LANCOM Systems Support KnowledgeBase - Support Information
Document No: 1605.1710.3340.RHOO
This document provides useful hints about what you need to consider when you configure or customize the LANCOM Public Spot for operation in large-scale scenarios such as at
1) Do not accept TLS connections from unauthenticated clients:
Mobile clients in particular, on connecting to the hotspot Wi-Fi, immediately try to set up TLS connections to web services such as Google, Facebook, messengers, and so on.
Because the clients are not yet authenticated with the Public Spot, these connection attempts will fail.
However, this TLS traffic places a considerable load on the LANCOM because, as long as a client is not authenticated, its TLS connections terminate at the LANCOM.
1.1) Open the configuration of the LANCOM and switch to the menu item Public-Spot -> Server -> Operational settings.
1.2) Make sure that the option Accept TLS connections from unauthenticated clients is disabled.
With this switch deactivated, TLS connections from unauthenticated clients are rejected, which prevents an increase in load.
Once the clients are authenticated, TLS connections can be established as usual. These do not terminate at the LANCOM.
The captive portal detection offered in particular by today's mobile devices operates unencrypted via HTTP and is therefore not restricted in any way.
2) Configure the idle timeout:
2.1) Open the configuration of the LANCOM and switch to the menu item Public-Spot -> Server -> Operational settings.
2.2) Set the Idle timeout field to a time value in seconds.
If a client does not send any data traffic within the configured time period (i.e. the client has logged out of the Wi-Fi or is out of range), the client is automatically logged off from the Public Spot to free up internal resources.
In the following example, the value is set to 3600 seconds (60 minutes).
Setting an idle timeout value prevents the unnecessary use of resources for clients that are no longer present on the network.
3) Enable the cache for the Public Spot pages on the LANCOM:
3.1) Open the configuration of the LANCOM and switch to the menu item Public Spot -> Server -> Page table.
3.2) If you use customized Public Spot web pages, you need to activate the option cache page for each of the Public Spot web pages.
Please also make sure that the request type Template is selected.
These settings enable the LANCOM to cache the Public Spot pages and therefore deliver them faster to clients.
4) Relocate masking/NAT to a separate LANCOM:
In high-density scenarios, it may make sense to divide the WAN routing functions, such as the NAT/masking and the Public Spot gateway, between two physical devices.
This can be accomplished by using LAN-to-LAN routing to configure a transfer network between the Public Spot gateway and the NAT router.
By approaching the scenario in this way (see illustration), resource-intensive WAN routing with NAT/masking is performed by a separate device.
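The split described in section 4 only works if routing on both devices agrees, so the following added example (not LANCOM code, and not part of the original article) checks an addressing plan for the transfer network. All addresses, key names and function names are assumptions made for illustration; the check for a return route on the NAT router goes beyond what the article states explicitly.

```python
import ipaddress as ip

# Constructed addressing plan (all values are assumptions, not from the article).
PLAN = {
    "client_net": "10.20.0.0/16",          # hotspot clients behind the Public Spot gateway
    "transfer_net": "192.168.254.0/30",    # LAN-to-LAN link between the two devices
    "gateway_transfer_ip": "192.168.254.1",
    "nat_router_transfer_ip": "192.168.254.2",
    "gateway_routes": [("0.0.0.0/0", "192.168.254.2")],       # (prefix, next hop)
    "nat_router_routes": [("10.20.0.0/16", "192.168.254.1")],
    "masquerading_on": ["nat_router"],
}

def next_hop(routes, dest_net):
    """Longest-prefix match: next hop of the most specific route covering dest_net."""
    best = None
    for prefix, hop in routes:
        net = ip.ip_network(prefix)
        if dest_net.subnet_of(net) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def check_plan(plan):
    """Return a list of problems; an empty list means the split is consistent."""
    problems = []
    clients = ip.ip_network(plan["client_net"])
    transfer = ip.ip_network(plan["transfer_net"])
    gw = ip.ip_address(plan["gateway_transfer_ip"])
    nat = ip.ip_address(plan["nat_router_transfer_ip"])
    if clients.overlaps(transfer):
        problems.append("client and transfer networks overlap")
    if gw not in transfer or nat not in transfer or gw == nat:
        problems.append("both devices need distinct addresses in the transfer network")
    # Unauthenticated-to-Internet path: gateway hands everything to the NAT router.
    if next_hop(plan["gateway_routes"], ip.ip_network("0.0.0.0/0")) != str(nat):
        problems.append("gateway default route does not point at the NAT router")
    # Replies must find their way back, because the gateway no longer masks clients.
    if next_hop(plan["nat_router_routes"], clients) != str(gw):
        problems.append("NAT router has no return route to the client network via the gateway")
    if plan["masquerading_on"] != ["nat_router"]:
        problems.append("masquerading must be enabled on the NAT router only")
    return problems

if __name__ == "__main__":
    print(check_plan(PLAN) or "plan is consistent")
```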