User Manual

ManualsBrandsWatchGuard Technologies ManualsElectronicsSOHO6 Wireless, BF4S16E5W

Table Of Contents

WatchGuard

Firebox

SOHO 6

Wireless

User Guide

SOHO 6 firmware version 6.2

Summary of content (208 pages)

PAGE 1
WatchGuard Firebox SOHO 6 Wireless User Guide ® ® SOHO 6 firmware version 6.
PAGE 2
Using this Guide To use this guide you need to be familiar with your computer’s operating system. If you have questions about navigating in your computer’s environment, please refer to your system user manual. The following conventions are used in this guide. ii Convention Indication Bold type Menu commands, dialog box options, Web page options, Web page names. For example: “On the System Information page, select Disabled.” NOTE Important information, a helpful tip or additional instructions.
PAGE 3
Abbreviations used in this user guide 3DES Triple Data Encryption Standard DES Data Encryption Standard DNS Domain Name Service DHCP Dynamic Host Control Protocol DSL Digital Subscriber Line IP Internet Protocol IPSec Internet Protocol Security ISDN Integrated Services Digital Network ISP Internet Service Provider MAC Media Access Control MUVPN Mobile User Virtual Private Network NAT Network Address Translation PPP Point-to-Point Protocol PPPoE Point-to-Point Protocol over Etherne
PAGE 4
Certifications and Notices FCC Certification This appliance has been tested and found to comply with limits for a Class A digital appliance, pursuant to Part 15 of the FCC Rules. Operation is subject to the following two conditions: •This appliance may not cause harmful interference. •This appliance must accept any interference received, including interference that may cause undesired operation.
PAGE 5
CE Notice The CE symbol on your WatchGuard Technologies equipment indicates that it is in compliance with the Electromagnetic Compatibility (EMC) directive and the Low Voltage Directive (LVD) of the European Union (EU). Industry Canada This Class A digital apparatus meets all requirements of the Canadian Interference-Causing Equipment Regulations. Cet appareil numerique de la classe A respecte toutes les exigences du Reglement sur le materiel broulleur du Canada.
PAGE 6
VCCI Notice Class A ITE vi WatchGuard Firebox SOHO 6 Wireless
PAGE 7
Declaration of Conformity User Guide vii
PAGE 8
WATCHGUARD SOHO SOFTWARE END-USER LICENSE AGREEMENT WATCHGUARD SOHO SOFTWARE END-USER LICENSE AGREEMENT IMPORTANT - READ CAREFULLY BEFORE ACCESSING WATCHGUARD SOFTWARE This WatchGuard SOHO Software End-User License Agreement ("EULA") is a legal agreement between you (either an individual or a single entity) and WatchGuard Technologies, Inc.
PAGE 9
If you are accessing the SOFTWARE PRODUCT via a Web based installer program, you are granted the following additional rights to the SOFTWARE PRODUCT: (A) You may install and use the SOFTWARE PRODUCT on any computer with an associated connection to the SOHO hardware product in accordance with the SOHO user documentation; (B) You may install and use the SOFTWARE PRODUCT on more than one computer at once without licensing an additional copy of the SOFTWARE PRODUCT for each additional computer on which you want
PAGE 10
election. Disclaimer and Release.
PAGE 11
Restricted Rights. Use, duplication or disclosure by the U.S Government or any agency or instrumentality thereof is subject to restrictions as set forth in subdivision (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013, or in subdivision (c)(1) and (2) of the Commercial Computer Software -- Restricted Rights Clause at 48 C.F.R. 52.227-19, as applicable. Manufacturer is WatchGuard Technologies, Incorporated, 505 5th Ave. South, Suite 500,Seattle, WA 98104. 6.
PAGE 12
Notice to Users Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc. Copyright, Trademark, and Patent Information Copyright© 1998 - 2002 WatchGuard Technologies, Inc. All rights reserved.
PAGE 13
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3.
PAGE 14
and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3.
PAGE 15
4. The names "mod_ssl" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact rse@engelschall.com. 5. Products derived from this software may not be called "mod_ssl" nor may "mod_ssl" appear in their names without prior written permission of Ralf S. Engelschall. 6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software developed by Ralf S.
PAGE 16
5. Products derived from this software may not be called "Apache", nor may "Apache" appear in their name, without prior written permission of the Apache Software Foundation. THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
PAGE 17
liability for, performance of, enforcement of, or damages or other relief on account of, any such warranties or any breach thereof. 2. Remedies. If any Product does not comply with the WatchGuard warranties set forth in Section 1 above, WatchGuard will, at its option, either (a) repair the Product, or (b) replace the Product; provided, that you will be responsible for returning the Product to the place of purchase and for all costs of shipping and handling.
PAGE 18
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THIS SHALL BE TRUE EVEN IN THE EVENT OF THE FAILURE OF ANY AGREED REMEDY. 5. Miscellaneous Provisions. This Warranty will be governed by the laws of the state of Washington, U.S.A., without reference to its choice of law rules. The provisions of the 1980 United Nations Convention on Contracts for the International Sales of Goods, as amended, shall not apply.
PAGE 19
Contents Introduction .................................................. 1 Package contents ...................................................... 2 How does a firewall work? ........................................ 2 How does information travel on the Internet? .......... 4 How does the SOHO 6 Wireless process information? ..........................................................5 How Does Wireless Networking Work? .................... 5 SOHO 6 Wireless hardware description ...................
PAGE 20
SOHO 6 Wireless basics ........................... 29 SOHO 6 Wireless System Status page ...................29 Factory default settings ........................................... 31 Register your SOHO 6 Wireless and activate the LiveSecurity Service ............................................ 33 Reboot the SOHO 6 Wireless .................................34 CHAPTER 3 Configure the Network Interfaces ........... 37 External Network Configuration .............................
PAGE 21
Enable override MAC address for the external network ............................................................... 82 Create an Unrestricted Pass Through ..................... 82 Configure logging .....................................85 View SOHO 6 Wireless log messages .................... 86 Set up logging to a WatchGuard Security Event Processor log host .............................................. 87 Set up logging to a Syslog host .............................. 88 Set the system time ............
PAGE 22
MUVPN Clients ........................................119 Configure the SOHO 6 Wireless for MUVPN Clients .................................................120 Prepare the Remote Computers for the MUVPN Client ................................................................ 123 Install and Configure the MUVPN Client .............. 137 Connect and Disconnect the MUVPN Client ........ 147 Monitor the MUVPN Client Connection ............... 151 The ZoneAlarm Personal Firewall ..........................
PAGE 23
CHAPTER 1 Introduction This manual shows how to use your WatchGuard® Firebox® SOHO 6 Wireless or SOHO 6tc Wireless security appliance for secure access to the Internet.
PAGE 24
The only difference between these two appliances is the VPN feature. VPN is available as an upgrade option for the SOHO 6 Wireless. The SOHO 6tc Wireless includes the VPN upgrade option. The SOHO 6 Wireless provides security and wireless networking when your computer is connected to the Internet with a highspeed cable modem, DSL modem, leased line, or ISDN. The newest installation and user information is available from the WatchGuard Web site: http://support.watchguard.
PAGE 25
How does a firewall work? conferencing. A connection to the Internet is dangerous to the privacy and the security of your network. A firewall divides your internal network from the Internet to reduce this danger. The appliances on the trusted side of your SOHO 6 Wireless firewall are protected. The illustration below shows how the SOHO 6 Wireless physically divides your trusted network from the Internet.
PAGE 26
How does information travel on the Internet? The data that is sent through the Internet is divided into packets. To make sure that the packets are received at the destination, information is added to the packets. The protocols for these tasks are called TCP and IP. TCP disassembles and reassembles the data, for example an email message or a program file. IP adds information to the packets, which includes the destination and the handling requirements.
PAGE 27
How does the SOHO 6 Wireless process information? How does the SOHO 6 Wireless process information? Services A service is the group of protocols and port numbers for a specified program or type of application. The standard configuration of the SOHO 6 Wireless contains the correct settings for many standard services. Network Address Translation All connections from the trusted network to the external network through a SOHO 6 Wireless use dynamic NAT.
PAGE 28
the Institute of Electrical and Electronics Engineers (IEEE) and is part of a series of wireless standards. Unless adequately protected, a wireless network is susceptible to access from the outside by unauthorized users to compromise your machine or simply to access a free Internet connection. Increase your corporate network security by forcing users to authenticate with a Mobile User VPN client, creating a secure IPSec tunnel from the wireless computer to the SOHO 6 Wireless.
PAGE 29
SOHO 6 Wireless hardware description Wireless Wireless operating range--indoors (these values are approximations): 100 feet at 11 Mbps 165 feet at 5.5 Mbps 230 feet at 2 Mbps 300 feet at 1 Mbps Understanding IEEE 802.11b Wireless Communication In general, transmitted RF power and signal bandwidth place an upper limit on the rate that data can be transmitted over a wireless link.
PAGE 30
Noise Level (watts) The more in-band RF noise there is the less data can be transmitted over a given channel (wireless link). The noise level is primarily due to three factors: First, there is a minimum level of background noise due to the ambient temperature of the channel (atmosphere) and the bandwidth. Second, the 802.11b receiver will have an innate noise level due to its own components operating temperature. Third, there are many unlicensed transmitters using the same frequency bands as 802.11.
PAGE 31
SOHO 6 Wireless hardware description - How much directional antenna gain there is at the transmitter and receiver - The signal attenuation (path-loss) between the transmitter and receiver. Path Loss: The path-loss is directly proportional to line-of-site distance between transmitter and receiver, and inversely proportional to the wavelength of the transmitted signal. The equation for Signal Loss is: Loss = 20xLog10(4xpi x(Distance/Wavelength)). - Wavelength = (speed-of-light/ frequency).
PAGE 32
NOTE Laptop computers typically have one antenna, which is more susceptible to signal fading depending on position. This can lead to a situation where the SOHO 6 Wireless hears the laptop’s signal, but the laptop doesn’t hear the access point. Antenna Directional Gain: Antenna Gain is the result of how directional the radiation (transmit/receive signal strength) pattern is. The higher the gain, then the more directional the antenna is. The SOHO 6 Wireless ships with 5dBi antennas.
PAGE 33
SOHO 6 Wireless hardware description (1Mbps). The factor that determines which modulation scheme is used is the Packet Error Rate (PER). The modulation scheme switches automatically to maintain the PER at or below 8% by using slower data rates (different modulation schemes) as necessary. SOHO 6 Wireless front and rear views There are 14 indicator lights on the front panel of the SOHO 6 Wireless. The illustration below shows the front view.
PAGE 34
WAN WAN is lit while there is an active physical connection to the WAN port. The indicator flashes when data flows through the port. Mode Mode is lit while there is a connection to the Internet. There are five Ethernet ports, a reset button, and a power input on the rear of the SOHO 6 Wireless. The illustration below shows the rear view. RESET button Push the reset button to reset to the SOHO 6 Wireless to the factory default configuration.
PAGE 35
CHAPTER 2 Installation The SOHO 6 Wireless protects computers that are connected to it by Ethernet cable or wireless connection. Follow the procedures in this chapter to install the SOHO 6 Wireless and set up the wireless network. Because WatchGuard is concerned about the security of your network, the wireless feature is turned off on the SOHO 6 Wireless we ship you. This allows you to enable the wireless network after you set up the desired security.
PAGE 36
To set up the wireless network, you complete the following steps: • Set up the Wireless Network • Set up the Wireless Access Point • Configure the Wireless Card on your computer See the SOHO 6 Wireless QuickStart Guide included with the SOHO 6 Wireless for a summary of this information.
PAGE 37
Before you Begin the Installation router to the SOHO 6 Wireless and the SOHO 6 Wireless to your computer. 4 Attach the two antennae supplied with the SOHO 6 Wireless. NOTE The SOHO 6 Wireless must be installed to provide a separation distance of at least 20 centimeters from all persons and must not be collocated or operating in conjunction with any other antenna or transmitter. 5 Call your ISP to determine the method of network address assignment.
PAGE 38
Microsoft Windows NT 1 Click Start => Programs => Command Prompt. 2 At the default prompt, type ipconfig /all, then press Enter. 3 Record the TCP/IP settings in the table provided. 4 Click Cancel. Microsoft Windows 95 or 98 or ME 1 Click Start => Run. 2 Type: winipcfg. 3 Click OK. 4 Select the “Ethernet Adapter”. 5 Record the TCP/IP settings in the table provided. 6 Click Cancel. Macintosh 1 Click the Apple menu => Control Panels => TCP/IP.
PAGE 39
Before you Begin the Installation TCP/IP Setting Value IP Address Subnet Mask Default Gateway . . . . . . . . . DHCP Enabled DNS Server(s) Yes Primary Secondary No . . . . . . NOTE If you must connect more than one computer to the trusted network behind the SOHO 6 Wireless, determine the TCP/IP settings for each computer. Enable your computer for DHCP To open the configuration pages for the SOHO 6 Wireless, configure your computer to receive its IP address through DHCP.
PAGE 40
2 3 4 18 Double-click the Network & Dial-up Connections icon. Double-click the connection you use to connect to the Internet. The network connection dialog box opens. Click Properties. The network connection properties dialog box opens.
PAGE 41
Before you Begin the Installation 5 Double-click the Internet Protocol (TCP/IP) component. The Internet Protocol (TCP/IP) Properties dialog box opens. 6 Click to select the obtain an IP address automatically checkbox. 7 Click to select the Obtain DNS server address automatically checkbox. 8 Click OK to close the Internet Protocol (TCP/IP) Properties dialog box. 9 Click OK again to close the Network Connection Properties dialog box.
PAGE 42
the HTTP proxy setting in your browser is enabled, you can not open these pages to complete the configuration procedure. If the HTTP proxy setting is enabled, the browser only sees Web pages found on the Internet, and not pages in other locations. If the HTTP proxy setting is disabled, you can open the configuration pages in the SOHO 6 Wireless and Web pages on the Internet. The instructions below show how to disable the HTTP proxy setting in three browser applications.
PAGE 43
Physically Connect to the SOHO 6 Wireless 4 Click Proxies. 5 Make sure the Direct Connection to the Internet option is selected. 6 Click OK to save the settings. Internet Explorer 5.0, 5.5, and 6.0 1 2 Open Internet Explorer. Click Tools => Internet Options. The Internet Options window opens. 3 Click the Advanced tab. 4 Scroll down the page to HTTP 1.1 Settings. 5 Disable all of the check boxes. 6 Click OK to save the settings.
PAGE 44
Cabling the SOHO 6 Wireless for one to four appliances A maximum of four computers, printers, scanners, or other network peripherals can connect directly to the SOHO 6 Wireless. These connections use the four trusted network ports (0-3). To connect a maximum of four appliances, use the SOHO 6 Wireless as a network hub. 1 Shut down your computer. 2 If you connect to the Internet through a DSL modem or cable modem, disconnect the power supply to this device.
PAGE 45
Physically Connect to the SOHO 6 Wireless 3 Disconnect the Ethernet cable that connects your DSL modem, cable modem or other Internet connection to your computer. Connect this cable to the WAN port on the SOHO 6 Wireless. The SOHO 6 Wireless is connected directly to the modem or other Internet connection. 4 Connect one end of the straight-through Ethernet cable supplied with your SOHO 6 Wireless to a trusted network port (0-3) on the SOHO 6 Wireless.
PAGE 46
The base model SOHO 6 Wireless includes a ten-seat license. This license allows a maximum of ten appliances on the trusted network to connect to the Internet at the same time. There can be more than ten appliances on the trusted network, but the SOHO 6 Wireless will only allow ten Internet connections. A seat is in use when an appliance connects to the Internet and is free when the connection is broken. License upgrades are available from the WatchGuard Web site: http://www.watchguard.com/sales/buyonline.
PAGE 47
Physically Connect to the SOHO 6 Wireless • a straight-through Ethernet cable to connect each hub to the SOHO 6 Wireless. 1 Shut down your computer. If you connect to the Internet through a DSL modem or cable modem, disconnect the power supply from this device. 2 Disconnect the Ethernet cable that runs from your DSL modem, cable modem or other Internet connection to your computer. Connect the Ethernet cable to the WAN port on the SOHO 6 Wireless.
PAGE 48
Setting up the Wireless Network The SOHO 6 Wireless protects computers that are connected to it by Ethernet cable or wireless connection. Because WatchGuard is concerned about the security of your network, the wireless feature is turned off on the SOHO 6 Wireless we ship you. This allows you to enable the wireless network after you set up the desired security. Now that you have installed the SOHO 6 Wireless device, you can set up the optional wireless network.
PAGE 49
Setting up the Wireless Access Point Setting up the Wireless Access Point 1 From the navigation bar on the left side, select Network => Wireless Configuration. The Wireless Network Configuration page appears. 2 From the Encryption drop-down list, select Disabled. 3 From the Authentication drop-down, select Open System. 4 From Basic Settings, write down the number in the SSID text box for later use.
PAGE 50
5 Type the SSID that you wrote down from the Wireless Network Configuration page into the Network Name (SSID) text box. 6 Click OK to close the Wireless Network Properties dialog box. 7 8 Click Refresh. The operating system looks for all wireless connections and list them in the Available Networks text box. Select the SSID of the wireless computer that you configured to access the SOHO 6 Wireless. Click OK to enable the wireless connections.
PAGE 51
CHAPTER 3 SOHO 6 Wireless basics The configuration of the SOHO 6 Wireless is made through Web pages contained in the software of the SOHO 6 Wireless. You can connect to these configuration page with your Web browser. SOHO 6 Wireless System Status page Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6 Wireless: The default IP address is: http://192.168.111.1 The System Status page opens.
PAGE 52
The System Status page is the main configuration page of the SOHO 6 Wireless. A display of information about the SOHO 6 Wireless configuration is shown.
PAGE 53
Factory default settings • Configuration information for the trusted network and the external network • Configuration information for firewall settings (incoming services and outgoing services) • A reboot button to restart the SOHO 6 Wireless NOTE If the external network is configured to use the PPPoE protocol, the System Status page displays a connect button or a disconnect button. Use these buttons to start or terminate the PPPoE connection.
PAGE 54
System Security The System Security is disabled. The system administrator name and system administrator passphrase are not set. All computers on the trusted network can access the configuration pages. SOHO 6 Wireless Remote Management is disabled. VPN Manager Access is disabled. The remote logging is not configured. WebBlocker The WebBlocker is disabled and the settings are not configured. Upgrade Options The upgrade options are disabled until the license keys are entered into the configuration page.
PAGE 55
Register your SOHO 6 Wireless and activate the LiveSecurity Service 6 Connect the power supply. The PWR indicator is on and the reset is complete. The base model SOHO 6 Wireless The base model SOHO 6 Wireless includes a ten-seat license. This license allows a maximum of ten computers on the trusted network to connect to the Internet at the same time. There can be more than ten computers on the trusted network, but the SOHO 6 Wireless will only allow ten Internet connections.
PAGE 56
Register you SOHO 6 Wireless with the LiveSecurity Service at the WatchGuard Web site: http://www.watchguard.com/activate NOTE To activate the LiveSecurity Service, your browser must have JavaScript enabled. If you have a user profile on the WatchGuard Web site, enter your user name and password. If you do not have a user profile on the WatchGuard Web site, create a new account. Select your product and follow the instructions for product activation.
PAGE 57
Reboot the SOHO 6 Wireless NOTE The SOHO 6 Wireless requires 30 seconds to reboot. The Mode indicator on the front of the SOHO 6 Wireless will go off and then come on. 1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6 Wireless: The default IP address is: http://192.168.111.1 2 Click Reboot. or 2 Disconnect and reconnect the power supply.
PAGE 58
36 WatchGuard Firebox SOHO 6 Wireless
PAGE 59
CHAPTER 4 Configure the Network Interfaces External Network Configuration When you configure the external network, you select the method of communication between the SOHO 6 Wireless and the ISP. Make this selection based on the method of network address distribution in use by your ISP. The possible methods are static addressing, DHCP, or PPPoE. Network addressing To connect to a TCP/IP network, each computer must have an IP address. The assignment of IP addresses is dynamic or static.
PAGE 60
• If the assignment is static, all computers on the network have a permanently assigned IP address. There are no computers that have the same IP address. Most ISPs make dynamic IP address assignments through DHCP (Dynamic Host Configuration Protocol). When a computer connects to the network, a DHCP server at the ISP assigns that computer an IP address. The manual assignment of IP addresses is not necessary with this system.
PAGE 61
External Network Configuration configuration causes the ISP to communicate with the SOHO 6 Wireless and not your computer. 1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6 Wireless: The default IP address is: http://192.168.111.1 2 From the navigation bar on the left side, select Network => External. The External Network configuration page opens. 3 From the Configuration Mode drop-down list, select Manual Configuration.
PAGE 62
5 Click Submit. The configuration change is saved to the SOHO 6 Wireless. Configure the SOHO 6 Wireless external network for PPPoE If your ISP assigns IP addresses through PPPoE, your PPPoE login name and password are required to configure the SOHO 6 Wireless. To configure the SOHO 6 Wireless for PPPoE: 1 2 Open your Web browser and click Stop. Because the Internet connection is not configured, the browser can not load your home page from the Internet.
PAGE 63
External Network Configuration 5 Type the PPPoE login name and domain supplied by your ISP. 6 Type the PPPoE password supplied by your ISP. 7 Type the time delay before inactive TCP connections are disconnected. 8 9 Click Automatically restore lost connections. This option keeps a constant flow of traffic between the SOHO 6 Wireless and the PPPoE server. This option allows the SOHO 6 Wireless to keep the PPPoE connection open during a period of frequent packet loss.
PAGE 64
Configure the Trusted Network The DHCP Server option sets the SOHO 6 Wireless to assign IP addresses to the computers on the trusted network. The SOHO 6 Wireless uses DHCP to make the assignments. When the SOHO 6 Wireless receives a request from a new computer on the trusted network, the SOHO 6 Wireless assigns the computer an IP address. If you use a DHCP server to assign IP addresses, enable the DHCP Relay option.
PAGE 65
Configure the Trusted Network 3 Type the IP address and the subnet mask in the applicable fields. 4 Click to select the Enable DHCP Server on the Trusted Network check box. 5 Type the first IP address that is available for the computers that connect to the trusted network. 6 Type the WINS Server address, DNS Server primary address, DNS Server secondary address, and DNS Domain server suffix. 7 Click Submit. 8 Reboot the SOHO 6 Wireless if necessary.
PAGE 66
To configure the DHCP relay server: 1 From the Trusted Network configuration page, click the Enable DHCP Relay checkbox. 2 Type the IP address of the DHCP relay server. 3 Click Submit. 4 Reboot the SOHO 6 Wireless. The SOHO 6 Wireless receives a DHCP request from a computer on the trusted network. The request is sent from the SOHO 6 Wireless to the remote DHCP server. The SOHO 6 Wireless receives the IP address sent from the DHCP server.
PAGE 67
Configure the Trusted Network 6 Shut down and restart the computer. Configure the trusted network with static addresses To disable the SOHO 6 Wireless DHCP server and make static address assignments, follow these steps: 1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6 Wireless: The default IP address is: http://192.168.111.1 2 From the navigation bar on the left side, select Network => Trusted.
PAGE 68
3 Type the IP address and the subnet mask in the applicable fields. 4 Reset the Enable DHCP Server on the Trusted Network check box. 5 Click Submit 6 Reboot the SOHO 6 Wireless as necessary. 7 Configure the appliances on the trusted network with static addresses. Configure the Optional Network for Wireless Networking To turn on the wireless network, you must enable the optional network.
PAGE 69
Configure the Optional Network for Wireless Networking 2 From the navigation bar on the left side, select Network => Optional (802.11b). The Optional Network Configuration page opens. 3 4 Click the Enable Optional Network checkbox. To turn on the wireless network, you need to enable the optional network. Type the IP address and subnet mask of the optional network. The default IP Address is 192.168.112.1. The default Subnet Mask is 255.255.255.0.
PAGE 70
5 Select Enable DHCP Server on the Optional Network checkbox. 6 Type the First address for DHCP server. 7 Type the WINS Server address, DNS Server primary address, DNS Server secondary address, and DNS Domain server suffix. 8 To enable the DHCP Relay on the optional network, click Enable DHCP Relay checkbox and enter the IP address of the DHCP relay server in the text box.
PAGE 71
Configure the Wireless Network Configure the Wireless Network Once you turned on the wireless network by enabling the optional network, you can set up the security setting for your wireless connection. Configure Security The SOHO 6 Wireless uses the industry standard security protocol, Wired Equivalent Privacy (WEP), specified by the IEEE standard 802.11b.
PAGE 72
2 From the navigation bar on the left side, select Network => Wireless Configuration. The Wireless Network Configuration page appears. 3 From the Encryption drop-down list, select the level of encryption you want applied to your wireless connections. The options are Disabled, 40/64 bit WEP, and 128 bit WEP.
PAGE 73
Configure the Wireless Network Disabled The default is Disabled, and you should use this option for the initial connection. Your wireless connection is not using WEP when Disabled is selected. 40/64 bit WEP or128 bit WEP Once you complete the initial connection between your wireless computer and SOHO 6 Wireless, you can change this option to add WEP. Select either 40/64 bit or128 bit based on what the wireless card in your computer supports.
PAGE 74
To change the SSID of the SOHO 6 Wireless: • In the Basic Settings section, type a new identification in SSID text box. The default SSID is the 5 digit serial number for your SOHO 6 Wireless device. The first four digits of the serial number are the product code and are not part of the SSID. The next five digits after the product code are the serial number. The remaining characters are an encoded hash for security uses. The maximum identification length is 20 characters.
PAGE 75
Configure the Wireless Network Configure the Beacon Rate 1 In the AP Beacon Rate text box, type the beacon rate in milliseconds (100 through 10,000) that you want the SOHO 6 Wireless to use. The beacon rate is the rate the SOHO 6 Wireless sends out broadcasts so that the wireless computers can find it. 2 If you want the SOHO 6 Wireless to broadcast a beacon rate, select Enabled from the Broadcast SSID in AP Beacon Frames. If you do not want to broadcast the beacon rate, select Disabled.
PAGE 76
Configure static routes To send the specified packets to different segments of the trusted network connected through a router or switch, configure static routes. Follow these instructions to configure static routes: 1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6 Wireless: The default IP address is: http://192.168.111.1 2 From the navigation bar on the left side, select Network => Routes. The Routes page opens. 3 54 Click Add.
PAGE 77
View network statistics 4 From the Type drop-down list, select either Host or Network. 5 Type the IP address and the gateway of the route in the applicable fields. The gateway of the route is the local interface of the router. 6 Click Submit. To remove a route, select the route and click Remove. View network statistics The Network Statistics page gives information about network performance. This page is useful during troubleshooting.
PAGE 78
2 From the navigation bar on the left side, select Network => Network Statistics. The Network Statistics page opens. Configure the dynamic DNS Service This feature allows you to register the external IP address of the SOHO 6 Wireless with the dynamic DNS (Domain Name Server) service DynDNS.org. A dynamic DNS service makes sure that the IP address attached to your domain name is changed when your ISP assigns you a new IP address.
PAGE 79
Configure the dynamic DNS Service NOTE WatchGuard is not affiliated with dyndns.org. 2 From the navigation bar on the left side, select Network => DynamicDNS. The Dynamic DNS client page opens. 3 Select the Enable Dynamic DNS client checkbox. 4 Type the domain, name, and password in the applicable fields. 5 Click Submit.
PAGE 80
58 WatchGuard Firebox SOHO 6 Wireless
PAGE 81
CHAPTER 5 Administrative options Use the SOHO 6 Wireless Administration page to configure access to the SOHO 6 Wireless. The System Security, SOHO 6 Wireless Remote ManagementTM feature, and VPN Manager Access are configured from the Administration page. The firmware updates, upgrade activation, and display of the SOHO 6 Wireless configuration file in a text format are done from the Administration page.
PAGE 82
System security A passphrase prevents access to the configuration of the SOHO 6 Wireless by an unauthorized user on the trusted network. The use of a passphrase is important to the security of your network. NOTE Record the system administrator name and passphrase in a safe location. When system security is enabled, the system administrator name and passphrase are required to access the configuration pages.
PAGE 83
The System Security page 3 Verify that the HTTP Server Port is set to 80. 4 Click to select the Enable System Security check box. 5 Type a System Administrator Passphrase and then type it again to confirm. 6 Click Submit. SOHO 6 Wireless Remote Management Both the SOHO 6 Wireless and SOHO 6tc Wireless come equipped with the SOHO 6 Wireless Remote Management feature.
PAGE 84
connection, using Internet Protocol Security (IPSec), over an unsecured network from your remote computer in order to remotely manage your SOHO 6 Wireless. For example, the MUVPN client is installed and configured on your computer. You then establish a standard Internet connection and activate the MUVPN client. The MUVPN client creates an encrypted tunnel to your SOHO 6 Wireless. You can now access the SOHO 6 Wireless configuration pages without compromising security.
PAGE 85
Set up VPN manager access Networking or directly through a local area network (LAN) or wide area network (WAN). From the Windows desktop system tray: 10 Verify the MUVPN client status–it must be activated. If it is not, right-click the icon and select Activate Security Policy. For information on how to determine the status of the MUVPN icon, see Chapter 11, “The Mobile User VPN client icon” on page 148. Then, from the Windows desktop system tray: 11 Right-click the icon and select Connect.
PAGE 86
2 From the navigation bar on the left side, select Administration => VPN Manager Access. The VPN Manager Access page opens. 3 Select Enable VPN Manager Access. 4 Type the Status Passphrase. 5 Type the Status Passphrase again to confirm. 6 Type the Configuration Passphrase. 7 Type the Configuration Passphrase again to confirm. NOTE These passphrases must match the passphrases used in the VPN Manager software or the connection will fail. 8 64 Click Submit.
PAGE 87
Update the firmware Update the firmware Check regularly for SOHO 6 Wireless firmware updates on the WatchGuard Web site: http://support.watchguard.com/sohoresources/ Download the .exe or .wgd files that contain the firmware update. The .exe file is an installer and the .wgd file is a binary file. The .wgd file is an advanced installation method. NOTE The .exe file is not available for firmware previous to the 6.0 release. To install the .exe file: 1 2 Save the .exe file to your computer.
PAGE 88
4 Type the location of the .wgd firmware files on your computer. OR 4 Click Browse and locate the .wgd firmware files on your computer. NOTE Check your SOHO 6 Wireless firewall settings to make sure that your firewall allows .wgd files. 5 Click Update. Follow the instructions provided by the update wizard. NOTE The update wizard requests a user name and password. Type the system administrator name and passphrase configured on the System Security page. The default values are “user” and “pass”.
PAGE 89
Activate the SOHO 6 Wireless upgrade options LiveSecurity Service Web site. See “Register your SOHO 6 Wireless and activate the LiveSecurity Service” on page 33 for more information. Follow these steps to activate an upgrade option: 1 Go to the upgrade page of the WatchGuard Web site: http://www.watchguard.com/upgrade 2 Type your User Name and Password. 3 Click Log In. 4 Follow the instructions provided on the Web site to activate your license key.
PAGE 90
Upgrade options Seat licenses A seat license upgrade allows more connections between the trusted or optional network and the external network. A wired connection goes to the trusted and the wireless connection goes to the optional. For example, a 25-seat license allows 25 wired or wireless connections instead of the standard 10 connections. IPSec Virtual Private Networking (VPN) The VPN upgrade is necessary to configure virtual private networking. The SOHO 6tc Wireless includes a VPN upgrade license key.
PAGE 91
View the configuration file LiveSecurity Service subscription renewals Purchase a LiveSecurity subscription renewal for a period of one or two years from your reseller or the WatchGuard online store. Go to the renew page of the WatchGuard Web site to purchase or activate a subscription renewal: http://www.watchguard.com/renew/ Follow the instructions on the Web site.
PAGE 92
70 WatchGuard Firebox SOHO 6 Wireless
PAGE 93
CHAPTER 6 Configure the Firewall Settings Firewall settings The configuration settings of the SOHO 6 Wireless control the flow of traffic between the trusted network and the external network. The configuration you select depends on the types of risks that are acceptable for the trusted network. The SOHO 6 Wireless lists many standard services on the configuration page. A service is the combination of protocol and port numbers for a type of application or type of communication.
PAGE 94
are permitted. For example, to operate a Web server behind the SOHO 6 Wireless, add an incoming Web service. Select carefully the number and the types of services that you add. The added services decrease the security of your network. Compare the value of access to each service against the security risk caused by that service.
PAGE 95
Configure incoming and outgoing services 2 Locate a pre-configured service, such as FTP, Web, or Telnet, then select either Allow or Deny from the drop-down list. The illustration shows the HTTP service configured to allow incoming traffic. 3 Type the trusted network IP address of the computer to which this rule applies. The illustration shows the HTTP service configured to allow incoming traffic to the computer with IP address 192.168.111.2. 4 Click Submit.
PAGE 96
3 Type a name for the service in the Service name field. 4 Select TCP Port, UDP Port, or Protocol from the drop-down list below the Protocol Settings. 5 In the fields separated by the word To, enter the port number or the range of port numbers, or enter the protocol number. The Custom Service page refreshes. NOTE For a TCP port or a UDP port, specify a port number. For a protocol, specify a protocol number. You cannot specify a port number for a protocol.
PAGE 97
Block external sites 6 Click Add. The following steps determine how the service is filtered. 7 Select Allow or Deny from the Incoming Filter and Outgoing Filter drop-down lists. 8 Select Host IP Address, Network IP Address, or Host Range from the drop-down list at the bottom of the page. The Custom Service page refreshes. 9 Type a single host IP address, a network IP address, or the start and end of a range of host IP addresses in the address field. 10 Click Add.
PAGE 98
2 Select either Host IP Address, Network IP Address, or Host Range from the drop-down list. The Blocked Sites page refreshes. 3 Type a single host IP address, a network IP address, or the start and end of a range of host IP addresses in the address field. The illustration shows the selection Host IP Address and the IP address 207.68.172.246. 4 5 76 Click Add. The address information appears in the Blocked Sites field. Click Submit.
PAGE 99
Firewall options Firewall options The previous sections described how to allow or deny complete classes of services. The Firewall Options page allows the configuration of general security policies. 1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6 Wireless: The default IP address is: http://192.168.111.1 2 From the navigation bar on the left side, select Firewall => Firewall Options. The Firewall Options page opens.
PAGE 100
Ping requests received from the external network You can configure the SOHO 6 Wireless to deny all ping packets received on the external interface. 1 Set the Do not respond to PING requests received on External Network check box. 2 Click Submit. Denying FTP access to the trusted network interface You can configure the SOHO 6 Wireless to prevent FTP access to the computers on the trusted network by the computers on the external network. 1 Set Do not allow FTP access to Trusted Network check box.
PAGE 101
Firewall options NOTE Configure the SOCKS-compatible application to connect to IP addresses and not to domain names. Applications that can only reference domain names are not compatible with the SOHO 6 Wireless. Some SOCKS-compatible applications that function correctly when used through the SOHO 6 Wireless are ICQ, IRC, and AOL Messenger. NOTE When a computer in the trusted network uses a SOCKS-compatible application, other users on the trusted network have free access to that computer.
PAGE 102
• Set the SOCKS proxy to the URL or IP address of the SOHO 6 Wireless. The default IP address is: http:// 192.168.111.1.
PAGE 103
Firewall options Disabling SOCKS on the SOHO 6 Wireless After a SOCKS-compatible application has connected through the SOHO 6 Wireless, the SOCKS port stays open. After the application terminates, the SOCKS port is available to anyone on your trusted network. The following steps prevent this security problem. When the SOCKS-compatible application is not in use: 1 Set the Disable SOCKS proxy check box. This disables the SOCKS proxy feature of the SOHO 6 Wireless. 2 Click Submit.
PAGE 104
Enable override MAC address for the external network If your ISP requires a MAC address, enable this option. The SOHO 6 Wireless will use its own MAC address for the trusted network. You can enter a new MAC address for use on the external network. Follow these steps to enable this option: 1 Set the Enable override MAC address for the External Network check box. 2 Type the new MAC address for the SOHO 6 Wireless external network. 3 Click Submit.
PAGE 105
Create an Unrestricted Pass Through Follow these steps to configure a pass through: 1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6 Wireless: The default IP address is: http://192.168.111.1 2 From the navigation bar on the left side, select Firewall => Pass Through. The Unrestricted Pass Through IP Address page opens. 3 Set the Enable pass through address check box.
PAGE 106
84 WatchGuard Firebox SOHO 6 Wireless
PAGE 107
CHAPTER 7 Configure logging The SOHO 6 Wireless logging feature records a log of the events related to the security of the trusted network. Communication with the WatchGuard WebBlocker database and incoming traffic are examples of events that are recorded. The log records the events that show possible security problems. A denied packet is the most important type of event to log. A sequence of denied packets can show that an unauthorized person tried to access your network.
PAGE 108
View SOHO 6 Wireless log messages The SOHO 6 Wireless event log records a maximum of 150 log messages. If a new entry is added when the event log is full, the oldest log message is removed. The log messages include the time synchronizations between the SOHO 6 Wireless and the WatchGuard Time Server, packets discarded because of a packet handling violation, duplicate messages, return error messages, and IPSec messages.
PAGE 109
Set up logging to a WatchGuard Security Event Processor log host NOTE The newest entry is shown at the top of the event log. This option synchronizes the clock of the SOHO 6 Wireless to your computer: • Click Sync Time with Browser now. The SOHO 6 Wireless synchronizes the time at startup. Set up logging to a WatchGuard Security Event Processor log host The WSEP (WatchGuard Security Event Processor) is an application that is available with the WatchGuard Firebox System package used by a Firebox II/III.
PAGE 110
3 Select Enable WatchGuard Security Event Processor Logging. 4 Type the IP address of the WSEP server that is your log host in the applicable field. In the illustration, the IP address is 192.168.111.5. 5 Type a passphrase in the Log Encryption Key field. 6 Confirm the passphrase in the Confirm Key field. 7 Click Submit. NOTE Use the same encryption key recorded in the WSEP application. Set up logging to a Syslog host This option sends the SOHO 6 Wireless log entries to a Syslog host.
PAGE 111
Set up logging to a Syslog host Follow these steps to configure a Syslog Host: 1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6 Wireless: The default IP address is: http://192.168.111.1 2 From the navigation bar on the left side, select Logging => Syslog Logging. The Syslog Logging page opens. 3 4 Set the Enable syslog output check box. Type the IP address of the Syslog server. In the illustration, the IP address is 206.253.208.
PAGE 112
are sent through a VPN tunnel, the data is encrypted with IPSec technology. Set the system time The SOHO 6 Wireless records the time of each log entry. The time recorded in the log entries is from the SOHO 6 Wireless system clock. Follow these steps to set the system time: 1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6 Wireless: The default IP address is: http://192.168.111.
PAGE 113
Set the system time 2 From the navigation bar on the left side, select Logging => System Time. The System Time page opens. This step synchronizes the system time with the WatchGuard Time Server: 3 Select Get Time From WatchGuard Time Server. This step synchronizes the system time with a TCP Port 37 Time Server: 4 Select Get Time From TCP Port 37 Time Server at. 5 Type the IP address of the time server in the applicable field. 6 Click Submit.
PAGE 114
NOTE The time zone selection is only used when the Get Time From WatchGuard Time Server check box is selected.
PAGE 115
CHAPTER 8 SOHO 6 Wireless WebBlocker WebBlocker is an option for the SOHO 6 Wireless that allows the system administrator to control which Web sites the users can access. How WebBlocker works WebBlocker uses a database of Web site addresses, which is owned and maintained by SurfControl. The database shows the type of content found on thousands of Web sites. WatchGuard puts the newest version of the SurfControl database on the WebBlocker server at regular intervals.
PAGE 116
Web site not in the WebBlocker database If the Web site is not in the WatchGuard WebBlocker database, the Web browser opens the page. Web site in the WebBlocker database If the site is in the WatchGuard WebBlocker database, the SOHO 6 Wireless examines the configuration to see if that type of site is permitted. When the type of site is not permitted, the user is told that the site is not available. If the type of site is permitted, the Web browser opens the page.
PAGE 117
Purchase and activate SOHO 6 Wireless WebBlocker WebBlocker users and groups Groups A group is a set of users on the trusted network. Users Users are persons that use the computers on the trusted network. Bypass the SOHO 6 Wireless WebBlocker The SOHO 6 Wireless WebBlocker configuration page includes a full access password field. Give this password to those users of the trusted network allowed to bypass WebBlocker.
PAGE 118
WebBlocker settings Use the WebBlocker settings page to: • activate the WebBlocker; • set the full access password; • set the inactivity timeout; • require that your Web users authenticate. 1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6 Wireless: The default IP address is: http://192.168.111.1 2 From the navigation bar on the left side, select WebBlocker => Settings. The WebBlocker Settings page opens.
PAGE 119
Configure the SOHO 6 Wireless WebBlocker 4 Type the full access password. The full access password allows a user to access all Web sites until the 5 password expires or the browser is closed. Type the Inactivity Timeout in minutes. The inactivity timeout disconnects Internet connections that are inactive for the set number of minutes. 6 To set the WebBlocker to use groups and users, set the Require Web users to authenticate check box. 7 Click Submit to register your changes.
PAGE 120
2 From the navigation bar on the left side, select WebBlocker => Groups. The WebBlocker Groups page opens. 3 98 Click New to create a group name and profile.
PAGE 121
Configure the SOHO 6 Wireless WebBlocker 4 5 Define a Group Name and set the types of content to filter for this group. Click Submit. A new Groups page opens that shows the configuration changes.
PAGE 122
6 To the right of the Users field, click New. The New User page opens. 7 Type a new user name and passphrase. 8 Confirm the passphrase.
PAGE 123
WebBlocker Categories 9 Use the Group drop-down list to assign the new user to a given group. 10 Click Submit. NOTE To remove a user or group, make a selection and click Delete. WebBlocker Categories The WebBlocker database contains the following 14 categories: NOTE A Web site is only added to a category if the contents of the Web Site advocate the subject matter of the category. Web sites that provide opinion or educational material about the subject matter of the category are not included.
PAGE 124
online sports, or financial betting, including non-monetary dares. Militant/extremist Pictures or text advocating extremely aggressive or combative behavior or advocacy of unlawful political measures. Topic includes groups that advocate violence as a means to achieve their goals. It also includes pages devoted to “how to” information on the making of weapons (for both lawful and unlawful reasons), ammunition, and pyrotechnics.
PAGE 125
WebBlocker Categories Gross Depictions Pictures or text describing anyone or anything that is either crudely vulgar, grossly deficient in civility or behavior, or shows scatological impropriety. Topic includes depictions of maiming, bloody figures, and indecent depiction of bodily functions. Violence/profanity Pictures or text exposing extreme cruelty or profanity. Cruelty is defined as: physical or emotional acts against any animal or person that are primarily intended to hurt or inflict pain.
PAGE 126
Sexual Acts Pictures or text exposing anyone or anything involved in explicit sexual acts and/or lewd and lascivious behavior. Topic includes masturbation, copulation, pedophilia, as well as intimacy involving nude or partially nude people in heterosexual, bisexual, lesbian, or homosexual encounters. It also includes phone sex advertisements, dating services, adult personals, and sites devoted to selling pornographic CD-ROMs and videos. Full Nudity Pictures exposing any or all portions of human genitalia.
PAGE 127
CHAPTER 9 VPN—Virtual Private Networking This chapter tells how to use the VPN with IPSec upgrade option of the WatchGuard SOHO 6 Wireless. Why create a Virtual Private Network? Use a VPN tunnel to make an inexpensive and secure connection between the computers in two locations. Expensive, dedicated point-to-point connections are not necessary for a VPN connection. A VPN tunnel gives the security necessary to use the public Internet for a private virtual connection between two locations.
PAGE 128
What You Need • One WatchGuard SOHO 6 Wireless with VPN and one IPSec-compatible appliance. NOTE IPSec-compatible appliances include the WatchGuard SOHO 6 Wireless, the WatchGuard Firebox II/III, and the Firebox Vclass.
PAGE 129
What You Need IP Address Table (example): Item Description External IP Address The IP address that identifies the IPSeccompatible appliance to the Internet. Assigned By ISP Site A: 207.168.55.2 Site B: 68.130.44.15 External Subnet Mask The bitmask that shows which part of the IP address identifies the local network. For example, a class C address includes 256 addresses and has a netmask of 255.255.255.0. ISP Site A: 255.255.255.0 Site B: 255.255.255.
PAGE 130
Site A: OurLittleSecret Site B: OurLittleSecret Encryption Method DES uses 56-bit encryption. 3DES uses 168-bit encryption. The 3DES encryption method gives better security, but decreases the speed of communication. The two IPSec-compatible appliances must use the same encryption method. You Site A: 3DES Site B: 3DES Authentication The two IPSec-compatible appliances must use the same authentication method.
PAGE 131
Step-by-step instructions to configure a SOHO 6 Wireless VPN tunnel Step-by-step instructions to configure a SOHO 6 Wireless VPN tunnel Instructions that tell how to configure a VPN tunnel between a SOHO 6 Wireless and another IPSec-compatible appliance are available from the WatchGuard Web site: https://support.watchguard.com/AdvancedFaqs/sointerop_main.
PAGE 132
Frequently Asked Questions Why do I need a static external address? To make a VPN connection, each of the two appliances must know the IP address of the other appliance. If the addresses are dynamic, the addresses can change. A changed address prevents a connection between the two appliances. How do I get a static external IP address? The external IP address for your computer or network is assigned by your ISP.
PAGE 133
Set Up multiple SOHO-SOHO VPN tunnels 2 When you can ping the external address of each SOHO 6 Wireless, try to ping a local address in the remote network. From Site A, ping 192.168.111.1. If the VPN tunnel functions correctly, the remote SOHO 6 Wireless sends the ping back. If the ping does not come back, make sure the local settings are correct. Make sure that the local DHCP address ranges for the two networks connected by the VPN tunnel do not use any of the same IP addresses.
PAGE 134
2 From the navigation bar on the left side, select VPN => Manual VPN. The Manual VPN page opens.
PAGE 135
Set Up multiple SOHO-SOHO VPN tunnels 3 Click Add to set up the VPN tunnel. The Add Gateway page opens.
PAGE 136
Type the Name and Shared Secret for the SOHO 6 Wireless at the remote end of the VPN tunnel. 4 The shared secret is a passphrase used by two IPSec-compatible appliances to encrypt and decrypt the data that goes through the VPN tunnel. The two appliances use the same passphrase. If the appliances do not have the same passphrase, they can not encrypt and decrypt the data correctly. Use the default Phase 1 settings or change the settings as necessary.
PAGE 137
Set Up multiple SOHO-SOHO VPN tunnels - If you set Aggressive Mode and have a static IP address, the Local ID must be an IP Address and the Remote ID can be either an IP address or a domain name. - If you set Aggressive Mode and have a dynamic IP address, the Local ID must be a domain name and the Remote ID can be either an IP address or a domain name. 9 In the Authentication Algorithm drop-down list, set the type of authentication.
PAGE 138
15 Set the authentication in the Authentication Algorithm dropdown list. The options are None (no authentication), MD5HMAC (128-bit authentication) or SHA1-HMCA (160-bit authentication). 16 Set the type of encryption in the Encryption Algorithm dropdown list. The options are None (no authentication), DES-CBC or 3DES-CBC. 17 Click the Enable Perfect Forward Secrecy check box, if necessary.
PAGE 139
MUVPN Clients To set up split tunneling follow these steps: 1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6 Wireless: The default IP address is: http://192.168.111.1 2 From the navigation bar on the left side, select VPN => Manual VPN. The Manual VPN page opens. 3 4 Click Add. The Add Gateway page opens. Configure the gateway.
PAGE 140
information on configuring a wireless network to require MUVPN connections, see “Configure the Optional Network for Wireless Networking” on page 46. View the VPN Statistics The SOHO 6 Wireless has a configuration page that displays VPN statistics. Use this page to monitor VPN traffic and to solve problems with the VPN configuration.
PAGE 141
CHAPTER 10 MUVPN Clients MUVPN clients uses Internet Protocol Security (IPSec) to establish a secure connection over an unsecured network from a remote computer to your protected network. For example, the MUVPN client is installed on an employee’s computer, on the road or working from home. The employee establishes a standard Internet connection and activates the MUVPN client.
PAGE 142
more MUVPN connections with the MUVPN Client upgrade. For information about upgrading, see “Activate the SOHO 6 Wireless upgrade options” on page 66. ZoneAlarm®, a personal firewall software application, is included as an optional feature with the MUVPN client to provide further security for your end users. The purpose of this chapter is to assist users of the SOHO 6 Wireless to set up the MUVPN client on an end-user’s remote computer and to explain the features of the personal firewall.
PAGE 143
Configure the SOHO 6 Wireless for MUVPN Clients 2 From the navigation bar on the right side, select VPN => MUVPN Clients. The MUVPN Clients page appears.
PAGE 144
3 4 5 6 7 8 122 Click the Add button. The Edit MUVPN Client page appears. Type a Username in the appropriate field. This Username will be used as the E-mail Address when setting up the MUVPN client. Type a Passphrase in the appropriate field. This passphrase will be used as the Pre-Shared Key when setting up the MUVPN client. Type the Virtual IP address which will be used by the MUVPN computer when connecting to the SOHO 6 Wireless in the appropriate field. Select the Authentication Algorithm.
PAGE 145
Prepare the Remote Computers for the MUVPN Client 9 From the VPN Client Type drop list, select Mobile User. 10 Enable the All traffic uses tunnel (0.0.0.0/0 Subnet) checkbox to force all traffic from the MUVPN client to go through IPSec tunnel. 11 Click the Submit button. Prepare the Remote Computers for the MUVPN Client The MUVPN client is only compatible with the Windows operating system. Every Windows system used as a MUVPN remote computer must have the following system requirements.
PAGE 146
• An Internet Service Provider account • A Dial-Up or Broadband (DSL or Cable modem) Connection Additionally, in order for Windows file and print sharing to occur through the MUVPN client tunnel each Windows operating system must have the proper components installed and configured to use the remote WINS and DNS servers on the trusted and optional networks behind the Firebox. NOTE You can not use the MUVPN client virtual adapter. Make sure this is disabled.
PAGE 147
Prepare the Remote Computers for the MUVPN Client 6 Type a description for your computer (optional). 7 Click OK. Click OK to close and save changes to the Network control panel. Click Cancel if you do not want to save any changes. 8 Reboot the machine. Installing the Client for Microsoft Networks From the Networks window: 1 2 Click the Configuration tab. Click Add. The Select Network Component Type window appears. Select Client. Click Add. The Select Network Client window appears.
PAGE 148
2 3 Click the Windows Setup tab. The Windows Setup dialog box appears and searches for installed components. Enable the Communications checkbox and click the OK button. The Copying Files dialog box appears and copies the necessary files. 4 The Dial-Up Networking Setup dialog box appears and prompts you to restart the computer. Click the OK button. The computer reboots. Further, Windows 98 requires that the Dial-up Networking component be updated with the 1.4 patch.
PAGE 149
Prepare the Remote Computers for the MUVPN Client NOTE You must list the DNS server on the Private network behind the Firebox first. 6 Click the WINS Configuration tab. 7 Verify that the Enable WINS Resolution option has been enabled. 8 Under the “WINS Server Search Order” heading, enter your WINS server IP address, then click the Add button. If you have multiple remote WINS servers repeat this step. 9 Click the OK button to close the TCP/IP Properties window.
PAGE 150
3 Click the Add button. 4 Select Remote Access Services from the list, then click the OK button. 5 Enter the path to the Windows NT install files or insert your system installation CD, then click the OK button. The Remote Access Setup dialog box appears. 6 Click the Yes button to add a RAS capable device and enable you to add a modem. 7 Click the Add button and complete the Install New Modem wizard.
PAGE 151
Prepare the Remote Computers for the MUVPN Client 3 Select the TCP/IP protocol and click the Properties button. The Microsoft TCP/IP Properties window appears. 4 Click the DNS tab. 5 Click the Add button. 6 Type your DNS server IP address in the appropriate field. If you have multiple remote DNS servers repeat the previous three steps. NOTE You must list the DNS server on the Private network behind the Firebox first. 7 Click the WINS Address tab.
PAGE 152
4 Verify that the following components are present and enabled: - Internet Protocol (TCP/IP) - File and Printer Sharing for Microsoft Networks - Client for Microsoft Networks Install these components if they are not already present. Installing the Internet Protocol (TCP/IP) network component From the Windows desktop: 1 Select Start => Settings => Network and Dial-up Connections, then select the Dial-up connection you use to access the Internet. The connection window appears.
PAGE 153
Prepare the Remote Computers for the MUVPN Client 3 4 5 Select the Networking tab and then click the Install button. The Select Network Component Type window appears. Double click the Services network component. The Select Network Service window appears. Select the File and Printer Sharing for Microsoft Networks Network Service and then click the OK button.
PAGE 154
From the Windows desktop: Select Start => Settings => Network and Dial-up Connections, then select the Dial-up connection you use to access the Internet. 1 The connection window appears. 2 Click the Properties button. 3 Click the Networking tab. 4 Select the Internet Protocol (TCP/IP) component, then click the Properties button. The Internet Protocol (TCP/IP) Properties window appears. Click the Advanced button. 5 The Advanced TCP/IP Settings window appears. 6 Click the DNS tab.
PAGE 155
Prepare the Remote Computers for the MUVPN Client 13 Under the “WINS addresses, in order of use” heading, click the Add button. The TCP/IP WINS Server window appears. 14 Type your WINS server IP address in the appropriate field, then click the Add button. If you have multiple remote DNS servers repeat the last two steps. 15 Click the OK button to close the Advanced TCP/IP Settings window. 16 Click the OK button to close the Internet Protocol (TCP/IP) Properties window.
PAGE 156
Installing the Internet Protocol (TCP/IP) Network Component From the Windows desktop: 1 Select Start => Control => Network Connections, then select the connection you use to access the Internet. The connection window appears. 2 3 4 5 Click the Properties button. Select the Networking tab and then click the Install button. The Select Network Component Type window appears. Double click the Protocol network component. The Select Network Protocol window appears.
PAGE 157
Prepare the Remote Computers for the MUVPN Client Installing the Client for Microsoft Networks From the Windows desktop: 1 Select Start => Control => Network Connections, then select the connection you use to access the Internet. The connection window appears. 2 3 4 Click the Properties button. Select the Networking tab and then click the Install button. The Select Network Component Type window appears. Double click the Client network component. The Select Network Protocol window appears.
PAGE 158
Click the Advanced button. 5 The Advanced TCP/IP Settings window appears. 6 Click the DNS tab. 7 Under the “DNS server addresses, in order of use” heading, click the Add button. The TCP/IP DNS Server window appears. 8 Type your DNS server IP address in the appropriate field, then click the Add button. If you have multiple remote DNS servers repeat the last two steps. NOTE You must list the DNS server on the Private network behind the Firebox first.
PAGE 159
Install and Configure the MUVPN Client 18 Click the Cancel button again to close the Dial-up connection window. Install and Configure the MUVPN Client The MUVPN installation files are available at the WatchGuard Web site: http://www.watchguard.com/support NOTE In order to perform the installation process successfully, you must log into the remote computer with local administrator rights.
PAGE 160
6 Select the type of setup. By default, Typical is enabled–this is the setup recommended by WatchGuard. Click the Next button. 7 If you are installing the client on a Windows 2000 host, the InstallShield detects the native Windows 2000 L2TP component. The client uses this component and does not need to install its own. Click the OK button to continue with the install. The Select Components window appears. Keep the default components and click the Next button. 8 The Start Copying Files window appears.
PAGE 161
Install and Configure the MUVPN Client time after installation. For more information regarding ZoneAlarm, see “The ZoneAlarm Personal Firewall” on page 153. Configuring the MUVPN Client Once you have restarted the machine, the WatchGuard Policy Import dialog box appears. Click the Cancel button as this step is not necessary. From the Windows desktop system tray: 1 Right-click the MUVPN client icon and select Activate Security Policy and then double-click the MUVPN client icon.
PAGE 162
4 5 6 Click to select the Secure option. This is the default setting. Click to select the Only Connect Manually checkbox. Select the IP Subnet option from the ID Type drop list. The Remote Part Identity and Addressing settings refresh to display the appropriate fields. 7 Type the network IP Address of the Trusted Network behind the SOHO 6 Wireless in the field labeled “Subnet”. 8 Type the Subnet Mask of the Trusted Network behind the SOHO 6 Wireless in the field labeled “Mask”.
PAGE 163
Install and Configure the MUVPN Client 2 3 Select My Identity. The My Identity and Internet Interface settings appear to the right. Select Options => Global Policy Settings. The Global Policy Settings dialog box appears.
PAGE 164
4 Click to select the Allow to Specify Internal Network Address checkbox and then click OK. The Internal Network IP Address field appears among the My Identity settings. 5 Select None from the Select Certificate drop list. 6 Select E-mail Address from the ID Type drop list and then enter the username defined on the SOHO 6 Wireless in the available field. 7 Select Disabled from the Virtual Adapter drop list. 8 Type 0.0.0.0 in the Internal Network IP Address field. 9 This value appears by default.
PAGE 165
Install and Configure the MUVPN Client 12 Type the exact text of the MUVPN client passphrase entered on the SOHO 6 Wireless appliance and then click OK. NOTE Both the Pre-Shared Key and the E-mail Address, must exactly match the System Passphrase and System Administrator Name configured on the SOHO 6 Wireless or the connection will fail. Defining Phase 1 and Phase 2 settings Follow these instructions to define the phase 1 and phase 2 settings.
PAGE 166
Select Pre-Shared Key from the Authentication Method drop list. 4 NOTE These values must match exactly those entered in the Firebox SOHO 6 Wireless appliance. 5 6 Select DES from the Encrypt Alg drop list and select SHA-1 from the Hash Alg drop list. Select Unspecified from the SA Life drop list. This is the default setting. 7 Select Diffie-Hellman Group 1 from the Key Group drop list. 8 Expand Key Exchange (Phase 2). 9 144 A Proposal entry appears. Select Proposal 1.
PAGE 167
Install and Configure the MUVPN Client 10 Select Both from the SA Life drop list and then type 86400 in the Seconds field and 8192 in the KBytes field. 11 Select None from the Compression drop list. This is the default setting. The SOHO 6 Wireless Firebox appliance does not support compression. 12 Click to select the Encapsulation (ESP) checkbox and then select a value for the Encrypt Alg and Hash Alg drop lists.
PAGE 168
Uninstall the MUVPN client At some point, it may become necessary to completely uninstall the MUVPN client. WatchGuard recommends a complete uninstall using the Windows Add/Remove Programs tool. First, disconnect all existing tunnels and dial-up connections and reboot the remote computer. Then, from the Windows desktop: Select Start => Settings => Control Panel. 1 The Control Panel window appears. Double click the Add/Remove Programs icon. 2 The Add/Remove Programs window appears.
PAGE 169
Connect and Disconnect the MUVPN Client If you wish to disregard these settings, delete the contents. 8 When the computer has restarted, select Start => Programs. 9 Right-click Mobile User VPN and select Delete to remove this selection from your Start Menu. Connect and Disconnect the MUVPN Client The MUVPN client enables the remote computer to establish a secure, encrypted connection to a protected network over the Internet.
PAGE 170
The Mobile User VPN client icon The Mobile User VPN icon exists in the Windows desktop system tray and displays several different status images. The following lists these images and provides a brief description of each. Deactivated The MUVPN Security Policy is deactivated or the Windows operating system did not start a necessary Mobile User VPN service properly and the remote computer must be restarted (if this continues you may need to reinstall the MUVPN client).
PAGE 171
Connect and Disconnect the MUVPN Client Activated, Connected and Transmitting Unsecured Data The MUVPN client has established at least one secure, MUVPN tunnel connection. The red bar on the right of the icon indicates that the client is transmitting only unsecured data. Activated, Connected and Transmitting Secured Data The MUVPN client has established at least one secure, MUVPN tunnel connection. The green bar on the right of the icon indicates that the client is transmitting only secured data.
PAGE 172
• IreIKE.exe The personal firewall will detect the attempt of these programs to access the Internet. The New Program alert dialog box appears requesting access for the MuvpnConnect.exe program. From the ZoneAlarm alert dialog box: 1 Enable the Remember this answer the next time I use this program option and click the Yes button. This enables ZoneAlarm to allow the MuvpnConnect.exe program through each time you attempt to make a MUVPN connection.
PAGE 173
Monitor the MUVPN Client Connection Disconnecting the MUVPN client The MUVPN tunnel is independent of the Internet connection. Close the MUVPN tunnels when the remote computer encounters either of the following events. - Loses the Internet connection - No longer needs the MUVPN tunnel From the Windows desktop system tray: 1 Right-click the Mobile User VPN client icon. 2 Select Disconnect All. 3 Right-click the Mobile User VPN client icon and select Deactivate Security Policy.
PAGE 174
The Log Viewer The LogViewer displays the communications log, a diagnostic tool that lists the negotiations that occur during the MUVPN client connection. From the Windows desktop system tray: 1 2 Right-click the Mobile User VPN client icon. Select Log Viewer. The Log Viewer window appears. The Connection Monitor The Connection Monitor displays statistical and diagnostic information for each active connection in the security policy.
PAGE 175
The ZoneAlarm Personal Firewall • When a single Phase 1 SA to a gateway protects multiple Phase 2 SAs, there is a single Phase 1 connection with the SA icon and individual Phase 2 connections with the key icon displayed above that entry. The ZoneAlarm Personal Firewall A personal firewall is a barrier between your computer and the outside world. The computer is most vulnerable at its doors, called ports. Without ports, no connection to the Internet is possible.
PAGE 176
means no information leaves your computer unless you give it permission. If you enable the “Remember the answer each time I use this program” checkbox you will only have to answer this question once for each program. The ZoneAlarm personal firewall provides a brief tutorial of the product immediately after installation of the MUVPN client. Carefully read each step to familiarize yourself with the application.
PAGE 177
The ZoneAlarm Personal Firewall In the example above, the Internet Explorer Web browser application has been launched and is attempting to access the users home page. The program which actually needs to pass through the firewall is “IEXPLORE.EXE”. In order to allow this program access each time the application is executed, enable the Remember the answer each time I use this program checkbox.
PAGE 178
Programs Which Must Be Allowed MUVPN client IreIKE.exe MuvpnConnect.exe MUVPN Connection Monitor CmonApp.exe MUVPN Log Viewer ViewLog.exe Programs Which May be Allowed MS Outlook OUTLOOK.exe MS Internet Explorer IEXPLORE.exe Netscape 6.1 netscp6.exe Opera Web browser Opera.exe Standard Windows network applications lsass.exe services.exe svchost.exe winlogon.exe Shutting Down ZoneAlarm From the Windows desktop system tray: 1 Right-click on the ZoneAlarm icon ZoneAlarm.
PAGE 179
Use the MUVPN Client to Enforce your Corporate Policy 3 Click the Yes button to continue with uninstalling the TrueVector service and disable its Internet Security features. The Select Uninstall Method window appears. 4 Verify that Automatic is selected and then click the Next button. 5 Click the Finish button to perform the uninstall. NOTE The Remove Shared Component window may appear.
PAGE 180
2 From the navigation bar on the right side, select VPN => MUVPN Clients. The MUVPN Clients page appears. 3 158 Click the Add button. The Edit MUVPN Client page appears.
PAGE 181
Use the MUVPN Client to Enforce your Corporate Policy 4 5 Type a username in the Username field. This Username will be used as the E-mail Address when setting up the MUVPN client. Type a passphrase in the Passphrase field. This passphrase will be used as the Pre-Shared Key when setting up the MUVPN client. 6 Type an unused IP address from the Trusted network, which will be used by the MUVPN client computer when connecting to the SOHO 6 Wireless in the Virtual IP Address field.
PAGE 182
11 Click Submit. The page refreshes and you are prompted to reboot the SOHO 6 Wireless in order activate the changes. 12 Click Reboot. 13 Connect one end of a straight-through Ethernet cable into the Ethernet port labeled OPT on the SOHO 6 Wireless. Connect the other end into the uplink port of the hub. 14 Connect Ethernet cables to the uplink ports of the hub and to the Ethernet ports of each of your computers.
PAGE 183
Use the MUVPN Client to Enforce your Corporate Policy 4 5 6 7 8 9 Click to select the Secure option. This is the default setting. Click to select the Only Connect Manually checkbox. Select the IP Subnet option from the ID Type drop list. The Remote Part Identity and Addressing settings refresh to display the appropriate fields. Type 0.0.0.0 in both the Subnet and Mask fields. These are the default values. Select All from the Protocol drop list. This is the default setting.
PAGE 184
2 Click to select the Aggressive Mode option. 3 Verify that the Enable Perfect Forward Secrecy (PFS) checkbox is not selected. 4 Click to select the Enable Replay Detection checkbox. Defining the My Identity settings Follow these instructions to define the My Identity settings. 1 2 162 From the Network Security Policy field, expand the new entry. The My Identity and Security Policy entries appear. Select My Identity. The My Identity and Internet Interface settings appear to the right.
PAGE 185
Use the MUVPN Client to Enforce your Corporate Policy 3 4 Select Options => Global Policy Settings. The Global Policy Settings dialog box appears. Click to select the Allow to Specify Internal Network Address checkbox and then click OK. The Internal Network IP Address field appears among the My Identity settings. 5 Select None from the Select Certificate drop list.
PAGE 186
6 Select E-mail Address from the ID Type drop list and then enter the username defined on the SOHO 6 Wireless in the available field. 7 Select Disabled from the Virtual Adapter drop list. 8 Type 0.0.0.0 in the Internal Network IP Address field. 9 This value appears by default. Select Any from the Name drop list. This is the default setting. 10 Click Pre-Shared Key. The Pre-Shared Key dialog box appears. 11 Click Enter Key. The text entry field is activated.
PAGE 187
Use the MUVPN Client to Enforce your Corporate Policy Defining Phase 1 and Phase 2 settings Follow these instructions to define the phase 1 and phase 2 settings. Make certain that settings match exactly with those on the Firebox SOHO 6 Wireless appliance. 1 From the Network Security Policy field, expand Security Policy. Both Phase 1 and Phase 2 negotiations appear. 2 3 4 Expand Authentication (Phase 1). A Proposal entry appears. Select Proposal 1.
PAGE 188
NOTE These values must match exactly those entered in the Firebox SOHO 6 Wireless appliance. 5 6 Select DES from the Encrypt Alg drop list and select SHA-1 from the Hash Alg drop list. Select Unspecified from the SA Life drop list. This is the default setting. 7 Select Diffie-Hellman Group 1 from the Key Group drop list. 8 Expand Key Exchange (Phase 2). 9 A Proposal entry appears. Select Proposal 1. The IPSec Protocols settings appear to the right.
PAGE 189
Troubleshooting Tips 12 Click to select the Encapsulation (ESP) checkbox and then select a value for the Encrypt Alg and Hash Alg drop lists. 13 Select DES from the Encrypt Alg drop list and select MD5 from the Hash Alg drop list. 14 Select Tunnel from the Encapsulation drop list. This is the default setting. 15 Verify that the Authentication Protocol (AH) checkbox is not selected. 16 Once you have finished, select File => Save or click the button.
PAGE 190
From the Windows desktop system tray: 1 First, reboot your computer. 2 Right-click on the Mobile User VPN client icon. 3 4 Select Disconnect All. The MUVPN client closes all VPN tunnels. Right-click on the Mobile User VPN client icon and select Deactivate Security Policy. The MUVPN icon will display a red slash to indicate that the Security Policy has been deactivated. 5 Right-click on the ZoneAlarm icon and select Shutdown ZoneAlarm. The ZoneAlarm dialog box appears.
PAGE 191
Troubleshooting Tips broadcasting its network information thereby preventing the machine from sending the necessary login information. You should be certain to shut down ZoneAlarm each time you disconnect the MUVPN connection. Is the Mobile User VPN tunnel working? The Mobile User VPN client icon, which appears in the Windows desktop system tray once it has been launched, will display a key within the icon once the client has connected. To test the connection, ping a computer on your company network.
PAGE 192
3 Use the drop list to select a drive letter. Either use the drop list or type a network drive path. 4 Click OK. The mapped drive appears in the My Computer window. Even if you enable the “Reconnect at Logon” checkbox, the mapped drive will not appear the next time you start your computer unless it is physically connected to the network. I sometimes get prompted for a password when I am browsing the company network...
PAGE 193
CHAPTER 11 Support resources Troubleshooting tips If you have problems during the installation and the configuration of your SOHO 6 Wireless, refer to this information. General What do the PWR, Status, and Mode lights signify on the SOHO 6 Wireless? When the PWR light is lit, the SOHO 6 Wireless is connected to a power source. When the Status light is lit, there is a management connection to the SOHO 6 Wireless. When the MODE light is lit, the SOHO 6 Wireless is operational.
PAGE 194
computer attached to one of the four Ethernet ports (labeled 03) to configure the SOHO 6 Wireless. If the Mode light is blinks: There SOHO 6 Wireless can not connect to the external network. Possible causes of this problem include: • The SOHO 6 Wireless did not receive an IP address for the external interface from the DHCP server. • The WAN port is not connected to another appliance. • The connection to the external interface is defective.
PAGE 195
Troubleshooting tips What is a SOHO 6 Wireless feature key? See “Activate the SOHO 6 Wireless upgrade options” on page 66. I can't get a certain SOHO 6 Wireless feature to work with a DSL modem. Some DSL routers implement NAT firewalls. An external network connection through an appliance that supplies NAT causes problems with WebBlocker and the performance of IPSec. When a SOHO 6 Wireless connects to the external network through a DSL router, set the DSL router to operate as a bridge only.
PAGE 196
that the cable is connected and the computer or hub is connected to a power supply. I can connect to the Configuration Settings page; why can’t I browse the Internet? If you can connect to the configuration page, but not the Internet, there is a problem with the connection from the SOHO 6 Wireless to the Internet. • Make sure the cable modem or DSL modem is connected to the SOHO 6 Wireless and the power supply. • Make sure the link light on the modem and the WAN indicator on the SOHO 6 Wireless are lit.
PAGE 197
Troubleshooting tips Configuration Where are the SOHO 6 Wireless settings stored? The configuration parameters are stored in memory of the SOHO 6 Wireless. How do I set up DHCP on the trusted network of the SOHO 6 Wireless? 1 Make sure your computer is configured to use DHCP. See “Enable your computer for DHCP” on page 17 for additional information.
PAGE 198
172.16.x.x 255.240.0.0 192.168.x.x 255.255.0.0 To change to a static, trusted IP address, follow these steps: 1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6 Wireless: The default IP address is: http://192.168.111.1 2 From the navigation bar on the left side, select Network => Trusted. 3 Reset the Enable DHCP Server check box. 4 Click Submit. 5 Type the information. 6 Click Submit.
PAGE 199
Troubleshooting tips How do I allow incoming services such as POP3, Telnet, and Web (HTTP)? 1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6 Wireless: The default IP address is: http://192.168.111.1 2 From the navigation bar on the left side, select Firewall => Incoming. The Filter Incoming Traffic page opens. 3 Select the pre-configured service to allow. 4 Select Allow from the drop list.
PAGE 200
5 Type the new protocol number in the Protocol field. 6 Click Submit. 7 From the navigation bar on the left side, select Firewall => Incoming. The Firewall Incoming Traffic page opens. 8 At the bottom of the page, locate the new service under the Custom Service list and select Allow from the drop-down list. 9 Type the IP address of the computer that is to receive the incoming data in the Service Host field. 10 Click Submit. VPN Management See “What You Need” on page 106.
PAGE 201
Troubleshooting tips How do I set up VPN to a SOHO 6 Wireless? Information about how to configure a VPN tunnel between a SOHO 6 Wireless and another IPSec compliant appliance is available from the WatchGuard Web site: https://support.watchguard.com/AdvancedFaqs/sointerop_main.asp 1 Log in to the site. 2 Download the file you need. 3 Follow the instructions to configure your VPN tunnel.
PAGE 202
Contact technical support (877) 232-3531 United States end-user support (206) 521-8375 United States authorized reseller support (360) 482-1083 International support Online documentation and FAQs Documentation in PDF format, tutorials, and FAQs are available on the WatchGuard Web Site: https://support.watchguard.com/AdvancedFaqs/ Special notices • The online help system is not yet available on the WatchGuard Web site.
PAGE 203
Index Numerics 100 indicator 11 A Add Route page 54 appliances defined 22 B blocked sites configuring 75 Blocked Sites page 75 browsers, supported 15 C cables correct setup 173 included in package 2 required 14 configuration file, viewing 30 custom incoming services, creating 73 Custom Service page 73, 177 D Dynamic DNS client page 57 dynamic DNS service, configuring 56–57 Dynamic Host Configuration Protocol.
PAGE 204
Index I incoming service, creating custom 73 indicators 100 11 link 11 Mode 12 WAN 12 installation cabling 22 determining TCP/IP settings 15 disabling TCP/IP proxy settings 19 items required for 14 Internet how information travels on 4 problems browsing 174 Internet Protocol (TCP/IP) Network Component and Windows XP 134 IP addresses described 4 disguising 5 dynamic 37 in networks 37 maintaining table of 107 contents of 86 viewing 86 logging to a WSEP host 87 to Syslog host 88 Logging page 86 M MAC addres
PAGE 205
System Status 29, 35, 39, 40, 42, 45, 46, 49, 54, 55, 56, 60, 63, 65, 67, 69, 73, 77, 83, 86, 87, 89, 90, 96, 97, 111, 117, 118, 174, 175, 176, 177 System Time 91 Unrestricted Pass Through IP Address 83 Upgrade 67 View Configuration File 69 VPN Manager Access 64 VPN Statistics 118 WatchGuard Security Event Processor 87 WebBlocker Groups 98 WebBlocker Settings 96 Pass Through feature 83 passphrase 60 passphrases described 60 ping packets, denying all 78 Point-to-Point Protocol over Ethernet.
PAGE 206
Index resetting to factory default 32 setting up VPNs between 179 troubleshooting 179 viewing log messages for 86 SOHO 6 Administration page 59 SOHO remote management 61 Split Tunneling 116 static IP addresses and VPNs 110 obtaining 110 static IP addressing, configuring for 38 static routes configure 54 Status light 11, 171, 172 Syslog Logging page 89 system requirements 123 System Security page 59, 60 System Status page 29, 35, 39, 40, 42, 45, 46, 49, 54, 55, 56, 60, 63, 65, 67, 69, 73, 77, 83, 86, 87, 89
PAGE 207
WAN port 12 WatchGuard Security Event Processor 87 WatchGuard Security Event Processor page 87 WebBlocker activating 96 categories 101–104 configuring 95 creating users and groups for 97 database 93 described 93 enabling and disabling 176 purchasing and activating 95 users and groups 95 WebBlocker Groups page 98 WebBlocker Settings page 96 WebBlocker upgrade, purchasing 95 WebBlocker, license key for 68 Windows XP installing File and Printer Sharing for Microsoft Networks on 134 installing Internet Protocol
PAGE 208
Index 186 WatchGuard Firebox SOHO 6 Wireless