Firewall User Guide Introduction Welcome to Multi-Tech's Dual Ethernet ProxyServer, model number MTPSR1-120 (hereafter, Firewall), a high-speed Internet access device that provides firewall protection to your corporate secured (private) LAN and allows Internet access to the Internet Services Network (public LAN) that resides outside the firewall.
Chapter 1 - Introduction and Description Chapter 4 - Firewall Software Chapter 4 describes the Firewall software package designed for the Windows® environment. This chapter describes the Firewall software from an applications standpoint; accordingly, not every screen is shown, nor is each field within a screen defined. For explanations and parameters of each field within a dialog box, please refer to the online Help provided within the software.
Firewall User Guide Front Panel Description The front panel, shown in Figure 1-2, contains four groups of LEDs that provide the status of the LAN connection, link activity, and general status of the Firewall. The Ethernet 1 and Ethernet 2 LEDs display the activity of the public and private LANs, indicating whether the Firewall is connected to the LAN, whether it is transmitting or receiving packets, and whether a collision is in progress.
Chapter 1 - Introduction and Description Back Panel Description The cable connections for the Firewall are made at the back panel. In addition to the Power connector, three groups of connectors are used on the Firewall: the Command Port, Ethernet 1 &...
Firewall User Guide Specifications • Protocols - Point-To-Point Protocol (PPP) and Serial Line Internet Protocol (SLIP) Ethernet Ports • Two Ethernet Interfaces - 10Base-T (twisted pair) RJ-45 connectors. Command Port • Single 19.2K bps asynchronous Command Port using a short RJ-45 to DB-25 cable with a DB-25 female connector WAN Link •...
Firewall User Guide Safety Warnings Never install telephone wiring during a lightning storm. Never install telephone jacks in wet locations unless the jack is specifically designed for wet locations. Never touch uninsulated telephone wires or terminals unless the telephone line has been disconnected at the network interface.
Chapter 2 - Installation V.35 Shunt Procedure If you are using an external DCE device on the WAN RS232/V.35 port, and the connection will be a V.35 connection, the internal shunt must be moved from the RS232C (default) position prior to cabling and power-up.
Firewall User Guide Cabling Your Firewall Cabling your Firewall involves making the proper Power, Command Port, and Ethernet connections. An optional WAN connection is provided to connect to an external WAN device. Figure 2-4 shows the back panel connectors and the associated cable connections, and the table that follows details the procedures for connecting the cables to your Firewall.
Chapter 2 - Installation Turn on power to the Firewall by placing the ON/OFF switch on the back panel to the ON position. Wait for the Fail LED on the Firewall to go OFF before proceeding. This may take a couple of minutes to go OFF. At this time your Firewall is completely cabled.
Firewall User Guide Loading Your Software The following loading procedure does not show every screen or option in the process of installing the Firewall software. The assumption is that the installation is being performed by a technical person with a thorough knowledge of Windows and the software loading process. Additional information on the Firewall software is provided in Chapter 4 and in the on-line help provided with your Firewall software.
Chapter 3 - Software Loading and Configuration The Select Program Folder dialog box enables you to use the default or select a different name for the new program group for the Firewall 2.00 software. After accepting the default or selecting a different folder name, press Enter or click Next > to continue. The next dialog box enables you to designate the COM port of your PC that is connected to the Firewall.
Firewall User Guide Wizard Setup The Wizard Setup screen gives you a process for adding the basic information needed to configure your Firewall. This screen will guide you through entering the IP Address, Net Mask, and Default Route for your Secure (private) LAN. Then you can set up for static or dynamic addressing on the Internet LAN Port, set up the Gateway Parameters, and then do the same for the WAN port, if it is used.
Chapter 3 - Software Loading and Configuration Internet LAN (LAN 2) Setup WAN Setup If a WAN device is connected to the WAN Port (marked RS-232/V.35), click the WAN option in the Select Port window, then either leave the “ISP Assigned Dynamic IP Address &...
Firewall User Guide Default WAN Link Configuration The Default WAN Link(s) Setup dialog box is used only if a device is connected to the RS-232/ V.35 connector on the back panel of the Firewall. This connection enables your Secure (private) LAN to be connected to a local ISP for Internet service.
Chapter 3 - Software Loading and Configuration Check to ensure that the Fail LED on the Firewall is Off after the download is complete and the Firewall is rebooted. Win3.1 users - you are returned to your Program Manager where the Firewall 2.00 Program Group and Program Items (Windows icons) have been created.
DSL modem by connecting the Ethernet connector on the modem to the LAN 2 connection on the Firewall. [Figure: Internet; Cable/DSL Modem; LAN 2 (Public); MTPSR1-120 Firewall, IP Address 192.168.0.101, Mask 255.255.255.0; LAN 1 (Private); Private LAN Workstation, IP Address 192.168.0.107...]
Network, which already provides Internet services. This configuration provides firewall and gateway security for the LAN users, and supports Internet access restrictions based on IP address, client protocols, or a list of forbidden sites. [Figure: Internet; MTPSR1-120 Firewall, IP Address 192.168.0.101; Internet LAN, Mask 255.255.255.0, IP Address 204.26.12.9...]
Web, FTP, etc. servers. The Internet connection is provided with a T1 DSU connected to the RS232 connection on the back of the unit. [Figure: Internet; T1 DSU; WAN Port; MTPSR1-120 Firewall, IP Address 192.168.0.101, Mask 255.255.255.0; LAN 1; LAN 2...]
Chapter 4 - Firewall Software In the configuration shown in Figure 4-3, the Firewall is connected to the Secured (private) LAN via the LAN 1 connection of the back of the unit. The Internet (public) LAN is connected to the LAN 2 connector on the back of the unit.
Firewall User Guide Firewall Program Group This section describes the advanced features of your Firewall software. The major configuration parameters are set when the software is loaded into your PC and the setup configuration is downloaded to the Firewall at the conclusion of the software installation. Our intent is not to cover every dialog box nor every field within a dialog box.
Chapter 4 - Firewall Software Configuration Port Setup The Configuration Port Setup program allows you to set up and configure the configuration port on your Firewall. This dialog is included in the initial installation process. Although parameters can be changed, be sure to note the current status of the software before making any alterations. When you installed the Firewall software, you selected to configure the port as either an IP or COM Port.
Firewall User Guide Firewall Configuration To view or change your Firewall configuration in Windows 95/98/NT, click Start | Programs | Firewall | Firewall Configuration. After loading, the Firewall Setup menu will appear. The Firewall Setup menu consists of 13 buttons which allow you to display and change the protocol stacks, define the output of the Firewall, perform network management functions, test the communications link, print messages received from the target (the Firewall), and download setup information to the Firewall.
Chapter 4 - Firewall Software Changing IP Parameters The IP Setup dialog box establishes the IP addressing for your Secured (private) LAN, Internet (public) LAN, and, if the Firewall is directly connected to the Internet via the RS-232/V.35 connector, the WAN port. To change the IP Setup parameters that were configured during the Wizard Setup, click on the IP button in the Firewall Setup menu.
Firewall User Guide DHCP Relay Agent - Enabling this option allows the Firewall to relay IP address requests from the Internet to the DHCP server through the WAN. If this option is enabled, the DHCP Server Address field becomes active, and the IP address of the DHCP server must be entered.
Chapter 4 - Firewall Software Changing WAN Port Parameters In order to change the WAN port parameters of a DCE device connected to the RS232/V.35 connector on the Firewall, click on the WAN button in the Firewall Setup menu. The WAN Port Setup dialog box is displayed.
Firewall User Guide Enabling PPP/SLIP If you wish to use Point-to-Point Protocol (PPP) or Serial Line IP Protocol (SLIP) on the WAN port, you can enable it in the PPP/SLIP menu. In order to configure these options, you must first enable the WAN port.
Chapter 4 - Firewall Software Enabling SLIP If you wish to configure the port for use with SLIP, click on the Enable check box in the SLIP group. The following message appears: Click OK. This value was assigned in the initial software installation and was downloaded to the ProxyServer at the end of the installation.
Firewall User Guide Enabling the DHCP Server The DHCP Server feature of the Firewall manages all the IP address assignments on the Secured (private) LAN port. IP address management becomes completely transparent. To enable the DHCP Server ability in the Firewall, click on the DHCP Server button in the Firewall Setup menu.
Chapter 4 - Firewall Software Adding Proxy Applications Certain software on your LAN may require a TCP or UDP port usage that is not currently supported by the Firewall. If this is the case, you must refer to the software documentation to determine the proper port usage and number.
Firewall User Guide Filtering The Filters dialog lets you configure the Firewall so that IP packets that are received by the server can be selectively filtered or forwarded based on their addresses or by the protocol ports to which they are destined. The five filtering methods are: •...
Chapter 4 - Firewall Software Enabling Virtual Servers The Virtual Server Setup dialog box allows you to assign a virtual address to a statically assigned server. For example, if the ISP assigns a static address of 200.2.9.1, you can set up a virtual server so that any requests sent to 200.2.9.1 will access 192.168.0.102.
Firewall User Guide Statistics The Firewall is capable of providing statistics for the WAN port and for the whole system. These statistics can be useful for troubleshooting and management purposes. To access this information, click Statistics in the Firewall Setup menu. The Statistics dialog box is displayed. From this menu, you can query the details of the WAN port or observe total system statistics such as total system Uptime, and total Calls.
Firewall User Guide Introduction This chapter provides procedures for viewing or changing the configuration of a remote Firewall unit. Two methods are provided to access a remote unit; the first method is modem-based and the second method uses IP. Within the IP method, three applications can be used: 1) LAN-based using Trivial File Transfer Protocol (TFTP), 2) Telnet as a client application, and 3) a standard Web browser on the Internet.
Chapter 5 - Remote Configuration and Management The Firewall Setup dialog box is displayed. Verify that the Communication Type is set for COM Port and the Select Port field is set for the COM port of your local PC. In the Dial String field, enter the AT command for dialing (ATDT) plus the phone number of the remote ProxyServer.
Firewall User Guide LAN-Based The LAN-based remote configuration requires a Windows Sockets compliant TCP/IP stack. TCP/IP protocol software must be installed and functional before the configuration program can be used. [Figure 5-2: Local Workstation; Internet; Remote Firewall, accessed via TFTP, Telnet or Web Browser.]
Chapter 5 - Remote Configuration and Management After you have changed the configuration of the remote Firewall, click Download Setup to update the configuration. The remote Firewall will be brought down, the new configuration written to the unit, and the unit will reboot. Click Exit when the downloading is complete.
Firewall User Guide Remote Management This section describes typical client applications that can be used to configure the ProxyServer remotely. It is important to note that although any subsequent changes to configuration can be made using these applications, the initial setup and configuration of the ProxyServer must be done on the local PC, using the ProxyServer software provided with your unit.
Chapter 5 - Remote Configuration and Management Firewall Management Menu The Firewall Management Menu provides two basic options: Firewall Configuration and WAN Device Configuration. A further option enables you to close the Telnet session from this menu by pressing the Esc key. Firewall Management Selecting Option 1 displays the Firewall Management menu with options that allow you to view statistics for IP, TCP, ARP, RARP, ICMP, UDP, WAN and PPP.
Firewall User Guide WEB Management The ProxyServer can be accessed, via a standard web-browser, from anywhere on the connected Internet. In order to provide this support, the WEB Server option has to be enabled in the Applications Setup dialog box (see Chapter 4 - Firewall Software, Applications).
Customer to MTS’s factory transportation prepaid. MTS WILL NOT BE LIABLE FOR CONSEQUENTIAL DAMAGES AND UNDER NO CIRCUMSTANCES WILL ITS LIABILITY EXCEED THE PURCHASE PRICE FOR DEFECTIVE PRODUCTS. On-line Warranty Registration To register your ProxyServer on-line, click on the following link: http://www.multitech.com/register...
Chapter 6 - Warranty, Service and Technical Support Tech Support Multi-Tech has an excellent staff of technical support personnel available to help you get the most out of your Multi-Tech product. If you have any questions about the operation of this unit, call 1-800-972-2439.
Firewall User Guide Service If your tech support specialist decides that service is required, your ProxyServer may be sent (freight prepaid) to our factory. Return shipping charges will be paid by Multi-Tech Systems. Include the following with your ProxyServer: • a description of the problem.
Chapter 6 - Warranty, Service and Technical Support The Multi-Tech BBS For customers who do not have Internet access, Multi-Tech maintains a bulletin board system (BBS). Information available from the BBS includes new product information, product upgrade files, and problem-solving tips. The phone number for the Multi-Tech BBS is (800) 392-2432 (USA and Canada) or (612) 785-3702 (international and local).
Multi-Tech is a commercial user on the Internet, and we retrieve messages from our customers on a periodic basis. If you prefer to receive technical support via the Internet, you can contact Tech Support at the following address: http://www.multitech.com/_forms/email_tech_support.htm Multi-Tech’s presence includes a Web site at: http://www.multitech.com and an ftp site at: ftp://ftp.multitech.com...
First, choose a domain name for your company. A domain name is the unique Internet name, usually the name of your business, that identifies your company. For example, Multi-Tech’s domain name is multitech.com ( .com indicates this is a commercial organization; .edu denotes educational organizations, .gov denotes government organizations). Next, determine how many IP addresses you’ll need.
Appendix A - TCP/IP Description UDP, described in RFC 768 (http://info.internet.isi.edu:80/in-notes/rfc/files/rfc768.txt) provides an end-to-end datagram (connectionless) service. Some applications, such as those that involve a simple query and response, are better suited to the datagram service of UDP because there is no time lost to virtual circuit establishment and termination.
You first choose a domain name for your company. A domain name is the unique Internet name, usually the name of your business, that identifies your company. For example, Multi-Tech’s domain name is multitech.com (where .com indicates this is a commercial organization; .edu denotes educational organizations, .gov denotes government organizations).
Firewall User Guide DB-25 (RS-232) to V.35 Adapter [Table: signal designations of the DB-25 (RS-232) connector and the V.35 34-pin connector: Chassis Ground, Signal Ground, Request To Send, Clear To Send, Data Set Ready, Data Carrier Detect, Data Terminal Ready, Send Data (A), Receive Data (A), Receive Data (B), Send Data (B), Terminal Timing (A)]
Modem CE Mark EMC and Safety Compliance The CE mark is affixed to the enclosed MultiTech product to confirm compliance with the following European Community Directives: Council Directive 89/336/EEC of 3 May 1989 on the approximation of the laws of Member States relating to electromagnetic compatibility;...
Firewall User Guide Access: The T1 line element made up of two pairs of wire that the telephone company brings to the customer premises. The Access portion ends with a connection at the local telco (LEC or RBOC). Accunet Spectrum of Digital Services (ASDS): The AT&T 56K bps leased (private) line service. Similar to services of MCI and Sprint.
Glossary Basic Rate Interface (BRI): An ISDN access interface type comprised of two B-channels each at 64K bps and one D-channel at 64K bps (2B+D). Bell Operating Companies (BOC): The family of corporations created during the divestiture of AT&T. BOCs are independent companies which service a specific region of the US.
Firewall User Guide Centrex: A multi-line service offered by operating telcos which provides, from the telco CO, functions and features comparable to those of a PBX for large business users. See also “Private Branch Exchange”, “Exchange”. Channel: A data communications path between two computer devices. Can refer to a physical medium (e.g., UTP or coax), or to a specific carrier frequency.
Glossary Data Link Connection Identifier (DLCI): One of the six components of a frame relay frame. Its purpose is to distinguish separate virtual circuits across each access connection. Data coming into a frame relay node is thus allowed to be sent across the interface to the specified “address”. The DLCI is confirmed and relayed to its destination, or if the specification is in error, the frame is discarded.
Firewall User Guide Encapsulation: A technique used by network-layer protocols in which a layer adds header information to the protocol data unit from the preceding layer. Also used in “enveloping” one protocol inside another for transmission. For example, IP inside IPX. Errored Seconds (ES): Any second of operation in which not all 1.544M bits are received exactly as transmitted.
Glossary Foreign Exchange Station (FXS): See FX, FXO. To generate a call from the computer telephony system to the POTS set, an FXS connection must be configured. Forward Explicit Congestion Notification (FECN): A bit that tells you that a certain frame on a particular logical connection has encountered heavy traffic.
Firewall User Guide Internetwork Packet Exchange (IPX): A NetWare communications protocol used to route messages from one node to another. IPX packets include network addresses and can be routed from one network to another. An IPX packet can occasionally get lost when crossing networks, thus IPX does not guarantee delivery of a complete message. Either the application has to provide that control, or NetWare’s SPX protocol must be used.
Glossary Local Exchange Carrier (LEC): The local phone company which provides local (i.e., not long distance) transmission services. AKA “telco”. LECs provide T1 or FT1 access to LDCs (unless the T1 circuit is completely intra-LATA). Inter-LATA T1 circuits are made up of a combination of Access and Long Haul facilities. Local Management Interface (LMI): A specification for frame relay equipment that defines status information exchange.
Firewall User Guide Object-Oriented: A method for structuring programs as hierarchically organized classes describing the data and operations of objects that may interact with other objects. Office Channel Unit - Data Port (OCU-DP): The CO channel bank used as the interface between the customer’s DSU and the channel bank.
Glossary Private Branch Exchange (PBX): A telephone exchange located on the customer’s premises. The PBX provides a circuit switching facility for telephone extension lines within the building, and access to the public telephone network. See also “Exchange”. PROM (Programmable Read Only Memory - pronounced “prom”): A permanent memory chip that can be programmed or filled by the customer after the manufacturer has set initial values.
Firewall User Guide Router: A device that connects two networks using the same networking protocol. It operates at the Network Layer (Layer 3) of the OSI model for forwarding decisions. Routing Information Protocol (RIP): A distance vector-based protocol that provides a measure of distance, or hops, from a transmitting workstation to a receiving workstation.
Appendix C - Regulatory Information Systems Network Architecture (SNA): The description of the logical structure, formats, protocols, and operational sequences for transmitting information units through, and controlling the configuration and operation of networks. Tariff: The rate/availability schedule for telephone and ISDN services from a regulated service provider. TCP/IP: A set of communication protocols that support peer-to-peer connectivity functions for both local and wide area networks.
Firewall User Guide Transport Protocol Data Unit (TPDU): A transport header, which is added to every message, contains destination and source addressing information that allows the end-to-end routing of messages in multi-layer NAC networks of high complexity. They are automatically added to messages as they enter the network and can be stripped off before being passed to the host or another device that does not support TPDUs.