALG
Click Configuration > Network > ALG. Select Enable H.323 ALG and Enable
H.323 transformations and click Apply.
Figure 96 Configuration > Network > ALG
7.9.2 Set Up a NAT Policy For H.323
In this example, you need a NAT policy to forward H.323 (TCP port 1720) traffic
received on the ZyWALL’s 10.0.0.8 WAN IP address to LAN1 IP address
192.168.1.56.