Manuals / WatchGuard Technologies / Computer Equipment / Network Router

WatchGuard Technologies FireboxTM System 4.6 manual Preparing a Host for Remote User VPN

Models: FireboxTM System 4.6

1 170

Download 170 pages 21.61 Kb

Page 151

CHAPTER 19 Preparing a Host for Remote

User VPN

Remote user virtual private networking (RUVPN) establishes a secure connection between an unsecured remote host and a protected network over an unsecured network. RUVPN connects an employee on the road or working from home to trusted and optional networks behind a Firebox using a standard Internet dial-up connection without compromising security.

The WatchGuard Firebox System offers two types of RUVPN:

•Remote User PPTP – Uses the Point-to-Point Tunneling Protocol. This type of RUVPN is included with the basic WatchGuard package and supports up to 50 concurrent sessions per Firebox. It works with any Firebox encryption level.

•Mobile User VPN – Uses Internet Protocol Security (IPSec). This type of RUVPN is an optional feature of the WatchGuard package. It also requires that the Firebox be approved and upgraded to strong or medium encryption level.

RUVPN requires configuration of both the Firebox and the end-user remote host computers. This section describes how to configure a remote host for Remote User VPN with PPTP. For information on configuring the Firebox, see “Configuring the Firebox for Remote User VPN” on page 133.

For information on configuring a remote host for Mobile User VPN, see the Mobile User VPN brochure provided with Mobile User VPN licenses. You can download a copy from the LiveSecurity Service Web site.

Preparing the client computers

Every computer used as a Remote User VPN with PPTP remote host must first be prepared with the following:

•Operating system software

•Device drivers

•Internet service provider account

User Guide

141

Image 151

WatchGuard Technologies FireboxTM System 4.6 manual Preparing a Host for Remote User VPN, Preparing the client computers

Contents

WatchGuard Firebox System User Guide Copyright and Patent Information DisclaimerWatchGuard Firebox System WFS End-User License Agreement Page Watchguard Declaration of ConformityCE Notice FCC CertificationCSA Statement Table of Contents Using the WatchGuard Control Center Setting Up Network Address Translation 149 Welcome to WatchGuard Part I IntroductionWatchGuard Firebox System components WatchGuard Control Center WatchGuard FireboxWatchGuard security suite Web browser requirements LiveSecurity ServiceMinimum requirements Software requirementsCPU Hardware requirementsTechnical Support Part II WatchGuard ServicesLiveSecurity Service WatchGuard Optional FeaturesPage Information Alert LiveSecurity ServiceSoftware Update LiveSecurity broadcastsVirus Alert Activating the LiveSecurity ServiceEditorial Support FlashMinimize or close your Web browser LiveSecurity broadcasts Technical Support Accessing frequently asked questions FAQGetting telephone support Known issuesClick the LSS/SOHO Known Issues link on the left Getting Internet technical supportWatchGuard Interactive Training System Wits TrainingOnline Help WatchGuard users groupInstructor-led courses Online Help system requirements Starting WatchGuard Online HelpSearching for topics Copying the Help system to additional platformsContext-sensitive Help High Availability WatchGuard OptionsCurrently available options VPN ManagerMobile User VPN Obtaining WatchGuard optionsSpamScreen Part III Configuring a Security Policy Set up logging and notification Set up network address translation NATConnect with out-of-band management Firebox Basics What is a Firebox?Placing a Firebox within a network Opening a configuration from a local hard disk Opening a configuration fileSaving a configuration file Opening a configuration from the FireboxTips for creating secure passphrases Resetting Firebox passphrasesSaving a configuration to the local hard disk Saving a configuration to the FireboxReinitialize the Firebox using the QuickSetup wizard Setting the time zoneReinitializing a misconfigured Firebox Select Setup =Time ZoneBooting from the system area Control Center components Using the WatchGuard Control CenterStarting the Control Center and connecting to a Firebox Navigating the WatchGuard Control CenterFront panel QuickGuideFirebox and VPN tunnel status Red exclamation point IPSecRemote VPN tunnels Expanding and collapsing the displayTraffic Monitor Connecting to a FireboxSetting the maximum number of log messages Working with the Control CenterManipulating the Traffic Monitor Policy ManagerOpening WatchGuard Firebox System tools LogViewer Firebox MonitorsChanging the Policy Manager view Historical Reports HostWatchLiveSecurity Event Processor LiveSecurity Event Processor External Configuring a NetworkRunning the QuickSetup wizard TrustedSetting up a drop-in network Setting up a routed network Select Network = Routes Select Network = ConfigurationAdding a secondary network Defining a network routeChanging an interface IP address Setting the default gatewaySelect Network = Default Gateway Defining a host routeDefining a Firebox as a Dhcp server Select Network = Configuration. Click the General tabSelect Network = Configuration. Click the Dhcp Server tab Entering Wins and DNS server addressesRemoving a Subnet Modifying an existing subnetClick the subnet to remove it. Click Remove Click OK Defining a Firebox as a Dhcp server Select Setup = Default Packet Handling Configuring default packet handlingBlocking Sites and Ports Logging and notification for blocked sites Blocking a site permanentlyRemoving a blocked site Changing the auto-block durationCategory list, click Blocked Sites Blocking a port permanentlyRemoving a blocked port Logging and notification for blocked portsConfiguring a service to temporarily block sites Blocking sites temporarily with service settingsViewing the Blocked Sites list Adding an existing service Configuring ServicesClick OK to close the Properties dialog box Port Creating a new serviceIgnore SecureAdding incoming service properties Defining service propertiesAdding addresses to service properties Adding outgoing service propertiesWorking with wg icons Under Internal Hosts, click Add Configuring services for authenticationModifying a service Deleting a serviceClick Yes Setting up proxy servicesConfiguring an Smtp proxy service Configuring the incoming Smtp proxySelect headers to allow Selecting content typesAdding address patterns Protecting your mail server against relayingAdd masquerading options Configuring an FTP proxy serviceConfiguring the outgoing Smtp proxy Click OutgoingConfiguring an Http proxy service Service precedence From Rank Any List Service precedence How WebBlocker works Controlling Web TrafficReverting to old WebBlocker databases Activating WebBlocker Configuring the WebBlocker servicePrerequisites to using WebBlocker Logging and WebBlockerClick the WebBlocker Controls tab Setting privilegesScheduling operational and non-operational hours Creating WebBlocker exceptionsDebug- Outputs debugging information Manually downloading the WebBlocker databaseWhat is dynamic NAT? Setting Up Network Address TranslationAdding dynamic NAT entries Using simple dynamic NATSelect Setup = NAT Enabling simple dynamic NATEnabling service-based NAT Using service-based NATConfiguring service-based NAT exceptions Adding external IP addresses Configuring a service for incoming static NATSetting static NAT for a service Select Network = Configuration. Click the External tabCheckbox Enter the internal IP addressClick OK to close the Add Static NAT dialog box Configuring a service for incoming static NAT Ensure logging with failover logging Setting Up Logging NotificationDesignating Event Processors for a Firebox WatchGuard logging architectureLiveSecurity Event Processor Enabling Syslog logging Editing an Event Processor settingSelect Setup = Logging Adding an Event ProcessorFor Windows NT Event Processors Removing an Event ProcessorReordering Event Processors Synchronizing Event ProcessorsRunning an Event Processor on Windows NT or Windows Setting up the LiveSecurity Event ProcessorInstalling the Event Processor program Running an Event Processor on WindowsClick WG LiveSecurity Event Processor. Click Startup As a Windows NT or Windows 2000 ServiceInteractive mode from a DOS window Viewing the Event ProcessorStarting and stopping the Event Processor Setting global logging and notification preferencesSetting the log encryption key Setting the interval for log rolloverCategory Customizing logging and notification by service or optionScheduling log reports Controlling notificationSetting Launch Interval and Repeat Count Setting logging and notification for a serviceSelect Setup = Blocked Sites Setting logging and notification for blocked sites and portsConnect with Out-of-Band Management Connecting a Firebox with OOB managementEnabling the Management Station Preparing a Windows 95/98 Management Station for OOB Install the modemConfigure the dial-up connection Preparing a Windows NT Management Station for OOBEstablishing an OOB connection Configuring the Firebox for OOBSelect Network = Configuration. Click the OOB tab Configuring PPP for connecting to a FireboxEstablishing an OOB connection Network Activity Reports Part IV Administering a Security PolicyAliases and Authentication Firebox Activity MonitorsPage Using host aliases Creating Aliases Implementing AuthenticationModifying a host alias Adding a host aliasRemoving a host alias User authentication types What is user authentication?How user authentication works To close the Setup Remote User dialog box, click Close Configuring Firebox authenticationConfiguring Windows NT Server authentication Under Authentication Enabled Via, click the Firebox optionClick the Windows NT Server tab Configuring Radius server authenticationEnter or accept the time-out in seconds Configuring CRYPTOCard server authenticationEnter the administrator password On the Radius ServerConfiguring SecurID authentication Example Configuring a service for Remote User VPN Using authentication to define remote user VPN accessMonitoring Firebox Activity Starting Firebox Monitors and connecting to a FireboxStatusReport Setting Firebox Monitors view propertiesServiceWatch Bandwidth MeterBlocked Sites list Network configurationPacket counts Log and notification hostsLoad average Authentication host informationLogging options MemoryRoutes InterfacesInterface the Firebox uses for each destination address Blocked Sites list Authentication listARP table Select File = Open Replaying a log fileHostWatch display Select File = ConnectViewing specific ports Viewing authenticated usersControlling the HostWatch display Viewing specific hostsAdd Modifying view propertiesHostWatch 102 Starting LogViewer and opening a log file Setting LogViewer preferencesReviewing and Working with Log Files Viewing files with LogViewerCopying and exporting LogViewer data Searching for specific entriesDisplaying and hiding fields Consolidating logs from multiple locations Working with log filesFrom LiveSecurity Event Processor Setting log encryption keysCopying log files Forcing the rollover of log filesWorking with log files 108 Viewing the reports list Generating Reports of Network ActivityStarting Historical Reports Creating and editing reportsDeleting a report Specifying report sectionsCreating a new report Editing an existing reportSpecifying a report time span Setting report propertiesConsolidating report sections Enter the number of elements to rank in the table Exporting reportsExporting reports to Html format Exporting a report to WebTrends for Firewalls and VPNsExporting a report to a text file Using report filtersCreating a new filter Applying a filter Scheduling and running reportsEditing a filter Deleting a filterManually running a report Report sections and consolidated sectionsProxy Summary Session Summary Packet FilteredTime Summary Proxied Traffic Host Summary Proxied TrafficConsolidated Sections 118 Branch office virtual private network Part V WatchGuard Virtual Private NetworkingRemote user virtual private network 120 Configuration checklist Configuring Branch Office Virtual Private NetworkingCreating a tunnel to a Soho or SOHOtc Using Dvcp to connect to devicesHow does Dvcp work? Basic and Enhanced DvcpSoho Private Network Editing a tunnel to a deviceSelect Network = Branch Office VPN = Basic Dvcp Telecommuter IP AddressSelect the tunnel policy. Click Edit Branch office VPN with IPSecRemoving a tunnel to a device Defining a Firebox as an Enhanced Dvcp ClientClick Gateways Configuring a gatewaySelect Network = Branch Office VPN = IPSec Adding a gatewayRemoving a gateway Configuring a tunnel with manual securityIncoming Settings for Outgoing checkbox Using Encapsulated Security Protocol ESPClick the Dynamic Security tab Configuring a tunnel with dynamic securityUsing Authenticated Headers AH Click Key. Enter a passphrase. Click OKDst Port field, enter the remote host port Creating an IPSec policyBlock BypassIncoming Configuring services for branch office VPN with IPSecChanging IPSec policy order Src Port field, enter the local host portAllow VPN access to any services Configuring WatchGuard VPNWatchGuard VPN configuration models Setting up WatchGuard VPNEnter the encryption key. Click Make Key Enable the Activate WatchGuard VPN checkboxChanging remote network entries Preventing IP spoofing with WatchGuard VPNVerifying successful WatchGuard VPN configuration Configuring incoming services to allow VPNRemote User Pptp Configuring the Firebox for Remote User VPNMobile User VPN Adding remote access users Configuring shared servers for RuvpnAdding a member to built-in Ruvpn user groups By individual service Configuring services to allow incoming RuvpnUsing the Any service Select Network = Remote User. Click the Pptp tab Configuring the Firebox for Remote User PptpActivating Remote User Pptp Entering IP addresses for Remote User sessionsPurchasing a Mobile User VPN license Configuring the Firebox for Mobile User VPNRules for valid Remote User Pptp addresses Select Network = Remote User. Click the Mobile User VPN tab Preparing Mobile User VPN configuration filesEntering license keys Defining a new mobile userSelect Network = Remote User Saving the configuration to a FireboxDistributing the software and configuration files Modifying an existing Mobile User VPN entryDebugging Mobile User VPN Configuring debugging optionsDebugging Remote User VPN Pptp Preparing the client computers Preparing a Host for Remote User VPNWindows 95/98 platform preparation Remote host operating systemClick the Identification tab Installing Dial-Up Adapter #2 VPN Support Installing Client for Microsoft NetworksWindows NT platform preparation Select Computer Browser Setting up Ruvpn for WindowsClick Dial Out Only. Click Continue Adding a domain name to a Windows NT workstationClick Obtain an IP Address Automatically. Click OK Configuring the remote host for Ruvpn with PptpInstalling a VPN adapter on Windows 95/98 Initial Connection window that appears, click YesInstalling a VPN adapter on Windows NT Using Remote User PptpStarting Remote User Pptp Click Connect Enter the remote client username and passwordRunning Remote User Pptp Double-click the Ruvpn connectionConfiguring debugging options 148 Index 150 User Guide 151 152 User Guide 153 154 User Guide 155 156 User Guide 157 158 User Guide 159 160