Watchguard SOHO manual



Table of contents for the manual

  • Page 1

    WatchGuard SOHO and SOHO|tc WatchGuard ® SOHO User Guide SOHO and SOHO|tc version 5.0[...]

  • Page 2

    2[...]

  • Page 3

    User Guide 5.0 3 Using this guide This guide assumes that you are familiar with your computer’s operating system. If you have questions about navigating in your computer’s environment, please refer to your system user manual. The following conventions are used throughout this guide. Convention Indication Bold type Denotes menu c[...]

  • Page 4

    4 Certifications and Notices FCC Certification This device has been tested and found to comply with limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. Operation is subject to the following two conditions: • This device may not cause harmful interference. • This device must accept any interference received, [...]

  • Page 5

    User Guide 5.0 5 Taiwanese Notice VCCI Notice Class A ITE[...]

  • Page 6

    6 Declaration of Conformity[...]

  • Page 7

    User Guide 5.0 7 WatchGuard ® End-User License Agreement IMPORTANT - READ CAREFULLY BEFORE ACCESSING WATCHGUARD SOFTWARE This WatchGuard End-User License Agreement (“EULA”) is a legal agreement between you (either an individual or a single entity) and WatchGuard Technologies, Inc. (“WATCHGUARD”) for the WATCHGUA[...]

  • Page 8

    8 4. LIMITED WARRANTY. WATCHGUARD makes the following limited warranties for a period of ninety (90) days from the date you obtained the SOFTWARE PRODUCT from WATCHGUARD or an authorized dealer; (A) Media. The disks and documentation will be free from defects in materials and workmanship under normal use. If the disks or docum[...]

  • Page 9

    User Guide 5.0 9 SUCH DAMAGES. THIS SHALL BE TRUE EVEN IN THE EVENT OF THE FAILURE OF AN AGREED REMEDY. 5. UNITED STATES GOVERNMENT RESTRICTED RIGHTS. The enclosed SOFTWARE PRODUCT and documentation are provided with Restricted Rights. Use, duplication or disclosure by the U.S Government or any agency or instrumentali[...]

  • Page 10

    10 WatchGuard ® Limited Hardware Warranty This WatchGuard Limited Hardware Warranty (the "Warranty") applies to the enclosed WatchGuard hardware product (the "Hardware Product"). By using the HARDWARE Product, you agree to the terms hereof. If you do not agree to these terms, please return this package, along [...]

  • Page 11

    User Guide 5.0 11 OR IMPLIED, ARISING BY LAW OR OTHERWISE, WITH RESPECT TO ANY NONCONFORMANCE OR DEFECT IN THE HARDWARE PRODUCT (INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ANY IMPLIED WARRANTY ARISING FROM COURSE OF PERFORMANCE, COURSE OF DEALING, OR USAGE OF T [...]

  • Page 12

    12 Copyright and Patent Information Copyright © 1999-2001 WatchGuard Technologies, Inc. All rights reserved. WatchGuard and LiveSecurity are either registered trademarks or trademarks of WatchGuard Technologies, Inc. in the United States and other countries. Firebox is a trademark of WatchGuard Technologies, Inc. CyberPatrol is [...]

  • Page 13

    User Guide 2.4 13 Table of Contents CHAPTER 1 Introduction .... 17 Registration and Identification Information .... 18 How does a firewall work? .... 18 How does information travel on the internet? .... 20 How does the SOHO process this infor[...]

  • Page 14

    14 Configuring Your Trusted Network .... 47 Configuring Static Routes .... 49 View the Network Statistics .... 50 CHAPTER 4 Your Administrative Options .... 53 The System Security Page .... 53[...]

  • Page 15

    User Guide 5.0 15 Configuring the SOHO WebBlocker .... 88 WebBlocker categories .... 93 Searching for blocked sites .... 96 CHAPTER 8 Configuring Virtual Private Networking .... 97 What you will need ....[...]

  • Page 16

    16[...]

  • Page 17

    User Guide 5.0 17 CHAPTER 1 Introduction Welcome Congratulations on purchasing the ideal solution for providing secure access to the Internet – the WatchGuard SOHO or WatchGuard SOHO|tc. Your new security device will give you peace of mind when connecting to the Internet using a high-speed cable or DSL modem, a leased line, or ISDN. This U[...]

  • Page 18

    Registration and Identification Information 18 Registration and Identification Information Once you have installed and configured your SOHO following the instructions you will find in the upcoming chapters, you will need to register the unit at our Web site. When the registration is complete you can take advantage of our LiveSecu[...]

  • Page 19

    User Guide 5.0 19 How does a firewall work? these dangers. As is illustrated in the image below, the SOHO physically separates your trusted network from the Internet. Using rules we will discuss in Chapter 3: “Configuring Incoming and Outgoing Services” on page 63, the WatchGuard SOHO evaluates all traffic between the external[...]

  • Page 20

    How does information travel on the internet? 20 How does information travel on the internet? Each packet of information transported over the Internet must be packaged in a special way to ensure that it is able to travel from one computer to the next. A system called Internet Protocol (IP) takes chunks of information and wraps them up w[...]

  • Page 21

    User Guide 5.0 21 How does the SOHO process this information? How does the SOHO process this information? Services A service is the combination of protocol(s) and port numbers associated with a specific application or communication type. To facilitate configuration of your SOHO, WatchGuard lets you select pre-configured versio[...]

  • Page 22

    The SOHO Home Page—System Status 22 The SOHO Home Page—System Status The System Status page is effectively the home page of the SOHO. A variety of information is revealed in an effort to provide you with a comprehensive display of the SOHO configuration. • The firmware version • A few of the SOHO features and their status: - WSEP L[...]

  • Page 23

    User Guide 5.0 23 The Default Factory Settings Firewall Settings All incoming services are blocked. An outgoing service allowing all outbound traffic. None of the Firewall Options are enabled. The DMZ pass-through is disabled. System Security System Security is disabled and no System Administrator name or passphrase is set–the onbo[...]

  • Page 24

    Rebooting a WatchGuard SOHO 24 The Base Model SOHO The base model SOHO comes with a ten seat license, that is ten computers have access to the Internet through the SOHO. Remember, while only four devices connect directly to the four (numbered 1-4) Ethernet ports, one or more of these devices can be a hub or router. Please see, “Cabling [...]

  • Page 25

    User Guide 5.0 25 Rebooting a WatchGuard SOHO • Send an FTP command to the remote SOHO device. Use an FTP application to connect to the SOHO device, then enter the command: quote rebt[...]

  • Page 26

    Rebooting a WatchGuard SOHO 26[...]

  • Page 27

    User Guide 5.0 27 CHAPTER 2 Getting Started Before you begin Pre-installation checklist Before installing your new WatchGuard SOHO please ensure that you have: • A 10BaseT Ethernet I/O network card installed in your computer. • A cable or DSL modem with a 10BaseT port. • Two Ethernet network cables with RJ45 connectors. These m[...]

  • Page 28

    The Installation Process 28 • An operational Internet connection. Setup of your SOHO requires access to the Internet. If your connection does not work, please contact your Internet service provider (ISP). When your connection has been established, you may proceed with installation and setup. • If you have either a cable or DSL modem,[...]

  • Page 29

    User Guide 5.0 29 The Installation Process Determine your current TCP/IP settings For your reference, record the computer’s current TCP/IP settings in the chart provided at the end of this section. Different operating systems will supply different information. To locate your settings: Microsoft Windows NT or 2000 1 Click Start =[...]

  • Page 30

    The Installation Process 30 3 Exit the TCP/IP configuration screen. NOTE If you are connecting more than one computer to the trusted network behind the SOHO, obtain the configuration TCP/IP information for each computer. Disable your browser’s HTTP proxy To configure a WatchGuard SOHO after it is installed, you must be able t[...]

  • Page 31

    User Guide 5.0 31 The Installation Process With the HTTP proxy enabled, the browser automatically points itself to Web pages located on the Internet, and you cannot direct the browser to Web pages located in other places. Disabling the HTTP will not prevent you from accessing your favorite Web sites, but it will allow you to access t[...]

  • Page 32

    The Installation Process 32 5 Verify that the Direct Connection to the Internet option is enabled. 6 Click OK to save the settings. Internet Explorer 5.0/5.5 and 6.0 1 Open Internet Explorer. 2 Click Tools => Internet Options. The Internet Options screen displays. 3 Click the Advanced tab. 4 Scroll down the page to HTTP [...]

  • Page 33

    User Guide 5.0 33 The Installation Process 1 Complete the “Pre-installation checklist” on page 27. 2 Shut down your computer and unplug the power from your DSL or cable modem. 3 Unplug the Ethernet cable that is connected from your DSL or cable modem to your computer and plug it into the WAN port on the SOHO unit. The SOHO unit is now[...]

  • Page 34

    The Installation Process 34 6 Attach the power cord to the SOHO and plug it into an outlet. 7 Restart your computer. 8 For information on the factory default configuration options, see “The Default Factory Settings” on page 22. For specialized configurations, see “Configuring Your External Network” on page 37, as well as, “Con[...]

  • Page 35

    User Guide 5.0 35 The Installation Process exist on the network and communicate with each other, but only the first ten which attempt to access the Internet will be allowed through the SOHO. If you would like to upgrade your SOHO to a twenty-five or fifty-seat user license, please visit: http://www.watchguard.com/sales/buyonline.asp [...]

  • Page 36

    The Installation Process 36[...]

  • Page 37

    User Guide 5.0 37 CHAPTER 3 Setting Up Your SOHO Network The configuration instructions in this chapter assume that you are using Windows 98/ME. If this is not the case, see your operating system user guide or help resources to locate the equivalent options and commands. Configuring Your External Network When you configure the external net[...]

  • Page 38

    Configuring Your External Network 38 method to distribute IP addresses is to use Dynamic Host Configuration Protocol (DHCP). When you connect your computer to the network, a DHCP server at your ISP automatically assigns it a network IP address. This eliminates the ISP from having to manually assign and manage IP addresses. IP address a[...]

  • Page 39

    User Guide 5.0 39 Configuring Your External Network 3 Scroll through the list of installed network components. Double-click the TCP/IP network component which is bound to your Ethernet card. Look for (Ethernet) in parentheses. The TCP/IP Properties dialog box appears.[...]

  • Page 40

    Configuring Your External Network 40 4 If “Obtain an IP Address Automatically” is selected, your computer is configured for dynamic DHCP. If “Obtain an IP Address Automatically” is not checked, your computer is configured for static addressing. Configuring the SOHO External network for dynamic addressing Out of the box, the [...]

  • Page 41

    User Guide 5.0 41 Configuring Your External Network Configuring the SOHO External network for static addressing If you are assigned a static address, then you must transfer the permanent address assignment from your computer to the SOHO. Instead of communicating directly to your computer, the ISP will now communicate first through t[...]

  • Page 42

    Configuring Your External Network 42 6 Save the changes. 7 On most platforms, click OK until the Control Panel window closes. 8 Shut down and reboot the computer. On the SOHO: 1 Open your Web browser. Click Stop. At this point, the Internet connection is not fully configured, and the computer cannot load your home page from the Inter[...]

  • Page 43

    User Guide 5.0 43 Configuring Your External Network 4 From the Configuration Mode drop list, select Manual Configuration. 5 Enter the TCP/IP settings you copied from the computer when you started the install process. 6 Click the Submit button. To complete the SOHO External Network configuration, see “Release and renew the IP conf[...]

  • Page 44

    Configuring Your External Network 44 ISP to see if they use PPPoE. If you cannot find this information, contact your ISP and ask. You will need your PPPoE login name and password. To configure the SOHO for PPPoE: 1 Open your Web browser and click Stop. At this point, the Internet connection is not fully configured, and the computer canno[...]

  • Page 45

    User Guide 5.0 45 Configuring Your External Network 5 Enter the PPPoE login name supplied by your ISP. 6 Enter the PPPoE password supplied by your ISP 7 Click Automatically restore lost connections. This enables a constant flow of “heartbeat” traffic between the SOHO and the PPPoE server. In the event of routine packet loss, [...]

  • Page 46

    Configuring Your External Network 46 Release and renew the IP configuration Regardless of what type of addressing your computer used originally, it will now obtain this information from the SOHO using DHCP. To enable your computer to receive this information from the SOHO, you must force it to release and renew its IP configuration in[...]

  • Page 47

    User Guide 5.0 47 Configuring Your Trusted Network Configuring Your Trusted Network Out of the box, the SOHO automatically uses DHCP to assign addresses to computers on your trusted network. In other words, every time you connect a computer to the SOHO, either directly or through a hub, it automatically attempts to obtain its addresse[...]

  • Page 48

    Configuring Your Trusted Network 48 3 Enter the IP address and the Subnet Mask in the appropriate fields. 4 Disable the checkbox labeled Enable DHCP Server on the Trusted Network. 5 Click the Submit button. Configure additional computers to the trusted network Up to four computers can be plugged directly into the four (numbere[...]

  • Page 49

    User Guide 5.0 49 Configuring Static Routes (LAN). You can also mix computers with different operating systems on your network and they will pass traffic through the SOHO to access the Internet. Follow these steps to add one or more computers to your Trusted network: 1 Ensure that any additional computer has an Ethernet card installed. Sh[...]

  • Page 50

    View the Network Statistics 50 3 Click the Add button. 4 From the Type drop list, select either a Host or Network. 5 Enter the IP address and the Gateway of the route in the appropriate field. 6 Click the Submit button. View the Network Statistics The SOHO has a configuration page which displays a variety of network statistics t[...]

  • Page 51

    User Guide 5.0 51 View the Network Statistics Follow these instructions to view this page: 1 With your Web browser, go to the SOHO System Status page using the Trusted IP address of the SOHO. For example, if using the default IP address, go to: http://192.168.111.1 2 From the navigation bar on the left side, select Network => Net[...]

  • Page 52

    View the Network Statistics 52[...]

  • Page 53

    User Guide 5.0 53 CHAPTER 4 Your Administrative Options The SOHO Administration page allows you to configure access to the unit, update the firmware from a non-Windows operating system, redeem any upgrade options you may have purchased, and see the SOHO configuration file in a text format. The System Security Page The System Security c[...]

  • Page 54

    The System Security Page 54 depth in the SOHO Remote Monument Guide located on our Web site: http://help.watchguard.com/documentation/default.asp Setting a System Administrator Name and System Passphrase Passphrases are a barrier between your computer and anyone trying to break in. They are the first line of defense in computer security. [...]

  • Page 55

    User Guide 5.0 55 The System Security Page Follow these steps to setup the SOHO System Passphrase: 1 With your Web browser, go to the SOHO System Status page using the Trusted IP address of the SOHO. For example, if using the default IP address, go to: http://192.168.111.1. 2 From the navigation bar on the left side, select Adminis[...]

  • Page 56

    Setting up VPN Manager Access 56 7 Enter the System Passphrase again to confirm it in the appropriate field. 8 Click the Submit button. Setting up VPN Manager Access The SOHO can be configured to allow the WatchGuard VPN Manager software access in order to configure and manage Branch Office VPN tunnels from a remote location. The VP[...]

  • Page 57

    User Guide 5.0 57 Setting up VPN Manager Access 3 Enable the checkbox labeled Enable VPN Manager Access. 4 Enter the Status Passphrase in the appropriate field. 5 Enter the Status Passphrase in the appropriate field again to confirm it. 6 Enter the Configuration Passphrase in the appropriate field. 7 Enter the Configuration Passphrase in [...]

  • Page 58

    Update Your Configuration from a Non-Windows Platform 58 Update Your Configuration from a Non-Windows Platform If you are managing your SOHO from a computer running an operating system platform other than Windows (such as a Macintosh or Linux OS), you must update your firmware from this configuration page as firmware versions are releas[...]

  • Page 59

    User Guide 5.0 59 Redeeming your SOHO upgrade certificates these software options is stored within the SOHO. Once you have purchased an upgrade option and redeemed it, the Feature key stored on your unit is modified to enable the software upgrade. Follow these steps to redeem your upgrade certificate: 1 With your Web browser, go to the[...]

  • Page 60

    Redeeming your SOHO upgrade certificates 60 Upgrade certificates Seat Licenses The SOHO can be upgraded to provide for more seats than are available with the base model (for example, the 25 seat license certificate). These certificates must be purchased separately. IPSec Virtual Private Networking (VPN) The SOHO|tc comes with a[...]

  • Page 61

    User Guide 5.0 61 View the Configuration File View the Configuration File From this configuration page, you can view your SOHO configuration file as it appears in text form. Follow these steps to view the file: 1 With your Web browser, go to the SOHO System Status page using the Trusted IP address of the SOHO. For example, if using [...]

  • Page 62

    View the Configuration File 62[...]

  • Page 63

    User Guide 5.0 63 CHAPTER 5 Configuring Your Firewall Settings Firewall settings The WatchGuard SOHO enables you to customize what is allowed both incoming and outgoing through your firewall. With this feature, you can narrowly define what kind of communication is permitted between computers on the Internet and computers on your trusted net[...]

  • Page 64

    Configuring Incoming and Outgoing Services 64 by the SOHO firewall. You can, however, selectively open your network to certain types of Internet connectivity. For example, if you would like to set up a Web server behind the SOHO, you can add an incoming Web service. It is important to remember that each service you add opens a small wind[...]

  • Page 65

    User Guide 5.0 65 Configuring Incoming and Outgoing Services 2 Locate the pre-configured service you wish to define, such as FTP, Web, or Telnet, then select either Allow or Deny from the drop list. In our example, the HTTP service is set to Allow enabling Web traffic incoming. 3 Enter the trusted network IP address of the computer to [...]

  • Page 66

    Configuring Incoming and Outgoing Services 66 custom service using either a TCP port, UDP port or specifying an IP protocol. You can also create a custom service allowing any form of protocol over any port incoming from an external address to a trusted host or outgoing from a trusted host to an external address. TCP and UDP Ports Follow t[...]

  • Page 67

    User Guide 5.0 67 Blocking External Sites 3 Beneath the Protocol Settings fields, select either TCP Port, UDP Port or Protocol from the drop list. The Custom Service page refreshes. 4 Define a name for the service in the appropriate field. 5 Enter the protocol number to allow in the Protocol field. Now that you have created a custo[...]

  • Page 68

    Blocking External Sites 68 Follow these steps to configure blocked sites: 1 From the navigation bar on the left side, select Firewall => Blocked Sites. The Blocked Sites page appears. 2 Select either Host IP Address, Network IP Address, or Host Range from the drop list. The configuration page refreshes. 3 Enter either a single hos[...]

  • Page 69

    User Guide 5.0 69 Firewall Options 5 Click the Submit button. Firewall Options The SOHO firewall feature includes a few rule settings which are less specific than the service settings discussed previously and can be used to provide further security for your private network. These options are found on the Firewall Options page. 1 With[...]

  • Page 70

    Firewall Options 70 Ping requests received on the External Network You can configure the SOHO to deny all ping packets which it may receive on the external interface. 1 Enable the checkbox labeled Do not respond to PING requests received on External Network. 2 Click the Submit button.[...]

  • Page 71

    User Guide 5.0 71 Firewall Options Denying FTP access to the Trusted Network interface You can configure the SOHO to deny FTP access to Trusted interface. 1 Enable the checkbox labeled Do not allow FTP access to Trusted Network. 2 Click the Submit button. CAUTION When performing an update of the system firmware, this optio[...]

  • Page 72

    Firewall Options 72 • SOHO supports SOCKS version 5 only. • It is a limited version of SOCKS and does not support authentication, nor does it support Domain Name System (DNS) resolution. CAUTION Configure the particular application so that it will not attempt to make DNS look-ups with SOCKS. However, some applications use only DN[...]

  • Page 73

    User Guide 5.0 73 Firewall Options • For the SOCKS proxy, enter the URL or IP address of the SOHO trusted network. The default IP address is 192.168.111.0. Disabling SOCKS on the SOHO Once you have used a SOCKS-compliant application through the SOHO, the primary SOCKS port is available to anyone on your trusted network. You can, however, c[...]

  • Page 74

    Creating a virtual DMZ 74 Follow these steps: 1 Enable the checkbox labeled Log All Allowed Outbound Access. 2 Click the Submit button. Creating a virtual DMZ The SOHO can be configured to allow traffic to be passed through to a dedicated machine that has been separated from the rest of the Trusted Network. Follow these steps to[...]

  • Page 75

    User Guide 5.0 75 Creating a virtual DMZ 3 Enable the checkbox labeled Enable pass through address. 4 Enter the IP address to the pass through machine in the appropriate field. 5 Click the Submit button.[...]

  • Page 76

    Creating a virtual DMZ 76[...]

  • Page 77

    User Guide 5.0 77 CHAPTER 6 What is Logging? Logging is the act of recording “events” that occur at the SOHO interfaces. An event is any single activity, such as communication with the WatchGuard Feature Key Server or the WatchGuard WebBlocker database and incoming traffic passing through the SOHO. Logging is intended to record the [...]

  • Page 78

    Setting a WatchGuard Security Event Processor log host 78 The log messages may include time synchronizations between the SOHO and the WatchGuard Key Server, discarded packets for a packet handling violation, duplicate messages, time-outs for attempting to open the WatchGuard Feature Key Server, or return error messages. Follow these s[...]

  • Page 79

    User Guide 5.0 79 Setting a WatchGuard Security Event Processor log host 3 Enable the checkbox labeled Enable WatchGuard Security Event Processor Logging. 4 Enter the IP address of the WSEP server that will be your Log Host in the appropriate field. In our example, 206.253.208.100. 5 In the Log Encryption Key field, enter a pas[...]

  • Page 80

    Setting a Syslog Host 80 Setting a Syslog Host The SOHO can also be configured to transmit log entries to a Syslog host. Follow these steps to setup a Syslog Host: 1 With your Web browser, go to the SOHO System Status page using the Trusted IP address of the SOHO. For example, if using the default IP address, go to: http://192.168.[...]

  • Page 81

    User Guide 5.0 81 Setting the System Time 4 Enter the IP address of the Syslog server in the appropriate field. In our example, 206.253.208.100. 5 Click the Submit button. Setting the System Time The SOHO stamps each log entry with the time that the event occurred. By default, the SOHO is set to record event times in seconds beginning fro[...]

  • Page 82

    Setting the System Time 82 If you have decided to use the WatchGuard Time Server: 3 Enable the option labeled Get Time From WatchGuard Time Server. Or, if you have decided to use a TCP Port 37 Time Server: 4 Enable the option labeled Get Time From TCP Port 37 Time Server at. 5 Enter the IP address of the time server in the appropriate fiel[...]

  • Page 83

    User Guide 5.0 83 Setting the System Time • Enable the checkbox labeled Set to GMT. If you want to have your log messages sync with your computer: • Click the Sync Time Now button.[...]

  • Page 84

    Setting the System Time 84[...]

  • Page 85

    User Guide 5.0 85 CHAPTER 7 WatchGuard SOHO WebBlocker WatchGuard SOHO WebBlocker is an optional feature of the WatchGuard SOHO and SOHO|tc that provides Web site filtering capabilities. It gives you precise control over the types of Web sites users on your trusted network are allowed to view. How WebBlocker works WebBlocker relies on a[...]

  • Page 86

    How WebBlocker works 86 site, the SOHO queries the WatchGuard database and determines whether or not to block the site. The SOHO considers the following conditions in determining whether or not to block the site: Web site not in WebBlocker database If the site is not in the WatchGuard WebBlocker database, the Web browser opens the page fo[...]

  • Page 87

    User Guide 5.0 87 Purchasing and enabling SOHO WebBlocker Users This feature allows you to create an individual user account, with a unique username and password, and restrict their web browsing by assigning them to a given Group. Bypassing the SOHO WebBlocker Occasionally, you may want to allow select individuals to bypass the f[...]

  • Page 88

    Configuring the SOHO WebBlocker 88 Configuring the SOHO WebBlocker Use the WatchGuard SOHO Configuration pages to enable WebBlocker, create a full access password for bypassing WebBlocker, define an Inactivity Timeout which sets the duration that the full access password is valid, define the categories you want to block[...]

  • Page 89

    User Guide 5.0 89 Configuring the SOHO WebBlocker 3 Enable the checkbox labeled Enable WebBlocking. 4 Enter the full access password. The full access password allows a user to bypass otherwise blocked sites. 5 Enter the Inactivity Timeout in minutes. Setting the inactivity timeout at, for example, 15 minutes, ensures that unattende[...]

  • Page 90

    Configuring the SOHO WebBlocker 90 Create WebBlocker Groups and Users Follow the instructions below to create WebBlocker Groups. If you wish to use a global policy for all users, instead of creating separate group policies, ignore this section and follow the instructions to enable WebBlocke[...]

  • Page 91

    User Guide 5.0 91 Configuring the SOHO WebBlocker 4 Click the Submit button. A new Groups page appears indicating the configuration changes have been accepted and providing access to creating users. 5 To the right of the “Users” field, click the New button. The New User page appears.[...]

  • Page 92

    Configuring the SOHO WebBlocker 92 6 Enter a unique User name and Passphrase (remember to confirm the Passphrase). Use the Group drop down list to assign the new user to a given group. In our example, we have assigned the User “rodolfo” to the Group “chicosmalos” created previously. 7 Click the Submit button. NOTE You can de[...]

  • Page 93

    User Guide 5.0 93 WebBlocker categories WebBlocker categories WebBlocker relies on a URL database, the CyberNOT list, a service of CyberPatrol. The WebBlocker database contains many thousands of IP addresses and directories. These addresses are divided into categories based on content such as Drug Culture, Intolerance, or Sexual Acts. [...]

  • Page 94

    WebBlocker categories 94 measures. Topic includes groups that advocate violence as a means to achieve their goals. It also includes pages devoted to “how to” information on the making of weapons (for both lawful and unlawful reasons), ammunition, and pyrotechnics. Drug Culture Pictures or text advocating the illegal use of drugs for[...]

  • Page 95

    User Guide 5.0 95 WebBlocker categories of maiming, bloody figures, and indecent depiction of bodily functions. Violence/Profanity Pictures or text exposing extreme cruelty or profanity. Cruelty is defined as: Physical or emotional acts against any animal or person that are primarily intended to hurt or inflict pain. Topic includes [...]

  • Page 96

    Searching for blocked sites 96 adult personals, and sites devoted to selling pornographic CD-ROMs and videos. Full Nudity Pictures exposing any or all portions of human genitalia. Topic does not include sites categorized as Partial/Artistic Nudity containing partial nudity of a wholesome nature. For example, it does not include Web site[...]

  • Page 97

    User Guide 5.0 97 CHAPTER 8 Configuring Virtual Private Networking This chapter describes an optional feature of the WatchGuard SOHO: Virtual Private Networking (VPN) with IPSec. The following WatchGuard SOHO products support IPSec tunnels: • WatchGuard SOHO with VPN option enabled • WatchGuard SOHO|tc Why create a virtual private netwo[...]

  • Page 98

    What you will need 98 What you will need • One WatchGuard SOHO with VPN and an IPSec-compliant device. NOTE While you can create a SOHO to SOHO VPN, you can also create a VPN with a WatchGuard Firebox or other IPSec-compliant devices. • The following information from your Internet service provider for both devices: - Static I[...]

  • Page 99

    User Guide 5.0 99 What you will need IP Address Table (example): Item Description Assigned By External IP Address The IP address that identifies the SOHO to the Internet. ISP Site A: 207.168.55.2 Site B: 68.130.44.15 External Subnet Mask The overlay of bits that determines which part of the IP address identifies your network.[...]

  • Page 100

    Step-by-step instructions for configuring a SOHO VPN tunnel 100 Obtaining the VPN upgrade If you purchased a WatchGuard SOHO and would like to purchase the VPN upgrade from a reseller or e-tailer, open your Web browser to: http://www.watchguard.com/sales/buyonline.asp Enabling the VPN upgrade Whether you purchased a VPN upgrade separ[...]

  • Page 101

    User Guide 5.0 101 Frequently asked questions device. To set up multiple VPN tunnels, you will need to have at least one WatchGuard Firebox configured with the WatchGuard VPN Manager. • Each device must be able to send messages to the other. If either device has a dynamically assigned Internet (IP) address (see “Network addres[...]

  • Page 102

    Frequently asked questions 102 How do I connect three or four offices together? To connect more than two offices together, WatchGuard recommends designating one office the center of a “star” network configuration and upgrading it to a WatchGuard Firebox. You can then manage multiple tunnels to SOHOs or other IPSec compliant devices [...]

  • Page 103

    User Guide 5.0 103 MUVPN Clients How do I enable a VPN Tunnel? Full instructions for enabling a VPN tunnel can be found online at: http://www.watchguard.com/AdvancedFaqs/sointerop_main.asp MUVPN Clients The SOHO can be upgraded to use the MUVPN clients option. This feature allows single remote users to securely connect to the SOHO throu[...]

  • Page 104

    View the VPN Statistics 104[...]

  • Page 105

    User Guide 5.0 105 CHAPTER 9 Resources Troubleshooting The following information is offered to help overcome any minor difficulties that might occur when installing and setting up your SOHO. General How do I reboot my SOHO? 1 With your Web browser, go to the SOHO System Status page using the Trusted IP address of the SOHO. For example,[...]

  • Page 106

    Troubleshooting 106 NOTE You can also reboot by removing the power source for ten seconds, and then restoring power. What do the ON and MODE lights signify on the SOHO? When the ON light is illuminated, the SOHO has power. When the MODE light is illuminated, the SOHO is operational. If the ON light is blinking it is indicative o[...]

  • Page 107

    User Guide 5.0 107 Troubleshooting available. The first year of service is free with purchase of the SOHO. To register your SOHO: 1 With your Web browser, go to the SOHO System Status page using the Trusted IP address of the SOHO. For example, if using the default IP address, go to: http://192.168.111.1 2 Click on LiveSecurity i[...]

  • Page 108

    Troubleshooting 108 DSL router, the NAT feature of the DSL router should be set for bridge-only mode. How do I install a SOHO using a Macintosh? The process is essentially identical to installing on any other platform. Use the Installation chapter within this Guide. The one unique element for Macintosh users, determining your TCP/IP set[...]

  • Page 109

    User Guide 5.0 109 Troubleshooting How can I see the MAC address of my SOHO? A MAC (Medium Access Control) address is a unique number used to identify the actual physical hardware of an Ethernet device. 1 With your Web browser, go to the SOHO Configuration Settings page using the Trusted IP address of the SOHO. For example, if using t[...]

  • Page 110

    Troubleshooting 110 How do I change to a static trusted IP address? Before you can use a static IP address, you must have a base Trusted IP address and subnet mask. The following IP address ranges and subnet masks are set aside for private networks in compliance with RFC 1918. Replace the Xs in the network IP address with a number betwe[...]

  • Page 111

    User Guide 5.0 111 Troubleshooting 3 Enable the checkbox labeled Enable WebBlocker. Enter a Full Access password, and an Inactivity Timeout (in minutes). To disable Web blocking, disable the checkbox labeled Enable WebBlocker. How do I allow incoming services such as POP3, Telnet, and Web (HTTP)? 1 With your Web browser, go to t[...]

  • Page 112

    Troubleshooting 112 3 Beneath the Protocol Settings fields, select either TCP Port, UDP Port or Protocol from the drop list. The Custom Service page refreshes. 4 Define a name for the service in the appropriate field. 5 Enter the protocol number to allow in the Protocol field. 6 Click the Submit button. 7 From the navigation b[...]

  • Page 113

    User Guide 5.0 113 Troubleshooting • The same authentication method for each end (MD-5 or SHA-1). How do I set up my SOHO for VPN Manager Access? This requires the add-on product, WatchGuard VPN Manager software, which is purchased separately. To purchase VPN Manager, use your Web browser to go to: https://www.watchguard.com/products/vpnm[...]

  • Page 114

    Contacting Technical support 114 Contacting Technical support Online Documenting and In-Depth FAQs WatchGuard maintains an extensive knowledge base consisting of product documentation in the form of printer friendly .pdf files, tutorials, In-Depth FAQs, and more. This information is available at: https://support.watchguard.com[...]

  • Page 115

    User Guide 5.0 115 B blocked sites in WebBlocker 96 Browser Netscape 4.0 disabling HTTP proxy 31 Browsers, supported 28 C Cables, required 27 Cabling, new SOHO 32 Categories, WebBlocker 93 certification, FCC 4 Checklist, pre-installation 27 Configure PPPoE client 43 Copyright Information 12 Custom incoming services, creati[...]

  • Page 116

    116 H HTTP proxy disabling 30 I ICQ, enable with SOCKS 71 ICQ, IRC, AOL Messenger 72 Incoming service creating custom 65 Information copyright 12 patent 12 Installation cabling the SOHO 32 manual 28 pre-installation checklist 27 Introduction 3 information & Internet 63 IP address 20 port number 20 protocol 20 services 21 IP[...]

  • Page 117

    User Guide 5.0 117 M Macintosh, setting TCP/IP 29 Manual installation 28 Masquerading 21 N Network private network default factory settings 22 Network Address Translation 21 P Part number, SOHO 12 Password saving 18 Patent Information 12 Ping 102 Port number, introduction 20 PPPoE, configuring client 43 Pre-confi[...]

  • Page 118

    118 adding pre-configured 64 creating custom incoming 65 Services, introduction 21 SOCKS 71 and ICQ 72 and IRC 72 SOCKS and AOL Messenger 72 Static IP address 98, 99 Static IP address, reason for 101 T TCP/IP releasing IP configuration 46 setting in Macintosh 29 setting in Unix, Linux, etc. 29 setting in Windows ’95, ’98 29[...]