Intergraph InterServe Firewall Quick Start Manual

InterServe Firewall
Quick-Start Guide
January 1998 DSA077920
Warranties and Liabilities
The information and the software discussed in this document are subject to change without notice and should not be considered commitments by Intergraph Computer Systems. Intergraph Computer Systems assumes no responsibility for any errors in this document.
All warranties given by Intergraph Computer Systems about equipment or software are set forth in your purchase contract, and nothing stated in, or implied by, this document or its contents shall be considered or deemed a modification or amendment of such warranties.
Copyright
1998, Intergraph Computer Systems including this documentation, and any software and its file formats and audio-visual displays described herein; all rights reserved; may only be used pursuant to the applicable software license agreement; contains confidential and proprietary information of Intergraph Computer Systems and/or other third parties which is protected by copyright, trade secret and trademark law and may not be provided or otherwise made available without prior written authorization.
Restricted Rights Legend
Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subdivision (c)(1)(ii) of the rights in technical data and computer software clause at DFARS 252.227-7013.
Unpublished rights reserved under the copyright laws of the United States. Intergraph Computer Systems, Huntsville AL 35894-0001
Trademarks
Intergraph and the Intergraph logo are registered trademarks of Intergraph Corporation. InterServe is a trademark of Intergraph Corporation. Other brands and product names are trademarks of their respective owners.
Contents
Introduction ..... 1
Getting Started ..... 2
Connecting to the Internet ..... 2
Configuring Windows NT Server ..... 3
Installing and Configuring Eagle NT ..... 4
Troubleshooting the Configuration ..... 5
Frequently Asked Questions ..... 5
Troubleshooting Techniques ..... 6
Introduction
Welcome to the world of Internet computing! Intergraph Computer Systems’ InterServe Firewall is a server system configured for use as a security device known as a network firewall. InterServe Firewall controls external network access to and from your organization’s internal Transmission Control Protocol/Internet Protocol (TCP/IP) network.
Your InterServe Firewall was delivered with the Microsoft Windows NT Server operating system and associated system software. The system was also delivered with Raptor Systems Eagle NT firewall-dedicated software to help you set up and run a network firewall. Eagle NT acts as a security wall and gateway between a secure, internal network and networks that are not secure (such as the Internet). Eagle NT offers bidirectional Internet security -- simultaneously prohibiting unwanted intruders from accessing the corporate network and managing internal users' Internet access privileges.
Use this Quick-Start Guide to help you configure your new InterServe Firewall and its Eagle NT software. Along with this document, you should refer to the following documents delivered with the system:
• System Setup provides instructions for unpacking, setting up, and configuring the hardware and system software for your InterServe Firewall system. Use this Quick-Start Guide along with System Setup to perform initial setup and configuration of the system.
• For basic information about your system’s hardware, an introduction to your new system is provided in the online System Introduction, which covers subjects such as system features, system controls and connections, and Intergraph Computer Systems customer support. System Introduction is delivered on the system disk; see System Setup for more information.
• Detailed hardware reference information for your new system is available in the System Reference. The System Reference covers subjects such as system components, system wiring diagrams, functional block diagrams, system board descriptions, and upgrading and servicing procedures. The System Reference is delivered on the system disk; see System Setup for more information.
• Microsoft’s Windows NT Server Start Here and online Help provide detailed Windows NT Server information.
• Raptor Systems’ Eagle NT Installation Guide and Eagle NT Configuration Guide provide instructions for installing, configuring, and managing Eagle NT.
Getting Started
To set up and configure your InterServe Firewall and its firewall-dedicated software:
1. Read this Quick-Start Guide completely to understand what you need to do and when you need to do it.
2. Read “Connecting to the Internet” in this document and gather the required networking information.
3. Unpack and set up the system according to the instructions in the System Setup document delivered with the system hardware.
4. Configure Windows NT Server as described in System Setup and Microsoft’s Windows NT Server Start Here, taking the additional steps described in this document.
5. Configure the Raptor Systems Eagle NT software as described in this document and in the Raptor documentation.
Steps 2, 4, and 5 are covered in this document.
Connecting to the Internet
Your system was delivered with two installed network adapters, to provide two physical Ethernet network interfaces. One interface is connected to the external (or outside) network, while the other interface is connected to the internal (or inside) network:
• The on-board Ethernet interface auto-detects the type of network (10/100Base-T), and has an RJ45 connector. Intergraph Computer Systems recommends that this interface serve as the external network interface.
• The second physical interface is a 10/100Base-T auto-sense interface with an RJ45 connector. Intergraph Computer Systems recommends that this interface serve as the internal network interface.
Before you can configure your InterServe Firewall and connect it to the Internet, you must have at least one valid Internet Protocol (IP) address and a registered Internet domain name. A valid IP address is one which has been issued to you by an Internet Service Provider (ISP) or by the Internet Network Information Center (InterNIC).
NOTE If your site already has an Internet connection and a registered Internet domain name, or if you plan to connect the InterServe Firewall system to an internal IP network, you can obtain an IP address and domain name from your site’s network administrator. Otherwise, use the following instructions to obtain an IP address and domain name.
Domain Name Service (DNS) provides IP address to system name translation (for example, 129.135.1.2 is represented by www.intergraph.com). Domain name registration lets outside systems on the Internet connect to your network systems by system name. If you do not have a registered domain name, outside systems can only access your systems by IP address.
Domain name registration can be coordinated with your Internet service provider, or by registration with the InterNIC. The registration process generally takes three to six weeks.
For more information about obtaining an IP address and domain name registration, refer to the InterNIC Web site at http://www.internic.net or contact an Internet service provider.
Obtain and record the following Transmission Control Protocol/Internet Protocol (TCP/IP) networking information:
• External IP address for your system:
• External IP subnet mask for your system:
• Internal IP address for your system:
• Internal IP subnet mask for your system:
• IP domain name for your network:
• External IP address for your network’s default gateway:
• IP addresses for your network’s DNS servers, if any:
Refer to the Eagle NT Installation Guide and Eagle NT Configuration Guide for detailed information on configuring and using TCP/IP and DNS.
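Before typing the recorded values into Windows NT Setup, it is worth checking that they are consistent with each other. The following script is an added example (not part of the Intergraph or Raptor documentation) that applies the guide's own constraints: the external and internal interfaces must be on different subnets, the default gateway must be a host on the external subnet, the inside NIC's gateway must be blank (see Troubleshooting Techniques), and DNS server entries must be valid addresses. All sample values are constructed (RFC 5737 documentation addresses and RFC 1918 private addresses), not real site data.

```python
"""Sanity-check the TCP/IP values recorded for a two-interface firewall.

Added example, not from the Intergraph/Raptor documentation. Sample
values below are constructed and do not belong to any real site.
"""
import ipaddress


def check_firewall_addressing(settings):
    """Return a list of problems found in the recorded settings.

    `settings` uses the keys from the guide's checklist: external_ip,
    external_mask, internal_ip, internal_mask, default_gateway,
    internal_gateway (should be blank) and dns_servers. An empty
    list means the values are mutually consistent.
    """
    problems = []
    try:
        ext_if = ipaddress.IPv4Interface(f"{settings['external_ip']}/{settings['external_mask']}")
        int_if = ipaddress.IPv4Interface(f"{settings['internal_ip']}/{settings['internal_mask']}")
    except (ValueError, KeyError) as exc:
        return [f"unparseable address or mask: {exc}"]

    # The two subnets must not overlap, or the routing table cannot tell
    # the interfaces apart.
    if ext_if.network.overlaps(int_if.network):
        problems.append(f"external {ext_if.network} and internal {int_if.network} subnets overlap")

    # The default gateway belongs on the external subnet and must not be
    # the firewall's own address.
    gw = settings.get("default_gateway", "")
    try:
        gw_addr = ipaddress.IPv4Address(gw)
        if gw_addr not in ext_if.network:
            problems.append(f"default gateway {gw} is not on the external subnet {ext_if.network}")
        elif gw_addr == ext_if.ip:
            problems.append("default gateway is the firewall's own external address")
    except ValueError:
        problems.append(f"default gateway {gw!r} is not a valid IPv4 address")

    # Troubleshooting Techniques: the inside NIC gateway address should be blank.
    if settings.get("internal_gateway"):
        problems.append("internal interface has a gateway set; it should be blank")

    for server in settings.get("dns_servers", []):
        try:
            ipaddress.IPv4Address(server)
        except ValueError:
            problems.append(f"DNS server {server!r} is not a valid IPv4 address")

    return problems


# Constructed sample data: a consistent set and a deliberately wrong one.
GOOD_SETTINGS = {
    "external_ip": "192.0.2.10", "external_mask": "255.255.255.0",
    "internal_ip": "10.1.0.1", "internal_mask": "255.255.255.0",
    "default_gateway": "192.0.2.1", "internal_gateway": "",
    "dns_servers": ["10.1.0.5"],
}
BAD_SETTINGS = {
    "external_ip": "10.1.0.2", "external_mask": "255.255.0.0",   # overlaps internal
    "internal_ip": "10.1.5.1", "internal_mask": "255.255.255.0",
    "default_gateway": "192.0.2.1",        # not on the external subnet
    "internal_gateway": "10.1.5.254",      # should be blank
    "dns_servers": ["dns.example"],        # a name, not an address
}

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_SETTINGS), ("bad", BAD_SETTINGS)):
        print(label, check_firewall_addressing(cfg) or "no problems found")
```

Run the script on the values you wrote into the checklist; each reported problem maps directly to one of the fields above, so it can be corrected before Windows NT Setup is started.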
Configuring Windows NT Server
After you have unpacked and set up the system as described in System Setup, you may complete the installation of Windows NT Server. Use the instructions provided in System Setup and the Windows NT Setup dialogs, taking the following additional steps:
• Select Standalone Server as the security role for the system.
• When you reach the networking portion of Setup, select the following options:
  - Select Wired to the Network for the connection type.
  - During network configuration, you will see references to the Dynamic Host Configuration Protocol (DHCP). Select No for the DHCP option.
  - In the TCP/IP Properties dialog, select the onboard Ethernet adapter and enter the external IP address, subnet mask, and default gateway as recorded previously.
  - Select the 10/100Base-T auxiliary Ethernet adapter, and enter the internal IP address and subnet mask as recorded previously. Verify the system name and domain name are correct.
  - When installation is complete, increase the size of the Windows NT pagefile to at least 300 MB. For instructions on increasing the pagefile size, refer to the operating system documentation and online Help.
• When installation is complete, install the Windows NT Server 4.0 Service Pack 3 (or higher) software, delivered on CD-ROM with the InterServe Firewall.
Installing and Configuring Eagle NT
After initial configuration of Windows NT Server is complete, you can install and configure Eagle NT.
NOTE Before attempting to install Eagle NT, you must log on to the system as Administrator. Logging on to another user account with Administrator privileges will not work.
NOTE The following steps are described in detail in the Eagle NT Installation Guide and the Eagle NT Configuration Guide; refer to these documents for detailed instructions on completing a specific step.
Intergraph Computer Systems recommends that you read these documents before beginning installation and configuration of Eagle NT.
To install and configure Eagle NT:
1. Develop a security policy for your site as described in the Installation Guide. Use the guidelines provided to develop a detailed plan for implementing network security at your site.
NOTE Eagle NT requires Windows NT Server 4.0 Service Pack 3 (or higher) software, delivered on CD with your system. Make sure Service Pack 3 (or higher) software is installed on your system before installing Eagle NT. Review Raptor Systems’ Eagle NT release notes.
2. Install Eagle NT as described in the Eagle NT Installation Guide.
3. Define Eagle NT gateway characteristics as described in the Eagle NT Configuration Guide. The characteristics you choose will depend on the security policy for your site.
4. Set the notifications policy for your site as described in the Configuration Guide. The notifications policy defines who will be notified in response to alert messages generated by Eagle NT. You can configure Eagle NT to take actions such as sending email to certain users, playing audio recordings, or sending notifications to digital pagers.
5. Create network entities as described in the Configuration Guide. Network entities include the groups, domains, subnets, and hosts you will be using to implement your site’s security policy.
6. If you plan to use gateway authentication on the firewall, define users and groups of users as described in the Configuration Guide. Placing users in groups allows you to implement your site’s security policy by writing security rules that apply to a number of users. All users must be defined in a group.
7. Create authorization rules as described in the Configuration Guide. The primary function of Eagle NT is enforcing the authorization rules you define for your site, as detailed in your site’s security policy.
8. Configure any Generic Service Passer (GSP) protocols required for your site as described in the Configuration Guide. Eagle NT provides a set of standard application proxies to handle commonly used services like File Transfer Protocol (FTP) and Telnet. All other services are handled by the GSP.
9. Complete any other configuration tasks required for your site as defined in your site’s security policy. Refer to the Configuration Guide and Installation Guide for more details on other features provided by Eagle NT.
Troubleshooting the Configuration
This section contains answers to frequently asked questions and a list of troubleshooting techniques to help you if you have problems with your Eagle NT configuration. Refer to the Eagle NT Configuration Guide for more information.
Frequently Asked Questions
Nothing works, what’s wrong?
Determine if the problem is due to connectivity, routing, TCP/IP, DNS, or the Eagle NT firewall software. Use a combination of the following tools:
• Check the Eagle NT Logfile as described in the Configuration Guide to see if systems are reaching the firewall. If a network packet comes to the firewall, it is always logged. If there is no log entry for a packet, then the packet never reached the firewall. If this is the case, then the problem may be due to a DNS or routing problem. Check that your DNS and routing configurations are configured as described in the Configuration Guide.
• nslookup verifies the configuration of DNS. If nslookup returns correct information, then DNS is configured properly. Otherwise, the DNS configuration files must be updated to reflect the correct information.
• Check the Windows NT Event Viewer as described in the operating system documentation and online Help. Verify that the Eagle NT services and DNS are starting properly, as described in the Configuration Guide.
• ping is a basic connectivity tester. You can ping internal and external systems from the firewall to see if your TCP/IP connections are working. If the connections are not working, TCP/IP may not be configured properly. Verify that TCP/IP is configured properly as described in the Configuration Guide.
I can surf the Web, but I can’t get to my Web server.
This problem usually occurs when the inside DNS domain name is the same as the external DNS domain name. The inside client has queried the internal DNS server for the address of the external Web server. Since the internal DNS server is authoritative for the domain and does not know the address of the requested node, the query will fail. To correct the problem, ensure that you put the entries for the Web server in the internal DNS files.
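The failure above is a property of authoritative DNS rather than of the firewall: a server that is authoritative for a zone answers names in that zone from its own records and never forwards them, so a public host that is missing from the internal zone gets a negative answer. The following Python model is an added example (not from the Intergraph or Raptor documentation); the zone name, records and the stand-in for the firewall's DNS server are constructed, except for the www.intergraph.com address quoted earlier in this guide.

```python
"""Model of the dual-zone (split) DNS failure described in the FAQ.

Added example, not from the Intergraph/Raptor documentation. Zone data
and the firewall-side resolver are constructed stand-ins.
"""


class InternalDnsServer:
    """Authoritative for `zone`; forwards every other name to the firewall's DNS."""

    def __init__(self, zone, records, forwarder):
        self.zone = zone.lower().rstrip(".")
        self.records = {k.lower().rstrip("."): v for k, v in records.items()}
        self.forwarder = forwarder   # callable: name -> address or None

    def in_zone(self, name):
        return name == self.zone or name.endswith("." + self.zone)

    def resolve(self, name):
        key = name.lower().rstrip(".")
        if self.in_zone(key):
            # Authoritative answer: either the record exists or the name does
            # not exist (None stands for NXDOMAIN). No forwarding happens here.
            return self.records.get(key)
        return self.forwarder(key)


# Constructed view of what the firewall's own DNS server can resolve.
FIREWALL_DNS_DATA = {
    "www.example.com": "198.51.100.20",   # the site's public Web server (constructed)
    "www.intergraph.com": "129.135.1.2",  # address quoted in this guide
}


def firewall_resolver(name):
    return FIREWALL_DNS_DATA.get(name)


def add_public_hosts_to_internal_zone(server, names):
    """The FAQ's fix: put the Web server entries into the internal DNS files."""
    for name in names:
        server.records[name.lower()] = FIREWALL_DNS_DATA[name]


def demo():
    """Return (answers before the fix, answer after the fix)."""
    internal = InternalDnsServer(
        zone="example.com",
        records={"fileserver.example.com": "10.1.0.7"},
        forwarder=firewall_resolver,
    )
    before = (internal.resolve("www.intergraph.com"),   # other domain: forwarded, works
              internal.resolve("www.example.com"))      # own domain, no record: NXDOMAIN
    add_public_hosts_to_internal_zone(internal, ["www.example.com"])
    after = internal.resolve("www.example.com")
    return before, after


if __name__ == "__main__":
    print(demo())
```

The model shows why "I can surf the Web" and "I can't reach my own Web server" coexist: names outside the site's domain are forwarded and succeed, while names inside it are answered locally, so the public server must have a record in the internal zone.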
I created a rule to FTP, Telnet, and Hypertext Transport Protocol (HTTP) with “universe” as the source and destination, but I get “authorization failed” messages.
“Universe” as the source and destination implies the same network entity on both sides of the firewall. In this case, Eagle NT will not allow this because the default rule (DENY) applies. If another, less-stringent rule is configured for this relationship, it will default to the most stringent (DENY). If you do this, you will see the message 'EXPLICIT DENY FROM RULE 1' in the log.
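The precedence described in this answer (a rule with the same entity on both sides collapses to DENY, and when several rules cover one connection the most stringent outcome wins) can be made concrete with a small evaluator. The following Python code is an added example and is not Raptor's rule engine; it reproduces only the behaviour stated in the FAQ. The entity names, subnets, services and rule numbers are constructed, and the 'EXPLICIT DENY FROM RULE n' text mirrors the log message quoted above.

```python
"""Toy model of authorization-rule precedence as described in the FAQ.

Added example, not Raptor's implementation. Entities, subnets and rule
numbers are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Network entities: "universe" matches every address; the others are subnets.
ENTITIES = {
    "universe": None,
    "inside_net": ipaddress.ip_network("10.1.0.0/16"),
    "outside_web": ipaddress.ip_network("198.51.100.0/24"),
}


def entity_contains(entity, addr):
    net = ENTITIES[entity]
    return net is None or ipaddress.ip_address(addr) in net


@dataclass(frozen=True)
class Rule:
    number: int
    source: str
    destination: str
    services: frozenset
    action: str          # "ALLOW" or "DENY" as written by the administrator

    def matches(self, src, dst, service):
        return (entity_contains(self.source, src)
                and entity_contains(self.destination, dst)
                and service in self.services)

    def effective_action(self):
        # FAQ: the same entity on both sides cannot be allowed; the default
        # DENY applies to that rule regardless of the action it was given.
        if self.source == self.destination:
            return "DENY"
        return self.action


def evaluate(rules, src, dst, service):
    """Return (decision, log_message) for one connection attempt."""
    hits = [r for r in rules if r.matches(src, dst, service)]
    if not hits:
        return "DENY", "DEFAULT DENY (no rule matches)"
    # Most stringent wins: any matching DENY overrides every matching ALLOW.
    denies = sorted((r for r in hits if r.effective_action() == "DENY"),
                    key=lambda r: r.number)
    if denies:
        return "DENY", f"EXPLICIT DENY FROM RULE {denies[0].number}"
    return "ALLOW", f"ALLOW FROM RULE {min(hits, key=lambda r: r.number).number}"


# The rule set from the FAQ question, plus a narrower rule that it overrides.
BROKEN_RULES = [
    Rule(1, "universe", "universe", frozenset({"ftp", "telnet", "http"}), "ALLOW"),
    Rule(2, "inside_net", "outside_web", frozenset({"http"}), "ALLOW"),
]
# The repair: distinct entities on each side instead of universe -> universe.
FIXED_RULES = [
    Rule(1, "inside_net", "outside_web", frozenset({"ftp", "telnet", "http"}), "ALLOW"),
]

if __name__ == "__main__":
    for rules in (BROKEN_RULES, FIXED_RULES):
        print(evaluate(rules, "10.1.2.3", "198.51.100.20", "http"))
```

With BROKEN_RULES an inside client's HTTP request matches both rules, but rule 1 collapses to DENY and wins, producing exactly the log message the FAQ describes; with FIXED_RULES the same request is allowed, and a connection in the reverse direction falls to the default DENY because no rule covers it.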
Why can’t I ping through the firewall?
ping is an Internet Control Message Protocol (ICMP) message type, not a TCP message type. ICMP message types are not allowed to run through the firewall. A tunnel can be created to pass ICMP, but this is not recommended. Tunnel creation is described in the Eagle NT Configuration Guide.
Can I put a firewall between a Primary Domain Controller and a Backup Domain Controller, or between trusted Windows NT domains?
Yes. You do this by creating a local tunnel.
FTP and Telnet are fast, but HTTP is slow. Why?
There are various reasons for this problem. First, make sure you have the latest version of the software and all the latest patches. Determine if there is a reverse DNS lookup problem (HTTP is one of a few TCP/IP applications that does a reverse DNS lookup). Many HTTP servers perform a reverse DNS lookup to log the TCP host name that is requesting a connection.
Can I mount a share to the Web server outside the firewall?
Yes. See the filter descriptions in the Eagle NT Configuration Guide.
Can I put a Web server inside the firewall?
Yes, but the internal address for the Web server must be advertised outside the firewall, or you must use a virtual address.
Troubleshooting Techniques
Do the following to troubleshoot the configuration and operation of the firewall:
• Consult the support section of Raptor’s Web site at www.raptor.com.
• If connecting to an outside Web server (for example, www.intergraph.com) does not work from an inside client, try connecting by its IP address. If the IP address works, it is probably a DNS problem. If the IP address does not work, check the firewall logfile. If there is no entry for the attempted connection, there is a routing problem. If there is a log entry, there is not a valid allow rule. Create an allow rule as described in the Configuration Guide.
• Try pinging an outside Web server (for example, www.intergraph.com) from the firewall. If this does not work, but pinging by address works, there is most likely a problem on the internal DNS server; you’ve configured a dual-zone DNS (described in the Eagle NT Configuration Guide). The query from the firewall should go to the internal DNS server. (Remember that, for Eagle NT to resolve internal DNS names, it must query the internal server.)
  Since the internal DNS server will not find an entry for the outside Web server, it will forward the request back to the DNS server on the firewall. The firewall then queries a root server. When the firewall receives the response, it forwards it back to the internal DNS server, which then sends the results back to the firewall.
• Always make sure you have the correct version of software and all the latest patches.
• If you install Eagle NT and later make the system a dual-boot system, the system’s volume ID will change and the Raptor key will then be invalid.
• The inside NIC gateway address should be blank.
• Every inbound and outbound connection at the firewall should be logged.
• Shut down the Eagle Service on the InterServe Firewall using the command net stop eagle when configuring notifications.
• When making changes to the Hawk service, always issue the command update, followed by the command save.
• Most problems relate to DNS. Always check the event log when DNS is initially configured. Utilities like nslookup are very useful in troubleshooting DNS problems.
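The decision sequence in the "Nothing works" answer and in the technique above (try the name, then the address; if the address fails, look for the attempt in the firewall log, where a missing entry means routing and a logged entry without an allow means a rule problem) can be written down as a small triage script. The following Python is an added example, not part of the Intergraph or Raptor documentation. The log line format it parses is constructed for this example and is not Eagle NT's real logfile format; the client and server addresses are likewise constructed, apart from the www.intergraph.com address quoted in this guide.

```python
"""Triage a failed connection using the guide's troubleshooting order.

Added example, not from the Intergraph/Raptor documentation. The log
format below is constructed and does not match Eagle NT's real logfile.
"""
import re

# Constructed sample log lines, not real Eagle NT output.
SAMPLE_LOG = [
    "1998-01-12 10:15:02 CONNECT src=10.1.2.3 dst=129.135.1.2 svc=http result=ALLOW rule=2",
    "1998-01-12 10:15:40 CONNECT src=10.1.2.3 dst=198.51.100.20 svc=http result=DENY msg='EXPLICIT DENY FROM RULE 1'",
    "1998-01-12 10:16:05 CONNECT src=10.1.2.9 dst=198.51.100.20 svc=ftp result=DENY msg='DEFAULT DENY'",
    "1998-01-12 10:16:30 eagle service started",   # not a connection record; skipped
]

LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) svc=(?P<svc>\S+) result=(?P<result>\S+)")


def parse_log(lines):
    """Yield one dict per line that looks like a connection record."""
    for line in lines:
        match = LOG_RE.search(line)
        if match:
            yield match.groupdict()


def find_attempts(lines, client_ip, server_ip, service=None):
    """All logged attempts from client_ip to server_ip (optionally one service)."""
    return [rec for rec in parse_log(lines)
            if rec["src"] == client_ip and rec["dst"] == server_ip
            and (service is None or rec["svc"] == service)]


def diagnose(lines, client_ip, server_ip, service, name_works, ip_works):
    """Return (diagnosis, supporting log record or None).

    name_works / ip_works are the results of the two manual tests the
    guide asks for: connecting by host name, then by IP address.
    """
    if name_works:
        return "ok", None
    if ip_works:
        # Address works but name does not: the guide attributes this to DNS.
        return "dns", None
    attempts = find_attempts(lines, client_ip, server_ip, service)
    if not attempts:
        # Every packet reaching the firewall is logged, so no entry means
        # the packet never arrived: a routing problem.
        return "routing", None
    denied = [a for a in attempts if a["result"] == "DENY"]
    if denied:
        # The firewall saw the attempt and had no valid allow rule for it.
        return "missing_allow_rule", denied[-1]
    # The firewall logged and allowed it, so the fault is beyond the firewall.
    return "passed_firewall", attempts[-1]


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, "10.1.2.3", "198.51.100.20", "http", False, False))
    print(diagnose(SAMPLE_LOG, "10.1.2.3", "203.0.113.5", "http", False, False))
    print(diagnose(SAMPLE_LOG, "10.1.2.3", "129.135.1.2", "http", False, True))
```

The two boolean inputs stand for the manual tests (connect by name, connect by address) that the guide asks you to run first; only when both fail does the script consult the log, which is the same order the technique above prescribes. Adapt LOG_RE to the real logfile layout before using this against Eagle NT output.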