I n C o n t r o l 2 A p p l i a n c e S e t u p G u i d edownload.peplink.com/files/ica/InControl2ApplianceSetup... · 2020-06-04 · 1 . V i r t u a l A p p l i a n c e 1 . 1 I n

InControl 2 Appliance Setup Guide for Virtual and Hardware Appliance 2.8.4.2

(Last updated: 2020-06)

Contents

1. Virtual Appliance 1.1 Introduction 1.2 Hardware Requirements 1.3 Installation on VMware ESXi 6.0 and ESXi 5.5

Networking Creating InControl and DB VMs Uploading and adding data storage to the VMs

1.4 Installation on Hyper-V Windows 2012 R2 Networking Creating InControl and DB VMs Uploading and Adding data storage to the VMs

1.5 Powering up VMs 1.6 Accessing the Control Panel 1.7 IP Address Configuration and Password Reset Over the Console 1.8 Software License

2. Hardware Appliance 2.1 Accessing Control Panel 2.2 License Key

3. Input E-mail Delivery Settings

4. Map Settings Input Google Maps API Key OpenStreetMap Settings

5. Input FTP/SFTP Archive Server Settings

6. Facebook App Settings (for Captive Portal)

7. Setting up Devices to Report to InControl Method 1: By Configuring Devices Individually - for Internet Isolated Environments

Method 2: By Configuring or Redirecting Devices from the Peplink InControl - for Internet-Accessible Environments

8. Logging Into InControl Appliance Web Site

9. Importing Devices

10. Creating an Organization, Group, and Adding Devices

11. API Access

12. Settings on Your Firewall 12.1 For Hardware Appliance’s Management Port

13. Upgrading InControl Virtual Appliance 13.1 For VMware ESXi 13.2 For Microsoft Hyper-V

14. Upgrading InControl Hardware Appliance

15. Facebook App ID Creation Procedure

16. Release Notes Release notes for 2.8.4.2 Release notes for 2.8.4.1 Release notes for DB-20200522 Release notes for 2.8.4 Release notes for 2.8.3 (no appliance image released) Release notes for DB-20200512 Release notes for 2.8.2.6 Release notes for 2.8.2.5 Release notes for DB-20200220 and DB-20200305 Release notes for 2.8.2.4 Release notes for 2.8.2.3 and DB-20190312 Release notes for 2.8.2.2 Release notes for 2.8.2.1 Release notes for 2.8.2 Release notes for 2.8.1.2 Release notes for 2.8.1.1 Release notes for 2.8.1 Release notes for 2.8.0 (no appliance image released) Release notes for 2.7.3.7

Release notes for 2.7.3.6 Release notes for 2.7.3.5 Release notes for 2.7.3.2 Release notes for 2.7.3.1 Release notes for 2.7.3 Release notes for 2.7.1 Release notes for 2.6.2 Release notes for 2.6.1 (no appliance image released) Release notes for 2.6.0 (no appliance image released) Release notes for 2.5.2

1. Virtual Appliance

1.1 Introduction InControl 2 Virtual Appliance runs on top of a virtualization server. VMware ESXi and Microsoft Hyper-V are supported currently. It consists of two VMs (Virtual Machines). They are InControl VM and DB (database) VM. The setup requires two Virtual Switches in the virtualization server. One is for internal communication between the InControl VM and the DB VM. Another one is for web access and device communication from the outside.

1.2 Hardware Requirements For up to 100 devices

InControl VM Database VM

CPU Dual-core minimum. Quad-core preferred

Memory Size 8 GB 6 GB

System Disk Size 8 GB 2 GB

Data Disk Size 20 GB 100 GB

For up to 1000 devices


CPU Quad-core 3.4 GHz Xeon



Data Disk Size 30 GB 1 TB

For up to 5000 devices


CPU 16-core 3.4 GHz Xeon



Data Disk Size 40 GB 5 TB

Note: The actual system usage depends on not only the number of devices, but also the devices’ functionality and usage. E.g. GPS data availability, the number of cellular WANs, the number of client connections per hour, etc. Pepwave MAX tends to consume more resources than Peplink Balance and Pepwave AP One. The above requirement figures are for average usage. External archive server:

● An FTP or SFTP server: as much storage as possible. Please see chapter 5. Input FTP/SFTP Archive Server Settings for details.

1.3 Installation on VMware ESXi 6.0 and ESXi 5.5

Peplink distributes two tgz files: InControl-System-x.y.z-vmdk.tgz and DB-System-yyyymmdd-vmdk.tgz . They contain bootable systems of the InControl virtual appliance and a MySQL database respectively. You will use them to start one InControl Appliance and one MySQL DB VM.

Networking

Please create two vSwitches in ESXi host > Configuration > Networking. The first one is called "WAN " which is for connecting to the outside world and will need a physical network adapter attached. The first network adapter of the InControl VM shall be assigned to this network. The second one is called "Internal ". It is for inter-InControl-DB communication, no physical adapter is needed. The second network adapter of the InControl VM and the single network adapter on the Database VM shall be assigned to this network.

Note 1: A DHCP server is required on the WAN segment during the initial installation. The InControl VM will acquire an IP for its WAN from the DHCP server. You may configure the system with a static IP when you have access to the control panel. Note 2: As the “Internal” network segment is on the subnet 192.168.1.0/24 by default, the WAN interface cannot be on 192.168.1.0/24 too. You may change the subnet DB VM’s “Internal” interface’s IP on the console (see chapter 1.7) and change the IC VM’s Internal interface IP and the DB server setting on the control panel.

Creating InControl and DB VMs

In the vSphere Client, create 2 new Virtual Machines called “DB ” and “InControl ” for Ubuntu Linux (64 bit) guest operating systems. For the DB, you will need only one Network Connection on the Internal network. For InControl, you will need the WAN network on NIC1 and the Internal network on NIC2. (For the disk, just choose anything as we will remove it anyway.) DB VM:

InControl VM:

Uploading and adding data storage to the VMs

Extract .tgz files on a PC. “.tgz” is a shorthand of “.tar.gz”. Extract the files with a file extractor on your PC or Mac. (Note: Do not extract on the ESXi server’s command shell as its “tar” command is incompacould with the file.) Go to the VM’s Summary tab and right-click on your datastore to browse it. There you can upload the DB-System-flat.vmdk + DB-System.vmdk to the DB directory, and the InControl-System-flat.vmdk + InControl-System.vmdk to the InControl directory. You should see this as one file in the Datastore Browser. If you see two files, you will need to open the small vmdk file with a text editor and fix the name of the flat file.

Alternatively, you can activate the ssh function, and scp the 2 files to the corresponding directories (/vmfs/volumes/datastore1/DB & /vmfs/volumes/datastore1/InControl ). Now you can ‘Edit Settings’ of each VM. Remove the existing hard disk. For the InControl VM, add the InControl-System.vmdk on SCSI (0:0) and create an empty 20 GB disk on SCSI (0:1) . For the DB VM, follow the same but add 100 GB of disk for supporting 100 devices. See Introduction - Minimum Hardware Requirements

1.4 Installation on Hyper-V Windows 2012 R2

Peplink distributes two VMDK files: InControl-System.vhd and DB-System.vhd . They are bootable systems of the InControl virtual appliance and a MySQL database respectively. You will use them to start one InControl and one MySQL DB VM.

Networking

First of all, please create two networks on the Hyper-V host. The first one is called "WAN " which is for connecting to the outside world and will need a physical network adapter attached. The first network adapter of the InControl VM shall be assigned to this network. The second one is called "Internal ". It is for inter-InControl-DB communication, no physical adapter is needed. The second network adapter of the InControl VM and the single network adapter on the Database VM shall be assigned to this network.

Note 1: A DHCP server is required on the WAN segment during the initial installation. The InControl VM will acquire an IP for its WAN from the DHCP server. You may configure the system with a static IP when you have access to the control panel. Note 2: As the “Internal” network segment is on the subnet 192.168.1.0/24 by default, the WAN interface cannot be on 192.168.1.0/24 too. You may change the subnet DB VM’s “Internal” interface’s IP on the console (see chapter 1.7) and change the IC VM’s Internal interface IP and the DB server setting on the control panel.

Creating InControl and DB VMs

In the Hyper-V Manager, create 2 new Virtual Machines called DB and InControl for Ubuntu Linux (64 bit) guest operating systems. Our test was on first generation VMs. For the DB VM, you need only one network connection on the Internal network. For the InControl VM, you’ll need the WAN network and the Internal network.

DB VM:

InControl VM:

Uploading and Adding data storage to the VMs

For the InControl VM, add the InControl-System.vhd on IDE (0:0) and create an empty 10GB disk on IDE (0:1). For the DB VM, follow the same but add 100 GB of disk storage for supporting 100 devices. See Introduction - Minimum Hardware Requirements Choose VHD - fixed size data disks.

1.5 Powering up VMs Power up the DB VM first. After one minute, power up the InControl VM. They will initialize their attached data disk automatically. The InControl VM takes about 5-10 minutes to start up for the first time, 2 minutes for subsequent boot ups.

1.6 Accessing the Control Panel After the system is fully started up which typically takes about two minutes, you can access the Control Panel page on the InControl VM via your browser to configure the InControl virtual appliance. Check the InControl IP address from the VM console. You can access the control panel page at https://{incontrol.ip.address}:4443/. The default username and password are both “admin”.

1.7 IP Address Configuration and Password Reset Over the Console You may configure the InControl and Database VM’s IP address, and reset the InControl VM’s control panel password by logging in to the console. The username and password are “setup ” and “setup ” respectively. (Note: the console username and password cannot be changed)

InControl VM:

Database VM:

1.8 Software License A software license is required for the InControl hardware/virtual appliance to operate. To acquire an evaluation license, please email your Server Name shown on the Control Panel and your order number (if any) to [email protected]. Peplink will send you back a license key. Input it into the License Key field to activate. The device’s serial number will be assigned at the same time.

mailto:[email protected]

2. Hardware Appliance

2.1 Accessing Control Panel After the system is fully started up which typically takes about two minutes, you can access the Control Panel page from a browser on a PC to configure the InControl appliance. You can visit the control panel over its Management port or WAN port from a PC. The unit’s management port’s IP address is 192.168.5.10 by default. The WAN port IP address is acquired from a DHCP server by default. You could find its IP address from the LCD panel. (Note that the WAN subnet must not be 192.168.1.0/24, 192.168.5.0/24 and 192.168.30.0/24.) On your PC, assign it with a static IP address which is accessible to the port’s IP address. Connect it to the port with an Ethernet cable. For the management port, you can access the control panel page at http://192.168.5.10:8000/ . For WAN port, the page is at https://{wan.ip.address}:4443/ . The default username is “admin” and the password is “admin”

http://192.168.5.10:8000/

2.2 License Key A license has been pre-installed for managing a certain amount of devices. After you have purchased a new license, Peplink will send you back a license key. You can input it into the License Key field and activate the license.

3. Input E-mail Delivery Settings In order to create new accounts, the system has to be able to send confirmation emails to do account confirmation. So please configure the SMTP server settings, as well as the “Notification E-mail Sender Name” and “Notification Sender E-mail Address” in the System Settings above accordingly.

4. Map Settings

Input Google Maps API Key Since InControl Appliance 2.7.3, to conform to the latest Google Maps API policy, no API key comes with the InControl Appliance. Customers are required to apply one from Google, add billing information to it and input the API key to InControl Appliance’ control panel page. If a key is not provided, a screen like this may be displayed:

Please follow the instructions shown on the Google Maps API Key Settings panel to apply for an API key.

If you do not want to use Google Maps, you may choose to display maps with the OpenStreetMap. The setting is available at Organization Settings.

OpenStreetMap Settings When you choose to use OpenStreetMap, the mapping images and geocoding requests will be served by Peplink’s OpenStreetMap servers by default. You could change to use your own servers instead by inputting the server URLs to the OpenStreetMap Tile Server URL Prefix and Nominatim Server URL fields.

5. Input FTP/SFTP Archive Server Settings As a relational database is not good at storing bulky data, historical event log events, GPS locations, and cellular signal data are only kept in the MySQL database for 5 days. Before they are removed from the database, the system will archive the data to the archive server daily if an FTP or SFTP server is configured. When the data is requested over the web or API, the system will automatically choose to retrieve the data from the database or the archive server and return to the user or API client. So you are encouraged to set up an FTP/SFTP archive server for storing those historical data. Below are data retention periods of various types of data:

Data Retention period

without archive server with archive server

Per-minute device usage 14 days

Hourly device usage 2 days

Hourly client usage 1 month

Daily client/device usage 60 days

Monthly device usage 2 years

Device online/offline history 6 months

Social network user data 2 years

Operation log 2 years

Event log 30 days 1 year

GPS data 5 days 1 year

WAN Quality / Cellular reports 5 days 6 months

6. Facebook App Settings (for Captive Portal) Please refer to chapter 15 Facebook App ID Creation Procedure for how to acquire a Facebook app ID.

7. Setting up Devices to Report to InControl Unlike SNMP, Peplink/Pepwave devices initiate InControl management communication with the server. The device speaks to InControl at least every 28 secs to maintain a session. With such a design, devices could set up a two-way communication channel with InControl even if they are behind a NAT router. The communications are over UDP port 5246 (for general communication) and TCP port 5246 (for Remote Web Admin only).

There are two ways to tell your Peplink/Pepwave devices to report to your InControl appliance instead of the Peplink InControl in the public cloud.

Method 1: By Configuring Devices Individually - for Internet Isolated Environments Login to the devices’ web admin and put your InControl’s WAN IP address or hostname to it. If a hostname is used, please make sure a DNS record for it has been created so that devices could resolve the InControl Appliance’s IP address from it.

For Peplink Balance and Pepwave MAX devices, they will have to be loaded with the firmware 6.1.2 or above. Login to the web admin and navigate to System > InControl.

For Pepwave APs, you will need firmware 3.5.0 or above. Please navigate to System > Controller.

Input your InControl’s IP address to the first InControl Host field.

Method 2: By Configuring or Redirecting Devices from the Peplink InControl - for Internet-Accessible Environments If your devices are accessible to both the Internet and your InControl appliance, you can follow this method. First, sign in to https://incontrol2.peplink.com/ . Create an organization and a group by following the on-screen instructions. Add your devices to the group. Then go to the group-level Device System Management page and scroll down to the External InControl Appliance Settings section.

https://incontrol2.peplink.com/

You could choose to redirect or configure your devices to connect to your InControl appliance.

If you choose By Redirection, devices will also connect to Peplink InControl first every time they start up. This option allows you to change your InControl Appliance’s address easily in the future.

If you choose By Configuration, your InControl Appliance address(es) will be saved persistently to your devices. After your device receives the setting, they will connect to your InControl Appliance directly on startup without connecting to Peplink InControl. The appliance address will be lost if a device is reset to factory defaults.

You could configure devices to fail over to connect to Peplink InControl if they failed to connect your InControl Appliance.

8. Logging Into InControl Appliance Web Site

In order to access the InControl website, you must visit its hostname instead of its IP address. Your PC is required to resolve the hostname into the server IP address. You may add a local DNS record to your PC by editing its “hosts ” file. It is “%SystemRoot%\System32\drivers\etc\hosts ” for Windows or “/etc/hosts ” for Mac and Linux. Let’s say the InControl IP is 10.8.7.6. The hosts file shall contain:

10.8.7.6 incontrol.my.domain Now you can access the InControl website from the PC’s web browser. By default, the InControl's URL is https://incontrol.my.domain/ . The default username is [email protected] (note: do not replace “my.domain ” with anything else) and the password is 12345678. After logging into InControl, you will see an MSP (Managed Service Provider) administration page which is for managing the InControl system. To manage MSP administrator accounts, navigate to Settings > MSP Settings.

https://incontrol.my.domain/

Note for InControl Hardware Appliance: the appliance’s website is only accessible from the WAN port. (It is not accessible from the LAN or Management ports.)

9. Importing Devices Before organization administrators can add devices into their organizations, the InControl system administrator (in InControl 2, we call the administrator as MSP Administrator) must import the devices’ serial number in advance. After an MSP administrator logged into the InControl website, navigate to “Devices” > “Import Devices”. Input serial numbers in the text area, one serial number per line.

InControl Appliance will attempt to query Peplink server what products the serial numbers are. If successful, the devices will be imported. If not, you will be prompted to select each device’s product name. Organization administrators (i.e. non-system administrators) are able to add the devices now.

10. Creating an Organization, Group, and Adding Devices An organization is pre-created which is called “My Organization”. You can find it on the MSP Reports page. You may create more organizations by entering into an organization (e.g. “My Organization”). Then on the organization menu on the right of the screen, click “Create Organization”.

After you created an organization, you will be redirected to a group creation page. Devices are put into a group.

After creating a group, you will be redirected to “Add Devices Into Groups” page.

After the devices are added and the devices are powered up, you should see the devices become online in the InControl.

11. API Access An API is available for software developers to programmatically retrieve the data as you see on the InControl appliance’s website. You can visit https://{ incontrol.server.name}/api/restful_api for the API documentation and testing tool.

12. Settings on Your Firewall Please allow the following traffic to pass through if a firewall is set up in front of the appliance. Direction Protocol Purpose

Inbound UDP 5246 Device communication

TCP 5246 (if port 5246 is not reachable, port 1443 will be tried)

Remote Web Admin.

TCP 443 Web accesses

TCP 4443 Web accesses to control panel

UDP 53 Dynamic DNS service and automatic SSL certificate acquisition from letsencrypt.org (optional)

TCP 2222 Direct remote assistance (optional, needed by Peplink for troubleshooting only when outbound to ra.peplink.com on TCP 443 is not accessible)

Outbound ra.peplink.com on TCP 443 Remote assistance (optional, recommended)

download.peplink.com on TCP 443 Device firmware validation (optional)

api.ic.peplink.com on TCP 443 Product name lookup when importing devices Latest device firmware updates (optional, recommended)

push.ic.peplink.com on TCP 443 Push notifications for the InControl 2 mobile app (optional)

*.letsencrypt.org on TCP 443 Automatic SSL certificate acquisition from letsencrypt.org (optional)

*.peplink.com on UDP 5246 (details)

For transferring FusionHub licenses from InControl 2 (public cloud) to FusionHub units connected to the InControl Appliance (optional)

UDP 123 Network time sync

UDP 53 DNS resolutions

https://forum.peplink.com/t/connecting-devices-to-incontrol-through-a-firewall/8204

12.1 For Hardware Appliance’s Management Port Direction Protocol Purpose

Inbound TCP 8000 Non-secure web accesses to control panel (optional)

Outbound download.peplink.com on TCP 443 ICA firmware download

UDP 53 DNS resolution for ICA firmware download (not required since 2.8.2)

13. Upgrading InControl Virtual Appliance Peplink regularly releases InControl virtual appliance images. You could follow the following instructions to upgrade the system by replacing the InControl VM’s system disk. As long as the InControl VM’s data disk and Database VM are kept intact, all old settings (including IP address, admin password, etc.) and devices’ data will be seamlessly carried over. Before performing an upgrade, we encourage you to download the latest backup from the control panel first.

13.1 For VMware ESXi

Step 1. Download the latest Virtual Appliance and Database Server image files in

.tgz format from

https://www.peplink.com/support/downloads/incontrol-appliance-image-and-install

ation-guide/

Step 2. Extract .tgz files on a PC. “.tgz” is a shorthand of “.tar.gz”. Extract the

files with a file extractor on your PC or Mac. (Note: Do not extract on the ESXi

server’s command shell as its “tar” command is incompacould with the file.)

Take InControl 2.8.4.1 as an example. The extracted file names and sizes are as

follows:

InControl-System-2.8.4.1-vmdk.tgz:

File name Size (Bytes)

InControl-System-2.8.4.1-vmdk/InControl-System-2.8.4.1-flat.vmdk 10,739,515,392

https://www.peplink.com/support/downloads/incontrol-appliance-image-and-installation-guide/


InControl-System-2.8.4.1-vmdk/InControl-System-2.8.4.1.vmdk 574

DB-System-20200522-vmdk.tgz:


DB-System-20200522-vmdk/DB-System-20200522-flat.vmdk 10,737,418,240

DB-System-20200522-vmdk/DB-System-20200522.vmdk 568

Step 3. Start the Datastore Browser in the vSphere Client. Use it to upload the

InControl-System*.vmdk and DB-System-*.vmdk files to folders, say,

“InControl-System-2.8.4.1 ” and “DB-System-20200522 ” in the datastore

respectively. After finished uploading the two files, the two files will be shown as

one item in the Datastore Browser.

Step 4. Restart VMs in the following order:

1. Stop InControl VM. Wait until fully stopped

2. Stop DB VM. Wait until fully stopped

3. Open DB VM Properties,

● Identify and select the system hard disk (usually “Hard disk 1”)

● Select the “Remove from virtual machine” radio button (without

deleting it)

● Press “OK”

4. Open DB VM Properties again

● Select 'Add…” > “Existing virtual disk…” > Browse and select the disk

file “DB-System-xxx-yyyymmdd.vmdk”

● Select SCSI 0:0 Hard disk as the Virtual Device Node

5. Start DB VM

6. Open InControl VM Properties

● Identify and select the system hard disk (usually “Hard disk 1”)

● Select the “Remove from virtual machine” radio button (without

deleting it)

● Press “OK”

7. Open InControl VM properties again

● Select 'Add…” > “Existing virtual disk…” > Browse and select the disk

file “InControl-a.b.c/InControl-System-x.y.z.vmdk”

● Select SCSI 0:0 Hard disk as the Virtual Device Node

8. Inspect the DB VM’s console. When it has booted up completely, start the

InControl VM. Finished.

13.2 For Microsoft Hyper-V

Step 1. Download the latest Virtual Appliance and Database Server image files in

.vhd format from

https://www.peplink.com/support/downloads/incontrol-appliance-image-and-install

ation-guide/

Take InControl 2.8.4.1 as an example. The .vhd file names and sizes are as follow:


InControl-System-2.8.4.1.vhd 10,745,803,264

DB-System-20200522.vhd 6,328,979,968

Step 2. Deployment

1. Stop InControl VM. Wait until fully stopped

2. Stop DB VM. Wait until fully stopped

3. Open DB VM Settings. Identify and select the system hard disk. Replace

the virtual hard disk with the newly downloaded DB-System- yyyymmdd.vhd

file. The “Location” for IDE Controller should be 0.

4. Start DB VM.



5. Open InControl VM settings. Identify and select the system hard disk.

Replace the virtual hard disk with the newly downloaded

InControl-System- a.b.c.vhd file. The “Location” for IDE Controller should

be 0.

6. Inspect the DB VM’s console. When it has booted up completely, start the

InControl VM. Finished!

14. Upgrading InControl Hardware Appliance Peplink regularly releases InControl appliance firmware. When you receive a firmware URL from Peplink, you could upgrade your InControl Appliance by opening the Control Panel page and pasting the URL to the Firmware URL field in the InControl Upgrade section.

After clicking the Upgrade button, it will download the firmware from the URL and perform an upgrade. Excluding the download time, the process should typically take about 25 mins. Note: Before performing an upgrade, we encourage you to download the latest backup from the control panel first. IMPORTANT: Please note that the system downloads the firmware via the management port instead of its WAN port. So please make sure the management port’s gateway could route to the Internet. If the management had no Internet access, you may download the firmware file locally and put it to a local web server on the management network. Then you input the firmware’s local URL to the Firmware URL field.

15. Facebook App ID Creation Procedure

In order for the “Sign-in with Facebook” feature in the captive portal to work, a

Facebook app has to be created in Facebook’s developer console. Prior to InControl

2.6.2, Peplink shared their own Facebook App for all InControl appliance

installations. Since InControl 2.6.2, the Peplink’s App ID no longer shares with

InControl Appliance installations. Customers have to create their own Facebook

app and input their app’s ID and secret into the Control Panel.

Below is a procedure for Facebook app ID creation:

1. Login into https://developers.facebook.com/ and click Get Started:

2. Go through the wizard by following the on-screen instructions. Click the “Add Your First

Product” button on the final step.

https://developers.facebook.com/

3. Click the “Set Up” button on the “Facebook Login” control

4. Click “Web”

5. Input your InControl appliance’s URL into the Site URL field:

6. Click “Next”.

7. Input the following URLs into the “Valid OAuth Redirect URIs” field: https://[InControl_URL]/cp/fb_callback and https://[InControl_URL]/cp/fb_callback/

8. Fill in “Display Name”, “Contact Email”, “Privacy Policy URL” fields accordingly. Upload an App Icon in the dimension of 1024x1024. Press “Save Changes”.

9. Click the “Show” button to reveal the App Secret. Record the App ID and App Secret

and input into the InControl Control panel’s “Facebook App Settings” field.

10. Finally, click the OFF switch and click Confirm to make the app public.

16. Release Notes

Release notes for 2.8.4.2 Here are the changes since 2.8.4.1:

● Fixed: (software appliance) system backup files were not listed on the control panel. ● Fixed: Web CLI did not work ● Form fields on the control panel no longer accept backquote (`), double quote (") and the

dollar sign ($) characters. ● Fixed: After successfully finished saving the form on the control panel, no prompt was

displayed. ● Fixed: Cloned SIM pool did not display the no. of SIMs correctly. ● Fixed: When a tag filter was applied on Event Log, the filter was not also applied to the

downloaded CSV file. ● Fixed disk usage monitoring for DB VMs prior to DB-20200220.

Release notes for DB-20200602 Here are the changes since DB-20200522:

● Improve the reliability in upgrading MongoDB data when upgrading the DB VM from versions prior to DB-20200220.

Release notes for 2.8.4.1 Here are the changes since 2.8.4:

● Fixed: InControl may keep making configuration changes to PepVPN managed devices and cause their PepVPN connections to drop continuously.


● Fixed an IP setting issue when the DB instance has two Ethernet interfaces.

Release notes for 2.8.4

Here are the changes since 2.8.3: ● Fixed a vulnerability ● Added a Remote Assistance (RA) option on the control panel for allowing direct SSH

connection to the system on TCP port 2222 from Peplink authorized engineers. This option is typically enabled when the system cannot reach Peplink’s RA servers while needing to get Peplink’s remote technical support.

● Added email notifications for any error in reaching the DB VM, or the services on it. ● Added a setting for restarting the system core services daily or weekly. Restarting the

core services in off-peak hours could improve the system stability. ● Fixed IP subnet field validation in IP settings over the VM console. ● Fixed “Too many firmware update attempts” error. (Devices will download firmware

images from http://download.peplink.com/ instead of https://download.peplink.com/ .)

● Fixed: pending configuration changes may not be pushed to devices. ● DPI (Deep Packet Inspection) reports for Balance/MAX have been revamped.

Application protocols are categorized and shown in humanized names. (To enable, go to Device Details > Edit.)

● Device Details page ○ Added PepVPN status. Status types are clearly separated. ○ SD Switch’s status information now aligns with the web admin. ○ For Balance, MAX and SD Switch’s Ethernet port table, if there is no aggregated

port, it can now be sorted by any fields. ● Added WPA3 option and 802.11w Management Frame Protection setting to SSID profile

settings. ● SpeedFusion configuration: added support for selecting multiple WAN on remote

endpoints ● Cellular WANs’ carrier names will now be looked up if a device did not receive them over

the air. ● Scheduled reboot management option is now disabled by default when a group is newly

created. ● Improved the online client list loading speed when the list is large. ● Grouped Networks: Add a column "Referenced by" ● Fixed: data usage reports did not support figures in multi-TB of data size. ● Fixed: a warning for SD Switch’s access ports might be displayed unnecessarily.

Release notes for 2.8.3 (no appliance image released) Here are the changes since 2.8.2.6:

● Maps:

○ You can now choose the device marker on the device-level map from a set of transportation icons by navigating to the Device Details > Edit.

○ Added WAN and PepVPN event flags. ○ Geofences are now shown on the map of Group Overview and Device Details. ○ Fixed: When “Show Events” is enabled, some events (e.g. online, offline, etc.)

were not displayed. ● Captive portals:

○ Administrators may overwrite the “Powered by Peplink” logo with a custom message inputted in a new Footer Text field.

○ For Open Access mode, added an option for displaying the Terms and Conditions in a scrollable area.

○ For Email Access mode, added an option for not performing email address verification. I.e. guests will not be asked to open an email and click on a link.

○ Made the phone number input control for SMS access mode more user-friendly. ○ Introduced a “Captive Portal Dashboard” for Captive Portal Administrators,

Organization/Super Organization Administrators, and Group Administrators. It is the default page for Captive Portal Administrators. It is also accessible from the menu Reports > Captive Portal Reports.

○ Captive Portal Reports: added CSV download below the “Overview” and “Visits in Each Access Mode” tables.

● Device listing: ○ Added temperature (available on some products) and CPU load fields to the

device listing. See the column customization setting. ○ In the drop-down menu of the Search box, added a “Flags” filter. E.g. You can

now filter devices that are with GPS and Captive Portal. ○ Added red disconnected WAN icons. By clicking the gear icon above the device

list, you can configure when the icons should be displayed after WANs have disconnected.

○ On the column customization screen, you may now reset not only the column order but also the columns selection as well.

○ You can view and bulk change devices’ Remote Assistance and hardware watchdog’s status on the Device Management screen. See the device list’s Column Customization setting.

○ When a device list contains less than 51 devices, you may choose to show all devices on one page. (21455)

● PepVPN configuration ○ Added tunnel support within PepVPN connections. ○ Added advanced settings: Smoothing Cap, Receive Buffer, IP ToS, and Upload

Cap. They can be found from Profile Options > Show Advanced Settings > Advanced Link Settings > Edit.

○ Fixed: sometimes device-level PepVPN Status loads forever. ○ Fixed: for a cross-group star topology profile, if there is no endpoint in the same

group as the hub site, the hub site’s group-level PepVPN setting screen would not display the profile.

● Group creation: ○ When a group is created from now on, its Wi-Fi radio’s Operating Country is

automatically set according to the group’s location. ○ Added Firewall Rules and Outbound Policy cloning.

● Operation log: ○ Improved loading speed. ○ More details are logged for firewall rule set changes. ○ User login method is logged.

● SIM card reports: ○ Added carrier SIM pool cloning. A cloned carrier pool contains all

auto-maintained IMSIs of the carrier except some specified IMSIs. ○ Custom SIM Pools are now searchable by a device name or an IMSI.

● Device system management: ○ Added “Allowed Source IP Subnet” setting for controlling web admin accesses. ○ Added a password weakness indicator.

● AirProbe reports - Air Monitor: ○ Added channel utilization heatmap for visualizing the channel utilization over a

period of time. ○ Added peer details next to the Peer Utilization pie chart of a scanned AP node on

a specific radio channel. ○ Added an AP Distribution chart.

● InControl 2 API: ○ The experimental device API is now accessible through InControl’s API. See:

/rest/o/{organization_id}/g/{group_id}/d/{device_id}/devap

i/{api} ○ Added endpoints for device-level PepVPN status. See

/rest/o/{organization_id}/g/{group_id}/d/{device_id}/pepvp

n/status ● New: added Access Control List (ACL). You can find a menu item “Access Control List”

in the group-level “Network Settings” menu. It is available to groups that contain Balance, MAX, and AP One. Defined ACLs can be applied to “Firewall”, “SSID > MAC Filter”, and “Captive Portal and External Captive Portal” profile.

● Remote Web Admin service has been reimplemented. More responsive when both the web client and the device are close to each other.

● For users who are a user of multiple organizations and groups, the organization list showing after signing-in has been revamped. Groups and organizations are now searchable. Their order is also customizable.

● A diagnostic report can now be downloaded from the Device Details screen. Click the “Show All” link to reveal.

● Added “Firewall Log” under the device-level Reports menu. If you enable logging in a device’s firewall rule(s), the events will be shown here.

● Added IPsec VPN Up/Down History. See device-level Reports > Connection Up/Down History.

● Added an outbound policy option “When No Connections are Available”. ● Grouped networks can now be imported from a CSV file. ● SSID Settings table: added “VLAN” and “Portal” columns. ● Added a data size unit selector for Hourly, Daily and Monthly data usage reports. ● Added Wi-Fi WAN information (if any) to the CSV file of a group’s device list. ● The organization creation menu item is now hidden from users who are neither an

organization nor a group administrator. ● Added group-level settings for hiding the “Feedback” button on all pages in a group and

the “Default password” warning on device listing. ● Device Details of SD Switches: port details now include the port type and VLAN

information. ● Users could remove themselves from a group or organization in the corresponding

setting screen. ● When a user’s role has been changed, the user will receive an email notification. ● Geofencing: If a device is selected by more than one geofence, formerly all fences will

apply. Now, only the topmost one will. ● The address in the Location field on Device Details pages is now shown only when

hovering over the latitude/longitude values. ● Fixed: Clients with an unknown IP address were hidden from the Client List. Now they

are shown and their IPs are indicated as “Unknown”. ● Fixed: Wi-Fi clients might be shown concurrently connected to multiple access points. ● Fixed: when disabling or removing firewall or outbound policy rules with the Retain

Configurations option enable, Grouped Networks were not retained. ● Fixed: Sometimes some notifications may be sent in the wrong order (e.g. for WAN and

PepVPN up/down events). ● Fixed: No online message is sent when multiple online notification levels are defined. ● Fixed: MSP Settings > Idle Sessions: MSP users are not logged out after an idle timeout ● Add Azure AD sign-in support on InControl Appliance ● When password based authentication is disabled in MSP and/or org level, password

related settings are now not shown.

● When local user sign-in is disabled, all emails sent to users will also not include any password.


● Fixed IP subnet field validation in IP settings over the VM console ● Removed all unnecessary SSH keys


● Fixed (software appliance): If the DB VM runs DB-20200220 or above and the IC VM is able to reach Peplink’s API service (api.ic.peplink.com:443), after the system regularly updated products’ definitions from api.ic.peplink.com, you may not be able to import devices’ s/n’s of some products.

● Fixed availability reports. ● Added validity checks on SMTP Server and Port fields on the control panel.


● Fixed outbound policy support for module-support products. ● Removed “Authenticated with Password” setting on MSP Settings screen. In

Organization Settings, the “Authenticated with Password” setting is shown only when “Local User Sign-in” is enabled, and Google Client ID and Secret are defined in the “Authentication Settings” on the control panel.

● Fixed: In importing outbound policy from a configuration file, InControl managed PepVPN connections were not imported.

● Fixed operation log when updating organization administrators ● Fixed the month picker above the Online/Offline History table. ● Fixed: timeout in loading the Top Clients list in Device and Wi-Fi Reports when there are

many clients. ● Fixed: Wi-Fi radio bands were not correctly displayed ● Fixed: Wi-Fi Access Point On/Off switch may not function in some situations. ● Fixed: compatibility issue in sending emails via a Microsoft SMTP server because the

EHLO command was incorrectly set to “localhost”.

● Fixed: the start day on group-level monthly usage report was incorrectly set ● Fixed: “Download as CSV” for clients’ usage in a selected hour was not displayed. ● Improved system stability and availability

Release notes for DB-20200220 and DB-20200305 IMPORTANT: you MUST backup the DB VM data disk before upgrading to this release! When the system is booting up, the data on the DB VM data disk will be converted into newer formats automatically. The new formats are not compatible with the older DB VM system. We suggest you clone a copy of the existing DB VM and perform an upgrade on the cloned VM. In case you wanted to fall back to the original version, you could simply boot up the original DB VM with the old data in the old formats. You are recommended to upgrade to this release. But it is not a must. The system will still work with older DB VM releases. Here are the changes for DB-20200220 since DB-20190312 (software appliance):

● Reimplemented the entire DB VM based on Ubuntu 18.04. ● Overall stability and performance are also enhanced. ● MySQL community server is upgraded from 5.6.33 to 5.7.29. ● MongoDB server is upgraded from 3.0.15 to 4.2.3. ● Redis server is upgraded from 2.8.4 to 4.0.9. ● If you have changed the DB VM IP address previously, the change will be lost and the IP

address will be reset to 192.168.1.3/24 after upgrading to this release. Please change once again. The change you make in this release will remain persistent across future upgrades.

Here is the change for DB-20200305 since DB-20200220 (software appliance):

● Corrected the default IP to 192.168.1.3 ● Added configuration for gateway and name server IP addresses.


● Fixed: if some managed devices are with firewall logging enabled, the DB VM may run out of memory after a long run. When that happens, the InControl system will fail to operate.

● Enhanced (software appliance): supported to automatically resize InControl VM’s data disk partition and claim any enlarged disk space.

● Enhanced (software appliance): If the InControl VM’s data disk has more than 5 GB of free space, 2 GB of space will now be allocated for swap space. This will improve the overall system availability.

● Enhanced: If an SSL certificate with no line breaks was uploaded to the control panel, the system is now able to fix it so that the web servers will not stop functioning.

● Changed: API request rate limit removed (previously 10 requests per second per organization are allowed)

● Fixed: graphs in the captive portal reporting emails were missing ● Fixed: group-level captive portal reports for groups that contain no data did not load

Known issue:

● Devices do not download geo and SaaS databases if their warranty record on the ICA has expired.

Release notes for 2.8.2.3 and DB-20190312 Here are the changes since 2.8.2.2:

● Fixed: (software appliance) The disk usage figures on the control panel were not updated regularly after system boot up.

● Fixed: ICA license may not be loaded in some situation Here is the changes for DB-20190312 since DB-20190722 (software appliance):

● Fixed: When DB VM’s interface is set to an IP address outside 192.168.1.0/24, any incoming accesses to the DB VM are also blocked.

Known issue:



● Fixed: (software appliance) the “Local User Sign-In” option got incorrectly disabled upon saving the form on the control panel. (2.8.2 and 2.8.2.1)

● Fixed: group administrators were logged out immediately after logging in. (2.8.2.1) ● Fixed: SSL certificate updates on the control panel could not become effective until the

system is rebooted (2.8.2 and 2.8.2.1) ● Change for hardware appliance: When upgrading to future ICA firmware releases, the

firmware image will be downloaded over the WAN instead of the management interface. Known issue:



● Fixed: failed in sending email via a TLS enabled email server in 2.8.2. ● Fixed: database performance in 2.8.2 may be degraded when upgrading from ICA from

2.7.3.7 or earlier. (Upgrading from 2.8.1, 2.8.1.1 or 2.8.1.2 are not affected).

Release notes for 2.8.2 Here are the changes since 2.8.1.2:

● Added an option in the control panel for disabling local user sign-in and allow to sign-in with Google only.

● Improved system stability ● Firewall rules can be created and edited on InControl. ● You can now control outgoing traffic in outbound policy and firewall rules by a region or a

Software-As-A-Service. Firmware 8.0.1 or above is required. ● Added grouped networks support to outbound policy and firewall rules. ● On the “Group-wide Radio Settings” screen, a custom AP power value could be set for

supported devices. ● Captive Portal:

○ Added two options to the Landing Page setting: ■ Redirect to the URL the guest user had originally requested. In the

auto-login popup browser on iOS, redirect to a specified URL. ■ Pass guest user’s information to the specified redirected URL.

○ Added a search tool to the Access Token management screen. ○ Added back an option to display a marketing-opt-in option to guest users.

○ For a captive portal with multiple access modes enabled, if a guest user used up the quota offered by an access mode, he/she can no longer get Internet access again by logging in with another access mode before the quota is reset.

○ Removed “Sign-in with WeChat” support as WeChat discontinued their “WeChat Wi-Fi” service.

● PepVPN / SpeedFusion ○ Added layer-2 configuration in star topology ○ Added support for Forward Error Correction and Maximum Latency Difference

Cutoff. ○ Fixed “All Traffic to Remote Hub” validation should only require one DNS server

address. The second address is optional. ○ For the logical view, disconnected nodes are not displayed. ○ Added a visibility field with opened and closed eyeball icons to the profiles.

Clicking an icon will toggle whether to show the graph of the corresponding profile only or not.

● Device IP Settings (CSV upload) validation improved to detect when the header line is missing an S/N column.

● In 2.8.1, a device would rollback its configuration if it could not reach InControl after receiving Firewall or Outbound Policy changes from InControl. Since 2.8.2, a device would rollback if it could not reach InControl after receiving any type of setting change from InControl.

● For the device configuration locks introduced in 2.8.1, administrators can now unlock their devices.

● Fixed an underlying bug in Bulk Configuration which might trigger device configuration locks in a race condition.

● In SSID settings, added a “Fast Transition” option. ● The substring “####” in an SSID will be substituted with the last 4 digits of the serial

number of configured devices no matter where the substring is located in the SSID. Formerly, the substring is substituted only when it is located at the end of the SSID.

● Current Wi-Fi AP channel is included in the Device Details screen. When auto channel selection is enabled, channel selection events are added to the event log under the “WLAN” type.

● Monthly data usage records are now kept for two years (was six months). ● RSRQ is included in WAN Quality Reports. ● Added VLAN Network IP Settings under SD Switch’s device-level Settings menu. ● Multiple Allowed VLAN Networks could be selected for SD Switch’s web admin setting. ● When moving a lot of devices from one group to another, the progress is now displayed. ● Fixed: when Low Data Usage Mode was disabled in InControl Options, the "GPS

Location Collection" and "Minimum Communication Interval" settings will not be effective.

● Client list: clients on untagged LAN were not indicated consistently for different products. Now they are all indicated as “Untagged”.

● For “Find My Peplink” enabled devices, a dynamic DNS name is defined for the InControl-detected IP. See the InControl Detected IP field on device details pages.

● Renamed “SIM Pool Data Usage” to “SIM Card Reports”. Added a “Devices and SIM Cards” table. Updated the default usage alert message template.

● Moved "External ICA Settings" from “Group Settings” to "Device System Management" page.

● For group-level overview, the device and client counts are refreshed every 10 (with less than 500 devices) to 30 secs (with more than 1000 devices) (formerly 60 secs).

● In the device listing, added an Action for triggering devices to perform a cellular module firmware update.

● Device tags which are no longer applied to any device will still be available to choose in all device selection settings.

● In the organization-level Firmware Management table, added a column "Groups not following".

● When a device’s altitude is available, it is now displayed on the device details screen.


● Added support to activate PrimeCare devices via an InControl appliance that is able to communicate with Peplink InControl 2.


● Fixed: DDNS service was inaccessible ● Fixed: a few potential vulnerabilities on captive portals ● Improved stability and performance ● Added an option for disabling TLS to E-mail Delivery Settings on the control panel ● Upon system health check failures, a notification email will be sent to the system

administrator.

Release notes for 2.8.1 Here are the changes since 2.8.0:

● Added IP address configuration and control panel password reset on the InControl and Database VM console

● Added Certificate Chain field to the control panel ● Added SNMPv3 settings to the control panel ● Removed the Domain setting from the Control Panel. The web’s cookie domain now

changed to the Server Name. If you are logged out immediately after you sign in, please clear your browser cookies and try again.

● Whenever InControl makes any configuration changes to devices, a reason will also be given and recorded in the event log.

● If a device cannot reach InControl in 10 minutes after it receives configuration changes from InControl, the device will roll back the configuration automatically by default. You may disable this feature on the InControl Options page.

● In Outbound Policy and Firewall Management, when the “Preserve outbound policy/firewall rules on devices that receive no rules” option is enabled, InControl-generated rules will also be preserved now.

● Improved the speed in loading organization- and group-level device lists ● Cellular WANs’ frequency band is included in the WAN Quality Reports (firmware 8

required). ● In removing a device or a group, added an option to retain InControl managed settings. ● Cellular Modules' IMEI and CDF are displayed in Device Details page’s info pane ● Wi-Fi WAN information is also included in the downloaded device list in CSV format. ● Devices’ static location can be updated by a CSV file. On the group level dashboard

screen, click the Edit button and then the “Update device info by CSV file” link. ● Enhanced error messages in configuring Device IP Settings with a CSV file. ● Added device type selection to VLAN Networks. ● Improve the UI response time in applying firmware to many devices. ● Added Internet and Device Availability figures on Group Overview page. ● Added Saudi Arabia into the Wi-Fi AP Operating Country list. ● Device list > search tool: add a “Match all / any” option to the Tags field ● Captive Portal:

○ Fixed multiple logical bugs ○ Migrated to LinkedIn v2 API ○ Added a bypass sign-in option to WeChat sign-in settings

● In the group-level client list, a client’s connection type (i.e. Wi-Fi / Ethernet) will be Wi-Fi if the client has ever connected to any device in the organization using Wi-Fi. In device-level, a client’s connection type formerly follows the group level’s. Now the connection type reports what the device sees.

● In creating a group, Manage Scheduled Reboot is now disabled by default. ● Fixed: device level PepVPN status was not lively updated. ● Fixed: AP Controllers’ clients are not shown on InControl’s client list.

● Fixed: Low data usage mode did not function correctly in some situations ● Fixed: InControl reverts web admin password changes made on the web admin when

“Device Managed” is selected on the Device System Management page. ● Fixed: web admin read-only users’ shared password was not pushed devices

Release notes for 2.8.0 (no appliance image released) What’s new

● Creating organization out from groups: You can now select multiple groups in an existing organization and create a new organization out from the groups. The groups, their devices, configurations, and reports will all be moved to the new organization. The groups in the original organization will be removed.

● Device list enhancements: ○ Allow performing device actions on the Group Overview page by simply clicking

an Edit button. ○ Column visibility and order are now customizable on a per-user basis. ○ Support to search devices by their interfaces’ MAC address ○ In searching devices by tags, you can choose to search by all or any of the tags. ○ For the ease of troubleshooting, labels are displayed above group level device

lists for indicating which InControl options have been enabled. ○ Internet and Device Availability figures are introduced to Group Overview pages.

● On a Device Details page, labels are displayed to indicate what types of configuration are being managed by InControl.

● Outbound policy rules can be created and edited on InControl. ● Added a new group-level user role “Fleet Manager” who can only access the map on the

dashboard. ● WAN Quality Reports replaces Cellular Reports; added latency figures. ● Captive portal:

○ Captive portal reports could be emailed to specific addresses in PDF format weekly and/or monthly

○ Captive portal reports: Number of “Sessions” has been redefined. The former one is now called “Successful Sign-in’s”. The new Sessions figure now refers to the number of new sign-in sessions. Re-sign-in’s upon network reconnection are not counted.

○ For Open Access mode settings, when "Time based" is selected for the "Daily Quota" field, the quota timer does not stop when a client disconnected. Now, an option is added to stop the timer upon disconnection.

○ A shareable preview URL can now be found in a saved captive portal settings screen. External users with the URL could review the captive portal page without needing an InControl administrator account.

○ WeChat settings have been moved to the Captive Portals page. ● Clients’ names can now be modified. A note can be defined. ● Bulk configurations are now sorted by creation date in ascending order. ● In removing a device, you can choose to retain or clear the InControl managed

configurations ● Device online/offline history entries (on Event Log page) are now sorted by months, and

downloadable as CSV files.


● Maintenance update for GPS Week Rollover. Incorrect GPS dates reported from older device firmware on or after April 6, 2019 will be adjusted automatically.


● Google is shutting down the Google+ Sign-in API. It will cause earlier InControl releases’ Sign-in with Google to fail intermittently from January 29, 2019 and completely from March 7, 2019. This release will no longer depend on the “Google+ Sign-in” API.

● Security fix: disabled SSLv2 and SSLv3 support on the secure web server for the control panel.

● Cellular reports: fixed the date range selector.


● Added OpenStreetMap Server URL settings ● Improved system’s availability ● Read-only users can only retrieve some less sensitive data via the API. ● Control panel

○ When a pair of wrong or mismatched SSL private key and certificate is uploaded, a pair of default private key and certificate will be used instead so that the InControl web site and the control panel could remain accessible.

○ (Virtual appliance) Added a link for downloading a diagnostic report and a button for restarting system services.

● Fixed: EDNS compliance issue ● The DHCP Server setting for all VLAN profiles can now be set to “Unmanaged”.


● Fixed: (Hardware appliance) License information is not displayed correctly on the LCD panel.

● Fixed: (Software appliance) Configured Google Maps API key was not displayed. ● Fixed: A “loop error” was displayed after signing-in in some installations. ● Fixed: Firmware policy might not be applied to first-appeared devices. ● Fixed: In outbound policy management, with preserve rules upon policy removal

enabled, InControl applied rules were not preserved. ● PepVPN configuration wizard now supports very large star topologies.


● Fixed: for ICAs 2.7.3 upgrading from versions prior to 2.7.1, users are not able to add devices.

● Fixed: Google Maps API keys may not be activated effectively in some situations. ● Updated the instructions of how to generate a Google Maps API key. In the Google

Cloud Platform UI, you should enable not only “Maps JavaScript API”, but also “Geocoding API”.

● Included various UI bug fixes

Release notes for 2.7.3 IMPORTANT: since the release 2.7.3, InControl appliances’ license key no longer ties to a hardware dependent device ID but the server name. So after upgrading to 2.7.3, the existing license will turn into a 7-day evaluation license. So before upgrading your InControl Hardware or Virtual Appliance to 2.7.3, please get a new license key by emailing your InControl Appliance’s serial number and server name (aka “URL Host Name” which is showing on the control panel) to [email protected]. Peplink personnel will send you back a new license key. You will have to enter this key onto the Control Panel page after an upgrade.

Here are the changes since 2.7.1:

● Captive portal: text alignment of General Description is adjustable. ● Geo-fencing: added an option to perform enabled actions upon fence modification or

device addition ● Bulk Configurator: PepVPN profiles in configuration files can optionally be preserved. ● Fixed various issues in managing Pepwave Surf On-The-Go ● The licenses no longer tie to the hardware-dependent “device ID”. It now ties to the

server name. This will avoid the need of updating the license upon any virtual or physical hardware changes.

● Captive portal: guests no longer need to agree Peplink collect their personal data as Peplink has no access to the data on InControl appliances.

● Added a Google Maps API Key setting to the control panel. Please refer to chapter 4 Input Google Maps API Key for further details.

● Added SNMP service for monitoring the ICA. An SNMP read-only community setting is added to the control panel.

● Latest GA device firmware profiles were not synced from Peplink InControl 2 to ICA 2.7.1. Now they are synced again (if the ICA can communicate with Peplink InControl 2)

● The Linux kernel has been upgraded to 3.16.57.

Release notes for 2.7.1 Here are highlighted changes since 2.6.2:

● Daily backup archive of the InControl appliance is now downloadable from the Control Panel. It contains all essential data and configurations for restoring the system. It does not include reports, GPS location data, and event log. You are recommended to download a copy of the archive regularly. Note: Restoration of an InControl appliance from a backup archive has to performed by Peplink personnel in this stage.

● SpeedFusion configuration: added a “Suppress Endpoint IPs” option to Star Topology. Enabling it could maintain PepVPN connections uninterrupted for any potential endpoints’ IP address changes. This option is disabled for existing profiles and is enabled for newly created profiles.

● Captive Portal enhancements: ○ The Terms and Conditions and its checkbox label can be partially customizable. ○ Added skip sign-in (i.e. “No thanks”) option to e-mail and SMS access modes. ○ In token access mode, when concurrent login is allowed, data usage based quota

can no longer be chosen now. Any existing profile with both concurrent login and data usage based quota enabled, the data usage quota will be disabled.

○ In open access mode, the Terms and Conditions checkbox could now optionally be hidden. If the “Connect” button text is changed to “I Agree”, guests could accept the Terms and Conditions and submit the form with one click.

○ An additional message could be put on the signed-in (landing) page. Hyperlinks could be included in the message in markdown syntax.

○ By default, the first page of the captive portal is pre-cached on the router/AP for faster accesses. This feature could now be optionally disabled.

● Added NAS Identifier setting under WPA/WPA2 Enterprise mode of an SSID. ● Firmware setting for the same product but different hardware revisions can now be

customized individually. The system now could ensure firmware is applied to supported hardware revisions only.

● PepVPN: allow to activate/inactivate a PepVPN connection by device tags. ● Introduced a new geo-fencing action: device tagging, which is for controlling any tag

supported configuration (e.g. PepVPN, SSID, captive portal, etc.) ● When outbound policy and firewall rule management are enabled and a device is newly

added to a group, if the device receives no rules, the outbound policy and firewall rules on it were also cleared prior to this release. But now, you can choose to preserve the rules. For any groups created from now on, the rules on newly added devices will be preserved by default.

● Device Web Admin Authentication settings are moved to the group-level Device System Management page. The settings are split into sections for Balance/MAX, AP and SD Switch.

● Added notification for Web Admin Login and “SIM Card Switch Over” events ● Added silence period setting for geofencing notifications ● Added SIM lock setting to Device Details and Device Management pages (require

firmware 7.1.1 or above) ● Added ability to choose devices by tags to receive external InControl appliance settings. ● Added a badge to indicate an AP One unit is operating in router mode. ● Added a new authentication mode CoovaChilli to external captive portals. ● Added a Regenerate Key option to the “randomly generated key” field of an SSID. ● Introduced organization-level SpeedFusion Alliance FusionHub license (this type of

license will be available to purchase later) ● Included various UI enhancements and bug fixes.

Note: In rare situations, the control panel may display “License not available” in the first boot after the upgrade. In case you see the message even the system has been up for 10 minutes, please press the Reboot button on the control panel once to restart the system. The license shall display correctly after that. This problem will be fixed in the next release.

Release notes for 2.6.2 Here are highlighted changes since 2.6.1:

1. In anticipation for the new data protection laws that will take effect on 25th May in Europe, in this release, we have updated the types of information to be collected through the captive portal and our Privacy Policy. Please also read the revised Privacy Policy carefully as the Privacy Policy will be presented to your Wi-Fi users. In order for the Sign-in with Facebook in the captive portal to continue to work in your InControl appliance, you have to apply for an app ID and secret from Facebook and enter them into the control panel. For the details, please refer to chapter 11. Facebook App ID Creation Procedure. When your user decides to log in to the captive portal with social network access mode, the system will only collect the following personal data through social networks: ● E-mail address (if any); ● User ID of the Social Media Any other personal information or statistics will be deleted and no longer be available. If you let a user log in through e-mail or SMS access modes, the system will collect the following information according to your chosen configuration: ● email address ● phone number ● name ● gender ● country In addition, Wi-Fi usage duration, MAC Address, and IP address will be collected The retention period for user information will be two years.

2. Added license status to the top of the System Usage Report page.

3. [Virtual Appliance] Added support of an optional second WAN interface. It is

pre-configured to acquire an IP address from a DHCP server.

Release notes for 2.6.1 (no appliance image released) Here are highlighted changes since 2.6.0:

http://download.peplink.com/resources/privacy_policy_for_free_wi-fi_service.pdf

● All existing Organization Administrators are now promoted as Super Organization Administrators. A new role Organization Administrator is introduced.

○ Social user data in captive portal reports and client details are now only visible to Super Organization Administrators, Captive Portal Administrator, and Captive Portal Viewer. Any other roles, such as the new Organization Administrators or Group Administrators also could not see any social user data.

○ Super Organization Administrator is now able to remove social user data. ○ You may consider demoting some Super Organization Administrators to

Organization Administrator for those who should not have social user data access.

● Added a public API for creating Service Provider Default on devices. ● In moving a device from one group to another, you could choose to retain InControl

generated settings in the target group. ● In Cellular Reports > Signal Strength & Quality chart, carrier and cellular signal

information are now shown in the tooltip of the chart when hovering over a data point. ● In a captive portal profile’s Preview and Customization screen, for e-mail access mode,

added Phone Number, Gender and gender option text fields. ● For Balance/MAX’s switch port list, Port Type and VLAN fields are now populated. ● Warranty expiration notification e-mails now include which InControl organization and

group that devices reside in.

Release notes for 2.6.0 (no appliance image released) Here are highlighted changes since 2.5.2:

● Introduced “Low Data Usage Mode”. See the group-level “InControl Options” page. The mode is for reducing data usage on device-InControl communication and device locally generated traffic. A data usage calculator is also provided.

● Group creation page: allow to optionally clone SSID, VLAN, captive portal and schedule settings from an existing group.

● Notifications: ○ Added High Availability (HA) transition and Smart Reader

attachment/detachment notifications ○ Added tags and notes to device up/down e-mail content

● PepVPN configuration: ○ You may now create a profile for connecting to an externally managed device.

E.g. Suppose device A and B are managed in organization A and B respectively. Now you can create a PepVPN profile in organization A and B individually to connect them. (In End Point Device selection screen, select the “Show advanced settings” option and then click a new “Add Device” button.)

○ Added a path cost field to topologies

○ Add VLAN network selection for NAT mode in star topology profiles ● Group-level PepVPN status in tabular view revamped. Subnets of both ends are now

displayed ● Added organization level SIM Pool Data Usage reports ● Added Extended DHCP Options to VLAN networks’ default DHCP Server settings for

Balance and MAX. ● Data roaming for cellular WANs could be enabled from the Actions menu in Device

Management pages. ● API: added an endpoint for retrieving admin user list and their role in an organization ● Included various UI enhancements and bug fixes

Release notes for 2.5.2 Here are highlighted changes since 2.4.2-1:

● A SpeedFusion Alliance (SFA) FusionHub license could be applied to a FusionHub instance via an InControl Appliance release 2.5.2 (or above) instantly without requiring to reboot the FusionHub. (See chapter 12 for the network requirement.)

● Added support to send notifications from InControl Appliance to the InControl mobile app. (See chapter 12 for the network requirement.)

● When captive portal guests sign in with Facebook, their relationship information is no longer collected as Facebook has stopped to provide the information.

● Introduced group-level SIM Pool Bandwidth Usage reports: ○ Bandwidth usage reports can automatically be grouped by the carrier. ○ Custom SIM pools could be defined by inputting IMSI’s ○ Up to three usage alert levels could be defined.

(Requires Firmware 7.0.2 or above) ● Channel width can now be configured in “Radio Settings” page. ● Added Bandwidth Management and QoS settings to the “SSID Settings” page for

Pepwave AP devices. ● The routing mode (i.e. bridged or routed) of each AP Device can be changed on “Device

Management” page. ● For devices supporting High Availability (HA), HA status is now shown on “Device

Details” page. ● SpeedFusion configuration:

○ A device which is not managed under the same organization or not even managed by InControl can now be added to a star and point-to-point topology profile by its site ID. Enable the “Show advanced settings” option to unveil an “Add Device” button.

○ PepVPN connection (link) names can be customized.

○ Data port and path cost for each link can be customized on the “Advanced Link Settings” screen

○ Pre-shared Key (PSK) for existing profiles can be regenerated on “Advanced Link Settings” screen

○ Newly generated PSK’s length increased from 45 to 64 characters. ● Group level SpeedFusion status in tabular view has been revamped. ● Ethernet port status is displayed on devices’ details page for supported hardware

models. ● GPS enabled devices’ map UI on “Devices Details” and “Cellular Reports” have been

redesigned. ● Added an option to use OpenStreetMap for all map displays. The map data are hosted

by Peplink. It is useful for networks that have restricted access to google.com. See “Organization Settings” page for the option.

Documents

I n C o n t r o l 2 A p p l i a n c e S e t u p G u i d edownload.peplink.com/files/ica/InControl2ApplianceSetup... · 2020-06-04 · 1 . V i r t u a l A p p l i a n c e 1 . 1 I n