WatchGuard Firebox System 4.6 User Guide
Configuring the Firebox for Mobile User VPN

Entering license keys

The first step in configuring the Firebox for Mobile User VPN is to enter the license key(s) into the Firebox configuration file. The Firebox automatically restricts the number of Mobile User VPN connections to the sum of the number of seats each license key provides. From Policy Manager:

1 Select Network => Remote User. Click the Mobile User Licenses tab.
2 Enter the license key in the text field to the left of the Add button. Click Add.
  The license key appears in the list of client licenses configured for use with the Firebox. Repeat the add-license process until you have added all of your keys.

Preparing Mobile User VPN configuration files

With Mobile User VPN, the network security administrator controls end-user configuration settings. Use Policy Manager to define an end-user and generate a configuration file with the extension .exp. The .exp file contains the shared key, user identification, IP addresses, and settings required to create a secure tunnel between the remote computer and the Firebox.

Defining a new mobile user

From Policy Manager:

1 Select Network => Remote User. Click the Mobile User VPN tab.
2 Click Add.
  The Mobile User VPN wizard appears.
3 Click Next.
4 Use the Select User Name drop list to select a user.
  The only names that appear in the drop list are users who have not already been configured for Mobile User VPN. To add a new user, click Add New. For more information on adding a new user, see “Adding a member to built-in RUVPN user groups” on page 134.
5 Enter the shared key.
  The shared key is not the same as the Firebox Users authentication password. However, you can enter the same value for both the key and the password.
6 Click Next.
  The Allowed Resource and Virtual IP Address form appears. By default, the IP address of the Trusted network appears in the Allow User Access To field. This provides the Mobile User VPN user with access to the Trusted network.
7 Enter the end-user virtual IP address. Click Next.
8 Use the Type drop list to select an encryption method.
  Options include: ESP (Encapsulated Security Protocol) and/or AH (Authenticated Headers) or AH Only.
9 Use the Authentication drop list to select an authentication method.
  Options include: None (no authentication), MD5-HMAC (128-bit algorithm), or SHA1-HMAC (160-bit algorithm).
10 Use the Encryption drop list to select an encryption method.
  Options available with the strong encryption version of WatchGuard Firebox System include: None (no encryption), DES-CBC (56-bit), and 3DES-CBC (168-bit).
11 Click Next. Click Finish.
  The wizard closes and the username appears in the Remote User VPN Setup dialog box on the Mobile User tab Users list.
12 Click OK.

Modifying an existing Mobile User VPN entry

Use the Mobile User VPN wizard to generate a new .exp file every time you want to change the end-user configuration file. Reasons to change an end-user configuration include:

• Modifying the shared key
• Adding access to additional hosts or networks
• Restricting access to a single destination port, source port, or protocol
• Modifying the encryption or authentication parameters

From Policy Manager:

1 Select Network => Remote User.
2 In the Users list on the Mobile User VPN tab, click the username.
3 Click Edit.
  The Mobile User VPN wizard appears, displaying the User Name and Pass Phrase form.
4 Use Next to step through the wizard, reconfiguring the end-user configuration according to your security policy preferences.
5 To add access to a new network or host, proceed to the Multiple Policy Configuration step in the Mobile User VPN wizard. Click Add.
  You can also use the Multiple Policy Configuration step to change the virtual IP address assigned to the remote user.
6 Use the drop list to select Network or Host. Type the IP address. Use the Dst Port, Protocol, and Src Port options to restrict access. Click OK.
  The new IP address appears in the Configured Policies list.
7 Step completely through the wizard until the final screen. Click Finish.
  You must click Finish to ensure that the wizard creates a new .exp file and writes the modified settings to the Firebox configuration file.
8 Click OK.

Saving the configuration to a Firebox

To activate new Mobile User configuration settings, you must save the configuration file to the primary area of the Firebox flash disk. For instructions, see “Saving a configuration to the Firebox” on page 24.

Distributing the software and configuration files

WatchGuard recommends distributing end-user configuration files on a floppy disk or by encrypted e-mail. Each client machine needs the following:

• Remote client installation package
  The packages are located on the WatchGuard LiveSecurity Service Web site at http://www.watchguard.com/support. Enter the Service Web site using your LiveSecurity username and password. Click the Mobile User VPN link.
• .exp end-user configuration file