WatchGuard Mobile User VPN Guide

Mobile User VPN establishes a secure connection between an unsecured remote host and a protected network over an unsecured network using Internet Protocol Security (IPSec). In other words, Mobile User VPN connects an employee on the road or working from home to the trusted and optional networks behind a Firebox over a standard Internet dial-up connection without compromising security.

Mobile User VPN requires:
- That the central Firebox be approved for, and upgraded to, the strong or medium encryption level.
- Configuration of the Firebox and the creation of end-user configuration files.

This guide describes how to configure a remote host for Mobile User VPN, including instructions on how to install the Mobile User VPN client. For information on configuring the Firebox, see the User Guide, "Configuring the Firebox for Mobile User VPN", on page 229.

Mobile User VPN 1.0 1
Preparing the Client Computers

Every computer used as a Mobile User VPN remote host must first be prepared with the proper:
- Device drivers
- Internet Service Provider account

Windows 95/98 Platform Preparation

From the Windows desktop:
1. Select Start > Settings > Control Panel. Double-click Network.
2. Verify that Client for Microsoft Networks is installed. If it is not installed, you must install it. For instructions, see "Installing Client for Microsoft Networks" on page 2.
3. Click the Identification tab.
4. Enter a name for the remote client. This must be a unique name on the remote network.
5. Enter the name of the domain you are connecting to. This should be the same as the Log on to Windows NT domain value.
6. Enter a description for your computer (optional).
7. Click OK. Click OK to close and save changes to the Network control panel, or click Cancel if you do not want to save any changes.
8. Reboot the machine.

Installing Client for Microsoft Networks

From the Network dialog box:
1. Click the Configuration tab. Click Add.
2. Select Client. Click Add.
3. Select Microsoft from the list on the left. Select Client for Microsoft Networks from the list on the right. Click OK.
4. Select Client for Microsoft Networks.
5. Click Properties.
6. Check Log on to Windows NT domain.
7. In the Windows NT Domain field, type the domain name. For example, your domains might be sales, office, and warehouse.
8. Check Logon and Restore Network Connections.

2 WatchGuard LiveSecurity System
Windows NT Platform Preparation

Adding a Domain Name to a Windows NT Workstation

Often remote clients need to connect to a domain behind the firewall. To do this, the remote client must be able to recognize the domains to which it belongs. Adding a domain requires the installation of the Computer Browser network service.

Installing Computer Browser

From the Windows NT desktop:
1. Select Start > Settings > Control Panel. Double-click Network. The Network dialog box appears.
2. Click the Services tab.
3. Click Add.
4. Select Computer Browser.
5. Browse to locate the installation directory. Click OK.
6. Reboot the workstation.

Adding a New Domain

1. Select Start > Settings > Control Panel. Double-click Network. The Network dialog box appears.
2. Click the Protocols tab.
3. Select Computer Browser. Click Properties.
4. Add the remote network domain name. You can add multiple domain names during the same configuration session.
5. Click OK.
6. Reboot the workstation.

Requirements for Installing Mobile User VPN

In addition to basic platform preparation, Mobile User VPN requires the installation of the Mobile User VPN client software. For each remote host, the network administrator must supply the following:

Remote client installation package
The packages are located on the WatchGuard LiveSecurity archive at https://www.watchguard.com/archive. Enter the archive using your LiveSecurity user name and password. Click the Mobile User VPN Client link. Select and download the appropriate platform type and encryption level.
Configuration file
A file containing the user name, shared key, and settings that enable a remote computer to connect securely over the Internet to a protected private computer network. The configuration file should have the filename username.exp.

Shared password
When the remote host connects to the network, the user is prompted for a password. This password enables the Mobile User VPN Client to encrypt traffic between the remote host and the protected network.

Installing the Mobile User VPN Client

Install the Mobile User VPN Client software on each remote host. The software installation package is available from the LiveSecurity Web site download archive. There are six versions, based on encryption level and platform. The installation process consists of two steps: installing the software and setting up the client.

Installing the Mobile User VPN Client Software

1. Copy the client installation package to the remote host.
2. Copy the end-user configuration file to the remote host's root directory. The Policy Manager creates an end-user configuration file when you add a new user to the Firebox configuration file. For more information, see the User Guide, "Configuring the Firebox for Mobile User VPN", on page 229.
3. Locate and double-click the installation executable.
4. Click Setup. The WatchGuard Mobile User VPN Client Installation wizard opens.
5. Click Next. The installation wizard looks for an end-user configuration file at C:\. If it does not find one, you must browse to locate and select an .exp file.
6. Click Next. The installation wizard expands and installs the Mobile User VPN Client software on the remote host. It then automatically runs the Mobile User VPN Client Setup wizard.

Setting Up the Mobile User VPN Client

1. From the Mobile User VPN Client Setup installation wizard, click Next. The Software Licence Agreement appears.
2. Click Yes.
3. Verify the end-user and company name. Click Next.
4. Click Next to install the client in the default directory.
5. Click Next to create a program icon on the Windows desktop Start menu. The Mobile User VPN Client Setup installation wizard configures the Mobile User VPN Client software to connect to the Firebox using the settings in the end-user configuration file.
6. Click Finish. The installation wizard completes the setup process and reboots the computer. The remote host is now ready to use Mobile User VPN.

Connecting Using the Mobile User VPN Client

The Mobile User VPN client enables the remote host to establish a secure, encrypted connection to a protected network over the Internet. To do this, the remote host must first connect to the Internet and then use the Mobile User VPN client to connect to the protected network.

From the Windows desktop:
1. Establish an Internet connection, either through Dial-Up Networking or directly through a LAN or WAN.
2. Select Start > Programs > Mobile User VPN Client > Mobile User VPN Client Manager.
3. Use the drop list or type the user name. Enter the password. Click OK. The Mobile User VPN Client establishes a secure tunnel between the remote host and the Firebox. A Mobile User VPN icon appears in the Windows desktop tray. You can now exchange information, use an e-mail application, or browse the Network Neighborhood.

Note: There may be a short initial delay while tunnel negotiation occurs.

Closing the Mobile User VPN Tunnel

The IPSec tunnel is independent of the Internet connection. Close the IPSec Client tunnel when the remote host:
- Loses the Internet connection
- No longer needs the IPSec tunnel

From the Windows desktop:
1. Right-click the Mobile User VPN Client icon in the Windows desktop tray.
2. Select Exit. The Mobile User VPN Client closes the tunnel. This process does not affect your connection to the Internet. You must disconnect from the Internet separately.

Uninstalling the Mobile User VPN Client

For the end-user, the easiest way to reconfigure the Mobile User VPN client software is to uninstall the application and, with a new end-user configuration file, reinstall the application. Examples of when it might be necessary to reconfigure a remote host include when:
- The shared key changes
- The network configuration changes
- The remote host is transferred to a new end-user

First, use the Policy Manager to edit the Firebox IPSec configuration and generate a new end-user configuration file. For more information, see the User Guide, "Modifying an Existing Mobile User VPN Entry", page 233. Then, from the Windows desktop on the remote host:
1. Select Start > Programs > Mobile User VPN Client > Uninstall Mobile User. The Uninstall Shield opens and removes the Mobile User VPN Client software.
2. Click Finish. The remote host reboots.

To update the remote host configuration, copy the new end-user configuration file to C:\ and run the Mobile User VPN Client software installation wizard. For more information, see "Installing the Mobile User VPN Client" on page 4.

Manually Reconfiguring Mobile User VPN Hosts

WatchGuard recommends using the Uninstall/Reinstall method to reconfigure a remote host for Mobile User VPN. This ensures that the configuration settings created for the Firebox are identical to those used by the remote host. However, it is possible to manually reconfigure the remote host using the Mobile User VPN Client software and Windows Control Panel utilities.

Note: Use the Policy Manager to mirror on the Firebox any changes made to the remote host configuration. If the configuration on the remote host and the Firebox are not identical, the remote computer will be unable to establish a tunnel. For more information, see the User Guide, "Modifying an Existing Mobile User VPN Entry", page 233.

Creating a Hardware Profile

In some configurations, the VPCom Adaptor used by the Mobile User VPN client conflicts with other network adaptors, resulting in network resources being inaccessible when the client is not running. In other words, remote hosts directly connected to the network may be unable to browse Network Neighborhood or receive e-mail. A common workaround is to create a separate hardware profile for the office environment which disables the VPCom Adaptor.

A hardware profile is a way to group multiple hardware drivers together. It enables the user to choose at boot time a profile optimized for a particular task or work environment. Hardware profiles are commonly used on laptops to differentiate between working at the office connected to a docking station and working on the road or from home.

Making a Windows 95/98 Hardware Profile

From the Windows 95/98 desktop:
1. Select Start > Settings > Control Panel.
2. Double-click System.
3. Click the Hardware Profiles tab.
4. Click the profile normally used to connect directly to the office network.
5. Click Copy. A new profile appears.
6. Rename the new profile to distinguish it as the configuration with the VPCom Adaptor enabled. The profile names appear during the boot process, so make the names easy to distinguish, e.g. At Office and On the Road.
7. Click the Device Manager tab. Expand the Network Adaptors tree.
8. Double-click VPCom Adaptor.
9. Check the Disable in this hardware profile checkbox.
10. Click OK to close the VPCom Adaptor Properties dialog box. Click OK to close the System Properties dialog box. Restart the computer.

When you restart the computer, you will be prompted to select a hardware profile. The message will look similar to the following:

Windows cannot determine what configuration your computer is in.
Select one of the following:
At the Office
On the Road
None of the above
Enter your choice:
Making a Windows NT Hardware Profile

From the Windows NT desktop:
1. Select Start > Settings > Control Panel.
2. Double-click System.
3. Click the Hardware Profiles tab.
4. Click the profile normally used to connect directly to the office network.
5. Click Copy. A new profile appears.
6. Rename the new profile to distinguish it as the configuration with the VPCom Adaptor enabled. The profile names appear during the boot process, so make the names easy to distinguish, e.g. At Office and On the Road.
7. Click OK to close the System Properties dialog box.
8. In the Control Panel, double-click Devices.
9. Click VPCom Adaptor. Click HW Profiles. The Device dialog box appears.
10. Select the office configuration. Click Disable.
11. Click OK to close the Device dialog box. Click Close to close the Devices dialog box. Restart the computer.

When you restart the computer, you will be prompted to select a hardware profile. The message will look similar to the following:

Windows cannot determine what configuration your computer is in.
Select one of the following:
At the Office
On the Road
None of the above
Enter your choice:

Configuring with the Mobile User VPN Client Manager

You can manually change Mobile User IPSec configuration settings using the Mobile User VPN Client Manager.

From the Windows desktop:
1. Start the Mobile User VPN Client Manager: select Start > Programs > Mobile User VPN Client > Mobile User VPN Client Manager. Select a User Profile. Enter the password. Click OK.
2. Double-click the Mobile User VPN Client icon in the Windows desktop tray.
Changing the Shared Key

If your network is compromised in any way, you may want to change the shared key between the Firebox and the remote hosts using IPSec. Reconfigure the Firebox and generate a new end-user configuration file for each remote host. Then reconfigure the remote hosts using one of the following methods:
- Uninstall the Mobile User VPN Client software on the remote host. Reinstall the client using the new .exp file.
- Manually modify the shared key on the remote host. From the Mobile User VPN Client Manager:
  1. Right-click the Firebox icon. Click Edit.
  2. Enter the new shared key. Click OK.

Creating a New Profile

The .exp file automatically adds a profile to the remote host during installation. This end-user name appears in the VP Credential dialog box when you start the Mobile User VPN Client software. If no name appears in the User Name drop list, you must re-install with a new .exp file.

Modifying Remote Gateway Settings

To modify the remote gateway settings, enter the IP address of the Firebox External interface as well as the correct shared key. From the Mobile User VPN Client Manager:
1. Right-click the Firebox icon. Click Edit.
2. Enter the IP address of the Firebox External interface in the Information IP Address field. Click OK.

Renegotiating a Tunnel Manually

There may be times when the end-user wants to manually (re)negotiate a tunnel and its keys. From the Mobile User VPN Client Manager:
1. Click the Firebox IP address. Click Negotiate.
2. Expand the gateway IP address.
3. Click the Wildcard Connections policy entry. Click Negotiate.
Changing Resource Settings

There should be a network resource defined for each and every network protected by the Firebox that you want to access from the remote host. Each resource must have a proper IP address and subnet mask defined. From the Mobile User VPN Client Manager:

To add a new resource
1. Click the Firebox icon.
2. Click Resources.
3. Enter the resource description, IP address, and subnet mask. Click OK. The new resource appears in the list of resources defined for the Firebox.

To edit an existing resource
1. In the list of resources defined for the Firebox, double-click the resource IP address. The Resources from Remote Host dialog box appears, displaying the settings for the selected resource.
2. Edit the description, IP address, and/or subnet mask. Click OK. The modified resource appears in the list of resources defined for the Firebox.

Changing Encryption and Authentication Settings

If you change the encryption or authentication settings on the Firebox, you must mirror the changes on the remote host. From the Mobile User VPN Client Manager:

To modify IKE settings
1. Click IKE Setup. Click the IKE Configuration tab.
2. Modify the IKE settings according to your Mobile User VPN requirements.
3. Click OK.

To modify the IPSec tunnel settings
1. Expand a policy.
2. Right-click the Wildcard Connections policy. Click Edit.
3. Click Security.
4. Modify the IP security configuration according to your security policy requirements.
5. Click OK to close the IP Security Configuration dialog box. Click OK to close the Add Policy dialog box.

Setting up the Network

Several changes to network settings are made during the Mobile User VPN Client installation process. These can be manually modified or configured using the Windows Control Panel Network utility. From the Windows desktop, select Start > Settings > Control Panel. Double-click Network. Verify the following:
- You must have the VPCom Adaptor and the TCP/IP adaptor to use the Mobile User VPN client. If you wish to use Network Neighborhood browsing, you must also have the Client for Microsoft Networks correctly installed and configured.
- Check the values for the DNS Servers, IP Address, Subnet Mask, and Primary WINS Server. These should all reflect the same entries that have been entered for the Firebox.
- For aliased lookups to be successful, you must manually add the proper domain suffixes that are used on the Trusted side of the Firebox.
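The resource list in "Changing Resource Settings" and the name-resolution values in "Setting up the Network" are the settings an administrator most often has to check by hand when a manually reconfigured host cannot establish a tunnel. The following script is an added example (not WatchGuard code and not part of the original guide) that applies those checks to settings copied out of the Client Manager and the Network control panel; the Firebox-side values and the host values are constructed sample data, and the dictionary layout is an assumption of this example.

```python
"""Mirror check for a Mobile User VPN remote host (added example).

Compares a Firebox-side description of the protected networks and name
resolution settings with what a remote host has configured, and reports
every mismatch the guide says will keep a tunnel from working.
"""
import ipaddress

# Constructed Firebox-side expectations (sample values, not from a real device).
FIREBOX_EXPECTED = {
    "protected_networks": ["192.168.10.0/24", "192.168.20.0/24"],
    "dns_servers": ["192.168.10.5"],
    "primary_wins": "192.168.10.5",
    "domain_suffixes": ["corp.example"],
}

# Constructed remote-host settings as read from the Client Manager resource list
# and the Windows Network control panel. Deliberately drifted: the second
# resource has a non-contiguous mask and the Trusted-side suffix was never added.
REMOTE_HOST = {
    "resources": [
        {"description": "Trusted", "ip": "192.168.10.0", "mask": "255.255.255.0"},
        {"description": "Optional", "ip": "192.168.20.0", "mask": "255.255.0.255"},
    ],
    "dns_servers": ["192.168.10.5"],
    "primary_wins": "192.168.10.5",
    "domain_suffixes": [],
}


def resource_network(resource):
    """Return the network a resource entry describes, or None when the IP/mask
    pair is not a proper network (non-contiguous mask, or host bits set)."""
    try:
        return ipaddress.ip_network(f"{resource['ip']}/{resource['mask']}", strict=True)
    except ValueError:
        return None


def check_remote_host(firebox, host):
    """Return a list of findings; an empty list means the host mirrors the Firebox."""
    findings = []

    # Every resource must be a valid network, and every protected network
    # behind the Firebox must be covered by such a resource on the host.
    host_networks = set()
    for res in host["resources"]:
        net = resource_network(res)
        if net is None:
            findings.append(f"resource '{res['description']}' has an invalid "
                            f"IP/mask {res['ip']}/{res['mask']}")
        else:
            host_networks.add(net)
    for expected in firebox["protected_networks"]:
        net = ipaddress.ip_network(expected, strict=True)
        if net not in host_networks:
            findings.append(f"no valid resource covers protected network {net}")

    # Name resolution settings must match the entries made for the Firebox.
    if list(host["dns_servers"]) != list(firebox["dns_servers"]):
        findings.append(f"DNS servers {host['dns_servers']} differ from "
                        f"Firebox {firebox['dns_servers']}")
    if host["primary_wins"] != firebox["primary_wins"]:
        findings.append(f"primary WINS {host['primary_wins']} differs from "
                        f"Firebox {firebox['primary_wins']}")
    for suffix in firebox["domain_suffixes"]:
        if suffix not in host["domain_suffixes"]:
            findings.append(f"domain suffix '{suffix}' missing; aliased lookups will fail")
    return findings


if __name__ == "__main__":
    for line in check_remote_host(FIREBOX_EXPECTED, REMOTE_HOST) or ["host mirrors Firebox"]:
        print(line)
```

Run against the constructed data it reports the bad mask on the Optional resource, the protected network that is therefore uncovered, and the missing domain suffix; the DNS and WINS entries pass.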
Troubleshooting Mobile User VPN

WatchGuard maintains an FAQ on configuring and using the Mobile User VPN client. This is available from our Technical FAQ page at http://www.watchguard.com/faqs. A few of the most common issues found in installing, configuring, and using the Mobile User VPN client are described below.

Why do I have to enter my network log-in information even when I'm not connected to the network?
When you start your computer, you are prompted to enter your Windows network user name, password, and domain. It is very important that you enter this information correctly, just as you would if you were at the office connected to the network. Windows stores the information for use by network adapters and networked applications. Later, when you connect to your ISP and start the Mobile User IPSec client, your computer uses the stored user name, password, and domain to connect to the company network.

Why do I get two user name and password prompts when I turn my computer on?
The first prompt is for access to Windows networking. You must enter the correct user name, password, and domain for later use by the networked applications, including the Mobile User IPSec Client. If you create multiple profiles or password protection on your computer using a different name and/or password than that used for Windows networking, you will receive a second prompt when you start your computer. This second prompt is for access to your local hard drive.

How can I tell if the Mobile User IPSec tunnel is working?
There are several ways to determine whether or not the tunnel is working:
- If, after 30 seconds, no green slash appears through the Mobile User IPSec desktop tray icon, the tunnel is working.
- Ping a computer on your company network. Select Start > Run. Type ping and the IP address of a computer on your company network.
- Renegotiate the tunnels. See "Renegotiating a Tunnel Manually" on page 11.

What is TCP/IP and how do I install and configure it?
TCP/IP is a protocol that enables very diverse computer types to communicate over a network. In other words, it enables a remote computer running Windows 95/98/NT to send information over Internet machines running far different, mainframe operating systems. TCP/IP must be installed to establish a connection with your Internet service provider. You may need to install and configure TCP/IP if your computer has never before been networked.

Windows 95/98
1. From the Windows desktop, select Start > Settings > Control Panel. The Control Panel window opens.
2. Double-click Network. The Network dialog box opens.
3. Click Add.
4. Select Protocol. Click Add.
5. Select Microsoft from the manufacturers list. Select TCP/IP from the Network Protocols list.
6. Click OK. The Network dialog box closes.
7. Restart your computer.

How do I get Outlook to read my company e-mail?
If you have never used your computer to read company e-mail using Microsoft Outlook 97/98, you may need to add or reconfigure the Microsoft Exchange Server service. Your network administrator can provide you with the information needed to complete the Microsoft Exchange Server configuration.
1. Start Outlook.
2. Select Tools > Services. The Services dialog box opens.
3. If Microsoft Exchange Server is installed, click Properties. Verify the Microsoft Exchange Server properties.
4. If Microsoft Exchange Server is not installed, click Add.
5. Select Microsoft Exchange Server. Click OK.
6. Enter the Microsoft Exchange Server properties as supplied by your network administrator.
7. Click OK. You must exit Outlook and restart the application before the settings take effect.

Why do my mapped drives have a red X through them?
Windows 95/98/NT checks and maps network drives automatically when the computer starts. Because there is no way for you to establish a remote session with the company network before the computer actually starts, drive mapping fails during the boot process and a red X appears on the drive icon. Establish a Mobile User IPSec tunnel and open the network drive. The red X will disappear.

How do I map a network drive?
Due to a Windows operating system limitation, mapped network drives disappear when you work remotely. To remap a network drive:
1. From the Windows desktop, right-click Network Neighborhood.
2. Select Map Network Drive. The Map Network Drive dialog box appears.
3. Use the drop list to select a drive letter.
4. Either use the drop list or type a network drive path. For example: \\salesforce\share2\jacktransom
5. Click OK. The mapped drive appears in the My Computer window.
Even if you enable the Reconnect at Logon checkbox, the mapped drive will not appear the next time you start your computer unless it is physically connected to the network.

Why do I sometimes get prompted for a password when I am browsing the company network?
Due to a Windows networking limitation, remote user virtual private networking products only allow access to a single network domain. If your company is large enough to require subnetting (multiple networks connected together), you will only be able to browse your own domain. Attempts to access other domains will result in a password prompt. Unfortunately, even providing the correct information will not open these additional networks.

Why does it take so long to shut down the computer after using Mobile User IPSec?
If you open and browse a mapped network drive during a Mobile User IPSec session, the Windows operating system waits for a signal from the network before it times out and completes the shut-down cycle.

I clicked OK and the Remote User Profile dialog box went away, but nothing happened.
Actually, something did happen. Mobile User IPSec negotiated a tunnel between your computer and your company network. A small icon should appear in the Windows desktop tray.

I lost the connection to my ISP, and now I can't use the company network.
If you lose the Internet connection for long enough, Mobile User IPSec also loses the secure tunnel. Follow the steps to close the tunnel. Then connect to the Internet and restart Mobile User IPSec.

No matter what I do, I can't use the company network.
There may be a problem with the configuration file or the shared passwords.

Why is there a green slash through the Mobile User IPSec client icon in the Windows desktop tray?
A green slash indicates that the tunnel between your computer and the network is down. Exit and restart the client. To exit the client, right-click the desktop tray icon and select Exit.

Why can't I browse the network when I take my laptop to the office?
You may need to create a hardware profile that disables the Mobile User IPSec network adapter when you are working at the office.

Copyright and Patent Information

Copyright 1998-2000 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, Firebox, and LiveSecurity are either a trademark or registered trademark of WatchGuard Technologies, Inc. in the United States and other countries. This product is covered by one or more pending patent applications.

DocVer S-1.0-Mobile User-1