EXgateway统一网关用户使用手册201012

门禁管理软件操作手册2004.3.15目录一、程序组中各个组件的介绍二、一般性操作1、启动和关闭程序组件的先后顺序2、操作员的权限设置3、配置系统的一般过程三、人员的授权与撤消四、各种记录的查询五、报警的设置一、程序组中各个组件的介绍◆eXguard explore该组件是eXgrard门禁管理软件的主操作程序，可以对出入人员进行登记，授权和监视出入情况等操作，以及对门进行直接控制等工作。

下面有详细说明。

◆eXguard Communications该组件是eXguard门禁管理软件的通讯程序，打开它，软件系统就开始与门禁控制主机开始通讯，门禁主机的实时信息就会传输至计算机，同时软件操作人员的操作指令也会下载到门禁控制主机。

如该组件是关闭的，则门禁主机的信息和操作人员的指令会分别暂存在主机和计算机内直到该组件被打开才会被传输。

◆eXguard Backup该组件主要进行数据库备份和恢复工作。

◆eXguard License Server软件的数据库引擎，在运行上面的程序前必须先运行该程序。

二、一般性操作1、启动和关闭程序组件的先后顺序在eXguard License Server未运行时，如果运行其它任何组件，均只会出现如下的等待窗口，这时只有立即运行eXguard License Server，程序才会关闭等待窗口，打开其主窗口。

同样，如果在所有软件都在运行时关闭eXguard License Server，其它所有的程序均将自动关闭。

2、操作员的权限设置门禁系统的操作员级别设置很重要，适当地限制一般操作人员的权限是非常有必要的。

虽然eXguard Lite门禁管理系统会忠实地记录所有操作员的操作记录并且无法删除这些记录，但还是应提前计划好操作员的权限，以使系统达到最大的保安效果。

操作员对eXguard explore中的每个项目均有无权限，查看权和使用权三个级别可选，这可以精确设定操作人员的权限。

Edge Gateway 服务手册计算机型号： Edge Gateway 3000 系列管制型号： N03G管制类型： N03G001注、小心和警告注: “注”表示帮助您更好地使用该产品的重要信息。

小心: “小心”表示可能会损坏硬件或导致数据丢失，并说明如何避免此类问题。

警告: “警告”表示可能会造成财产损失、人身伤害甚至死亡。

目录1 拆装 Edge Gateway 内部组件之前 (8)开始之前 (8)安全说明 (8)建议工具 (8)螺钉列表 (9)2 拆装 Edge Gateway 内部组件之后 (10)3 卸下前盖 (11)步骤 (11)4 装回前盖 (12)步骤 (12)5 卸下天线电缆支架 (13)前提条件 (13)步骤 (13)6 装回天线电缆支架 (16)步骤 (16)完成条件 (16)7 卸下 GPS 支架 (17)前提条件 (17)步骤 (17)8 装回 GPS 支架 (18)步骤 (18)完成条件 (18)9 卸下 WLAN 电缆 (19)前提条件 (19)步骤 (19)10 装回 WLAN 电缆 (20)步骤 (20)完成条件 (20)11 卸下右侧 I/O 护盖 (21)前提条件 (21)步骤 (21)12 装回右侧 I/O 护盖 (22)3步骤 (22)完成条件 (22)13 取出币形电池 (23)前提条件 (23)步骤 (23)14 装回币形电池 (24)步骤 (24)完成条件 (24)15 卸下左侧 I/O 支架 (25)前提条件 (25)步骤 (25)16 装回左侧 I/O 支架 (26)步骤 (26)完成条件 (26)17 卸下状态指示灯透镜罩 (27)前提条件 (27)步骤 (27)18 装回状态指示灯透镜罩 (28)步骤 (28)完成条件 (28)19 卸下右侧 I/O 支架 (29)前提条件 (29)步骤 (29)20 装回右侧 I/O 支架 (30)步骤 (30)完成条件 (30)21 卸下 ZigBee 电缆 (31)前提条件 (31)步骤 (31)22 装回 ZigBee 电缆 (32)步骤 (32)完成条件 (32)23 卸下 WWAN 卡 (33)前提条件 (33)步骤 (33)424 装回 WWAN 卡 (35)步骤 (35)完成条件 (35)25 卸下 WWAN 支架 (36)前提条件 (36)步骤 (36)26 装回 WWAN 支架 (37)步骤 (37)完成条件 (37)27 卸下右橡胶垫圈 (38)前提条件 (38)步骤 (38)28 装回右橡胶垫圈 (39)步骤 (39)完成条件 (39)29 卸下左橡胶垫圈 (40)前提条件 (40)步骤 (40)30 装回左橡胶垫圈 (42)步骤 (42)完成条件 (42)31 卸下系统板 (43)前提条件 (43)步骤 (43)32 装回系统板 (45)步骤 (45)完成条件 (45)33 卸下 WLAN 支架 (46)前提条件 (46)步骤 (46)34 装回 WLAN 支架 (48)步骤 (48)完成条件 (48)35 卸下左侧 I/O 护盖 (49)前提条件 (49)536 装回左侧 I/O 护盖 (50)步骤 (50)完成条件 (50)37 卸下检视门 (51)前提条件 (51)步骤 (51)38 装回检视门 (52)步骤 (52)完成条件 (52)39 卸下回环电缆 (53)前提条件 (53)步骤 (53)40 装回回环电缆 (56)步骤 (56)完成条件 (56)41 访问和更新 BIOS (57)访问 BIOS 设置 (57)在 POST 过程中输入 BIOS 设置 (57)更新 BIOS (57)使用 USB 调用脚本 (57)从 USB 闪存驱动器刷新 BIOS (58)在 Windows 系统上更新 BIOS (58)在 Ubuntu 系统上使用 UEFI 压缩包更新 (58)Dell Command | Configure (DCC) (59)Edge Device Manager (EDM) (59)默认 BIOS 设置 (60)常规（BIOS 级别 1） (60)系统配置（BIOS 级别 1） (61)安全性（BIOS 级别 1） (62)安全引导（BIOS 级别 1） (63)性能（BIOS 级别 1） (64)电源管理（BIOS 级别 1） (64)POST 行为（BIOS 级别 1） (64)虚拟化支持（ BIOS 级别1） (65)维护（BIOS 级别 1） (65)系统日志（BIOS 级别 1） (66)42 诊断程序 (67)43 附录 (69)6Windows 10 IoT Enterprise LTSB 2016 (69)Ubuntu Core 16 (70)71拆装 Edge Gateway 内部组件之前注: 根据您所订购的配置，本说明文件中的图片可能与您的 Edge Gateway 有所差异。

安全网关产品说明书介绍欢迎并感谢您选购联通网络信息安全产品，用以构筑您的实时网络防护系统。

ZXSECUS 统一威胁管理系统（安全网关）增强了网络的安全性，避免了网络资源的误用和滥用，帮助您更有效的使用通讯资源的同时不会降低网络性能。

ZXSECUS统一安全网关是致力于网络安全，易于管理的安全设备。

其功能齐备，包括：●应用层服务，例如病毒防护、入侵防护、垃圾邮件过滤、网页内容过滤以及IM/P2P过滤服务。

●网络层服务，例如防火墙、入侵防护、IPSec与SSLVPN，以及流量控制。

●管理服务，例如用户认证、发送日志与报告到USLA、设备管理设置、安全的web与CLI管理访问，以及SNMP。

ZXSECUS统一安全网关采用ZXSECUS动态威胁防护系统（DTPSTM）具有芯片设计、网络通信、安全防御及内容分析等方面诸多技术优势。

独特的基于ASIC上的网络安全构架能实时进行网络内容和状态分析，并及时启动部署在网络边界的防护关键应用程序，随时对您的网络进行最有效的安全保护。

ZXSECUS设备介绍所有的ZXSECUS统一安全网关可以对从soho到企业级别的用户提供基于网络的反病毒，网页内容过滤，防火墙，VPN以及入侵防护等防护功能。

ZXSECUS550ZXSECUS550设备的性能，可用性以及可靠性迎合了企业级别的需求。

ZXSECUS550同样也支持高可用性群集以及包括在HA设备主从设备切换时不会丢弃会话，该设备是关键任务系统的理想选择。

ZXSECUS350ZXSECUS350设备易于部署与管理，为soho以及子机构之间的应用提供了高附加值与可靠的性能。

ZXSECUS安装指南通过简单的步骤指导用户在几分钟之内运行设备。

ZXSECUS180ZXSECUS180为soho以及中小型企业设计。

ZXSECUS180支持的高级的性能例如802.1Q，虚拟域以及RIP与OSPF路由协议。

ZXSECUS120ZXSECUS120设计应用于远程办公以及零售店管理.具备模拟modem接口，能够作为与互联网连接的备份或单独与互联网连接。

家庭⽹关终端管理系统_操作⼿册_联创家庭⽹关终端管理系统（ITMS）操作⼿册⽂档信息⽂档变更记录审核批准⽬录⽬录 (3)1⽂档说明 (6)2系统管理 (1)2.1概述-⽤户、⾓⾊和权限 (1)2.2安全策略管理 (1)2.3⽤户管理 (1)2.3.1新建系统⽤户 (2)2.3.2系统⽤户列表 (3)2.4⾓⾊/权限管理 (3)2.4.1系统⾓⾊列表 (4)2.4.2⾓⾊与菜单关联管理 (5)2.5系统设置 (5)2.5.1修改登陆密码 (5)2.5.2定义快捷菜单 (6)2.6⽇志管理 (7)2.6.1⽇志查询 (7)2.6.2在线⽤户列表 (8)2.6.3登陆⽇志 (8)3资源管理 (10)3.1设备资源 (10)3.1.1家庭⽹关设备操作 (10)3.1.2家庭⽹关设备查询 (13) 3.1.3家庭⽹关设备列表 (13) 3.1.4家庭⽹关设备统计 (14) 3.1.5设备绑定情况列表 (15) 3.1.6设备账号对应列表 (15) 3.1.7未确认设备查询 (16) 3.1.8⽤户设备解绑 (16)3.2⽤户资源 (17)3.2.1家庭⽹关⽤户操作 (17) 3.2.2家庭⽹关⽤户列表 (19) 3.2.3家庭⽹关⽤户添加 (19) 3.2.4未绑定家庭⽹关⽤户 (20) 3.3基础资源 (21)3.3.1局向资源 (21)3.3.2区域资源 (22)3.3.3设备版本 (23)3.3.4属地资源 (24)3.3.5⼩区资源 (25)3.3.6设备⼚商 (25)3.4⽂件服务器 (28)3.4.1⽂件服务器查询 (28)4故障诊断 (29)4.1设备诊断 (29)4.1.1Ping诊断 (30)4.1.2ATMF5LOOP测试 (31) 4.1.3DSL测试 (33)4.1.4设备基本信息 (35)4.1.5故障诊断预配置检查 (40) 4.1.6设备诊断 (43)4.2系统命令 (48)4.2.1重启 (48)4.2.2恢复出⼚设置 (49)5业务管理 (49)5.1⼯单管理 (50)5.1.1BSS业务查询 (50)5.1.2iTV策略配置统计 (52)5.1.3iTV策略批量配置 (52)5.1.4iTV配置下发 (53)5.1.5变更上⽹⽅式 (54)5.1.6策略配置查询 (54)5.1.7策略配置历史查询 (55)5.1.8家庭⽹关⼯单视图 (55)5.1.9⼿⼯业务下发 (56)5.2现场安装 (56)5.2.1家庭⽹关⼿⼯安装 (57)5.2.2设备序列号烧制 (57)5.2.3现场安装统计 (58)5.2.4现场安装信息查询 (58)5.3业务查询 (59)5.3.1⾃主绑定查询 (59)5.3.2DSLAM侧MAC帐号查询 (60)6报表系统 (60)6.1报表统计 (60)6.2设备统计 (61)6.2.1不活跃设备统计 (61)6.2.2设备按版本统计 (61)6.2.3设备按⼚商统计 (62)6.2.4设备交互统计 (63)6.2.5最新版本统计 (64)6.3业务统计 (64)6.3.1iTV业务统计 (64)6.3.2⽼⽤户多PVC/VLAN部署考核 (65) 6.3.3新⽤户多PVC/VLAN部署考核 (66) 6.4客户统计 (66)6.4.1家庭⽹关按绑定率统计 (66)6.4.2⾃助绑定统计 (67)6.5其他 (68)6.5.1软件升级统计 (68)6.5.2设备上报账号⽇志查询 (69)6.5.3⽤户绑定⽅式统计 (69)7参数配置 (71)7.1参数属性管理 (71)7.1.1参数属性上报 (71)7.1.2配置⽤户可写属性 (72)7.2参数实例管理 (73)7.2.1参数实例管理 (73)7.2.2配置⽂件查询 (75)7.2.3批量下发配置 (76)7.2.4上传配置⽂件 (76)7.2.5设备配置恢复 (78)7.3配置⽇志管理 (80)7.3.1上传⽇志⽂件 (80)7.4设备维护视图 (82)7.4.1设备维护视图 (82)8软件升级 (82)8.1软件升级管理 (83)8.1.1软件简单升级 (83)8.1.2批量软件升级 (83)8.1.3⽂件备份升级 (84)8.2软件版本管理 (85)8.2.1版本实时查询 (85)8.2.2软件版本列表 (86)8.3版本⽂件管理 (87)8.3.1版本⽂件查询 (87)8.3.2版本⽂件添加 (88)1 ⽂档说明本⽂档为ITMS系统操作⼿册。

联网网关(NCG)使用说明书目录1．联网网关安装 (1)2．登陆联网网关管理模块 (2)3．网关配置 (3)3.1信令网关配置 (3)3.2媒体网关配置 (4)3.3网络设置 (5)3.4转码服务器 (5)4．联网配置 (7)5．资源管理 (8)5.1资源共享 (8)5.2资源检索 (9)5.3资源查询 (11)5.4转码配置 (12)6．系统设置 (13)6.1用户管理 (13)6.2日志下载 (13)7．运行状态 (14)7.1联网监控 (14)7.2统计分析 (14)1．联网网关安装联网网关安装程序可以集成在联网网关单独看门狗程序中，也可以集成到各平台的看门狗中。

安装后，联网网关看门狗服务界面如图1所示。

图1联网网关服务界面联网网关由两部分组成，一个是信令网关（cascade），负责级联相关信令发送、接收和处理，一个是媒体网关（media），负责视频流的转发，媒体网关支持负载均衡，可多台分布式部署。

2．登陆联网网关管理模块在浏览器地址栏输入：http://联网网关IP:7088，进入到联网网关的登陆界面。

联网网关登陆界面如图2所示。

图2联网网关登陆界面（1）首先要选择登陆系统的版本号，如果联网网关与IVMS-8200系统一起使用，则选择对应的IVMS-8200系统对应的版本号（V2.3，V2.0，V1.2.5），如果联网网关单独使用，或与其他行业系统一起使用，则选择通用系统。

（2）默认用户名：admin，输入默认的密码：12345，点击“进入网关”按钮，进入联网网关管理模块。

如图3所示。

图3联网网关管理模块3．网关配置3.1信令网关配置点击“信令网关”菜单，进入“信令网关配置信息”界面，如图4所示。

图4信令网关配置（1）若联网网关与IVMS-8200系统一起使用，上述配置信息不需要在联网网关管理模块中配置。

只需要在IVMS-8200系统中添加平台互联服务器，并填写对应信息即可。

如图5所示。

24连接工业网关24.1尝试连接工业网关.......................................................................................................24-224.2设置指南....................................................................................................................24-1124.3限制...........................................................................................................................24-1724.1尝试连接工业网关使用工业网关前，需事先通过“Factory Gateway Configuration Tool ”或“GP-PRO/PB III for Windows ”传输控制器/PLC 的协议。

协议传输完成后，可如同GP 一样注册节点。

[连接示例]将串行通讯方式下的工业网关(FGW)连接到控制器/PLC 。

本节介绍执行上述连接的设置步骤。

•协议一经传输，就不再需要激活“Factory Gateway Configuration Tool ”，除非需要更改设置。

[设置步骤]8传输网络工程文件此步将保存的网络工程文件传输到工业网关。

7保存网络工程文件此步将注册节点的内容保存为一个网络工程文件并重新载入。

6注册参与节点此步将PC 和工业网关注册为入口节点。

5传输协议此步将协议内容传输到工业网关。

3搜索工业网关此步搜索网络中连接的工业网关。

1启动Pro-Studio EX 此步启动Pro-Studio EX 。

2启动工业网关配置工具(Factory Gateway Configuration Tool)此步启动工业网关配置工具。

Unified Access Gateway Security GuideTechnical NoteUnified Access Gateway 2303You can find the most up-to-date technical documentation on the VMware website at: https:///VMware, Inc.3401 Hillview Ave.Palo Alto, CA 94304Copyright ©2023 VMware, Inc. All rights reserved. Copyright and trademark information.Unified Access Gateway Security GuideContents1About this book - Unified Access Gateway Security Guide4 Introduction4Product Updates5Security Settings for Unified Access Gateway6Frequently Asked Questions (FAQs) about Security8About this book - Unified Access Gateway Security Guide1This document serves as a guide for Unified Access Gateway administrators to understand the security practices.This chapter includes the following topics:n Introductionn Product Updatesn Security Settings for Unified Access Gatewayn Frequently Asked Questions (FAQs) about SecurityIntroductionUnified Access Gateway is a VMware hardened Linux based virtual security appliance designedto protect remote user access to end-user computing resources such as virtual desktops and applications. It is designed to operate with the following VMware solutions:n Desktop and App Virtualization with Horizon 7/8 and Horizon Cloudn Workspace ONE Accessn Workspace ONE UEMn Per-App Tunneln Content Gatewayn Secure Email GatewayA virtual appliance is a pre-configured software solution that makes it possible to combine the hardened Linux configuration with the application gateway and the security software so that itcan be managed as a singe appliance. Unified Access Gateway is delivered as a single imagefile that is pre-hardened and tested overall by VMware. All configuration settings can be pushed during deployment so that Unified Access Gateway is "production-ready on first boot" and using automated deployment, and take less than 2 minutes. There is no need to separately configureor harden the appliance after it is deployed. This functionality eliminates the need to separatelymanage the operating system and install application packages. It also means that there are no incompatibility issues that might be encountered by combining different application code versions with different operating system components and Java versions. Overall, all components of a released appliance image are tested by VMware prior to release.There is a full version of Unified Access Gateway and a limited FIPS version. Deployment of Unified Access Gateway is supported on:n vSphere (ESXi and vCenter)Note vCenter is mandatory for ESXi deployment.n Amazon AWS EC2 (Xen and KVM)n Microsoft Azuren Hyper-V (for Workspace ONE UEM only)n Google Compute Engine (GCE in Google Cloud).The same Unified Access Gateway appliance (standard or FIPS version) is used for all solutions, hypervisors, and VMware Cloud services such as Horizon Cloud.Virtual Appliance Operating SystemConsistent with many other modern VMware virtual appliances, Unified Access Gateway uses the Photon operating system. Photon OS, is an open-source minimalist Linux operating system from VMware. The latest Unified Access Gateway versions use Photon 3.0.Console access is supported to allow an administrator to log on as the root user. This is available through the virtualisation platform such as vCenter Console link and access can be restricted through a comprehensive Role-Based Access Control (RBAC) facility on vCenter to ensure only authorized administrators can gain access. SSH access to Unified Access Gateway is normally deactivated but can be activated using a password or the SSH key controls.Product UpdatesThis section covers about the various updates that are released for Unified Access Gateway.Every new version of Unified Access Gateway uses updated Photon, Java, and other components with all recent security updates applied. VMware strongly recommends you to stay up-to-date with Unified Access Gateway versions to take advantage of security updates and other improvements.Note Release Notes describes the product updates and published for every release in theUnified Access Gateway Documentation page. For more information about the release updates, see Release Notes on VMware Docs.Standard ReleasesCurrently, new versions of Unified Access Gateway are released every quarter (approximately 4 times in a year). New releases include functional updates, security updates, improvements, bug fixes, and updates to OS package versions.Version numbering of Unified Access Gateway uses a simple YYMM format indicating the year and month of release. For example, version 2207 indicates it was released in July 2022.Maintenance ReleasesVMware might also release an interim maintenance version to address a critical security vulnerability that applies to Unified Access Gateway, or to address a critical defect.Version numbering of Unified Access Gateway maintenance releases uses the YYMM format with a dot (.) and an incrementing number. For example, maintenance releases might be 2207.1, 2207.2, meaning it is a maintenance release for Unified Access Gateway 2207.Critical OS Patch UpdatesVMware might authorize the update of one or more OS packages to rectify a critical vulnerability that affects a specific version of Unified Access Gateway and for which no viable workaround is available.Configure Automatic CheckStarting with Unified Access Gateway version 2009, a new capability is available for the administrator to configure an automatic check for any authorized package updates. By default, this capability is deactivated. Administrator can activate this capability for dynamic package download and update at next boot time. Either set to check and apply required updates once at next boot time, or configure to check and apply required updates at every boot. For more informationabout these settings, see Configure Unified Access Gateway to Automatically Apply AuthorizedOS Updates section in the Deploying and Configuring VMware Unified Access Gateway Guide on VMware Docs. This allows the administrator to schedule this update for a time that would not involve disruption of the running services. Authorized updates are rare and only made availablefor Photon and application packages that would address critical security or stability issues that apply in the context of the particular Unified Access Gateway version.Note This feature is rarely used. Non critical updates and updates that are not required onUnified Access Gateway are not available for dynamic download but instead batched and released as part of the quarterly Unified Access Gateway releases or the next maintenance release.Security Settings for Unified Access GatewayThis section covers the security settings configured for Unified Access Gateway.The following table lists the TLS configuration for the main Unified Access Gateway HTTP Port 443 on the standard (non-FIPS) Unified Access Gateway. The FIPS version of Unified Access Gateway uses more limited set of ciphers and TLS versions. The TLS settings are configured in System Settings and are applicable to the Horizon Edge service and the Web Reverse Proxy Edge service.Note TLS settings for VMware Tunnel, Content Gateway, and Secure Email Gateway Edge services are configured separately in Workspace ONE UEM Console.Table 1-1. TLS Configuration for Unified Access Gateway HTTP Port 443SSHBy default, root console access to Unified Access Gateway using the SSH protocol is deactivated. You can activate SSH access using the password access or the SSH keys or both. If required, it can be limited to access on individual NICs.By restricting SSH access to specific NICs, it is also possible to use a jumpbox and ensure limited access to that jumpbox.ComplianceSecurity Technical Implementation Guides (STIGs)Unified Access Gateway supports configuration settings to allow Unified Access Gateway to comply with the Photon 3 DISA STIG. For this compliance, the FIPS version of Unified Access Gateway must be used and specific configuration settings are applied at deploy time. For more information about the configuration settings, see DISA STIG OS Compliance Guidelines for Unified Access Gateway in the Deploying and Configuring VMware Unified Access Gateway Guide at VMware Docs.FedRAMP ComplianceThe Federal Risk and Management Program (FedRAMP) is a cyber security risk management program for the use of cloud products and services used by U.S. federal agencies. FedRAMP uses the National Institute of Standards and Technology’s (NIST) guidelines and procedures to provide standardized security requirements for cloud services. Specifically, FedRAMP leverages NIST’s Special Publication [SP] 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations series, the baselines and test cases.VMware is seeking FedRAMP compliance and certification of Unified Access Gateway with Horizon on Azure GovCloud. This requires specific configuration. For more information about the configuration settings, see FedRAMP Guidelines for Unified Access Gateway in the Deploying and Configuring VMware Unified Access Gateway Guide at VMware Docs.Frequently Asked Questions (FAQs) about SecurityThis section covers security related questions and answers for VMware Unified Access Gateway. Can I install third party agents and/or Anti-virus software on Unified Access Gateway?No. Antivirus software or third party agents are not required on a Unified Access Gateway appliance and the use of such software is not supported and it applies to all VMware branded virtual appliances. For more information, see https:///s/article/80767 and https:// /s/article/2090839.Is Unified Access Gateway impacted by CVE-XXX-XXXX?Unified Access Gateway leverages industry leading code scanning, software composition analysis and vulnerability scanning tools, and monitors industry feeds for newly identified potential vulnerabilities. If vulnerabilities are detected, they are addressed per the VMware Security Response Policy.If required, customers can be notified according to responsible disclosure practices through a VMware Security Advisory (VMSA). You can subscribe to be notified about newly published advisories at https:///security/advisories.html. You are encouraged to apply product updates regularly to benefit from the latest security, reliability, and feature improvements.For more information about Unified Access Gateway releases, see Product Updates.It is inevitable that after VMware virtual appliances such as Unified Access Gateway are releasedby VMware, Photon security updates will become available between release dates. The severity of these security updates is generic and mostly do not affect the security of Unified Access Gateway itself. This might be because Unified Access Gateway does not use the affected componentor because the vulnerability is in a function of the component that Unified Access Gatewaydoes not support. Performing dynamic unauthorized updates of these Photon components might destabilize the appliance and might introduce a new vulnerability that cannot be detected in the testing prior to release.All VMware appliances are thoroughly tested and qualified based on the components and versions included with the original release. Updating or changing any components on a virtual appliance may therefore result in unexpected behavior of the system and hence unauthorized updates are not supported.Consistent with other VMware-branded virtual appliances, VMware does not support any modifications or customizations to the underlying operating system and packages included in a VMware-branded Virtual Appliance. This includes adding, updating, or removing of packages, and utilizing custom scripts within the operating system of the appliance. For more information about VMware's policy for virtual appliances, see https:///s/article/2090839.If a security vulnerability is identified by VMware, by a customer or by anyone else, there is a defined policy for reporting this and for VMware's response based on the severity as it applies to the particular product. For more information, see Security Response Policy.A critical security vulnerability in a Photon component that is not used by Unified Access Gateway or does not apply to any functionality of Unified Access Gateway has no security significance and is therefore not critical in the context of Unified Access Gateway.If a critical security vulnerability is determined to affect Unified Access Gateway, then VMware might release a patched version of the appliance in addition to providing the update in the next quarterly release. This can be for a critical issue that does apply to Unified Access Gatewayfor which there is no workaround. VMware publish security advisories from time to time to communicate such vulnerabilities.How frequently does VMware release new Unified Access Gateway versions?For more information, see Product Updates.When are Photon package updates applied to Unified Access Gateway?Every planned release of Unified Access Gateway contains up-to-date Photon and Java versions determined at the time the virtual appliance is built. Usually this is around 2 weeks prior tothe General Availability (GA) date to give an opportunity for final cross functional team andsecurity qualification to ensure the package version combinations work correctly together. Photon packages are updated even if the update was to address a vulnerability that does not apply to Unified Access Gateway.Is there a mechanism with Unified Access Gateway to automatically download and apply critical Photon vulnerability updates?Yes. This feature was added with version 2009. Occasionally, VMware might authorize the update of one or more OS packages to rectify a critical vulnerability that affects a specific version of Unified Access Gateway and for which no viable workaround is available. Starting from Unified Access Gateway version 2009 a new capability is available for the administrator to configurean automatic check for any authorized package updates. For more information, see Configure Automatic Check section in Product Updates.If a scanner reports an out-of-date Photon package, does this mean Unified Access Gateway is vulnerable?A scan report can sometimes indicate a vulnerability, but most times a report about a newer version of package being available is not applicable to Unified Access Gateway. This mightbe because the corrective action to mitigate the vulnerability has already been applied or the vulnerability is in a component not used or activated by Unified Access Gateway. Vulnerability scanners can be prone to false positives even if they are properly configured and kept up-to-date.If there is a “false positive” vulnerability scan report, would applying the package update for that package make Unified Access Gateway more secure?Applying the package update in these cases would make no difference as Unified Access Gateway is not vulnerable with "false positives" anyway. VMware does not support applying package updates to VMware branded virtual appliances. Updating or changing any components might result in unexpected behavior of the system.Why does VMware not support customer modification/update of Photon packages on VMware branded virtual appliances?n It could result in unexpected behavior of the system because of incompatibilities with other software on the appliance and backward compatibility issues with configuration.n Updating a package could introduce a new security vulnerability that would not be detected during security testing prior to the original appliance release.n For the "false positives", applying a package version update will make no security improvement.The tests performed by VMware are on the set of components that make up the virtual appliance image exactly as originally released.Unified Access Gateway Security GuideIf I am concerned about a scanner vulnerability report, can I request information about it from VMware?Most scanners work by identifying which product and version is running in the network and comparing that information to a list of publicly known vulnerabilities. Vulnerability scanners canbe prone to false positives even if they are properly configured and kept up-to-date. A support request can be raised by a customer and VMware support along with VMware Security Response Center (vSRC) will respond and explain why the update does not apply to the particular appliance.Does VMware regularly run scans on Unified Access Gateway appliances internally?Yes. The VMware Security Development Lifecycle includes regular and automatic scans of appliances so that early analysis can be performed by VMware.How often are Photon package versions updated?Several Photon kernel and package updates are released every month. In most cases, these are not released for Unified Access Gateway and are batched up for release in the next planned Unified Access Gateway release.If a critical Photon package or Unified Access Gateway software security vulnerability is identified that affects Unified Access Gateway, how can I get to know about it?Customers can subscribe to VMware security advisories which are published to inform customers of action they must take to protect products against known vulnerabilities that affect VMware products.What is VMware’s response if a Unified Access Gateway critical vulnerability is identified? Should I wait for the next planned version release?VMware publishes the security response policy which defines response times for security vulnerabilities identified. The response time is based on the severity as it applies to a particular product. For example, a critical security vulnerability detected in Unified Access Gateway requires VMware to begin work on a fix or corrective action immediately. VMware will provide the fix or corrective action to customers in the shortest commercially reasonable time. A fix is delivered as a patch image release and the customer must upgrade to that version as soon as possible. Do not wait for the next planned release of Unified Access Gateway. In this case, VMware also publishes a security advisory and might also make the update available as an automatic update. See Security Response Policy.VMware, Inc.11。

User ManualVersion 1.0.1 April 2019 GRP-540M-NBNB-IoT GatewayTable of Contents1.Introduction (5)1.1Features (6)1.2Applications (6)2.Hardware (7)2.1Specifications (7)2.2Appearance and pin assignments (8)2.3Dimensions (9)2.4LED indicators (10)2.5Rotary Switch (10)2.6Installing Device (11)3.Web Utility (12)3.1Login the Utility (12)3.2Information (13)3.2.1Device Information (13)3.2.2Network Information (13)3.2.3Storage Information (14)3.3Network (15)3.3.1Ethernet (15)3.4System (15)3.4.1Password (15)3.4.2Reboot (16)3.4.3Reboot Timer (16)3.4.4Backup & Restore (16)3.4.5Update (16)3.4.6Restore Factory (17)3.4.7Time (17)3.5NB-IoT Client (18)3.5.1NB-IoT Client (18)4.Example (28)4.1Data Collection and Remote Control (NB-DA Server) (28)4.2Data Collection and Remote Control (MQTT Broker) (36)Appendix A. Revision History (40)Appendix B. Traffic calculation for reference (41)Important InformationWarrantyAll products manufactured by ICP DAS are under warranty regarding defective materials for a period of one year, beginning from the date of delivery to the original purchaser.WarningICP DAS assumes no liability for any damage resulting from the use of this product. ICP DAS reserves the right to change this manual at any time without notice. The information furnished by ICP DAS is believed to be accurate and reliable. However, no responsibility is assumed by ICP DAS for its use, not for any infringements of patents or other rights of third parties resulting from its use.CopyrightCopyright @ 2018 by ICP DAS Co., Ltd. All rights are reserved.TrademarkNames are used for identification purpose only and may be registered trademarks of their respective companies.Contact us1.IntroductionThe GRP-540M-NB provided by ICP DAS is a NB-IoT gateway for Ethernet and serial port. It can be used in M2M application fields to transfer the remote I/O or Modbus data via NB-IoT. Within the high performance CPU, the GRP-540M-NB can handle a large of data and are suited for the hard industrial environment. When connecting with NB-DA Server or MQTT Broker, the user can also control the devices which connected to GRP-540M-NB from the remote control center.1.1Features◆Support NB-IoT◆10/100 Base-TX compatible Ethernet controller◆COM port: COM1 (3-wire RS232), COM2 (3-wire RS232), COM3 (RS-485)◆GPS: 32 channels with All-In-View tracking◆Support Modbus RTU/TCP◆Support MQTT◆Support Micro SD card◆High reliability in harsh environments◆DIN-Rail mountable1.2Applications◆ Home/Factory security◆ Energy Management◆ Temperature MonitoringApplication 1: Data CollectorApplication 2: Remote Control2.Hardware2.1Specifications2.2 Appearance and pin assignmentsCOM2 08 TxD2 07 RxD2 06 GNDCOM3 05 D+ 04 D-CAN 03 CAN.GND 02 CAN_H 01 CAN_L2.3Dimensions2.4LED indicatorsThere are three LED indicators to help users to judge the various conditions of device. The description is as follows:A.P WR(Green): Power LED to indicate whether the external power is input or not. Thedescription is as follows:B. RUN(Red): RUN LED indicates if the OS is normal or fail.C. L1(Green/Red): this Led indicates the status of NB-IoT Client.D. L2(Green/Red): reserve.E.NB-IoT (Green): The LED indicates the status of NB-IoT module.(the NB-IoT module need about 60 seconds to register network usually)2.5Rotary SwitchThere are some functions of rotary switch. The description is as follows:A.0: Normal mode, default position.B.9: Factory default IP. If you set as 9, and then reset the device, its Ethernet IP will be“192.168.255.1”. If you forgot your device IP, you can use this function to re-configureyour device IP.2.6Installing DeviceBefore using, please follow these steps to install the device below:A. Install the antenna.B. Plug in the normal SIM card.C. Plug the Ethernet cable if you need it.D.If you want to use the Micro SD card, please insert it into the slot.E. Connect the DC.+VS and DC.GND to the power supply.F. Need to wait about 20 ~ 30 seconds for OS booting. After finishing the process, GRP-540M-NBwould be in normal operation mode and the OS LED would blank as heart beat per 1 sec.G. It is needed to wait about 30 ~ 60 seconds to search the NB-IoT base and register to the ISP. Afterfinishing the process, the NB-IoT LED would blank per 3.333 secs.Install The AntennaInsert SIM CardLED IndicatorsInsert MicroSD CardPlug Ethernet cableConnect to Power3.Web UtilityYou must configure the device from web utility before using.3.1Login the UtilityPlease login before you use the web utility. The default username is “admin”, and the default password is “admin”.⚫Default IP = “192.168.255.1”⚫Default Mask = “255.255.0.0”⚫After login, the screenshot is showed as below:3.2InformationThe user can get the basic information of the device here.3.2.1D evice InformationThis page provides basic device information:(1) Product Name: the Name of your product.(2) Serial Number: only one number of ICPDAS product.(3) OS Kernel Version: Linux kernel version.3.2.2Network InformationThis page provides basic network information:(1)Ethernet: Ethernet information．Mode: static IP.．MAC address: a unique identifier assigned to network interfaces.．IP Address: a computer's address under the Internet Protocol.．Mask: Mask will be provided from Gateway provider.(2)Modem information:．IMEI: IMEI number of NB-IoT module.．PIN Code: the status of PIN Code. Please refer to below:◼READY: PIN Code is ready.◼SIM PIN: need PIN code of SIM card.◼SIM PUK: need PUK code of SIM card.◼SIM failure: Access SIM Card failure.．Register Status: Indicating machine connect to mobile network successful or not.．Signal Quality: the NB-IoT signal quality.Modem information will update frequently if NB-IoT client function not enable. If NB-IoT client function enable, Modem information only updates when sending message.3.2.3Storage InformationThis page provides information about “Micro SD card”, “USB Disk”:(1)USB Disk / SD card:．Size: total size of storage.．used: the size is used.．Available: free space in the storage.．Path: the mount point in file system.3.3NetworkThe user can configure the Network functions here.3.3.1EthernetThis page provides the basic settings of Ethernet:(1) IP Address: IP of Ethernet.(2) M ask: the Mask of the gateway.(3) G ateway: IP of the gateway.3.4SystemThe user can configure password, system parameter, reboot device and restore factory settings here.3.4.1PasswordThe user can change the password of the web utility here.(1) Password: new password.(2) Confirm: confirm the password again.3.4.2RebootThe user can reboot the device here.3.4.3Reboot TimerThe user can use this function to reboot system automatically.(1) Reboot Time (everyday): the time for rebooting system.(2) E nable: Enable Reboot Timer function.3.4.4Backup & RestoreThe user can backup the device settings and restore it here.(1) Backup: Press “Backup” button to backup settings into your PC.(2) Restore: Press “Browse”button to select file, and then press “Restore”button to store yoursettings.3.4.5UpdateThe user can update the device’s firmware by themselves. Need to go to the product page and download the update file (updateFile.tarc). Must put the update file into SD card and backup your config before update.3.4.6Restore FactoryThe user can restore the device setting to factory default.3.4.7TimeThis page provide information about the time of the device.(1) S et Time: set the time of device the same as your computer.(2) N TP Server: device will connect to the NTP Server to synchronize time.(3) Timezone: if you don't know your timezone, please click the link “check timezone” to find out.(4) Enable NTP Function: if you enable it, the device will update time automatically.(NTP function will work only when Ethernet can go through Internet)3.5NB-IoT ClientThe user can configure NB-IoT Client function here. The NB-IoT Client function will connect to NB-DA Server or MQTT Broker, please refer the website for more information.3.5.1N B-IoT ClientThe user can configure NB-IoT Client firmware function here. There are three tabs:(1) Main Info. (2) Modbus Device (3) I/O Mapping◼Main Info. Tab (UDP Mode with SMS4 security):(1) APN Config: Access Point Name, please ask your SIM Card provider.(2) Data Update Period (sec.): set report time interval. The device will report all data to NB-DAServer or MQTT Broker every time.(3) S end Mode: can choose UDP or MQTT.(4) S erver IP/Domain: the IP Address or Domain Name of NB-DA Server.(5) Server Port: the port of the server.(6) Enable Function: enable the NB-IoT Client function.(If SD Card exist, this function will also save log data to SD Card by date)◼Main Info. Tab (MQTT Mode):(1) APN Config: Access Point Name, please ask your SIM Card provider.(2) Data Update Period (sec.): set report time interval. The device will report all data to NB-DAServer or MQTT Broker every time.(3) S end Mode: can choose UDP or MQTT.(4) S erver IP/Domain: the IP Address or Domain Name of MQTT Broker.(5) Server Port: the port of the MQTT Broker. (default MQTT port is 1883)(6) Buffer Size: the buffer which is used to save the MQTT message. (include Topic and Data)(7) Keep Alive: the peroid of MQTT's PINGREQ message.(8) MQTT Version: set the MQTT version that will be used.(9) User Name: the user name for MQTT connection. (if have user name)(10) Password: the password for MQTT connection. (if have password)(11) Subscribe DO: the MQTT topic which will be used for receiving DO message.(12) Subscribe AO: the MQTT topic which will be used for receiving AO message.(13) Publish DEVINFO: the MQTT topic which will be used for sending DEVINFO message.(14) Publish DI: the MQTT topic which will be used for sending DI message.(15) Publish AI: the MQTT topic which will be used for sending AI message.(16) Publish GPS: the MQTT topic which will be used for sending GPS message. (GPRMC format)(17) Publish ACK: the MQTT topic which will be used for responding ACK when received DO orAO message.(18) Use CHT platform: enable if using CHT IoT Platform. (also need to set User Name, Password)(19) CHT Device ID: set the Device ID which gets from CHT IoT Platform.(20) CHT Sensor ID: set the Sensor ID which gets from CHT IoT Platform.(21) Enable Function: enable the NB-IoT Client function.MQTT Message Format:⚫Message format for normal MQTT Broker:⚫M essage format for CHT Platform:⚫D ata Type:⚫DEVINFO data:◼Modbus Device: the interface for adding Modbus I/O device.(1) Modbus Device Number: display the Modbus device number here. You can choose a model inthe list, and then use the “Add” button to add a new Modbus device.(2) D evice Name: the name of the Modbus device.(3) D evice ID: the Modbus ID.(4) IP: the IP of Modbus/TCP device. Keep it empty if using Modbus/RTU device.(5) Port: the Port number of Modbus/TCP device.(6) D I Number: the number of DI channel.(7) D O Number: the number of DO channel.(8) A I number: the number of AI channel.(9) AO number: the number of AO channel.(10) DI Address: the start address for reading DI value.(11) DO Address: the start address for reading DO value.(12) AI Address: the start address for reading AI value.(13) AO Address: the start address for reading AO value.(14) COM Port: can choose “COM2 (RS-232)” or “COM3 (RS-485)”.(15) Baud Rate: the baud rate of RS-485 or RS-232.(Notice that must set same Baud Rate for all RS-485 devices)(16) Data Bit: the data bit of RS-485 or RS-232.(17) Parity: the parity bit of RS-485 or RS-232.(18) Stop Bit: the stop bit of RS-485 or RS-232.(19) Read DO: enable if this device's DO is output data to GRP-540M-NB.(This will let DO data combine with this device's DI data, and DO will continue after DI) (20) Read AO: enable if this device's AO is output data to GRP-540M-NB.(This will let AO data combine with this device's AI data, and AO will continue after AI)◼I/O Mapping:(1) Auto Mapping: this will check all Modbus devices and auto mapping all I/O.(2) 1st / 2nd Session ID: the ID which used to identify this GRP-540M-NB device.(3) DO/DI/AO/AI mapping table:The mapping format is “[Device Number]-[I/O Number]”.⚫Device Number: the number of Modbus devices in “Modbus Device” page. (start from 1) (ex: the config of Modbus Device Number 0 is the 1st Modbus device) ⚫I/O Number: the number of this Modbus device's I/O. (start from 1)NOTICE: If enabled “Read DO” or “Read AO”, in addition to DO/AO’s mapping table, also need to set these DO/AO to DI/AI’s mapping table.Example:If the 1st Modbus Device (the config of Modbus Device Number 0 in “Modbus Device”page) have 2 AI and 5 AO, in addition to the “1-1” and “1-2” for AI, also need to set “1-3”, “1-4”, “1-5”, “1-6”, and “1-7”in AI table (for enable Read AO). In this case, the GRP-540M-NB will send DEVINFO, AO, AI (with 7 values--2 AI and 5 AO), and GPS messages.4.Example4.1Data Collection and Remote Control (NB-DA Server)This example shows data collection and remote control application via NB-DA Server.There are PM-3112 and SAR-713 in this system.(1) Please connect your device (PM-3112 and SAR-713) to serial port of GRP-540M-NB.Baud Rate of these devices is 115200 bps, data format is 8N1 (Data bits, Parity, Stop bits).(Must attention that Baud Rate of all Modbus devices must set same value when using RS-485)(2) If you never use NB-DA Server, please refer to NB-DA Server's website.(3) Add devices in “Modbus Device” tab.In this case, we want to use two AO values of SAR-713, but their Modbus address is not continuing. We split SAR-713’s setting to two Modbus settings like below:In the 1st setting, we set to read 1 AO on AO address 9, and the 2nd setting read 1 AO on address 11. Besides, the SAR-713’s AO is the values we want, so “Read AO” is needed too.The PM-3112’s setting is below, it has 4 AI need to be read:(4) Set I/O mapping table:The Session ID is used to let NB-DA Server identifies this GRP device, so must not set the same ID if using more than one device.Because SAR-713 enable “Read AO”, the AO of SAR-713 also need to be entered into AI table.There is no AI need to be read from SAR-713, so the AO become “1-1” and “2-1” to AI table and AI of PM-3112 are “3-1”, “3-2”, “3-3”, “3-4”.(5) Set APN of your SIM card, the IP and port for NB-DA Server, and Enable the function.Press “Modify”(6) Setting NB-DA Server:(a) The server port is set “5394” in GRP-540M-NB, so server must use “5394” to receive data.(b) Click “Add Server” after all settings are ready.(c) Choose the server and click “Start Server”.(d) After server start, if received data from GRP-540M-NB, we can see the Session live statuson the Sessions block.(7) After receiving data, if the server enables MQTT or Database, user can get data from access database or subscribe MQTT topic to receive data. The server also creates Modbus Server by default, user can connect Modbus Server with local IP and the port setting on server, then use Modbus TCP command to get data.(8) If user wants to control remote DO/AO, user can change the values on the Modbus Server or publish DO/AO MQTT message to the topic which NB-DA Server subscribed.⚫[Server Side] The MQTT control message for DO/AO like below:1 byte for every DO, hex format, and data length must be 32. (set 00 for empty DO)2 bytes for every AO, hex format, and data length must be 32. (set 0000 for empty AO)⚫[Server Side] The DEVINFO/DI/AI/GPS/ACK data like below:DEVINFO data include RSRP, ECL, SNR, and Battery level.1 byte for every DI, hex format, and data length must be 32. (empty DI will be 00)2 bytes for every AI, hex format, and data length must be 32. (empty AI will be 0000)GPS data is “$GPRMC” message of NMEA 0183 protocol.4.2Data Collection and Remote Control (MQTT Broker)This example shows data collection and remote control application via MQTT broker.There are PM-3112 and SAR-713 in this system.(1) Please connect your device (PM-3112 and SAR-713) to serial port of GRP-540M-NB.Baud Rate of these devices is 115200 bps, data format is 8N1 (Data bits, Parity, Stop bits).(Must attention that Baud Rate of all Modbus devices must set same value when using RS-485)(2) If you never use NB-DA Server, please refer to NB-DA Server's website.(3) Add devices in “Modbus Device” tab. (same as Example 4.1)(4) Set I/O mapping table. (same as Example 4.1)(5) Set APN of your SIM card, the IP/Domain and port for MQTT Broker. According to user’sapplication, set the topic for subscribe and publish. Enable the function and press “Modify”.(If using CHT IoT Platform, also need to set User Name, Password, Device ID, and Sensor ID, then enable “Use CHT platform”)When using normal MQTT Broker, the message will be:⚫[GRP-540-NB Side] The MQTT control message for DO/AO like below:1 byte for every DO, hex format, and max data length is 32.2 bytes for every AO, hex format, and max data length is 32.Must include “Session ID/Type” in the end of topic like “ER/0/0/DO”(Please check the numbers of DO/AO, don’t send more or less than real I/O numbers)⚫[GRP-540-NB Side] The DEVINFO/DI/AI/GPS/ACK data like below:DEVINFO data include RSRP, ECL, SNR, and Battery level.1 byte for every DI, hex format, and max data length is 32.2 bytes for every AI, hex format, and max data length is 32.GPS data is “$GPRMC” message of NMEA 0183 protocol.ACK data is published by GRP when it received DO/AO control message. (DO_ACK/ AO_ACK)When using CHT IoT Platform, the message will be:⚫[GRP-540-NB Side] The MQTT control message for DO/AO like below:(NOTICE: Need to send data with JSON format which defined by CHT platform)1 byte for every DO, hex format, and max data length is 32.2 bytes for every AO, hex format, and max data length is 32.(Please check the numbers of DO/AO, don’t send more or less than real I/O numbers)⚫[GRP-540-NB Side] The DEVINFO/DI/AI/GPS/ACK data like below:DEVINFO data include RSRP, ECL, SNR, and Battery level.1 byte for every DI, hex format, and max data length is 32.2 bytes for every AI, hex format, and max data length is 32.GPS data is “$GPRMC” message of NMEA 0183 protocol.ACK data is published by GRP when it received DO/AO control message. (DO_ACK/ AO_ACK)Appendix A. Revision HistoryThis chapter provides revision history information to this document. The table below shows the revision history.Appendix B. Traffic calculation for referenceThis chapter provides a reference for calculating traffic, but it only calculates the traffic of data (not include the header of packets). For the real usage of traffic, please check it from the SIM Card provider.➢UDP format:Data➢MQTT format:Data + Topic length (topic is set by user)➢MQTT format for CHT IoT Platform:JSON (77 bytes + Sensor ID length + Device ID length + Data) + Topic length (topic is set by user)Example:If only 1 Modbus device with 1 DI is connecting to GRP-540M-NB, assume that DEVINFO and GPS data have max length, the bytes that will be transmitted is: (1 character = 1 byte)⚫I f using UDP:Data: 112+ 64 + 160 = 336 bytesThe GRP will transmit 336 bytes in every transmission.⚫I f using MQTT:Data: 14 + 2 + 72 = 88 bytesThe GRP will transmit 88 bytes + DEVINFO topic length + DI topic length + GPS topic length in every transmission.⚫I f using MQTT (for CHT IoT Platform):Data: 14 + 7 + 72 = 93 bytes, also need to add 3 messages’ JSON format length (77 bytes + Sensor ID length + Device ID length).The GRP will transmit JSON data length + DEVINFO topic length + DI topic length + GPS topic length in every transmission.。