WatchGuard Technologies FireboxTM System 4.6 guide

Configuring shared servers for RUVPN

•The IP addresses of the DNS and WINS servers in the trusted network that perform IP address lookup on host alias names.

•The usernames and passwords of those authorized to connect to the Firebox using RUVPN.

•For Mobile User VPN, you will also need:

-Mobile User VPN license key

-Target Firebox upgraded to strong or medium encryption

Configuring shared servers for RUVPN

RUVPN clients rely on shared Windows Internet Name Server (WINS) and Domain Name System (DNS) server addresses. For information on configuring these servers, see “Entering WINS and DNS server addresses” on page 40.

Adding remote access users

The Firebox configuration file automatically includes two Firebox User groups called pptp_users and ipsec_users. When a remote host connects and creates a tunnel, Policy Manager authenticates the username against the list of members for the group associated with the tunnel type. In other words, an incoming PPTP tunnel would authenticate against the pptp_users group.

Once authenticated, the Policy Manager then adds the remote client IP address to the group. Use the Firebox User group to configure services for incoming and outgoing RUVPN traffic.

Because of the way Windows holds the username and password for subsequent logins, one option to reduce end-user confusion is to assign the same RUVPN login and password as those used for Windows NT login and password. This method, however, is less secure than using multiple passwords.

RUVPN users must be added as Firebox users even if another authentication method is used internally.

Adding a member to built-in RUVPN user groups

The process to add a member to the built-in RUVPN user groups is the same for both PPTP and IPSec. The example below is for pptp_users. From Policy Manager:

1Select Setup => Authentication.

2Click the Firebox Users tab. To add a new user, click the Add button beneath the

Users list.

There is also a button to access the Setup Firebox User dialog box from within the Mobile User VPN wizard.

134

Image 144

WatchGuard Technologies FireboxTM System 4.6 manual Configuring shared servers for Ruvpn, Adding remote access users

Contents

WatchGuard Firebox System User Guide Disclaimer Copyright and Patent Information WatchGuard Firebox System WFS End-User License Agreement Page Declaration of Conformity Watchguard FCC Certification CE NoticeCSA Statement Table of Contents Using the WatchGuard Control Center Setting Up Network Address Translation 149 Part I Introduction Welcome to WatchGuardWatchGuard Firebox System components WatchGuard Firebox WatchGuard Control CenterWatchGuard security suite LiveSecurity Service Minimum requirementsSoftware requirements Web browser requirements Hardware requirements CPU Part II WatchGuard Services LiveSecurity ServiceWatchGuard Optional Features Technical SupportPage LiveSecurity Service Software UpdateLiveSecurity broadcasts Information Alert Activating the LiveSecurity Service EditorialSupport Flash Virus Alert Minimize or close your Web browser LiveSecurity broadcasts Accessing frequently asked questions FAQ Technical Support Known issues Click the LSS/SOHO Known Issues link on the leftGetting Internet technical support Getting telephone support Training WatchGuard Interactive Training System Wits WatchGuard users group Online HelpInstructor-led courses Starting WatchGuard Online Help Searching for topicsCopying the Help system to additional platforms Online Help system requirements Context-sensitive Help WatchGuard Options Currently available optionsVPN Manager High Availability Obtaining WatchGuard options Mobile User VPNSpamScreen Part III Configuring a Security Policy Set up network address translation NAT Set up logging and notificationConnect with out-of-band management What is a Firebox? Firebox Basics Placing a Firebox within a network Opening a configuration file Saving a configuration fileOpening a configuration from the Firebox Opening a configuration from a local hard disk Resetting Firebox passphrases Saving a configuration to the local hard diskSaving a configuration to the Firebox Tips for creating secure passphrases Setting the time zone Reinitializing a misconfigured FireboxSelect Setup =Time Zone Reinitialize the Firebox using the QuickSetup wizard Booting from the system area Using the WatchGuard Control Center Starting the Control Center and connecting to a FireboxNavigating the WatchGuard Control Center Control Center components QuickGuide Front panelFirebox and VPN tunnel status IPSec Remote VPN tunnelsExpanding and collapsing the display Red exclamation point Connecting to a Firebox Setting the maximum number of log messagesWorking with the Control Center Traffic Monitor Policy Manager Manipulating the Traffic MonitorOpening WatchGuard Firebox System tools Firebox Monitors LogViewerChanging the Policy Manager view HostWatch Historical ReportsLiveSecurity Event Processor LiveSecurity Event Processor Configuring a Network Running the QuickSetup wizardTrusted External Setting up a drop-in network Setting up a routed network Select Network = Configuration Adding a secondary networkDefining a network route Select Network = Routes Setting the default gateway Select Network = Default GatewayDefining a host route Changing an interface IP address Select Network = Configuration. Click the General tab Select Network = Configuration. Click the Dhcp Server tabEntering Wins and DNS server addresses Defining a Firebox as a Dhcp server Modifying an existing subnet Removing a SubnetClick the subnet to remove it. Click Remove Click OK Defining a Firebox as a Dhcp server Configuring default packet handling Select Setup = Default Packet HandlingBlocking Sites and Ports Blocking a site permanently Removing a blocked siteChanging the auto-block duration Logging and notification for blocked sites Blocking a port permanently Removing a blocked portLogging and notification for blocked ports Category list, click Blocked Sites Blocking sites temporarily with service settings Configuring a service to temporarily block sitesViewing the Blocked Sites list Configuring Services Adding an existing serviceClick OK to close the Properties dialog box Creating a new service IgnoreSecure Port Defining service properties Adding incoming service properties Adding outgoing service properties Adding addresses to service propertiesWorking with wg icons Configuring services for authentication Modifying a serviceDeleting a service Under Internal Hosts, click Add Setting up proxy services Configuring an Smtp proxy serviceConfiguring the incoming Smtp proxy Click Yes Selecting content types Adding address patternsProtecting your mail server against relaying Select headers to allow Configuring an FTP proxy service Configuring the outgoing Smtp proxyClick Outgoing Add masquerading options Configuring an Http proxy service Service precedence From Rank Any List Service precedence Controlling Web Traffic How WebBlocker worksReverting to old WebBlocker databases Configuring the WebBlocker service Prerequisites to using WebBlockerLogging and WebBlocker Activating WebBlocker Setting privileges Scheduling operational and non-operational hoursCreating WebBlocker exceptions Click the WebBlocker Controls tab Manually downloading the WebBlocker database Debug- Outputs debugging information Setting Up Network Address Translation What is dynamic NAT? Using simple dynamic NAT Select Setup = NATEnabling simple dynamic NAT Adding dynamic NAT entries Using service-based NAT Enabling service-based NATConfiguring service-based NAT exceptions Configuring a service for incoming static NAT Setting static NAT for a serviceSelect Network = Configuration. Click the External tab Adding external IP addresses Enter the internal IP address CheckboxClick OK to close the Add Static NAT dialog box Configuring a service for incoming static NAT Setting Up Logging Notification Ensure logging with failover logging WatchGuard logging architecture Designating Event Processors for a FireboxLiveSecurity Event Processor Editing an Event Processor setting Select Setup = LoggingAdding an Event Processor Enabling Syslog logging Removing an Event Processor Reordering Event ProcessorsSynchronizing Event Processors For Windows NT Event Processors Setting up the LiveSecurity Event Processor Installing the Event Processor programRunning an Event Processor on Windows Running an Event Processor on Windows NT or Windows As a Windows NT or Windows 2000 Service Interactive mode from a DOS windowViewing the Event Processor Click WG LiveSecurity Event Processor. Click Startup Setting global logging and notification preferences Setting the log encryption keySetting the interval for log rollover Starting and stopping the Event Processor Customizing logging and notification by service or option Scheduling log reportsControlling notification Category Setting logging and notification for a service Setting Launch Interval and Repeat Count Setting logging and notification for blocked sites and ports Select Setup = Blocked Sites Connecting a Firebox with OOB management Connect with Out-of-Band ManagementEnabling the Management Station Install the modem Configure the dial-up connectionPreparing a Windows NT Management Station for OOB Preparing a Windows 95/98 Management Station for OOB Configuring the Firebox for OOB Select Network = Configuration. Click the OOB tabConfiguring PPP for connecting to a Firebox Establishing an OOB connection Establishing an OOB connection Part IV Administering a Security Policy Aliases and AuthenticationFirebox Activity Monitors Network Activity ReportsPage Creating Aliases Implementing Authentication Using host aliases Adding a host alias Modifying a host aliasRemoving a host alias What is user authentication? User authentication typesHow user authentication works Configuring Firebox authentication Configuring Windows NT Server authenticationUnder Authentication Enabled Via, click the Firebox option To close the Setup Remote User dialog box, click Close Configuring Radius server authentication Click the Windows NT Server tab Configuring CRYPTOCard server authentication Enter the administrator passwordOn the Radius Server Enter or accept the time-out in seconds Configuring SecurID authentication Using authentication to define remote user VPN access Example Configuring a service for Remote User VPN Starting Firebox Monitors and connecting to a Firebox Monitoring Firebox Activity Setting Firebox Monitors view properties ServiceWatchBandwidth Meter StatusReport Network configuration Packet countsLog and notification hosts Blocked Sites list Authentication host information Logging optionsMemory Load average Interfaces RoutesInterface the Firebox uses for each destination address Authentication list Blocked Sites listARP table Replaying a log file HostWatch displaySelect File = Connect Select File = Open Viewing authenticated users Controlling the HostWatch displayViewing specific hosts Viewing specific ports Modifying view properties Add HostWatch 102 Setting LogViewer preferences Reviewing and Working with Log FilesViewing files with LogViewer Starting LogViewer and opening a log file Searching for specific entries Copying and exporting LogViewer data Displaying and hiding fields Working with log files Consolidating logs from multiple locations Setting log encryption keys Copying log filesForcing the rollover of log files From LiveSecurity Event Processor Working with log files 108 Generating Reports of Network Activity Starting Historical ReportsCreating and editing reports Viewing the reports list Specifying report sections Creating a new reportEditing an existing report Deleting a report Setting report properties Specifying a report time spanConsolidating report sections Exporting reports Exporting reports to Html formatExporting a report to WebTrends for Firewalls and VPNs Enter the number of elements to rank in the table Using report filters Exporting a report to a text fileCreating a new filter Scheduling and running reports Editing a filterDeleting a filter Applying a filter Report sections and consolidated sections Manually running a report Session Summary Packet Filtered Time Summary Proxied TrafficHost Summary Proxied Traffic Proxy Summary Consolidated Sections 118 Part V WatchGuard Virtual Private Networking Branch office virtual private networkRemote user virtual private network 120 Configuring Branch Office Virtual Private Networking Configuration checklist Using Dvcp to connect to devices How does Dvcp work?Basic and Enhanced Dvcp Creating a tunnel to a Soho or SOHOtc Editing a tunnel to a device Select Network = Branch Office VPN = Basic DvcpTelecommuter IP Address Soho Private Network Branch office VPN with IPSec Removing a tunnel to a deviceDefining a Firebox as an Enhanced Dvcp Client Select the tunnel policy. Click Edit Configuring a gateway Select Network = Branch Office VPN = IPSecAdding a gateway Click Gateways Configuring a tunnel with manual security Incoming Settings for Outgoing checkboxUsing Encapsulated Security Protocol ESP Removing a gateway Configuring a tunnel with dynamic security Using Authenticated Headers AHClick Key. Enter a passphrase. Click OK Click the Dynamic Security tab Creating an IPSec policy BlockBypass Dst Port field, enter the remote host port Configuring services for branch office VPN with IPSec Changing IPSec policy orderSrc Port field, enter the local host port Incoming Configuring WatchGuard VPN WatchGuard VPN configuration modelsSetting up WatchGuard VPN Allow VPN access to any services Enable the Activate WatchGuard VPN checkbox Changing remote network entriesPreventing IP spoofing with WatchGuard VPN Enter the encryption key. Click Make Key Configuring incoming services to allow VPN Verifying successful WatchGuard VPN configuration Configuring the Firebox for Remote User VPN Remote User PptpMobile User VPN Configuring shared servers for Ruvpn Adding remote access usersAdding a member to built-in Ruvpn user groups Configuring services to allow incoming Ruvpn By individual serviceUsing the Any service Configuring the Firebox for Remote User Pptp Activating Remote User PptpEntering IP addresses for Remote User sessions Select Network = Remote User. Click the Pptp tab Configuring the Firebox for Mobile User VPN Purchasing a Mobile User VPN licenseRules for valid Remote User Pptp addresses Preparing Mobile User VPN configuration files Entering license keysDefining a new mobile user Select Network = Remote User. Click the Mobile User VPN tab Saving the configuration to a Firebox Distributing the software and configuration filesModifying an existing Mobile User VPN entry Select Network = Remote User Configuring debugging options Debugging Mobile User VPNDebugging Remote User VPN Pptp Preparing a Host for Remote User VPN Preparing the client computers Remote host operating system Windows 95/98 platform preparationClick the Identification tab Installing Client for Microsoft Networks Installing Dial-Up Adapter #2 VPN SupportWindows NT platform preparation Setting up Ruvpn for Windows Click Dial Out Only. Click ContinueAdding a domain name to a Windows NT workstation Select Computer Browser Configuring the remote host for Ruvpn with Pptp Installing a VPN adapter on Windows 95/98Initial Connection window that appears, click Yes Click Obtain an IP Address Automatically. Click OK Using Remote User Pptp Installing a VPN adapter on Windows NTStarting Remote User Pptp Enter the remote client username and password Running Remote User PptpDouble-click the Ruvpn connection Click Connect Configuring debugging options 148 Index 150 User Guide 151 152 User Guide 153 154 User Guide 155 156 User Guide 157 158 User Guide 159 160