
User Guide

145

Install and Configure the MUVPN Client

 

10 Select Both from the SA Life drop list and then type 86400 in the Seconds field and 8192 in the KBytes field.

11 Select None from the Compression drop list.
This is the default setting. The SOHO 6 Wireless Firebox appliance does not support compression.

12 Click to select the Encapsulation (ESP) checkbox and then select a value for the Encrypt Alg and Hash Alg drop lists.

NOTE
These two settings must exactly match those on the SOHO 6 Wireless or the connection will fail.

13 Select Tunnel from the Encapsulation drop list.
This is the default setting.

14 Verify that the Authentication Protocol (AH) checkbox is not selected.

15 Once you have finished, select File => Save or click the button.
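
The checks in steps 10 to 14, written as a script that compares a client policy with the gateway's before a connection is attempted. This is an added example, not WatchGuard code: the field names, the algorithm names in the sample policies, and the assumption that an SA is renegotiated when either lifetime limit is reached first (the usual IPsec behaviour) are not taken from this page.

```python
from __future__ import annotations

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Phase2Policy:
    """Settings named in steps 10-14. Field names are hypothetical."""
    esp_enabled: bool
    ah_enabled: bool
    encrypt_alg: str
    hash_alg: str
    encapsulation: str
    compression: str
    sa_life_seconds: int
    sa_life_kbytes: int


def policy_problems(client: Phase2Policy, gateway: Phase2Policy) -> list[str]:
    """Return every reason the client policy would fail against the gateway."""
    problems = []
    if not client.esp_enabled:
        problems.append("Encapsulation (ESP) is not selected")
    if client.ah_enabled:
        problems.append("Authentication Protocol (AH) is selected")
    if client.encapsulation != "Tunnel":
        problems.append(f"encapsulation is {client.encapsulation!r}, expected 'Tunnel'")
    if client.compression != "None":
        # The appliance does not support compression (step 11).
        problems.append(f"compression is {client.compression!r}, expected 'None'")
    # The NOTE under step 12: both algorithms must match exactly.
    for name in ("encrypt_alg", "hash_alg"):
        mine, theirs = getattr(client, name), getattr(gateway, name)
        if mine != theirs:
            problems.append(f"{name} mismatch: client {mine!r}, gateway {theirs!r}")
    return problems


def first_limit_reached(policy: Phase2Policy, kbytes_per_second: float) -> tuple[str, float]:
    """With SA Life set to Both, report which limit ends the SA first.

    Returns the name of the limit and the SA age in seconds when it is hit.
    Assumes a steady transfer rate and first-limit-wins expiry (assumption).
    """
    if kbytes_per_second > 0:
        seconds_to_byte_limit = policy.sa_life_kbytes / kbytes_per_second
        if seconds_to_byte_limit < policy.sa_life_seconds:
            return ("KBytes", seconds_to_byte_limit)
    return ("Seconds", float(policy.sa_life_seconds))


# Constructed sample policies. Algorithm names are illustrative values only.
GATEWAY = Phase2Policy(
    esp_enabled=True, ah_enabled=False,
    encrypt_alg="3DES", hash_alg="SHA-1",
    encapsulation="Tunnel", compression="None",
    sa_life_seconds=86400, sa_life_kbytes=8192,
)
GOOD_CLIENT = replace(GATEWAY)
BAD_CLIENT = replace(GATEWAY, hash_alg="MD5", ah_enabled=True, compression="Deflate")


if __name__ == "__main__":
    for label, client in (("good", GOOD_CLIENT), ("bad", BAD_CLIENT)):
        found = policy_problems(client, GATEWAY)
        print(label, "->", found if found else "no problems")
    # At a steady 128 KBytes/s the 8192 KByte limit is hit long before 86400 s.
    print(first_limit_reached(GATEWAY, 128.0))
```

At any sustained transfer rate the 8192 KByte limit, not the 86400 second limit, decides how often the tunnel rekeys, which is worth knowing when reading rekey events in the logs.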

Summary of Contents for Firebox SOHO 6 Wireless

Page 1: ...WatchGuard Firebox SOHO 6 Wireless User Guide SOHO 6 firmware version 6 2...

Page 2: ...out navigating in your computer s environment please refer to your system user manual The following conventions are used in this guide Convention Indication Bold type Menu commands dialog box options...

Page 3: ...t Protocol Security ISDN Integrated Services Digital Network ISP Internet Service Provider MAC Media Access Control MUVPN Mobile User Virtual Private Network NAT Network Address Translation PPP Point...

Page 4: ...compliance could void the user s authority to operate the equipment This equipment has been tested and found to comply with the limits for a Class A digital device pursuant to Part 15 of the FCC Rule...

Page 5: ...dian Interference Causing Equipment Regulations Cet appareil numerique de la classe A respecte toutes les exigences du Reglement sur le materiel broulleur du Canada CANADA RSS 210 The term IC before t...

Page 6: ...vi WatchGuard Firebox SOHO 6 Wireless VCCI Notice Class A ITE...

Page 7: ...User Guide vii Declaration of Conformity...

Page 8: ...ARD will not license the SOFTWARE PRODUCT to you and you will not have any rights in the SOFTWARE PRODUCT In that case promptly return the SOFTWARE PRODUCT along with proof of payment to the authorize...

Page 9: ...to replace the original copy in the event it is destroyed or becomes defective D Sublicense lend lease or rent the SOFTWARE PRODUCT or E Transfer this license to another party unless i the transfer i...

Page 10: ...SIVE OR IMPUTED OR FAULT OF WATCHGUARD AND ANY OBLIGATION LIABILITY RIGHT CLAIM OR REMEDY FOR LOSS OR DAMAGE TO OR CAUSED BY OR CONTRIBUTED TO BY THE SOFTWARE PRODUCT Limitation of Liability WATCHGUAR...

Page 11: ...l destroy all copies of the SOFTWARE PRODUCT and documentation remaining in your control or possession 8 Miscellaneous Provisions This EULA will be governed by and construed in accordance with the sub...

Page 12: ...States and or other countries Hi fn Inc 1993 including one or more U S Patents 4701745 5016009 5126739 and 5146221 and other patents pending Microsoft Internet Explorer Windows 95 Windows 98 Windows...

Page 13: ...PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE...

Page 14: ...IAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTR...

Page 15: ...WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE The Apache Software...

Page 16: ...gn All other trademarks or trade names mentioned herein if any are the property of their respective owners Limited Hardware Warranty This Limited Hardware Warranty the Warranty applies to the enclosed...

Page 17: ...NOT LIMITED TO ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE ANY IMPLIED WARRANTY ARISING FROM COURSE OF PERFORMANCE COURSE OF DEALING OR USAGE OF TRADE ANY WARRANTY OF N...

Page 18: ...ich such transfer would be prohibited by the U S Export laws and regulations If any provision of this Warranty is found to be invalid or unenforceable then the remainder shall have full force and effe...

Page 19: ...the SOHO 6 Wireless process information 5 How Does Wireless Networking Work 5 SOHO 6 Wireless hardware description 6 CHAPTER 2 Installation 13 Before you Begin the Installation 14 Physically Connect...

Page 20: ...d Network 42 Configure the Optional Network for Wireless Networking 46 Configure the Wireless Network 49 Configure static routes 54 View network statistics 55 Configure the dynamic DNS Service 56 CHAP...

Page 21: ...e system time 90 CHAPTER 8 SOHO 6 Wireless WebBlocker 93 How WebBlocker works 93 Purchase and activate SOHO 6 Wireless WebBlocker 95 Configure the SOHO 6 Wireless WebBlocker 95 WebBlocker Categories 1...

Page 22: ...Configure the MUVPN Client 137 Connect and Disconnect the MUVPN Client 147 Monitor the MUVPN Client Connection 151 The ZoneAlarm Personal Firewall 153 Use the MUVPN Client to Enforce your Corporate Po...

Page 23: ...User Guide 1 CHAPTER 1 Introduction This manual shows how to use your WatchGuard Firebox SOHO 6 Wireless or SOHO 6tc Wireless security appliance for secure access to the Internet...

Page 24: ...r ISDN The newest installation and user information is available from the WatchGuard Web site http support watchguard com sohoresources Package contents Make sure that the package contains all of thes...

Page 25: ...ted side of your SOHO 6 Wireless firewall are protected The illustration below shows how the SOHO 6 Wireless physically divides your trusted network from the Internet The SOHO 6 Wireless controls all...

Page 26: ...et that sends and receives packets Each computer on the Internet has an address The SOHO 6 Wireless is also a computer and has an IP address When you configure a service behind a firewall you must inc...

Page 27: ...6 Wireless replaces the private IP addresses with the public IP address to protect the trusted network Each packet sent through the Internet contains IP address information Packets sent through the S...

Page 28: ...l from the wireless computer to the SOHO 6 Wireless Separation of the trusted network from the optional network further protects the connection from the wireless computer to the SOHO 6 Wireless For in...

Page 29: ...ansmitted over a wireless link The basic equation to determines the maximum data rate is Channel Capacity Channel Bandwidth x Log2 1 Signal Strength Noise Level This equation says the maximum amount o...

Page 30: ...quency bands as 802 11 Some of these are Cordless phones Other 802 11b devices operating on adjacent channels Note that only channels 1 6 and11 are unique All other channels overlap because while the...

Page 31: ...gnal loss will only pertain to about the first 20 feet and will then increase by about 30 dB per 100 feet due the effect of walls and cubicles and widows etc Second the signals can arrive by different...

Page 32: ...ll vary but might be as low as 10dBi for embedded wireless antennas Transmitted Power SOHO 6 Wireless transmits at 15dBm 0 032 watts which is compatible with US and European and other requirements In...

Page 33: ...are 14 indicator lights on the front panel of the SOHO 6 Wireless The illustration below shows the front view PWR PWR is lit while the SOHO 6 Wireless is connected to a power supply Status Status is...

Page 34: ...ess The illustration below shows the rear view RESET button Push the reset button to reset to the SOHO 6 Wireless to the factory default configuration See Reset the SOHO 6 Wireless to the factory defa...

Page 35: ...s concerned about the security of your network the wireless feature is turned off on the SOHO 6 Wireless we ship you This allows you to enable the wireless network after you set up the desired securit...

Page 36: ...O 6 Wireless Computer with wireless card for Wireless You also need to follow these steps 1 Make sure there are a 10 100BaseT Ethernet card or an 802 11b wireless networking card installed in your com...

Page 37: ...ion procedure See External Network Configuration on page 37 for more information 6 Make sure that the Web browser program installed on your computer is Netscape Navigator version 4 77 or higher or Int...

Page 38: ...Click Start Run 2 Type winipcfg 3 Click OK 4 Select the Ethernet Adapter 5 Record the TCP IP settings in the table provided 6 Click Cancel Macintosh 1 Click the Apple menu Control Panels TCP IP 2 Rec...

Page 39: ...tion pages for the SOHO 6 Wireless configure your computer to receive its IP address through DHCP See Network addressing on page 37 for more information about network addressing and DHCP NOTE These co...

Page 40: ...eless 2 Double click the Network Dial up Connections icon 3 Double click the connection you use to connect to the Internet The network connection dialog box opens 4 Click Properties The network connec...

Page 41: ...automatically checkbox 7 Click to select the Obtain DNS server address automatically checkbox 8 Click OK to close the Internet Protocol TCP IP Properties dialog box 9 Click OK again to close the Netwo...

Page 42: ...e browser applications If a different browser is used use the help menus of the browser program to find the necessary information Netscape 4 7 1 Open Netscape 2 Click Edit Preferences The Preferences...

Page 43: ...Connect to the SOHO 6 Wireless The SOHO 6 Wireless protects computers that are connected to it by Ethernet cable or wireless connection This section discusses how to connect computers to the SOHO 6 W...

Page 44: ...ther network peripherals can connect directly to the SOHO 6 Wireless These connections use the four trusted network ports 0 3 To connect a maximum of four appliances use the SOHO 6 Wireless as a netwo...

Page 45: ...ed to the Internet and your computer 5 If you connect to the Internet through a DSL modem or cable modem reconnect the power supply to this device The indicator lights flash and then stop The modem is...

Page 46: ...sted network but the SOHO 6 Wireless will only allow ten Internet connections A seat is in use when an appliance connects to the Internet and is free when the connection is broken License upgrades are...

Page 47: ...h your SOHO 6 Wireless to one of the trusted network ports 0 3 on the SOHO 6 Wireless Connect the other end to the uplink port of the Ethernet hub The SOHO 6 Wireless is connected to the Internet and...

Page 48: ...rk in your browser window to connect to the System Status page of the SOHO 6 Wireless The default IP address is http 192 168 111 1 2 From the navigation bar on the left side select Network Optional 80...

Page 49: ...ur SOHO 6 Wireless device 5 Click Submit For more information on configuring the wireless network see Configure the Wireless Network on page 49 Configuring the Wireless Card on your computer The follo...

Page 50: ...e wireless network connection should now show that your wireless network is active 9 Set up the wireless computer to use DHCP For information on setting up DHCP see Figure Enable your computer for DHC...

Page 51: ...oftware of the SOHO 6 Wireless You can connect to these configuration page with your Web browser SOHO 6 Wireless System Status page Type the IP address of the trusted network in your browser window to...

Page 52: ...ss A display of information about the SOHO 6 Wireless configuration is shown This information includes the following The firmware version The serial number of the appliance The status of the following...

Page 53: ...connect button Use these buttons to start or terminate the PPPoE connection Factory default settings The default network settings and configuration settings for the SOHO 6 Wireless External network Th...

Page 54: ...ys are entered into the configuration page Reset the SOHO 6 Wireless to the factory default settings Reset the SOHO 6 Wireless to the factory default settings if it is not possible to correct a config...

Page 55: ...for additional information Register your SOHO 6 Wireless and activate the LiveSecurity Service After the SOHO 6 Wireless is installed and configured register the SOHO 6 Wireless and activate your Live...

Page 56: ...rofile on the WatchGuard Web site enter your user name and password If you do not have a user profile on the WatchGuard Web site create a new account Select your product and follow the instructions fo...

Page 57: ...Wireless located on a remote system use one of these methods NOTE The remote SOHO 6 Wireless must be configured to allow incoming HTTP Web or FTP traffic from the Internet See Configure incoming and o...

Page 58: ...36 WatchGuard Firebox SOHO 6 Wireless...

Page 59: ...rk address distribution in use by your ISP The possible methods are static addressing DHCP or PPPoE Network addressing To connect to a TCP IP network each computer must have an IP address The assignme...

Page 60: ...ling authentication and security systems designed for dial up DSL modem and cable modem service When the SOHO 6 Wireless is configured to use PPPoE a button on the System Status page controls the conn...

Page 61: ...of the SOHO 6 Wireless The default IP address is http 192 168 111 1 2 From the navigation bar on the left side select Network External The External Network configuration page opens 3 From the Configur...

Page 62: ...and click Stop Because the Internet connection is not configured the browser can not load your home page from the Internet The browser can open the configuration pages in the SOHO 6 Wireless 2 Type t...

Page 63: ...ion allows the SOHO 6 Wireless to keep the PPPoE connection open during a period of frequent packet loss If the flow of traffic stops the SOHO 6 Wireless reboots A reboot frequently restores the conne...

Page 64: ...the computer an IP address If you use a DHCP server to assign IP addresses enable the DHCP Relay option This option causes the SOHO 6 Wireless to forward the DHCP request to the specified DHCP server...

Page 65: ...the Enable DHCP Server on the Trusted Network check box 5 Type the first IP address that is available for the computers that connect to the trusted network 6 Type the WINS Server address DNS Server pr...

Page 66: ...ess than 30 seconds the SOHO 6 Wireless uses its internal DHCP server to respond to the computer on the trusted network Configure additional computers on the trusted network The SOHO 6 Wireless accept...

Page 67: ...reless DHCP server and make static address assignments follow these steps 1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6 Wireles...

Page 68: ...7 Configure the appliances on the trusted network with static addresses Configure the Optional Network for Wireless Networking To turn on the wireless network you must enable the optional network Fol...

Page 69: ...k Optional 802 11b The Optional Network Configuration page opens 3 Click the Enable Optional Network checkbox To turn on the wireless network you need to enable the optional network 4 Type the IP addr...

Page 70: ...ct this checkbox all wireless devices that are connected to the optional network can access the computers on your trusted network 10 To require encrypted MUVPN connections through the wireless interfa...

Page 71: ...y physical security such as login credentials that are only effective for a controlled physical environment because the radio transmissions of a WLAN are not bound by the walls containing the network...

Page 72: ...he left side select Network Wireless Configuration The Wireless Network Configuration page appears 3 From the Encryption drop down list select the level of encryption you want applied to your wireless...

Page 73: ...hat the wireless network will use to connect If you have 40 64 bit WEP the key can be up to 10 characters If you have 128 bit WEP the key can be up to 26 characters 5 If you typed more than one key se...

Page 74: ...rs To change the Channel From the Channel drop down list select the channel you want to use in your wireless connection Restrict Access by Hardware Address You can change the settings of how the SOHO...

Page 75: ...he wireless computers select Enabled in the Respond to SSID Query Requests If you do not want the SOHO 6 Wireless to respond select Disabled The wireless computers send out query requests to find if t...

Page 76: ...configure static routes Follow these instructions to configure static routes 1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6 Wire...

Page 77: ...lick Submit To remove a route select the route and click Remove View network statistics The Network Statistics page gives information about network performance This page is useful during troubleshooti...

Page 78: ...r the external IP address of the SOHO 6 Wireless with the dynamic DNS Domain Name Server service DynDNS org A dynamic DNS service makes sure that the IP address attached to your domain name is changed...

Page 79: ...d is not affiliated with dyndns org 2 From the navigation bar on the left side select Network DynamicDNS The Dynamic DNS client page opens 3 Select the Enable Dynamic DNS client checkbox 4 Type the do...

Page 80: ...58 WatchGuard Firebox SOHO 6 Wireless...

Page 81: ...irmware updates upgrade activation and display of the SOHO 6 Wireless configuration file in a text format are done from the Administration page The System Security page The System Security page contai...

Page 82: ...t reset the SOHO 6 Wireless to the factory default settings See Factory default settings on page 31 for additional information Change the System Administrator passphrase every month Select a combinati...

Page 83: ...ecurity check box 5 Type a System Administrator Passphrase and then type it again to confirm 6 Click Submit SOHO 6 Wireless Remote Management Both the SOHO 6 Wireless and SOHO 6tc Wireless come equipp...

Page 84: ...uration page 1 First follow the steps above to configure System Security 2 Enable the checkbox labeled Enable SOHO 6 Wireless Wireless Remote Management 3 Type the Virtual IP address which will be use...

Page 85: ...rnal network in your browser window to connect to the System Status page of the SOHO 6 Wireless Set up VPN manager access The VPN Manager Access page configures the SOHO 6 Wireless to allow remote con...

Page 86: ...cess page opens 3 Select Enable VPN Manager Access 4 Type the Status Passphrase 5 Type the Status Passphrase again to confirm 6 Type the Configuration Passphrase 7 Type the Configuration Passphrase ag...

Page 87: ...e file 1 Save the exe file to your computer 2 Double click the exe file The installer will install the updated firmware To install the wgd file 1 Type the IP address of the trusted network in your bro...

Page 88: ...ons provided by the update wizard NOTE The update wizard requests a user name and password Type the system administrator name and passphrase configured on the System Security page The default values a...

Page 89: ...2 Type your User Name and Password 3 Click Log In 4 Follow the instructions provided on the Web site to activate your license key 5 Copy the license key from the LiveSecurity Service Web site 6 Type...

Page 90: ...rade enables the Web filtering option MUVPN Client The MUVPN Client upgrade allows remote users to connect to the SOHO 6 Wireless through a secure IPSec VPN tunnel The MUVPN client creates an encrypte...

Page 91: ...ww watchguard com renew Follow the instructions on the Web site View the configuration file The contents of the SOHO 6 Wireless configuration file is available in text format from the View Configurati...

Page 92: ...70 WatchGuard Firebox SOHO 6 Wireless...

Page 93: ...at are acceptable for the trusted network The SOHO 6 Wireless lists many standard services on the configuration page A service is the combination of protocol and port numbers for a type of application...

Page 94: ...ces that you add The added services decrease the security of your network Compare the value of access to each service against the security risk caused by that service Common services Follow these step...

Page 95: ...to allow incoming traffic to the computer with IP address 192 168 111 2 4 Click Submit Create a custom service If you need to allow a service that is not listed in the common services configure a cust...

Page 96: ...drop down list below the Protocol Settings The Custom Service page refreshes 5 In the fields separated by the word To enter the port number or the range of port numbers or enter the protocol number NO...

Page 97: ...ses in the address field 10 Click Add Repeat the previous three steps until all of the address information for this custom service is set 11 Click Submit Block external sites The default configuration...

Page 98: ...Blocked Sites page refreshes 3 Type a single host IP address a network IP address or the start and end of a range of host IP addresses in the address field The illustration shows the selection Host I...

Page 99: ...tions page allows the configuration of general security policies 1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6 Wireless The def...

Page 100: ...access to Trusted Network check box 2 Click Submit SOCKS implementation for the SOHO 6 Wireless The SOHO 6 Wireless functions as a SOCKS network proxy server An application that uses more than one soc...

Page 101: ...omputer Disable SOCKS on the SOHO 6 Wireless to prevent this security risk See Disabling SOCKS on the SOHO 6 Wireless on page 81 Configuring your SOCKS application To allow a SOCKS compatible applicat...

Page 102: ...80 WatchGuard Firebox SOHO 6 Wireless Set the SOCKS proxy to the URL or IP address of the SOHO 6 Wireless The default IP address is http 192 168 111 1...

Page 103: ...he SOCKS compatible application 1 Reset the Disable SOCKS proxy check box This enables the SOHO 6 Wireless SOCKS proxy server 2 Click Submit This disables the SOHO 6 Wireless SOCKS proxy server Loggin...

Page 104: ...rk 3 Click Submit NOTE If the MAC address for the external network field is cleared and the SOHO 6 Wireless is rebooted the SOHO 6 Wireless is reset to the factory default MAC address for the external...

Page 105: ...IP Address page opens 3 Set the Enable pass through address check box 4 Type the IP address of the computer to connect to the pass through This must be a public IP address The illustration shows a pas...

Page 106: ...84 WatchGuard Firebox SOHO 6 Wireless...

Page 107: ...bBlocker database and incoming traffic are examples of events that are recorded The log records the events that show possible security problems A denied packet is the most important type of event to l...

Page 108: ...and the WatchGuard Time Server packets discarded because of a packet handling violation duplicate messages return error messages and IPSec messages The following procedure shows how to view the event...

Page 109: ...Guard Firebox System package used by a Firebox II III The WSEP application runs on a computer that functions as the log host The WSEP application records log messages sent from the Firebox II III If y...

Page 110: ...t in the applicable field In the illustration the IP address is 192 168 111 5 5 Type a passphrase in the Log Encryption Key field 6 Confirm the passphrase in the Confirm Key field 7 Click Submit NOTE...

Page 111: ...ging The Syslog Logging page opens 3 Set the Enable syslog output check box 4 Type the IP address of the Syslog server In the illustration the IP address is 206 253 208 100 5 Click Submit This option...

Page 112: ...6 Wireless records the time of each log entry The time recorded in the log entries is from the SOHO 6 Wireless system clock Follow these steps to set the system time 1 Type the IP address of the trus...

Page 113: ...Time Server This step synchronizes the system time with a TCP Port 37 Time Server 4 Select Get Time From TCP Port 37 Time Server at 5 Type the IP address of the time server in the applicable field 6 C...

Page 114: ...92 WatchGuard Firebox SOHO 6 Wireless NOTE The time zone selection is only used when the Get Time From WatchGuard Time Server check box is selected...

Page 115: ...d and maintained by SurfControl The database shows the type of content found on thousands of Web sites WatchGuard puts the newest version of the SurfControl database on the WebBlocker server at regula...

Page 116: ...ireless examines the configuration to see if that type of site is permitted When the type of site is not permitted the user is told that the site is not available If the type of site is permitted the...

Page 117: ...bypass WebBlocker When a site is blocked the user can supply the full access password to access the Web site After the user supplies the password the user can access all Web sites until the password...

Page 118: ...timeout require that your Web users authenticate 1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO 6 Wireless The default IP address...

Page 119: ...cts Internet connections that are inactive for the set number of minutes 6 To set the WebBlocker to use groups and users set the Require Web users to authenticate check box 7 Click Submit to register...

Page 120: ...98 WatchGuard Firebox SOHO 6 Wireless 2 From the navigation bar on the left side select WebBlocker Groups The WebBlocker Groups page opens 3 Click New to create a group name and profile...

Page 121: ...r Guide 99 Configure the SOHO 6 Wireless WebBlocker 4 Define a Group Name and set the types of content to filter for this group 5 Click Submit A new Groups page opens that shows the configuration chan...

Page 122: ...100 WatchGuard Firebox SOHO 6 Wireless 6 To the right of the Users field click New The New User page opens 7 Type a new user name and passphrase 8 Confirm the passphrase...

Page 123: ...ot included For example the drugs drug culture category blocks sites describing how to grow and use marijuana but does not block sites discussing the historical use of marijuana Alcohol tobacco Pictur...

Page 124: ...their primary purpose to alter the individual s state of mind such as glue sniffing This does not include that is if selected these sites would not be WebBlocked under this category currently illegal...

Page 125: ...phrases and profanity in either audio text or pictures Search Engines Search engine sites such as AltaVista InfoSeek Yahoo and WebCrawler Sports and Leisure Pictures or text describing sporting event...

Page 126: ...c CD ROMs and videos Full Nudity Pictures exposing any or all portions of human genitalia Topic does not include sites categorized as Partial Artistic Nudity containing partial nudity of a wholesome n...

Page 127: ...ss Why create a Virtual Private Network Use a VPN tunnel to make an inexpensive and secure connection between the computers in two locations Expensive dedicated point to point connections are not nece...

Page 128: ...l A secondary DNS address optional Domain name optional The network addresses and subnet masks for the two trusted networks The default IP address for the SOHO 6 Wireless trusted network is 192 168 11...

Page 129: ...twork A local network address cannot be used as an external IP address WatchGuard recommends that you use an address from one of the reserved ranges 10 0 0 0 8 172 16 0 0 12 255 240 0 0 192 168 0 0 16...

Page 130: ...ess that is installed and configured a connection to the Internet a VPN upgrade license key Site A OurLittleSecret Site B OurLittleSecret Encryption Method DES uses 56 bit encryption 3DES uses 168 bit...

Page 131: ...together in a star configuration To configure more than one VPN tunnel a WatchGuard Firebox II III with the WatchGuard VPN Manager is necessary The two appliances that make a VPN tunnel must each have...

Page 132: ...y a static IP address as an optional service How do I troubleshoot the connection If you can ping the remote SOHO 6 Wireless and the computers on the remote network the VPN tunnel functions correctly...

Page 133: ...se key You can purchase a license key for an upgrade from the WatchGuard Web site http www watchguard com sales buyonline asp How do I enable a VPN tunnel The instructions to help you enable a VPN tun...

Page 134: ...112 WatchGuard Firebox SOHO 6 Wireless 2 From the navigation bar on the left side select VPN Manual VPN The Manual VPN page opens...

Page 135: ...User Guide 113 Set Up multiple SOHO SOHO VPN tunnels 3 Click Add to set up the VPN tunnel The Add Gateway page opens...

Page 136: ...ain and Aggressive If the external IP address is dynamic select Aggressive Mode If the external IP address is static use either mode 7 Set the Local ID Type and the Remote ID Type These must match the...

Page 137: ...tiation expiration 13 In the Diffie Hellman Group drop down list set the group number WatchGuard supports group 1 and group 2 Diffie Hellman is a mathematical technique used to securely negotiate secr...

Page 138: ...s option gives more security but increases the time necessary for the communication because of the additional exchange 18 Set the number of kilobytes until key expiration 19 Set the number of hours un...

Page 139: ...the IP address of the Remote Network 7 Click Submit MUVPN Clients The MUVPN Clients allows remote users to connect to the SOHO 6 Wireless through a secure IPSec VPN tunnel This option allows remote u...

Page 140: ...nfiguration page that displays VPN statistics Use this page to monitor VPN traffic and to solve problems with the VPN configuration To view the VPN Statistics page 1 Type the IP address of the trusted...

Page 141: ...lient then creates an encrypted tunnel protected behind a SOHO 6 Wireless to your trusted or optional network depending on if it is a wired or wireless connection A wired connection goes to the truste...

Page 142: ...your end users The purpose of this chapter is to assist users of the SOHO 6 Wireless to set up the MUVPN client on an end user s remote computer and to explain the features of the personal firewall C...

Page 143: ...User Guide 121 Configure the SOHO 6 Wireless for MUVPN Clients 2 From the navigation bar on the right side select VPN MUVPN Clients The MUVPN Clients page appears...

Page 144: ...ient 5 Type a Passphrase in the appropriate field This passphrase will be used as the Pre Shared Key when setting up the MUVPN client 6 Type the Virtual IP address which will be used by the MUVPN comp...

Page 145: ...tem Every Windows system used as a MUVPN remote computer must have the following system requirements System requirements PC compatible computer with Pentium processor or equivalent Compatible operatin...

Page 146: ...etworking components must be configured and installed on a remote computer running Windows 98 ME in order for the MUVPN client to function properly Configuring networking names From the Windows deskto...

Page 147: ...the left Select Client for Microsoft Networks from the list on the right Click OK 4 Select Client for Microsoft Networks 5 Click Properties 6 Enable the Log on to Windows NT domain option 7 In the Win...

Page 148: ...soft Web site to receive this free update Configuring the WINS and DNS settings You must configure the remote computer to use the WINS and DNS servers of the trusted network behind the Firebox From th...

Page 149: ...k the OK button to close the Network window The System Settings Change dialog box appears 11 Click the Yes button to restart the computer and implement the changes Windows NT operating system setup Th...

Page 150: ...it from a list checkbox then add a Standard 28800 modem Windows NT requires at least one RAS device such as a modem if the RAS component is installed If no modems are available a dial up networking se...

Page 151: ...opriate field then click the OK button If you have multiple remote WINS servers repeat this step 9 Click the Close button to close the Network window The Network Settings Change dialog box appears 10...

Page 152: ...use to access the Internet The connection window appears 2 Click the Properties button 3 Select the Networking tab and then click the Install button The Select Network Component Type window appears 4...

Page 153: ...n you use to access the Internet The connection window appears 2 Click the Properties button 3 Select the Networking tab and then click the Install button The Select Network Component Type window appe...

Page 154: ...CP IP Settings window appears 6 Click the DNS tab 7 Under the DNS server addresses in order of use heading click the Add button The TCP IP DNS Server window appears 8 Type your DNS server IP address i...

Page 155: ...window 18 Click the Cancel button again to close the Dial up connection window Windows XP operating system setup The following networking components must be installed and configured on a remote compu...

Page 156: ...rotocol window appears 5 Select the Internet Protocol TCP IP Network Protocol and then click the OK button Installing the File and Printer Sharing for Microsoft Networks From the Windows desktop 1 Sel...

Page 157: ...ient and then click the OK button 6 Click the Cancel button to close the Select Network Component Type window 7 Click the OK button to preserve the installed components 8 Click the Cancel button to cl...

Page 158: ...nd these DNS suffixes in order option 10 Click the Add button The TCP IP Domain Suffix window appears 11 Type your Domain suffix in the appropriate field If you have multiple DNS suffixes repeat the l...

Page 159: ...allation file to the remote computer 2 Double click the MUVPN installation file If at any time during the installation process you inadvertently skip a step simply cancel the process and begin again 3...

Page 160: ...alled this is normal When it is complete the installation will continue 10 When the InstallShield Wizard is complete click the Finish button 11 The InstallShield Wizard then searches for a User Profil...

Page 161: ...N client icon The Security Policy Editor dialog box appears NOTE The ZoneAlarm personal firewall may immediately begin to display alerts on your Windows desktop For more information regarding ZoneAlar...

Page 162: ...ubnet 8 Type the Subnet Mask of the Trusted Network behind the SOHO 6 Wireless in the field labeled Mask 9 Select All from the Protocol drop list This is the default setting 10 Click to select the Con...

Page 163: ...Install and Configure the MUVPN Client 2 Select My Identity The My Identity and Internet Interface settings appear to the right 3 Select Options Global Policy Settings The Global Policy Settings dial...

Page 164: ...ist 6 Select E mail Address from the ID Type drop list and then enter the username defined on the SOHO 6 Wireless in the available field 7 Select Disabled from the Virtual Adapter drop list 8 Type 0 0...

Page 165: ...the SOHO 6 Wireless or the connection will fail Defining Phase 1 and Phase 2 settings Follow these instructions to define the phase 1 and phase 2 settings Make certain that settings match exactly with...

Page 166: ...O 6 Wireless appliance 5 Select DES from the Encrypt Alg drop list and select SHA 1 from the Hash Alg drop list 6 Select Unspecified from the SA Life drop list This is the default setting 7 Select Dif...

Page 167: ...appliance does not support compression 12 Click to select the Encapsulation ESP checkbox and then select a value for the Encrypt Alg and Hash Alg drop lists NOTE These two settings must exactly match t...

Page 168: ...ars 4 Select Remove Click the Next button The Confirm File Deletion dialog box appears 5 Click the OK button to completely remove all of the components A command prompt window appears while the dni_va...

Page 169: ...ernet and then use the MUVPN client to connect to the protected network Connecting the MUVPN Client 1 First establish an Internet connection through either Dial Up Networking or directly through a loc...

Page 170: ...ry Mobile User VPN service properly and the remote computer must be restarted if this continues you may need to reinstall the MUVPN client Activated The MUVPN client is ready to establish a secure MUV...

Page 171: ...nnection The green bar on the right of the icon indicates that the client is transmitting only secured data Activated Connected and Transmitting both Secure and Unsecured Data The MUVPN client has est...

Page 172: ...is answer the next time I use this program option and click the Yes button This enables ZoneAlarm to allow the MuvpnConnect exe program through each time you attempt to make a MUVPN connection The New...

Page 173: ...nternet You must disconnect from the Internet separately 3 Right click the Mobile User VPN client icon and select Deactivate Security Policy The MUVPN icon displays a red slash to indicate a deactivat...

Page 174: ...and the security association SA information established during Phase 1 IKE negotiations and Phase 2 IPSec negotiations From the Windows desktop system tray 1 Right click the Mobile User VPN client ic...

Page 175: ...een your computer and the outside world The computer is most vulnerable at its doors called ports Without ports no connection to the Internet is possible ZoneAlarm protects these ports by following a...

Page 176: ...ad each step to familiarize yourself with the application For more information on ZoneAlarm features and configuration please refer to the ZoneAlarm Help system To access the Help system select Start...

Page 177: ...e The program which actually needs to pass through the firewall is IEXPLORE EXE In order to allow this program access each time the application is executed enable the Remember the answer each time I u...

Page 178: ...Programs Zone Labs Uninstall ZoneAlarm The Confirm Uninstall dialog box appears 2 Click the Yes button The ZoneLabs TrueVector service dialog box appears Programs Which Must Be Allowed MUVPN client Ir...

Page 179: ...completely remove all of these files 6 The Install window appears and prompts you to restart the computer Click the OK button to reboot your system Use the MUVPN Client to Enforce your Corporate Poli...

Page 180: ...158 WatchGuard Firebox SOHO 6 Wireless 2 From the navigation bar on the right side select VPN MUVPN Clients The MUVPN Clients page appears 3 Click the Add button The Edit MUVPN Client page appears...

Page 181: ...e Pre Shared Key when setting up the MUVPN client 6 Type an unused IP address from the Trusted network which will be used by the MUVPN client computer when connecting to the SOHO 6 Wireless in the Vir...

Page 182: ...nstall it on your computer For information on installing the client see Chapter 9 Install and Configure the MUVPN Client on page 137 Follow these procedures to create a MUVPN security policy 1 Right c...

Page 183: ...Subnet and Mask fields These are the default values 8 Select All from the Protocol drop list This is the default setting 9 Click to select the Connect using checkbox and select Secure Gateway Tunnel...

Page 184: ...cted 4 Click to select the Enable Replay Detection checkbox Defining the My Identity settings Follow these instructions to define the My Identity settings 1 From the Network Security Policy field expa...

Page 185: ...lobal Policy Settings The Global Policy Settings dialog box appears 4 Click to select the Allow to Specify Internal Network Address checkbox and then click OK The Internal Network IP Address field app...

Page 186: ...Adapter drop list 8 Type 0 0 0 0 in the Internal Network IP Address field This value appears by default 9 Select Any from the Name drop list This is the default setting 10 Click Pre Shared Key The Pr...

Page 187: ...ettings match exactly with those on the Firebox SOHO 6 Wireless appliance 1 From the Network Security Policy field expand Security Policy Both Phase 1 and Phase 2 negotiations appear 2 Expand Authenti...

Page 188: ...list This is the default setting 7 Select Diffie Hellman Group 1 from the Key Group drop list 8 Expand Key Exchange Phase 2 A Proposal entry appears 9 Select Proposal 1 The IPSec Protocols settings ap...

Page 189: ...ips WatchGuard maintains a knowledge base on our Web site including an In Depth FAQ section on configuring and using the MUVPN client This is available at www watchguard com support A few of the most...

Page 190: ...ot connected to the network When you start your computer you are prompted to enter your Windows network user name password and domain It is very important that you enter this information correctly jus...

Page 191: ...ress of a computer on your company network My mapped drives have a red X through them Windows 98 ME NT and 2000 verify and map network drives automatically when the computer starts Because there i...

Page 192: ...is large enough to require subnetting multiple networks connected together you will only be able to browse your own domain Attempts to access other domains will result in a password prompt Unfortunate...

Page 193: ...tatus and Mode lights signify on the SOHO 6 Wireless When the PWR light is lit the SOHO 6 Wireless is connected to a power source When the Status light is lit there is a management connection to the S...

Page 194: ...nnection to the external interface is defective The appliance to which the external interface of the SOHO 6 Wireless is connected is not operating correctly How do I register my SOHO 6 Wireless with t...

Page 195: ...n instructions for the Macintosh and other operating systems are available from the WatchGuard Web site https support watchguard com sohoresources How do I know whether the cables are connected correc...

Page 196: ...m and the WAN indicator on the SOHO 6 Wireless are lit Speak with your ISP if the problem is not corrected How can I see the MAC address of my SOHO 6 Wireless 1 Type the IP address of the trusted netw...

Page 197: ...to the System Status page of the SOHO 6 Wireless The default IP address is http 192 168 111 1 3 From the navigation bar on the left side select Network Trusted 4 Set the Enable DHCP Server check box 5...

Page 198: ...Submit 5 Type the information 6 Click Submit How do I set up and disable WebBlocker 1 Type the IP address of the trusted network in your browser window to connect to the System Status page of the SOHO...

Page 199: ...ddress of the computer hosting the service 6 Click Submit How do I allow incoming IP or uncommon TCP and UDP protocols Record the IP address of the computer that is to receive the incoming data and th...

Page 200: ...st field 10 Click Submit VPN Management See What You Need on page 106 Make sure that the two appliances use the same encryption method Make sure that the two appliances use the same authentication met...

Page 201: ...to configure a VPN tunnel between a SOHO 6 Wireless and another IPSec compliant appliance is available from the WatchGuard Web site https support watchguard com AdvancedFaqs sointerop_main asp 1 Log...

Page 202: ...uard com AdvancedFaqs Special notices The online help system is not yet available on the WatchGuard Web site Click on the Help link at the top of the System Status page to connect to the WatchGuard Pr...

Page 203: ...DNS service dynamic 56 DSL modems and SOHO 6 173 Dynamic DNS client page 57 dynamic DNS service configuring 56 57 Dynamic Host Configuration Protocol See DHCP dynamic IP addresses configuring for 38 d...

Page 204: ...12 link indicator 11 LiveSecurity Service registering with 33 renewing subscription 69 log host setting WSEP 87 log messages contents of 86 viewing 86 logging to a WSEP host 87 to Syslog host 88 Loggi...

Page 205: ...stem 35 registration 33 remote management 61 resetting to factory default 32 Routes page 47 54 routes configure static 54 S seat licenses upgrade 68 seat limitation 24 serial number location 15 serial...

Page 206: ...c creating unrestricted pass through 82 logging all outbound 81 troubleshooting 171 180 Trusted Network configuring additional computers on 44 denying FTP access to 78 Trusted Network Configuration pa...

Page 207: ...and groups for 97 database 93 described 93 enabling and disabling 176 purchasing and activating 95 users and groups 95 WebBlocker Groups page 98 WebBlocker Settings page 96 WebBlocker upgrade purchas...

Page 208: ...Index 186 WatchGuard Firebox SOHO 6 Wireless...
