README.TXT

This file contains information about the 833AS version 6.30 release that was not available at the time the manuals were printed.

Additional information on the following existing features is also within this readme:

* Manager
* IP Configuration
* Apple Clients
* LAN to LAN
* Client Virtual Connection
* User Callback
* DHCP
* SecureID
* V.90 modems
* Administration User Radius Authentication

This information is intended to be used with the information in the manual.

New in this release
===================

This release adds support for V.92 modem capability for the latest revision of HD modem cards for the 833AS.

History in previous releases
============================

Version 6.20
Maintenance release including changes for the latest hardware revision.

Version 6.19
Maintenance release which resolves outstanding issues regarding performance and T1 configuration.

Version 6.17
Support for E1 R2CAS India Digital Signal Type 1 and Digital Signal Type 3.

The following problems were fixed:

* Channels would remain in the "Connected" state when certain R2 CAS MFC signaling errors occurred. This channel would no longer accept calls.
* When the 833AS is powered on it would accept calls before they could properly be accepted.
* Occasionally users dialling into the 833AS via R2 CAS MFC would get connected but get no modem carrier.
* Certain WIN modems sold in China would not successfully connect to the 833AS.
* Dial-in connections originating from a Windows 2000 client caused some invalid user IDs to be logged in the 833AS eventlog.

This information is intended to be used with the information in the manual.

Manager
=======

The Manager is not supported under Windows NT Server. It is fully supported under Windows NT Workstation.

IP Connection Through Routers:

The Manager can communicate with an 833AS through one or more routers. The Manager can discover the Servers using IP broadcasts.
However, if the routers do not pass IP broadcasts, you will need to explicitly define the 833AS in the Manager. See the manual section "IP Connection Through Routers" for details on this process.

You will have to explicitly define the 833AS in the Manager if the 833AS appears on a subnet network, as the format of the broadcast messages used for discovery will not be recognized across the subnet. Previous releases attempted to discover an 833AS across a subnet, but this would not always succeed as results were dependent on the network topology.

Overview - IP Configuration
===========================

For IP, the 833AS looks like a router between two networks. The first network is comprised of the devices on the LAN. The second network, referred to as the "Internal WAN network", is comprised of all IP clients and routers that are dialed into the WAN ports.

Setting up a basic 833AS IP configuration requires the following:

* Defining the network on the LAN side, and defining the address of the LAN router port.
* Defining the network on the WAN side, and defining the address of the WAN router port.
  Note: All clients dialed into the WAN see the same address for this WAN router port.
* Each client dialing in requires a unique IP address. The 833AS supports multiple methods for defining and supplying IP addresses to clients.

For the 833AS router to be able to route IP packets, it has to know how to reach the destination. The 833AS supports the following methods:

* RIP V1 and RIP V2.
* Default gateway.
* Static routes.
* Proxy ARPs.

It may be desirable to restrict certain IP traffic. The 833AS has the following features that can be used to do this:

* Static routes.
* IP Packet filters.

The 833AS has the ability to forward the address of a DNS or WINS server to a dial in client.

In general, it is recommended to define the Internal WAN network distinct from the LAN network.
It is possible to define the Internal WAN network as a subnet of the LAN network, but there are limitations:

* Routers on the LAN using RIP V1 cannot discover the Internal WAN network, and will not be able to route to the dial in clients on the Internal WAN network.
* DHCP is not supported for dial in clients in this mode.

Defining the Internal WAN network as a subnet can still be useful if:

* Routers on the LAN use RIP V2. RIP V2 sends subnet information and any routers on the LAN network using RIP V2 will learn about the Internal WAN network.
* All WAN traffic uses the configured default gateway.
* Static routes are defined.
* The "Enable Proxy ARP" setting is used.

Directed IP traffic from a dial in client will reach another dial in client in the same 833AS. However, IP broadcasts from a dial in client will not reach another dial in client. Most applications will work, but IP applications that rely on broadcast or multicast messages (such as NetBEUI over IP) are not supported.

If a router dials in to the WAN, the 833AS can route traffic from the dial in router to the LAN. This feature is referred to as "LAN-to-LAN". Note that it is not possible to route from this dial in router to a client or router on the Internal WAN network.

WAN Network Address:

All dial in IP devices that are dialed into the WAN appear as if they are on their own IP network. This network is referred to as the "Internal WAN Network". The 833AS also requires one address on this network for the router port. This section defines the Internal WAN Network used by the 833AS and should be completed after consulting with your IP Network Administrator.

In general, it is recommended to define the Internal WAN network distinct from the LAN network. It is possible to define the Internal WAN network as a subnet of the LAN network, but there are limitations:

* Routers on the LAN using RIP V1 cannot discover the Internal WAN network, and will not be able to route to the dial in clients on the Internal WAN network.
* DHCP is not supported for dial in clients in this mode.

Defining the Internal WAN network as a subnet can still be useful if:

* Routers on the LAN use RIP V2. RIP V2 sends subnet information and any routers on the LAN network using RIP V2 will learn about the Internal WAN network.
* Static routes are defined.
* The "Enable Proxy ARP" setting is used.

To set the WAN Network Address, the following fields are used on the IP configuration screen:

* IP Address
  Enter the IP address that will be used by the 833AS on the Internal WAN Network for its router port. Be careful to ensure that this address does not conflict with any dial-in client IP addresses.
* Subnet Mask
  Enter the subnet mask for the internal WAN network.

All dial-in client IP addresses, regardless of how they are acquired, must belong to the network defined by this IP Address and Subnet Mask.

Enable Proxy ARP:

Devices that are connected on the same IP network discover each other by sending a message on the local network known as an ARP (Address Resolution Protocol). On the 833AS, the Internal WAN network is usually defined as a different network from the LAN network, and ARPs are not used. If the Internal WAN network is defined as a subnet of the same LAN network, Proxy ARPs can be enabled so that a device on the LAN can discover a dial in client.

There are some limitations associated with Proxy ARP:

* IP broadcasts will not be forwarded in this mode. Most applications will work, but IP applications that rely on broadcasts or multicasts (such as NetBEUI over IP) are not supported.
* There is a small performance penalty if Proxy ARPs are enabled.

The "Enable Proxy ARP" field has been added to the IP configuration screen. When checked, Proxy ARP will be enabled.

Apple clients
=============

ARA:

The native protocol for the Apple Macintosh is AppleTalk. AppleTalk is a transport layer protocol, providing similar functionality to IP.
This protocol is used for connecting to native Apple file servers (known as AppleShare), other Macintoshes, and to printers.

A remote Macintosh user connects using Apple Remote Access Protocol (ARAP), which provides similar functionality to PPP. Unlike PPP, ARAP can transport only one protocol, namely AppleTalk.

Until recently, a Macintosh user that wished to use ARA would have to purchase the Apple Remote Access client. This is now bundled with PPP in a single client called "Remote Access Client", included with the Mac OS. This client supports version 2.1 of ARA.

ARAP cannot be transported "as is" across a digital (ISDN) dial up connection but is supported using V.120 rate adaption.

PPP:

PPP was originally available on the Mac using freeware PPP stacks. The two most popular were FreePPP and MacPPP. In Mac OS 7.6, Apple introduced a PPP client which has evolved to the current Remote Access Client. Recent versions of this client also support PPP transport of AppleTalk, known as MacIP. MacIP is not supported by the 833AS.

On connect, the 833AS will check with a dial in client to see if it wants to use Multilink PPP. MacPPP does not support this negotiation and will fail. To resolve this, disable Multilink PPP on the PPP configuration screen.

LAN to LAN
==========

Overview:

The LAN to LAN feature allows a router to dial in to the 833AS. The network on the router's LAN can then communicate with the network on the 833AS LAN using IP or IPX. Note that the communication is strictly between the router's LAN and the 833AS LAN for this connection. If a second router dials into the same 833AS, it cannot communicate with the first router.

The 833AS provides flexibility in the connection:

* The dial in router can originate the connection
* The 833AS can originate the connection on power up or if it loses contact with the dial in router
* A "virtual connection" can be established between the dial in router and 833AS.
To save toll charges, it may be desirable to keep the link established between the dial in router and the 833AS only if there is data traffic. You can configure a "virtual connection" in the 833AS, which will keep the dial in session alive but drop the physical link if there is no data traffic. When there is data to be sent to the dial in router, it is dialed automatically and the data is then sent. This automatic reconnect is sometimes referred to as "dial on demand". Similarly, the dial in router can drop the connection, and reconnect to the same session when it has data to send.

Routing Information:

The dial in router and the 833AS need to learn about each other's network. This can be done by:

* Using dynamic routing. The routers exchange routing information (using RIPs for IP, or RIPs and SAPs for IPX) when they connect, and periodically refresh their routing information when they are connected.
* Using static routing. Static routes can be defined in the 833AS. Note that routing information can still be sent to the dial up router if static routes are defined.

If a virtual connection has been established, but the physical link has been dropped, the link is reestablished if the 833AS receives data that it knows that it has to send to the dial in router. It makes this decision based on the routing information that it has for the dial in router. With dynamic routing, the learned routes are stored for 12 hours. If there is a possibility that the dial in router and the 833AS will be physically disconnected for greater than 12 hours, you should:

* Use static routes, or
* Enable auto reconnect. This feature will force the 833AS to reconnect to the dial in router based on the time set in the "Reconnect Every" field.

For IP, by default the 833AS will send RIP V2 with no multicasts so as to be RIP V1 compatible, and receive RIP V1 or RIP V2. This can be changed in the LAN to LAN RIP Setup submenu.
For IPX, routing information is always sent for a LAN to LAN connection if IPX is enabled. IPX (as well as other protocols) can be disabled for the LAN to LAN connection in the User Profile.

Note that no routing information is sent for a dial in client that is not defined as LAN to LAN.

It is strongly recommended that the dial in router use a fixed IP address. If a dynamic IP address is supplied (for example, from the Internal IP pool) inconsistent behavior could result after a physical disconnect/reconnect.

LAN to LAN Connection Timers:

There are timers that affect the LAN to LAN connection behavior, if virtual connection is not enabled:

* Inactivity Timeout (User profile)
  If there is no data transfer on the link for the duration set in this timer, the LAN to LAN session drops and the physical connection drops. Note that any routing information exchanged between the 833AS and the dial up router will not be considered activity.
* Connect Time (User profile)
  The dial up router will be disconnected after the time limit set in this timer, regardless of activity.

If virtual connection is enabled, the Inactivity Timeout and Connect Time apply to the virtual session. Timers that affect the LAN to LAN connection when virtual connection is enabled are:

* Inactivity Timeout (User profile)
  If there is no data transfer on the link for the duration set in this timer, the LAN to LAN session drops and the physical connection drops. Time in the virtual connection state is included.
* Connect Time (User profile)
  The dial up router will be disconnected and the session will be dropped after the time limit set in this timer, regardless of activity. Time in the virtual connection state is included.
* Disconnect If Inactive (LAN to LAN, Virtual Connection)
  If there is no data transfer on the link for the duration set in this timer, the physical connection is dropped, but the LAN to LAN session is maintained. This timer is in effect only after the "Connect a Minimum of" timer expires.
* Connect a Minimum of (LAN to LAN, Virtual Connection)
  When the physical connection is established, this timer sets the minimum duration that the physical link stays active. A minimum duration may be required if dynamic routing is used (to allow the exchange of routing information).
* Reconnect Every (LAN to LAN, Virtual Connection)
  This timer can be used to ensure that the physical link is periodically reestablished so that routing information is exchanged.

If you are using Radius as your authentication server, you can configure the Radius server to set the Inactivity Timeout and Connect Time.

Authentication:

A dial in router is authenticated in the same manner as any other dial in user. The user ID and password must be set up in the authentication database that has been defined in the Security settings of the 833AS. Authentication that relies on token security (SecureID, Axent) cannot be used with the LAN to LAN feature, as the dial in router has no mechanism for responding to the security challenge. The 833AS will send out PAP and/or CHAP requests as defined in the security settings, and the dial in router PAP/CHAP settings must match.

If the 833AS is calling the dial up router, the dial up router may need to authenticate the 833AS. The login (user) ID and password for the dial in router are entered in the Remote System Login section of the LAN to LAN screen. On connection the dial in router may request from the 833AS:

* A login ID
* A login ID and password
* Neither a login ID nor a password

Fill in the fields as required by the dial in router. The 833AS supports both PAP and CHAP authentication requests from the dial up router in this mode.

Some routers (for example, some Cisco routers) can be configured to request a login ID even if the router is calling the 833AS. If the router calls the 833AS and requests a User ID and Password, the 833AS will send a User ID of "P833" and a Password of "PERL".
This will not compromise security, as the 833AS must still authenticate the remote router against the User ID and Password in the User Record before a connection can be established.

Dialing the router:

If the 833AS is configured to call the dial up router, the phone number of the router is configured in the "Primary Phone Number" field. When the 833AS needs to dial out, it will use an available channel that is enabled for dial out. You may wish to ensure that the 833AS always has a channel to dial the router. This can be done by enabling "Reserve Channel" and selecting the reserved channel from the drop down menu.

If the call type is defined as analog, a modem enabled for call back will also be required. If no modem is available, the dial out will not occur.

If "Enable Multilink PPP" is enabled, the 833AS will use two channels to connect to the dial out router. Enter the phone number for the second channel in the "Secondary Phone Number" field.

Callback should not be used to have the 833AS call the dial in router. If callback is used, the router will be treated as a standard dialup client. Routing information will not be exchanged, and the LAN to LAN connection timers will not be used. Always use the dial out parameters reserved for the LAN to LAN function.

Client Virtual Connection
=========================

This feature can be used by remote IP or IPX dial in clients to save on connection charges. With client virtual connect enabled, the client can drop the physical connection, but the 833AS will keep the session active. The client can then reconnect and the 833AS will reassign the same session and client IP address.

There are timers that affect the Client behavior. If virtual connection is enabled:

* Inactivity Timeout (User profile)
  If there is no data transfer on the link for the duration set in this timer, the client session drops and the physical connection drops. Time in the virtual connection state is included.
  If "disabled" is set for inactivity timeout, the session will be released after 10 minutes in the virtual state. This is to prevent an unused session from being tied up permanently.
* Connect Time (User profile)
  The client will be disconnected and the session will be dropped after the time limit set in this timer, regardless of activity. Time in the virtual connection state is included.

If you are using Radius as your authentication server, you can configure the Radius server to set the Inactivity Timeout and Connect Time.

To be effective, the dial in client should support virtual connect. It should have a mode that:

* Drops the physical connection if inactive, but does not notify the application of the disconnect
* Automatically reconnects if data is to be sent

Reconnect to the 833AS is driven solely by the client in this mode. The 833AS cannot redial the client. In practice this is not a real limitation, as servers will typically only send data in response to a request from the client. However, if you are using a client application that supports unsolicited data from a server, you can configure the LAN to LAN feature for use with a dial in client.

E1/T1 Feature Cards
===================

Dual E1/T1 cards use the same settings for mode, line, and signaling for both lines. Cards within the same 833AS are independent, so you can configure (for example) one card to support channelized T1 and the other ISDN PRI. Mixed T1/PRI mode is no longer supported.

User Callbacks
==============

You can enable both roaming and fixed call back for a single user. If both are enabled, the 833AS will call back the roaming number if it is supplied at connect. If it is not supplied, fixed call back will be done. The dial in client must support both fixed and roaming call back for this to work.

DHCP
====

In DHCP a "scope" is defined as "An administrative grouping of computers running the DHCP client". These computers are grouped according to a range of IP addresses.
Simply put, all dial in clients on an 833AS share the same scope, namely the range of addresses defined for the Internal WAN network.

On the DHCP server, you must define a scope that matches the IP address range for the dial in clients on the Internal WAN network. Ensure that the IP address of the Internal WAN network itself is excluded from the scope, so the DHCP server does not attempt to assign this address to a dial in client.

SecureID
========

For a client to use Secure ID on an ISDN digital connection, the TA the client is using must be configured for V.120. Secure ID is not supported if the TA is using a Sync PPP connection.

V.90 Modems
===========

A V.90 modem obtains its high data rates by treating the analog data line as an imperfect digital line. This "digital line" appears to the modem as having a number of impairments, and the modem during negotiation attempts to determine what impairments exist, then compensate for them.

Certain connections (for example, some GSM modem connections) can trick this negotiation. If this occurs, either the modems will not negotiate, or they will connect, but the data error rate will be so high as to make the connection impractical.

If these problems are encountered, it is necessary to prevent the modems from attempting to negotiate V.90. Modems have parameters that can be set to disable the V.90 modem. This can be done either in the client modem or by setting the Modem Initialization String in the 833AS modem.

Administration User Radius Authentication:
===========================================

In order to provide Radius with full authentication authority over the 833AS unit, the local database is no longer used to authenticate "administration" users (users who are authorized to manage the 833AS) when the 833AS is communicating with either a primary or backup Radius server.
Customers using Radius as the authentication method will need to ensure that they have configured a user with "administrator" capabilities on their Radius server (Service-Type = Administrative). A record in the local database will only be used if the 833AS cannot communicate with a Radius Server. Do not put a record in the local database if you want to ensure that Radius authentication is used under all conditions for administration. It is recommended that a local database record is used during initial setup to prevent being locked out because of a misconfigured Radius setup.
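
Added example (not part of the original README or the 833AS software): a Python check of an addressing plan against the rules in the IP Configuration and DHCP sections above, covering router port conflicts, clients outside the Internal WAN network, the subnet-of-LAN limitations, and the DHCP scope exclusion. Function, parameter and finding names and all sample addresses are assumptions made for this example; "the IP address of the Internal WAN network itself" is read here as the WAN router port address.

```python
import ipaddress

def check_wan_plan(lan_cidr, wan_port_ip, wan_mask, client_ips=(),
                   dhcp_range=None, dhcp_excluded=(), lan_uses_rip_v1=False):
    """Check an addressing plan against the README's rules.

    Returns a sorted list of finding codes; an empty list means no rule is
    broken. Parameter names and finding codes are made up for this example.
    """
    findings = set()
    lan = ipaddress.ip_network(lan_cidr)
    port = ipaddress.ip_address(wan_port_ip)
    # The router port address plus the subnet mask define the Internal WAN network.
    wan = ipaddress.ip_network(f"{wan_port_ip}/{wan_mask}", strict=False)

    if port in (wan.network_address, wan.broadcast_address):
        findings.add("ROUTER_PORT_NOT_A_HOST_ADDRESS")

    subnet_mode = wan != lan and wan.subnet_of(lan)
    if subnet_mode:
        findings.add("WAN_IS_SUBNET_OF_LAN")         # allowed, but with limitations
        if lan_uses_rip_v1:
            findings.add("RIP_V1_CANNOT_LEARN_WAN")  # use RIP V2, static routes or Proxy ARP
    elif wan.overlaps(lan):
        findings.add("WAN_OVERLAPS_LAN")             # neither layout the README describes

    seen = set()
    for raw in client_ips:
        ip = ipaddress.ip_address(raw)
        if ip not in wan:
            findings.add("CLIENT_OUTSIDE_WAN")
        if ip == port:
            findings.add("CLIENT_EQUALS_ROUTER_PORT")
        if ip in seen:
            findings.add("CLIENT_ADDRESS_NOT_UNIQUE")
        seen.add(ip)

    if dhcp_range is not None:
        first, last = (ipaddress.ip_address(a) for a in dhcp_range)
        if subnet_mode:
            findings.add("DHCP_UNSUPPORTED_IN_SUBNET_MODE")
        if first not in wan or last not in wan or first > last:
            findings.add("DHCP_SCOPE_NOT_INSIDE_WAN")
        excluded = {ipaddress.ip_address(a) for a in dhcp_excluded}
        # The scope must never hand the router port address to a client.
        if first <= port <= last and port not in excluded:
            findings.add("DHCP_SCOPE_INCLUDES_ROUTER_PORT")
    return sorted(findings)

# Constructed sample plans (addresses are illustrative, not from the README).
GOOD_PLAN = dict(lan_cidr="10.1.0.0/16", wan_port_ip="192.168.50.1",
                 wan_mask="255.255.255.0",
                 client_ips=["192.168.50.10", "192.168.50.11"],
                 dhcp_range=("192.168.50.1", "192.168.50.254"),
                 dhcp_excluded=["192.168.50.1"])
BAD_PLAN = dict(lan_cidr="10.1.0.0/16", wan_port_ip="10.1.8.1",
                wan_mask="255.255.255.0", lan_uses_rip_v1=True,
                client_ips=["10.1.8.1", "10.1.9.5"],
                dhcp_range=("10.1.8.1", "10.1.8.100"))

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(name, check_wan_plan(**plan))
```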