WatchGuard Technologies SOHO manual


A good user manual

The rules should oblige the seller to give the purchaser the operating instructions for WatchGuard Technologies SOHO along with the item. The lack of instructions or false information given to the customer shall constitute grounds for a complaint because of nonconformity of goods with the contract. In accordance with the law, a customer can receive instructions in non-paper form; lately graphic and electronic forms of manuals, as well as instructional videos, have been widely used. A necessary precondition for this is that the instructions are unmistakable and legible.

What is an instruction?

The term originates from the Latin word „instructio”, which means organizing. Therefore, in an instruction of WatchGuard Technologies SOHO one could find a process description. An instruction's purpose is to teach, to ease the start-up and an item's use or performance of certain activities. An instruction is a compilation of information about an item/a service, it is a clue.

Unfortunately, only a few customers devote their time to read an instruction of WatchGuard Technologies SOHO. A good user manual introduces us to a number of additional functionalities of the purchased item, and also helps us to avoid the formation of most of the defects.

What should a perfect user manual contain?

First and foremost, a user manual of WatchGuard Technologies SOHO should contain:
- information concerning technical data of WatchGuard Technologies SOHO
- name of the manufacturer and a year of construction of the WatchGuard Technologies SOHO item
- rules of operation, control and maintenance of the WatchGuard Technologies SOHO item
- safety signs and mark certificates which confirm compatibility with appropriate standards

Why don't we read the manuals?

Usually it results from the lack of time and certainty about functionalities of purchased items. Unfortunately, networking and start-up of WatchGuard Technologies SOHO alone are not enough. An instruction contains a number of clues concerning respective functionalities, safety rules, maintenance methods (what means should be used), eventual defects of WatchGuard Technologies SOHO, and methods of problem resolution. Eventually, when one still can't find the answer to his problems, he will be directed to the WatchGuard Technologies service. Lately animated manuals and instructional videos are quite popular among customers. These kinds of user manuals are effective; they assure that a customer will familiarize himself with the whole material, and won't skip complicated, technical information of WatchGuard Technologies SOHO.

Why should one read the manuals?

It is mostly in the manuals where we will find the details concerning construction and possibility of the WatchGuard Technologies SOHO item, and its use of respective accessory, as well as information concerning all the functions and facilities.

After a successful purchase of an item one should find a moment and get to know every part of the instructions. Currently the manuals are carefully prepared and translated, so they can be fully understood by their users. The manuals will serve as an informational aid.

Table of contents for the manual

  • Page 1

    WatchGuard SOHO and SOHO|tc WatchGuard® SOHO User Guide SOHO and SOHO|tc version 5.0[...]

  • Page 2

    2[...]

  • Page 3

    User Guide 5.0 3 Using this guide This guide assumes that you are familiar with your computer’s operating system. If you have questions about navigating in your computer’s environment, please refer to your system user manual. The following conventions are used throughout this guide. Convention Indication Bold type Denotes menu comma[...]

  • Page 4

    4 Certifications and Notices FCC Certification This device has been tested and found to comply with limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. Operation is subject to the following two conditions: • This device may not cause harmful interference. • This device must accept any interference received, includ[...]

  • Page 5

    User Guide 5.0 5 Taiwanese Notice VCCI Notice Class A ITE[...]

  • Page 6

    6 Declaration of Conformity[...]

  • Page 7

    User Guide 5.0 7 WatchGuard® End-User License Agreement IMPORTANT - READ CAREFULLY BEFORE ACCESSING WATCHGUARD SOFTWARE This WatchGuard End-User License Agreement (“EULA”) is a legal agreement between you (either an individual or a single entity) and WatchGuard Technologies, Inc. (“WATCHGUARD”) for the WATCHGUARD soft[...]

  • Page 8

    8 4. LIMITED WARRANTY. WATCHGUARD makes the following limited warranties for a period of ninety (90) days from the date you obtained the SOFTWARE PRODUCT from WATCHGUARD or an authorized dealer; (A) Media. The disks and documentation will be free from defects in materials and workmanship under normal use. If the disks or docu[...]

  • Page 9

    User Guide 5.0 9 SUCH DAMAGES. THIS SHALL BE TRUE EVEN IN THE EVENT OF THE FAILURE OF AN AGREED REMEDY. 5. UNITED STATES GOVERNMENT RESTRICTED RIGHTS. The enclosed SOFTWARE PRODUCT and documentation are provided with Restricted Rights. Use, duplication or disclosure by the U.S Government or any agency or instrumentality t[...]

  • Page 10

    10 WatchGuard® Limited Hardware Warranty This WatchGuard Limited Hardware Warranty (the "Warranty") applies to the enclosed WatchGuard hardware product (the "Hardware Product"). By using the HARDWARE Product, you agree to the terms hereof. If you do not agree to these terms, please return this package, along with p[...]

  • Page 11

    User Guide 5.0 11 OR IMPLIED, ARISING BY LAW OR OTHERWISE, WITH RESPECT TO ANY NONCONFORMANCE OR DEFECT IN THE HARDWARE PRODUCT (INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ANY IMPLIED WARRANTY ARISING FROM COURSE OF PERFORMANCE, COURSE OF DEALING, OR USAGE OF TR[...]

  • Page 12

    12 Copyright and Patent Information Copyright © 1999-2001 WatchGuard Technologies, Inc. All rights reserved. WatchGuard and LiveSecurity are either registered trademarks or trademarks of WatchGuard Technologies, Inc. in the United States and other countries. Firebox is a trademark of WatchGuard Technologies, Inc. CyberPatrol is a regist[...]

  • Page 13

    User Guide 2.4 13 Table of Contents
    CHAPTER 1 Introduction ... 17
    Registration and Identification Information ... 18
    How does a firewall work? ... 18
    How does information travel on the internet? ... 20
    How does the SOHO process this information? ..[...]

  • Page 14

    14
    Configuring Your Trusted Network ... 47
    Configuring Static Routes ... 49
    View the Network Statistics ... 50
    CHAPTER 4 Your Administrative Options ... 53
    The System Security Page ... 53
    Se[...]

  • Page 15

    User Guide 5.0 15
    Configuring the SOHO WebBlocker ... 88
    WebBlocker categories ... 93
    Searching for blocked sites ... 96
    CHAPTER 8 Configuring Virtual Private Networking ... 97
    What you will need ...[...]

  • Page 16

    16[...]

  • Page 17

    User Guide 5.0 17 CHAPTER 1 Introduction Welcome Congratulations on purchasing the ideal solution for providing secure access to the Internet – the WatchGuard SOHO or WatchGuard SOHO|tc. Your new security device will give you peace of mind when connecting to the Internet using a high-speed cable or DSL modem, a leased line, or ISDN. This User [...]

  • Page 18

    Registration and Identification Information 18 Registration and Identification Information Once you have installed and configured your SOHO following the instructions you will find in the upcoming chapters, you will need to register the unit at our Web site. When the registration is complete you can take advantage of our LiveSecurity ser[...]

  • Page 19

    User Guide 5.0 19 How does a firewall work? these dangers. As is illustrated in the image below, the SOHO physically separates your trusted network from the Internet. Using rules we will discuss in Chapter 3: “Configuring Incoming and Outgoing Services” on page 63, the WatchGuard SOHO evaluates all traffic between the external net[...]

  • Page 20

    How does information travel on the internet? 20 How does information travel on the internet? Each packet of information transported over the Internet must be packaged in a special way to ensure that it is able to travel from one computer to the next. A system called Internet Protocol (IP) takes chunks of information and wraps them up wi[...]

  • Page 21

    User Guide 5.0 21 How does the SOHO process this information? How does the SOHO process this information? Services A service is the combination of protocol(s) and port numbers associated with a specific application or communication type. To facilitate configuration of your SOHO, WatchGuard lets you select pre-configured versions of s[...]

  • Page 22

    The SOHO Home Page—System Status 22 The SOHO Home Page—System Status The System Status page is effectively the home page of the SOHO. A variety of information is revealed in an effort to provide you with a comprehensive display of the SOHO configuration. • The firmware version • A few of the SOHO features and their status: - WSEP Log[...]

  • Page 23

    User Guide 5.0 23 The Default Factory Settings Firewall Settings All incoming services are blocked. An outgoing service allowing all outbound traffic. None of the Firewall Options are enabled. The DMZ pass-through is disabled. System Security System Security is disabled and no System Administrator name or passphrase is set – the onboard c [...]

  • Page 24

    Rebooting a WatchGuard SOHO 24 The Base Model SOHO The base model SOHO comes with a ten seat license, that is ten computers have access to the Internet through the SOHO. Remember, while only four devices connect directly to the four (numbered 1-4) Ethernet ports, one or more of these devices can be a hub or router. Please see, “Cabling t[...]

  • Page 25

    User Guide 5.0 25 Rebooting a WatchGuard SOHO • Send an FTP command to the remote SOHO device. Use an FTP application to connect to the SOHO device, then enter the command: quote rebt[...]

  • Page 26

    Rebooting a WatchGuard SOHO 26[...]

  • Page 27

    User Guide 5.0 27 CHAPTER 2 Getting Started Before you begin Pre-installation checklist Before installing your new WatchGuard SOHO please ensure that you have: • A 10BaseT Ethernet I/O network card installed in your computer. • A cable or DSL modem with a 10BaseT port. • Two Ethernet network cables with RJ45 connectors. These must[...]

  • Page 28

    The Installation Process 28 • An operational Internet connection. Setup of your SOHO requires access to the Internet. If your connection does not work, please contact your Internet service provider (ISP). When your connection has been established, you may proceed with installation and setup. • If you have either a cable or DSL modem, cons[...]

  • Page 29

    User Guide 5.0 29 The Installation Process Determine your current TCP/IP settings For your reference, record the computer’s current TCP/IP settings in the chart provided at the end of this section. Different operating systems will supply different information. To locate your settings: Microsoft Windows NT or 2000 1 Click Start => Pr[...]

  • Page 30

    The Installation Process 30 3 Exit the TCP/IP configuration screen. NOTE If you are connecting more than one computer to the trusted network behind the SOHO, obtain the configuration TCP/IP information for each computer. Disable your browser’s HTTP proxy To configure a WatchGuard SOHO after it is installed, you must be able to access[...]

  • Page 31

    User Guide 5.0 31 The Installation Process With the HTTP proxy enabled, the browser automatically points itself to Web pages located on the Internet, and you cannot direct the browser to Web pages located in other places. Disabling the HTTP will not prevent you from accessing your favorite Web sites, but it will allow you to access the [...]

  • Page 32

    The Installation Process 32 5 Verify that the Direct Connection to the Internet option is enabled. 6 Click OK to save the settings. Internet Explorer 5.0/5.5 and 6.0 1 Open Internet Explorer. 2 Click Tools => Internet Options. The Internet Options screen displays. 3 Click the Advanced tab. 4 Scroll down the page to HTTP 1.[...]

  • Page 33

    User Guide 5.0 33 The Installation Process 1 Complete the “Pre-installation checklist” on page 27. 2 Shut down your computer and unplug the power from your DSL or cable modem. 3 Unplug the Ethernet cable that is connected from your DSL or cable modem to your computer and plug it into the WAN port on the SOHO unit. The SOHO unit is now c[...]

  • Page 34

    The Installation Process 34 6 Attach the power cord to the SOHO and plug it into an outlet. 7 Restart your computer. 8 For information on the factory default configuration options, see “The Default Factory Settings” on page 22. For specialized configurations, see “Configuring Your External Network” on page 37, as well as, “Configu[...]

  • Page 35

    User Guide 5.0 35 The Installation Process exist on the network and communicate with each other, but only the first ten which attempt to access the Internet will be allowed through the SOHO. If you would like to upgrade your SOHO to a twenty-five or fifty-seat user license, please visit: http://www.watchguard.com/sales/buyonline.asp 1 C[...]

  • Page 36

    The Installation Process 36[...]

  • Page 37

    User Guide 5.0 37 CHAPTER 3 Setting Up Your SOHO Network The configuration instructions in this chapter assume that you are using Windows 98/ME. If this is not the case, see your operating system user guide or help resources to locate the equivalent options and commands. Configuring Your External Network When you configure the external netwo[...]

  • Page 38

    Configuring Your External Network 38 method to distribute IP addresses is to use Dynamic Host Configuration Protocol (DHCP). When you connect your computer to the network, a DHCP server at your ISP automatically assigns it a network IP address. This eliminates the ISP from having to manually assign and manage IP addresses. IP address assig[...]

  • Page 39

    User Guide 5.0 39 Configuring Your External Network 3 Scroll through the list of installed network components. Double-click the TCP/IP network component which is bound to your Ethernet card. Look for (Ethernet) in parentheses. The TCP/IP Properties dialog box appears.[...]

  • Page 40

    Configuring Your External Network 40 4 If “Obtain an IP Address Automatically” is selected, your computer is configured for dynamic DHCP. If “Obtain an IP Address Automatically” is not checked, your computer is configured for static addressing. Configuring the SOHO External network for dynamic addressing Out of the box, the SOHO [...]

  • Page 41

    User Guide 5.0 41 Configuring Your External Network Configuring the SOHO External network for static addressing If you are assigned a static address, then you must transfer the permanent address assignment from your computer to the SOHO. Instead of communicating directly to your computer, the ISP will now communicate first through the SOHO[...]

  • Page 42

    Configuring Your External Network 42 6 Save the changes. 7 On most platforms, click OK until the Control Panel window closes. 8 Shut down and reboot the computer. On the SOHO: 1 Open your Web browser. Click Stop. At this point, the Internet connection is not fully configured, and the computer cannot load your home page from the Internet[...]

  • Page 43

    User Guide 5.0 43 Configuring Your External Network 4 From the Configuration Mode drop list, select Manual Configuration. 5 Enter the TCP/IP settings you copied from the computer when you started the install process. 6 Click the Submit button. To complete the SOHO External Network configuration, see “Release and renew the IP config[...]

  • Page 44

    Configuring Your External Network 44 ISP to see if they use PPPoE. If you cannot find this information, contact your ISP and ask. You will need your PPPoE login name and password. To configure the SOHO for PPPoE: 1 Open your Web browser and click Stop. At this point, the Internet connection is not fully configured, and the computer cannot lo[...]

  • Page 45

    User Guide 5.0 45 Configuring Your External Network 5 Enter the PPPoE login name supplied by your ISP. 6 Enter the PPPoE password supplied by your ISP 7 Click Automatically restore lost connections. This enables a constant flow of “heartbeat” traffic between the SOHO and the PPPoE server. In the event of routine packet loss, this op[...]

  • Page 46

    Configuring Your External Network 46 Release and renew the IP configuration Regardless of what type of addressing your computer used originally, it will now obtain this information from the SOHO using DHCP. To enable your computer to receive this information from the SOHO, you must force it to release and renew its IP configuration inf [...]

  • Page 47

    User Guide 5.0 47 Configuring Your Trusted Network Configuring Your Trusted Network Out of the box, the SOHO automatically uses DHCP to assign addresses to computers on your trusted network. In other words, every time you connect a computer to the SOHO, either directly or through a hub, it automatically attempts to obtain its addresses fr[...]

  • Page 48

    Configuring Your Trusted Network 48 3 Enter the IP address and the Subnet Mask in the appropriate fields. 4 Disable the checkbox labeled Enable DHCP Server on the Trusted Network. 5 Click the Submit button. Configure additional computers to the trusted network Up to four computers can be plugged directly into the four (numbered 1-4)[...]

  • Page 49

    User Guide 5.0 49 Configuring Static Routes (LAN). You can also mix computers with different operating systems on your network and they will pass traffic through the SOHO to access the Internet. Follow these steps to add one or more computers to your Trusted network: 1 Ensure that any additional computer has an Ethernet card installed. Shut t[...]

  • Page 50

    View the Network Statistics 50 3 Click the Add button. 4 From the Type drop list, select either a Host or Network. 5 Enter the IP address and the Gateway of the route in the appropriate field. 6 Click the Submit button. View the Network Statistics The SOHO has a configuration page which displays a variety of network statistics to [...]

  • Page 51

    User Guide 5.0 51 View the Network Statistics Follow these instructions to view this page: 1 With your Web browser, go to the SOHO System Status page using the Trusted IP address of the SOHO. For example, if using the default IP address, go to: http://192.168.111.1 2 From the navigation bar on the left side, select Network => Netwo[...]

  • Page 52

    View the Network Statistics 52[...]

  • Page 53

    User Guide 5.0 53 CHAPTER 4 Your Administrative Options The SOHO Administration page allows you to configure access to the unit, update the firmware from a non-Windows operating system, redeem any upgrade options you may have purchased, and see the SOHO configuration file in a text format. The System Security Page The System Security config[...]

  • Page 54

    The System Security Page 54 depth in the SOHO Remote Monument Guide located on our Web site: http://help.watchguard.com/documentation/default.asp Setting a System Administrator Name and System Passphrase Passphrases are a barrier between your computer and anyone trying to break in. They are the first line of defense in computer security. Th[...]

  • Page 55

    User Guide 5.0 55 The System Security Page Follow these steps to set up the SOHO System Passphrase: 1 With your Web browser, go to the SOHO System Status page using the Trusted IP address of the SOHO. For example, if using the default IP address, go to: http://192.168.111.1. 2 From the navigation bar on the left side, select Administrati[...]

  • Page 56

    Setting up VPN Manager Access 56 7 Enter the System Passphrase again to confirm it in the appropriate field. 8 Click the Submit button. Setting up VPN Manager Access The SOHO can be configured to allow the WatchGuard VPN Manager software access in order to configure and manage Branch Office VPN tunnels from a remote location. The VPN M[...]

  • Page 57

    User Guide 5.0 57 Setting up VPN Manager Access 3 Enable the checkbox labeled Enable VPN Manager Access. 4 Enter the Status Passphrase in the appropriate field. 5 Enter the Status Passphrase in the appropriate field again to confirm it. 6 Enter the Configuration Passphrase in the appropriate field. 7 Enter the Configuration Passphrase in[...]

  • Page 58

    Update Your Configuration from a Non-Windows Platform 58 Update Your Configuration from a Non-Windows Platform If you are managing your SOHO from a computer running an operating system platform other than Windows (such as a Macintosh or Linux OS), you must update your firmware from this configuration page as firmware versions are released.[...]

  • Page 59

    User Guide 5.0 59 Redeeming your SOHO upgrade certificates these software options is stored within the SOHO. Once you have purchased an upgrade option and redeemed it, the Feature key stored on your unit is modified to enable the software upgrade. Follow these steps to redeem your upgrade certificate: 1 With your Web browser, go to the [...]

  • Page 60

    Redeeming your SOHO upgrade certificates 60 Upgrade certificates Seat Licenses The SOHO can be upgraded to provide for more seats than are available with the base model (for example, the 25 seat license certificate). These certificates must be purchased separately. IPSec Virtual Private Networking (VPN) The SOHO|tc comes with a VPN upg[...]

  • Page 61

    User Guide 5.0 61 View the Configuration File View the Configuration File From this configuration page, you can view your SOHO configuration file as it appears in text form. Follow these steps to view the file: 1 With your Web browser, go to the SOHO System Status page using the Trusted IP address of the SOHO. For example, if using the[...]

  • Page 62

    View the Configuration File 62[...]

  • Page 63

    User Guide 5.0 63 CHAPTER 5 Configuring Your Firewall Settings Firewall settings The WatchGuard SOHO enables you to customize what is allowed both incoming and outgoing through your firewall. With this feature, you can narrowly define what kind of communication is permitted between computers on the Internet and computers on your trusted net[...]

  • Page 64

    Configuring Incoming and Outgoing Services 64 by the SOHO firewall. You can, however, selectively open your network to certain types of Internet connectivity. For example, if you would like to set up a Web server behind the SOHO, you can add an incoming Web service. It is important to remember that each service you add opens a small window[...]

  • Page 65

    User Guide 5.0 65 Configuring Incoming and Outgoing Services 2 Locate the pre-configured service you wish to define, such as FTP, Web, or Telnet, then select either Allow or Deny from the drop list. In our example, the HTTP service is set to Allow enabling Web traffic incoming. 3 Enter the trusted network IP address of the computer to which t[...]

  • Page 66

    Configuring Incoming and Outgoing Services 66 custom service using either a TCP port, UDP port or specifying an IP protocol. You can also create a custom service allowing any form of protocol over any port incoming from an external address to a trusted host or outgoing from a trusted host to an external address. TCP and UDP Ports Follow these[...]

  • Page 67

    User Guide 5.0 67 Blocking External Sites 3 Beneath the Protocol Settings fields, select either TCP Port, UDP Port or Protocol from the drop list. The Custom Service page refreshes. 4 Define a name for the service in the appropriate field. 5 Enter the protocol number to allow in the Protocol field. Now that you have created a custom serv[...]

  • Page 68

    Blocking External Sites 68 Follow these steps to configure blocked sites: 1 From the navigation bar on the left side, select Firewall => Blocked Sites. The Blocked Sites page appears. 2 Select either Host IP Address, Network IP Address, or Host Range from the drop list. The configuration page refreshes. 3 Enter either a single host IP[...]

  • Page 69

    User Guide 5.0 69 Firewall Options 5 Click the Submit button. Firewall Options The SOHO firewall feature includes a few rule settings which are less specific than the service settings discussed previously and can be used to provide further security for your private network. These options are found on the Firewall Options page. 1 With yo[...]

  • Page 70

    Firewall Options 70 Ping requests received on the External Network You can configure the SOHO to deny all ping packets which it may receive on the external interface. 1 Enable the checkbox labeled Do not respond to PING requests received on External Network. 2 Click the Submit button.[...]

  • Page 71

    User Guide 5.0 71 Firewall Options Denying FTP access to the Trusted Network interface You can configure the SOHO to deny FTP access to Trusted interface. 1 Enable the checkbox labeled Do not allow FTP access to Trusted Network. 2 Click the Submit button. CAUTION When performing an update of the system firmware, this option mus[...]

  • Page 72

    Firewall Options 72 • SOHO supports SOCKS version 5 only. • It is a limited version of SOCKS and does not support authentication, nor does it support Domain Name System (DNS) resolution. CAUTION Configure the particular application so that it will not attempt to make DNS look-ups with SOCKS. However, some applications use only DNS thr[...]

  • Page 73

    User Guide 5.0 73 Firewall Options • For the SOCKS proxy, enter the URL or IP address of the SOHO trusted network. The default IP address is 192.168.111.0. Disabling SOCKS on the SOHO Once you have used a SOCKS-compliant application through the SOHO, the primary SOCKS port is available to anyone on your trusted network. You can, however, cl[...]

  • Page 74

    Creating a virtual DMZ 74 Follow these steps: 1 Enable the checkbox labeled Log All Allowed Outbound Access. 2 Click the Submit button. Creating a virtual DMZ The SOHO can be configured to allow traffic to be passed through to a dedicated machine that has been separated from the rest of the Trusted Network. Follow these steps to configu[...]

  • Page 75

    User Guide 5.0 75 Creating a virtual DMZ 3 Enable the checkbox labeled Enable pass through address. 4 Enter the IP address to the pass through machine in the appropriate field. 5 Click the Submit button.[...]

  • Page 76

    Creating a virtual DMZ 76[...]

  • Page 77

    User Guide 5.0 77 CHAPTER 6 What is Logging? Logging is the act of recording “events” that occur at the SOHO interfaces. An event is any single activity, such as communication with the WatchGuard Feature Key Server or the WatchGuard WebBlocker database and incoming traffic passing through the SOHO. Logging is intended to record the kind[...]

  • Page 78

    Setting a WatchGuard Security Event Processor log host 78 The log messages may include time synchronizations between the SOHO and the WatchGuard Key Server, discarded packets for a packet handling violation, duplicate messages, time-outs for attempting to open the WatchGuard Feature Key Server, or return error messages. Follow these steps[...]

  • Page 79

    User Guide 5.0 79 Setting a WatchGuard Security Event Processor log host 3 Enable the checkbox labeled Enable WatchGuard Security Event Processor Logging. 4 Enter the IP address of the WSEP server that will be your Log Host in the appropriate field. In our example, 206.253.208.100. 5 In the Log Encryption Key field, enter a pas[...]

  • Page 80

    Setting a Syslog Host 80 Setting a Syslog Host The SOHO can also be configured to transmit log entries to a Syslog host. Follow these steps to set up a Syslog Host: 1 With your Web browser, go to the SOHO System Status page using the Trusted IP address of the SOHO. For example, if using the default IP address, go to: http://192.168.111.[...]

  • Page 81

    User Guide 5.0 81 Setting the System Time 4 Enter the IP address of the Syslog server in the appropriate field. In our example, 206.253.208.100. 5 Click the Submit button. Setting the System Time The SOHO stamps each log entry with the time that the event occurred. By default, the SOHO is set to record event times in seconds beginning fr[...]

  • Page 82

    Setting the System Time 82 If you have decided to use the WatchGuard Time Server: 3 Enable the option labeled Get Time From WatchGuard Time Server. Or, if you have decided to use a TCP Port 37 Time Server: 4 Enable the option labeled Get Time From TCP Port 37 Time Server at. 5 Enter the IP address of the time server in the appropriate fie[...]

  • Page 83

    User Guide 5.0 83 Setting the System Time • Enable the checkbox labeled Set to GMT. If you want to have your log messages sync with your computer: • Click the Sync Time Now button.[...]

  • Page 84

    Setting the System Time 84[...]

  • Page 85

    User Guide 5.0 85 CHAPTER 7 WatchGuard SOHO WebBlocker WatchGuard SOHO WebBlocker is an optional feature of the WatchGuard SOHO and SOHO|tc that provides Web site filtering capabilities. It gives you precise control over the types of Web sites users on your trusted network are allowed to view. How WebBlocker works WebBlocker relies on a URL[...]

  • Page 86

    How WebBlocker works 86 site, the SOHO queries the WatchGuard database and determines whether or not to block the site. The SOHO considers the following conditions in determining whether or not to block the site: Web site not in WebBlocker database If the site is not in the WatchGuard WebBlocker database, the Web browser opens the page for vie[...]

  • Page 87

    User Guide 5.0 87 Purchasing and enabling SOHO WebBlocker Users This feature allows you to create an individual user account, with a unique username and password, and restrict their web browsing by assigning them to a given Group. Bypassing the SOHO WebBlocker Occasionally, you may want to allow select individuals to bypass the filte[...]

  • Page 88

    Configuring the SOHO WebBlocker 88 Configuring the SOHO WebBlocker Use the WatchGuard SOHO Configuration pages to enable WebBlocker, create a full access password for bypassing WebBlocker, define an Inactivity Timeout which sets the duration that the full access password is valid, define the categories you want to block, and co[...]

  • Page 89

    User Guide 5.0 89 Configuring the SOHO WebBlocker 3 Enable the checkbox labeled Enable WebBlocking. 4 Enter the full access password. The full access password allows a user to bypass otherwise blocked sites. 5 Enter the Inactivity Timeout in minutes. Setting the inactivity timeout at, for example, 15 minutes, ensures that unattende[...]

  • Page 90

    Configuring the SOHO WebBlocker 90 Create WebBlocker Groups and Users Follow the instructions below to create WebBlocker Groups. If you wish to use a global policy for all users, instead of creating separate group policies, ignore this section and follow the instructions to enable WebBlock[...]

  • Page 91

    User Guide 5.0 91 Configuring the SOHO WebBlocker 4 Click the Submit button. A new Groups page appears indicating the configuration changes have been accepted and providing access to creating users. 5 To the right of the “Users” field, click the New button. The New User page appears.[...]

  • Page 92

    Configuring the SOHO WebBlocker 92 6 Enter a unique User name and Passphrase (remember to confirm the Passphrase). Use the Group drop down list to assign the new user to a given group. In our example, we have assigned the User “rodolfo” to the Group “chicosmalos” created previously. 7 Click the Submit button. NOTE You can delete [...]

  • Page 93

    User Guide 5.0 93 WebBlocker categories WebBlocker categories WebBlocker relies on a URL database, the CyberNOT list, a service of CyberPatrol. The WebBlocker database contains many thousands of IP addresses and directories. These addresses are divided into categories based on content such as Drug Culture, Intolerance, or Sexual Acts. Cybe[...]

  • Page 94

    WebBlocker categories 94 measures. Topic includes groups that advocate violence as a means to achieve their goals. It also includes pages devoted to “how to” information on the making of weapons (for both lawful and unlawful reasons), ammunition, and pyrotechnics. Drug Culture Pictures or text advocating the illegal use of drugs for ent[...]

  • Page 95

    User Guide 5.0 95 WebBlocker categories of maiming, bloody figures, and indecent depiction of bodily functions. Violence/Profanity Pictures or text exposing extreme cruelty or profanity. Cruelty is defined as: Physical or emotional acts against any animal or person that are primarily intended to hurt or inflict pain. Topic includes obscene[...]

  • Page 96

    Searching for blocked sites 96 adult personals, and sites devoted to selling pornographic CD-ROMs and videos. Full Nudity Pictures exposing any or all portions of human genitalia. Topic does not include sites categorized as Partial/Artistic Nudity containing partial nudity of a wholesome nature. For example, it does not include Web sites for[...]

  • Page 97

    User Guide 5.0 97 CHAPTER 8 Configuring Virtual Private Networking This chapter describes an optional feature of the WatchGuard SOHO: Virtual Private Networking (VPN) with IPSec. The following WatchGuard SOHO products support IPSec tunnels: • WatchGuard SOHO with VPN option enabled • WatchGuard SOHO|tc Why create a virtual private networ[...]

  • Page 98

    What you will need 98 What you will need • One WatchGuard SOHO with VPN and an IPSec-compliant device. NOTE While you can create a SOHO to SOHO VPN, you can also create a VPN with a WatchGuard Firebox or other IPSec-compliant devices. • The following information from your Internet service provider for both devices: - Static IP [...]

  • Page 99

    User Guide 5.0 99 What you will need IP Address Table (example): Item Description Assigned By External IP Address The IP address that identifies the SOHO to the Internet. ISP Site A: 207.168.55.2 Site B: 68.130.44.15 External Subnet Mask The overlay of bits that determines which part of the IP address identifies your network. For exa[...]

  • Page 100

    Step-by-step instructions for configuring a SOHO VPN tunnel 100 Obtaining the VPN upgrade If you purchased a WatchGuard SOHO and would like to purchase the VPN upgrade from a reseller or e-tailer, open your Web browser to: http://www.watchguard.com/sales/buyonline.asp Enabling the VPN upgrade Whether you purchased a VPN upgrade separatel[...]

  • Page 101

    User Guide 5.0 101 Frequently asked questions device. To set up multiple VPN tunnels, you will need to have at least one WatchGuard Firebox configured with the WatchGuard VPN Manager. • Each device must be able to send messages to the other. If either device has a dynamically assigned Internet (IP) address (see “Network addressing” o[...]

  • Page 102

    Frequently asked questions 102 How do I connect three or four offices together? To connect more than two offices together, WatchGuard recommends designating one office the center of a “star” network configuration and upgrading it to a WatchGuard Firebox. You can then manage multiple tunnels to SOHOs or other IPSec compliant devices from [...]

  • Page 103

    User Guide 5.0 103 MUVPN Clients How do I enable a VPN Tunnel? Full instructions for enabling a VPN tunnel can be found online at: http://www.watchguard.com/AdvancedFaqs/sointerop_main.asp MUVPN Clients The SOHO can be upgraded to use the MUVPN clients option. This feature allows single remote users to securely connect to the SOHO throu[...]

  • Page 104

    View the VPN Statistics 104[...]

  • Page 105

    User Guide 5.0 105 CHAPTER 9 Resources Troubleshooting The following information is offered to help overcome any minor difficulties that might occur when installing and setting up your SOHO. General How do I reboot my SOHO? 1 With your Web browser, go to the SOHO System Status page using the Trusted IP address of the SOHO. For example, if[...]

  • Page 106

    Troubleshooting 106 NOTE You can also reboot by removing the power source for ten seconds, and then restoring power. What do the ON and MODE lights signify on the SOHO? When the ON light is illuminated, the SOHO has power. When the MODE light is illuminated, the SOHO is operational. If the ON light is blinking it is indicative of a c[...]

  • Page 107

    User Guide 5.0 107 Troubleshooting available. The first year of service is free with purchase of the SOHO. To register your SOHO: 1 With your Web browser, go to the SOHO System Status page using the Trusted IP address of the SOHO. For example, if using the default IP address, go to: http://192.168.111.1 2 Click on LiveSecurity in t[...]

  • Page 108

    Troubleshooting 108 DSL router, the NAT feature of the DSL router should be set for bridge-only mode. How do I install a SOHO using a Macintosh? The process is essentially identical to installing on any other platform. Use the Installation chapter within this Guide. The one unique element for Macintosh users, determining your TCP/IP settin[...]

  • Page 109

    User Guide 5.0 109 Troubleshooting How can I see the MAC address of my SOHO? A MAC (Medium Access Control) address is a unique number used to identify the actual physical hardware of an Ethernet device. 1 With your Web browser, go to the SOHO Configuration Settings page using the Trusted IP address of the SOHO. For example, if using the[...]

  • Page 110

    Troubleshooting 110 How do I change to a static trusted IP address? Before you can use a static IP address, you must have a base Trusted IP address and subnet mask. The following IP address ranges and subnet masks are set aside for private networks in compliance with RFC 1918. Replace the Xs in the network IP address with a number between 1[...]

  • Page 111

    User Guide 5.0 111 Troubleshooting 3 Enable the checkbox labeled Enable WebBlocker. Enter a Full Access password, and an Inactivity Timeout (in minutes). To disable Web blocking, disable the checkbox labeled Enable WebBlocker. How do I allow incoming services such as POP3, Telnet, and Web (HTTP)? 1 With your Web browser, go to the SOHO [...]

  • Page 112

    Troubleshooting 112 3 Beneath the Protocol Settings fields, select either TCP Port, UDP Port or Protocol from the drop list. The Custom Service page refreshes. 4 Define a name for the service in the appropriate field. 5 Enter the protocol number to allow in the Protocol field. 6 Click the Submit button. 7 From the navigation bar on t[...]

  • Page 113

    User Guide 5.0 113 Troubleshooting • The same authentication method for each end (MD-5 or SHA-1). How do I set up my SOHO for VPN Manager Access? This requires the add-on product, WatchGuard VPN Manager software, which is purchased separately. To purchase VPN Manager, use your Web browser to go to: https://www.watchguard.com/products/vpnman[...]

  • Page 114

    Contacting Technical support 114 Contacting Technical support Online Documenting and In-Depth FAQs WatchGuard maintains an extensive knowledge base consisting of product documentation in the form of printer friendly .pdf files, tutorials, In-Depth FAQs, and more. This information is available at: https://support.watchguard.com/faqs/ Spe[...]

  • Page 115

    User Guide 5.0 115 B blocked sites in WebBlocker 96 Browser Netscape 4.0 disabling HTTP proxy 31 Browsers, supported 28 C Cables, required 27 Cabling, new SOHO 32 Categories, WebBlocker 93 certification, FCC 4 Checklist, pre-installation 27 Configure PPPoE client 43 Copyright Information 12 Custom incoming services, creating 65 Cybe[...]

  • Page 116

    116 H HTTP proxy disabling 30 I ICQ, enable with SOCKS 71 ICQ, IRC, AOL Messenger 72 Incoming service creating custom 65 Information copyright 12 patent 12 Installation cabling the SOHO 32 manual 28 pre-installation checklist 27 Introduction 3 information & Internet 63 IP address 20 port number 20 protocol 20 services 21 IP address[...]

  • Page 117

    User Guide 5.0 117 M Macintosh, setting TCP/IP 29 Manual installation 28 Masquerading 21 N Network private network default factory settings 22 Network Address Translation 21 P Part number, SOHO 12 Password saving 18 Patent Information 12 Ping 102 Port number, introduction 20 PPPoE, configuring client 43 Pre-configure[...]

  • Page 118

    118 adding pre-configured 64 creating custom incoming 65 Services, introduction 21 SOCKS 71 and ICQ 72 and IRC 72 SOCKS and AOL Messenger 72 Static IP address 98, 99 Static IP address, reason for 101 T TCP/IP releasing IP configuration 46 setting in Macintosh 29 setting in Unix, Linux, etc. 29 setting in Windows ’95, ’98 29 Troubl[...]