Remote User Pptp | WatchGuard Technologies FireboxTM System 4.6

CHAPTER 18 Configuring the Firebox for

Remote User VPN

Remote user virtual private networking (RUVPN) establishes a secure connection between an unsecured remote host and a protected network over an unsecured network. RUVPN connects an employee on the road or working from home to trusted and optional networks behind a Firebox using a standard Internet dial-up connection without compromising security.

WatchGuard Firebox System offers two types of RUVPN:

Remote User PPTP

Uses the Point-to-Point Tunneling Protocol. This type of RUVPN is included with the basic WatchGuard package and supports up to 50 concurrent sessions per Firebox. Works with any Firebox encryption level.

Mobile User VPN

Uses Internet Protocol Security. This type of RUVPN is an optional feature of the WatchGuard package. It requires strong or medium encryption.

RUVPN requires configuration of both the Firebox and the end-user remote host computers. This section describes how to configure a Firebox for both types of RUVPN. For information on configuring the remote host, see “Preparing a Host for Remote User VPN” on page 141.

Remote User PPTP and Mobile User VPN require that the Management Station be upgraded to either medium or strong encryption level. The medium and strong encryption upgrade files are available to eligible users on the LiveSecurity Service Web site at http://www.watchguard.com/support.

Configuration checklist

Before configuring a Firebox to use remote user virtual private networking (RUVPN), gather the following information:

•The IP addresses to assign to the remote client during RUVPN sessions. The IP addresses cannot be addresses currently in use in the network.

User Guide

133

Image 143

WatchGuard Technologies FireboxTM System 4.6 manual Configuring the Firebox for Remote User VPN, Remote User Pptp

Contents

WatchGuard Firebox System User Guide Copyright and Patent Information Disclaimer WatchGuard Firebox System WFS End-User License Agreement Page Watchguard Declaration of Conformity CSA Statement FCC CertificationCE Notice Table of Contents Using the WatchGuard Control Center Setting Up Network Address Translation 149 WatchGuard Firebox System components Part I IntroductionWelcome to WatchGuard WatchGuard security suite WatchGuard FireboxWatchGuard Control Center Web browser requirements LiveSecurity ServiceMinimum requirements Software requirements CPU Hardware requirements Technical Support Part II WatchGuard ServicesLiveSecurity Service WatchGuard Optional FeaturesPage Information Alert LiveSecurity ServiceSoftware Update LiveSecurity broadcasts Virus Alert Activating the LiveSecurity ServiceEditorial Support Flash Minimize or close your Web browser LiveSecurity broadcasts Technical Support Accessing frequently asked questions FAQ Getting telephone support Known issuesClick the LSS/SOHO Known Issues link on the left Getting Internet technical support WatchGuard Interactive Training System Wits Training Instructor-led courses WatchGuard users groupOnline Help Online Help system requirements Starting WatchGuard Online HelpSearching for topics Copying the Help system to additional platforms Context-sensitive Help High Availability WatchGuard OptionsCurrently available options VPN Manager SpamScreen Obtaining WatchGuard optionsMobile User VPN Part III Configuring a Security Policy Connect with out-of-band management Set up network address translation NATSet up logging and notification Firebox Basics What is a Firebox? Placing a Firebox within a network Opening a configuration from a local hard disk Opening a configuration fileSaving a configuration file Opening a configuration from the Firebox Tips for creating secure passphrases Resetting Firebox passphrasesSaving a configuration to the local hard disk Saving a configuration to the Firebox Reinitialize the Firebox using the QuickSetup wizard Setting the time zoneReinitializing a misconfigured Firebox Select Setup =Time Zone Booting from the system area Control Center components Using the WatchGuard Control CenterStarting the Control Center and connecting to a Firebox Navigating the WatchGuard Control Center Firebox and VPN tunnel status QuickGuideFront panel Red exclamation point IPSecRemote VPN tunnels Expanding and collapsing the display Traffic Monitor Connecting to a FireboxSetting the maximum number of log messages Working with the Control Center Opening WatchGuard Firebox System tools Policy ManagerManipulating the Traffic Monitor Changing the Policy Manager view Firebox MonitorsLogViewer LiveSecurity Event Processor HostWatchHistorical Reports LiveSecurity Event Processor External Configuring a NetworkRunning the QuickSetup wizard Trusted Setting up a drop-in network Setting up a routed network Select Network = Routes Select Network = ConfigurationAdding a secondary network Defining a network route Changing an interface IP address Setting the default gatewaySelect Network = Default Gateway Defining a host route Defining a Firebox as a Dhcp server Select Network = Configuration. Click the General tabSelect Network = Configuration. Click the Dhcp Server tab Entering Wins and DNS server addresses Click the subnet to remove it. Click Remove Click OK Modifying an existing subnetRemoving a Subnet Defining a Firebox as a Dhcp server Blocking Sites and Ports Configuring default packet handlingSelect Setup = Default Packet Handling Logging and notification for blocked sites Blocking a site permanentlyRemoving a blocked site Changing the auto-block duration Category list, click Blocked Sites Blocking a port permanentlyRemoving a blocked port Logging and notification for blocked ports Viewing the Blocked Sites list Blocking sites temporarily with service settingsConfiguring a service to temporarily block sites Click OK to close the Properties dialog box Configuring ServicesAdding an existing service Port Creating a new serviceIgnore Secure Adding incoming service properties Defining service properties Working with wg icons Adding outgoing service propertiesAdding addresses to service properties Under Internal Hosts, click Add Configuring services for authenticationModifying a service Deleting a service Click Yes Setting up proxy servicesConfiguring an Smtp proxy service Configuring the incoming Smtp proxy Select headers to allow Selecting content typesAdding address patterns Protecting your mail server against relaying Add masquerading options Configuring an FTP proxy serviceConfiguring the outgoing Smtp proxy Click Outgoing Configuring an Http proxy service Service precedence From Rank Any List Service precedence Reverting to old WebBlocker databases Controlling Web TrafficHow WebBlocker works Activating WebBlocker Configuring the WebBlocker servicePrerequisites to using WebBlocker Logging and WebBlocker Click the WebBlocker Controls tab Setting privilegesScheduling operational and non-operational hours Creating WebBlocker exceptions Debug- Outputs debugging information Manually downloading the WebBlocker database What is dynamic NAT? Setting Up Network Address Translation Adding dynamic NAT entries Using simple dynamic NATSelect Setup = NAT Enabling simple dynamic NAT Configuring service-based NAT exceptions Using service-based NATEnabling service-based NAT Adding external IP addresses Configuring a service for incoming static NATSetting static NAT for a service Select Network = Configuration. Click the External tab Click OK to close the Add Static NAT dialog box Enter the internal IP addressCheckbox Configuring a service for incoming static NAT Ensure logging with failover logging Setting Up Logging Notification LiveSecurity Event Processor WatchGuard logging architectureDesignating Event Processors for a Firebox Enabling Syslog logging Editing an Event Processor settingSelect Setup = Logging Adding an Event Processor For Windows NT Event Processors Removing an Event ProcessorReordering Event Processors Synchronizing Event Processors Running an Event Processor on Windows NT or Windows Setting up the LiveSecurity Event ProcessorInstalling the Event Processor program Running an Event Processor on Windows Click WG LiveSecurity Event Processor. Click Startup As a Windows NT or Windows 2000 ServiceInteractive mode from a DOS window Viewing the Event Processor Starting and stopping the Event Processor Setting global logging and notification preferencesSetting the log encryption key Setting the interval for log rollover Category Customizing logging and notification by service or optionScheduling log reports Controlling notification Setting Launch Interval and Repeat Count Setting logging and notification for a service Select Setup = Blocked Sites Setting logging and notification for blocked sites and ports Enabling the Management Station Connecting a Firebox with OOB managementConnect with Out-of-Band Management Preparing a Windows 95/98 Management Station for OOB Install the modemConfigure the dial-up connection Preparing a Windows NT Management Station for OOB Establishing an OOB connection Configuring the Firebox for OOBSelect Network = Configuration. Click the OOB tab Configuring PPP for connecting to a Firebox Establishing an OOB connection Network Activity Reports Part IV Administering a Security PolicyAliases and Authentication Firebox Activity MonitorsPage Using host aliases Creating Aliases Implementing Authentication Removing a host alias Adding a host aliasModifying a host alias How user authentication works What is user authentication?User authentication types To close the Setup Remote User dialog box, click Close Configuring Firebox authenticationConfiguring Windows NT Server authentication Under Authentication Enabled Via, click the Firebox option Click the Windows NT Server tab Configuring Radius server authentication Enter or accept the time-out in seconds Configuring CRYPTOCard server authenticationEnter the administrator password On the Radius Server Configuring SecurID authentication Example Configuring a service for Remote User VPN Using authentication to define remote user VPN access Monitoring Firebox Activity Starting Firebox Monitors and connecting to a Firebox StatusReport Setting Firebox Monitors view propertiesServiceWatch Bandwidth Meter Blocked Sites list Network configurationPacket counts Log and notification hosts Load average Authentication host informationLogging options Memory Interface the Firebox uses for each destination address InterfacesRoutes ARP table Authentication listBlocked Sites list Select File = Open Replaying a log fileHostWatch display Select File = Connect Viewing specific ports Viewing authenticated usersControlling the HostWatch display Viewing specific hosts Add Modifying view properties HostWatch 102 Starting LogViewer and opening a log file Setting LogViewer preferencesReviewing and Working with Log Files Viewing files with LogViewer Copying and exporting LogViewer data Searching for specific entries Displaying and hiding fields Consolidating logs from multiple locations Working with log files From LiveSecurity Event Processor Setting log encryption keysCopying log files Forcing the rollover of log files Working with log files 108 Viewing the reports list Generating Reports of Network ActivityStarting Historical Reports Creating and editing reports Deleting a report Specifying report sectionsCreating a new report Editing an existing report Consolidating report sections Setting report propertiesSpecifying a report time span Enter the number of elements to rank in the table Exporting reportsExporting reports to Html format Exporting a report to WebTrends for Firewalls and VPNs Creating a new filter Using report filtersExporting a report to a text file Applying a filter Scheduling and running reportsEditing a filter Deleting a filter Manually running a report Report sections and consolidated sections Proxy Summary Session Summary Packet FilteredTime Summary Proxied Traffic Host Summary Proxied Traffic Consolidated Sections 118 Remote user virtual private network Part V WatchGuard Virtual Private NetworkingBranch office virtual private network 120 Configuration checklist Configuring Branch Office Virtual Private Networking Creating a tunnel to a Soho or SOHOtc Using Dvcp to connect to devicesHow does Dvcp work? Basic and Enhanced Dvcp Soho Private Network Editing a tunnel to a deviceSelect Network = Branch Office VPN = Basic Dvcp Telecommuter IP Address Select the tunnel policy. Click Edit Branch office VPN with IPSecRemoving a tunnel to a device Defining a Firebox as an Enhanced Dvcp Client Click Gateways Configuring a gatewaySelect Network = Branch Office VPN = IPSec Adding a gateway Removing a gateway Configuring a tunnel with manual securityIncoming Settings for Outgoing checkbox Using Encapsulated Security Protocol ESP Click the Dynamic Security tab Configuring a tunnel with dynamic securityUsing Authenticated Headers AH Click Key. Enter a passphrase. Click OK Dst Port field, enter the remote host port Creating an IPSec policyBlock Bypass Incoming Configuring services for branch office VPN with IPSecChanging IPSec policy order Src Port field, enter the local host port Allow VPN access to any services Configuring WatchGuard VPNWatchGuard VPN configuration models Setting up WatchGuard VPN Enter the encryption key. Click Make Key Enable the Activate WatchGuard VPN checkboxChanging remote network entries Preventing IP spoofing with WatchGuard VPN Verifying successful WatchGuard VPN configuration Configuring incoming services to allow VPN Mobile User VPN Configuring the Firebox for Remote User VPNRemote User Pptp Adding a member to built-in Ruvpn user groups Configuring shared servers for RuvpnAdding remote access users Using the Any service Configuring services to allow incoming RuvpnBy individual service Select Network = Remote User. Click the Pptp tab Configuring the Firebox for Remote User PptpActivating Remote User Pptp Entering IP addresses for Remote User sessions Rules for valid Remote User Pptp addresses Configuring the Firebox for Mobile User VPNPurchasing a Mobile User VPN license Select Network = Remote User. Click the Mobile User VPN tab Preparing Mobile User VPN configuration filesEntering license keys Defining a new mobile user Select Network = Remote User Saving the configuration to a FireboxDistributing the software and configuration files Modifying an existing Mobile User VPN entry Debugging Remote User VPN Pptp Configuring debugging optionsDebugging Mobile User VPN Preparing the client computers Preparing a Host for Remote User VPN Click the Identification tab Remote host operating systemWindows 95/98 platform preparation Windows NT platform preparation Installing Client for Microsoft NetworksInstalling Dial-Up Adapter #2 VPN Support Select Computer Browser Setting up Ruvpn for WindowsClick Dial Out Only. Click Continue Adding a domain name to a Windows NT workstation Click Obtain an IP Address Automatically. Click OK Configuring the remote host for Ruvpn with PptpInstalling a VPN adapter on Windows 95/98 Initial Connection window that appears, click Yes Starting Remote User Pptp Using Remote User PptpInstalling a VPN adapter on Windows NT Click Connect Enter the remote client username and passwordRunning Remote User Pptp Double-click the Ruvpn connection Configuring debugging options 148 Index 150 User Guide 151 152 User Guide 153 154 User Guide 155 156 User Guide 157 158 User Guide 159 160