User Guide

107

What You Need

IP Address Table (example):

| Item | Description | Assigned By | Site A | Site B |
|---|---|---|---|---|
| External IP Address | The IP address that identifies the IPSec-compatible appliance to the Internet. | ISP | 207.168.55.2 | 68.130.44.15 |
| External Subnet Mask | The bitmask that shows which part of the IP address identifies the local network. For example, a class C address includes 256 addresses and has a netmask of 255.255.255.0. | ISP | 255.255.255.0 | 255.255.255.0 |
| Local Network Address | An address used to identify a local network. A local network address cannot be used as an external IP address. WatchGuard recommends that you use an address from one of the reserved ranges: 10.0.0.0/8, 172.16.0.0/12—255.240.0.0, 192.168.0.0/16—255.255.0.0. | You | 192.168.111.0/24 | 192.168.222.0/24 |
| Shared Secret | The shared secret is a passphrase used by two IPSec-compatible appliances to encrypt and decrypt the data that goes through the VPN tunnel. The two appliances use the same passphrase. If the appliances do not have the same passphrase, they can not encrypt and decrypt the data correctly. Use a passphrase that contains numbers, symbols, lowercase letters, and uppercase letters for better security. For example, “Gu4c4mo!3” is better than “guacamole”. | You | | |

Summary of Contents for BF4S16E5W

Page 1: ...WatchGuard Firebox SOHO 6 Wireless User Guide SOHO 6 firmware version 6 2 ...

Page 2: ...bout navigating in your computer s environment please refer to your system user manual The following conventions are used in this guide Convention Indication Bold type Menu commands dialog box options Web page options Web page names For example On the System Information page select Disabled NOTE Important information a helpful tip or additional instructions ...

Page 3: ...et Protocol Security ISDN Integrated Services Digital Network ISP Internet Service Provider MAC Media Access Control MUVPN Mobile User Virtual Private Network NAT Network Address Translation PPP Point to Point Protocol PPPoE Point to Point Protocol over Ethernet TCP Transfer Control Protocol UDP User Datagram Protocol URL Universal Resource Locator VPN Virtual Private Network WAN Wide Area Network...

Page 4: ...r compliance could void the user s authority to operate the equipment This equipment has been tested and found to comply with the limits for a Class A digital device pursuant to Part 15 of the FCC Rules These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment This equipment generates uses and can radiate radi...

Page 5: ...adian Interference Causing Equipment Regulations Cet appareil numerique de la classe A respecte toutes les exigences du Reglement sur le materiel broulleur du Canada CANADA RSS 210 The term IC before the radio certification number only signifies that Industry of Canada technical specifications were met Operation is subject to the following two conditions This device may not cause interference This...

Page 6: ...vi WatchGuard Firebox SOHO 6 Wireless VCCI Notice Class A ITE ...

Page 7: ...User Guide vii Declaration of Conformity ...

Page 8: ...UARD will not license the SOFTWARE PRODUCT to you and you will not have any rights in the SOFTWARE PRODUCT In that case promptly return the SOFTWARE PRODUCT along with proof of payment to the authorized dealer from whom you obtained the SOFTWARE PRODUCT for a full refund of the price you paid 1 Ownership and License The SOFTWARE PRODUCT is protected by copyright laws and international copyright tr...

Page 9: ...n to replace the original copy in the event it is destroyed or becomes defective D Sublicense lend lease or rent the SOFTWARE PRODUCT or E Transfer this license to another party unless i the transfer is permanent ii the third party recipient agrees to the terms of this EULA and iii you do not retain any copies of the SOFTWARE PRODUCT 4 Limited Warranty WATCHGUARD makes the following limited warran...

Page 10: ...SSIVE OR IMPUTED OR FAULT OF WATCHGUARD AND ANY OBLIGATION LIABILITY RIGHT CLAIM OR REMEDY FOR LOSS OR DAMAGE TO OR CAUSED BY OR CONTRIBUTED TO BY THE SOFTWARE PRODUCT Limitation of Liability WATCHGUARD S LIABILITY WHETHER IN CONTRACT TORT OR OTHERWISE AND NOTWITHSTANDING ANY FAULT NEGLIGENCE STRICT LIABILITY OR PRODUCT LIABILITY WITH REGARD TO THE SOFTWARE PRODUCT WILL IN NO EVENT EXCEED THE PURC...

Page 11: ...ll destroy all copies of the SOFTWARE PRODUCT and documentation remaining in your control or possession 8 Miscellaneous Provisions This EULA will be governed by and construed in accordance with the substantive laws of Washington excluding the 1980 United National Convention on Contracts for the International Sale of Goods as amended This is the entire EULA between us relating to the contents of th...

Page 12: ...d States and or other countries Hi fn Inc 1993 including one or more U S Patents 4701745 5016009 5126739 and 5146221 and other patents pending Microsoft Internet Explorer Windows 95 Windows 98 Windows NT and Windows 2000 are either registered trademarks or trademarks of Microsoft Corporation in the United States and or other countries Netscape and Netscape Navigator are registered trademarks of Ne...

Page 13: ... PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE US...

Page 14: ...TIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE The licence and distribution terms ...

Page 15: ... WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE The Apache Software License Version 1 1 Copyright c 2000 The Apache Software Foundation All rights reserved Redistribution and use in source and binary forms with or without modification are permitted provided that the ...

Page 16: ...ign All other trademarks or trade names mentioned herein if any are the property of their respective owners Limited Hardware Warranty This Limited Hardware Warranty the Warranty applies to the enclosed WatchGuard hardware product the Product not including any associated software which is licensed pursuant to a separate end user license agreement and warranty BY USING THE PRODUCT YOU AGREE TO THE T...

Page 17: ... NOT LIMITED TO ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE ANY IMPLIED WARRANTY ARISING FROM COURSE OF PERFORMANCE COURSE OF DEALING OR USAGE OF TRADE ANY WARRANTY OF NONINFRINGEMENT ANY WARRANTY OF UNINTERRUPTED OR ERROR FREE OPERATION ANY OBLIGATION LIABILITY RIGHT CLAIM OR REMEDY IN TORT WHETHER OR NOT ARISING FROM THE NEGLIGENCE WHETHER ACTIVE PASSIVE OR IMPUTE...

Page 18: ...hich such transfer would be prohibited by the U S Export laws and regulations If any provision of this Warranty is found to be invalid or unenforceable then the remainder shall have full force and effect and the invalid provision shall be modified or partially enforced to the maximum extent permitted by law to effectuate the purpose of this Warranty This is the entire agreement between WatchGuard ...

Page 19: ...s the SOHO 6 Wireless process information 5 How Does Wireless Networking Work 5 SOHO 6 Wireless hardware description 6 CHAPTER 2 Installation 13 Before you Begin the Installation 14 Physically Connect to the SOHO 6 Wireless 21 Setting up the Wireless Network 26 Setting up the Wireless Access Point 27 Configuring the Wireless Card on your computer 27 ...

Page 20: ...ed Network 42 Configure the Optional Network for Wireless Networking 46 Configure the Wireless Network 49 Configure static routes 54 View network statistics 55 Configure the dynamic DNS Service 56 CHAPTER 5 Administrative options 59 The System Security page 59 Set up VPN manager access 63 Update the firmware 65 Activate the SOHO 6 Wireless upgrade options 66 View the configuration file 69 CHAPTER ...

Page 21: ...he system time 90 CHAPTER 8 SOHO 6 Wireless WebBlocker 93 How WebBlocker works 93 Purchase and activate SOHO 6 Wireless WebBlocker 95 Configure the SOHO 6 Wireless WebBlocker 95 WebBlocker Categories 101 CHAPTER 9 VPN Virtual Private Networking 105 What You Need 106 Step by step instructions to configure a SOHO 6 Wireless VPN tunnel 109 Frequently Asked Questions 110 Set Up multiple SOHO SOHO VPN ...

Page 22: ... Configure the MUVPN Client 137 Connect and Disconnect the MUVPN Client 147 Monitor the MUVPN Client Connection 151 The ZoneAlarm Personal Firewall 153 Use the MUVPN Client to Enforce your Corporate Policy 157 Troubleshooting Tips 167 CHAPTER 11 Support resources 171 Troubleshooting tips 171 Contact technical support 180 Online documentation and FAQs 180 Special notices 180 Index 181 ...

Page 23: ...User Guide 1 CHAPTER 1 Introduction This manual shows how to use your WatchGuard Firebox SOHO 6 Wireless or SOHO 6tc Wireless security appliance for secure access to the Internet ...

Page 24: ...or ISDN The newest installation and user information is available from the WatchGuard Web site http support watchguard com sohoresources Package contents Make sure that the package contains all of these items SOHO 6 Wireless QuickStart Guide Wireless User Guide LiveSecurity Service activation card Hardware Warranty card AC adapter 12 V 1 2 A Straight through Ethernet cable SOHO 6 Wireless security...

Page 25: ...sted side of your SOHO 6 Wireless firewall are protected The illustration below shows how the SOHO 6 Wireless physically divides your trusted network from the Internet The SOHO 6 Wireless controls all traffic between the external network the Internet and the trusted network your computers All suspicious traffic is stopped The rules and policies that identify the suspicious traffic are shown in Con...

Page 26: ...net that sends and receives packets Each computer on the Internet has an address The SOHO 6 Wireless is also a computer and has an IP address When you configure a service behind a firewall you must include the trusted network IP address for the computer that supplies the service A URL Uniform Resource Locator identifies each IP address on the Internet An example of a URL is http www watchguard com...

Page 27: ...O 6 Wireless replaces the private IP addresses with the public IP address to protect the trusted network Each packet sent through the Internet contains IP address information Packets sent through the SOHO 6 Wireless with Dynamic NAT include only the public IP address of the SOHO 6 Wireless and not the private IP address of the computer in the trusted network Because only the IP address of the SOHO...

Page 28: ...el from the wireless computer to the SOHO 6 Wireless Separation of the trusted network from the optional network further protects the connection from the wireless computer to the SOHO 6 Wireless For information on how to configure this see Chapter 11 MUVPN Clients on page 119 SOHO 6 Wireless hardware description The hardware of the SOHO 6 Wireless uses newer technology than earlier SOHO models Fas...

Page 29: ...ransmitted over a wireless link The basic equation to determines the maximum data rate is Channel Capacity Channel Bandwidth x Log2 1 Signal Strength Noise Level This equation says the maximum amount of data bits s that can be transmitted over a given channel depends on The Channel Bandwidth 22Mbits s for 802 11b The Signal Strength 15dBm transmitted for Soho6 Wireless The Noise Level Depends on t...

Page 30: ...equency bands as 802 11 Some of these are Cordless phones Other 802 11b devices operating on adjacent channels Note that only channels 1 6 and11 are unique All other channels overlap because while the center frequencies increment by 5MHz per channel the bandwidths are 22MHz Microwave ovens Sodium type lighting systems fusion lamps Arc welders broadband spark gap transmitters Blue Tooth transmitter...

Page 31: ...ignal loss will only pertain to about the first 20 feet and will then increase by about 30 dB per 100 feet due the effect of walls and cubicles and widows etc Second the signals can arrive by different paths depending on how many surfaces reflect the signal This is called multi path Many surfaces will reflect a signal at 2 4 GHz The problem is that some combinations of reflected signals will resul...

Page 32: ...ill vary but might be as low as 10dBi for embedded wireless antennas Transmitted Power SOHO 6 Wireless transmits at 15dBm 0 032 watts which is compatible with US and European and other requirements In the USA 802 11b devices may transmit at up to 1 watt and up to 0 1 watt in Europe Allocated channels vary for USA and Europe Signal strength is a function both of how much power was transmitted and h...

Page 33: ...e are 14 indicator lights on the front panel of the SOHO 6 Wireless The illustration below shows the front view PWR PWR is lit while the SOHO 6 Wireless is connected to a power supply Status Status is lit while a management connection is in use Link Link indicators are lit while there is an active physical connection to the related Ethernet port A link indicator flashes when data flows through the...

Page 34: ...less The illustration below shows the rear view RESET button Push the reset button to reset to the SOHO 6 Wireless to the factory default configuration See Reset the SOHO 6 Wireless to the factory default settings on page 32 for more information about this procedure WAN port The WAN port is for the external interface Four numbered ports 0 3 These Ethernet ports are for the trusted network connecti...

Page 35: ...is concerned about the security of your network the wireless feature is turned off on the SOHO 6 Wireless we ship you This allows you to enable the wireless network after you set up the desired security To install the SOHO 6 Wireless you complete the following steps Identify and record your TCP IP settings Disable the HTTP proxy setting of your Web browser Enable your computer for DHCP Make the ph...

Page 36: ...HO 6 Wireless Computer with wireless card for Wireless You also need to follow these steps 1 Make sure there are a 10 100BaseT Ethernet card or an 802 11b wireless networking card installed in your computer 2 Make sure you have a functional Internet connection If the Internet connection is not functional call your ISP The Internet connection must be a cable modem or DSL modem with a 10 100BaseT po...

Page 37: ...tion procedure See External Network Configuration on page 37 for more information 6 Make sure that the Web browser program installed on your computer is Netscape Navigator version 4 77 or higher or Internet Explorer version 5 0 or higher 7 Record the SOHO 6 Wireless serial number The serial number is found on the bottom of the appliance Examine and record the current TCP IP settings Examine the cu...

Page 38: ...1 Click Start Run 2 Type winipcfg 3 Click OK 4 Select the Ethernet Adapter 5 Record the TCP IP settings in the table provided 6 Click Cancel Macintosh 1 Click the Apple menu Control Panels TCP IP 2 Record the TCP IP settings in the table provided 3 Close the window Other operating systems Unix Linux 1 Consult your operating system guide to locate the TCP IP screen 2 Record the TCP IP settings in t...

Page 39: ...ation pages for the SOHO 6 Wireless configure your computer to receive its IP address through DHCP See Network addressing on page 37 for more information about network addressing and DHCP NOTE These configuration instructions are for the Windows 2000 operating system 1 Click Start Settings Control Panel The control panel window opens TCP IP Setting Value IP Address Subnet Mask Default Gateway DHCP...

Page 40: ...reless 2 Double click the Network Dial up Connections icon 3 Double click the connection you use to connect to the Internet The network connection dialog box opens 4 Click Properties The network connection properties dialog box opens ...

Page 41: ... automatically checkbox 7 Click to select the Obtain DNS server address automatically checkbox 8 Click OK to close the Internet Protocol TCP IP Properties dialog box 9 Click OK again to close the Network Connection Properties dialog box Disable the HTTP proxy setting of your Web browser To configure a SOHO 6 Wireless you must access the configuration pages in the SOHO 6 Wireless with your browser ...

Page 42: ...ee browser applications If a different browser is used use the help menus of the browser program to find the necessary information Netscape 4 7 1 Open Netscape 2 Click Edit Preferences The Preferences window opens 3 A list of options is shown at the left side of the window Click the symbol to the left of the Advanced option to expand the list 4 Click Proxies 5 Make sure the Direct Connection to th...

Page 43: ...y Connect to the SOHO 6 Wireless The SOHO 6 Wireless protects computers that are connected to it by Ethernet cable or wireless connection This section discusses how to connect computers to the SOHO 6 Wireless by using Ethernet cables The SOHO 6 Wireless protects one computer or a multi computer network and can also function as a hub to connect other computers If you want to set up a wireless netwo...

Page 44: ...other network peripherals can connect directly to the SOHO 6 Wireless These connections use the four trusted network ports 0 3 To connect a maximum of four appliances use the SOHO 6 Wireless as a network hub 1 Shut down your computer 2 If you connect to the Internet through a DSL modem or cable modem disconnect the power supply to this device ...

Page 45: ...ted to the Internet and your computer 5 If you connect to the Internet through a DSL modem or cable modem reconnect the power supply to this device The indicator lights flash and then stop The modem is ready for use 6 Attach the AC adapter to the SOHO 6 Wireless Connect the AC adapter to a power source 7 Restart the computer See Factory default settings on page 31 for the factory default configura...

Page 46: ...usted network but the SOHO 6 Wireless will only allow ten Internet connections A seat is in use when an appliance connects to the Internet and is free when the connection is broken License upgrades are available from the WatchGuard Web site http www watchguard com sales buyonline asp To connect more than four appliances to the SOHO 6 Wireless these items are necessary an Ethernet hub a straight th...

Page 47: ...th your SOHO 6 Wireless to one of the trusted network ports 0 3 on the SOHO 6 Wireless Connect the other end to the uplink port of the Ethernet hub The SOHO 6 Wireless is connected to the Internet and your Ethernet hub 4 Connect an Ethernet cable between each of the computers and an uplink port on the Ethernet hub 5 If you connect to the Internet through a DSL modem or cable modem reconnect the po...

Page 48: ...ork in your browser window to connect to the System Status page of the SOHO 6 Wireless The default IP address is http 192 168 111 1 2 From the navigation bar on the left side select Network Optional 802 11b The Optional Network Configuration page appears 3 Select the Enable Optional Network checkbox to turn on the wireless network 4 Type the IP Address and Subnet Mask of the wireless network The d...

Page 49: ...our SOHO 6 Wireless device 5 Click Submit For more information on configuring the wireless network see Configure the Wireless Network on page 49 Configuring the Wireless Card on your computer The following instructions are for the Windows XP operating system Refer to the WatchGuard SOHO 6 Wireless User Guide for instruction on other operating systems 1 Click Start Control Panel Network Connections...

Page 50: ...he wireless network connection should now show that your wireless network is active 9 Set up the wireless computer to use DHCP For information on setting up DHCP see Figure Enable your computer for DHCP on page 17 Your Windows operating system should automatically look for the wireless connection and if more than one wireless network is found a dialog box will appear listing all wireless devices i...

Page 51: ...software of the SOHO 6 Wireless You can connect to these configuration page with your Web browser SOHO 6 Wireless System Status page Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6 Wireless The default IP address is http 192 168 111 1 The System Status page opens ...

Page 52: ...ess A display of information about the SOHO 6 Wireless configuration is shown This information includes the following The firmware version The serial number of the appliance The status of the following SOHO 6 Wireless features WSEP Logging VPN Manager Access Syslog Pass Through The status of the upgrade options ...

Page 53: ...sconnect button Use these buttons to start or terminate the PPPoE connection Factory default settings The default network settings and configuration settings for the SOHO 6 Wireless External network The external network settings use DHCP Trusted network The default IP address of the trusted interface is 192 168 111 1 The IP addresses for the computers on the trusted network are assigned through DH...

Page 54: ...eys are entered into the configuration page Reset the SOHO 6 Wireless to the factory default settings Reset the SOHO 6 Wireless to the factory default settings if it is not possible to correct a configuration problem A reset to the factory default settings is required if the system security passphrase is unknown or the firmware of the SOHO 6 Wireless is damaged by a power interruption Follow these...

Page 55: ... for additional information Register your SOHO 6 Wireless and activate the LiveSecurity Service After the SOHO 6 Wireless is installed and configured register the SOHO 6 Wireless and activate your LiveSecurity Service subscription LiveSecurity Service provides threat alert notifications security advice free virus protection software updates technical support by Web or telephone and access to onlin...

Page 56: ...profile on the WatchGuard Web site enter your user name and password If you do not have a user profile on the WatchGuard Web site create a new account Select your product and follow the instructions for product activation Record your LiveSecurity Service user profile information in the table below Keep this information confidential Reboot the SOHO 6 Wireless To reboot a SOHO 6 Wireless located on ...

Page 57: ... Wireless located on a remote system use one of these methods NOTE The remote SOHO 6 Wireless must be configured to allow incoming HTTP Web or FTP traffic from the Internet See Configure incoming and outgoing services on page 71 for information about how to configure a SOHO 6 Wireless to receive incoming traffic 3 Type the external network IP address of the remote SOHO 6 Wireless in your browser w...

Page 59: ...ork address distribution in use by your ISP The possible methods are static addressing DHCP or PPPoE Network addressing To connect to a TCP IP network each computer must have an IP address The assignment of IP addresses is dynamic or static If the assignment is dynamic the ISP assigns a different IP address to a computer each time the computer connects to the network When the computer disconnects ...

Page 60: ...lling authentication and security systems designed for dial up DSL modem and cable modem service When the SOHO 6 Wireless is configured to use PPPoE a button on the System Status page controls the connection to the external network Your ISP can tell you how their system assigns the IP addresses Configure the SOHO 6 Wireless external network for dynamic addressing The default configuration sets the...

Page 61: ... of the SOHO 6 Wireless The default IP address is http 192 168 111 1 2 From the navigation bar on the left side select Network External The External Network configuration page opens 3 From the Configuration Mode drop down list select Manual Configuration The page refreshes 4 Type the TCP IP settings you recorded from your computer during the installation process Refer to the table Examine and reco...

Page 62: ...r and click Stop Because the Internet connection is not configured the browser can not load your home page from the Internet The browser can open the configuration pages in the SOHO 6 Wireless 2 Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6 Wireless The default IP address is http 192 168 111 1 3 From the navigation bar on the l...

Page 63: ...tion allows the SOHO 6 Wireless to keep the PPPoE connection open during a period of frequent packet loss If the flow of traffic stops the SOHO 6 Wireless reboots A reboot frequently restores the connection The ISP sees this constant flow of traffic as a continuous connection The regulations and billing policy of the ISP determine if you can use this option Watchguard Technical Support uses this f...

Page 64: ...s the computer an IP address If you use a DHCP server to assign IP addresses enable the DHCP Relay option This option causes the SOHO 6 Wireless to forward the DHCP request to the specified DHCP server Configure DHCP server and DHCP relay To configure DHCP server 1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6 Wireless The defa...

Page 65: ... the Enable DHCP Server on the Trusted Network check box 5 Type the first IP address that is available for the computers that connect to the trusted network 6 Type the WINS Server address DNS Server primary address DNS Server secondary address and DNS Domain server suffix 7 Click Submit 8 Reboot the SOHO 6 Wireless if necessary ...

Page 66: ...less than 30 seconds the SOHO 6 Wireless uses its internal DHCP server to respond to the computer on the trusted network Configure additional computers on the trusted network The SOHO 6 Wireless accepts the direct connection of a maximum of four computers printers scanners or other network peripherals The use of one or more 10BaseT Ethernet hubs with RJ 45 connectors allows the connection of addit...

Page 67: ...ireless DHCP server and make static address assignments follow these steps 1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6 Wireless The default IP address is http 192 168 111 1 2 From the navigation bar on the left side select Network Trusted The Trusted Network configuration page opens ...

Page 68: ...y 7 Configure the appliances on the trusted network with static addresses Configure the Optional Network for Wireless Networking To turn on the wireless network you must enable the optional network Follow these instructions to complete the configuration 1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6 Wireless The default IP add...

Page 69: ...rk Optional 802 11b The Optional Network Configuration page opens 3 Click the Enable Optional Network checkbox To turn on the wireless network you need to enable the optional network 4 Type the IP address and subnet mask of the optional network The default IP Address is 192 168 112 1 The default Subnet Mask is 255 255 255 0 ...

Page 70: ...ect this checkbox all wireless devices that are connected to the optional network can access the computers on your trusted network 10 To require encrypted MUVPN connections through the wireless interface click to select the Requires Encrypted MUVPN connections on this interface checkbox You may want to enable this feature after the initial connection between your wireless computers and the SOHO 6 ...

Page 71: ...by physical security such as login credentials that are only effective for a controlled physical environment because the radio transmissions of a WLAN are not bound by the walls containing the network WEP achieves security by encrypting the data transmitted over the WLAN Data encryption protects the vulnerable wireless connection between computers and access points once this measure has been taken...

Page 72: ...the left side select Network Wireless Configuration The Wireless Network Configuration page appears 3 From the Encryption drop down list select the level of encryption you want applied to your wireless connections The options are Disabled 40 64 bit WEP and 128 bit WEP ...

Page 73: ...that the wireless network will use to connect If you have 40 64 bit WEP the key can be up to 10 characters If you have 128 bit WEP the key can be up to 26 characters 5 If you typed more than one key select which key you want to use as the default key from the Default Key drop down list 6 Select the Authentication mode you want to use for your wireless network connection The options are Open System...

Page 74: ...ers To change the Channel From the Channel drop down list select the channel you want to use in your wireless connection Restrict Access by Hardware Address You can change the settings of how the SOHO 6 Wireless communicates with your wireless computer and other settings 1 If you want to restrict access to the SOHO 6 Wireless by the computer hardware address select Enabled in the Restrict Access b...

Page 75: ...the wireless computers select Enabled in the Respond to SSID Query Requests If you do not want the SOHO 6 Wireless to respond select Disabled The wireless computers send out query requests to find if there are any wireless access points that it can connect to Log Authentication Events If you want the SOHO 6 Wireless to log when a wireless computer tries to access it select Enabled If you do not wa...

Page 76: ... configure static routes Follow these instructions to configure static routes 1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6 Wireless The default IP address is http 192 168 111 1 2 From the navigation bar on the left side select Network Routes The Routes page opens 3 Click Add The Add Route page opens ...

Page 77: ...Click Submit To remove a route select the route and click Remove View network statistics The Network Statistics page gives information about network performance This page is useful during troubleshooting Follow these instructions to access the Network Statistics page 1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6 Wireless The ...

Page 78: ...er the external IP address of the SOHO 6 Wireless with the dynamic DNS Domain Name Server service DynDNS org A dynamic DNS service makes sure that the IP address attached to your domain name is changed when your ISP assigns you a new IP address 1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6 Wireless The default IP address is h...

Page 79: ...rd is not affiliated with dyndns org 2 From the navigation bar on the left side select Network DynamicDNS The Dynamic DNS client page opens 3 Select the Enable Dynamic DNS client checkbox 4 Type the domain name and password in the applicable fields 5 Click Submit ...

Page 81: ...firmware updates upgrade activation and display of the SOHO 6 Wireless configuration file in a text format are done from the Administration page The System Security page The System Security page contains the settings that control access to the configuration of the SOHO 6 Wireless Set a system administrator name and passphrase to limit access to the configuration pages Enable remote management to a...

Page 82: ...st reset the SOHO 6 Wireless to the factory default settings. See "Factory default settings" on page 31 for additional information. Change the System Administrator passphrase every month. Select a combination of eight letters, numbers, and symbols. Do not use a word. Use at least one special symbol, a number, and a mixture of upper case and lower case letters for increased security. Follow these instructions ...

Page 83: ...Security check box. 5. Type a System Administrator Passphrase, and then type it again to confirm. 6. Click Submit. SOHO 6 Wireless Remote Management: Both the SOHO 6 Wireless and SOHO 6tc Wireless come equipped with the SOHO 6 Wireless Remote Management feature. This feature uses the MUVPN client or Pocket PC to establish a secure ...

Page 84: ...guration page. 1. First, follow the steps above to configure System Security. 2. Enable the checkbox labeled Enable SOHO 6 Wireless Wireless Remote Management. 3. Type the Virtual IP address, which will be used by the remote management computer when connecting to the SOHO 6 Wireless, in the appropriate field. 4. In the Authentication Algorithm drop list, specify the authentication: MD5-HMAC 128-bit authenticat...

Page 85: ...ernal network in your browser window to connect to the System Status page of the SOHO 6 Wireless. Set up VPN manager access: The VPN Manager Access page configures the SOHO 6 Wireless to allow remote configuration of the SOHO 6 Wireless by the WatchGuard VPN Manager software. The WatchGuard VPN Manager software configures and manages VPN tunnels. The VPN Manager software is a separate product and must...

Page 86: ...ccess page opens. 3. Select Enable VPN Manager Access. 4. Type the Status Passphrase. 5. Type the Status Passphrase again to confirm. 6. Type the Configuration Passphrase. 7. Type the Configuration Passphrase again to confirm. NOTE: These passphrases must match the passphrases used in the VPN Manager software or the connection will fail. 8. Click Submit. ...

Page 87: ...xe file: 1. Save the .exe file to your computer. 2. Double-click the .exe file. The installer will install the updated firmware. To install the .wgd file: 1. Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6 Wireless. The default IP address is http://192.168.111.1. 2. Click Update. NOTE: If you configure your SOHO 6 Wireless from a computer that doe...

Page 88: ...ions provided by the update wizard. NOTE: The update wizard requests a user name and password. Type the system administrator name and passphrase configured on the System Security page. The default values are "user" and "pass". Activate the SOHO 6 Wireless upgrade options: Every SOHO 6 Wireless includes the software for all upgrade options. To activate an upgrade option, you must enter a license key in the con...

Page 89: ...e. 2. Type your User Name and Password. 3. Click Log In. 4. Follow the instructions provided on the Web site to activate your license key. 5. Copy the license key from the LiveSecurity Service Web site. 6. Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6 Wireless. The default IP address is http://192.168.111.1. 7. From the navigation bar on the ...

Page 90: ...grade enables the Web filtering option. MUVPN Client: The MUVPN Client upgrade allows remote users to connect to the SOHO 6 Wireless through a secure IPSec VPN tunnel. The MUVPN client creates an encrypted tunnel to your trusted or optional network, depending on if it is a wired or wireless connection. A wired connection goes to the trusted and the wireless connection goes to the optional. If you have a...

Page 91: ...www.watchguard.com/renew. Follow the instructions on the Web site. View the configuration file: The contents of the SOHO 6 Wireless configuration file are available in text format from the View Configuration File page. 1. Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6 Wireless. The default IP address is http://192.168.111.1. 2. From the na...

Page 93: ...hat are acceptable for the trusted network. The SOHO 6 Wireless lists many standard services on the configuration page. A service is the combination of protocol and port numbers for a type of application or type of communication. Configure incoming and outgoing services: The default configuration of the SOHO 6 Wireless prevents the transmission of all packets from the external network to the trusted n...

Page 94: ...ices that you add. The added services decrease the security of your network. Compare the value of access to each service against the security risk caused by that service. Common services: Follow these steps to change the configuration of the incoming filters for common services: 1. From the navigation bar on the left side, select Firewall Incoming or Outgoing. The Filter Incoming Traffic page opens. ...

Page 95: ... to allow incoming traffic to the computer with IP address 192.168.111.2. 4. Click Submit. Create a custom service: If you need to allow a service that is not listed in the common services, configure a custom service based on a TCP port, a UDP port, or a protocol. Follow these steps to configure a custom service: 1. Type the IP address of the trusted network in your browser window to connect to the System S...

Page 96: ... drop-down list below the Protocol Settings. The Custom Service page refreshes. 5. In the fields separated by the word To, enter the port number or the range of port numbers, or enter the protocol number. NOTE: For a TCP port or a UDP port, specify a port number. For a protocol, specify a protocol number. You cannot specify a port number for a protocol. ...

Page 97: ...sses in the address field. 10. Click Add. Repeat the previous three steps until all of the address information for this custom service is set. 11. Click Submit. Block external sites: The default configuration of the SOHO 6 Wireless allows the transmission of all packets from the trusted network to the external network; prevents the transmission of all packets from the external network to the trusted netwo...

Page 98: ...e Blocked Sites page refreshes. 3. Type a single host IP address, a network IP address, or the start and end of a range of host IP addresses in the address field. The illustration shows the selection Host IP Address and the IP address 207.68.172.246. 4. Click Add. The address information appears in the Blocked Sites field. 5. Click Submit. ...

Page 99: ...ptions page allows the configuration of general security policies. 1. Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6 Wireless. The default IP address is http://192.168.111.1. 2. From the navigation bar on the left side, select Firewall Firewall Options. The Firewall Options page opens. ...

Page 100: ... access to Trusted Network check box. 2. Click Submit. SOCKS implementation for the SOHO 6 Wireless: The SOHO 6 Wireless functions as a SOCKS network proxy server. An application that uses more than one socket connection and implements the SOCKS version 5 protocol can communicate through the SOHO 6 Wireless. SOCKS supplies a secure two-way communication channel between a computer on the external network...

Page 101: ...computer. Disable SOCKS on the SOHO 6 Wireless to prevent this security risk. See "Disabling SOCKS on the SOHO 6 Wireless" on page 81. Configuring your SOCKS application: To allow a SOCKS-compatible application on a computer in the trusted network to communicate with a computer on the external network, configure the application as described below. To make these settings, refer to the user's guide for the ap...

Page 102: ...Set the SOCKS proxy to the URL or IP address of the SOHO 6 Wireless. The default IP address is http://192.168.111.1. ...

Page 103: ...the SOCKS-compatible application. 1. Reset the Disable SOCKS proxy check box. This enables the SOHO 6 Wireless SOCKS proxy server. 2. Click Submit. This disables the SOHO 6 Wireless SOCKS proxy server. Logging all allowed outbound traffic: When in the default configuration, the SOHO 6 Wireless only records unusual events. For example, all denied traffic is recorded in the log file. You can change the configur...

Page 104: ...ork. 3. Click Submit. NOTE: If the MAC address for the external network field is cleared and the SOHO 6 Wireless is rebooted, the SOHO 6 Wireless is reset to the factory default MAC address for the external network. To prevent MAC address collisions, the SOHO 6 Wireless searches the external network periodically for the override MAC address. If the SOHO 6 Wireless finds a device that uses the same MAC add...

Page 105: ... IP Address page opens. 3. Set the Enable pass through address check box. 4. Type the IP address of the computer to connect to the pass through. This must be a public IP address. The illustration shows a pass through address of 206.253.208.103. 5. Click Submit. NOTE: A pass through connection decreases the security of the trusted network because the computer with the pass through connection is on the same E...

Page 107: ...ebBlocker database, and incoming traffic are examples of events that are recorded. The log records the events that show possible security problems. A denied packet is the most important type of event to log. A sequence of denied packets can show that an unauthorized person tried to access your network. NOTE: The records in the SOHO 6 Wireless log are erased if the power supply is disconnected. ...

Page 108: ...s and the WatchGuard Time Server, packets discarded because of a packet handling violation, duplicate messages, return error messages, and IPSec messages. The following procedure shows how to view the event log: 1. Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6 Wireless. The default IP address is http://192.168.111.1. 2. From the navigation...

Page 109: ...hGuard Firebox System package used by a Firebox II/III. The WSEP application runs on a computer that functions as the log host. The WSEP application records log messages sent from the Firebox II/III. If you have a Firebox II/III, configure the WSEP to accept the log messages from your SOHO 6 Wireless. Then follow these instructions to send your event logs to the WSEP: 1. Type the IP address of the truste...

Page 110: ...st in the applicable field. In the illustration, the IP address is 192.168.111.5. 5. Type a passphrase in the Log Encryption Key field. 6. Confirm the passphrase in the Confirm Key field. 7. Click Submit. NOTE: Use the same encryption key recorded in the WSEP application. Set up logging to a Syslog host: This option sends the SOHO 6 Wireless log entries to a Syslog host. ...

Page 111: ...gging. The Syslog Logging page opens. 3. Set the Enable syslog output check box. 4. Type the IP address of the Syslog server. In the illustration, the IP address is 206.253.208.100. 5. Click Submit. This option includes the local time from your browser in the Syslog messages: Select Include local time in Syslog message. NOTE: Syslog traffic is not encrypted. Syslog messages that are sent through the Internet de...

Page 112: ...O 6 Wireless records the time of each log entry. The time recorded in the log entries is from the SOHO 6 Wireless system clock. Follow these steps to set the system time: 1. Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6 Wireless. The default IP address is http://192.168.111.1. ...

Page 113: ... Time Server. This step synchronizes the system time with a TCP Port 37 Time Server: 4. Select Get Time From TCP Port 37 Time Server at. 5. Type the IP address of the time server in the applicable field. 6. Click Submit. This step sets the SOHO 6 Wireless to adjust for daylight savings time: Set the Adjust for daylight savings time check box. This step sets the current time zone of the SOHO 6 Wireless: Selec...

Page 114: ...NOTE: The time zone selection is only used when the Get Time From WatchGuard Time Server check box is selected. ...

Page 115: ...ed and maintained by SurfControl. The database shows the type of content found on thousands of Web sites. WatchGuard puts the newest version of the SurfControl database on the WebBlocker server at regular intervals. The WebBlocker checks each Web site request by users in the trusted network. The SOHO 6 Wireless sends to the database a request for the type of content found on the Web site. The SOHO 6 Wi...

Page 116: ...Wireless examines the configuration to see if that type of site is permitted. When the type of site is not permitted, the user is told that the site is not available. If the type of site is permitted, the Web browser opens the page. WatchGuard WebBlocker database unavailable: If the WatchGuard WebBlocker database is not available, the user is told that the Web site is not available. The database is not av...

Page 117: ...o bypass WebBlocker. When a site is blocked, the user can supply the full access password to access the Web site. After the user supplies the password, the user can access all Web sites until the password expires or the browser is closed. Purchase and activate SOHO 6 Wireless WebBlocker: To use the WatchGuard SOHO 6 Wireless WebBlocker, you must purchase and enable the WebBlocker upgrade license key. See ...

Page 118: ... timeout require that your Web users authenticate. 1. Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6 Wireless. The default IP address is http://192.168.111.1. 2. From the navigation bar on the left side, select WebBlocker Settings. The WebBlocker Settings page opens. 3. Set the Enable WebBlocking check box. ...

Page 119: ...ects Internet connections that are inactive for the set number of minutes. 6. To set the WebBlocker to use groups and users, set the Require Web users to authenticate check box. 7. Click Submit to register your changes. Create WebBlocker groups and users: Follow these instructions to create WebBlocker groups: 1. Type the IP address of the trusted network in your browser window to connect to the System Stat...

Page 120: ...2. From the navigation bar on the left side, select WebBlocker Groups. The WebBlocker Groups page opens. 3. Click New to create a group name and profile. ...

Page 121: ...4. Define a Group Name and set the types of content to filter for this group. 5. Click Submit. A new Groups page opens that shows the configuration changes. ...

Page 122: ...6. To the right of the Users field, click New. The New User page opens. 7. Type a new user name and passphrase. 8. Confirm the passphrase. ...

Page 123: ...not included. For example, the drugs/drug culture category blocks sites describing how to grow and use marijuana but does not block sites discussing the historical use of marijuana. Alcohol/tobacco: Pictures or text advocating the sale, consumption, or production of alcoholic beverages and tobacco products. Illegal Gambling: Pictures or text advocating materials or activities of a dubious nature that may ...

Page 124: ... their primary purpose to alter the individual's state of mind, such as glue sniffing. This does not include (that is, if selected, these sites would not be WebBlocked under this category) currently illegal drugs legally prescribed for medicinal purposes, such as drugs used to treat glaucoma or cancer. Satanic/cult: Pictures or text advocating devil worship, an affinity for evil, wickedness, or the advocacy t...

Page 125: ...s, phrases, and profanity in either audio, text, or pictures. Search Engines: Search engine sites such as AltaVista, InfoSeek, Yahoo, and WebCrawler. Sports and Leisure: Pictures or text describing sporting events, sports figures, or other entertainment activities. Sex Education: Pictures or text advocating the proper use of contraceptives. Topic includes sites devoted to the explanation and description of condom...

Page 126: ...ic CD-ROMs and videos. Full Nudity: Pictures exposing any or all portions of human genitalia. Topic does not include sites categorized as Partial/Artistic Nudity containing partial nudity of a wholesome nature. For example, it does not include Web sites for publications such as National Geographic or Smithsonian magazine, nor sites hosted by museums such as the Guggenheim, the Louvre, or the Museum of Mod...

Page 127: ...ess. Why create a Virtual Private Network? Use a VPN tunnel to make an inexpensive and secure connection between the computers in two locations. Expensive, dedicated, point-to-point connections are not necessary for a VPN connection. A VPN tunnel gives the security necessary to use the public Internet for a private virtual connection between two locations. ...

Page 128: ...al. A secondary DNS address (optional). Domain name (optional). The network addresses and subnet masks for the two trusted networks. The default IP address for the SOHO 6 Wireless trusted network is 192.168.111.0. The default subnet mask for the SOHO 6 Wireless trusted network is 255.255.255.0. NOTE: The trusted networks at the two ends of the VPN tunnel must have different network addresses. If the appliance...

Page 129: ...etwork. A local network address cannot be used as an external IP address. WatchGuard recommends that you use an address from one of the reserved ranges: 10.0.0.0/8, 172.16.0.0/12 (255.240.0.0), 192.168.0.0/16 (255.255.0.0). Assigned by: You. Site A: 192.168.111.0/24; Site B: 192.168.222.0/24. Shared Secret: The shared secret is a passphrase used by two IPSec-compatible appliances to encrypt and decrypt the data that goes thro...

Page 130: ...less that is installed and configured, a connection to the Internet, a VPN upgrade license key. Site A: OurLittleSecret; Site B: OurLittleSecret. Encryption Method: DES uses 56-bit encryption. 3DES uses 168-bit encryption. The 3DES encryption method gives better security but decreases the speed of communication. The two IPSec-compatible appliances must use the same encryption method. Assigned by: You. Site A: 3DES; Site B: 3D...

Page 131: ... together in a star configuration. To configure more than one VPN tunnel, a WatchGuard Firebox II/III with the WatchGuard VPN Manager is necessary. The two appliances that make a VPN tunnel must each have a static IP address. If an appliance has a dynamic IP address, packets sent from the other end of the tunnel will not get to their destination. See "Network addressing" on page 37 for more information ab...

Page 132: ...ly a static IP address as an optional service. How do I troubleshoot the connection? If you can ping the remote SOHO 6 Wireless and the computers on the remote network, the VPN tunnel functions correctly. The configuration of the network software or the applications are possible causes of other problems. Why is ping not working? If you cannot ping the local network address of the remote SOHO 6 Wireless ...

Page 133: ...nse key. You can purchase a license key for an upgrade from the WatchGuard Web site: http://www.watchguard.com/sales/buyonline.asp. How do I enable a VPN tunnel? The instructions to help you enable a VPN tunnel are available from the WatchGuard Web site: https://support.watchguard.com/AdvancedFaqs/sointerop_main.asp. Set Up multiple SOHO-SOHO VPN tunnels: An administrator of a SOHO 6 Wireless can configure a...

Page 134: ...2. From the navigation bar on the left side, select VPN Manual VPN. The Manual VPN page opens. ...

Page 135: ...3. Click Add to set up the VPN tunnel. The Add Gateway page opens. ...

Page 136: ...Main and Aggressive. If the external IP address is dynamic, select Aggressive Mode. If the external IP address is static, use either mode. 7. Set the Local ID Type and the Remote ID Type. These must match the settings used on the remote gateway. If you set Main Mode, the Local ID Type and the Remote ID Type must contain IP addresses. If you set Aggressive Mode, the Remote ID Type may be an IP Address or a do...

Page 137: ...otiation expiration. 13. In the Diffie-Hellman Group drop-down list, set the group number. WatchGuard supports group 1 and group 2. Diffie-Hellman is a mathematical technique used to securely negotiate secret keys through a public network. Diffie-Hellman groups are collections of parameters used to achieve this. Group 2 is more secure than group 1, but more time is required to calculate group 2 secret key...

Page 138: ...is option gives more security but increases the time necessary for the communication because of the additional exchange. 18. Set the number of kilobytes until key expiration. 19. Set the number of hours until key expiration. 20. Set the IP address of the local network and the remote network that must use Phase 2 negotiation. 21. Click Submit. Configure split tunneling: The split tunneling feature allows the...

Page 139: ...t the IP address of the Remote Network. 7. Click Submit. MUVPN Clients: The MUVPN Clients allows remote users to connect to the SOHO 6 Wireless through a secure IPSec VPN tunnel. This option allows remote users to connect to the SOHO 6 Wireless through an IPSec VPN tunnel. The MUVPN client creates an encrypted tunnel, protected behind a SOHO 6 Wireless, to your trusted or optional network depending on if ...

Page 140: ...onfiguration page that displays VPN statistics. Use this page to monitor VPN traffic and to solve problems with the VPN configuration. To view the VPN Statistics page: 1. Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6 Wireless. The default IP address is http://192.168.111.1. 2. From the navigation bar on the left side, select VPN VPN Stat...

Page 141: ...client then creates an encrypted tunnel, protected behind a SOHO 6 Wireless, to your trusted or optional network depending on if it is a wired or wireless connection. A wired connection goes to the trusted and the wireless connection goes to the optional. The MUVPN client allows you to provide remote access to your internal networks without compromising security. If you have a wireless network, you can ...

Page 142: ...r your end users. The purpose of this chapter is to assist users of the SOHO 6 Wireless to set up the MUVPN client on an end user's remote computer and to explain the features of the personal firewall. Configure the SOHO 6 Wireless for MUVPN Clients: Follow these steps to configure your SOHO 6 Wireless: 1. With your Web browser, go to the System Status page using the Trusted IP address of the SOHO 6 Wir...

Page 143: ...2. From the navigation bar on the right side, select VPN MUVPN Clients. The MUVPN Clients page appears. ...

Page 144: ...lient. 5. Type a Passphrase in the appropriate field. This passphrase will be used as the Pre-Shared Key when setting up the MUVPN client. 6. Type the Virtual IP address, which will be used by the MUVPN computer when connecting to the SOHO 6 Wireless, in the appropriate field. 7. Select the Authentication Algorithm. The options are MD5-HMAC and SHA1-HMAC. 8. Select the Encryption Algorithm. The options are DES...

Page 145: ...stem. Every Windows system used as a MUVPN remote computer must have the following system requirements. System requirements: PC-compatible computer with Pentium processor or equivalent. Compatible operating systems and minimum RAM: Microsoft Windows 98, 32 MB; Microsoft Windows ME, 64 MB; Microsoft Windows NT 4.0 Workstation, 32 MB; Microsoft Windows 2000 Professional, 64 MB; Microsoft Windows XP, 64 MB. The lat...

Page 146: ...networking components must be configured and installed on a remote computer running Windows 98/ME in order for the MUVPN client to function properly. Configuring networking names: From the Windows desktop: 1. Select Start Settings Control Panel. Double-click the Network icon. The Network window appears. 2. Verify that the Client for Microsoft Networks is installed. If Client for Microsoft Networks is not i...

Page 147: ... the left. Select Client for Microsoft Networks from the list on the right. Click OK. 4. Select Client for Microsoft Networks. 5. Click Properties. 6. Enable the Log on to Windows NT domain option. 7. In the Windows NT Domain field, type the domain name. For example, your domains might be sales, office, and warehouse. 8. Enable the Logon and Restore Network Connections option. Installing Dial-Up Networking: The Mobi...

Page 148: ...osoft Web site to receive this free update. Configuring the WINS and DNS settings: You must configure the remote computer to use the WINS and DNS servers of the trusted network behind the Firebox. From the Windows desktop: 1. Select Start Settings Control Panel. Double-click the Network icon. The Network window appears. 2. Select the network component TCP/IP Dial-Up Adapter, then click the Properties button...

Page 149: ...ck the OK button to close the Network window. The System Settings Change dialog box appears. 11. Click the Yes button to restart the computer and implement the changes. Windows NT operating system setup: The following networking components must be installed and configured on a remote computer running Windows NT in order for the MUVPN client to function properly. Installing Remote Access Services on Wind...

Page 150: ... it from a list checkbox, then add a Standard 28800 modem. Windows NT requires at least one RAS device, such as a modem, if the RAS component is installed. If no modems are available, a dial-up networking serial cable between two computers can be selected. 8. Select the modem added in the last step in the Add RAS Device dialog box, then click the OK button. 9. Click the Continue button, then click the Close b...

Page 151: ...ropriate field, then click the OK button. If you have multiple remote WINS servers, repeat this step. 9. Click the Close button to close the Network window. The Network Settings Change dialog box appears. 10. Click the Yes button to restart the computer and implement the changes. Windows 2000 operating system setup: The following networking components must be installed and configured on a remote computer ru...

Page 152: ... use to access the Internet. The connection window appears. 2. Click the Properties button. 3. Select the Networking tab, and then click the Install button. The Select Network Component Type window appears. 4. Double-click the Protocol network component. The Select Network Protocol window appears. 5. Select the Internet Protocol (TCP/IP) Network Protocol, and then click the OK button. Installing the File and Prin...

Page 153: ...on you use to access the Internet. The connection window appears. 2. Click the Properties button. 3. Select the Networking tab, and then click the Install button. The Select Network Component Type window appears. 4. Double-click the Client network component. The Select Network Protocol window appears. 5. Select the Client for Microsoft Networks Network Client, and then click the OK button. 6. Click the Cancel bu...

Page 154: ...TCP/IP Settings window appears. 6. Click the DNS tab. 7. Under the "DNS server addresses, in order of use" heading, click the Add button. The TCP/IP DNS Server window appears. 8. Type your DNS server IP address in the appropriate field, then click the Add button. If you have multiple remote DNS servers, repeat the last two steps. NOTE: You must list the DNS server on the Private network behind the Firebox first. 9...

Page 155: ...t window. 18. Click the Cancel button again to close the Dial-up connection window. Windows XP operating system setup: The following networking components must be installed and configured on a remote computer running Windows XP in order for the MUVPN client to function properly. From the Windows desktop: 1. Select Start Control Panel Network Connections, then select the connection you use to access the In...

Page 156: ...Protocol window appears. 5. Select the Internet Protocol (TCP/IP) Network Protocol, and then click the OK button. Installing the File and Printer Sharing for Microsoft Networks: From the Windows desktop: 1. Select Start Control Network Connections, then select the connection you use to access the Internet. The connection window appears. 2. Click the Properties button. 3. Select the Networking tab, and then click ...

Page 157: ...lient, and then click the OK button. 6. Click the Cancel button to close the Select Network Component Type window. 7. Click the OK button to preserve the installed components. 8. Click the Cancel button to close the Dial-up connection window. Configuring the WINS and DNS settings: You must configure the remote computer to use the WINS and DNS servers of the trusted network behind the Firebox. From the Windo...

Page 158: ...end these DNS suffixes (in order) option. 10. Click the Add button. The TCP/IP Domain Suffix window appears. 11. Type your Domain suffix in the appropriate field. If you have multiple DNS suffixes, repeat the last two steps. 12. Click the WINS tab. 13. Under the "WINS addresses, in order of use" heading, click the Add button. The TCP/IP WINS Server window appears. 14. Type your WINS server IP address in the appropria...

Page 159: ...tallation file to the remote computer. 2. Double-click the MUVPN installation file. If at any time during the installation process you inadvertently skip a step, simply cancel the process and begin again. 3. The installation welcomes you to the InstallShield Wizard. Click the Next button. During the Setup Status portion of the install procedure, the InstallShield may detect ReadOnly Files. If this occurs, cl...

Page 160: ...talled; this is normal. When it is complete, the installation will continue. 10. When the InstallShield Wizard is complete, click the Finish button. 11. The InstallShield Wizard then searches for a User Profile file; click the Next button, as this step is not necessary. An Information dialog box appears. 12. Click the OK button to continue with the installation. 13. The InstallShield Wizard has completed the ins...

Page 161: ...PN client icon. The Security Policy Editor dialog box appears. NOTE: The ZoneAlarm personal firewall may immediately begin to display alerts on your Windows desktop. For more information regarding ZoneAlarm, see "The ZoneAlarm Personal Firewall" on page 153. 2. Select Edit Add Connection. A New Connection appears in the Network Security Policy field on the left side and the Connection Security and R...

Page 162: ...Subnet. 8. Type the Subnet Mask of the Trusted Network behind the SOHO 6 Wireless in the field labeled Mask. 9. Select All from the Protocol drop list. This is the default setting. 10. Click to select the Connect using checkbox and select Secure Gateway Tunnel from the drop list. 11. Select IP Address from the ID Type drop list, and then type the IP address of the External interface in the available field. D...

Page 163: ...2. Select My Identity. The My Identity and Internet Interface settings appear to the right. 3. Select Options Global Policy Settings. The Global Policy Settings dialog box appears. ...

Page 164: ...list. 6. Select E-mail Address from the ID Type drop list, and then enter the username defined on the SOHO 6 Wireless in the available field. 7. Select Disabled from the Virtual Adapter drop list. 8. Type 0.0.0.0 in the Internal Network IP Address field. This value appears by default. 9. Select Any from the Name drop list. This is the default setting. 10. Click Pre-Shared Key. The Pre-Shared Key dialog box appe...

Page 165: ... the SOHO 6 Wireless or the connection will fail. Defining Phase 1 and Phase 2 settings: Follow these instructions to define the phase 1 and phase 2 settings. Make certain that settings match exactly with those on the Firebox SOHO 6 Wireless appliance. 1. From the Network Security Policy field, expand Security Policy. Both Phase 1 and Phase 2 negotiations appear. 2. Expand Authentication (Phase 1). A Proposal...

Page 166: ...HO 6 Wireless appliance. 5. Select DES from the Encrypt Alg drop list and select SHA-1 from the Hash Alg drop list. 6. Select Unspecified from the SA Life drop list. This is the default setting. 7. Select Diffie-Hellman Group 1 from the Key Group drop list. 8. Expand Key Exchange (Phase 2). A Proposal entry appears. 9. Select Proposal 1. The IPSec Protocols settings appear to the right. ...

Page 167: ... appliance does not support compression 12 Click to select the Encapsulation ESP checkbox and then select a value for the Encrypt Alg and Hash Alg drop lists NOTE These two settings must exactly match those on the SOHO 6 Wireless or the connection will fail 13 Select Tunnel from the Encapsulation drop list This is the default setting 14 Verify that the Authentication Protocol AH checkbox is not sel...

Page 168: ...ears 4 Select Remove Click the Next button The Confirm File Deletion dialog box appears 5 Click the OK button to completely remove all of the components A command prompt window appears while the dni_vapmp file is installed this is normal When it is complete the installation will continue The Uninstall Security Policy dialog box appears 6 Click the Yes button to delete the Security Policy Personal ...

Page 169: ...ternet and then use the MUVPN client to connect to the protected network Connecting the MUVPN Client 1 First establish an Internet connection through either Dial Up Networking or directly through a local area network LAN or wide area network WAN From the Windows desktop system tray 2 Verify the MUVPN client status it must be activated If it is not right click the icon and select Activate Security ...

Page 170: ...ary Mobile User VPN service properly and the remote computer must be restarted if this continues you may need to reinstall the MUVPN client Activated The MUVPN client is ready to establish a secure MUVPN tunnel connection Activated and Transmitting Unsecured Data The MUVPN client is ready to establish a secure MUVPN tunnel connection The red bar on the right of the icon indicates that the client h...

Page 171: ...onnection The green bar on the right of the icon indicates that the client is transmitting only secured data Activated Connected and Transmitting both Secure and Unsecured Data The MUVPN client has established at least one secure MUVPN tunnel connection The red and green bars on the right of the icon indicate that the client is transmitting both secured and unsecured data Allowing the MUVPN client...

Page 172: ...his answer the next time I use this program option and click the Yes button This enables ZoneAlarm to allow the MuvpnConnect exe program through each time you attempt to make a MUVPN connection The New Program alert dialog box appears requesting access for the IreIKE exe program 2 Enable the Remember this answer the next time I use this program option and click the Yes button This enables ZoneAlar...

Page 173: ...Internet You must disconnect from the Internet separately 3 Right click the Mobile User VPN client icon and select Deactivate Security Policy The MUVPN icon displays a red slash to indicate a deactivated Security Policy If you are using the ZoneAlarm personal firewall deactivate this as well From the Windows desktop system tray 1 Right click the ZoneAlarm icon and select Shutdown ZoneAlarm The Zon...

Page 174: ...s and the security association SA information established during Phase 1 IKE negotiations and Phase 2 IPSec negotiations From the Windows desktop system tray 1 Right click the Mobile User VPN client icon 2 Select Connection Monitor The Connection Monitor window appears An icon appears to the left of the connection name SA indicates that the connection has only a Phase 1 IKE SA This occurs when con...

Page 175: ...ween your computer and the outside world The computer is most vulnerable at its doors called ports Without ports no connection to the Internet is possible ZoneAlarm protects these ports by following a simple rule Block all incoming and outgoing traffic unless you explicitly allow it for trusted programs When using ZoneAlarm you often see Program Alert dialog boxes similar to the image below This a...

Page 176: ...ead each step to familiarize yourself with the application For more information on ZoneAlarm features and configuration please refer to the ZoneAlarm Help system To access the Help system select Start Programs Zone Labs ZoneAlarm Help Allowing Traffic through ZoneAlarm When an application requires access through the ZoneAlarm personal firewall a Program Alert will be displayed on the Windows deskt...

Page 177: ...ge The program which actually needs to pass through the firewall is IEXPLORE EXE In order to allow this program access each time the application is executed enable the Remember the answer each time I use this program checkbox Here is a list of a few essential programs which will need access through the ZoneAlarm personal firewall in order to operate some important applications ...

Page 178: ... Programs Zone Labs Uninstall ZoneAlarm The Confirm Uninstall dialog box appears 2 Click the Yes button The ZoneLabs TrueVector service dialog box appears Programs Which Must Be Allowed MUVPN client IreIKE exe MuvpnConnect exe MUVPN Connection Monitor CmonApp exe MUVPN Log Viewer ViewLog exe Programs Which May be Allowed MS Outlook OUTLOOK exe MS Internet Explorer IEXPLORE exe Netscape 6 1 netscp6...

Page 179: ...o completely remove all of these files 6 The Install window appears and prompts you to restart the computer Click the OK button to reboot your system Use the MUVPN Client to Enforce your Corporate Policy In order to require telecommuters to authenticate with a MUVPN client and enforce your corporate security policies for these users you must configure the MUVPN Clients on the SOHO 6 Wireless and c...

Page 180: ...158 WatchGuard Firebox SOHO 6 Wireless 2 From the navigation bar on the right side select VPN MUVPN Clients The MUVPN Clients page appears 3 Click the Add button The Edit MUVPN Client page appears ...

Page 181: ...he Pre Shared Key when setting up the MUVPN client 6 Type an unused IP address from the Trusted network which will be used by the MUVPN client computer when connecting to the SOHO 6 Wireless in the Virtual IP Address field 7 Select MD5 HMAC from the Authentication Algorithm drop list 8 Select DES CBC from the Encryption Algorithm drop list 9 Select Mobile User from the VPN Client Type drop list 10...

Page 182: ...install it on your computer For information on installing the client see Chapter 9 Install and Configure the MUVPN Client on page 137 Follow these procedures to create a MUVPN security policy 1 Right click the MUVPN client icon and select Security Policy Editor The Security Policy Editor dialog box appears 2 Select Edit Add Connection A New Connection appears in the Network Security Policy field o...

Page 183: ...e Subnet and Mask fields These are the default values 8 Select All from the Protocol drop list This is the default setting 9 Click to select the Connect using checkbox and select Secure Gateway Tunnel from the drop list 10 Select IP Address from the ID Type drop list and then type the IP address of the Optional interface in the available field Defining the Security Policy settings Follow these ins...

Page 184: ...ected 4 Click to select the Enable Replay Detection checkbox Defining the My Identity settings Follow these instructions to define the My Identity settings 1 From the Network Security Policy field expand the new entry The My Identity and Security Policy entries appear 2 Select My Identity The My Identity and Internet Interface settings appear to the right ...

Page 185: ...Global Policy Settings The Global Policy Settings dialog box appears 4 Click to select the Allow to Specify Internal Network Address checkbox and then click OK The Internal Network IP Address field appears among the My Identity settings 5 Select None from the Select Certificate drop list ...

Page 186: ...l Adapter drop list 8 Type 0 0 0 0 in the Internal Network IP Address field This value appears by default 9 Select Any from the Name drop list This is the default setting 10 Click Pre Shared Key The Pre Shared Key dialog box appears 11 Click Enter Key The text entry field is activated 12 Type the exact text of the MUVPN client passphrase entered on the Firebox SOHO 6 Wireless appliance and then cl...

Page 187: ...settings match exactly with those on the Firebox SOHO 6 Wireless appliance 1 From the Network Security Policy field expand Security Policy Both Phase 1 and Phase 2 negotiations appear 2 Expand Authentication Phase 1 A Proposal entry appears 3 Select Proposal 1 The Authentication Method and Algorithms settings appear to the right 4 Select Pre Shared Key from the Authentication Method drop list ...

Page 188: ... list This is the default setting 7 Select Diffie Hellman Group 1 from the Key Group drop list 8 Expand Key Exchange Phase 2 A Proposal entry appears 9 Select Proposal 1 The IPSec Protocols settings appear to the right 10 Select Both from the SA Life drop list and then type 86400 in the Seconds field and 8192 in the KBytes field 11 Select None from the Compression drop list This is the default set...

Page 189: ...Tips WatchGuard maintains a knowledge base on our Web site including an In Depth FAQ section on configuring and using the MUVPN client This is available at www watchguard com support A few of the most common issues found in installing configuring and using the MUVPN client are described below My computer is hung up just after installing the MUVPN client This is most likely due to either the ZoneAl...

Page 190: ...not connected to the network When you start your computer you are prompted to enter your Windows network user name password and domain It is very important that you enter this information correctly just as you would if you were at the office connected to the network Windows stores the information for use by network adapters and networked applications Later when you connect to your ISP and start th...

Page 191: ...dress of a computer on your company network My mapped drives have a red X through them Windows 98 ME NT and 2000 verifies and maps network drives automatically when the computer starts Because there is no way for you to establish a remote session with the company network before the computer actually starts drive mapping fails during the boot process and a red X appears on the drive icon Establish...

Page 192: ... is large enough to require subnetting multiple networks connected together you will only be able to browse your own domain Attempts to access other domains will result in a password prompt Unfortunately even providing the correct information will not open these additional networks It takes a really long time to shut down the computer after using Mobile User VPN If you open and browse a mapped net...

Page 193: ...Status and Mode lights signify on the SOHO 6 Wireless When the PWR light is lit the SOHO 6 Wireless is connected to a power source When the Status light is lit there is a management connection to the SOHO 6 Wireless When the MODE light is lit the SOHO 6 Wireless is operational If the PWR light blinks The SOHO 6 Wireless is running from its backup flash memory You can connect to the SOHO 6 Wireless...

Page 194: ...onnection to the external interface is defective The appliance to which the external interface of the SOHO 6 Wireless is connected is not operating correctly How do I register my SOHO 6 Wireless with the LiveSecurity Service See Register your SOHO 6 Wireless and activate the LiveSecurity Service on page 33 How do I restart my SOHO 6 Wireless See Reboot the SOHO 6 Wireless on page 34 How do I reset...

Page 195: ...on instructions for the Macintosh and other operating systems are available from the WatchGuard Web site https support watchguard com sohoresources How do I know whether the cables are connected correctly to my SOHO 6 Wireless The front panel of the SOHO 6 Wireless has fourteen indicators The WAN indicator shows if the SOHO 6 Wireless is connected to the modem If this indicator is not lit the SOHO...

Page 196: ...em and the WAN indicator on the SOHO 6 Wireless are lit Speak with your ISP if the problem is not corrected How can I see the MAC address of my SOHO 6 Wireless 1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6 Wireless The default IP address is http 192 168 111 1 2 At the bottom of the System Status page the External network head...

Page 197: ... to the System Status page of the SOHO 6 Wireless The default IP address is http 192 168 111 1 3 From the navigation bar on the left side select Network Trusted 4 Set the Enable DHCP Server check box 5 Click Submit How do I change to a static trusted IP address To use a static IP address select a network IP range and subnet mask for the trusted network The network IP ranges and subnet masks in the...

Page 198: ... Submit 5 Type the information 6 Click Submit How do I set up and disable WebBlocker 1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6 Wireless The default IP address is http 192 168 111 1 2 From the navigation bar on the left side select WebBlocker Settings The WebBlocker Settings page opens 3 Set the Enable WebBlocker check box...

Page 199: ...address of the computer hosting the service 6 Click Submit How do I allow incoming IP or uncommon TCP and UDP protocols Record the IP address of the computer that is to receive the incoming data and the number of the new IP protocol Follow these steps 1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6 Wireless The default IP addre...

Page 200: ...ost field 10 Click Submit VPN Management See What You Need on page 106 Make sure that the two appliances use the same encryption method Make sure that the two appliances use the same authentication method How do I set up my SOHO 6 Wireless for VPN Manager Access This requires the add on product WatchGuard VPN Manager software which is purchased separately and used with the WatchGuard Firebox Syste...

Page 201: ...w to configure a VPN tunnel between a SOHO 6 Wireless and another IPSec compliant appliance is available from the WatchGuard Web site https support watchguard com AdvancedFaqs sointerop_main asp 1 Log in to the site 2 Download the file you need 3 Follow the instructions to configure your VPN tunnel ...

Page 202: ...guard com AdvancedFaqs Special notices The online help system is not yet available on the WatchGuard Web site Click on the Help link at the top of the System Status page to connect to the WatchGuard Product Documentation page which has links to more information sources 877 232 3531 United States end user support 206 521 8375 United States authorized reseller support 360 482 1083 International supp...

Page 203: ... DNS service dynamic 56 DSL modems and SOHO 6 173 Dynamic DNS client page 57 dynamic DNS service configuring 56 57 Dynamic Host Configuration Protocol See DHCP dynamic IP addresses configuring for 38 described 37 E events described 85 External Network denying ping packets received on 78 F File and Printer Sharing for Microsoft Networks and Windows XP 134 Filter Traffic page 72 Firewall Incoming Tr...

Page 204: ... 12 link indicator 11 LiveSecurity Service registering with 33 renewing subscription 69 log host setting WSEP 87 log messages contents of 86 viewing 86 logging to a WSEP host 87 to Syslog host 88 Logging page 86 M MAC address of SOHO 6 174 Macintosh operating system 173 Mode indicator 12 MODE light 171 MUVPN clients option 117 N NAT 5 Network Address Translation NAT 5 Network Statistics page 56 ne...

Page 205: ...ystem 35 registration 33 remote management 61 resetting to factory default 32 Routes page 47 54 routes configure static 54 S seat licenses upgrade 68 seat limitation 24 serial number location 15 serial number viewing 30 services allowing incoming 177 creating custom 73 75 creating custom incoming 73 described 5 71 services add standard 72 sites blocking 75 SOCKS configuring application 79 configur...

Page 206: ...ic creating unrestricted pass through 82 logging all outbound 81 troubleshooting 171 180 Trusted Network configuring additional computers on 44 denying FTP access to 78 Trusted Network Configuration page 42 45 U Unrestricted Pass Through IP Address page 83 Update Wizard 66 upgrade seat license 24 upgrade license keys types of 68 Upgrade page 67 upgrading VPNs 68 V View Configuration File page 69 V...

Page 207: ...s and groups for 97 database 93 described 93 enabling and disabling 176 purchasing and activating 95 users and groups 95 WebBlocker Groups page 98 WebBlocker Settings page 96 WebBlocker upgrade purchasing 95 WebBlocker license key for 68 Windows XP installing File and Printer Sharing for Microsoft Networks on 134 installing Internet Protocol TCP IP Network Component on 134 WSEP 87 ...

Page 208: ...Index 186 WatchGuard Firebox SOHO 6 Wireless ...
