Administrator User Guide SD-WAN PERMISSIONS, MONITORING & CONFIGURATION FOR WINDSTREAM SD-WAN

Table of Contents

SD-WAN Network Management Tool in Windstream Online (WOL)

SD-WAN Permissions
1.1 SD-WAN Permission Levels
1.2 Permission Level Notifications
1.3 Confirmation of Configuration Changes

SD-WAN Monitor
2.1 Monitoring Overview
2.2 Monitoring Quality of Experience (QoE)
2.3 Monitoring Transport
2.4 Monitoring Applications
2.5 Monitoring Sources
2.6 Monitoring Destinations
2.7 Monitoring Business Priority

SD-WAN Configuration
3.1 Configure Edges Overview
3.2 Configure Edges Device
3.3 Configure Edges Business Policy
3.4 Configure Edges Firewall
3.5 Configure Profile Overview
3.6 Configure Profile Device
3.7 Configure Profile Business Policy
3.8 Configure Profile Firewall
3.9 Configure Network
3.10 Configure Network Services

NEED HELP? CONTACT SUPPORT -888-623-VOIP Support@Broadviewnet.com http://community.broadviewnet.com

SD-WAN PERMISSIONS

1.1 SETTING SD-WAN PERMISSION LEVELS

Administrator grants permissions for SD-WAN to others in their company via the Admin area of the Windstream Online (WOL) portal. There are four (4) levels of permission access defined for SD-WAN, as shown below.

Note: These permission levels are not cumulative, so only those checked are applicable.

Portal text, Product & Service Tools (options: None, View, Manage, Advanced):
Allow this user to access the online tools to manage your Windstream services. You can provide access to only select tools by choosing Advanced.
SD-WAN Configuration changes may cause, but are not limited to, service interruptions, networking issues, or security risks. Misconfigurations or service interruptions that result from Customer initiated configuration change are solely the responsibility of the Customer and are not covered as a part of the SD-WAN service level agreement.

The four SD-WAN permission levels:
- View: SD-WAN Monitor
- View: SD-WAN Configure
- Manage (Limited): SD-WAN Configure, Business Policy and Firewall only
- Manage (All): SD-WAN Configure, full access to manage configuration settings

1.2 PERMISSION LEVEL NOTIFICATIONS

Users are informed if they do not have the level of permission to make changes for certain areas:

Note: You do not have permission to save any changes on this page.

1.3 CONFIRMATION OF CONFIGURATION CHANGES

Reminder: Administrators that are reluctant to make their own changes can always rely on the Windstream SD-WAN Concierge support team to implement changes.

Note: It is recommended that a qualified network technician manage network configuration changes, as these updates may cause service interruptions, network issues, or security risks if not properly implemented.

Confirmation dialog text (buttons: YES, NO):
Are you sure you want to save these configuration changes? Configuration changes may cause, but are not limited to, service interruptions, networking issues, or security risks. Misconfigurations or service interruptions that result from Customer initiated configuration change are solely the responsibility of the Customer and are not covered as a part of the SD-WAN service level agreement.

SD-WAN MONITOR

2.1 MONITORING OVERVIEW

[Screenshot: Overview tab for the past 60 minutes. Monitor tabs: Overview, QoE, Transport, Applications, Sources, Destinations, Business Priority. Link Status table with columns Link Status, Interface (WAN Type), Throughput, Bandwidth, Latency, Jitter and Packet Loss; Bandwidth Usage panels for Top Applications, Top Categories, Top Operating Systems and Top Sources.]

1. Overview displays information about your Edge WAN links, application bandwidth, and network usage for top operating systems, top categories, and the top sources. The Overview tab consists of two (2) areas: Link Status and Bandwidth Usage.

2. The Link Status area (WAN/LAN) is updated in real-time and displays a list of your links and their data (Cloud and VPN status, Interface, and Throughput Capacity). Cloud Status and VPN Status can display the following statuses: Green=Active, Yellow=Degraded, Red=Offline/Disconnected, Grey=Not Enabled. The Link Status area can also display the status of Backup links depending upon the WAN settings.

3. The Bandwidth Usage area displays your top applications, categories, operating systems and sources along with their volume for a historical period of time. You can change the time frame by clicking the Time Duration drop down menu. Clicking on one of the arrow icons will allow you to drill down further into the details for each usage category.

4. The Top Applications area displays historical usage data for top applications and is connected to the Applications tab. To access the Applications tab, click the View Details arrow on the right side.

5. The Top Categories area displays categories as a color-coded pie chart (with a corresponding legend). The Top Categories area is also connected to the Applications tab. To access the Applications tab, click the View Details arrow on the right side.

6. The Top Operating Systems area displays top operating systems as a bar graph. Hover over a bar in the graph to display usage data for that system. The Top Operating Systems area is connected to the Sources tab. To access the Sources tab, click the View Details arrow on the right side.

7. The Top Sources section of the Bandwidth Usage area displays top sources as a bar graph. The Top Sources section is also connected to the Sources tab. To access the Sources tab, click the View Details arrow on the right side.

2.2 MONITORING QUALITY OF EXPERIENCE (QOE)

[Screenshot: QoE tab for Voice over the past 60 minutes, showing the QoE score before and after network enhancements and the hover summary of Latency, Jitter and Packet Loss.]

1. The SD-WAN Quality of Experience (QoE) tab shows the SD-WAN Quality Score (SQS) for different applications. The SQS rates an application's quality of experience that a network can deliver for a period of time.

2. There are three different traffic types that you can monitor (Voice, Video, and Transactional) in the QoE tab. You can hover over a WAN network link, or the aggregate link provided by the SD-WAN, to display a summary of Latency, Jitter, and Packet Loss.

3. The SD-WAN Quality Score (SQS) rates an application's quality of experience that a network can deliver for a given time frame. Some examples of applications are: video, voice, and transactional. QoE rating options are shown in the table below.

RATING COLOR | RATING OPTION | DEFINITION
Green | Good | All metrics are better than the objective thresholds. Application performance at or above SLA.
Yellow | Fair | Some or all metrics are between the objective and maximum values. Application performance may be impacted.
Red | Poor | Some or all metrics have reached or exceeded the maximum value. Application performance may be impacted.

4. Link Steering and Remediation enables dynamic, application aware per-packet link steering that is performed automatically based on the business priority of the application, embedded knowledge of network requirements of the application, and the real-time capacity and performance of each link. On-demand mitigation of individual link degradation through forward error correction, jitter buffering and negative acknowledgment proxy also protects the performance of priority and network sensitive applications. Both the dynamic per-packet link steering and on-demand mitigation combine to deliver robust, sub-second blackout and even brownout protection to improve application availability, performance and end user experience.

2.3 MONITORING TRANSPORT

[Screenshot: Transport tab for the past 60 minutes. Average Throughput chart (Downstream) with one series per WAN link, and a Download as Excel (.csv) option.]

[Screenshot: link table with columns Cloud Status, VPN Status, Name, Interface (WAN Type), Total Bytes, Downstream (Bps) and Upstream (Bps).]

1. The Transport tab provides an overview of the bandwidth used across all of the WAN links. For any period of time, including historical timeframes, you can view which Link or Transport Group was used for the traffic and how much data was sent. You can filter the data by drilling down into various utilization types.

2. Using the chart tools you can easily zoom into any subset of data within the chart by clicking in the chart and holding down the mouse button while scrolling the area you wish to zoom into. Pin mode allows you to compare non-adjacent data sets. Just select the pin mode in the chart above, select a range and then drag it across the chart to compare it with the data anywhere else on the chart.

3. Using the interactive legend, you can selectively turn data plots individually on/off by clicking a data series to hide it and focus on the other series in the chart.

4. The Cloud Status represents the ability for the Edge device to communicate to the gateway over the Internet cloud. The status values for both Cloud and VPN are (green: connected, red: disabled, gray: unavailable).

5. Descriptions for the options of Links Stats listed in the Links Stats drop menu are listed in the table below.

LINK STAT ITEM | DEFINITION
Bandwidth | This parameter denotes the desired bandwidth allocation in Mbps for each flow. Based on these parameters, the total capacity is allocated in proportion to the bandwidth values of various flows.
Jitter | Jitter is calculated using the RFC 3550 formula for calculating jitter that is used by RTP. Jitter metrics are measured between the Edge device and the SD-WAN core gateway. Application performance may be impacted.
Latency | For each packet, the latency is measured by subtracting the network send time (packet is time stamped immediately before being sent) from the network receive time (packet is time stamped immediately after being received).
Packet Loss | A lost packet is calculated when a path sequence number is missed and doesn't arrive within the re-sequencing window. A very late packet is counted as a lost packet in this regard.
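The latency, jitter and packet-loss definitions in the table above, worked through in Python. This is an added example, not Windstream or VeloCloud code; the Probe record, the millisecond re-sequencing window and the sample timestamps are constructed, and latency by subtraction assumes both ends share a clock.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Probe:
    seq: int                   # path sequence number
    sent_ms: float             # stamped immediately before sending
    recv_ms: Optional[float]   # stamped immediately after receipt; None = never arrived


def link_stats(probes, reseq_window_ms):
    """Return (mean latency ms, RFC 3550 jitter ms, loss fraction)."""
    if not probes:
        return None, 0.0, 0.0
    arrived = sorted((p for p in probes if p.recv_ms is not None),
                     key=lambda p: p.recv_ms)
    lost = {p.seq for p in probes if p.recv_ms is None}
    deadline = {}   # skipped seq -> latest arrival time that still counts
    accepted = []   # packets delivered in time, in arrival order
    seen = set()
    highest = min(p.seq for p in probes) - 1
    for p in arrived:
        if p.seq in seen:
            continue                      # duplicate delivery: ignore
        seen.add(p.seq)
        if p.seq > highest:
            # A gap opens for every skipped number; its window starts now.
            for missing in range(highest + 1, p.seq):
                deadline[missing] = p.recv_ms + reseq_window_ms
            highest = p.seq
        elif p.recv_ms > deadline.get(p.seq, float("-inf")):
            lost.add(p.seq)               # very late packet counts as lost
            continue
        accepted.append(p)

    transit = [p.recv_ms - p.sent_ms for p in accepted]
    latency = sum(transit) / len(transit) if transit else None

    # RFC 3550 interarrival jitter: J = J + (|D| - J) / 16, where D is the
    # change in transit time between consecutive packets in arrival order.
    jitter = 0.0
    for prev, cur in zip(transit, transit[1:]):
        jitter += (abs(cur - prev) - jitter) / 16

    total = len({p.seq for p in probes})
    return latency, jitter, len(lost) / total


# Constructed sample: one probe every 20 ms. Packet 3 is reordered but arrives
# inside the window, packet 5 arrives far too late, packet 7 never arrives.
SAMPLE = [
    Probe(1, 0, 30), Probe(2, 20, 52), Probe(3, 40, 95), Probe(4, 60, 90),
    Probe(5, 80, 200), Probe(6, 100, 130), Probe(7, 120, None),
]

if __name__ == "__main__":
    print(link_stats(SAMPLE, reseq_window_ms=10))
```

Because a very late packet is scored as lost, a path with heavy reordering and a short window reports loss even when every packet is eventually delivered.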

2.4 MONITORING APPLICATIONS

[Screenshot: Applications tab for the past 60 minutes. Bytes Received / Sent chart with one series per application; table with columns Application, Category, Total Bytes, Bytes Received and Bytes Sent; Top Applications dialog listing Top Destinations and Top Source Devices.]

1. The Applications tab displays network usage information about your applications or your application categories. You can hover over a segment of the graph to display network usage data for that segment. You can also choose which type of data is displayed from the Data drop down menu (Bytes Received/Sent, Total Bytes, Total Packets, or Packets Received/Sent).

2. You can also click an application in the Applications column to open a dialog box, which displays the Top Destinations and Top Source Devices for the application.

3. Clicking on the arrow icon will take you to the associated page allowing you to drill down further into the data.

4. Chart tools: You can easily zoom into any subset of data within the chart by clicking in the chart and holding down the mouse button while scrolling the area you wish to zoom into. Pin mode allows you to compare non-adjacent data sets. Just select the pin mode in the chart above, select a range and then drag it across the chart to compare it with the data anywhere else on the chart.

5. Using the interactive legend, you can selectively turn data plots individually on/off by clicking a data series to hide it and focus on the other series in the chart.

2.5 MONITORING SOURCES

[Screenshot: Sources tab for the past 30 minutes (Active Edges Only). Bytes Received / Sent chart with one series per device, a Download as Excel (.csv) option, and a table with columns Application, IP Address, Operating System, Type, Total Bytes, Bytes Received and Bytes Sent.]

[Screenshot: Top Sources dialog listing Top Applications and Top Destinations for the selected source.]

1. The Sources tab screen displays network usage data (operating system, device type) over a historical period of time. The data is displayed as two line graphs. You can change the data that is displayed in the graphs from the Data drop down menu (Bytes Received/Sent, Total Bytes, Total Packets, or Packets Received/Sent). You can also hover over a segment of the graph to display the source and its associated network usage.

2. You can also click a source in the Source column to open a dialog box, which displays the Top Destinations and Top Applications. The Friendly Name capability lets you rename a source device for in-portal reporting: click the pencil icon next to the source device in the grid view.

3. Clicking on the arrow icon will take you to the associated page allowing you to drill down further into the data.

4. Chart tools: You can easily zoom into any subset of data within the chart by clicking in the chart and holding down the mouse button while scrolling the area you wish to zoom into. Pin mode allows you to compare non-adjacent data sets. Just select the pin mode in the chart above, select a range and then drag it across the chart to compare it with the data anywhere else on the chart.

5. Using the interactive legend, you can selectively turn data plots individually on/off by clicking a data series to hide it and focus on the other series in the chart.

2.6 MONITORING DESTINATIONS

[Screenshot: Destinations tab for the past 30 minutes. Bytes Received / Sent chart with one series per domain; table with columns Destination, Total Bytes, Bytes Received and Bytes Sent; Top Destinations dialog listing Top Applications and Top Operating System.]

1. The Edge Destinations tab screen displays network usage data (operating system, device type) over a historical period of time by the destination of the network traffic. If you hover over a segment of the graph, the destination and its associated network usage displays. There are three destination types (Domain, FQDN, IP) located on the right side of the screen.

2. For each type (Domain, FQDN, and IP), the Top Destinations dialog box displays by type when you click a destination from the Destination column. You can open the Applications and Sources tabs from the Top Destinations dialog box. Click the arrows next to the Top Applications and Top Operating sections of the dialog boxes (respectively) to open these tabs.

3. Clicking on the arrow icon will take you to the associated page allowing you to drill down further into the data.

4. Chart tools: You can easily zoom into any subset of data within the chart by clicking in the chart and holding down the mouse button while scrolling the area you wish to zoom into. Pin mode allows you to compare non-adjacent data sets. Just select the pin mode in the chart above, select a range and then drag it across the chart to compare it with the data anywhere else on the chart.

5. Using the interactive legend, you can selectively turn data plots individually on/off by clicking a data series to hide it and focus on the other series in the chart.

2.7 MONITORING BUSINESS PRIORITY

[Screenshot: Business Priority tab for the past 60 minutes. Average Throughput chart (Downstream) with series High, Normal, Low and Control; table with columns Priority, Downstream (Bps) and Upstream (Bps).]

1. The Business Priority tab page displays the priority (High, Normal, and Low) of the network traffic over a historical period of time. If you mouse over a segment of the graph, the Business Policy characteristics and its associated network usage displays.

2. Chart tools: You can easily zoom into any subset of data within the chart by clicking in the chart and holding down the mouse button while scrolling the area you wish to zoom into. Pin mode allows you to compare non-adjacent data sets. Just select the pin mode in the chart above, select a range and then drag it across the chart to compare it with the data anywhere else on the chart.

3. Using the interactive legend, you can selectively turn data plots individually on/off by clicking a data series to hide it and focus on the other series in the chart.

4. Quality of Experience (QoE), resource allocations, link/path steering, and error correction are automatically applied based on business policies and application priorities. Orchestrate traffic based on transport groups defined by private and public links, policy definition, and link characteristics.

SD-WAN CONFIGURATION

3.1 CONFIGURE EDGES OVERVIEW

[Screenshot: Edges list with an Assign Profile action and columns Name, Profile, HA, Device, Biz. Pol, Firewall, Status, Model and Serial Number.]

1. The color-coded icons will link you directly to the configuration areas for Device, Business Policy and Firewall. An icon color of Gray in one of the configuration columns indicates all the rules in place are based on the Default Profile settings; any other color means at least one rule override is in place.

2. The Edge device settings are inherited from the Profile selected for the Edge and can be simple if the network configuration defined in the profile is used without modification. Overrides can be made to Network and Network Service configuration as part of Edge configuration but should be used sparingly and for scenarios that are temporary.

3.2 CONFIGURE EDGES DEVICE

[Screenshot: Edge Device tab. Panels shown: Network Settings (assignable VLANs for the Corporate and Guest networks, Management VLANs, High Availability), Device Settings with VLAN Settings (Network, IP Address, Mgmt IP, Interfaces), Interface Settings (Switch Port Settings and Routed Interface Settings, with an Add WiFi SSID action), Static Route Settings (Subnet, Source IP, Next Hop, Interface, VLAN, Cost, Preferred, Advertise, Description), Wi-Fi Radio Settings (Radio Enabled, Country, Band, Channel) and DNS Settings (Private DNS, Public DNS), each with an Enable Edge Override option where applicable.]

[Screenshot: VLAN dialog with fields Edge LAN IP Address, Edge LAN Management IP Address, CIDR Prefix, Network, LAN Interfaces, Enable Edge Override, Type, Static Addresses, Lease Time and Options (Option, Code, Data Type, Value).]

1. Network settings are inherited from the Profile selected for the Edge and can only be changed in the associated profile. In addition, configuration overrides can be made to some settings that were configured in the Network, Network Services, and Profile assigned to an Edge. In most cases, an override must first be enabled, then changes can be made. Overrides can be made to Interfaces and DNS.

2. Edges can be installed as a single standalone device or paired with another Edge to provide High Availability (HA) support. The HA configuration can be achieved using L2 switches only or using a combination of L2 and L3 switches. The HA configuration is only for wired WAN connections.

3. VLAN Settings can be chosen for your LAN interfaces: the Edge LAN IP address, the Edge Management IP address, and the CIDR prefix. You can also specify fixed IP addresses tied to specific MAC addresses. The list of LAN interfaces and the SSID of any Wi-Fi interfaces that are configured for this VLAN are listed. Finally, a block for configuring DHCP is shown. DHCP can be enabled (where a start address, the number of addresses, the lease time, and optional parameters are entered), the address of one or more relay agents can be enabled, or DHCP can be disabled.

4. The list of Switch Ports is shown with a summary of some of their settings (such as Access or Trunk mode and the VLANs for the interface). Switch Ports are highlighted with a light yellow background.

5. Static Route Settings are useful for special cases where static routes are needed for existing network attached devices (such as printers). The + icon on the right of the dialog box can be used to add additional Static Route Settings. Perform these steps to specify the Static Route settings:
   a. Enter the subnet for the route.
   b. Enter the IP address for the route.
   c. Select the WAN interface where the Static Route will be bound.
   d. Select the Broadcast checkbox to advertise this route over VPN and allow other Edges in the network to have access to this resource.
   e. Optionally, add a description for the route.

6. DNS is an optional service that allows you to create a configuration for DNS. The DNS Service can be for a public DNS service or a private DNS service provided by your company. A Primary and Backup server can be specified. The service is preconfigured to use Google and Open DNS servers.

7. The management IP address is used as the source address for local services (e.g. DNS) and as a destination for diagnostic tests (e.g. pinging from another Edge).

8. Dynamic Host Configuration Protocol (DHCP) dynamically assigns unique IP addresses to network devices. As a network device joins or leaves an IP-based network, DHCP automatically renews or releases an IP address. DHCP allows network administrators to centrally manage and automate the assignment of IP addresses, making network administration a lot easier to manage.

9. Refer to the snapshot below for hover text to appear at EACH Enable Edge Override field. The following text should appear with the icon next to each occurrence of the Enable Edge Override field option:

   Enable Edge Override: This option enables Edge specific edits to the displayed settings, and discontinues further automatic updates from the configuration profile for this module. For ongoing consistency and ease of updates it is recommended to set configurations at the Profile rather than Edge exception level.

10. The Wi-Fi Radio Settings determine if the Wi-Fi radio is enabled, select the country where the Edge is located, select the band of the Wi-Fi radio, and select the channel used by the Wi-Fi network. If a specific country is selected, a specific Wi-Fi channel can be selected. Note: Wi-Fi is an optional service. To add Wi-Fi to your existing service(s), please contact your Account Executive.

11. DHCP can be configured on a Routed Interface. The routed interface must be configured with a STATIC address at the Edge level. The usual DHCP Server settings can be specified, including Disabled (the default), Relay (configure as relay), and Enabled (configure as a server, with options). If an Edge Override is enabled, the Start IP must be a valid available IP within undefined/24 subnet.

3.3 CONFIGURE EDGES BUSINESS POLICY

[Screenshot: Edge Business Policy tab with Add Rule, Import and Delete Rule actions. The rule list has Match columns (Source, Destination, Application) and Action columns (Net. Service, Link, Priority), grouped into Edge Override rules and Rules from Profile. The Edit Rule dialogs show Rule Name, DSCP, Source (VLAN, IP Address, Ports, Operating System), Destination (IP Address, Hostname, Protocol, Ports), Application, Priority (High, Normal, Low), Rate Limit (% link bandwidth), Network Service (Direct, Multi-Path), Link Steering (Auto, Transport Group, Interface, WAN Link; Mandatory, Preferred, Available), NAT and service class (Real Time, Transactional, Bulk).]

1. Based on the business policy configuration, SD-WAN examines the traffic being used, identifies the Application behavior, the business service objective required for a given app (High, Med, or Low), and the Edge WAN Link conditions. Based on this, the Business Policy optimizes Application behavior, driving queuing, bandwidth utilization, link steering, and the mitigation of network errors.
2. A number of rules are predefined and you can add your own rules to customize your network operation. Rules are listed in order of highest precedence. Network traffic is managed by identifying its characteristics, then matching the characteristics to the rule with the highest precedence.
3. You can move your configured rules up or down in the list of rules to establish precedence by hovering over the numeric value at the left side of the rule and moving the rule up or down. If you hover over the right side of a rule, click the x (cross) sign next to the rule to remove it from the list or the + (plus) sign to add a new rule.
4. If the Match Source Define option is chosen, the source traffic can be narrowed to a specific VLAN, an IP Address, a Port, an Operating System or any combination of the selections.
5. If the Match Destination Define option is chosen, the destination can first be narrowed to a type (, Internet, Edge, or Non-SD-WAN Site). The destination can then be further defined by specifying an IP Address, Hostname, Protocol (GRE, ICMP, TCP, or UDP), and a port.
6. The Action section allows traffic to be categorized by Priority as High, Normal, or Low. Percentage Rate Limits can also be applied in both the Outbound and Inbound direction. Link Steering provides for:
   a. Mandatory, where traffic will be sent over the WAN link or link Service-group specified. If the link specified (or all links within the chosen service group) is inactive or if a multi-path gateway route is unavailable, the corresponding packet will be dropped.
   b. Preferred indicates the traffic should preferably be sent over the WAN link or link Service-group specified. If the link specified (or all links within the chosen service group) is inactive, or if the multi-path gateway route chosen is unstable, or if the link Service Level Objective (SLO) is not being met, the corresponding packet will be steered on the next best available link. If the preferred link becomes available again, traffic will be steered back to the preferred link.
   c. Available indicates the traffic should preferably be sent over the WAN link or link Service-group specified as long as it is available (irrespective of link SLO). If the link specified (or all links within the chosen service group) is not available or if the multi-path gateway route chosen is unavailable, the corresponding packet will be steered to the next best available link. If the preferred link becomes available again, traffic will be steered back to the available link.
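
The three Link Steering modes differ only in when they fail over, which is easy to misjudge when a Mandatory rule silently drops traffic during an outage. The Python model below is an added example, not code from the SD-WAN product or from this guide; the Link fields, the link names and the "next best" tie-break are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    name: str
    up: bool        # link is active
    slo_met: bool   # link currently meets its Service Level Objective


def next_best(candidates):
    """Assumed tie-break: first active link, preferring one that meets its SLO."""
    active = [link for link in candidates if link.up]
    active.sort(key=lambda link: not link.slo_met)  # stable: keeps list order
    return active[0].name if active else None


def steer(mode, targets, links):
    """Return the name of the link a packet takes, or None if it is dropped.

    targets is the set of link names chosen in the rule: a single WAN link,
    or every link in the selected group.
    """
    chosen = [link for link in links if link.name in targets]
    others = [link for link in links if link.name not in targets]
    active = [link for link in chosen if link.up]

    if mode == "mandatory":
        # No failover: an inactive target means the packet is dropped.
        return active[0].name if active else None
    if mode == "preferred":
        healthy = [link for link in active if link.slo_met]
        if healthy:
            return healthy[0].name
        # Inactive or SLO not met: move to the next best link. Staying on a
        # degraded target when nothing else is up is an assumption.
        return next_best(others) or next_best(active)
    if mode == "available":
        # SLO is ignored: only an unavailable target triggers failover.
        return active[0].name if active else next_best(others)
    raise ValueError(f"unknown link steering mode: {mode!r}")


# Constructed sample state; the link names are illustrative.
DEGRADED = [Link("Private Wired", up=True, slo_met=False),
            Link("Local ISP", up=True, slo_met=True),
            Link("Wireless", up=True, slo_met=True)]
DOWN = [Link("Private Wired", up=False, slo_met=False)] + DEGRADED[1:]

if __name__ == "__main__":
    for label, state in (("degraded", DEGRADED), ("down", DOWN)):
        for mode in ("mandatory", "preferred", "available"):
            print(label, mode, steer(mode, {"Private Wired"}, state))
```

Because steer() is evaluated per packet from the current link state, traffic returns to the target link as soon as that link qualifies again, which matches the steer-back behaviour described for Preferred and Available.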

3.4 CONFIGURE EDGES FIREWALL

[Screen capture: Edge Firewall tab with Firewall Enabled and Logging Enabled settings; Outbound Firewall Rules (Match: Source, Destination, Application; Action), with Edge Override rules listed above Rules from Profile; Inbound Port Forwarding rules (Name, Protocol, Interface, WAN Port(s), LAN IP, LAN Port, Remote IP/Subnet, Log); and Inbound NAT Rules (Name, Outside IP, Interface, Inside IP, Protocol, Port(s), Remote IP, Log).]

[Screen capture: Add Rule dialog for the rule "Streaming Music", with Match options for Source, Destination and Application.]

1. Firewall rules are used to configure Allow or Deny Access Control List (ACL) rules. The rules are used to determine what traffic is allowed between VLANs or out from the LAN to the Internet. The rules can be based on applications, application categories, source IP address/port, destination IP address/port, DSCP tags or protocol. Network traffic is managed by identifying its characteristics, then matching the characteristics to the rule with the highest precedence.
2. When adding a new Firewall rule using the dialog, you can select Source, Destination, and Application characteristics to match. Given a match, the Firewall action defined in the rule will be applied.
3. When a Deny action is detected by the firewall, an Event is generated. The event can be seen in the list of events using Monitor -> Events. When a Deny and Log action is detected, the Firewall logs the event locally.
4. You can move your configured rules up or down in the list of rules to establish precedence by hovering over the numeric value at the left side of the rule and moving the rule up or down. If you hover over the right side of a rule, click the - (minus) sign next to the rule to remove it from the list or the + (plus) sign to add a new rule.
5. Mac Address Filtering is another Source option available in the Match area of the dialog box shown below. You can use the Mac Address feature when you want a filtering rule to apply to a specific client no matter what subnet the client is associated with. (The filtering rule is independent of the client's subnet.)
6. The Inbound Firewall Rules section provides Port Forwarding and 1:1 NAT rules that define how Internet traffic is filtered or routed to an Edge via the Gateway. Configure rules to redirect traffic from a specific WAN port to a device (LAN IP/LAN Port) within the local subnet. Optionally restrict the inbound traffic by IP or subnet. Port Forwarding Rules are used to forward requests made on specific TCP or UDP ports to specific LAN IP addresses and ports on an Edge. The + icon on the right can be used to add additional Port Forwarding Rules.
7. 1:1 NAT Settings are used to map a public IP address to an Inside (LAN) IP address. A 1:1 NAT mapping can only be configured with IP addresses that do not belong to the Edge. It can also translate outside IP addresses in different subnets than the WAN interface address if the ISP routes traffic for the subnet towards the Edge. Each mapping is between one IP address outside the firewall and one LAN IP address inside the firewall. Within each mapping, you can specify which ports will be forwarded to the inside IP address. The + icon on the right can be used to add additional 1:1 NAT settings.
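
Because the rule with the highest precedence wins, a broad rule placed above a narrower one makes the narrower rule unreachable, and moving a rule up or down can flip an Allow into a Deny. The Python sketch below is an added example, not code from the SD-WAN product or from this guide: it models an ordered rule list that matches only on source subnet, protocol and destination port (an assumed simplification that leaves out applications, DSCP tags and MAC addresses), evaluates a flow, and reports rules shadowed by an earlier rule. The rule names and addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # source subnet in CIDR form
    proto: str = "any"           # "tcp", "udp" or "any"
    ports: tuple = (0, 65535)    # inclusive destination port range

    def matches(self, src_ip, proto, port):
        return (ip_address(src_ip) in ip_network(self.src)
                and self.proto in ("any", proto)
                and self.ports[0] <= port <= self.ports[1])

    def covers(self, other):
        """True if every flow that matches `other` also matches this rule."""
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and self.proto in ("any", other.proto)
                and self.ports[0] <= other.ports[0]
                and other.ports[1] <= self.ports[1])


def evaluate(rules, src_ip, proto, port):
    """Return (rule name, action) of the first matching rule, top to bottom.

    Returns None when nothing matches; the guide does not state a default
    action, so none is assumed here.
    """
    for rule in rules:
        if rule.matches(src_ip, proto, port):
            return rule.name, rule.action
    return None


def shadowed(rules):
    """List (rule, shadowing rule, actions_conflict) for unreachable rules."""
    findings = []
    for index, later in enumerate(rules):
        for earlier in rules[:index]:
            if earlier.covers(later):
                findings.append((later.name, earlier.name,
                                 earlier.action != later.action))
                break
    return findings


# Constructed rule list, highest precedence first.
RULES = [
    Rule("Allow corp web", "allow", "10.0.7.0/24", "tcp", (443, 443)),
    Rule("Deny all corp", "deny", "10.0.7.0/24"),
    Rule("Allow corp SSH", "allow", "10.0.7.0/24", "tcp", (22, 22)),
    Rule("Deny guest telnet", "deny", "10.0.9.0/24", "tcp", (23, 23)),
]
# Same rules with "Allow corp SSH" moved above the broad deny.
REORDERED = [RULES[0], RULES[2], RULES[1], RULES[3]]

if __name__ == "__main__":
    print(evaluate(RULES, "10.0.7.5", "tcp", 22))      # hits the broad deny
    print(shadowed(RULES))                             # SSH rule is unreachable
    print(evaluate(REORDERED, "10.0.7.5", "tcp", 22))  # now allowed
```

Running the same check after every reorder catches allow rules that have been buried under a broader deny, and deny rules that have been buried under a broader allow.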

3.5 CONFIGURE PROFILE OVERVIEW

[Screen capture: Profile list (Name, Used By, Jump To) with ADD PROFILE, DUPLICATE PROFILE and DELETE PROFILE actions, and the Profile Overview page for the Default Internet Network profile showing the Networks and Services summaries.]

1. The color-coded icons will link you directly to the configuration areas for Device, Business Policy and Firewall. A Gray icon in one of the configuration columns indicates that all the rules in place are based on the Default Profile settings; any other color means at least one rule override is in place.
2. A Profile Overview page is displayed that provides a quick summary of all Networks and Services that are defined in the profile. The overview is divided into two categories (Networks and Services). After all settings have been entered for the Profile Device, Business Policy, and Firewall pages, the Profile Overview page should reflect the configurations you have performed.
3. Networks has the name of the Network configuration used, the type of addressing, and the Network addresses and VLANs assigned to the Corporate and Guest networks.
4. Services has a summary of the services provided by the Windstream SD-WAN system.

3.6 CONFIGURE PROFILE DEVICE

[Screen capture: Profile Device tab showing Network Settings (Network, Assignable VLANs, Management VLANs), the Select Management VLANs dialog with the options "All VLANs (Recommended)" and "Customize", and Device Settings per Edge model.]

[Screen capture: Edge500 Interface Settings (Switch Port Settings and Routed Interface Settings, with an ADD WIFI SSID button), Wi-Fi Radio Settings, DNS Settings, and the LAN interface dialog with Mode, VLANs, Untagged VLAN and L2 Settings.]

[Screen capture: Edge 500 INTERNET interface dialog (Capability, Addressing Type, WAN Overlay, OSPF, NAT Direct Traffic, L2 Settings) and Edge 500 WLAN interface dialog (VLAN, SSID, Security, Passphrase).]

1. The device settings tab is used to select a Network, assign VLANs, configure Wired and Wireless LAN connections and configure DNS settings. Device configuration allows you to associate a Network configuration with a Profile, configure Interfaces, and choose Network Services to be associated with a Profile. Choosing a Network and selecting Network Services can be performed from drop-down lists on this tab page.
2. This is the Network associated with the Profile, the list of Assignable VLANs, and the list of Management VLANs using the Network Settings section of the Device tab page.
3. The Select Assignable VLANs dialog is used to select the VLANs that will be supported by this Profile.
4. For the Management VLANs in a typical corporate VLAN definition, two IP addresses are preallocated. The first IP address in the subnet is assigned to address the subnet and the second IP address is used for a management function (such as Ping). These values can be seen and modified in the Subnet Addressing section of the Edge device tab. The default is All VLANs will be assigned a management IP address.
5. For VLAN definitions where the number of IP addresses must be tightly controlled, the creation of the Management IP address can be suppressed by customizing which VLANs have a Management IP address. The Select Management VLANs dialog is used to select which of the available corporate VLANs will be assigned a Management IP address (all VLANs in the Selected VLANs list in the screen capture below). If you customize the list of VLANs, new VLANs that you add are not given a Management IP address. If you want a new VLAN to have a Management IP address, you will need to add the new VLAN to the list of Selected VLANs via the Select Management VLANs dialog.
6. Device Settings allows you to configure the Interface Settings for one or more Edge models in a profile. Depending on the Edge Model, each interface can be a Switch Port (LAN) interface or a Routed (WAN) Interface. Depending on the Branch Model, a connection port is a dedicated LAN or WAN port, or ports can be configured to be either a LAN or WAN port. Branch ports can be Ethernet or SFP ports. Some Edge models may also support wireless LAN interfaces. It is assumed that a single public WAN link is attached to a single interface that only serves WAN traffic. If no WAN link is configured for a routed interface that is WAN capable, it is assumed that a single public WAN link should be automatically discovered. If one is discovered, it will be reported back and this auto-discovered WAN link can then be modified and the new configuration pushed back to the branch.
7. Actions you can perform on the network interface, such as Edit or Delete.
8. The Interface name. This name matches the Edge port label on the Edge device or is predetermined for wireless LANs.

9. The list of Switch Ports with a summary of some of their settings (such as Access or Trunk mode and the VLANs for the interface). Switch Ports are highlighted with a light yellow background.
10. The list of Routed Interfaces with a summary of their settings (such as the addressing type and if the interface was auto-detected or has an Auto Detected or User Defined WAN overlay). Routed Interfaces are highlighted with a light blue background.
11. The list of Wireless Interfaces (if available on the Edge device). You can add additional wireless networks by clicking the Add Wi-Fi SSID button. Wireless Interfaces are highlighted with a light gray background. Note: Wi-Fi is an optional service. To add Wi-Fi to your existing service(s), please contact your Account Executive.
12. You can configure Edge device LAN interfaces as Access Ports, where you can choose a VLAN for the port and select L2 Settings for Autonegotiate (selected by default), Speed, Duplex type, and MTU size (default 500). You can also configure Edge device LAN interfaces as Trunk Ports, where you can choose VLANs for the port, how Untagged VLAN data is handled (routed to a specific VLAN or Dropped) and select L2 Settings for Autonegotiate (selected by default), Speed, Duplex type, and MTU size (default 500).
13. WAN interfaces can be Routed (where the routing process is done between two networks using IP addresses) or Switched (where packets are transferred from source to destination using MAC addresses; switching is done within the network). You can also choose Addressing Type (, PPPoE, or static), a WAN Overlay (Auto-detect, or User Defined), enable OSPF, enable NAT Direct Traffic, and select L2 Settings for Autonegotiate (selected by default), Speed, Duplex type, and MTU size (default 500).
14. Initially two Wi-Fi networks are defined for the Edge: one as a Corporate network and one as a Guest network that is initially disabled. Additional wireless networks can be defined, each with a specific VLAN, SSID, and security configuration. Note: Wi-Fi is an optional service. To add Wi-Fi to your existing service(s), please contact your Account Executive.
15. Security for your Wi-Fi connections can be one of three types:
    Open: No security is enforced.
    WPA2 / Personal: A password is used to authenticate a user.
    WPA2 / Enterprise: A server is used to authenticate a user. In this scenario, a Server must be configured in Network Services and the Server must be selected in the Profile Authentication Settings on the Device page.
    The default settings for Security can also be overridden on the Edge Device page.
16. The Wi-Fi Radio Settings determine whether the Wi-Fi radio is enabled, and select the country where the Edge is located, the band of the Wi-Fi radio, and the channel used by the Wi-Fi network. If a specific country is selected, a specific Wi-Fi channel can be selected. Note: Wi-Fi is an optional service. To add Wi-Fi to your existing service(s), please contact your Account Executive.
17. The Device DNS Settings allow you to specify which Network Services DNS Service will be used.

3.7 CONFIGURE PROFILE BUSINESS POLICY

[Screen capture: Profile Business Policy tab. The rule list shows Match columns (Source, Destination, Application) and Action columns (Net. Service, Link, Priority), next to the rule dialog with its Match (Source, Destination, Application) and Action (Priority, Rate Limit, Network Service, Link Steering, Inner and Outer Packet DSCP Tag, NAT, Service Class) sections.]

1. Based on the business policy configuration, SD-WAN examines the traffic being used, identifies the Application behavior, the business service objective required for a given app (High, Med, or Low), and the Edge WAN Link conditions. Based on this, the Business Policy optimizes Application behavior, driving queuing, bandwidth utilization, link steering, and the mitigation of network errors.
2. A number of rules are predefined and you can add your own rules to customize your network operation. Rules are listed in order of highest precedence. Network traffic is managed by identifying its characteristics, then matching the characteristics to the rule with the highest precedence. You can move your configured rules up or down in the list of rules to establish precedence by hovering over the numeric value at the left side of the rule and moving the rule up or down. If you hover over the right side of a rule, click the - (minus) sign next to the rule to remove it from the list or the + (plus) sign to add a new rule.
3. You can select Match choices for network traffic based on the Source of the traffic, the Destination of the traffic, and/or the type of Application that generated the traffic. Given a match, the Actions defined in the lower part of the dialog for the rule will be applied. For each of the Match selections, the option is used to designate any traffic from a source, destination, or application. If the Match Source Define option is chosen, the source traffic can be narrowed to a specific VLAN, an IP Address, a Port, an Operating System or any combination of the selections.
4. If the Match Destination Define option is chosen, additional parameters can be specified to identify the traffic destination (see the following screen capture). The destination can first be narrowed to a type (, Internet, Edge, or Non-SD-WAN Site). The destination can then be further defined by specifying an IP Address, Hostname, Protocol (GRE, ICMP, TCP, or UDP), and a port. Match Destination options are particularly useful if the same traffic match pattern needs to be assigned different QoS values depending on the route taken. As an example, you may want to assign a higher priority to traffic destined to an SD-WAN Site versus regular cloud-based internet traffic. This can be easily achieved using the Destination configuration value.
5. If the Match Application Define option is chosen, applications can be chosen first by category, then by specific application. In addition, a DSCP value can be specified to match traffic coming in with a preset DSCP/TOS tag. Depending on your Match choices, some Actions may not be available. For example, if All Applications is chosen, Network Service and Link Actions are grayed out and are not available for selection.
6. The Action Priority parameter allows traffic to be categorized as High, Normal, or Low. Percentage Rate Limits can also be applied in both the Outbound and Inbound direction.
7. The Action Network Service parameter can be set to Direct or Internet Multi-path. The Direct option explicitly sets the traffic to be sent to the destination directly, bypassing the SD-WAN Gateway; this option is only applicable for Destination = Internet. The Internet Multi-path option explicitly marks the traffic to be sent over the SD-WAN Gateway, utilizing the benefits of per-packet link steering, multipath redundancy, and error correction.
8. The Action Link Steering parameter can be set to by Service Group, by Interface, or by WAN Link. A Transport Group represents WAN links bundled together based on similar characteristics and functionality. Defining a Transport Group allows business abstraction so that similar policy can apply across different Hardware types. For the Transport Group option, you select the Transport Group type of All, Public Wired, Public Wireless, or Private Wired. This option is allowed at both the Edge override level and Profile level. Mandatory indicates that traffic will be sent over the WAN link or link Service-group specified. If the link specified (or all links within the chosen service group) is inactive or if a multi-path gateway route is unavailable, the corresponding packet will be dropped. Preferred indicates the traffic should preferably be sent over the WAN link or link Service-group specified. If the link specified (or all links within the chosen service group) is inactive or if the multipath gateway route