WatchGuard® Firebox® SOHO 6 User Guide
SOHO 6 - firmware version 6.
Certifications and Notices

FCC Certification
This appliance has been tested and found to comply with limits for a Class A digital appliance, pursuant to Part 15 of the FCC Rules. Operation is subject to the following two conditions:
• This appliance may not cause harmful interference.
• This appliance must accept any interference received, including interference that may cause undesired operation.
VCCI Notice Class A ITE
Declaration of Conformity
WATCHGUARD SOHO SOFTWARE END-USER LICENSE AGREEMENT
IMPORTANT - READ CAREFULLY BEFORE ACCESSING WATCHGUARD SOFTWARE
This WatchGuard SOHO Software End-User License Agreement ("EULA") is a legal agreement between you (either an individual or a single entity) and WatchGuard Technologies, Inc.
If you are accessing the SOFTWARE PRODUCT via a Web based installer program, you are granted the following additional rights to the SOFTWARE PRODUCT: (A) You may install and use the SOFTWARE PRODUCT on any computer with an associated connection to the SOHO hardware product in accordance with the SOHO user documentation; (B) You may install and use the SOFTWARE PRODUCT on more than one computer at once without licensing an additional copy of the SOFTWARE PRODUCT for each additional computer on which you want
election. Disclaimer and Release.
Restricted Rights. Use, duplication or disclosure by the U.S. Government or any agency or instrumentality thereof is subject to restrictions as set forth in subdivision (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013, or in subdivision (c)(1) and (2) of the Commercial Computer Software -- Restricted Rights Clause at 48 C.F.R. 52.227-19, as applicable. Manufacturer is WatchGuard Technologies, Incorporated, 505 5th Ave. South, Suite 500, Seattle, WA 98104. 6.
transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.

Copyright, Trademark, and Patent Information
Copyright© 1998 - 2003 WatchGuard Technologies, Inc. All rights reserved.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org. 5.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. All advertising materials mentioning features or use of this software must display the following acknowledgement: "This product includes cryptographic software written by Eric Young (eay@cryptsoft.
5. Products derived from this software may not be called "mod_ssl" nor may "mod_ssl" appear in their names without prior written permission of Ralf S. Engelschall. 6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software developed by Ralf S. Engelschall for use in the mod_ssl project (http://www.modssl.org/)." THIS SOFTWARE IS PROVIDED BY RALF S.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
Abbreviations Used in this Guide
3DES: Triple Data Encryption Standard
DES: Data Encryption Standard
DNS: Domain Name Service
DHCP: Dynamic Host Control Protocol
DSL: Digital Subscriber Line
IP: Internet Protocol
IPSec: Internet Protocol Security
ISDN: Integrated Services Digital Network
ISP: Internet Service Provider
MAC: Media Access Control
MUVPN: Mobile User Virtual Private Network
NAT: Network Address Translation
PPP: Point-to-Point Protocol
PPPoE: Point-to-Point Protocol over Ethernet
TC
Contents
CHAPTER 1 Introduction ................................................ 1
Package Contents ..................................................... 3
How a Firewall Works ................................................ 3
How Information Travels on the Internet ...................... 4
IP addresses ............................................................ 5
Protocols ................................................................ 5
Port numbers ...........................
CHAPTER 2 Installation
Examining and recording the current TCP/IP settings ...... 12
Disabling the HTTP proxy setting of your Web browser .... 14
Enabling your computer for DHCP .............................. 16
Physically Connecting to the SOHO 6 ......................... 18
Cabling the SOHO 6 for one to four appliances ............ 19
Cabling the SOHO 6 for more than four appliances ....... 20
SOHO 6 Basics ...............................
Configuring additional computers on the trusted network .. 38
Configuring the trusted network with static addresses ..... 39
Configuring Static Routes ......................................... 39
Viewing Network Statistics ........................................ 41
Configuring the Dynamic DNS Service ......................... 42
Configuring the OPT Port Upgrades ......................
Denying FTP access to the trusted network interface ...... 68
SOCKS implementation for the SOHO 6 ....................... 68
Logging all allowed outbound traffic ........................... 70
Enabling the MAC Address Override for the External Network .. 70
Creating an Unrestricted Pass Through ........................ 71
Configure Logging ................................................... 73
Viewing SOHO 6 Log Messages ..
Creating a VPN Tunnel to a SOHO 6 with an IPSec-Compliant Appliance .. 99
Special considerations .............................................. 99
Configuring Split Tunneling ...................................... 100
Using MUVPN Clients ............................................... 100
Viewing the VPN Statistics ........................................ 101
Frequently Asked Questions ...................................... 101
Why do I need a static external address? ...............
Connecting and Disconnecting the MUVPN Client ........... 132
Connecting the MUVPN client ................................... 132
The MUVPN client icon ............................................ 133
Allowing the MUVPN client through the personal firewall .. 136
Disconnecting the MUVPN client ................................ 137
Monitoring the MUVPN Client Connection ................... 138
Using the Log Viewer ...........................................
Using VPNforce ........................................................ 147
Using VPNforce to Connect to your Corporate Network .... 147
Configuring the Optional Network ............................... 148
Using VPNforce and the MUVPN Client Upgrades to Enforce Your Corporate Policy .. 151
Configuring the SOHO 6 ............................................ 151
Configuring the MUVPN client ..............................
CHAPTER 1 Introduction
The purpose of this guide is to help users of the WatchGuard® Firebox® SOHO 6 and Firebox® SOHO 6tc set up and configure these appliances for secure access to the Internet.
In this guide, the name SOHO 6 refers to both the SOHO 6 as well as the SOHO 6tc. The only difference between these two appliances is the VPN feature. VPN is available as an upgrade option for the SOHO 6. The SOHO 6tc includes the VPN upgrade option. The SOHO 6 provides security when your computer is connected to the Internet with a high-speed cable modem, DSL modem, leased line, or ISDN.
Package Contents
Make sure that the package contains all of these items:
• SOHO 6 QuickStart Guide
• User Guide
• LiveSecurity Service® activation card
• Hardware Warranty Card
• AC adapter (12 V, 1.0-1.2 A)
• Straight-through Ethernet cable
• SOHO 6 security appliance

How a Firewall Works
The Internet connects your network to resources. Some examples of resources are the World Wide Web, email, and video/audio conferencing.
The SOHO 6 controls all traffic between the external network (the Internet) and the trusted network (your computers). All suspicious traffic is stopped. The rules and policies that identify the suspicious traffic are shown in “Configuring Incoming and Outgoing Services” on page 62.

How Information Travels on the Internet
The data that is sent through the Internet is divided into packets.
and reassembles the data; for example, data that may consist of an email message or a program file. IP adds information to the packets that includes the destination and the handling requirements.

IP addresses
An IP address identifies a computer on the Internet that sends and receives packets. Each computer on the Internet has an address. The SOHO 6 is also a computer and has an IP address.
How the SOHO 6 Processes Information

Services
A service is the group of protocols and port numbers for a specified program or type of application. The standard configuration of the SOHO 6 contains the correct settings for many standard services.

Network Address Translation (NAT)
All connections from the trusted network to the external network through a SOHO 6 use dynamic NAT.
SOHO 6 Hardware Description

Faster Processor
The SOHO 6 has a new network processor that runs at a speed of 150 MHz. Ethernet and encryption technology are included.

Ethernet ports
The SOHO 6 has six 10/100 Base TX ports. The Ethernet ports have the labels 0 through 3, OPT and WAN.

SOHO 6 front and rear views
There are 14 indicator lights on the front panel of the SOHO 6. The illustration below shows the front view.

PWR
PWR is lit while the SOHO 6 is connected to a power supply.
100
The 100 indicator is lit when a port is in use at 100 Mb. The 100 indicator is not lit when a port is in use at 10 Mb.

WAN
WAN is lit while there is an active physical connection to the WAN port. The indicator flashes when data flows through the port.

Mode
Mode is lit while there is a connection to the Internet.

There are six Ethernet ports, a reset button, and a power input on the rear of the SOHO 6. The picture below shows the rear view.
RESET button
Push the reset button to reset the SOHO 6 to the factory default configuration. See “Resetting the SOHO 6 to the factory default settings” on page 26 for more information about this procedure.

WAN port
The WAN port is for the external network interface.

Four numbered ports (0-3)
These Ethernet ports are for the trusted network interface.

Power input
Connect the power input to a power supply using the 12-volt AC adapter supplied with the SOHO 6.
CHAPTER 2 Installation
The SOHO 6 protects computers that are connected to it by Ethernet cable. Follow the procedures in this chapter to install the SOHO 6 in your network. To install the SOHO 6, you must complete the following steps:
• Identify and record your TCP/IP settings.
• Disable the HTTP proxy setting of your Web browser.
• Enable your computer for DHCP.
• Make a physical connection between the SOHO 6 and your network.
Before you Begin
Before you install the SOHO 6, you must have the following:
• A computer with a 10/100BaseT Ethernet I/O card installed and a Web browser, such as Netscape or Internet Explorer.
• A functional Internet connection–this connection must be a cable or DSL modem with a 10/100BaseT port, an ISDN router, or a direct LAN connection. If the Internet connection is not functional, call your Internet Service Provider (ISP).
Microsoft Windows 2000 and Windows XP
1 Select Start => Programs => Accessories => Command Prompt.
2 At the prompt, type ipconfig /all and then press Enter.
3 Record the TCP/IP settings in the table provided.
4 Click Cancel.

Microsoft Windows NT
1 Select Start => Programs => Command Prompt.
2 At the prompt, type ipconfig /all and then press Enter.
3 Record the TCP/IP settings in the table provided.
4 Click Cancel.

Microsoft Windows 95, 98, or ME
1 Select Start => Run.
2 Record the TCP/IP settings in the table provided.
3 Exit the TCP/IP configuration screen.

TCP/IP Settings      Value
IP Address           ___.___.___.___
Subnet Mask          ___.___.___.___
Default Gateway      ___.___.___.___
DHCP Enabled         Yes / No
DNS Server(s)        Primary: ___.___.___.___   Secondary: ___.___.___.___

NOTE If you must connect more than one computer to the trusted network behind the SOHO 6, determine the TCP/IP settings for each computer.
The following instructions show how to disable the HTTP proxy setting in three browser applications. If a different browser is used, use the help menus of the browser program to find the necessary information.

Netscape 4.7
1 Open Netscape.
2 Select Edit => Preferences.
3 A list of options is shown at the left side of the window. Click the + symbol to the left of the Advanced option to expand the list.
4 Click Proxies.
Internet Explorer 5.0, 5.5, and 6.0
1 Open Internet Explorer.
2 Select Tools => Internet Options. The Internet Options window appears.
3 Click the Advanced tab.
4 Scroll down the page to HTTP 1.1 Settings.
5 Clear all of the checkboxes.
6 Click OK.

Enabling your computer for DHCP
To open the configuration pages for the SOHO 6, configure your computer to receive its IP address through DHCP.
4 Click Properties. The network connection properties dialog box appears.
5 Double-click the Internet Protocol (TCP/IP) component. The Internet Protocol (TCP/IP) Properties dialog box appears.
6 Select the Obtain an IP address automatically and the Obtain DNS server address automatically checkboxes.
7 Click OK to close the Internet Protocol (TCP/IP) Properties dialog box.
8 Click OK again to close the network connection Properties dialog box. Click Close to close the network connection dialog box. Close the Control Panel window.

Physically Connecting to the SOHO 6
The SOHO 6 protects one computer or a multi-computer network.
Cabling the SOHO 6 for one to four appliances
A maximum of four computers, printers, scanners, or other network peripherals can connect directly to the SOHO 6. These connections use the four numbered Ethernet ports (labeled 0-3). To connect a maximum of four appliances, use the SOHO 6 as a network hub.
1 Shut down your computer.
2 If you connect to the Internet through a DSL modem or cable modem, disconnect the power supply to this device.
5 If you connect to the Internet through a DSL modem or cable modem, reconnect the power supply to this device. The indicator lights flash and then stop. The modem is ready for use.
6 Attach the AC adapter to the SOHO 6. Connect the AC adapter to a power source.
7 Restart the computer.
See “Factory Default Settings” on page 25 for the factory default configuration options.
The base model SOHO 6 includes a ten-seat license. This license allows a maximum of ten appliances on the trusted network to connect to the Internet at the same time. There can be more than ten appliances on the trusted network, but the SOHO 6 will only allow ten Internet connections. A seat is in use when an appliance connects to the Internet and is free when the connection is broken. License upgrades are available from the WatchGuard Web site: http://www.watchguard.
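The dynamic NAT behaviour described under “How the SOHO 6 Processes Information” and the seat accounting described here, as an added example that is not WatchGuard code and not part of this guide: a small Python model that translates every outbound connection behind one external address, takes a seat for each trusted computer that has an Internet connection open and frees it when that computer's last connection closes, and drops any packet arriving from the external network that does not match an existing translation. The class and function names, the external address 203.0.113.10, and the trusted addresses are this example's own constructed assumptions.

```python
"""Added example (not WatchGuard or SOHO 6 firmware code): a model of
dynamic NAT plus ten-seat licence accounting on the trusted side.
All addresses and ports are constructed sample values."""
from dataclasses import dataclass, field

EXTERNAL_IP = "203.0.113.10"   # constructed: the address the ISP assigned to the WAN port


@dataclass
class DynamicNat:
    seats: int = 10                                # ten-seat base licence
    next_port: int = 40000                         # next free translated source port
    table: dict = field(default_factory=dict)      # (src ip, src port, dst ip, dst port) -> NAT port
    active: dict = field(default_factory=dict)     # trusted ip -> number of open connections

    def open_connection(self, src_ip, src_port, dst_ip, dst_port):
        """A trusted computer starts an outbound connection.  Returns the
        translated (external ip, port) pair, or None when every seat is
        already held by another computer."""
        if src_ip not in self.active and len(self.active) >= self.seats:
            return None
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
            self.active[src_ip] = self.active.get(src_ip, 0) + 1
        return (EXTERNAL_IP, self.table[key])

    def close_connection(self, src_ip, src_port, dst_ip, dst_port):
        """Tear down one translation; the seat is freed with the last connection."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.table:
            return False
        del self.table[key]
        self.active[src_ip] -= 1
        if self.active[src_ip] == 0:
            del self.active[src_ip]
        return True

    def inbound(self, src_ip, src_port, dst_port):
        """A packet arriving on the WAN port.  Only a reply that matches an
        existing translation is forwarded to the trusted computer; anything
        else is dropped, which is the default deny-all-incoming behaviour."""
        for (t_ip, t_port, d_ip, d_port), nat_port in self.table.items():
            if nat_port == dst_port and d_ip == src_ip and d_port == src_port:
                return (t_ip, t_port)
        return None

    def seats_in_use(self):
        return len(self.active)


def demo():
    """Eleven trusted computers (192.168.111.2 .. .12) each open one web connection."""
    nat = DynamicNat()
    granted = [nat.open_connection(f"192.168.111.{i}", 5000, "198.51.100.7", 80)
               for i in range(2, 13)]
    accepted = sum(1 for g in granted if g is not None)          # only ten get a seat
    reply = nat.inbound("198.51.100.7", 80, 40000)               # reply to host .2 is passed
    stray = nat.inbound("198.51.100.7", 80, 40999)               # no translation: dropped
    nat.close_connection("192.168.111.2", 5000, "198.51.100.7", 80)   # seat freed
    late = nat.open_connection("192.168.111.12", 5000, "198.51.100.7", 80)
    return accepted, reply, stray, late, nat.seats_in_use()


if __name__ == "__main__":
    print(demo())
```

The eleventh computer is refused until another computer's last connection closes, and an unsolicited packet from the Internet is dropped even though the external address is reachable; that pairing of dynamic NAT with a connection table is what makes the trusted network unreachable by default.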
4 Connect an Ethernet cable between each of the computers and an uplink port on the Ethernet hub.
5 If you connect to the Internet through a DSL modem or cable modem, reconnect the power supply to this device. The indicator lights flash and then stop. The modem is ready for use.
6 Attach the AC adapter to the SOHO 6. Connect the AC adapter to a power supply.
7 Restart your computer.
See “Factory Default Settings” on page 25 for the factory default configuration options.
CHAPTER 3 SOHO 6 Basics
The configuration of the SOHO 6 is made through Web pages contained in the software of the SOHO 6. You can connect to these configuration pages with your Web browser.

SOHO 6 System Status Page
Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6. The default IP address is: http://192.168.111.1 The System Status page appears.
The System Status page is the main configuration page of the SOHO 6. A display of information about the SOHO 6 configuration is shown.
• The status of the upgrade options
• Configuration information for the trusted network and the external network
• Configuration information for firewall settings (incoming services and outgoing services)
• A reboot button to restart the SOHO 6
NOTE If the external network is configured to use the PPPoE protocol, the System Status page displays a connect button or a disconnect button. Use these buttons to start or terminate the PPPoE connection.

Factory Default Settings
System Security
System Security is disabled. The system administrator name and system administrator passphrase are not set. All computers on the trusted network can access the configuration pages. SOHO 6 Remote Management is disabled. VPN Manager Access is disabled. Remote logging is not configured.

WebBlocker
WebBlocker is disabled and the settings are not configured.
6 Connect the power supply. The PWR indicator is on and the reset is complete.

Registering Your SOHO 6 and Activating the LiveSecurity Service

The base model SOHO 6
The base model SOHO 6 includes a ten-seat license. This license allows a maximum of ten computers on the trusted network to connect to the Internet at the same time. There can be more than ten computers on the trusted network, but the SOHO 6 will only allow ten Internet connections.
NOTE To activate the LiveSecurity Service, your browser must have JavaScript enabled.
If you have a user profile on the WatchGuard Web site, enter your user name and password. If you do not have a user profile on the WatchGuard Web site, create a new account. Select your product and follow the instructions for product activation. Record your LiveSecurity Service user profile information in the table below:
User name: ____________________
Password: ____________________
Keep this information confidential.
Rebooting the SOHO 6
2 Click Reboot.
OR
1 Disconnect and reconnect the power supply.
To reboot a SOHO 6 located on a remote system, use one of these methods:
NOTE The remote SOHO 6 must be configured to allow incoming HTTP (Web) or FTP traffic from the Internet. See “Configuring Incoming and Outgoing Services” on page 62 for information about how to configure a SOHO 6 to receive incoming traffic.
CHAPTER 4 Configure the Network Interfaces

External Network Configuration
When you configure the external network, you select the method of communication between the SOHO 6 and the ISP. Make this selection based on the method of network address distribution in use by your ISP. The possible methods are static addressing, DHCP, or PPPoE.

Network addressing
To connect to a TCP/IP network, each computer must have an IP address. The assignment of IP addresses is dynamic or static.
• If the assignment is static, all computers on the network have a permanently assigned IP address. There are no computers that have the same IP address.
Most ISPs make dynamic IP address assignments through DHCP (Dynamic Host Configuration Protocol). When a computer connects to the network, a DHCP server at the ISP assigns that computer an IP address. The manual assignment of IP addresses is not necessary with this system.
configuration causes the ISP to communicate with the SOHO 6 and not your computer.
1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6. The default IP address is: http://192.168.111.1
2 From the navigation bar at left, select Network => External. The External Network Configuration page opens.
3 From the Configuration Mode drop-down list, select Manual Configuration. The page refreshes.
Configuring the SOHO 6 external network for PPPoE
If your ISP assigns IP addresses through PPPoE, your PPPoE login name and password are required to configure the SOHO 6. To configure the SOHO 6 for PPPoE:
1 Open your Web browser and click Stop.
2 Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6.
3 From the navigation bar at left, select Network => External.
5 Type the PPPoE login name and domain as well as the PPPoE password supplied by your ISP in the applicable fields.
6 Type the time delay before inactive TCP connections are disconnected.
7 Select the Automatically restore lost connections checkbox. This option keeps a constant flow of traffic between the SOHO 6 and the PPPoE server. This option allows the SOHO 6 to keep the PPPoE connection open during a period of frequent packet loss.
To set the external network link speed:
1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6. The default IP address is: http://192.168.111.1
2 From the navigation bar at left, select Network => External. The External Network Configuration page opens.
3 From the Link Speed drop-down list, select the link speed you want.
4 Click Submit.
Configuring the Trusted Network
3 Type the IP address and the subnet mask in the applicable fields.
4 Select the Enable DHCP Server on the Trusted Network checkbox.
5 Type the first IP address that is available for the computers that connect to the trusted network in the applicable fields.
6 Type the WINS Server address, DNS Server primary address, DNS Server secondary address, and DNS Domain server suffix in the applicable fields.
10 Reboot the SOHO 6.
The SOHO 6 sends all DHCP requests to the specified remote DHCP server and relays the resulting IP addresses to the computers connected to the trusted network. If the SOHO 6 is unable to contact the specified remote DHCP server within 30 seconds, it reverts to using its own DHCP server to respond to computers on the trusted network.
Configuring the trusted network with static addresses
To disable the SOHO 6 DHCP server and make static address assignments, follow these steps:
1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6. The default IP address is: http://192.168.111.1
2 From the navigation bar at left, select Network => Trusted. The Trusted Network configuration page opens.

Configuring Static Routes
2 From the navigation bar at left, select Network => Routes. The Routes page opens.
3 Click Add. The Add Route page opens.
4 From the Type drop-down list, select either Host or Network.
5 Type the IP address and the gateway of the route in the applicable fields. The gateway of the route is the local interface of the router.
6 Click Submit.
To remove a route, select the route and click Remove.

Viewing Network Statistics
The Network Statistics page gives information about network performance. This page is useful during troubleshooting. Follow these instructions to access the Network Statistics page:
1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6. The default IP address is: http://192.168.111.
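Returning to the static routes described above, here is an added example (not WatchGuard code, not part of this guide) that models the Routes page: routes of type Host and Network, the rule that a route's gateway is the local interface of a router on one of the appliance's own networks, removal of a route, and the longest-prefix lookup that decides which route a packet uses when a Host route and a Network route both cover it. The class and function names and every address are this example's constructed assumptions.

```python
"""Added example (not WatchGuard code): a static-route table with the
Host / Network route types of the SOHO 6 Add Route page.  Constructed
sample addresses throughout."""
import ipaddress


class RouteTable:
    def __init__(self, connected):
        """connected: the networks attached to the appliance, for instance
        the trusted network and the external network.  They are reachable
        without a gateway."""
        self.connected = [ipaddress.ip_network(n, strict=False) for n in connected]
        self.routes = [(net, None) for net in self.connected]   # (destination, gateway)

    @staticmethod
    def _destination(route_type, address):
        if route_type == "Host":
            return ipaddress.ip_network(f"{address}/32")
        if route_type == "Network":
            return ipaddress.ip_network(address, strict=False)
        raise ValueError(f"unknown route type {route_type!r}")

    def add(self, route_type, address, gateway):
        """Add Route: the gateway must be the local interface of a router,
        i.e. an address on a network the appliance is connected to."""
        dest = self._destination(route_type, address)
        gw = ipaddress.ip_address(gateway)
        if not any(gw in net for net in self.connected):
            raise ValueError(f"gateway {gw} is not on a connected network")
        self.routes.append((dest, gw))

    def remove(self, route_type, address):
        """Select the route and click Remove.  Connected networks stay."""
        dest = self._destination(route_type, address)
        before = len(self.routes)
        self.routes = [(n, g) for n, g in self.routes if not (n == dest and g is not None)]
        return len(self.routes) < before

    def lookup(self, destination):
        """Most specific matching route as (network, gateway), or None."""
        dst = ipaddress.ip_address(destination)
        best = None
        for net, gw in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw)
        return best


def next_hop(table, destination):
    """Gateway as a string, 'connected' for an attached network, None if unroutable."""
    match = table.lookup(destination)
    if match is None:
        return None
    return "connected" if match[1] is None else str(match[1])


def build_sample_table():
    """Trusted 192.168.111.0/24 and external 203.0.113.0/24 (constructed)."""
    table = RouteTable(["192.168.111.0/24", "203.0.113.0/24"])
    table.add("Network", "0.0.0.0/0", "203.0.113.1")          # default route via the ISP gateway
    table.add("Network", "10.20.0.0/16", "192.168.111.254")   # branch network behind an internal router
    table.add("Host", "10.20.5.9", "192.168.111.253")         # one host reached through another router
    return table


if __name__ == "__main__":
    t = build_sample_table()
    for dst in ("10.20.5.9", "10.20.7.1", "8.8.8.8", "192.168.111.5"):
        print(dst, "->", next_hop(t, dst))
```

The Host route wins for 10.20.5.9 because its /32 prefix is longer than the /16 of the Network route; once the Host route is removed, that address falls back to the Network route, and a gateway that is not on the trusted or external network is rejected before it can create a black hole.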
Configuring the Dynamic DNS Service
This feature allows you to register the external IP address of the SOHO 6 with the dynamic DNS (Domain Name Server) service DynDNS.org. A dynamic DNS service makes sure that the IP address attached to your domain name is changed when your ISP assigns you a new IP address.
1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6.
NOTE The SOHO 6 receives the IP address of members.dyndns.org when it connects to the time server.
5 Click Submit.

Configuring the OPT Port Upgrades
The optional (OPT) port of the SOHO 6 supports two upgrades:
• Dual ISP Port upgrade
• VPNforce Port upgrade
To upgrade the SOHO 6, purchase an additional license and activate the new upgrade option. See “Activating the SOHO 6 Upgrade Options” on page 56 for more information about how to upgrade the SOHO 6.
The SOHO 6 uses two methods to determine if the external interface connection is down:
• The status of the link to the nearest router
• A ping to a specified location
The SOHO 6 pings the default gateway or the location selected by the administrator. If there is no response, the SOHO 6 switches to the secondary external network connection.
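The failover decision just described, as an added example that is not WatchGuard code and not part of this guide: a Python state machine fed a constructed sequence of monitoring results in which either a lost link to the nearest router or an unanswered ping to the configured target counts as the connection being down, and the appliance then moves to the secondary connection on the OPT port. The guide does not say when the SOHO 6 returns to the primary link, so the failback rule in this model is an assumption, as are the class and function names and the probe values.

```python
"""Added example (not WatchGuard code): Dual ISP failover logic run over
constructed probe results.  The event list is the kind of record an
administrator would want to see in the log when the WAN link is lost."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    """One monitoring cycle: constructed observations of both external links."""
    primary_link_up: bool      # link status to the nearest router on the WAN port
    primary_ping_ok: bool      # reply to the ping sent out of the WAN port
    secondary_link_up: bool    # link status on the OPT port


def connection_is_down(link_up, ping_ok):
    """Either check failing is enough to declare the external connection down."""
    return (not link_up) or (not ping_ok)


class DualIspMonitor:
    def __init__(self, ping_target="default gateway"):
        self.active = "WAN"                 # the primary external connection
        self.ping_target = ping_target      # default gateway or an administrator-chosen address
        self.events = []                    # (cycle, event, reason)

    def observe(self, cycle, probe):
        """Apply one cycle of probe results; return the interface now in use."""
        primary_down = connection_is_down(probe.primary_link_up, probe.primary_ping_ok)
        if self.active == "WAN" and primary_down:
            reason = ("WAN link down" if not probe.primary_link_up
                      else f"no ping reply from {self.ping_target}")
            if probe.secondary_link_up:
                self.active = "OPT"
                self.events.append((cycle, "failover to OPT", reason))
            else:
                self.events.append((cycle, "no usable external connection", reason))
        elif self.active == "OPT" and not primary_down:
            # Assumption of this model: return to WAN as soon as link and ping are both healthy.
            self.active = "WAN"
            self.events.append((cycle, "failback to WAN", "primary link and ping healthy"))
        return self.active


def run(probes, ping_target="default gateway"):
    """Return the interface in use after each cycle and the events raised."""
    monitor = DualIspMonitor(ping_target)
    history = [monitor.observe(cycle, probe) for cycle, probe in enumerate(probes)]
    return history, monitor.events


SAMPLE_PROBES = [                 # constructed sequence
    Probe(True, True, True),      # cycle 0: everything healthy
    Probe(True, False, True),     # cycle 1: link up, but the gateway stops answering pings
    Probe(False, False, True),    # cycle 2: the WAN link itself goes down
    Probe(True, True, True),      # cycle 3: primary recovers
    Probe(False, False, False),   # cycle 4: both links down at once
]

if __name__ == "__main__":
    history, events = run(SAMPLE_PROBES)
    print(history)
    for event in events:
        print(event)
```

Cycle 1 is the case worth noticing: the link light is on, so only the ping check reveals that the path past the nearest router is gone, which is why the guide lists both methods.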
After you upgrade the SOHO 6 to activate this upgrade option, follow these instructions to complete the configuration:
1 Connect one end of a straight-through Ethernet cable to the optional port (OPT), and connect the other end to the source of the secondary external network connection. This connection can be a DSL modem, a cable modem, or a hub.
2 Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6.
8 Click Submit.

Configuring the VPNforce™ Port
The VPNforce Port upgrade activates the SOHO 6 optional port (OPT) for connection to a second network on the trusted side. This option extends the protection of the firewall to include a telecommuter or a network in a remote office. The new users have secure access to the corporate network and protected access to the Internet.
3 To enable VPNforce, select the Enable Optional Network checkbox.
4 Type the IP address, DHCP Server, and DHCP Relay for the optional interface in the applicable fields. This is the same process as for configuring the trusted network. See “Configuring the Trusted Network” on page 36 for additional instructions about these fields.
7 Click Submit.
CHAPTER 5 Administrative Options
Use the SOHO 6 Administration page to configure access to the SOHO 6. The System Security, SOHO 6 Remote Management feature, and VPN Manager Access are configured from the Administration page. The firmware updates, upgrade activation, and display of the SOHO 6 configuration file in a text format are done from the Administration page.

The System Security Page
The System Security page contains the settings that control access to the configuration of the SOHO 6.
System security
A passphrase prevents access to the configuration of the SOHO 6 by an unauthorized user on the trusted network. The use of a passphrase is important to the security of your network.
NOTE Record the system administrator name and passphrase in a safe location. When system security is enabled, the system administrator name and passphrase are required to access the configuration pages.
3 Verify that the HTTP Server Port is set to 80.
4 Select the Enable System Security checkbox.
5 Type a system administrator name and passphrase and then type the passphrase again to confirm it in the applicable fields.
6 Click Submit.

SOHO 6 Remote Management
Both the SOHO 6 and SOHO 6tc include the SOHO 6 Remote Management feature. This feature allows a remote computer on an unsecured network to manage the SOHO 6 with a secure connection.
Here is an example of how the Remote Management feature can be used. First, the remote computer connects to the SOHO 6 through a standard Internet connection. Then the MUVPN client software is activated. Finally, the MUVPN client creates an encrypted tunnel to the SOHO 6. The remote computer can now access the configuration pages of the SOHO 6 without compromising security. Here is another example of how the Remote Management feature can be used.
9 After you have installed and configured the MUVPN client, connect to the Internet using Dial-Up Networking or a LAN or WAN connection. From the Windows desktop system tray, follow these steps:
10 Verify that the MUVPN client has been activated. If the MUVPN client has not been activated, right-click the icon and select Activate Security Policy. For information on how to determine the status of the MUVPN icon, see “The MUVPN client icon” on page 133.

Setting up VPN Manager Access
2 From the navigation bar at left, select Administration => VPN Manager Access. The VPN Manager Access page opens.
3 Select the Enable VPN Manager Access checkbox.
4 Type the status passphrase and then type it again to confirm in the applicable fields.
5 Type the configuration passphrase and then type it again to confirm in the applicable fields.
NOTE These passphrases must match the passphrases used in the VPN Manager software or the connection will fail.
Updating the Firmware
Check regularly for SOHO 6 firmware updates on the WatchGuard Web site: http://www.watchguard.com/support/sohoresources/
Download the files that contain the firmware update. Save the files on your computer. Follow these instructions to transfer the new firmware to your SOHO 6:
1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6. The default IP address is: http://192.168.111.
4 Type the location of the firmware files on your computer or click Browse and locate the firmware files on your computer.
5 Click Update. Follow the instructions provided by the update wizard.
NOTE The update wizard requests a user name and password. Type the system administrator name and passphrase configured on the System Security page. The default values are “user” and “pass”.
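The factory default settings listed in Chapter 3 (System Security disabled, Remote Management and VPN Manager Access disabled, remote logging not configured) and the default administrator credentials “user” and “pass” noted above, turned into a pre-deployment check as an added example that is not WatchGuard code and not part of this guide. The settings are held in a plain dictionary whose keys are this example's own names, not fields of the SOHO 6 configuration file; an administrator would fill it in from the System Security, Remote Management and VPN Manager Access pages.

```python
"""Added example (not WatchGuard code): audit of the administrative
settings this chapter describes against the factory defaults.  Keys
are this example's own, constructed names."""

FACTORY_DEFAULTS = {
    "system_security_enabled": False,   # Chapter 3: System Security is disabled
    "admin_name": "user",               # default value named in the update wizard note
    "admin_passphrase": "pass",         # default value named in the update wizard note
    "http_server_port": 80,             # step 3 of the System Security procedure
    "remote_management_enabled": False,
    "vpn_manager_access_enabled": False,
    "remote_logging_configured": False,
}


def audit(settings):
    """Return (severity, finding) pairs; an empty list means nothing to fix."""
    findings = []
    if not settings["system_security_enabled"]:
        findings.append(("high", "System Security is disabled: every computer on the "
                                 "trusted network can change the configuration"))
    if settings["admin_name"] == FACTORY_DEFAULTS["admin_name"]:
        findings.append(("high", "system administrator name is still the factory default"))
    if settings["admin_passphrase"] == FACTORY_DEFAULTS["admin_passphrase"]:
        findings.append(("high", "system administrator passphrase is still the factory default"))
    if settings["http_server_port"] != 80:
        findings.append(("low", "HTTP Server Port is not 80, which the System Security "
                                "procedure tells you to verify"))
    for feature in ("remote_management_enabled", "vpn_manager_access_enabled"):
        if settings[feature] and not settings["system_security_enabled"]:
            findings.append(("high", f"{feature} is on while System Security is off"))
    if not settings["remote_logging_configured"]:
        findings.append(("medium", "remote logging is not configured"))
    return findings


def hardened_example():
    """The same dictionary after the System Security procedure has been followed
    and logging set up.  The passphrase is a labelled placeholder, not a suggestion."""
    return {
        **FACTORY_DEFAULTS,
        "system_security_enabled": True,
        "admin_name": "soho-admin",                      # constructed
        "admin_passphrase": "<long passphrase chosen by the administrator>",
        "remote_logging_configured": True,
    }


if __name__ == "__main__":
    for severity, text in audit(FACTORY_DEFAULTS):
        print(f"[{severity}] {text}")
    print("hardened:", audit(hardened_example()))
```

Run against the factory defaults the check reports the disabled System Security, both default credentials and the missing logging; turning on Remote Management or VPN Manager Access before System Security adds a separate finding, since those features exist to expose the configuration pages beyond the trusted network.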
Activating the SOHO 6 Upgrade Options
7 From the navigation bar at left, select Administration => Upgrade. The Upgrade page opens.
8 Paste the Feature Key in the applicable field.
9 Click Submit.

Upgrade options

Seat licenses
A seat license upgrade allows more connections between the trusted network and the external network. For example, a 25-seat license allows 25 connections instead of the standard 10 connections.
firewall to include a telecommuter or a network in a remote office.

IPSec Virtual Private Networking (VPN)
The VPN upgrade is necessary to configure virtual private networking. The SOHO 6tc includes a VPN upgrade license key. The SOHO 6 does not include a VPN upgrade license key.

WebBlocker
The WebBlocker upgrade enables the Web filtering option.

MUVPN Clients
The MUVPN Clients upgrade allows remote users to connect to the SOHO 6 through a secure (IPSec) VPN tunnel.
Viewing the Configuration File
2 From the navigation bar at left, select Administration => View Configuration File. The View Configuration File page opens.
CHAPTER 6 Configure the Firewall Settings
Firewall Settings
The configuration settings of the SOHO 6 control the flow of traffic between the trusted network and the external network. The configuration you select depends on the types of risks that are acceptable for the trusted network. The SOHO 6 lists many standard services on the configuration page. A service is the combination of protocol and port numbers for a type of application or communication.
Configuring Incoming and Outgoing Services
The default configuration of the SOHO 6 prevents the transmission of all packets from the external network to the trusted network. Change the configuration to select the types of traffic that are permitted. For example, to operate a Web server behind the SOHO 6, add an incoming Web service. Select carefully the number and the types of services that you add. Each service you add decreases the security of your network.
3 Locate a pre-configured service, such as FTP, Web, or Telnet. Then select either Allow or Deny from the drop-down list.
The previous illustration shows the HTTP service configured to allow incoming traffic.
4 Type the trusted network IP address of the computer to which this rule applies in the applicable field.
The illustration shows the HTTP service configured to allow incoming traffic to the computer with IP address 192.168.111.2.
5 Click Submit.
Follow these steps to configure a custom service:
1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6.
The default IP address is: http://192.168.111.1
2 From the navigation bar at left, select Firewall => Custom Service.
The Custom Service page opens.
3 Type a name for the service in the Service name field.
NOTE For a TCP port or a UDP port, specify a port number. For a protocol, specify a protocol number. You cannot specify a port number for a protocol.
6 Click Add.
The following steps determine how the service is filtered.
7 Select Allow or Deny from the Incoming Filter and Outgoing Filter drop-down lists.
8 Select Host IP Address, Network IP Address, or Host Range from the drop-down list at the bottom of the page.
The Custom Service page refreshes.
Blocking External Sites
You can change the configuration to prevent access to specified Internet sites. Follow these steps to configure the blocked sites:
1 From the navigation bar at left, select Firewall => Blocked Sites.
The Blocked Sites page opens.
2 Select either Host IP Address, Network IP Address, or Host Range from the drop-down list.
The Blocked Sites page refreshes.
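The service rules, the port-versus-protocol rule in the NOTE, the three scope types and the Blocked Sites list above can be modelled so that the effect of an entry is checked before it is submitted. This is an added example, not WatchGuard code; only 192.168.111.2 comes from the chapter's illustration, every other address is constructed, and the outgoing default policy is an assumption because the page only states the incoming default.

```python
"""Added example (not WatchGuard code): a model of the SOHO 6 policy this
chapter describes. Addresses other than 192.168.111.2 are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

TCP, UDP = 6, 17   # IANA protocol numbers; a "protocol" service uses any other number


@dataclass(frozen=True)
class Scope:
    """The Host IP Address / Network IP Address / Host Range selector."""
    kind: str    # "host", "network" or "range"
    value: str   # "a.b.c.d", "a.b.c.d/nn" or "a.b.c.d-w.x.y.z"

    def contains(self, ip: str) -> bool:
        addr = IPv4Address(ip)
        if self.kind == "host":
            return addr == IPv4Address(self.value)
        if self.kind == "network":
            return addr in IPv4Network(self.value, strict=False)
        if self.kind == "range":
            low, high = (IPv4Address(p) for p in self.value.split("-"))
            return low <= addr <= high
        raise ValueError(f"unknown scope kind {self.kind!r}")


@dataclass(frozen=True)
class Service:
    """A service is a protocol plus, for TCP and UDP only, a port number."""
    name: str
    protocol: int
    port: Optional[int] = None

    def __post_init__(self):
        # The page's NOTE: a TCP or UDP service needs a port number; a
        # protocol service takes a protocol number and cannot carry a port.
        if self.protocol in (TCP, UDP) and self.port is None:
            raise ValueError(f"{self.name}: a TCP or UDP service needs a port number")
        if self.protocol not in (TCP, UDP) and self.port is not None:
            raise ValueError(f"{self.name}: a protocol service cannot have a port number")

    def matches(self, protocol: int, port: Optional[int]) -> bool:
        return protocol == self.protocol and (self.port is None or port == self.port)


@dataclass(frozen=True)
class Rule:
    service: Service
    incoming: str    # Incoming Filter: "allow" or "deny"
    outgoing: str    # Outgoing Filter: "allow" or "deny"
    scope: Scope     # the trusted-network host(s) the rule applies to


class Soho6Policy:
    def __init__(self, outgoing_default: str = "allow"):
        self.rules: List[Rule] = []
        self.blocked_sites: List[Scope] = []
        # The page states the incoming default (deny everything from the
        # external network); the outgoing default is an assumption here.
        self.outgoing_default = outgoing_default

    def add_rule(self, rule: Rule) -> None:
        self.rules.append(rule)

    def block_site(self, site: Scope) -> None:
        self.blocked_sites.append(site)

    def decide(self, direction: str, src: str, dst: str,
               protocol: int, port: Optional[int] = None) -> str:
        """direction is "incoming" (external -> trusted) or "outgoing"."""
        trusted_host = dst if direction == "incoming" else src
        external_host = src if direction == "incoming" else dst
        # Blocked Sites apply before any service rule.
        if any(site.contains(external_host) for site in self.blocked_sites):
            return "deny"
        for rule in self.rules:
            if rule.service.matches(protocol, port) and rule.scope.contains(trusted_host):
                return rule.incoming if direction == "incoming" else rule.outgoing
        return "deny" if direction == "incoming" else self.outgoing_default


def example_policy() -> Soho6Policy:
    """Web allowed in to 192.168.111.2 (as in the illustration), FTP denied
    in for the whole trusted network, plus one constructed blocked site."""
    policy = Soho6Policy()
    web = Service("Web", TCP, 80)
    ftp = Service("FTP", TCP, 21)
    policy.add_rule(Rule(web, "allow", "allow", Scope("host", "192.168.111.2")))
    policy.add_rule(Rule(ftp, "deny", "allow", Scope("network", "192.168.111.0/24")))
    policy.block_site(Scope("range", "203.0.113.10-203.0.113.20"))   # constructed
    return policy
```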
Firewall Options
The previous sections described how to allow or deny complete classes of services. The Firewall Options page allows the configuration of general security policies.
1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6.
The default IP address is: http://192.168.111.1
2 From the navigation bar at left, select Firewall => Firewall Options.
The Firewall Options page opens.
2 Click Submit.
Denying FTP access to the trusted network interface
You can configure the SOHO 6 to prevent FTP access to the computers on the trusted network by the computers on the external network.
1 Select the Do not allow FTP access to Trusted Network checkbox.
2 Click Submit.
SOCKS implementation for the SOHO 6
The SOHO 6 functions as a SOCKS network proxy server.
NOTE When a computer in the trusted network uses a SOCKS-compatible application, other users on the trusted network have free access to the SOCKS proxy on that computer. Disable SOCKS on the SOHO 6 to prevent this security risk. See “Disabling SOCKS on the SOHO 6” on page 69.
Configuring your SOCKS application
To allow a SOCKS-compatible application on a computer in the trusted network to communicate with a computer on the external network, configure the application as described below.
When the SOCKS-compatible application is not in use:
1 Select the Disable SOCKS proxy checkbox.
This disables the SOCKS proxy feature of the SOHO 6.
2 Click Submit.
This disables the SOHO 6 SOCKS proxy server.
To use the SOCKS-compatible application:
1 Clear the Disable SOCKS proxy checkbox.
2 Click Submit.
This enables the SOHO 6 SOCKS proxy server.
Follow these steps to enable this option:
1 Select the Enable override MAC address for the External Network checkbox.
2 Type the new MAC address for the SOHO 6 external network in the applicable field.
3 Click Submit.
NOTE If the MAC address for the external network field is cleared and the SOHO 6 is rebooted, the SOHO 6 is reset to the factory-default MAC address for the external network.
Creating an Unrestricted Pass Through
3 Select the Enable pass through address checkbox.
4 Type the IP address of the computer to connect to the pass through in the applicable field.
This must be a public IP address.
5 Click Submit.
NOTE A pass through connection decreases the security of the trusted network, because the computer with the pass through connection is on the same Ethernet segment as the trusted network.
CHAPTER 7 Configure Logging
The SOHO 6 logging feature records a log of the events related to the security of the trusted, external, and optional networks. Communication with the WatchGuard WebBlocker database and incoming traffic are examples of events that are recorded. The log records the events that show possible security problems. A denied packet is the most important type of event to log. A sequence of denied packets can show that an unauthorized person tried to access your network.
Viewing SOHO 6 Log Messages
The SOHO 6 event log records a maximum of 150 log messages. If a new entry is added when the event log is full, the oldest log message is removed. The log messages include the time synchronizations between the SOHO 6 and the WatchGuard Time Server, packets discarded because of a packet handling violation, duplicate messages, return error messages, and IPSec messages.
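The two points above, a 150-entry log that drops its oldest message and a sequence of denied packets as the signal worth looking for, can be exercised together. This is an added example, not WatchGuard code: the log line format and every address in it are constructed for the example, since the page does not document the SOHO 6 message format.

```python
"""Added example (not WatchGuard code): a 150-entry event log like the one
this chapter describes, and a defender's check over its denied-packet entries.
The line format and all addresses below are constructed for the example."""
import re
from collections import defaultdict, deque
from typing import Dict, List, Optional

LOG_CAPACITY = 150   # the SOHO 6 keeps at most 150 messages


class EventLog:
    """When a new entry arrives and the log is full, the oldest is removed."""

    def __init__(self, capacity: int = LOG_CAPACITY):
        self._entries = deque(maxlen=capacity)

    def add(self, line: str) -> None:
        self._entries.append(line)

    def __len__(self) -> int:
        return len(self._entries)

    def entries(self) -> List[str]:
        return list(self._entries)


# Constructed line shape: "<date> <time> deny <in|out> <tcp|udp> <src>:<sport> -> <dst>:<dport>"
DENY_RE = re.compile(
    r"^\S+ \S+ deny (?P<dir>in|out) (?P<proto>tcp|udp) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)


def parse_denied(line: str) -> Optional[dict]:
    """Return the fields of a denied-packet line, or None for any other message."""
    m = DENY_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def suspect_sources(lines: List[str], min_ports: int = 5) -> Dict[str, List[int]]:
    """External sources whose denied inbound packets touched at least
    min_ports distinct destination ports: the sequence of denied packets the
    chapter says can show an unauthorized access attempt."""
    ports = defaultdict(set)
    for line in lines:
        rec = parse_denied(line)
        if rec and rec["dir"] == "in":
            ports[rec["src"]].add(rec["dport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def build_sample_log() -> EventLog:
    """Constructed sample of 160 entries, so the oldest 10 are discarded."""
    log = EventLog()
    sync = "2003-05-01 09:00:{:02d} timesync WatchGuard Time Server ok"
    for i in range(20):
        log.add(sync.format(i))
    probe = "2003-05-01 09:01:{:02d} deny in tcp 198.51.100.7:{} -> 192.168.111.2:{}"
    for i, dport in enumerate([21, 22, 23, 25, 80, 110]):
        log.add(probe.format(i, 40000 + i, dport))
    # A single denied packet from another source: not enough to flag on its own.
    log.add("2003-05-01 09:01:30 deny in tcp 203.0.113.9:5111 -> 192.168.111.2:80")
    for i in range(133):
        log.add(sync.format(i % 60))
    return log
```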
This option synchronizes the clock of the SOHO 6 to your computer:
• Click Sync Time with Browser now.
The SOHO 6 synchronizes the time at startup.
Setting up Logging to a WatchGuard Security Event Processor Log Host
The WSEP (WatchGuard Security Event Processor) is an application that is available with the WatchGuard Firebox System package used by a Firebox II/III. The WSEP application runs on a computer that functions as the log host.
3 Select the Enable WatchGuard Security Event Processor Logging checkbox.
4 Type the IP address of the WSEP server that is your log host in the applicable field.
5 Type a passphrase in the Log Encryption Key field and confirm the passphrase in the Confirm Key field.
6 Click Submit.
NOTE Use the same encryption key recorded in the WSEP application.
Setting up Logging to a Syslog Host
This option sends the SOHO 6 log entries to a Syslog host. Follow these steps to configure a Syslog Host:
1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6.
The default IP address is: http://192.168.111.1
2 From the navigation bar at left, select Logging => Syslog Logging.
The Syslog Logging page opens.
3 Select the Enable syslog output checkbox.
NOTE Syslog traffic is not encrypted. Syslog messages that are sent through the Internet decrease the security of the trusted network. Use a VPN tunnel to increase the security of Syslog message traffic. If the Syslog messages are sent through a VPN tunnel, the data is encrypted with IPSec technology.
Setting the System Time
The SOHO 6 records the time of each log entry. The time recorded in the log entries is from the SOHO 6 system clock.
3 Select a time zone from the drop-down list.
4 Select the Adjust for daylight savings time checkbox.
5 Click Submit.
CHAPTER 8 SOHO 6 WebBlocker
WebBlocker is an option for the SOHO 6 that allows the system administrator to control which Web sites the users can access.
How WebBlocker Works
WebBlocker uses a database of Web site addresses, which is owned and maintained by SurfControl. The database shows the type of content found on thousands of Web sites. WatchGuard puts the newest version of the SurfControl database on the WebBlocker server at regular intervals.
Web site not in the WebBlocker database
If the Web site is not in the WatchGuard WebBlocker database, the Web browser opens the page.
Web site in the WebBlocker database
If the site is in the WatchGuard WebBlocker database, the SOHO 6 examines the configuration to see if that type of site is permitted. When the type of site is not permitted, the user is told that the site is not available. If the type of site is permitted, the Web browser opens the page.
Purchasing and Activating the SOHO 6 WebBlocker
To use WatchGuard SOHO 6 WebBlocker, you must purchase and enable the WebBlocker upgrade license key. See “Activating the SOHO 6 Upgrade Options” on page 56 for information about upgrade license keys.
3 Select the Enable WebBlocker checkbox.
4 Type a passphrase in the Full Access Password field.
5 Type a value, in minutes, in the Inactivity Timeout field.
6 To set WebBlocker to use groups and users, select the Require Web users to authenticate checkbox.
7 Click Submit.
The full access password allows a user to access all Web sites until the password expires or the browser is closed.
Configuring the SOHO 6 WebBlocker
3 Click New to create a group name and profile.
4 Define a Group Name and select the types of content to filter for this group.
5 Click Submit.
A New Groups page opens that shows the configuration changes.
6 To the right of the Users field, click New.
The New User page opens.
7 Type a new user name and passphrase and then type the passphrase again to confirm in the applicable fields.
8 Use the Group drop-down list to assign the new user to a given group.
9 Click Submit.
NOTE To remove a user or group, make a selection and click Delete.
WebBlocker Categories
The WebBlocker database contains the following 14 categories:
NOTE A Web site is only added to a category if the contents of the Web site advocate the subject matter of the category. Web sites that provide opinion or educational material about the subject matter of the category are not included.
online sports, or financial betting, including non-monetary dares.
Militant/extremist
Pictures or text advocating extremely aggressive or combative behavior or advocacy of unlawful political measures. Topic includes groups that advocate violence as a means to achieve their goals. It also includes pages devoted to “how to” information on the making of weapons (for both lawful and unlawful reasons), ammunition, and pyrotechnics.
Gross Depictions
Pictures or text describing anyone or anything that is either crudely vulgar, grossly deficient in civility or behavior, or shows scatological impropriety. Topic includes depictions of maiming, bloody figures, and indecent depiction of bodily functions.
Violence/profanity
Pictures or text exposing extreme cruelty or profanity. Cruelty is defined as: physical or emotional acts against any animal or person that are primarily intended to hurt or inflict pain.
Sexual Acts
Pictures or text exposing anyone or anything involved in explicit sexual acts and/or lewd and lascivious behavior. Topic includes masturbation, copulation, pedophilia, as well as intimacy involving nude or partially nude people in heterosexual, bisexual, lesbian, or homosexual encounters. It also includes phone sex advertisements, dating services, adult personals, and sites devoted to selling pornographic CD-ROMs and videos.
CHAPTER 9 VPN—Virtual Private Networking
This chapter explains how to use the Branch Office VPN upgrade option for the SOHO 6.
Why Create a Virtual Private Network?
Use a VPN tunnel to make an inexpensive and secure connection between the computers in two separate locations. Expensive, dedicated point-to-point connections are not necessary for a VPN connection. A VPN tunnel gives the security necessary to use the public Internet for a virtual private connection.
NOTE IPSec-compatible appliances include the Firebox SOHO 6, the Firebox II/III, and the Firebox Vclass.
• The data from your ISP about the Internet connections for each of the two IPSec-compatible appliances:
- IP address
- Primary DNS IP address (optional)
- A secondary DNS address (optional)
- Domain name (optional)
• The network addresses and subnet masks for the two trusted networks.
What You Need
IP Address Table (example):

Item: External IP Address
Description: The IP address that identifies the IPSec-compatible appliance to the Internet.
Assigned By: ISP
Site A: 207.168.55.2
Site B: 68.130.44.15

Item: External Subnet Mask
Description: The bitmask that shows which part of the IP address identifies the local network. For example, a class C address includes 256 addresses and has a netmask of 255.255.255.0.
Assigned By: ISP
Site A: 255.255.255.0
Site B: 255.255.255.
Site A: OurLittleSecret
Site B: OurLittleSecret

Item: Encryption Method
Description: DES uses 56-bit encryption. 3DES uses 168-bit encryption. The 3DES encryption method gives better security, but decreases the speed of communication. The two IPSec-compatible appliances must use the same encryption method.
Assigned By: You
Site A: 3DES
Site B: 3DES

Item: Authentication
Description: The two IPSec-compatible appliances must use the same authentication method.
Setting Up Multiple SOHO 6 to SOHO 6 VPN Tunnels
An administrator of a SOHO 6 can configure a maximum of six VPN tunnels to other SOHO 6 devices. The VPN Manager software can configure a larger number of SOHO 6 to SOHO 6 tunnels. To define multiple VPN tunnels to other SOHO 6 appliances, follow these steps:
1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6.
4 Type the Name and Shared Secret for the VPN tunnel.
The shared secret is a passphrase used by two IPSec-compatible appliances to encrypt and decrypt the data that goes through the VPN tunnel. The two appliances use the same passphrase. If the appliances do not have the same passphrase, they cannot encrypt and decrypt the data correctly.
Use the default Phase 1 settings or change the settings as necessary.
external IP address is dynamic, select Aggressive Mode. If the external IP address is static, use either mode.
7 Select the Local ID type and the Remote ID type from the drop-down list. These must match the settings used on the remote gateway.
- If you select Main Mode, the Local ID type and the Remote ID type must contain IP addresses.
- If you select Aggressive Mode, the Remote ID type may be an IP address or a domain name.
intervals to maintain the connection. If the tunnel connection closes, the SOHO 6 does a rekey to open the tunnel again. The Generate IKE Keep Alive Messages checkbox is selected in the default configuration.
Use the default Phase 2 settings, or change the Phase 2 settings as shown below:
NOTE Make sure that the Phase 2 settings are the same on both appliances.
13 From the Authentication Algorithm drop-down list, select the type of authentication.
Creating a VPN Tunnel to a SOHO 6 with an IPSec-Compliant Appliance
Instructions that tell how to configure a VPN tunnel between a SOHO 6 and another IPSec-compatible appliance are available from the WatchGuard Web site: https://www.watchguard.com/support/AdvancedFaqs/sointerop_main.
Configuring Split Tunneling
The split tunneling feature allows the system administrator to direct all Internet traffic from the trusted network through the VPN tunnel. Without split tunneling, only traffic directed to the other end of the VPN tunnel is sent through the tunnel and the traffic for other Internet addresses is sent directly to the Internet. Split tunneling allows the control of access to Internet Web sites from one location.
allows users on the trusted network to access the networks connected by VPN tunnels to the local SOHO 6. If you purchase the VPNforce Port upgrade, you also receive one MUVPN connection to the optional network. Additional VPNforce Port user licenses can be purchased.
Viewing the VPN Statistics
The SOHO 6 has a configuration page that displays VPN statistics. Use this page to monitor VPN traffic and to solve problems with the VPN configuration.
How do I get a static external IP address?
The external IP address for your computer or network is assigned by your ISP. Many ISPs use dynamic IP addresses so that their network is easier to configure and to make the connection of a Web server to their network more difficult. Most ISPs supply a static IP address as an optional service.
Frequently Asked Questions
How do I obtain a VPN upgrade license key?
You can purchase a license key for an upgrade from the WatchGuard Web site: http://www.watchguard.com/sales/buyonline.asp
How do I enable a VPN tunnel?
The instructions to help you enable a VPN tunnel are available from the WatchGuard Web site: https://support.watchguard.com/AdvancedFaqs/sointerop_main.
CHAPTER 10 MUVPN Clients
The MUVPN client is a software application that is installed on a remote computer. This application makes a secure connection from the remote computer to your protected network through an unsecured network. The MUVPN client uses Internet Protocol Security (IPSec) to guarantee the security of the connection. The following is an example of how the MUVPN client can be used. First, the MUVPN client is installed on the remote computer.
provides additional security for the remote users of your network by acting as a software firewall. This chapter shows how to install and configure the MUVPN client on a remote computer. This chapter also includes information about the features of the ZoneAlarm personal firewall.
Configuring the SOHO 6 for MUVPN Clients
4 Type a user name and a shared key in the applicable fields.
The user name is used as the e-mail address and the passphrase is used as the pre-shared key for the MUVPN client.
5 Type the virtual IP address in the applicable field.
The virtual IP address is the same as the IP address on the Trusted Network Configuration page.
6 From the Authentication Algorithm drop-down list, select the type of authentication.
Preparing the Remote Computers to Use the MUVPN Client
The MUVPN client is only compatible with Windows operating systems. The MUVPN client can only be installed on computers that meet these system requirements:
System requirements
• A computer with a Pentium processor (or equivalent)
• Compatible operating systems and minimum RAM:
- Microsoft Windows 98: 32 MB
- Microsoft Windows ME: 64 MB
- Microsoft Windows NT 4.
NOTE You cannot use the MUVPN virtual adapter. Make sure this is disabled.
Windows 98/ME operating system setup
This section describes how to install and configure the network components that are required for the Windows 98/ME operating system. These components must be installed before the MUVPN client will function correctly on a Windows 98/ME computer.
NOTE The Mobile User VPN Adapter supports L2TP.
8 Click OK to close the Network window.
Click Cancel if you do not want to save the changes.
9 Reboot the computer.
Installing the Client for Microsoft Networks
The Client for Microsoft Networks must be installed before you can configure network names. If the Client for Microsoft Networks is not installed, follow these steps.
From the Network window:
1 Click the Configuration tab and then click Add.
2 Select Client and then click Add.
3 Click the Windows Setup tab.
The Windows Setup dialog box appears. The operating system searches for installed components.
4 Select the Communications checkbox and then click OK.
The Copying Files dialog box appears. The operating system copies the necessary files.
5 The Dial-Up Networking Setup window appears. Click OK to restart the computer.
The computer reboots.
The Dial-up Networking component of Windows 98 must be updated with the 1.
NOTE The DNS server on the private network behind the SOHO 6 must be the first server in the list.
7 Click the WINS Configuration tab and then select the Enable WINS Resolution checkbox.
8 Type the IP address of the WINS server in the WINS Server Search Order text field and then click Add.
If you have multiple remote WINS servers, repeat steps 7 and 8.
9 Click OK to close the TCP/IP Properties window. Click OK to close the Network window.
2 Double-click the Network icon.
The Network window appears.
3 Click the Services tab and then click Add.
4 Select Remote Access Services from the list and then click OK.
5 Enter the path to the Windows NT install files or insert your system installation CD and then click OK.
The Remote Access Setup window appears.
6 Click Yes to add a RAS device, such as a modem, and then click Add.
7 Complete the Install New Modem wizard.
Click the Protocols tab and then select the TCP/IP protocol.
3 Click Properties.
4 The Microsoft TCP/IP Properties window appears.
5 Click the DNS tab and then click Add.
6 Enter the IP address of your DNS server in the applicable field.
To add additional DNS servers, repeat steps 5 and 6.
NOTE The DNS server on the private network behind the SOHO 6 must be the first server in the list.
- File and Printer Sharing for Microsoft Networks
- Client for Microsoft Networks
Installing the Internet Protocol (TCP/IP) network component
From the connection window, Networking tab:
1 Click Install.
The Select Network Component Type window appears.
2 Double-click the Protocol network component.
The Select Network Protocol window appears.
3 Select the Internet Protocol (TCP/IP) network protocol and then click OK.
Configuring the WINS and DNS settings
The remote computer must be able to communicate with the WINS servers and the DNS servers. These servers are located on the trusted network that is protected by the SOHO 6.
From the connection window, Networking tab:
1 Select the Internet Protocol (TCP/IP) component and then click Properties.
The Internet Protocol (TCP/IP) Properties window appears.
2 Click Advanced.
9 Click OK to close the Advanced TCP/IP Settings window, click OK to close the Internet Protocol (TCP/IP) Properties window, and then click OK.
10 Click Cancel to close the connection window.
Windows XP operating system setup
This section describes how to install and configure the network components that are required for the Windows XP operating system.
3 Select the Internet Protocol (TCP/IP) network protocol and then click OK.
Installing the File and Printer Sharing for Microsoft Networks
From the connection window, Networking tab:
1 Click Install.
The Select Network Component Type window appears.
2 Double-click the Services network component.
The Select Network Service window appears.
3 Select the File and Printer Sharing for Microsoft Networks network service and then click OK.
3 Click Advanced.
The Advanced TCP/IP Settings window appears.
4 Click the DNS tab and then, from the section labeled DNS server addresses, in order of use, click Add.
The TCP/IP DNS Server window appears.
5 Enter the IP address of the DNS server in the applicable field and then click Add.
To add additional DNS servers, repeat steps 4 and 5.
NOTE The DNS server on the private network behind the SOHO 6 must be the first server in the list.
Installing and Configuring the MUVPN Client
The MUVPN installation files are available at the WatchGuard Web site: http://www.watchguard.com/support
NOTE To install and configure the MUVPN client, you must have local administrator rights on the remote computer.
Installing the MUVPN client
Follow these steps to install the MUVPN client:
1 Copy the MUVPN installation file to the remote computer.
2 Double-click the MUVPN installation file to start the InstallShield wizard.
8 Do not change the default selections. Click Next.
9 Click Next to install the files.
The Start Copying Files window appears. When the dni_vapmp file is installed, a command prompt window appears. This is normal. When the file has been installed, the command prompt window closes and the process continues.
10 When the InstallShield wizard is complete, click Finish.
11 The InstallShield wizard searches for a user profile file.
2 Double-click the MUVPN client icon.
The Security Policy Editor window appears.
NOTE The ZoneAlarm personal firewall may display alert messages. For more information regarding ZoneAlarm see “The ZoneAlarm Personal Firewall” on page 139.
3 Select Edit => Add => Connection.
4 Type a unique name for the new connection.
5 Select the Secure option.
6 Select the Only Connect Manually checkbox.
7 Select the IP Subnet option from the ID Type drop-down list.
8 When you set the Subnet and Mask addresses, you define whether or not an MUVPN user can access the Internet through the tunnel. If you want to access only the Trusted network, type the trusted network address in both the Subnet and Mask fields. If you want to access both the Trusted network and the Internet, type 0.0.0.0 in both the Subnet and Mask fields.
Defining the My Identity settings
To define the My Identity settings, follow these steps.
1 Expand the Network Security Policy to display the new entry.
The My Identity and Security Policy entries appear.
2 Select Security Policy.
3 Select Aggressive Mode. Make sure the Enable Perfect Forward Secrecy (PFS) checkbox is clear and the Enable Replay Detection checkbox is selected.
4 Close the Security Policy dialog box.
5 Select My Identity.
6 Select Options => Global Policy Settings.
The Global Policy Settings window appears.
7 Select the Allow to Specify Internal Network Address checkbox and then click OK.
The Internal Network IP Address field appears in the My Identity section.
8 Select None from the Select Certificate drop-down list.
9 Select E-mail Address from the ID Type drop-down list and then enter the user name defined on the SOHO 6 in the applicable field.
10 Select Disabled from the Virtual Adapter drop-down list.
11 Type 0.0.0.0 in the Internal Network IP Address field if this value does not appear by default. The default value is 0.0.0.0.
12 Select Any from the Name drop-down list. This is the default setting.
13 Click Pre-Shared Key.
15 Type the exact text of the MUVPN client passphrase entered on the SOHO 6 and then click OK.
NOTE Both the pre-shared key and the e-mail address must exactly match the system passphrase and system administrator name settings of the SOHO 6. If they do not match, the connection will fail.
Defining Phase 1 and Phase 2 settings
Follow these steps to define the Phase 1 and Phase 2 settings. These values must match the settings of the SOHO 6.
4 Select Pre-Shared Key from the Authentication Method drop-down list.
NOTE Phase 1 values must be as specified in the following steps. Phase 2 values must match the settings of the Firebox SOHO 6.
5 Select DES from the Encrypt Alg drop-down list and then select SHA-1 from the Hash Alg drop-down list.
6 Select Unspecified from the SA Life drop-down list. This is the default setting.
7 Select Diffie-Hellman Group 1 from the Key Group drop-down list.
10 Select Both from the SA Life drop-down list.
11 Type 86400 in the Seconds field and 8192 in the KBytes field.
12 Select None from the Compression drop-down list. This is the default setting. The SOHO 6 does not support compression.
13 Select the Encapsulation Protocol (ESP) checkbox.
14 Select a value for the Encrypt Alg and Hash Alg drop-down lists.
NOTE The encryption and hash values must match the settings of the SOHO 6.
Uninstalling the MUVPN client
Follow these directions to uninstall the MUVPN client. WatchGuard recommends that you use the Windows Add/Remove Programs tool. Disconnect all existing tunnels and dial-up connections. Reboot the remote computer. Perform these steps from the Windows desktop:
1 Select Start => Settings => Control Panel.
2 Double-click the Add/Remove Programs icon.
3 Select Mobile User VPN and then click Change/Remove.
4 Select Remove and then click Next.
NOTE The ZoneAlarm personal firewall settings are stored in the following directories by default.
Windows 98: c:\windows\internet logs\
Windows NT and 2000: c:\winnt\internet logs\
Windows XP: c:\windows\internet logs
To remove these settings, delete the contents of the appropriate directory.
8 When the computer has restarted, select Start => Programs.
9 Right-click Mobile User VPN and select Delete to remove this selection from your Start menu.
Configuring the SOHO 6 for MUVPN Clients Using Pocket PC
5 Type the virtual IP address in the applicable field.
The virtual IP address is the same as the IP address on the Trusted Network Configuration page. This address is used by the remote computer to connect to the SOHO 6.
6 From the Authentication Algorithm drop-down list, select the type of authentication.
The options are MD5-HMAC and SHA1-HMAC.
7 From the Encryption Algorithm drop-down list, select the type of encryption.
The options are DES-CBC and 3DES-CBC.
Connecting and Disconnecting the MUVPN Client
2 If the MUVPN client is not active, right-click the icon and select Activate Security Policy.
For information about how to determine the status of the MUVPN icon, see “The MUVPN client icon” on page 133.
From the Windows desktop:
3 Select Start => Programs => Mobile User VPN => Connect.
The WatchGuard Mobile User Connect window appears.
4 Click Yes.
The MUVPN client icon
The MUVPN icon appears in the Windows desktop system tray.
The MUVPN client is ready to establish a secure MUVPN tunnel connection. The red bar on the right of the icon indicates that the client is transmitting unsecured data.
Activated and Connected
The MUVPN client has established at least one secure MUVPN tunnel connection, but is not transmitting data.
Activated, Connected and Transmitting Unsecured Data
The MUVPN client has established at least one secure MUVPN tunnel connection. The red bar on the right of the icon indicates that the client is only transmitting unsecured data.
Allowing the MUVPN client through the personal firewall
The following programs are associated with the MUVPN client. To establish the MUVPN tunnel, you must allow these programs through the personal firewall:
• MuvpnConnect.exe
• IreIKE.exe
The personal firewall detects when these programs attempt to access the Internet. A New Program alert window appears to request access for the MuvpnConnect.exe program.
From the New Program alert window:
1 Select the Remember this answer the next time I use this program checkbox and then click Yes.
With this option selected, the ZoneAlarm personal firewall allows this program to access the Internet each time you attempt to make a MUVPN connection. The New Program alert window then appears to request access for the IreIKE.exe program.
2 Select the Remember this answer the next time I use this program checkbox and then click Yes.
Monitoring the MUVPN Client Connection
The Log Viewer and the Connection Monitor are installed with the MUVPN client. These tools can be used to monitor the MUVPN connection and to diagnose problems that may occur.
Using the Log Viewer
The Log Viewer displays the communications log. This log shows the events that occurred during the connection of the MUVPN tunnel.
From the Windows desktop system tray:
1 Right-click the Mobile User VPN client icon.
2 Select Log Viewer.
- when a phase 2 SA connection has not yet been made
- when a phase 2 SA connection cannot be made
• A key indicates that the connection has a phase 2 SA. This connection may also have a phase 1 SA.
• An animated black line underneath a key indicates that the client is processing secure IP traffic for the connection.
• A single SA icon with several key icons above it indicates a single phase 1 SA to a gateway that protects multiple phase 2 SAs.
The ZoneAlarm Personal Firewall
This alert appears whenever one of your programs attempts to access the Internet or your local network. It ensures that no information leaves your computer without your authorization.
The ZoneAlarm personal firewall provides a brief tutorial after the MUVPN client is installed. Follow the tutorial to learn how to use this program. For more information about the features and configuration of ZoneAlarm, refer to the ZoneAlarm help system.
In the example above, the Internet Explorer Web browser has been launched and attempts to access the user's home page. The program that actually needs to pass through the firewall is "IEXPLORE.EXE". To allow this program access to the Internet each time the application is started, select the Remember the answer each time I use this program checkbox.
Programs That Must Be Allowed
MUVPN client: IreIKE.exe, MuvpnConnect.exe
MUVPN Connection Monitor: CmonApp.exe
MUVPN Log Viewer: ViewLog.exe
Programs That May Be Allowed
MS Outlook: OUTLOOK.exe
MS Internet Explorer: IEXPLORE.exe
Netscape 6.1: netscp6.exe
Opera Web browser: Opera.exe
Standard Windows network applications: lsass.exe, services.exe, svchost.exe, winlogon.
3 Click Yes.
The Select Uninstall Method window appears.
4 Make sure Automatic is selected and then click Next.
5 Click Finish.
NOTE
The Remove Shared Component window may appear. During the initial installation of ZoneAlarm, some files were installed that could be shared by other programs on the system. Click Yes to All to completely remove all of these files.
6 The Install window appears and prompts you to restart the computer. Click OK to reboot your system.
1 Reboot your computer.
Troubleshooting Tips
When the MUVPN client is not in use, both ZoneAlarm and the MUVPN client should be deactivated.
From the Windows desktop system tray:
1 Right-click the MUVPN client icon and then select Deactivate Security Policy.
The MUVPN client icon with a red bar is displayed to indicate that the Security Policy has been deactivated.
To shut down ZoneAlarm:
1 Right-click the ZoneAlarm icon in the system tray.
2 Select Shutdown ZoneAlarm.
The ZoneAlarm dialog box appears.
3 Click Yes.
transmission of the login information. Make sure you deactivate ZoneAlarm each time you disconnect the MUVPN connection.
Is the MUVPN tunnel working?
The MUVPN client icon appears in the Windows desktop system tray once the application has been launched. The MUVPN client displays a key in the icon when the client is connected. To test the connection, ping a computer on your company network.
The mapped drive appears in the My Computer window. Even if you select the Reconnect at Logon checkbox, the mapped drive appears at the next start only if the computer is directly connected to the network.
I am sometimes prompted for a password when I am browsing the company network...
Due to a Windows networking limitation, remote user virtual private networking products can allow access only to a single network domain.
CHAPTER 11 Using VPNforce
The VPNforce™ upgrade activates the SOHO 6 optional interface, labeled OPT on the SOHO 6 appliance. The optional interface provides remote users with a separate network, called the optional network, behind the SOHO 6. The optional network has secure access to the corporate network; the trusted network is then used only for non-corporate functions. The optional network can also be used with the MUVPN client to enforce corporate security policies.
NOTE
To use this upgrade option, you must access your corporate network through a VPN tunnel from the SOHO 6 to a WatchGuard Firebox appliance or other IPSec-compliant appliance. For information about the VPN upgrade option, see "VPN—Virtual Private Networking" on page 91.
Configuring the Optional Network
The VPNforce upgrade activates the SOHO 6 optional interface. This upgrade option provides remote users with a separate network, called the optional network, behind the SOHO 6.
3 Select the Enable Optional Network checkbox.
4 Type the IP address and the subnet mask of the optional interface in the appropriate fields.
Make sure that this network is different from that of the trusted network.
5 To configure the DHCP server, select the Enable DHCP Server on the Optional Network checkbox.
6 Type the first IP address the DHCP server will hand out to computers connected to the optional network in the applicable field.
8 To configure the DHCP relay server, select the Enable DHCP Relay checkbox.
9 Type the IP address of the DHCP relay server in the applicable field.
10 Click Submit.
The SOHO 6 sends all DHCP requests to the specified remote DHCP server and relays the resulting IP addresses to the computers connected to the optional network.
Using VPNforce and the MUVPN Client Upgrades to Enforce Your Corporate Policy
If you want to require remote users to use the MUVPN client to connect to the protected network, you must perform the procedures in this section. These procedures also allow you to enforce your corporate security policies for remote users. The first procedure describes how to configure the SOHO 6.
3 Click the Add button.
The Edit MUVPN Client page appears.
4 Type a user name and a passphrase in the applicable fields.
The user name is used as the e-mail address and the passphrase is used as the pre-shared key for the MUVPN client.
5 In the Virtual IP Address field, type an unused IP address from the trusted network. The MUVPN client computer uses this address when it connects to the SOHO 6.
6 Select MD5-HMAC from the Authentication Algorithm drop list.
7 Select DES-CBC from the Encryption Algorithm drop list.
8 Select Mobile User from the VPN Client Type drop list.
9 Select the All traffic uses tunnel (0.0.0.0/0 Subnet) checkbox.
10 Click Submit.
NOTE
The Authentication Algorithm and Encryption Algorithm lists also offer SHA1-HMAC and 3DES-CBC, which are the stronger choices. Whichever pair you select here must be entered identically in the client's Phase 2 proposal.
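The address rules stated in the two procedures above (the optional network must differ from the trusted network; the virtual IP address must be an unused address on the trusted network) are easy to get wrong once the DHCP server or DHCP relay is enabled as well, and the configuration pages do not check them for you. The following script is an added example written for this guide, not WatchGuard code. The function and parameter names are its own, and the sample plan is constructed; only the default trusted address 192.168.111.1 is taken from the guide.

```python
"""Address-plan check for a SOHO 6 running the VPNforce and MUVPN upgrades.

Added example for this guide, not WatchGuard code. It checks the rules the
configuration pages state but do not enforce: the optional network must not
overlap the trusted network, each DHCP range must lie inside its own
interface's network, and every MUVPN virtual IP must be an unused address
on the trusted network (not the SOHO 6 address, not inside the trusted DHCP
range, not reused by another client). Only 192.168.111.1, the SOHO 6 default
trusted address, comes from the guide; the rest of the sample plan is
constructed.
"""
import ipaddress


def _parse_range(pool):
    """A DHCP range is given as a (first, last) pair of dotted addresses."""
    first, last = (ipaddress.ip_address(a) for a in pool)
    return first, last


def check_plan(trusted, optional=None, dhcp_trusted=None, dhcp_optional=None,
               virtual_ips=()):
    """Return the problems found; an empty list means the plan is usable."""
    problems = []
    t_if = ipaddress.ip_interface(trusted)      # e.g. "192.168.111.1/24"
    t_net = t_if.network

    # Step 4 of the optional-network procedure: networks must not overlap.
    if optional is not None:
        o_net = ipaddress.ip_interface(optional).network
        if t_net.overlaps(o_net):
            problems.append(f"optional network {o_net} overlaps trusted network {t_net}")

    # A DHCP range is handed out on one interface, so it must sit inside that network.
    for name, iface, pool in (("trusted", trusted, dhcp_trusted),
                              ("optional", optional, dhcp_optional)):
        if pool is None:
            continue
        if iface is None:
            problems.append(f"{name} DHCP range given, but the {name} network is not enabled")
            continue
        net = ipaddress.ip_interface(iface).network
        first, last = _parse_range(pool)
        if first > last:
            problems.append(f"{name} DHCP range {first}-{last} is reversed")
        if first not in net or last not in net:
            problems.append(f"{name} DHCP range {first}-{last} is outside {net}")

    # Step 5 of the MUVPN client procedure: an unused address on the trusted network.
    seen = set()
    for v in virtual_ips:
        a = ipaddress.ip_address(v)
        if a not in t_net:
            problems.append(f"virtual IP {a} is not on the trusted network {t_net}")
        elif a == t_if.ip:
            problems.append(f"virtual IP {a} is the SOHO 6 trusted address itself")
        elif dhcp_trusted is not None:
            first, last = _parse_range(dhcp_trusted)
            if first <= a <= last:
                problems.append(f"virtual IP {a} lies inside the trusted DHCP range {first}-{last}")
        if a in seen:
            problems.append(f"virtual IP {a} is assigned to more than one MUVPN client")
        seen.add(a)
    return problems


# Constructed sample plan: default trusted address plus invented optional
# network, DHCP ranges and two MUVPN virtual IPs above the DHCP range.
SAMPLE_PLAN = dict(
    trusted="192.168.111.1/24",
    optional="192.168.112.1/24",
    dhcp_trusted=("192.168.111.2", "192.168.111.100"),
    dhcp_optional=("192.168.112.2", "192.168.112.50"),
    virtual_ips=("192.168.111.200", "192.168.111.201"),
)

if __name__ == "__main__":
    for line in check_plan(**SAMPLE_PLAN) or ["plan is consistent"]:
        print(line)
```

Run it against your own plan before entering the values on the Optional Network Configuration and Edit MUVPN Client pages; keeping virtual IPs above the trusted DHCP range, as in the sample, is the simplest way to guarantee they stay unused.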
3 Type a unique name for the new connection.
If this will be a unique policy for a specific user, enter a unique name to help identify it.
4 Select the Secure option.
5 Select the Only Connect Manually checkbox.
6 Select the IP Subnet option from the ID Type drop list.
7 Type 0.0.0.0 in both the Subnet and Mask fields.
8 Select All from the Protocol drop list.
9 Select the Connect using checkbox and select Secure Gateway Tunnel from the drop list.
10 Select IP Address from the ID Type drop list and then type the IP address of the Optional interface in the available field.
Defining the Security Policy settings
Follow these instructions to define the Security Policy settings.
1 From the Network Security Policy field, select Security Policy.
2 Select the Aggressive Mode option.
3 Verify that the Enable Perfect Forward Secrecy (PFS) checkbox is not selected.
2 Select My Identity.
The My Identity and Internet Interface settings appear to the right.
3 Select Options => Global Policy Settings.
The Global Policy Settings dialog box appears.
4 Select the Allow to Specify Internal Network Address checkbox and then click OK.
The Internal Network IP Address field appears among the My Identity settings.
5 Select None from the Select Certificate drop list.
6 Select E-mail Address from the ID Type drop list and then enter the username defined on the SOHO 6 in the available field.
7 Select Disabled from the Virtual Adapter drop list.
8 9 Type 0.0.0.
12 Type the exact text of the MUVPN client passphrase entered on the Firebox SOHO 6 appliance and then click OK.
Defining Phase 1 and Phase 2 settings
Follow these instructions to define the Phase 1 and Phase 2 settings. Make certain that the settings match exactly those on the Firebox SOHO 6 appliance.
1 From the Network Security Policy field, expand Security Policy.
Both Phase 1 and Phase 2 negotiations appear.
2 Expand Authentication (Phase 1).
3 Select Proposal 1.
4 Select Pre-Shared Key from the Authentication Method drop list.
NOTE
These values must match exactly those entered in the Firebox SOHO 6 appliance.
5 Select DES from the Encrypt Alg drop list and select SHA-1 from the Hash Alg drop list.
6 Select Unspecified from the SA Life drop list. This is the default setting.
7 Select Diffie-Hellman Group 1 from the Key Group drop list.
8 Expand Key Exchange (Phase 2).
10 Select Both from the SA Life drop list and then type 86400 in the Seconds field and 8192 in the KBytes field.
11 Select None from the Compression drop list. This is the default setting; the SOHO 6 Firebox appliance does not support compression.
12 Select the Encapsulation (ESP) checkbox. Its Encrypt Alg and Hash Alg drop lists are set in the next step.
13 Select DES from the Encrypt Alg drop list and select MD5 from the Hash Alg drop list.
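The Phase 1 and Phase 2 steps above and the earlier Edit MUVPN Client procedure on the SOHO 6 describe the same tunnel from its two ends, and the two pages name the same algorithms differently (MD5-HMAC on the SOHO 6 is MD5 on the client; DES-CBC is DES). The following script is an added example written for this guide, not WatchGuard or SafeNet code: check_match() compares a record of both ends and reports the mismatches that would make negotiation fail, and weak_settings() is the editor's caveat, naming the choices in this configuration that are weak by current standards. The dictionary keys and function names are this example's own and the passphrase is constructed; the algorithm values are the ones the procedures tell you to enter.

```python
"""Compare the MUVPN client's proposals with the SOHO 6 side of the tunnel.

Added example for this guide, not WatchGuard or SafeNet code. The algorithm
values are the ones the two procedures tell you to enter; the dictionary keys
and function names are this example's own, and the passphrase is constructed.
check_match() reports mismatches that make Phase 1 or Phase 2 fail.
weak_settings() is the editor's caveat: the only stronger alternatives this
firmware offers are 3DES-CBC and SHA1-HMAC, so read its output as a caveat
about the algorithms, not as a statement about the appliance.
"""

# What the Edit MUVPN Client page on the SOHO 6 holds.
SOHO6 = {
    "auth_alg": "MD5-HMAC",
    "enc_alg": "DES-CBC",
    "client_type": "Mobile User",
    "all_traffic_uses_tunnel": True,
    "passphrase": "example-passphrase",   # constructed
}

# The corresponding entries in the MUVPN client's Security Policy Editor.
CLIENT = {
    "remote_party": {"id_type": "IP Subnet", "subnet": "0.0.0.0", "mask": "0.0.0.0"},
    "security_policy": {"mode": "Aggressive", "pfs": False},
    "phase1": {"auth": "Pre-Shared Key", "enc": "DES", "hash": "SHA-1", "dh_group": 1},
    "phase2": {"esp": True, "enc": "DES", "hash": "MD5",
               "sa_life_s": 86400, "sa_life_kb": 8192, "compression": "None"},
    "pre_shared_key": "example-passphrase",   # constructed, must equal the passphrase
}

# The SOHO 6 and the client name the same algorithm differently.
HASH_NAMES = {"MD5-HMAC": "MD5", "SHA1-HMAC": "SHA-1"}
ENC_NAMES = {"DES-CBC": "DES", "3DES-CBC": "Triple DES"}


def check_match(soho, client):
    """Return the mismatches between the two ends; an empty list means they agree."""
    problems = []
    p1, p2, rp = client["phase1"], client["phase2"], client["remote_party"]
    if p1["auth"] != "Pre-Shared Key":
        problems.append("Phase 1 must authenticate with the pre-shared key")
    if soho["passphrase"] != client["pre_shared_key"]:
        problems.append("client pre-shared key differs from the SOHO 6 passphrase")
    if HASH_NAMES.get(soho["auth_alg"]) != p2["hash"]:
        problems.append(f"Phase 2 hash {p2['hash']} does not match SOHO 6 {soho['auth_alg']}")
    if ENC_NAMES.get(soho["enc_alg"]) != p2["enc"]:
        problems.append(f"Phase 2 cipher {p2['enc']} does not match SOHO 6 {soho['enc_alg']}")
    if not p2["esp"]:
        problems.append("Phase 2 must use ESP encapsulation")
    if p2["compression"] != "None":
        problems.append("the SOHO 6 does not support compression")
    if soho["all_traffic_uses_tunnel"] and (rp["subnet"], rp["mask"]) != ("0.0.0.0", "0.0.0.0"):
        problems.append("SOHO 6 tunnels all traffic, but the client remote party is not 0.0.0.0/0.0.0.0")
    return problems


def weak_settings(client):
    """Name the settings that are weak by current standards (editor's caveat)."""
    warnings = []
    p1, p2, sp = client["phase1"], client["phase2"], client["security_policy"]
    if "DES" in (p1["enc"], p2["enc"]):
        warnings.append("single DES has a 56-bit key and is brute-forceable; prefer Triple DES")
    if p1["dh_group"] == 1:
        warnings.append("Diffie-Hellman group 1 is 768-bit MODP, too small against current attackers")
    if sp["mode"] == "Aggressive" and p1["auth"] == "Pre-Shared Key":
        warnings.append("aggressive mode with a pre-shared key sends a PSK-derived hash in the clear, "
                        "so a captured exchange allows offline guessing of the passphrase")
    if not sp["pfs"]:
        warnings.append("PFS is off, so Phase 2 keys derive from the Phase 1 secret")
    if p2["hash"] == "MD5":
        warnings.append("MD5 is deprecated; choose SHA1-HMAC on the SOHO 6 and SHA-1 on the client")
    return warnings


if __name__ == "__main__":
    for line in check_match(SOHO6, CLIENT) or ["both ends agree"]:
        print("match:", line)
    for line in weak_settings(CLIENT):
        print("caveat:", line)
```

The practical consequence of the caveat list is that the passphrase entered in step 4 of the SOHO 6 procedure is the only thing standing between an eavesdropper on the path and the tunnel, so make it long and random rather than a word, and pick 3DES-CBC and SHA1-HMAC on both ends where the firmware allows.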
Using the MUVPN client to Secure a Wireless Network
The VPNforce upgrade and the MUVPN client can also be used to prevent wireless "drive-by" hacking. This configuration requires an Ethernet connection from the wireless access point (WAP) to the OPT port on the SOHO 6. Follow these instructions to complete the configuration:
1 Identify the Ethernet cable that connects your DSL/cable modem to the WAN port of your WAP.
CHAPTER 12 Support Resources
Troubleshooting Tips
If you have problems during the installation and the configuration of your SOHO 6, refer to this information.
General
What do the PWR, Status, and Mode lights signify on the SOHO 6?
When the PWR light is lit, the SOHO 6 is connected to a power source. When the Status light is lit, there is a management connection to the SOHO 6. When the MODE light is lit, the SOHO 6 is operational.
If the Mode light blinks, the SOHO 6 cannot connect to the external network. Possible causes of this problem include:
• The SOHO 6 did not receive an IP address for the external interface from the DHCP server.
• The WAN port is not connected to another appliance.
• The connection to the external interface is defective.
• The appliance to which the external interface of the SOHO 6 is connected is not operating correctly.
I can't get a certain SOHO 6 feature to work with a DSL modem.
Some DSL routers implement NAT firewalls. An external network connection through an appliance that supplies NAT causes problems with WebBlocker and with IPSec. When a SOHO 6 connects to the external network through a DSL router, set the DSL router to operate as a bridge only.
I can connect to the System Status page; why can't I browse the Internet?
If you can access the configuration pages but not the Internet, there is a problem with the connection from the SOHO 6 to the Internet.
• Make sure the cable modem or DSL modem is connected to the SOHO 6 and to the power supply.
• Make sure the link light on the modem and the WAN indicator on the SOHO 6 are lit.
Speak with your ISP if the problem is not corrected.
2 Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6.
The default IP address is: http://192.168.111.1
3 From the navigation bar at left, select Network => Trusted.
4 Clear the Enable DHCP Server check box.
5 Click Submit.
How do I change to a static, trusted IP address?
To use a static IP address, select a network IP range and subnet mask for the trusted network.
6 Click Submit.
How do I set up and disable WebBlocker?
1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6.
The default IP address is: http://192.168.111.1
2 From the navigation bar at left, select WebBlocker => Settings.
The WebBlocker Settings page opens.
3 Select the Enable WebBlocker check box.
4 Type a passphrase in the Full Access Password field.
How do I allow incoming IP, or uncommon TCP and UDP protocols?
Record the IP address of the computer that is to receive the incoming data and the number of the new IP protocol. Follow these steps:
1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6.
The default IP address is: http://192.168.111.1
2 From the navigation bar at left, select Firewall => Custom Service.
The Custom Service page opens.
SOHO 6 configuration file. These steps apply to using a command prompt with Windows 2000 or XP.
1 Configure the firewall settings of the SOHO 6 to allow an incoming FTP service to the trusted IP address of the appliance. For information on configuring an incoming service, see Chapter 6 "Configure the Firewall Settings" on page 61.
FTP sends the login and the configuration file in clear text, so do this only from a computer on the trusted network and remove the incoming FTP service again when you are done.
2 Select Start => Programs => Accessories => Command Prompt.
3 At the prompt, type ftp and then the IP address of the trusted network.
Make sure that the two appliances use the same encryption and authentication method.
How do I set up my SOHO 6 for VPN Manager Access?
This requires the add-on product WatchGuard VPN Manager, which is purchased separately and used with the WatchGuard Firebox System software. Purchase VPN Manager through the WatchGuard Web site: https://www.watchguard.com/products/vpnmanager.asp
For more information on how to allow VPN Manager access to a SOHO 6, see the VPN Guide.
Contacting Technical Support
(877) 232-3531 United States end-user support
(206) 521-8375 United States authorized reseller support
(360) 482-1083 International support
Online documentation and FAQs
Documentation in PDF format, tutorials, and FAQs are available on the WatchGuard Web site: https://support.watchguard.com/AdvancedFaqs/
Special notices
The online help system is not yet available on the WatchGuard Web site.