WatchGuard SOHO and SOHO|tc User Manual

WatchGuard SOHO User Guide, SOHO and SOHO|tc 2.3

Summary of Contents for WatchGuard SOHO and SOHO|tc

  • Page 1 WatchGuard ® SOHO User Guide SOHO and SOHO|tc 2.3 WatchGuard SOHO and SOHO | tc...
  • Page 2: Registration And Identification Information

    Please keep this information in a secure place. Copyright and patent information Copyright © 1999-2001 WatchGuard Technologies, Inc. All rights reserved. WatchGuard and LiveSecurity are either registered trademarks or trademarks of WatchGuard Technologies, Inc. in the United States and other countries. Firebox is a trademark of WatchGuard Technologies, Inc.
  • Page 3 IMPORTANT - READ CAREFULLY BEFORE ACCESSING WATCHGUARD SOFTWARE This WatchGuard SOHO End-User License Agreement (“EULA”) is a legal agreement between you (either an individual or a single entity) and WatchGuard Technologies, Inc. (“WATCHGUARD”) for the WATCHGUARD SOHO software product you have purchased, which...
  • Page 4 LIMITED WARRANTY. WATCHGUARD makes the following limited warranties for a period of ninety (90) days from the date you obtained the SOFTWARE PRODUCT from WATCHGUARD or an authorized dealer; (A) Media. The disks and documentation will be free from defects in materials and workmanship under normal use. If the disks or documentation fail to conform to this warranty, you may, as your sole and exclusive remedy, obtain a replacement free of charge if you return the defective disk or documentation to WATCHGUARD or the authorized dealer from whom you obtained the SOFTWARE PRODUCT with a dated proof of purchase;...
  • Page 5 DFARS 227.7202-3 (Commercial Computer Software) and DFARS 252.227-7015(b) (Technical Data-Commercial Items) -- Restricted Rights Clause at FAR 52.227-19, as applicable. Manufacturer is WatchGuard Technologies, Incorporated, 505 Fifth Avenue, South, Suite 500, Seattle, WA 98104. EXPORT CONTROLS. You agree not to directly or indirectly transfer the SOFTWARE PRODUCT or documentation to any country to which such transfer would be prohibited by the U.S.
  • Page 6 Technologies applicable specifications. This warranty does not apply to any Hardware Product that has been: (i) altered, repaired or modified by any party other than WatchGuard Technologies; or (ii) damaged or destroyed by accidents, power spikes or similar events or by any intentional, reckless or negligent acts or omissions of any party.
  • Page 7 Warranty. This is the entire agreement between WatchGuard Technologies and you relating to the contents of this package, and supersedes any prior purchase order, communications, advertising or representations concerning the contents of this package AND BY USING THE HARDWARE PRODUCT YOU AGREE TO THESE TERMS.
  • Page 8 Welcome Congratulations on purchasing the ideal solution for providing secure access to the Internet–the WatchGuard SOHO or WatchGuard SOHO|tc. Your new security device will give you peace of mind when connecting to the Internet using a high-speed cable or DSL modem, a leased line, or ISDN. This User Guide applies to both the SOHO and SOHO|tc.
  • Page 9: Using This Guide

    Using this guide This manual assumes that you are familiar with your computer’s operating system. If you have questions about navigating in your computer’s environment, please refer to your system user manual. The following conventions are used throughout this guide. Convention Indication Bold type...
  • Page 11: Table Of Contents

    Table of Contents Installation CHAPTER 1 Before you begin Performing manual installation Physically connecting your SOHO Setting Up Your SOHO Network CHAPTER 2 How does a firewall work? Configuring your public network Configuring your private network Changing the SOHO system name and password Default factory settings Troubleshooting installation and network configuration ...
  • Page 12 Configuring Services for a SOHO CHAPTER 3 How does information travel on the internet? Allowing incoming services Blocking outgoing services Configuring Virtual Private Networking CHAPTER 4 Why create a virtual private network? What you will need Special considerations Frequently asked questions Additional SOHO Features CHAPTER 5 SOCKS for SOHO...
  • Page 13: Chapter 1 Installation

    CHAPTER 1 Installation Before you begin Pre-installation checklist Before installing your new WatchGuard SOHO, please ensure that you have: • A 10BaseT Ethernet I/O network card installed in your computer. • A cable or DSL modem with a 10BaseT port. •...
  • Page 14: Performing Manual Installation

    Performing manual installation • An operational Internet connection. Setup of your SOHO requires access to the Internet. If your connection does not work, please contact your Internet service provider (ISP). When your connection has been established, you may proceed with installation and setup. •...
  • Page 15 Microsoft Windows NT or 2000 Click => Start Programs At the C:\ prompt, enter ipconfig/all. Press Enter your current TCP/IP settings in the chart provided below. Click Cancel Microsoft Windows 95 or 98 or ME Click => Start Run. At the C:\ prompt, enter Select the “Ethernet Adapter.”...
  • Page 16 Performing manual installation TCP/IP Setting IP Address Subnet Mask Default Gateway DHCP Enabled Primary WINS Server Secondary WINS Server DNS Server(s) If you are connecting more than one computer to the private network behind the SOHO, obtain the configuration TCP/IP information for each computer.
  • Page 17 the browser to Web pages located in other places. Disabling the HTTP proxy will not prevent you from accessing your favorite Web sites, but it will allow you to access the special configuration pages that reside only on the SOHO. To disable the HTTP proxy in three commonly used browsers, see the instructions below.
  • Page 18: Physically Connecting Your Soho

    Physically connecting your SOHO Click at the bottom on the Configure Record the URL box information here: Click to save settings. Internet Explorer 5.0 Open Internet Explorer. Click => Tools Internet Options The Internet Options screen displays. Click the Advanced Scroll down the page to Clear all checkboxes.
  • Page 19 Complete the “Pre-installation checklist” on page 1. Turn off your computer. Unplug the power from your cable or DSL modem. Unplug the Ethernet cable that is connected from your cable or DSL modem to your computer. Connect it from your modem to the WAN port on the SOHO.
  • Page 20 Physically connecting your SOHO Turn on the power to your cable or DSL modem. Wait until the lights stop flashing, indicating that the modem is ready. Attach the power cord to the SOHO and plug it into an outlet. Restart your computer. For information on the factory default configuration options, see “Default factory settings”...
  • Page 21 The SOHO and SOHO|tc ship with a “10-seat” license. In other words, the SOHO allows up to ten computers on a network behind the SOHO to access the Internet. More than ten computers can exist on the network and communicate with each other, but only the first ten which attempt to access the Internet will be allowed out.
  • Page 22 Physically connecting your SOHO Attach the power cord to the SOHO and plug it into an outlet. Restart your computer.
  • Page 23: Setting Up Your Soho Network

    CHAPTER 2 Setting Up Your SOHO Network How does a firewall work? Fundamentally, a firewall is a way of differentiating between, as well as protecting, “us” from “them”. On the public side of your SOHO firewall is the entire Internet. The Internet has many resources that you want to be able to reach, such as the Web, e-mail, and conferencing.
  • Page 24: Configuring Your Public Network

    Configuring your public network The configuration instructions in this chapter assume that you are using Windows 95/98/ME. If this is not the case, see your operating system help or user guide to locate the equivalent options and commands. Configuring your public network When you configure the public network, you establish how the SOHO communicates with your Internet service provider (ISP).
  • Page 25 of Ethernet and PPP by simulating a standard Dial-Up connection. It is popular among many ISPs because it enables them to use existing Dial-Up infrastructure such as billing, authentication, and security for DSL and cable modems. Determining whether your ISP uses dynamic or static addressing Most ISPs support both dynamic and static addressing.
  • Page 26 Configuring your public network If “Obtain an IP Address Automatically” is selected, your computer is configured for dynamic DHCP. If “Obtain an IP Address Automatically” is not checked, your computer is configured for static addressing. The actual wording on the menu may differ depending on your operating system, but all platforms differentiate somehow between dynamic and static addressing.
  • Page 27 Configuring your public network Configuring the SOHO public network for dynamic addressing Out of the box, the SOHO is configured to obtain its public address information automatically, using dynamic DHCP. So if your ISP assigns you an address automatically (or dynamically), the SOHO itself will obtain all the addressing information it needs when it powers on and attempts to connect to the Internet.
  • Page 28 Configuring your public network Configuring the SOHO public network for static addressing If you are assigned a static address, then you must transfer the permanent address assignment from your computer to the SOHO itself. Instead of communicating directly to your computer, the ISP will now communicate first through the SOHO.
  • Page 29 On most platforms, click OK until the Control Panel window closes. Shut down and reboot the computer. On the SOHO: Open your Web browser. Click Stop. At this point, the Internet connection is not fully configured, and the computer cannot load your home page from the Internet. However, the computer can access special configuration Web pages installed on the SOHO itself.
  • Page 30 Configuring your public network Enter the TCP/IP settings you copied from the computer when you started the install process. Click Submit. To complete SOHO Public Network configuration, see “Release and renew the IP configuration” on page 19. Configuring SOHO public network for PPPoE While less common, PPPoE is another method for an ISP to assign addresses.
  • Page 31 Enable the checkbox labelled Use PPPoE to obtain configuration. Enter the PPPoE login name supplied by your ISP. Enter the PPPoE password supplied by your ISP. Enter the Inactivity Timeout period in minutes. Click Automatically restore lost connections. This enables a constant flow of “heartbeat” traffic between the SOHO and the PPPoE server.
  • Page 32: Configuring Your Private Network

    Configuring your private network At the C:\ prompt, enter The IP Configuration dialog box appears. Verify that the information is displayed for "Ethernet Adapter," not for "PPP Adapter," which would apply for a dial-up telephone modem. Click the Release Your IP Configuration should look similar to the screenshot below. The values in the IP Configuration dialog box were obtained from the SOHO itself.
  • Page 33 To disable the SOHO DHCP server and assign addresses statically on your private network, open the SOHO Configuration menu, click Private Network, and disable the checkbox labelled Enable DHCP Server. This is not recommended for most SOHO users. Configure additional computers to the private network Up to four computers can be plugged directly into the four numbered ports (1-4) of the SOHO.
  • Page 34: Changing The Soho System Name And Password

    Changing the SOHO system name and password Changing the SOHO system name and password Passwords are a barrier between your computer and anyone trying to break in. They are the first line of defense in computer security. They are, unfortunately, the most frequently overlooked of all security measures.
  • Page 35 Check the Enable Password checkbox. Enter the system user name in the Name field. Enter the system password in the Password field. Enter the system password again in the Retype Password field. Click Submit. The configuration change is saved to the SOHO and a password confirmation page appears.
  • Page 36: Default Factory Settings

    Default factory settings • Public network settings use DHCP DHCP must be enabled for you to be able to access the SOHO device when it boots up. Private Network • Private network IP address: 192.168.111.1. • All computers on the private network automatically receive their addresses using dynamic DHCP.
  • Page 37: Troubleshooting Installation And Network Configuration

    Troubleshooting installation and network configuration Virtual Private Networking • IPSec VPN is not installed. The SOHO|tc comes with the VPN Feature Key, however you must first enable the VPN Feature Key in order to configure virtual private networking. The SOHO does not come with the VPN Feature Key; it can be purchased separately.
  • Page 38 Troubleshooting installation and network configuration GENERAL What do the ON and MODE lights signify on the SOHO? When the ON light is illuminated, the SOHO has power. When the MODE light is illuminated, the SOHO is operational. How do I register my SOHO? Registering your WatchGuard SOHO ensures that you receive all LiveSecurity alerts and software updates as soon as they are available.
  • Page 39 Troubleshooting installation and network configuration Click Reboot and wait for the SOHO to finish rebooting. The MODE and ON light flash at different times during boot, which takes about a minute. How do I change to a static private IP address? Before you can use a static IP address, you must have a base Private IP address and subnet mask.
  • Page 40 Troubleshooting installation and network configuration This is a major security risk. For instructions on how to allow any incoming services, refer to “Adding the Any service” on page 38. How do I allow incoming IP protocols? You will need the IP address of the computer that will be receiving the incoming data and the IP protocol number that corresponds to the specific incoming IP protocol.
  • Page 41: Vpn Management

    Troubleshooting installation and network configuration Click Add a Service and then click the service you want to add. For UDP, you will need to select UDP on the Forward drop list and enter the range of port numbers in the port fields. For all other services, enter the IP address of the computer that needs the incoming service.
  • Page 42 Troubleshooting installation and network configuration Click VPN Configuration. Click Configuring a SOHO to SOHO IPSec VPN Tunnel. Download and follow the instructions to configure your VPN tunnel. TECHNICAL How do I reboot my SOHO? Using your Web browser, go to http://192.168.111.1. Click System Information.
  • Page 43 Troubleshooting installation and network configuration factory defaults so connect cables in original configuration and power up again. How does the seat limitation on the SOHO work? The default user license on the SOHO is 10. The first 10 computers on the network behind the SOHO to attempt access are allowed through to the Internet.
  • Page 44 Troubleshooting installation and network configuration the LAN Link lights. They tell you if the SOHO is connected to a computer or hub through that LAN port. If the lights are not illuminated, the SOHO is not connected to the computer or hub. Check to make sure that both sides of the cable are connected and that the computer or hub has power.
  • Page 45: Configuring Services For A Soho

    CHAPTER 3 Configuring Services for a SOHO How does information travel on the internet? Each packet of information transported over the Internet must be packaged in a special way to ensure that it is able to travel from one computer to the next. A system called Internet Protocol (IP) takes chunks of information and wraps them up with a header identifying both where the information is going and how it should be handled en route.
  • Page 46: Port Number

    How does information travel on the internet? address of the WatchGuard site is 209.191.160.60 while the domain name is www.watchguard.com. Protocol A protocol defines how a packet is bundled up and packaged for shipment across a network. The most commonly used protocols are Transmission Control Protocol (TCP) and User Datagram Protocol (UDP).
  • Page 47: Allowing Incoming Services

    Allowing incoming services Allowing incoming services By default, the security stance of the SOHO is to deny unsolicited incoming packets to computers on the private network protected by the SOHO firewall. You can, however, selectively open your network to certain types of Internet connectivity. For example, if you would like to set up a Web server behind the SOHO, you can add an incoming Web service.
  • Page 48 Allowing incoming services violate the computer, they are stopped cold at the SOHO, never learning the true address of the computer. Adding a pre-configured incoming service Each service is defined by a combination of Internet protocols and port numbers to uniquely identify the connection type to applications and servers on the Internet.
  • Page 49 Click Submit. The configuration change is saved to the SOHO and the Show Incoming Rules page appears. The incoming service rules are identified by protocol, port, and destination on the private network. Creating a custom incoming service In addition to the pre-configured services provided by the WatchGuard SOHO Configuration interface, you can also create a custom service for a server on your private network.
  • Page 50 Allowing incoming services Click Submit. The configuration change is saved to the SOHO, and the Show Incoming Rules page appears. Adding an incoming service with another type of protocol In addition to TCP and UDP, there are several other types of Internet protocols.
  • Page 51 Unfortunately, the hole created using the Any service is indiscriminate. Any type of packet can enter through this service and be forwarded automatically to the private network address you provide. For security reasons, WatchGuard does not recommend enabling this feature. Using your Web browser, go to http://192.168.111.1.
  • Page 52: Blocking Outgoing Services

    Blocking outgoing services Click Remove a Service. A list of existing, incoming services appears. Services are identified by protocol, port number, and destination address. Enable the checkbox next to the services you would like to remove. You can disable multiple services simultaneously. Click Submit.
  • Page 53 Select Services. The Services menu appears. Select Blocked Outgoing Services. The Blocked Outgoing Services Menu appears. In addition, a list of blocked outgoing services is displayed beneath the menu identified by protocol and port number. Click Block TCP or UDP Service. The Block TCP or UDP Service menu appears.
  • Page 54 Blocking outgoing services Click Submit. The configuration change is saved to the SOHO and the Blocked Service List page appears. Removing a blocked outgoing service At any time, you can reopen a service now required by your network. You should do this when you seek to open access to a particular type of outgoing traffic as the removal increases the accessibility for users on your private network to resources on the Internet.
  • Page 55: Configuring Virtual Private Networking

    CHAPTER 4 Configuring Virtual Private Networking This chapter describes an optional feature of the WatchGuard SOHO: virtual private networking with IPSec. The following WatchGuard SOHOs support IPSec tunnels: • WatchGuard SOHO with VPN Feature Key • WatchGuard SOHO|tc Why create a virtual private network? Virtual Private Networking (VPN) tunnels enable you to simply and securely connect computers in two locations without requiring expensive, dedicated point-to-point data connections.
  • Page 56: What You Will Need

    What you will need encrypted Internet connection, a VPN connection eliminates any significant risk of data being read or altered by outside users as it traverses the Internet. What you will need One WatchGuard SOHO with VPN and an IPSec-compliant device.
  • Page 57 IP Address Table (example). Item: Public IP Address. Description: The IP address that identifies the SOHO to the Internet. Site A: 207.168.55.2; Site B: 68.130.44.15. Item: Public Subnet Mask. Description: The overlay of bits that determines which part of the IP address identifies your network.
  • Page 58 What you will need About Feature Keys When you purchase a SOHO, the software for all extended features is provided with that installation regardless of whether you have actually purchased any of those features. Once you have purchased an extended feature, its Feature key allows you to enable its software.
  • Page 59: Special Considerations

    other IPSec-compliant devices. To download these instructions, open your Web browser to: http://www.watchguard.com/support/interopvpn.asp Special considerations Consider the following before configuring your WatchGuard SOHO VPN network: • You can connect only two devices together: a WatchGuard SOHO and either another SOHO or another IPSec-compliant device.
  • Page 60: Frequently Asked Questions

    Frequently asked questions Frequently asked questions Why do I need a static public address? To create a VPN connection, one SOHO must be able to find its partner device. If the addresses were allowed to change, the SOHO could not find its remote computer. How do I get a static public IP address? Contact your ISP.
  • Page 61 OK, ping is not working. If you cannot ping the local network address of the remote SOHO, take the following steps to classify the problem: Ping the public address of the remote SOHO. For example, at Site A, ping 68.130.44.15 (Site B). You should get a reply.
  • Page 62 Frequently asked questions...
  • Page 63: Additional Soho Features

    CHAPTER 5 Additional SOHO Features SOCKS for SOHO SOCKS is a network proxy filter that works with SOCKS-aware applications such as ICQ. A typical SOCKS-dependent application requires that several sockets be opened and made available to the Internet. When a SOCKS-aware application (ICQ is SOCKS-aware) registers with the SOCKS server, SOCKS is able to manage the need of the application to have many ports open.
  • Page 64 SOCKS for SOHO SOHO SOCKS implementation The SOHO SOCKS feature has the following characteristics and limitations: • SOHO supports SOCKS version 5 only. • It is a limited version of SOCKS and does not support authentication, nor does it support Domain Name System (DNS) resolution.
  • Page 65 • If you can choose different services or versions of SOCKS, choose SOCKS version 5. • Select port 1080 for the application. • For the SOCKS proxy, enter the URL or IP address of the SOHO private network. The default IP address is 192.168.111.0.
  • Page 66: Soho Logging

    SOHO logging Click Submit to register the change. The SOHO is enabled again as a Proxy server and ready to pass SOCKS packets. SOHO logging The WatchGuard SOHO generates an ongoing activity log stored on the SOHO. This log stores a maximum of 150 messages. When it reaches its maximum, the oldest message is deleted.
  • Page 67: Rebooting A Watchguard Soho

    Click System Administration. The System Administration menu appears. Select Remote Logging. The Secure Remote Logging page appears. Check the box labeled Enable Remote Logging. Enter the IP address of the WatchGuard log server that will be your remote secure log host. In the Pass Phrase field, enter a pass phrase that will serve as a password to gain access to the log server.
  • Page 68 Rebooting a WatchGuard SOHO • Send an FTP command to the remote SOHO device. Use an FTP application to connect to the SOHO device, then enter the command: quote rebt...
  • Page 69: Watchguard Soho Webblocker

    CHAPTER 6 WatchGuard SOHO WebBlocker WatchGuard SOHO WebBlocker is an optional feature of the WatchGuard SOHO and SOHO|tc that provides Web site filtering capabilities. It gives you precise control over the types of Web sites users on your private network are allowed to view. How WebBlocker works WebBlocker relies on a URL database, the CyberNOT list, built and maintained by CyberPatrol.
  • Page 70: Watchguard Webblocker Database Unavailable

    How WebBlocker works site, the SOHO queries the WatchGuard database and determines whether or not to block the site. The SOHO considers the following conditions in determining whether or not to block the site: Web site not in WebBlocker database If the site is not in the WatchGuard WebBlocker database, the Web browser opens the page for viewing.
  • Page 71: Purchasing And Enabling Soho Webblocker

    those members of your private network who should be able to bypass WebBlocker. When a site is blocked or unavailable, the user has the option of entering the full access password. With the password entered, the browser displays the otherwise blocked site. After the password is entered, the user can browse any site on the Internet until either the Password Expiration duration passes or the individual closes the browser.
  • Page 72: Webblocker Categories

    WebBlocker categories Enable the checkbox labeled Enable Web Blocking. This turns on SOHO WebBlocker. Enter the full access password. The full access password gives selected users a password that bypasses otherwise blocked sites. Enter the password expiration duration in minutes. Setting the full access password expiration at, for example, 15 minutes, ensures that unattended Web browsers will be disconnected after sitting idle for 15 minutes.
  • Page 73 In all of the categories sites to be blocked are selected by advocacy rather than opinion or educational material. For example, the Drugs/Drug Culture category blocks sites describing how to grow and use marijuana but does not block sites discussing the historical use of marijuana. Alcohol/Tobacco Pictures or text advocating the sale, consumption, or production of alcoholic beverages and tobacco products.
  • Page 74 WebBlocker categories their primary purpose to alter the individual’s state of mind, such as glue sniffing. This does not include (that is, if selected these sites would not be WebBlocked under this category) currently illegal drugs legally prescribed for medicinal purposes (such as, drugs used to treat glaucoma or cancer).
  • Page 75 Search Engines Search engine sites such as AltaVista, InfoSeek, Yahoo!, and WebCrawler. Sports and Leisure Pictures or text describing sporting events, sports figures, or other entertainment activities. Sex Education Pictures or text advocating the proper use of contraceptives. Topic includes sites devoted to the explanation and description of condoms, oral contraceptives, intrauterine devices, and other types of contraceptives.
  • Page 76: Searching For Blocked Sites

    Searching for blocked sites sites hosted by museums such as the Guggenheim, the Louvre, or the Museum of Modern Art. Partial/Artistic Nudity Pictures exposing the female breast or full exposure of either male or female buttocks except when exposing genitalia which is handled under the Full Nudity category. Topic does not include swimsuits, including thongs.
  • Page 77: Index

    Index Adding incoming services Allowing incoming services Any service, adding Blocked outgoing service, removing blocked sites in WebBlocker Blocking alternative protocols Blocking outgoing services Browser Internet Explorer disabling HTTP proxy Netscape 4.0 disabling HTTP proxy Browsers, supported Cables, required Cabling, new SOHO...
  • Page 78 Default gateway Default IP address, SOHO disabling HTTP proxy Disabling SOCKS DNS service primary IP address secondary IP address Domain name Encryption, SOHO External Network, default factory settings Factory settings, default Frequently asked questions HTTP proxy disabling ICQ, enable with SOCKS ICQ, IRC, AOL Messenger Identification Information Implementing SOCKS...
  • Page 79 private network default factory settings Network address Network Address Translation Outgoing services blocking blocking TCP blocking UDP Part number, SOHO Password changing saving Patent Information Ping Port 1080, configuring for SOCKS Port number, introduction PPPoE, configuring client Pre-configured service, adding Pre-installation, checklist Private network configure...
  • Page 80 Troubleshooting checking link LED connecting more than two offices pinging static IP address adding incoming blocking outgoing Unix, setting TCP/IP URL database Using the manual Virtual Private Networking introduction WebBlocker categories searching for blocked sites The Learning Company Windows ’95/’98/NT, disabling HTTP proxy...

This manual is also suitable for:

Soho 2.3, Sohotc 2.3
