WatchGuard® Firebox® SOHO 6 Wireless User Guide
SOHO 6 firmware version 6.
Using this Guide
To use this guide you need to be familiar with your computer’s operating system. If you have questions about navigating in your computer’s environment, please refer to your system user manual. The following conventions are used in this guide.
Bold type: Menu commands, dialog box options, Web page options, Web page names. For example: “On the System Information page, select Disabled.”
NOTE: Important information, a helpful tip or additional instructions.
Abbreviations used in this user guide
3DES   Triple Data Encryption Standard
DES    Data Encryption Standard
DNS    Domain Name Service
DHCP   Dynamic Host Control Protocol
DSL    Digital Subscriber Line
IP     Internet Protocol
IPSec  Internet Protocol Security
ISDN   Integrated Services Digital Network
ISP    Internet Service Provider
MAC    Media Access Control
MUVPN  Mobile User Virtual Private Network
NAT    Network Address Translation
PPP    Point-to-Point Protocol
PPPoE  Point-to-Point Protocol over Etherne
Certifications and Notices
FCC Certification
This appliance has been tested and found to comply with limits for a Class A digital appliance, pursuant to Part 15 of the FCC Rules. Operation is subject to the following two conditions:
• This appliance may not cause harmful interference.
• This appliance must accept any interference received, including interference that may cause undesired operation.
CE Notice
The CE symbol on your WatchGuard Technologies equipment indicates that it is in compliance with the Electromagnetic Compatibility (EMC) directive and the Low Voltage Directive (LVD) of the European Union (EU).
Industry Canada
This Class A digital apparatus meets all requirements of the Canadian Interference-Causing Equipment Regulations.
VCCI Notice Class A ITE vi WatchGuard Firebox SOHO 6 Wireless
Declaration of Conformity User Guide vii
WATCHGUARD SOHO SOFTWARE END-USER LICENSE AGREEMENT
IMPORTANT - READ CAREFULLY BEFORE ACCESSING WATCHGUARD SOFTWARE
This WatchGuard SOHO Software End-User License Agreement ("EULA") is a legal agreement between you (either an individual or a single entity) and WatchGuard Technologies, Inc.
If you are accessing the SOFTWARE PRODUCT via a Web based installer program, you are granted the following additional rights to the SOFTWARE PRODUCT: (A) You may install and use the SOFTWARE PRODUCT on any computer with an associated connection to the SOHO hardware product in accordance with the SOHO user documentation; (B) You may install and use the SOFTWARE PRODUCT on more than one computer at once without licensing an additional copy of the SOFTWARE PRODUCT for each additional computer on which you want
election. Disclaimer and Release.
Restricted Rights. Use, duplication or disclosure by the U.S. Government or any agency or instrumentality thereof is subject to restrictions as set forth in subdivision (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013, or in subdivision (c)(1) and (2) of the Commercial Computer Software -- Restricted Rights Clause at 48 C.F.R. 52.227-19, as applicable. Manufacturer is WatchGuard Technologies, Incorporated, 505 5th Ave. South, Suite 500, Seattle, WA 98104. 6.
Notice to Users Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc. Copyright, Trademark, and Patent Information Copyright© 1998 - 2002 WatchGuard Technologies, Inc. All rights reserved.
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3.
and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3.
4. The names "mod_ssl" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact rse@engelschall.com. 5. Products derived from this software may not be called "mod_ssl" nor may "mod_ssl" appear in their names without prior written permission of Ralf S. Engelschall. 6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software developed by Ralf S.
5. Products derived from this software may not be called "Apache", nor may "Apache" appear in their name, without prior written permission of the Apache Software Foundation. THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
liability for, performance of, enforcement of, or damages or other relief on account of, any such warranties or any breach thereof. 2. Remedies. If any Product does not comply with the WatchGuard warranties set forth in Section 1 above, WatchGuard will, at its option, either (a) repair the Product, or (b) replace the Product; provided, that you will be responsible for returning the Product to the place of purchase and for all costs of shipping and handling.
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THIS SHALL BE TRUE EVEN IN THE EVENT OF THE FAILURE OF ANY AGREED REMEDY. 5. Miscellaneous Provisions. This Warranty will be governed by the laws of the state of Washington, U.S.A., without reference to its choice of law rules. The provisions of the 1980 United Nations Convention on Contracts for the International Sales of Goods, as amended, shall not apply.
Contents Introduction .................................................. 1 Package contents ...................................................... 2 How does a firewall work? ........................................ 2 How does information travel on the Internet? .......... 4 How does the SOHO 6 Wireless process information? ..........................................................5 How Does Wireless Networking Work? .................... 5 SOHO 6 Wireless hardware description ...................
SOHO 6 Wireless basics ........................... 29 SOHO 6 Wireless System Status page ...................29 Factory default settings ........................................... 31 Register your SOHO 6 Wireless and activate the LiveSecurity Service ............................................ 33 Reboot the SOHO 6 Wireless .................................34 CHAPTER 3 Configure the Network Interfaces ........... 37 External Network Configuration .............................
Enable override MAC address for the external network ............................................................... 82 Create an Unrestricted Pass Through ..................... 82 Configure logging .....................................85 View SOHO 6 Wireless log messages .................... 86 Set up logging to a WatchGuard Security Event Processor log host .............................................. 87 Set up logging to a Syslog host .............................. 88 Set the system time ............
MUVPN Clients ........................................119 Configure the SOHO 6 Wireless for MUVPN Clients .................................................120 Prepare the Remote Computers for the MUVPN Client ................................................................ 123 Install and Configure the MUVPN Client .............. 137 Connect and Disconnect the MUVPN Client ........ 147 Monitor the MUVPN Client Connection ............... 151 The ZoneAlarm Personal Firewall ..........................
CHAPTER 1 Introduction This manual shows how to use your WatchGuard® Firebox® SOHO 6 Wireless or SOHO 6tc Wireless security appliance for secure access to the Internet.
The only difference between these two appliances is the VPN feature. VPN is available as an upgrade option for the SOHO 6 Wireless. The SOHO 6tc Wireless includes the VPN upgrade option. The SOHO 6 Wireless provides security and wireless networking when your computer is connected to the Internet with a high-speed cable modem, DSL modem, leased line, or ISDN. The newest installation and user information is available from the WatchGuard Web site: http://support.watchguard.
How does a firewall work? conferencing. A connection to the Internet is dangerous to the privacy and the security of your network. A firewall divides your internal network from the Internet to reduce this danger. The appliances on the trusted side of your SOHO 6 Wireless firewall are protected. The illustration below shows how the SOHO 6 Wireless physically divides your trusted network from the Internet.
How does information travel on the Internet? The data that is sent through the Internet is divided into packets. To make sure that the packets are received at the destination, information is added to the packets. The protocols for these tasks are called TCP and IP. TCP disassembles and reassembles the data, for example an email message or a program file. IP adds information to the packets, which includes the destination and the handling requirements.
How does the SOHO 6 Wireless process information?
Services
A service is the group of protocols and port numbers for a specified program or type of application. The standard configuration of the SOHO 6 Wireless contains the correct settings for many standard services.
Network Address Translation
All connections from the trusted network to the external network through a SOHO 6 Wireless use dynamic NAT.
the Institute of Electrical and Electronics Engineers (IEEE) and is part of a series of wireless standards. Unless adequately protected, a wireless network is susceptible to access from the outside by unauthorized users to compromise your machine or simply to access a free Internet connection. Increase your corporate network security by forcing users to authenticate with a Mobile User VPN client, creating a secure IPSec tunnel from the wireless computer to the SOHO 6 Wireless.
SOHO 6 Wireless hardware description
Wireless
Wireless operating range, indoors (these values are approximations):
100 feet at 11 Mbps
165 feet at 5.5 Mbps
230 feet at 2 Mbps
300 feet at 1 Mbps
Understanding IEEE 802.11b Wireless Communication
In general, transmitted RF power and signal bandwidth place an upper limit on the rate that data can be transmitted over a wireless link.
Noise Level (watts)
The more in-band RF noise there is, the less data can be transmitted over a given channel (wireless link). The noise level is primarily due to three factors. First, there is a minimum level of background noise due to the ambient temperature of the channel (atmosphere) and the bandwidth. Second, the 802.11b receiver has an innate noise level due to the operating temperature of its own components. Third, there are many unlicensed transmitters using the same frequency bands as 802.11.
- How much directional antenna gain there is at the transmitter and receiver
- The signal attenuation (path loss) between the transmitter and receiver
Path Loss: The path loss is directly proportional to the line-of-sight distance between transmitter and receiver, and inversely proportional to the wavelength of the transmitted signal. The equation for signal loss (in dB) is:
Loss = 20 × log10(4π × Distance / Wavelength)
- Wavelength = speed-of-light / frequency
NOTE
Laptop computers typically have one antenna, which is more susceptible to signal fading depending on position. This can lead to a situation where the SOHO 6 Wireless hears the laptop’s signal, but the laptop doesn’t hear the access point.
Antenna Directional Gain: Antenna gain is the result of how directional the radiation (transmit/receive signal strength) pattern is. The higher the gain, the more directional the antenna is. The SOHO 6 Wireless ships with 5 dBi antennas.
(1 Mbps). The factor that determines which modulation scheme is used is the Packet Error Rate (PER). The modulation scheme switches automatically to maintain the PER at or below 8% by using slower data rates (different modulation schemes) as necessary.
SOHO 6 Wireless front and rear views
There are 14 indicator lights on the front panel of the SOHO 6 Wireless. The illustration below shows the front view.
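The path-loss equation and the rate-switching rule above, worked through in code. This is an added example, not part of the guide; the 2.4 GHz carrier, the transmit power passed to the link-budget function, and the sample PER figures are assumptions, while the range table, the 5 dBi antennas and the 8% PER limit come from the guide.

```python
import math

SPEED_OF_LIGHT = 299_792_458.0   # metres per second
FEET_TO_METRES = 0.3048

# Indoor operating range from the guide (approximate): (max distance in feet, data rate in Mbps).
RANGE_TABLE_FT = [(100, 11.0), (165, 5.5), (230, 2.0), (300, 1.0)]

# The guide says the modulation scheme steps down to keep the PER at or below 8%.
MAX_PER = 0.08

# Assumed carrier: 802.11b operates in the 2.4 GHz band; the exact channel is not in the guide.
ASSUMED_FREQUENCY_HZ = 2.4e9


def wavelength_m(frequency_hz: float) -> float:
    """Wavelength = speed-of-light / frequency (the guide's definition)."""
    return SPEED_OF_LIGHT / frequency_hz


def free_space_path_loss_db(distance_m: float, frequency_hz: float) -> float:
    """Loss = 20 * log10(4 * pi * (Distance / Wavelength)), in dB.

    Distance and wavelength are both in metres, so the ratio is dimensionless.
    """
    if distance_m <= 0:
        raise ValueError("distance must be positive")
    ratio = distance_m / wavelength_m(frequency_hz)
    return 20.0 * math.log10(4.0 * math.pi * ratio)


def received_power_dbm(tx_power_dbm: float, distance_m: float, frequency_hz: float,
                       tx_gain_dbi: float = 5.0, rx_gain_dbi: float = 5.0) -> float:
    """Simple link budget: transmit power plus both antenna gains minus path loss.

    The 5 dBi defaults match the antennas the guide says ship with the unit;
    the transmit power is whatever the caller assumes (the guide does not state it).
    """
    loss = free_space_path_loss_db(distance_m, frequency_hz)
    return tx_power_dbm + tx_gain_dbi + rx_gain_dbi - loss


def rate_for_distance_mbps(distance_ft: float):
    """Highest rate the guide's indoor range table supports at this distance, or None if out of range."""
    for max_ft, rate in RANGE_TABLE_FT:
        if distance_ft <= max_ft:
            return rate
    return None


def select_rate_mbps(per_by_rate: dict):
    """Pick the fastest rate whose measured PER is at or below 8%, stepping down as the guide describes.

    per_by_rate maps data rate (Mbps) to the observed packet error rate (0.0 to 1.0).
    Returns None when no rate meets the limit.
    """
    for rate in sorted(per_by_rate, reverse=True):
        if per_by_rate[rate] <= MAX_PER:
            return rate
    return None


if __name__ == "__main__":
    print(f"wavelength at {ASSUMED_FREQUENCY_HZ/1e9:.1f} GHz: {wavelength_m(ASSUMED_FREQUENCY_HZ):.4f} m")
    for feet, rate in RANGE_TABLE_FT:
        loss = free_space_path_loss_db(feet * FEET_TO_METRES, ASSUMED_FREQUENCY_HZ)
        print(f"{feet:4d} ft  {rate:4.1f} Mbps  free-space path loss {loss:5.1f} dB")
    # Constructed PER measurements: 11 Mbps is too lossy, so the link should settle on 5.5 Mbps.
    sample_per = {11.0: 0.15, 5.5: 0.07, 2.0: 0.01, 1.0: 0.0}
    print("selected rate:", select_rate_mbps(sample_per), "Mbps")
```

Tripling the distance (100 ft to 300 ft) adds 20·log10(3) ≈ 9.5 dB of loss regardless of frequency, which is the shape of the range table above.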
WAN
WAN is lit while there is an active physical connection to the WAN port. The indicator flashes when data flows through the port.
Mode
Mode is lit while there is a connection to the Internet.
There are five Ethernet ports, a reset button, and a power input on the rear of the SOHO 6 Wireless. The illustration below shows the rear view.
RESET button
Push the reset button to reset the SOHO 6 Wireless to the factory default configuration.
CHAPTER 2 Installation The SOHO 6 Wireless protects computers that are connected to it by Ethernet cable or wireless connection. Follow the procedures in this chapter to install the SOHO 6 Wireless and set up the wireless network. Because WatchGuard is concerned about the security of your network, the wireless feature is turned off on the SOHO 6 Wireless we ship you. This allows you to enable the wireless network after you set up the desired security.
To set up the wireless network, you complete the following steps:
• Set up the Wireless Network
• Set up the Wireless Access Point
• Configure the Wireless Card on your computer
See the SOHO 6 Wireless QuickStart Guide included with the SOHO 6 Wireless for a summary of this information.
Before you Begin the Installation router to the SOHO 6 Wireless and the SOHO 6 Wireless to your computer. 4 Attach the two antennae supplied with the SOHO 6 Wireless. NOTE The SOHO 6 Wireless must be installed to provide a separation distance of at least 20 centimeters from all persons and must not be collocated or operating in conjunction with any other antenna or transmitter. 5 Call your ISP to determine the method of network address assignment.
Microsoft Windows NT
1 Click Start => Programs => Command Prompt.
2 At the default prompt, type ipconfig /all, then press Enter.
3 Record the TCP/IP settings in the table provided.
4 Click Cancel.
Microsoft Windows 95 or 98 or ME
1 Click Start => Run.
2 Type: winipcfg.
3 Click OK.
4 Select the “Ethernet Adapter”.
5 Record the TCP/IP settings in the table provided.
6 Click Cancel.
Macintosh
1 Click the Apple menu => Control Panels => TCP/IP.
TCP/IP Setting       Value
IP Address           ___.___.___.___
Subnet Mask          ___.___.___.___
Default Gateway      ___.___.___.___
DHCP Enabled         Yes / No
DNS Server(s)        Primary ___.___.___.___   Secondary ___.___.___.___
NOTE
If you must connect more than one computer to the trusted network behind the SOHO 6 Wireless, determine the TCP/IP settings for each computer.
Enable your computer for DHCP
To open the configuration pages for the SOHO 6 Wireless, configure your computer to receive its IP address through DHCP.
2 Double-click the Network & Dial-up Connections icon.
3 Double-click the connection you use to connect to the Internet. The network connection dialog box opens.
4 Click Properties. The network connection properties dialog box opens.
5 Double-click the Internet Protocol (TCP/IP) component. The Internet Protocol (TCP/IP) Properties dialog box opens.
6 Click to select the Obtain an IP address automatically checkbox.
7 Click to select the Obtain DNS server address automatically checkbox.
8 Click OK to close the Internet Protocol (TCP/IP) Properties dialog box.
9 Click OK again to close the Network Connection Properties dialog box.
the HTTP proxy setting in your browser is enabled, you cannot open these pages to complete the configuration procedure. If the HTTP proxy setting is enabled, the browser only sees Web pages found on the Internet, and not pages in other locations. If the HTTP proxy setting is disabled, you can open the configuration pages in the SOHO 6 Wireless and Web pages on the Internet. The instructions below show how to disable the HTTP proxy setting in three browser applications.
4 Click Proxies.
5 Make sure the Direct Connection to the Internet option is selected.
6 Click OK to save the settings.
Internet Explorer 5.0, 5.5, and 6.0
1 Open Internet Explorer.
2 Click Tools => Internet Options. The Internet Options window opens.
3 Click the Advanced tab.
4 Scroll down the page to HTTP 1.1 Settings.
5 Disable all of the check boxes.
6 Click OK to save the settings.
Physically Connect to the SOHO 6 Wireless
Cabling the SOHO 6 Wireless for one to four appliances
A maximum of four computers, printers, scanners, or other network peripherals can connect directly to the SOHO 6 Wireless. These connections use the four trusted network ports (0-3). To connect a maximum of four appliances, use the SOHO 6 Wireless as a network hub.
1 Shut down your computer.
2 If you connect to the Internet through a DSL modem or cable modem, disconnect the power supply to this device.
3 Disconnect the Ethernet cable that connects your DSL modem, cable modem or other Internet connection to your computer. Connect this cable to the WAN port on the SOHO 6 Wireless. The SOHO 6 Wireless is connected directly to the modem or other Internet connection.
4 Connect one end of the straight-through Ethernet cable supplied with your SOHO 6 Wireless to a trusted network port (0-3) on the SOHO 6 Wireless.
The base model SOHO 6 Wireless includes a ten-seat license. This license allows a maximum of ten appliances on the trusted network to connect to the Internet at the same time. There can be more than ten appliances on the trusted network, but the SOHO 6 Wireless will only allow ten Internet connections. A seat is in use when an appliance connects to the Internet and is free when the connection is broken. License upgrades are available from the WatchGuard Web site: http://www.watchguard.com/sales/buyonline.
• a straight-through Ethernet cable to connect each hub to the SOHO 6 Wireless.
1 Shut down your computer. If you connect to the Internet through a DSL modem or cable modem, disconnect the power supply from this device.
2 Disconnect the Ethernet cable that runs from your DSL modem, cable modem or other Internet connection to your computer. Connect the Ethernet cable to the WAN port on the SOHO 6 Wireless.
Setting up the Wireless Network The SOHO 6 Wireless protects computers that are connected to it by Ethernet cable or wireless connection. Because WatchGuard is concerned about the security of your network, the wireless feature is turned off on the SOHO 6 Wireless we ship you. This allows you to enable the wireless network after you set up the desired security. Now that you have installed the SOHO 6 Wireless device, you can set up the optional wireless network.
Setting up the Wireless Access Point
1 From the navigation bar on the left side, select Network => Wireless Configuration. The Wireless Network Configuration page appears.
2 From the Encryption drop-down list, select Disabled.
3 From the Authentication drop-down, select Open System.
4 From Basic Settings, write down the number in the SSID text box for later use.
5 Type the SSID that you wrote down from the Wireless Network Configuration page into the Network Name (SSID) text box.
6 Click OK to close the Wireless Network Properties dialog box.
7 Click Refresh. The operating system looks for all wireless connections and lists them in the Available Networks text box.
8 Select the SSID of the wireless computer that you configured to access the SOHO 6 Wireless. Click OK to enable the wireless connections.
CHAPTER 3 SOHO 6 Wireless basics
The configuration of the SOHO 6 Wireless is made through Web pages contained in the software of the SOHO 6 Wireless. You can connect to these configuration pages with your Web browser.
SOHO 6 Wireless System Status page
Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6 Wireless. The default IP address is: http://192.168.111.1
The System Status page opens.
The System Status page is the main configuration page of the SOHO 6 Wireless. A display of information about the SOHO 6 Wireless configuration is shown.
• Configuration information for the trusted network and the external network
• Configuration information for firewall settings (incoming services and outgoing services)
• A reboot button to restart the SOHO 6 Wireless
NOTE
If the external network is configured to use the PPPoE protocol, the System Status page displays a connect button or a disconnect button. Use these buttons to start or terminate the PPPoE connection.
Factory default settings
System Security
System Security is disabled. The system administrator name and system administrator passphrase are not set. All computers on the trusted network can access the configuration pages. SOHO 6 Wireless Remote Management is disabled. VPN Manager Access is disabled. Remote logging is not configured.
WebBlocker
WebBlocker is disabled and the settings are not configured.
Upgrade Options
The upgrade options are disabled until the license keys are entered into the configuration page.
6 Connect the power supply. The PWR indicator is on and the reset is complete.
The base model SOHO 6 Wireless
The base model SOHO 6 Wireless includes a ten-seat license. This license allows a maximum of ten computers on the trusted network to connect to the Internet at the same time. There can be more than ten computers on the trusted network, but the SOHO 6 Wireless will only allow ten Internet connections.
Register your SOHO 6 Wireless and activate the LiveSecurity Service
Register your SOHO 6 Wireless with the LiveSecurity Service at the WatchGuard Web site: http://www.watchguard.com/activate
NOTE
To activate the LiveSecurity Service, your browser must have JavaScript enabled.
If you have a user profile on the WatchGuard Web site, enter your user name and password. If you do not have a user profile on the WatchGuard Web site, create a new account. Select your product and follow the instructions for product activation.
Reboot the SOHO 6 Wireless
NOTE
The SOHO 6 Wireless requires 30 seconds to reboot. The Mode indicator on the front of the SOHO 6 Wireless will go off and then come on.
1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6 Wireless. The default IP address is: http://192.168.111.1
2 Click Reboot.
or
2 Disconnect and reconnect the power supply.
CHAPTER 4 Configure the Network Interfaces External Network Configuration When you configure the external network, you select the method of communication between the SOHO 6 Wireless and the ISP. Make this selection based on the method of network address distribution in use by your ISP. The possible methods are static addressing, DHCP, or PPPoE. Network addressing To connect to a TCP/IP network, each computer must have an IP address. The assignment of IP addresses is dynamic or static.
• If the assignment is static, all computers on the network have a permanently assigned IP address. There are no computers that have the same IP address. Most ISPs make dynamic IP address assignments through DHCP (Dynamic Host Configuration Protocol). When a computer connects to the network, a DHCP server at the ISP assigns that computer an IP address. The manual assignment of IP addresses is not necessary with this system.
configuration causes the ISP to communicate with the SOHO 6 Wireless and not your computer.
1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6 Wireless. The default IP address is: http://192.168.111.1
2 From the navigation bar on the left side, select Network => External. The External Network configuration page opens.
3 From the Configuration Mode drop-down list, select Manual Configuration.
5 Click Submit. The configuration change is saved to the SOHO 6 Wireless.
Configure the SOHO 6 Wireless external network for PPPoE
If your ISP assigns IP addresses through PPPoE, your PPPoE login name and password are required to configure the SOHO 6 Wireless. To configure the SOHO 6 Wireless for PPPoE:
1 Open your Web browser and click Stop. Because the Internet connection is not configured, the browser cannot load your home page from the Internet.
5 Type the PPPoE login name and domain supplied by your ISP.
6 Type the PPPoE password supplied by your ISP.
7 Type the time delay before inactive TCP connections are disconnected.
8 Click Automatically restore lost connections. This option keeps a constant flow of traffic between the SOHO 6 Wireless and the PPPoE server. This option allows the SOHO 6 Wireless to keep the PPPoE connection open during a period of frequent packet loss.
Configure the Trusted Network
The DHCP Server option sets the SOHO 6 Wireless to assign IP addresses to the computers on the trusted network. The SOHO 6 Wireless uses DHCP to make the assignments. When the SOHO 6 Wireless receives a request from a new computer on the trusted network, the SOHO 6 Wireless assigns the computer an IP address. If a separate DHCP server on your network assigns the IP addresses instead, enable the DHCP Relay option.
3 Type the IP address and the subnet mask in the applicable fields.
4 Click to select the Enable DHCP Server on the Trusted Network check box.
5 Type the first IP address that is available for the computers that connect to the trusted network.
6 Type the WINS Server address, DNS Server primary address, DNS Server secondary address, and DNS Domain server suffix.
7 Click Submit.
8 Reboot the SOHO 6 Wireless if necessary.
To configure the DHCP relay server:
1 From the Trusted Network configuration page, click the Enable DHCP Relay checkbox.
2 Type the IP address of the DHCP relay server.
3 Click Submit.
4 Reboot the SOHO 6 Wireless.
The SOHO 6 Wireless receives a DHCP request from a computer on the trusted network. The request is sent from the SOHO 6 Wireless to the remote DHCP server. The SOHO 6 Wireless receives the IP address sent from the DHCP server.
6 Shut down and restart the computer.
Configure the trusted network with static addresses
To disable the SOHO 6 Wireless DHCP server and make static address assignments, follow these steps:
1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6 Wireless. The default IP address is: http://192.168.111.1
2 From the navigation bar on the left side, select Network => Trusted.
3 Type the IP address and the subnet mask in the applicable fields.
4 Clear the Enable DHCP Server on the Trusted Network check box.
5 Click Submit.
6 Reboot the SOHO 6 Wireless as necessary.
7 Configure the appliances on the trusted network with static addresses.
Configure the Optional Network for Wireless Networking
To turn on the wireless network, you must enable the optional network.
2 From the navigation bar on the left side, select Network => Optional (802.11b). The Optional Network Configuration page opens.
3 Click the Enable Optional Network checkbox. To turn on the wireless network, you need to enable the optional network.
4 Type the IP address and subnet mask of the optional network. The default IP Address is 192.168.112.1. The default Subnet Mask is 255.255.255.0.
5 Select the Enable DHCP Server on the Optional Network checkbox.
6 Type the First address for DHCP server.
7 Type the WINS Server address, DNS Server primary address, DNS Server secondary address, and DNS Domain server suffix.
8 To enable the DHCP Relay on the optional network, click the Enable DHCP Relay checkbox and enter the IP address of the DHCP relay server in the text box.
Configure the Wireless Network
Once you have turned on the wireless network by enabling the optional network, you can set up the security settings for your wireless connection.
Configure Security
The SOHO 6 Wireless uses the industry standard security protocol, Wired Equivalent Privacy (WEP), specified by the IEEE standard 802.11b.
2 From the navigation bar on the left side, select Network => Wireless Configuration. The Wireless Network Configuration page appears.
3 From the Encryption drop-down list, select the level of encryption you want applied to your wireless connections. The options are Disabled, 40/64 bit WEP, and 128 bit WEP.
Disabled
The default is Disabled, and you should use this option for the initial connection only. Your wireless connection is not using WEP when Disabled is selected.
40/64 bit WEP or 128 bit WEP
Once you complete the initial connection between your wireless computer and the SOHO 6 Wireless, you can change this option to add WEP. Select either 40/64 bit or 128 bit based on what the wireless card in your computer supports.
To change the SSID of the SOHO 6 Wireless:
• In the Basic Settings section, type a new identification in the SSID text box.
The default SSID is the 5 digit serial number for your SOHO 6 Wireless device. The first four digits of the serial number are the product code and are not part of the SSID. The next five digits after the product code are the serial number. The remaining characters are an encoded hash for security uses. The maximum identification length is 20 characters.
Configure the Beacon Rate
1 In the AP Beacon Rate text box, type the beacon rate in milliseconds (100 through 10,000) that you want the SOHO 6 Wireless to use. The beacon rate is the rate at which the SOHO 6 Wireless sends out broadcasts so that the wireless computers can find it.
2 If you want the SOHO 6 Wireless to broadcast its SSID in the beacon frames, select Enabled from the Broadcast SSID in AP Beacon Frames drop-down list. If you do not want to broadcast the SSID, select Disabled.
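A review of the Wireless Network Configuration settings described in the Configure Security, SSID and Beacon Rate sections above, as an added example rather than anything from the guide or the appliance. The field names and allowed values are the ones the guide lists; the dict layout, the severity labels and both sample configurations are constructed for this example.

```python
# Allowed values taken from the guide's Wireless Network Configuration page.
ENCRYPTION_OPTIONS = ("Disabled", "40/64 bit WEP", "128 bit WEP")
BEACON_RATE_RANGE_MS = (100, 10_000)
MAX_SSID_LENGTH = 20

# Constructed sample: the settings the guide has you use for the very first connection.
INITIAL_SETUP_CONFIG = {
    "Encryption": "Disabled",
    "Authentication": "Open System",
    "SSID": "12345",                           # constructed 5 digit serial-style default
    "Broadcast SSID in AP Beacon Frames": "Enabled",
    "AP Beacon Rate": 100,
}

# Constructed sample: the same page after the initial connection has been made.
HARDENED_CONFIG = {
    "Encryption": "128 bit WEP",
    "Authentication": "Open System",
    "SSID": "office-wlan-2f",                  # constructed replacement SSID
    "Broadcast SSID in AP Beacon Frames": "Disabled",
    "AP Beacon Rate": 100,
}


def audit_wireless_config(cfg: dict) -> list:
    """Return (severity, message) findings for one wireless configuration.

    Severities: "error" = value the page would not accept, "high"/"medium"/"low" =
    setting the guide says to change after initial setup, "info" = worth knowing.
    """
    findings = []

    enc = cfg.get("Encryption")
    if enc not in ENCRYPTION_OPTIONS:
        findings.append(("error", f"Encryption {enc!r} is not one of {ENCRYPTION_OPTIONS}"))
    elif enc == "Disabled":
        findings.append(("high", "Encryption is Disabled: wireless traffic is not using WEP; "
                                 "the guide intends Disabled only for the initial connection"))
    elif enc == "40/64 bit WEP":
        findings.append(("medium", "40/64 bit WEP uses the shorter key; select 128 bit WEP "
                                   "if the wireless card supports it"))

    ssid = cfg.get("SSID", "")
    if not isinstance(ssid, str) or not ssid:
        findings.append(("error", "SSID is empty"))
    elif len(ssid) > MAX_SSID_LENGTH:
        findings.append(("error", f"SSID is {len(ssid)} characters; the maximum is {MAX_SSID_LENGTH}"))
    elif ssid.isdigit() and len(ssid) == 5:
        findings.append(("low", "SSID looks like the factory default (the 5 digit serial number); "
                                "type a new identification in the SSID text box"))

    if cfg.get("Broadcast SSID in AP Beacon Frames") == "Enabled":
        findings.append(("info", "SSID is broadcast in AP beacon frames, so any wireless "
                                 "computer in range can list the network name"))

    rate = cfg.get("AP Beacon Rate")
    low, high = BEACON_RATE_RANGE_MS
    if not isinstance(rate, int) or not low <= rate <= high:
        findings.append(("error", f"AP Beacon Rate must be a whole number of milliseconds "
                                  f"from {low} through {high}"))

    return findings


def is_ready_for_production(cfg: dict) -> bool:
    """True when the configuration has no invalid values and no high-severity finding."""
    return not any(sev in ("error", "high") for sev, _ in audit_wireless_config(cfg))


if __name__ == "__main__":
    for name, cfg in (("initial setup", INITIAL_SETUP_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for sev, msg in audit_wireless_config(cfg) or [("ok", "no findings")]:
            print(f"  [{sev}] {msg}")
```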
Configure static routes
To send the specified packets to different segments of the trusted network connected through a router or switch, configure static routes. Follow these instructions to configure static routes:
1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6 Wireless. The default IP address is: http://192.168.111.1
2 From the navigation bar on the left side, select Network => Routes. The Routes page opens.
3 Click Add.
4 From the Type drop-down list, select either Host or Network.
5 Type the IP address and the gateway of the route in the applicable fields. The gateway of the route is the local interface of the router.
6 Click Submit.
To remove a route, select the route and click Remove.
View network statistics
The Network Statistics page gives information about network performance. This page is useful during troubleshooting.
2 From the navigation bar on the left side, select Network => Network Statistics. The Network Statistics page opens.
Configure the dynamic DNS Service
This feature allows you to register the external IP address of the SOHO 6 Wireless with the dynamic DNS (Domain Name Server) service DynDNS.org. A dynamic DNS service makes sure that the IP address attached to your domain name is changed when your ISP assigns you a new IP address.
NOTE WatchGuard is not affiliated with dyndns.org.
2 From the navigation bar on the left side, select Network => DynamicDNS. The Dynamic DNS client page opens.
3 Select the Enable Dynamic DNS client checkbox.
4 Type the domain, name, and password in the applicable fields.
5 Click Submit.
CHAPTER 5 Administrative options
Use the SOHO 6 Wireless Administration page to configure access to the SOHO 6 Wireless. The System Security, SOHO 6 Wireless Remote Management™ feature, and VPN Manager Access are configured from the Administration page. Firmware updates, upgrade activation, and display of the SOHO 6 Wireless configuration file in text format are also done from the Administration page.
System security
A passphrase prevents access to the configuration of the SOHO 6 Wireless by an unauthorized user on the trusted network. The use of a passphrase is important to the security of your network.
NOTE Record the system administrator name and passphrase in a safe location. When system security is enabled, the system administrator name and passphrase are required to access the configuration pages.
The System Security page
3 Verify that the HTTP Server Port is set to 80.
4 Click to select the Enable System Security check box.
5 Type a System Administrator Passphrase and then type it again to confirm.
6 Click Submit.
SOHO 6 Wireless Remote Management
Both the SOHO 6 Wireless and SOHO 6tc Wireless come equipped with the SOHO 6 Wireless Remote Management feature.
connection, using Internet Protocol Security (IPSec), over an unsecured network from your remote computer in order to remotely manage your SOHO 6 Wireless. For example, the MUVPN client is installed and configured on your computer. You then establish a standard Internet connection and activate the MUVPN client. The MUVPN client creates an encrypted tunnel to your SOHO 6 Wireless. You can now access the SOHO 6 Wireless configuration pages without compromising security.
Networking or directly through a local area network (LAN) or wide area network (WAN).
From the Windows desktop system tray:
10 Verify the MUVPN client status; it must be activated. If it is not, right-click the icon and select Activate Security Policy. For information on how to determine the status of the MUVPN icon, see Chapter 11, “The Mobile User VPN client icon” on page 148.
Then, from the Windows desktop system tray:
11 Right-click the icon and select Connect.
2 From the navigation bar on the left side, select Administration => VPN Manager Access. The VPN Manager Access page opens.
3 Select Enable VPN Manager Access.
4 Type the Status Passphrase.
5 Type the Status Passphrase again to confirm.
6 Type the Configuration Passphrase.
7 Type the Configuration Passphrase again to confirm.
NOTE These passphrases must match the passphrases used in the VPN Manager software or the connection will fail.
8 Click Submit.
Update the firmware
Check regularly for SOHO 6 Wireless firmware updates on the WatchGuard Web site: http://support.watchguard.com/sohoresources/
Download the .exe or .wgd files that contain the firmware update. The .exe file is an installer and the .wgd file is a binary file. The .wgd file is an advanced installation method.
NOTE The .exe file is not available for firmware previous to the 6.0 release.
To install the .exe file:
1 Save the .exe file to your computer.
4 Type the location of the .wgd firmware files on your computer.
OR
4 Click Browse and locate the .wgd firmware files on your computer.
NOTE Check your SOHO 6 Wireless firewall settings to make sure that your firewall allows .wgd files.
5 Click Update. Follow the instructions provided by the update wizard.
NOTE The update wizard requests a user name and password. Type the system administrator name and passphrase configured on the System Security page. The default values are “user” and “pass”.
Activate the SOHO 6 Wireless upgrade options
LiveSecurity Service Web site. See “Register your SOHO 6 Wireless and activate the LiveSecurity Service” on page 33 for more information. Follow these steps to activate an upgrade option:
1 Go to the upgrade page of the WatchGuard Web site: http://www.watchguard.com/upgrade
2 Type your User Name and Password.
3 Click Log In.
4 Follow the instructions provided on the Web site to activate your license key.
Upgrade options
Seat licenses
A seat license upgrade allows more connections between the trusted or optional network and the external network. A wired connection goes to the trusted network and a wireless connection goes to the optional network. For example, a 25-seat license allows 25 wired or wireless connections instead of the standard 10 connections.
IPSec Virtual Private Networking (VPN)
The VPN upgrade is necessary to configure virtual private networking. The SOHO 6tc Wireless includes a VPN upgrade license key.
LiveSecurity Service subscription renewals
Purchase a LiveSecurity subscription renewal for a period of one or two years from your reseller or the WatchGuard online store. Go to the renew page of the WatchGuard Web site to purchase or activate a subscription renewal: http://www.watchguard.com/renew/
Follow the instructions on the Web site.
CHAPTER 6 Configure the Firewall Settings
Firewall settings
The configuration settings of the SOHO 6 Wireless control the flow of traffic between the trusted network and the external network. The configuration you select depends on the types of risks that are acceptable for the trusted network. The SOHO 6 Wireless lists many standard services on the configuration page. A service is the combination of protocol and port numbers for a type of application or type of communication.
are permitted. For example, to operate a Web server behind the SOHO 6 Wireless, add an incoming Web service. Select carefully the number and the types of services that you add. Each added service decreases the security of your network. Compare the value of access to each service against the security risk caused by that service.
Configure incoming and outgoing services
2 Locate a pre-configured service, such as FTP, Web, or Telnet, then select either Allow or Deny from the drop-down list. The illustration shows the HTTP service configured to allow incoming traffic.
3 Type the trusted network IP address of the computer to which this rule applies. The illustration shows the HTTP service configured to allow incoming traffic to the computer with IP address 192.168.111.2.
4 Click Submit.
3 Type a name for the service in the Service name field.
4 Select TCP Port, UDP Port, or Protocol from the drop-down list below the Protocol Settings.
5 In the fields separated by the word To, enter the port number or the range of port numbers, or enter the protocol number. The Custom Service page refreshes.
NOTE For a TCP port or a UDP port, specify a port number. For a protocol, specify a protocol number. You cannot specify a port number for a protocol.
6 Click Add.
The following steps determine how the service is filtered.
7 Select Allow or Deny from the Incoming Filter and Outgoing Filter drop-down lists.
8 Select Host IP Address, Network IP Address, or Host Range from the drop-down list at the bottom of the page. The Custom Service page refreshes.
9 Type a single host IP address, a network IP address, or the start and end of a range of host IP addresses in the address field.
10 Click Add.
2 Select either Host IP Address, Network IP Address, or Host Range from the drop-down list. The Blocked Sites page refreshes.
3 Type a single host IP address, a network IP address, or the start and end of a range of host IP addresses in the address field. The illustration shows the selection Host IP Address and the IP address 207.68.172.246.
4 Click Add. The address information appears in the Blocked Sites field.
5 Click Submit.
Firewall options
The previous sections described how to allow or deny complete classes of services. The Firewall Options page allows the configuration of general security policies.
1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6 Wireless. The default IP address is: http://192.168.111.1
2 From the navigation bar on the left side, select Firewall => Firewall Options. The Firewall Options page opens.
Ping requests received from the external network
You can configure the SOHO 6 Wireless to deny all ping packets received on the external interface.
1 Set the Do not respond to PING requests received on External Network check box.
2 Click Submit.
Denying FTP access to the trusted network interface
You can configure the SOHO 6 Wireless to prevent FTP access to the computers on the trusted network by the computers on the external network.
1 Set the Do not allow FTP access to Trusted Network check box.
NOTE Configure the SOCKS-compatible application to connect to IP addresses and not to domain names. Applications that can only reference domain names are not compatible with the SOHO 6 Wireless.
Some SOCKS-compatible applications that function correctly when used through the SOHO 6 Wireless are ICQ, IRC, and AOL Messenger.
NOTE When a computer in the trusted network uses a SOCKS-compatible application, other users on the trusted network have free access to that computer.
• Set the SOCKS proxy to the URL or IP address of the SOHO 6 Wireless. The default IP address is: http://192.168.111.1
Disabling SOCKS on the SOHO 6 Wireless
After a SOCKS-compatible application has connected through the SOHO 6 Wireless, the SOCKS port stays open. After the application terminates, the SOCKS port is available to anyone on your trusted network. The following steps prevent this security problem. When the SOCKS-compatible application is not in use:
1 Set the Disable SOCKS proxy check box. This disables the SOCKS proxy feature of the SOHO 6 Wireless.
2 Click Submit.
Enable override MAC address for the external network
If your ISP requires a MAC address, enable this option. The SOHO 6 Wireless will use its own MAC address for the trusted network. You can enter a new MAC address for use on the external network. Follow these steps to enable this option:
1 Set the Enable override MAC address for the External Network check box.
2 Type the new MAC address for the SOHO 6 Wireless external network.
3 Click Submit.
Create an Unrestricted Pass Through
Follow these steps to configure a pass through:
1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6 Wireless. The default IP address is: http://192.168.111.1
2 From the navigation bar on the left side, select Firewall => Pass Through. The Unrestricted Pass Through IP Address page opens.
3 Set the Enable pass through address check box.
CHAPTER 7 Configure logging
The SOHO 6 Wireless logging feature records a log of the events related to the security of the trusted network. Communication with the WatchGuard WebBlocker database and incoming traffic are examples of events that are recorded. The log records the events that show possible security problems. A denied packet is the most important type of event to log. A sequence of denied packets can show that an unauthorized person tried to access your network.
View SOHO 6 Wireless log messages
The SOHO 6 Wireless event log records a maximum of 150 log messages. If a new entry is added when the event log is full, the oldest log message is removed. The log messages include the time synchronizations between the SOHO 6 Wireless and the WatchGuard Time Server, packets discarded because of a packet handling violation, duplicate messages, return error messages, and IPSec messages.
NOTE The newest entry is shown at the top of the event log.
This option synchronizes the clock of the SOHO 6 Wireless to your computer:
• Click Sync Time with Browser now.
The SOHO 6 Wireless synchronizes the time at startup.
Set up logging to a WatchGuard Security Event Processor log host
The WSEP (WatchGuard Security Event Processor) is an application that is available with the WatchGuard Firebox System package used by a Firebox II/III.
3 Select Enable WatchGuard Security Event Processor Logging.
4 Type the IP address of the WSEP server that is your log host in the applicable field. In the illustration, the IP address is 192.168.111.5.
5 Type a passphrase in the Log Encryption Key field.
6 Confirm the passphrase in the Confirm Key field.
7 Click Submit.
NOTE Use the same encryption key recorded in the WSEP application.
Set up logging to a Syslog host
This option sends the SOHO 6 Wireless log entries to a Syslog host.
Follow these steps to configure a Syslog Host:
1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6 Wireless. The default IP address is: http://192.168.111.1
2 From the navigation bar on the left side, select Logging => Syslog Logging. The Syslog Logging page opens.
3 Set the Enable syslog output check box.
4 Type the IP address of the Syslog server. In the illustration, the IP address is 206.253.208.
are sent through a VPN tunnel, the data is encrypted with IPSec technology.
Set the system time
The SOHO 6 Wireless records the time of each log entry. The time recorded in the log entries is from the SOHO 6 Wireless system clock. Follow these steps to set the system time:
1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6 Wireless. The default IP address is: http://192.168.111.
2 From the navigation bar on the left side, select Logging => System Time. The System Time page opens.
This step synchronizes the system time with the WatchGuard Time Server:
3 Select Get Time From WatchGuard Time Server.
This step synchronizes the system time with a TCP Port 37 Time Server:
4 Select Get Time From TCP Port 37 Time Server at.
5 Type the IP address of the time server in the applicable field.
6 Click Submit.
NOTE The time zone selection is only used when the Get Time From WatchGuard Time Server check box is selected.
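The chapter singles out a sequence of denied packets as the log event most worth watching, and the steps above forward the log to a Syslog host. The following is an added example, not code from the guide: it reads forwarded lines and flags any source that produces a burst of denied packets. Because this page does not show the appliance's own message format, the line format, hostname and sample lines are constructed (using documentation addresses); only DENY_RE needs changing for real forwarded messages.

```python
"""Flag sources that produce a burst of denied packets in forwarded syslog lines.

Added example, not code from the WatchGuard guide. The message format below is
constructed for illustration; the appliance's real format is not documented on
this page. Lines that are not deny events (time synchronization, allowed
traffic) are ignored.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed format: "<pri>Mon dd hh:mm:ss host deny <proto> <src>:<sport> -> <dst>:<dport>"
DENY_RE = re.compile(
    r"^<\d+>(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ deny \w+ "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample of forwarded log lines (documentation-only addresses).
SAMPLE_LINES = [
    "<134>Jan 12 10:14:55 soho time sync with WatchGuard Time Server ok",
    "<134>Jan 12 10:15:01 soho deny tcp 203.0.113.7:4412 -> 192.168.111.2:23",
    "<134>Jan 12 10:15:03 soho deny tcp 203.0.113.7:4413 -> 192.168.111.2:21",
    "<134>Jan 12 10:15:04 soho allow tcp 198.51.100.9:5120 -> 192.168.111.2:80",
    "<134>Jan 12 10:15:05 soho deny tcp 203.0.113.7:4414 -> 192.168.111.2:25",
    "<134>Jan 12 10:15:07 soho deny udp 203.0.113.7:4415 -> 192.168.111.2:161",
    "<134>Jan 12 10:15:09 soho deny tcp 203.0.113.7:4416 -> 192.168.111.2:139",
    "<134>Jan 12 10:20:30 soho deny tcp 198.51.100.9:5121 -> 192.168.111.2:22",
    "<134>Jan 12 10:45:02 soho deny tcp 198.51.100.9:5122 -> 192.168.111.2:22",
]


def parse_deny_events(lines: List[str]) -> Dict[str, List[datetime]]:
    """Group the timestamps of denied packets by source address."""
    events: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        m = DENY_RE.match(line)
        if m:
            # Syslog timestamps carry no year; strptime defaults it to 1900,
            # which is fine for ordering entries within one log.
            events[m.group("src")].append(
                datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"))
    return events


def find_bursts(lines: List[str], threshold: int = 5,
                window_seconds: int = 60) -> List[str]:
    """Return sources with at least `threshold` denies inside any `window_seconds` span."""
    flagged = []
    for src, times in parse_deny_events(lines).items():
        times.sort()
        # Slide a window of `threshold` consecutive denies over the sorted timestamps.
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                flagged.append(src)
                break
    return sorted(flagged)


if __name__ == "__main__":
    for src in find_bursts(SAMPLE_LINES):
        print(f"burst of denied packets from {src}")
```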
CHAPTER 8 SOHO 6 Wireless WebBlocker
WebBlocker is an option for the SOHO 6 Wireless that allows the system administrator to control which Web sites the users can access.
How WebBlocker works
WebBlocker uses a database of Web site addresses, which is owned and maintained by SurfControl. The database shows the type of content found on thousands of Web sites. WatchGuard puts the newest version of the SurfControl database on the WebBlocker server at regular intervals.
Web site not in the WebBlocker database
If the Web site is not in the WatchGuard WebBlocker database, the Web browser opens the page.
Web site in the WebBlocker database
If the site is in the WatchGuard WebBlocker database, the SOHO 6 Wireless examines the configuration to see if that type of site is permitted. When the type of site is not permitted, the user is told that the site is not available. If the type of site is permitted, the Web browser opens the page.
WebBlocker users and groups
Groups
A group is a set of users on the trusted network.
Users
Users are persons that use the computers on the trusted network.
Bypass the SOHO 6 Wireless WebBlocker
The SOHO 6 Wireless WebBlocker configuration page includes a full access password field. Give this password to those users of the trusted network allowed to bypass WebBlocker.
WebBlocker settings
Use the WebBlocker settings page to:
• activate the WebBlocker;
• set the full access password;
• set the inactivity timeout;
• require that your Web users authenticate.
1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6 Wireless. The default IP address is: http://192.168.111.1
2 From the navigation bar on the left side, select WebBlocker => Settings. The WebBlocker Settings page opens.
4 Type the full access password. The full access password allows a user to access all Web sites until the password expires or the browser is closed.
5 Type the Inactivity Timeout in minutes. The inactivity timeout disconnects Internet connections that are inactive for the set number of minutes.
6 To set the WebBlocker to use groups and users, set the Require Web users to authenticate check box.
7 Click Submit to register your changes.
2 From the navigation bar on the left side, select WebBlocker => Groups. The WebBlocker Groups page opens.
3 Click New to create a group name and profile.
4 Define a Group Name and set the types of content to filter for this group.
5 Click Submit. A new Groups page opens that shows the configuration changes.
6 To the right of the Users field, click New. The New User page opens.
7 Type a new user name and passphrase.
8 Confirm the passphrase.
9 Use the Group drop-down list to assign the new user to a given group.
10 Click Submit.
NOTE To remove a user or group, make a selection and click Delete.
WebBlocker Categories
The WebBlocker database contains the following 14 categories:
NOTE A Web site is only added to a category if the contents of the Web site advocate the subject matter of the category. Web sites that provide opinion or educational material about the subject matter of the category are not included.
online sports, or financial betting, including non-monetary dares.
Militant/extremist
Pictures or text advocating extremely aggressive or combative behavior or advocacy of unlawful political measures. Topic includes groups that advocate violence as a means to achieve their goals. It also includes pages devoted to “how to” information on the making of weapons (for both lawful and unlawful reasons), ammunition, and pyrotechnics.
Gross Depictions
Pictures or text describing anyone or anything that is either crudely vulgar, grossly deficient in civility or behavior, or shows scatological impropriety. Topic includes depictions of maiming, bloody figures, and indecent depiction of bodily functions.
Violence/profanity
Pictures or text exposing extreme cruelty or profanity. Cruelty is defined as: physical or emotional acts against any animal or person that are primarily intended to hurt or inflict pain.
Sexual Acts
Pictures or text exposing anyone or anything involved in explicit sexual acts and/or lewd and lascivious behavior. Topic includes masturbation, copulation, pedophilia, as well as intimacy involving nude or partially nude people in heterosexual, bisexual, lesbian, or homosexual encounters. It also includes phone sex advertisements, dating services, adult personals, and sites devoted to selling pornographic CD-ROMs and videos.
Full Nudity
Pictures exposing any or all portions of human genitalia.
CHAPTER 9 VPN—Virtual Private Networking
This chapter tells how to use the VPN with IPSec upgrade option of the WatchGuard SOHO 6 Wireless.
Why create a Virtual Private Network?
Use a VPN tunnel to make an inexpensive and secure connection between the computers in two locations. Expensive, dedicated point-to-point connections are not necessary for a VPN connection. A VPN tunnel gives the security necessary to use the public Internet for a private virtual connection between two locations.
What You Need
• One WatchGuard SOHO 6 Wireless with VPN and one IPSec-compatible appliance.
NOTE IPSec-compatible appliances include the WatchGuard SOHO 6 Wireless, the WatchGuard Firebox II/III, and the Firebox Vclass.
IP Address Table (example):
Item | Description | Assigned By | Example
External IP Address | The IP address that identifies the IPSec-compatible appliance to the Internet. | ISP | Site A: 207.168.55.2; Site B: 68.130.44.15
External Subnet Mask | The bitmask that shows which part of the IP address identifies the local network. For example, a class C address includes 256 addresses and has a netmask of 255.255.255.0. | ISP | Site A: 255.255.255.0; Site B: 255.255.255.
… | … | … | Site A: OurLittleSecret; Site B: OurLittleSecret
Encryption Method | DES uses 56-bit encryption. 3DES uses 168-bit encryption. The 3DES encryption method gives better security, but decreases the speed of communication. The two IPSec-compatible appliances must use the same encryption method. | You | Site A: 3DES; Site B: 3DES
Authentication | The two IPSec-compatible appliances must use the same authentication method. | |
Step-by-step instructions to configure a SOHO 6 Wireless VPN tunnel
Instructions that tell how to configure a VPN tunnel between a SOHO 6 Wireless and another IPSec-compatible appliance are available from the WatchGuard Web site: https://support.watchguard.com/AdvancedFaqs/sointerop_main.
Frequently Asked Questions
Why do I need a static external address?
To make a VPN connection, each of the two appliances must know the IP address of the other appliance. If the addresses are dynamic, the addresses can change. A changed address prevents a connection between the two appliances.
How do I get a static external IP address?
The external IP address for your computer or network is assigned by your ISP.
2 When you can ping the external address of each SOHO 6 Wireless, try to ping a local address in the remote network. From Site A, ping 192.168.111.1. If the VPN tunnel functions correctly, the remote SOHO 6 Wireless sends the ping back. If the ping does not come back, make sure the local settings are correct. Make sure that the local DHCP address ranges for the two networks connected by the VPN tunnel do not use any of the same IP addresses.
2 From the navigation bar on the left side, select VPN => Manual VPN. The Manual VPN page opens.
3 Click Add to set up the VPN tunnel. The Add Gateway page opens.
4 Type the Name and Shared Secret for the SOHO 6 Wireless at the remote end of the VPN tunnel. The shared secret is a passphrase used by two IPSec-compatible appliances to encrypt and decrypt the data that goes through the VPN tunnel. The two appliances use the same passphrase. If the appliances do not have the same passphrase, they cannot encrypt and decrypt the data correctly.
Use the default Phase 1 settings or change the settings as necessary.
- If you set Aggressive Mode and have a static IP address, the Local ID must be an IP Address and the Remote ID can be either an IP address or a domain name.
- If you set Aggressive Mode and have a dynamic IP address, the Local ID must be a domain name and the Remote ID can be either an IP address or a domain name.
9 In the Authentication Algorithm drop-down list, set the type of authentication.
15 Set the authentication in the Authentication Algorithm drop-down list. The options are None (no authentication), MD5-HMAC (128-bit authentication) or SHA1-HMAC (160-bit authentication).
16 Set the type of encryption in the Encryption Algorithm drop-down list. The options are None (no encryption), DES-CBC or 3DES-CBC.
17 Click the Enable Perfect Forward Secrecy check box, if necessary.
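The tunnel only comes up when both ends agree, and the guide states the rules that decide it: the same shared secret, encryption method and authentication method at both ends, the Aggressive Mode rules for Local ID and Remote ID, and non-overlapping DHCP ranges on the two trusted networks. The following is an added example, not code from the guide or from WatchGuard, that checks a pair of gateway settings against those rules before they are typed into the Add Gateway page; the TunnelEnd structure and its field names are this example's own assumptions, the external addresses and shared secret come from the guide's address table, and the DHCP ranges are constructed.

```python
"""Consistency checks for a SOHO-to-SOHO manual VPN tunnel (added example).

Not code from the WatchGuard guide. The TunnelEnd structure and field names
are assumptions made for this example. The rules encoded are the ones the
guide states: both ends use one shared secret, encryption method and
authentication method; in Aggressive Mode a static-IP end uses an IP address
as Local ID and a dynamic-IP end uses a domain name, while the Remote ID may
be either; and the DHCP ranges of the two trusted networks must not overlap.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Tuple

ENCRYPTION_METHODS = {"None", "DES-CBC", "3DES-CBC"}
AUTH_ALGORITHMS = {"None", "MD5-HMAC", "SHA1-HMAC"}


@dataclass
class TunnelEnd:
    name: str
    static_ip: bool              # True when the ISP assigned a static external address
    aggressive_mode: bool        # Phase 1 mode
    local_id: str                # Phase 1 Local ID: IP address or domain name
    remote_id: str               # Phase 1 Remote ID: IP address or domain name
    shared_secret: str
    encryption: str              # one of ENCRYPTION_METHODS
    authentication: str          # one of AUTH_ALGORITHMS
    dhcp_range: Tuple[str, str]  # first and last DHCP address on the trusted network


def is_ip_address(value: str) -> bool:
    """True for a syntactically valid IP address, False for a domain name."""
    try:
        ip_address(value)
        return True
    except ValueError:
        return False


def ranges_overlap(a: Tuple[str, str], b: Tuple[str, str]) -> bool:
    """True when two inclusive address ranges share at least one address."""
    a_lo, a_hi = (int(ip_address(x)) for x in a)
    b_lo, b_hi = (int(ip_address(x)) for x in b)
    return a_lo <= b_hi and b_lo <= a_hi


def check_phase1_ids(end: TunnelEnd) -> List[str]:
    """Apply the guide's Aggressive Mode rules for Local ID and Remote ID."""
    problems = []
    if not end.aggressive_mode:
        return problems
    if end.static_ip and not is_ip_address(end.local_id):
        problems.append(f"{end.name}: static IP with Aggressive Mode needs an IP address as Local ID")
    if not end.static_ip and is_ip_address(end.local_id):
        problems.append(f"{end.name}: dynamic IP with Aggressive Mode needs a domain name as Local ID")
    if not end.remote_id:
        problems.append(f"{end.name}: Remote ID (IP address or domain name) is empty")
    return problems


def validate_tunnel(a: TunnelEnd, b: TunnelEnd) -> List[str]:
    """Return a list of configuration problems; an empty list means the ends agree."""
    problems = []
    for end in (a, b):
        if end.encryption not in ENCRYPTION_METHODS:
            problems.append(f"{end.name}: unknown encryption method {end.encryption!r}")
        if end.authentication not in AUTH_ALGORITHMS:
            problems.append(f"{end.name}: unknown authentication algorithm {end.authentication!r}")
        problems.extend(check_phase1_ids(end))
    if a.shared_secret != b.shared_secret:
        problems.append("shared secrets differ: the ends cannot encrypt and decrypt each other's data")
    if a.encryption != b.encryption:
        problems.append(f"encryption methods differ: {a.encryption} vs {b.encryption}")
    if a.authentication != b.authentication:
        problems.append(f"authentication methods differ: {a.authentication} vs {b.authentication}")
    if ranges_overlap(a.dhcp_range, b.dhcp_range):
        problems.append("DHCP ranges of the two trusted networks overlap")
    return problems


# Sample ends: external addresses and secret from the guide's table; DHCP ranges constructed.
SITE_A = TunnelEnd("Site A", True, False, "207.168.55.2", "68.130.44.15",
                   "OurLittleSecret", "3DES-CBC", "SHA1-HMAC",
                   ("192.168.111.2", "192.168.111.50"))
SITE_B = TunnelEnd("Site B", True, False, "68.130.44.15", "207.168.55.2",
                   "OurLittleSecret", "3DES-CBC", "SHA1-HMAC",
                   ("192.168.112.2", "192.168.112.50"))
# A misconfigured Site B: dynamic address in Aggressive Mode with an IP as Local ID,
# DES instead of 3DES, and a DHCP range that collides with Site A's.
BAD_SITE_B = TunnelEnd("Site B", False, True, "68.130.44.15", "207.168.55.2",
                       "OurLittleSecret", "DES-CBC", "SHA1-HMAC",
                       ("192.168.111.20", "192.168.111.80"))

if __name__ == "__main__":
    for problem in validate_tunnel(SITE_A, BAD_SITE_B) or ["no problems found"]:
        print(problem)
```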
To set up split tunneling follow these steps:
1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6 Wireless. The default IP address is: http://192.168.111.1
2 From the navigation bar on the left side, select VPN => Manual VPN. The Manual VPN page opens.
3 Click Add. The Add Gateway page opens.
4 Configure the gateway.
information on configuring a wireless network to require MUVPN connections, see “Configure the Optional Network for Wireless Networking” on page 46.
View the VPN Statistics
The SOHO 6 Wireless has a configuration page that displays VPN statistics. Use this page to monitor VPN traffic and to solve problems with the VPN configuration.
CHAPTER 10 MUVPN Clients
The MUVPN client uses Internet Protocol Security (IPSec) to establish a secure connection over an unsecured network from a remote computer to your protected network. For example, the MUVPN client is installed on an employee’s computer, on the road or working from home. The employee establishes a standard Internet connection and activates the MUVPN client.
more MUVPN connections with the MUVPN Client upgrade. For information about upgrading, see “Activate the SOHO 6 Wireless upgrade options” on page 66. ZoneAlarm®, a personal firewall software application, is included as an optional feature with the MUVPN client to provide further security for your end users. The purpose of this chapter is to assist users of the SOHO 6 Wireless to set up the MUVPN client on an end-user’s remote computer and to explain the features of the personal firewall.
Configure the SOHO 6 Wireless for MUVPN Clients
2 From the navigation bar on the right side, select VPN => MUVPN Clients. The MUVPN Clients page appears.
3 Click the Add button. The Edit MUVPN Client page appears.
4 Type a Username in the appropriate field. This Username will be used as the E-mail Address when setting up the MUVPN client.
5 Type a Passphrase in the appropriate field. This passphrase will be used as the Pre-Shared Key when setting up the MUVPN client.
6 Type the Virtual IP address which will be used by the MUVPN computer when connecting to the SOHO 6 Wireless in the appropriate field.
7 Select the Authentication Algorithm.
9 From the VPN Client Type drop list, select Mobile User.
10 Enable the All traffic uses tunnel (0.0.0.0/0 Subnet) checkbox to force all traffic from the MUVPN client to go through the IPSec tunnel.
11 Click the Submit button.
Prepare the Remote Computers for the MUVPN Client
The MUVPN client is only compatible with the Windows operating system. Every Windows system used as a MUVPN remote computer must meet the following system requirements.
• An Internet Service Provider account
• A Dial-Up or Broadband (DSL or Cable modem) Connection
Additionally, for Windows file and print sharing to work through the MUVPN client tunnel, each Windows operating system must have the proper components installed and configured to use the remote WINS and DNS servers on the trusted and optional networks behind the Firebox.
NOTE You cannot use the MUVPN client virtual adapter. Make sure this is disabled.
6 Type a description for your computer (optional).
7 Click OK. Click OK to close and save changes to the Network control panel. Click Cancel if you do not want to save any changes.
8 Reboot the machine.
Installing the Client for Microsoft Networks
From the Networks window:
1 Click the Configuration tab.
2 Click Add. The Select Network Component Type window appears.
3 Select Client.
4 Click Add. The Select Network Client window appears.
2 Click the Windows Setup tab. The Windows Setup dialog box appears and searches for installed components.
3 Enable the Communications checkbox and click the OK button. The Copying Files dialog box appears and copies the necessary files.
4 The Dial-Up Networking Setup dialog box appears and prompts you to restart the computer. Click the OK button. The computer reboots.
Further, Windows 98 requires that the Dial-up Networking component be updated with the 1.4 patch.
NOTE You must list the DNS server on the Private network behind the Firebox first.
6 Click the WINS Configuration tab.
7 Verify that the Enable WINS Resolution option has been enabled.
8 Under the “WINS Server Search Order” heading, enter your WINS server IP address, then click the Add button. If you have multiple remote WINS servers, repeat this step.
9 Click the OK button to close the TCP/IP Properties window.
3 Click the Add button.
4 Select Remote Access Services from the list, then click the OK button.
5 Enter the path to the Windows NT install files or insert your system installation CD, then click the OK button. The Remote Access Setup dialog box appears.
6 Click the Yes button to add a RAS capable device and enable you to add a modem.
7 Click the Add button and complete the Install New Modem wizard.
3 Select the TCP/IP protocol and click the Properties button. The Microsoft TCP/IP Properties window appears.
4 Click the DNS tab.
5 Click the Add button.
6 Type your DNS server IP address in the appropriate field. If you have multiple remote DNS servers, repeat the previous three steps.
NOTE You must list the DNS server on the Private network behind the Firebox first.
7 Click the WINS Address tab.
4 Verify that the following components are present and enabled:
- Internet Protocol (TCP/IP)
- File and Printer Sharing for Microsoft Networks
- Client for Microsoft Networks
Install these components if they are not already present.
Installing the Internet Protocol (TCP/IP) network component
From the Windows desktop:
1 Select Start => Settings => Network and Dial-up Connections, then select the Dial-up connection you use to access the Internet. The connection window appears.
3 Select the Networking tab and then click the Install button. The Select Network Component Type window appears.
4 Double click the Services network component. The Select Network Service window appears.
5 Select the File and Printer Sharing for Microsoft Networks Network Service and then click the OK button.
From the Windows desktop:
1 Select Start => Settings => Network and Dial-up Connections, then select the Dial-up connection you use to access the Internet. The connection window appears.
2 Click the Properties button.
3 Click the Networking tab.
4 Select the Internet Protocol (TCP/IP) component, then click the Properties button. The Internet Protocol (TCP/IP) Properties window appears.
5 Click the Advanced button. The Advanced TCP/IP Settings window appears.
6 Click the DNS tab.
13 Under the “WINS addresses, in order of use” heading, click the Add button. The TCP/IP WINS Server window appears.
14 Type your WINS server IP address in the appropriate field, then click the Add button. If you have multiple remote WINS servers, repeat the last two steps.
15 Click the OK button to close the Advanced TCP/IP Settings window.
16 Click the OK button to close the Internet Protocol (TCP/IP) Properties window.
Installing the Internet Protocol (TCP/IP) Network Component
From the Windows desktop:
1 Select Start => Control => Network Connections, then select the connection you use to access the Internet. The connection window appears.
2 Click the Properties button.
3 Select the Networking tab and then click the Install button. The Select Network Component Type window appears.
4 Double click the Protocol network component. The Select Network Protocol window appears.
Installing the Client for Microsoft Networks
From the Windows desktop:
1 Select Start => Control => Network Connections, then select the connection you use to access the Internet. The connection window appears.
2 Click the Properties button.
3 Select the Networking tab and then click the Install button. The Select Network Component Type window appears.
4 Double click the Client network component. The Select Network Protocol window appears.
5 Click the Advanced button. The Advanced TCP/IP Settings window appears.
6 Click the DNS tab.
7 Under the “DNS server addresses, in order of use” heading, click the Add button. The TCP/IP DNS Server window appears.
8 Type your DNS server IP address in the appropriate field, then click the Add button. If you have multiple remote DNS servers, repeat the last two steps.
NOTE You must list the DNS server on the Private network behind the Firebox first.
18 Click the Cancel button again to close the Dial-up connection window.
Install and Configure the MUVPN Client
The MUVPN installation files are available at the WatchGuard Web site: http://www.watchguard.com/support
NOTE In order to perform the installation process successfully, you must log into the remote computer with local administrator rights.
6 Select the type of setup. By default, Typical is enabled; this is the setup recommended by WatchGuard. Click the Next button.
7 If you are installing the client on a Windows 2000 host, the InstallShield detects the native Windows 2000 L2TP component. The client uses this component and does not need to install its own. Click the OK button to continue with the install. The Select Components window appears. Keep the default components and click the Next button.
8 The Start Copying Files window appears.
time after installation. For more information regarding ZoneAlarm, see “The ZoneAlarm Personal Firewall” on page 153.
Configuring the MUVPN Client
Once you have restarted the machine, the WatchGuard Policy Import dialog box appears. Click the Cancel button, as this step is not necessary.
From the Windows desktop system tray:
1 Right-click the MUVPN client icon and select Activate Security Policy, and then double-click the MUVPN client icon.
4 Click to select the Secure option. This is the default setting.
5 Click to select the Only Connect Manually checkbox.
6 Select the IP Subnet option from the ID Type drop list. The Remote Party Identity and Addressing settings refresh to display the appropriate fields.
7 Type the network IP Address of the Trusted Network behind the SOHO 6 Wireless in the field labeled “Subnet”.
8 Type the Subnet Mask of the Trusted Network behind the SOHO 6 Wireless in the field labeled “Mask”.
2 Select My Identity. The My Identity and Internet Interface settings appear to the right.
3 Select Options => Global Policy Settings. The Global Policy Settings dialog box appears.
4 Click to select the Allow to Specify Internal Network Address checkbox and then click OK. The Internal Network IP Address field appears among the My Identity settings.
5 Select None from the Select Certificate drop list.
6 Select E-mail Address from the ID Type drop list and then enter the username defined on the SOHO 6 Wireless in the available field.
7 Select Disabled from the Virtual Adapter drop list.
8 Type 0.0.0.0 in the Internal Network IP Address field. This value appears by default.
12 Type the exact text of the MUVPN client passphrase entered on the SOHO 6 Wireless appliance and then click OK.
NOTE Both the Pre-Shared Key and the E-mail Address must exactly match the System Passphrase and System Administrator Name configured on the SOHO 6 Wireless, or the connection will fail.
Defining Phase 1 and Phase 2 settings
Follow these instructions to define the phase 1 and phase 2 settings.
4 Select Pre-Shared Key from the Authentication Method drop list.
NOTE These values must match exactly those entered in the Firebox SOHO 6 Wireless appliance.
5 Select DES from the Encrypt Alg drop list and select SHA-1 from the Hash Alg drop list.
6 Select Unspecified from the SA Life drop list. This is the default setting.
7 Select Diffie-Hellman Group 1 from the Key Group drop list.
8 Expand Key Exchange (Phase 2).
9 A Proposal entry appears. Select Proposal 1.
10 Select Both from the SA Life drop list and then type 86400 in the Seconds field and 8192 in the KBytes field.
11 Select None from the Compression drop list. This is the default setting. The SOHO 6 Wireless Firebox appliance does not support compression.
12 Click to select the Encapsulation (ESP) checkbox and then select a value for the Encrypt Alg and Hash Alg drop lists.
Uninstall the MUVPN client
At some point, it may become necessary to completely uninstall the MUVPN client. WatchGuard recommends a complete uninstall using the Windows Add/Remove Programs tool. First, disconnect all existing tunnels and dial-up connections and reboot the remote computer. Then, from the Windows desktop:
1 Select Start => Settings => Control Panel. The Control Panel window appears.
2 Double click the Add/Remove Programs icon. The Add/Remove Programs window appears.
If you wish to disregard these settings, delete the contents.
8 When the computer has restarted, select Start => Programs.
9 Right-click Mobile User VPN and select Delete to remove this selection from your Start Menu.
Connect and Disconnect the MUVPN Client
The MUVPN client enables the remote computer to establish a secure, encrypted connection to a protected network over the Internet.
The Mobile User VPN client icon
The Mobile User VPN icon exists in the Windows desktop system tray and displays several different status images. The following lists these images and provides a brief description of each.
Deactivated
The MUVPN Security Policy is deactivated, or the Windows operating system did not start a necessary Mobile User VPN service properly and the remote computer must be restarted (if this continues, you may need to reinstall the MUVPN client).
Activated, Connected and Transmitting Unsecured Data
The MUVPN client has established at least one secure MUVPN tunnel connection. The red bar on the right of the icon indicates that the client is transmitting only unsecured data.
Activated, Connected and Transmitting Secured Data
The MUVPN client has established at least one secure MUVPN tunnel connection. The green bar on the right of the icon indicates that the client is transmitting only secured data.
• IreIKE.exe
The personal firewall will detect the attempt of these programs to access the Internet. The New Program alert dialog box appears requesting access for the MuvpnConnect.exe program.
From the ZoneAlarm alert dialog box:
1 Enable the Remember this answer the next time I use this program option and click the Yes button. This enables ZoneAlarm to allow the MuvpnConnect.exe program through each time you attempt to make a MUVPN connection.
Disconnecting the MUVPN client
The MUVPN tunnel is independent of the Internet connection. Close the MUVPN tunnels when the remote computer encounters either of the following events:
- Loses the Internet connection
- No longer needs the MUVPN tunnel
From the Windows desktop system tray:
1 Right-click the Mobile User VPN client icon.
2 Select Disconnect All.
3 Right-click the Mobile User VPN client icon and select Deactivate Security Policy.
Monitor the MUVPN Client Connection
The Log Viewer
The Log Viewer displays the communications log, a diagnostic tool that lists the negotiations that occur during the MUVPN client connection.
From the Windows desktop system tray:
1 Right-click the Mobile User VPN client icon.
2 Select Log Viewer. The Log Viewer window appears.
The Connection Monitor
The Connection Monitor displays statistical and diagnostic information for each active connection in the security policy.
• When a single Phase 1 SA to a gateway protects multiple Phase 2 SAs, there is a single Phase 1 connection with the SA icon and individual Phase 2 connections with the key icon displayed above that entry.
The ZoneAlarm Personal Firewall
A personal firewall is a barrier between your computer and the outside world. The computer is most vulnerable at its doors, called ports. Without ports, no connection to the Internet is possible.
means no information leaves your computer unless you give it permission. If you enable the “Remember the answer each time I use this program” checkbox, you will only have to answer this question once for each program. The ZoneAlarm personal firewall provides a brief tutorial of the product immediately after installation of the MUVPN client. Carefully read each step to familiarize yourself with the application.
In the example above, the Internet Explorer Web browser application has been launched and is attempting to access the user's home page. The program that actually needs to pass through the firewall is “IEXPLORE.EXE”. In order to allow this program access each time the application is executed, enable the Remember the answer each time I use this program checkbox.
Programs Which Must Be Allowed
MUVPN client: IreIKE.exe, MuvpnConnect.exe
MUVPN Connection Monitor: CmonApp.exe
MUVPN Log Viewer: ViewLog.exe
Programs Which May be Allowed
MS Outlook: OUTLOOK.exe
MS Internet Explorer: IEXPLORE.exe
Netscape 6.1: netscp6.exe
Opera Web browser: Opera.exe
Standard Windows network applications: lsass.exe, services.exe, svchost.exe, winlogon.exe
Shutting Down ZoneAlarm
From the Windows desktop system tray:
1 Right-click on the ZoneAlarm icon.
3 Click the Yes button to continue with uninstalling the TrueVector service and disable its Internet Security features. The Select Uninstall Method window appears.
4 Verify that Automatic is selected and then click the Next button.
5 Click the Finish button to perform the uninstall.
NOTE The Remove Shared Component window may appear.
Use the MUVPN Client to Enforce your Corporate Policy
2 From the navigation bar on the right side, select VPN => MUVPN Clients. The MUVPN Clients page appears.
3 Click the Add button. The Edit MUVPN Client page appears.
4 Type a username in the Username field. This username will be used as the E-mail Address when setting up the MUVPN client.
5 Type a passphrase in the Passphrase field. This passphrase will be used as the Pre-Shared Key when setting up the MUVPN client.
6 In the Virtual IP Address field, type an unused IP address from the Trusted network; the MUVPN client computer will use this address when connecting to the SOHO 6 Wireless.
11 Click Submit. The page refreshes and you are prompted to reboot the SOHO 6 Wireless in order to activate the changes.
12 Click Reboot.
13 Connect one end of a straight-through Ethernet cable into the Ethernet port labeled OPT on the SOHO 6 Wireless. Connect the other end into the uplink port of the hub.
14 Connect Ethernet cables to the uplink ports of the hub and to the Ethernet ports of each of your computers.
4 Click to select the Secure option. This is the default setting.
5 Click to select the Only Connect Manually checkbox.
6 Select the IP Subnet option from the ID Type drop list. The Remote Party Identity and Addressing settings refresh to display the appropriate fields.
7 Type 0.0.0.0 in both the Subnet and Mask fields. These are the default values.
8 Select All from the Protocol drop list. This is the default setting.
2 Click to select the Aggressive Mode option.
3 Verify that the Enable Perfect Forward Secrecy (PFS) checkbox is not selected.
4 Click to select the Enable Replay Detection checkbox.
Defining the My Identity settings
Follow these instructions to define the My Identity settings.
1 From the Network Security Policy field, expand the new entry. The My Identity and Security Policy entries appear.
2 Select My Identity. The My Identity and Internet Interface settings appear to the right.
3 Select Options => Global Policy Settings. The Global Policy Settings dialog box appears.
4 Click to select the Allow to Specify Internal Network Address checkbox and then click OK. The Internal Network IP Address field appears among the My Identity settings.
5 Select None from the Select Certificate drop list.
6 Select E-mail Address from the ID Type drop list and then enter the username defined on the SOHO 6 Wireless in the available field.
7 Select Disabled from the Virtual Adapter drop list.
8 Type 0.0.0.0 in the Internal Network IP Address field. This value appears by default.
9 Select Any from the Name drop list. This is the default setting.
10 Click Pre-Shared Key. The Pre-Shared Key dialog box appears.
11 Click Enter Key. The text entry field is activated.
Defining Phase 1 and Phase 2 settings
Follow these instructions to define the phase 1 and phase 2 settings. Make certain that the settings match exactly those on the Firebox SOHO 6 Wireless appliance.
1 From the Network Security Policy field, expand Security Policy. Both Phase 1 and Phase 2 negotiations appear.
2 Expand Authentication (Phase 1). A Proposal entry appears.
3 Select Proposal 1.
NOTE These values must match exactly those entered in the Firebox SOHO 6 Wireless appliance.
5 Select DES from the Encrypt Alg drop list and select SHA-1 from the Hash Alg drop list.
6 Select Unspecified from the SA Life drop list. This is the default setting.
7 Select Diffie-Hellman Group 1 from the Key Group drop list.
8 Expand Key Exchange (Phase 2).
9 A Proposal entry appears. Select Proposal 1. The IPSec Protocols settings appear to the right.
12 Click to select the Encapsulation (ESP) checkbox and then select a value for the Encrypt Alg and Hash Alg drop lists.
13 Select DES from the Encrypt Alg drop list and select MD5 from the Hash Alg drop list.
14 Select Tunnel from the Encapsulation drop list. This is the default setting.
15 Verify that the Authentication Protocol (AH) checkbox is not selected.
16 Once you have finished, select File => Save or click the button.
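The guide says twice that the client's Phase 1 and Phase 2 values must match the appliance exactly or the connection fails. The following is an added example, not WatchGuard code: it models the settings the guide tells you to enter as what the SOHO 6 Wireless side expects, checks a constructed client policy against them field by field, checks the E-mail Address identity and Pre-Shared Key against the username and passphrase defined on the appliance, and works out how often the "Both" SA life of 86400 seconds / 8192 KBytes actually rekeys at a given throughput. The username, passphrase and the "Deflate" compression value are constructed for the example.

```python
import hmac
from dataclasses import dataclass, fields, replace

@dataclass(frozen=True)
class Phase1:                 # Authentication (Phase 1) values from the guide
    mode: str                 # Aggressive
    auth: str                 # Pre-Shared Key
    encrypt: str              # DES
    hash: str                 # SHA-1
    key_group: str            # Diffie-Hellman Group 1
    pfs: bool                 # Enable Perfect Forward Secrecy not selected
    replay_detection: bool    # Enable Replay Detection selected

@dataclass(frozen=True)
class Phase2:                 # Key Exchange (Phase 2) values from the guide
    esp: bool                 # Encapsulation (ESP) selected
    ah: bool                  # Authentication Protocol (AH) not selected
    encrypt: str              # DES
    hash: str                 # MD5
    encapsulation: str        # Tunnel
    compression: str          # None: the SOHO 6 Wireless does not support it
    sa_life_seconds: int      # 86400, with SA Life set to Both
    sa_life_kbytes: int       # 8192

# What the SOHO 6 Wireless side expects: the values the guide says to enter.
GATEWAY_P1 = Phase1("Aggressive", "Pre-Shared Key", "DES", "SHA-1",
                    "Diffie-Hellman Group 1", pfs=False, replay_detection=True)
GATEWAY_P2 = Phase2(esp=True, ah=False, encrypt="DES", hash="MD5",
                    encapsulation="Tunnel", compression="None",
                    sa_life_seconds=86400, sa_life_kbytes=8192)

# Constructed client settings: Phase 1 copied correctly, Phase 2 with the hash
# mistyped as SHA-1 and a (constructed) compression choice left on.
CLIENT_P1 = replace(GATEWAY_P1)
CLIENT_P2 = replace(GATEWAY_P2, hash="SHA-1", compression="Deflate")

def mismatches(expected, actual):
    """Field-by-field differences as (field, expected, actual) tuples.
    An empty list means the client proposal matches the appliance exactly."""
    return [(f.name, getattr(expected, f.name), getattr(actual, f.name))
            for f in fields(expected)
            if getattr(expected, f.name) != getattr(actual, f.name)]

def identity_matches(id_type, identity, psk, gateway_user, gateway_psk):
    """The client's ID Type must be E-mail Address carrying the username set on
    the SOHO 6 Wireless, and its Pre-Shared Key must equal that user's passphrase."""
    return (id_type == "E-mail Address" and identity == gateway_user
            and hmac.compare_digest(psk.encode(), gateway_psk.encode()))

def rekey_interval_seconds(p2, throughput_kbit_s):
    """With SA Life set to Both, Phase 2 rekeys at whichever limit is hit first.
    At 1024 kbit/s the 8192 KByte limit is reached after 64 s, not 86400 s."""
    by_volume = p2.sa_life_kbytes * 8 / throughput_kbit_s
    return min(p2.sa_life_seconds, by_volume)

def report(client_p1, client_p2, id_type, identity, psk, gateway_user, gateway_psk):
    """Collect everything that would make the tunnel negotiation fail."""
    problems = [f"phase1 {n}: expected {e!r}, client has {a!r}"
                for n, e, a in mismatches(GATEWAY_P1, client_p1)]
    problems += [f"phase2 {n}: expected {e!r}, client has {a!r}"
                 for n, e, a in mismatches(GATEWAY_P2, client_p2)]
    if not identity_matches(id_type, identity, psk, gateway_user, gateway_psk):
        problems.append("identity or pre-shared key does not match the appliance")
    return problems

if __name__ == "__main__":
    for p in report(CLIENT_P1, CLIENT_P2, "E-mail Address", "alice", "s3cret", "alice", "s3cret"):
        print(p)
    print("Phase 2 rekey interval at 1 Mbit/s:", rekey_interval_seconds(GATEWAY_P2, 1024), "s")
```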
From the Windows desktop system tray:
1 First, reboot your computer.
2 Right-click on the Mobile User VPN client icon.
3 Select Disconnect All. The MUVPN client closes all VPN tunnels.
4 Right-click on the Mobile User VPN client icon and select Deactivate Security Policy. The MUVPN icon will display a red slash to indicate that the Security Policy has been deactivated.
5 Right-click on the ZoneAlarm icon and select Shutdown ZoneAlarm. The ZoneAlarm dialog box appears.
Troubleshooting Tips
broadcasting its network information, thereby preventing the machine from sending the necessary login information. You should be certain to shut down ZoneAlarm each time you disconnect the MUVPN connection.
Is the Mobile User VPN tunnel working?
The Mobile User VPN client icon, which appears in the Windows desktop system tray once it has been launched, will display a key within the icon once the client has connected. To test the connection, ping a computer on your company network.
3 Use the drop list to select a drive letter. Either use the drop list or type a network drive path.
4 Click OK. The mapped drive appears in the My Computer window.
Even if you enable the “Reconnect at Logon” checkbox, the mapped drive will not appear the next time you start your computer unless it is physically connected to the network.
I sometimes get prompted for a password when I am browsing the company network...
CHAPTER 11 Support resources
Troubleshooting tips
If you have problems during the installation and the configuration of your SOHO 6 Wireless, refer to this information.
General
What do the PWR, Status, and Mode lights signify on the SOHO 6 Wireless?
When the PWR light is lit, the SOHO 6 Wireless is connected to a power source. When the Status light is lit, there is a management connection to the SOHO 6 Wireless. When the MODE light is lit, the SOHO 6 Wireless is operational.
computer attached to one of the four Ethernet ports (labeled 0 through 3) to configure the SOHO 6 Wireless.
If the Mode light blinks: the SOHO 6 Wireless cannot connect to the external network. Possible causes of this problem include:
• The SOHO 6 Wireless did not receive an IP address for the external interface from the DHCP server.
• The WAN port is not connected to another appliance.
• The connection to the external interface is defective.
What is a SOHO 6 Wireless feature key?
See “Activate the SOHO 6 Wireless upgrade options” on page 66.
I can't get a certain SOHO 6 Wireless feature to work with a DSL modem.
Some DSL routers implement NAT firewalls. An external network connection through an appliance that supplies NAT causes problems with WebBlocker and the performance of IPSec. When a SOHO 6 Wireless connects to the external network through a DSL router, set the DSL router to operate as a bridge only.
that the cable is connected and the computer or hub is connected to a power supply.
I can connect to the Configuration Settings page; why can’t I browse the Internet?
If you can connect to the configuration page, but not the Internet, there is a problem with the connection from the SOHO 6 Wireless to the Internet.
• Make sure the cable modem or DSL modem is connected to the SOHO 6 Wireless and the power supply.
• Make sure the link light on the modem and the WAN indicator on the SOHO 6 Wireless are lit.
Configuration
Where are the SOHO 6 Wireless settings stored?
The configuration parameters are stored in the memory of the SOHO 6 Wireless.
How do I set up DHCP on the trusted network of the SOHO 6 Wireless?
1 Make sure your computer is configured to use DHCP. See “Enable your computer for DHCP” on page 17 for additional information.
172.16.x.x 255.240.0.0
192.168.x.x 255.255.0.0
To change to a static, trusted IP address, follow these steps:
1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6 Wireless. The default IP address is http://192.168.111.1
2 From the navigation bar on the left side, select Network => Trusted.
3 Reset the Enable DHCP Server check box.
4 Click Submit.
5 Type the information.
6 Click Submit.
How do I allow incoming services such as POP3, Telnet, and Web (HTTP)?
1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6 Wireless. The default IP address is http://192.168.111.1
2 From the navigation bar on the left side, select Firewall => Incoming. The Filter Incoming Traffic page opens.
3 Select the pre-configured service to allow.
4 Select Allow from the drop list.
5 Type the new protocol number in the Protocol field.
6 Click Submit.
7 From the navigation bar on the left side, select Firewall => Incoming. The Firewall Incoming Traffic page opens.
8 At the bottom of the page, locate the new service under the Custom Service list and select Allow from the drop-down list.
9 Type the IP address of the computer that is to receive the incoming data in the Service Host field.
10 Click Submit.
VPN
Management
See “What You Need” on page 106.
How do I set up VPN to a SOHO 6 Wireless?
Information about how to configure a VPN tunnel between a SOHO 6 Wireless and another IPSec compliant appliance is available from the WatchGuard Web site: https://support.watchguard.com/AdvancedFaqs/sointerop_main.asp
1 Log in to the site.
2 Download the file you need.
3 Follow the instructions to configure your VPN tunnel.
Contact technical support
(877) 232-3531 United States end-user support
(206) 521-8375 United States authorized reseller support
(360) 482-1083 International support
Online documentation and FAQs
Documentation in PDF format, tutorials, and FAQs are available on the WatchGuard Web Site: https://support.watchguard.com/AdvancedFaqs/
Special notices
• The online help system is not yet available on the WatchGuard Web site.