WatchGuard Technologies FireboxTM System 4.6 instruction

CHAPTER 17 Configuring Branch Office Virtual

Private Networking

Branch office virtual private networking (VPN) creates a secure tunnel, over an unsecure network, between two networks protected by the WatchGuard Firebox System or between a WatchGuard Firebox and an IPSec-compliant device. Using branch office VPN, you can connect two or more locations over the Internet while still protecting the resources of your trusted and optional networks.

WatchGuard offers three branch office VPN methods:

• DVCP VPN

This method defines a Firebox as a DVCP server at the center of a distributed array of WatchGuard Firebox and SOHO clients.

• IPSec (Internet Protocol Security)

This method uses IPSec to tunnel between a WatchGuard Firebox and an IPSec- compliant device from another vendor or between two Fireboxes.

• WatchGuard VPN

This method uses the WatchGuard proprietary secure connection, called WatchGuard VPN, to create a tunnel between two WatchGuard Fireboxes.

A given pair of Fireboxes can establish only one VPN connection between them. However, a single Firebox can tunnel to multiple branch locations. Incoming connections from branch office VPN networks can access machines on the Trusted interface regardless of whether the local machines are using NAT.

Connections made through a branch office VPN are exempt from Simple NAT.

Addresses used for VPN must not be on the Blocked Sites list.

Configuration checklist

Before implementing branch office VPN, gather the following information:

• IP address of both ends of the tunnel.

User Guide

121

Image 131

WatchGuard Technologies FireboxTM System 4.6 Configuring Branch Office Virtual Private Networking, Configuration checklist

Contents

WatchGuard Firebox System User Guide Copyright and Patent Information Disclaimer WatchGuard Firebox System WFS End-User License Agreement Page Watchguard Declaration of Conformity CSA Statement FCC CertificationCE Notice Table of Contents Using the WatchGuard Control Center Setting Up Network Address Translation 149 WatchGuard Firebox System components Part I IntroductionWelcome to WatchGuard WatchGuard security suite WatchGuard FireboxWatchGuard Control Center Web browser requirements LiveSecurity ServiceMinimum requirements Software requirements CPU Hardware requirements Technical Support Part II WatchGuard ServicesLiveSecurity Service WatchGuard Optional FeaturesPage Information Alert LiveSecurity ServiceSoftware Update LiveSecurity broadcasts Virus Alert Activating the LiveSecurity ServiceEditorial Support Flash Minimize or close your Web browser LiveSecurity broadcasts Technical Support Accessing frequently asked questions FAQ Getting telephone support Known issuesClick the LSS/SOHO Known Issues link on the left Getting Internet technical support WatchGuard Interactive Training System Wits Training Instructor-led courses WatchGuard users groupOnline Help Online Help system requirements Starting WatchGuard Online HelpSearching for topics Copying the Help system to additional platforms Context-sensitive Help High Availability WatchGuard OptionsCurrently available options VPN Manager SpamScreen Obtaining WatchGuard optionsMobile User VPN Part III Configuring a Security Policy Connect with out-of-band management Set up network address translation NATSet up logging and notification Firebox Basics What is a Firebox? Placing a Firebox within a network Opening a configuration from a local hard disk Opening a configuration fileSaving a configuration file Opening a configuration from the Firebox Tips for creating secure passphrases Resetting Firebox passphrasesSaving a configuration to the local hard disk Saving a configuration to the Firebox Reinitialize the Firebox using the QuickSetup wizard Setting the time zoneReinitializing a misconfigured Firebox Select Setup =Time Zone Booting from the system area Control Center components Using the WatchGuard Control CenterStarting the Control Center and connecting to a Firebox Navigating the WatchGuard Control Center Firebox and VPN tunnel status QuickGuideFront panel Red exclamation point IPSecRemote VPN tunnels Expanding and collapsing the display Traffic Monitor Connecting to a FireboxSetting the maximum number of log messages Working with the Control Center Opening WatchGuard Firebox System tools Policy ManagerManipulating the Traffic Monitor Changing the Policy Manager view Firebox MonitorsLogViewer LiveSecurity Event Processor HostWatchHistorical Reports LiveSecurity Event Processor External Configuring a NetworkRunning the QuickSetup wizard Trusted Setting up a drop-in network Setting up a routed network Select Network = Routes Select Network = ConfigurationAdding a secondary network Defining a network route Changing an interface IP address Setting the default gatewaySelect Network = Default Gateway Defining a host route Defining a Firebox as a Dhcp server Select Network = Configuration. Click the General tabSelect Network = Configuration. Click the Dhcp Server tab Entering Wins and DNS server addresses Click the subnet to remove it. Click Remove Click OK Modifying an existing subnetRemoving a Subnet Defining a Firebox as a Dhcp server Blocking Sites and Ports Configuring default packet handlingSelect Setup = Default Packet Handling Logging and notification for blocked sites Blocking a site permanentlyRemoving a blocked site Changing the auto-block duration Category list, click Blocked Sites Blocking a port permanentlyRemoving a blocked port Logging and notification for blocked ports Viewing the Blocked Sites list Blocking sites temporarily with service settingsConfiguring a service to temporarily block sites Click OK to close the Properties dialog box Configuring ServicesAdding an existing service Port Creating a new serviceIgnore Secure Adding incoming service properties Defining service properties Working with wg icons Adding outgoing service propertiesAdding addresses to service properties Under Internal Hosts, click Add Configuring services for authenticationModifying a service Deleting a service Click Yes Setting up proxy servicesConfiguring an Smtp proxy service Configuring the incoming Smtp proxy Select headers to allow Selecting content typesAdding address patterns Protecting your mail server against relaying Add masquerading options Configuring an FTP proxy serviceConfiguring the outgoing Smtp proxy Click Outgoing Configuring an Http proxy service Service precedence From Rank Any List Service precedence Reverting to old WebBlocker databases Controlling Web TrafficHow WebBlocker works Activating WebBlocker Configuring the WebBlocker servicePrerequisites to using WebBlocker Logging and WebBlocker Click the WebBlocker Controls tab Setting privilegesScheduling operational and non-operational hours Creating WebBlocker exceptions Debug- Outputs debugging information Manually downloading the WebBlocker database What is dynamic NAT? Setting Up Network Address Translation Adding dynamic NAT entries Using simple dynamic NATSelect Setup = NAT Enabling simple dynamic NAT Configuring service-based NAT exceptions Using service-based NATEnabling service-based NAT Adding external IP addresses Configuring a service for incoming static NATSetting static NAT for a service Select Network = Configuration. Click the External tab Click OK to close the Add Static NAT dialog box Enter the internal IP addressCheckbox Configuring a service for incoming static NAT Ensure logging with failover logging Setting Up Logging Notification LiveSecurity Event Processor WatchGuard logging architectureDesignating Event Processors for a Firebox Enabling Syslog logging Editing an Event Processor settingSelect Setup = Logging Adding an Event Processor For Windows NT Event Processors Removing an Event ProcessorReordering Event Processors Synchronizing Event Processors Running an Event Processor on Windows NT or Windows Setting up the LiveSecurity Event ProcessorInstalling the Event Processor program Running an Event Processor on Windows Click WG LiveSecurity Event Processor. Click Startup As a Windows NT or Windows 2000 ServiceInteractive mode from a DOS window Viewing the Event Processor Starting and stopping the Event Processor Setting global logging and notification preferencesSetting the log encryption key Setting the interval for log rollover Category Customizing logging and notification by service or optionScheduling log reports Controlling notification Setting Launch Interval and Repeat Count Setting logging and notification for a service Select Setup = Blocked Sites Setting logging and notification for blocked sites and ports Enabling the Management Station Connecting a Firebox with OOB managementConnect with Out-of-Band Management Preparing a Windows 95/98 Management Station for OOB Install the modemConfigure the dial-up connection Preparing a Windows NT Management Station for OOB Establishing an OOB connection Configuring the Firebox for OOBSelect Network = Configuration. Click the OOB tab Configuring PPP for connecting to a Firebox Establishing an OOB connection Network Activity Reports Part IV Administering a Security PolicyAliases and Authentication Firebox Activity MonitorsPage Using host aliases Creating Aliases Implementing Authentication Removing a host alias Adding a host aliasModifying a host alias How user authentication works What is user authentication?User authentication types To close the Setup Remote User dialog box, click Close Configuring Firebox authenticationConfiguring Windows NT Server authentication Under Authentication Enabled Via, click the Firebox option Click the Windows NT Server tab Configuring Radius server authentication Enter or accept the time-out in seconds Configuring CRYPTOCard server authenticationEnter the administrator password On the Radius Server Configuring SecurID authentication Example Configuring a service for Remote User VPN Using authentication to define remote user VPN access Monitoring Firebox Activity Starting Firebox Monitors and connecting to a Firebox StatusReport Setting Firebox Monitors view propertiesServiceWatch Bandwidth Meter Blocked Sites list Network configurationPacket counts Log and notification hosts Load average Authentication host informationLogging options Memory Interface the Firebox uses for each destination address InterfacesRoutes ARP table Authentication listBlocked Sites list Select File = Open Replaying a log fileHostWatch display Select File = Connect Viewing specific ports Viewing authenticated usersControlling the HostWatch display Viewing specific hosts Add Modifying view properties HostWatch 102 Starting LogViewer and opening a log file Setting LogViewer preferencesReviewing and Working with Log Files Viewing files with LogViewer Copying and exporting LogViewer data Searching for specific entries Displaying and hiding fields Consolidating logs from multiple locations Working with log files From LiveSecurity Event Processor Setting log encryption keysCopying log files Forcing the rollover of log files Working with log files 108 Viewing the reports list Generating Reports of Network ActivityStarting Historical Reports Creating and editing reports Deleting a report Specifying report sectionsCreating a new report Editing an existing report Consolidating report sections Setting report propertiesSpecifying a report time span Enter the number of elements to rank in the table Exporting reportsExporting reports to Html format Exporting a report to WebTrends for Firewalls and VPNs Creating a new filter Using report filtersExporting a report to a text file Applying a filter Scheduling and running reportsEditing a filter Deleting a filter Manually running a report Report sections and consolidated sections Proxy Summary Session Summary Packet FilteredTime Summary Proxied Traffic Host Summary Proxied Traffic Consolidated Sections 118 Remote user virtual private network Part V WatchGuard Virtual Private NetworkingBranch office virtual private network 120 Configuration checklist Configuring Branch Office Virtual Private Networking Creating a tunnel to a Soho or SOHOtc Using Dvcp to connect to devicesHow does Dvcp work? Basic and Enhanced Dvcp Soho Private Network Editing a tunnel to a deviceSelect Network = Branch Office VPN = Basic Dvcp Telecommuter IP Address Select the tunnel policy. Click Edit Branch office VPN with IPSecRemoving a tunnel to a device Defining a Firebox as an Enhanced Dvcp Client Click Gateways Configuring a gatewaySelect Network = Branch Office VPN = IPSec Adding a gateway Removing a gateway Configuring a tunnel with manual securityIncoming Settings for Outgoing checkbox Using Encapsulated Security Protocol ESP Click the Dynamic Security tab Configuring a tunnel with dynamic securityUsing Authenticated Headers AH Click Key. Enter a passphrase. Click OK Dst Port field, enter the remote host port Creating an IPSec policyBlock Bypass Incoming Configuring services for branch office VPN with IPSecChanging IPSec policy order Src Port field, enter the local host port Allow VPN access to any services Configuring WatchGuard VPNWatchGuard VPN configuration models Setting up WatchGuard VPN Enter the encryption key. Click Make Key Enable the Activate WatchGuard VPN checkboxChanging remote network entries Preventing IP spoofing with WatchGuard VPN Verifying successful WatchGuard VPN configuration Configuring incoming services to allow VPN Mobile User VPN Configuring the Firebox for Remote User VPNRemote User Pptp Adding a member to built-in Ruvpn user groups Configuring shared servers for RuvpnAdding remote access users Using the Any service Configuring services to allow incoming RuvpnBy individual service Select Network = Remote User. Click the Pptp tab Configuring the Firebox for Remote User PptpActivating Remote User Pptp Entering IP addresses for Remote User sessions Rules for valid Remote User Pptp addresses Configuring the Firebox for Mobile User VPNPurchasing a Mobile User VPN license Select Network = Remote User. Click the Mobile User VPN tab Preparing Mobile User VPN configuration filesEntering license keys Defining a new mobile user Select Network = Remote User Saving the configuration to a FireboxDistributing the software and configuration files Modifying an existing Mobile User VPN entry Debugging Remote User VPN Pptp Configuring debugging optionsDebugging Mobile User VPN Preparing the client computers Preparing a Host for Remote User VPN Click the Identification tab Remote host operating systemWindows 95/98 platform preparation Windows NT platform preparation Installing Client for Microsoft NetworksInstalling Dial-Up Adapter #2 VPN Support Select Computer Browser Setting up Ruvpn for WindowsClick Dial Out Only. Click Continue Adding a domain name to a Windows NT workstation Click Obtain an IP Address Automatically. Click OK Configuring the remote host for Ruvpn with PptpInstalling a VPN adapter on Windows 95/98 Initial Connection window that appears, click Yes Starting Remote User Pptp Using Remote User PptpInstalling a VPN adapter on Windows NT Click Connect Enter the remote client username and passwordRunning Remote User Pptp Double-click the Ruvpn connection Configuring debugging options 148 Index 150 User Guide 151 152 User Guide 153 154 User Guide 155 156 User Guide 157 158 User Guide 159 160