Multitech RouteFinder RF650VPN User Manual
RF650VPN
Internet Security Appliance
User Guide
User Guide
RouteFinder Model RF650VPN
S000219D Revision D
This publication may not be reproduced, in whole or in part, without prior expressed written permission
Multi-Tech Systems, Inc. All rights reserved.
from
Copyright © 2001-2002 by Multi-Tech Systems, Inc.
Multi-Tech Systems, Inc. makes no representations or warranty with respect to the contents hereof and
specifically disclaims any implied warranties of merchantability or fitness for any particular purpose.
Furthermore, Multi-Tech Systems, Inc. reserves the right to revise this publication and to make changes
from time to time in the content hereof without obligation of
organization of such revisions or changes.
Multi-Tech Systems, Inc. to notify any person or
Record of Revisions
Revision Date Description
A 09/05/01 Manual released for RouteFinder software version 1.92.
B 12/04/01 Manual revised for RouteFinder software version 2.00. Refer to Appendix
C for a description of changes.
C 02/25/02 Updated with changes to Appendixes A, E, and F.
D 10/09/09 Removed examples that are now covered in separated Reference
Guides.
Patents
This Product is covered by one or more of the following U.S. Patent Numbers: 6.219.708; 5.301.274;
5.309.562; 5.355.365; 5.355.653; 5.452.289; 5.453.986. Other Patents Pending.
Trademarks
Trademarks of Multi-Tech Systems, Inc.: Multi-Tech, the Multi-Tech logo, and RouteFinder.
Windows is a registered trademark of Microsoft Corporation in the United States and other countries.
All products or technologies are the trademarks or registered trademarks of their respective holders.
World Headquarters
Multi-Tech Systems, Inc.
2205 Woodale Drive
Mounds View, Minnesota 55112
(763) 785-3500 or (800) 328-9717
Fax 763-785-9874
Tech Support (800) 972-2439
Internet Address: http://www.multitech.com
Contents
Chapter 1 – Introduction and Description ................................................................................................5
Introduction................................................................................................................................................5
Product Description ...................................................................................................................................5
About this Manual and Related Manuals...................................................................................................5
Front Panel ................................................................................................................................................ 6
Back Panel................................................................................................................................................. 7
Ship Kit Contents....................................................................................................................................... 7
Features..................................................................................................................................................... 8
Specifications............................................................................................................................................. 8
Pre-Installation Planning - the Organizational Security Policy ..................................................................9
RF650VPN Technology...........................................................................................................................12
Chapter 2 - Installation .............................................................................................................................16
Introduction..............................................................................................................................................16
Address Table.......................................................................................................................................... 17
Safety Warnings ......................................................................................................................................18
Safety Recommendations for Rack Installations..................................................................................... 18
Hardware Installation Procedure ............................................................................................................. 19
Cabling Procedure ...................................................................................................................................19
Software Configuration............................................................................................................................20
Chapter 3 – RouteFinder Software Operation........................................................................................ 34
Introduction..............................................................................................................................................34
System..................................................................................................................................................... 35
Definitions (Networks and Services) ....................................................................................................... 63
Network (Network Settings).....................................................................................................................74
Proxies (Application Gateways)............................................................................................................. 111
VPN (Virtual Private Networks) .............................................................................................................121
Help (The Online Help Functions) ......................................................................................................... 158
Chapter 4 - Troubleshooting.................................................................................................................. 161
RouteFinder FAQs.................................................................................................................................161
Problem Solving .................................................................................................................................... 169
Error Messages .....................................................................................................................................171
Chapter 5 - PC Board Components, Upgrades, and Add-ons............................................................ 182
Introduction............................................................................................................................................182
PC Board Components.......................................................................................................................... 182
Top Cover Removal / Replacement ......................................................................................................184
Upgrades ............................................................................................................................................... 184
Rack Mounting.......................................................................................................................................185
Software Upgrades and Add-ons ..........................................................................................................186
License Keys .........................................................................................................................................187
RouteFinder Maintenance ..................................................................................................................... 188
Chapter 5 - Service, Warranty, and Technical Support .......................................................................190
Warranty ................................................................................................................................................ 190
On-line Warranty Registration ............................................................................................................... 190
Recording RouteFinder Information ......................................................................................................191
Contacting Tech Support via E-mail......................................................................................................191
Service...................................................................................................................................................192
Multi-Tech on the Internet...................................................................................................................... 192
Repair Procedures................................................................................................................................. 192
Ordering Accessories ............................................................................................................................194
Appendix A – Application Examples and How to Use Remote Syslog .............................................195
Appendix B – Cable Diagrams ............................................................................................................... 203
Appendix C - The WebAdmin Menu System ........................................................................................ 206
Appendix D - User Authentication Methods......................................................................................... 211
Appendix E – Regulatory Information................................................................................................... 214
Appendix F - License Agreements ........................................................................................................ 217
Glossary................................................................................................................................................... 226
Index......................................................................................................................................................... 239
Chapter 1 – Introduction and Description
Chapter 1 – Introduction and Description
Introduction
Welcome to Multi-Tech’s new RouteFinder, Model RF650VPN. The RouteFinder Internet security
appliance is an integrated VPN gateway/firewall designed to maximize network security without
compromising network performance. It uses data encryption, user authentication and the Internet to
securely connect telecommuters, remote offices, customers or suppliers to the corporate office while
avoiding the cost of private leased lines or dial-up charges.
Product Description
The RF650VPN is a 1U rackmountable hardware/software solution that provides advanced network
firewall (Stateful Packet Inspection and NAT), application firewall (DMZ, proxies, filter, optional email antivirus protection), VPN gateway (IPSec, PPTP, 3DES, authentication), and full router capabilities. The
RouteFinder’s three 10/100 Ethernet ports can provide connectivity to the user’s network, Internet access
via router, DSL, cable or dedicated line, and DMZ.
The RouteFinder’s DMZ port permits connecting of Voice over IP gateways, like MultiVOIPs, and public
servers such as email and web to be safely connected. And its full-featured router hardware allows the
entire network to share an Internet link by connecting to an existing cable modem, DSL modem or router.
An optional E-mail antivirus update feature includes protection against new virus types and security gaps
with automatically transferred updates.
The browser-based interface eases VPN configuration and management. The VPN functionality is based
on the IPSec and PPTP protocols and uses Triple DES 168-bit encryption to ensure that your information
remains private. In addition, the RF650VPN includes firewall security utilizing Stateful Packet Inspection,
and provides optional email anti-virus protection.
About this Manual and Related Manuals
This manual is provided on the RouteFinder RF650VPN System CD in Acrobat (.PDF) format. It can be
viewed, printed, and searched (
provided on the System CD as well.
Related manuals may include add-on product documentation for options such as the IPSec VPN client,
the E-mail Anti-Virus Protection Upgrade, etc.
This document contains links to sites on the Internet which are owned and operated by third parties. MultiTech Systems, Inc. is not responsible for the content of any such third-party site.
Multi-Tech RouteFinder RF650VPN User Guide 5
Ctl-F) effectively from Acrobat Reader 4 or 5. The Acrobat Reader is
Chapter 1 – Introduction and Description
Front Panel
The RF650VPN has 16 front panel LEDs that provide device and network operating status.
The RF650VPN Front Panel
The RF650VPN front panel LEDs are described below.
LED Description
LAN LEDs
LINK The LINK LED indicates link integrity for the LAN Ethernet port. If the Ethernet link
is valid at either 10 Mbps or 100Mbps, the LINK LED is lit. If the Ethernet link is invalid,
the LINK LED is off.
ACT The ACT (Activity) LED indicates either transmit or receive activity on the LAN
Ethernet port. When activity is present on the LAN Ethernet port, the ACT LED is lit.
When no activity is present on the LAN Ethernet port, the ACT LED is off.
100MB The 100MB LED indicates the speed of the LAN Ethernet port. The 100MB LED is
lit if the LAN Ethernet port is linked at 100Mbps. The 100MB LED is off at 10 Mbps.
WAN LEDs
LINK The LINK LED indicates link integrity for the WAN Ethernet port. If the link is valid
in either 10 Mbps or 100 Mbps, the LINK LED is on; if the WAN Ethernet link is invalid,
the LINK LED is off.
ACT The ACT (Activity) LED indicates either transmit or receive activity on the WAN
Ethernet port. When activity is present, the ACT LED is on; when no activity is present,
the ACT LED is off.
100MB The 100MB LED indicates the speed of the WAN Ethernet port. The 100MB LED is
lit if the WAN Ethernet port is linked at 100 MBps. The 100MB LED is off at 10 Mbps.
DMZ LEDs
ACT The ACT (Activity) LED indicates either transmit or receive activity on the DMZ
Ethernet port. When activity is present, the ACT LED is lit. When no DMZ Ethernet port
activity is present, the ACT LED is off.
100MB The 100MB LED indicates the speed of the DMZ Ethernet port. The 100MB LED is
lit if the DMZ Ethernet port is linked at 100 Mbps. The 100MB LED is off if the DMZ
Ethernet port is linked at 10 Mbps.
Modem LEDs (DCD, RD, DTR, TD): These LEDs are not
used.
System LEDs
HDD ACT The HDD ACT (Hard Disk Drive Activity) LED lights when the RF650VPN hard disk
drive is accessed.
ALERT The ALERT LED is not used.
POWER The POWER LED is off when the RF650VPN is in a reset state. When the POWER
LED is lit, the RF650VPN is not in a reset state.
Multi-Tech RouteFinder RF650VPN User Guide 6
Chapter 1 – Introduction and Description
Back Panel
The RF650VPN back panel has a fan, a power plug, the POWER Switch (| / o), an RJ-11 LINE jack, a
DB-9 COM1 jack, a DB-15 High-density DSUB (VIDEO) jack, two USB (Revision 1.1 compliant) jacks, an
RJ-45 DMZ jack, an RJ-45 (WAN) jack, and an RJ-45 (LAN) jack.
The RF650VPN back panel is illustrated and described below.
The RF650VPN Back panel
The back panel components are described in detail in the Cabling Procedure section in Chapter 2 of this
manual.
Ship Kit Contents
The RF650VPN is shipped with the following:
· one RF650VPN
· one or two power cords (two for Euro/UK model)
· one printed Quick Start Guide
· one 44-pin (m) to 40-pin (f) HDD-to-CDR adapter
· two Rack Mounting Brackets and four mounting screws
· one RF650VPN System CD with License Key
If any of these items are missing, contact Multi-Tech Systems or your dealer or distributor. Inspect the
contents for signs of any shipping damage. If damage is observed, do not power up the RF650VPN;
contact Multi-Tech’s Tech Support for advice.
Multi-Tech RouteFinder RF650VPN User Guide 7
Chapter 1 – Introduction and Description
Features
· Supports up to 256 IPSec and/or 128 PPTP VPN tunnels for secure LAN-to-LAN and Client-to-LAN
access over the Internet (Note: IPX and Netbeui not supported when using PPTP tunneling.)
· Utilizes 168-bit Triple Data Encryption Standard (3DES)
· 3DES encryption throughput of 15M bps
· Built-in Stateful Packet Inspection firewall with Network Address Translation (NAT)
· Automatic system updates to protect your network against the latest threats
· Application layer security using SMTP, HTTP, DNS and SOCKS proxies
· Improves network performance to frequently accessed web sites with built-in caching server
· Secure local or remote management using HTTPS or SSH
· Reporting function provides valuable troubleshooting information
· Three built-in 10/100 Ethernet ports (LAN, WAN, DMZ)
· Shared broadband or dedicated Internet access for up to 255+ LAN users with one IP address
· Internet access control tools provide client and site filtering
· Traffic monitoring and reporting
· IP address mapping/port forwarding and DMZ port
Specifications
LAN Ports: Number of Ports: 3 (LAN, WAN and DMZ port)
Interface: 10BaseT/100BaseT
Standards: 802.3
Encryption: Algorithms: 168-bit Triple Data Encryption Standard (3DES-CBC), MPPE 40-bit/128-bit
Throughput: 15M bps (3DES)
Protocols: Security: IPSec, IKE, NAT, PPTP, HTTPS, SSH, SCP
Authentication: Shared secret and built-in authentication server
Network: TCP/IP, DNS
Filtering: Protocol, port number, and IP address
Proxies: HTTP, SMTP, DNS, SOCKS
Processor: Pentium-class 566MHz processor (field upgradeable)
Memory: 128MB (field upgradeable)
Disk Space: 10 GB hard drive (field upgradeable)
Power: Voltage & Frequency: 100-240v AC, 50-60 Hz
Power Consumption: 30 Watts
Physical Description: 17" w × 1.75" h × 10.5" d; 10 lbs. (1U rackmountable)
(43.18 cm × 4.45 cm × 26.67 cm; 4.54 kg)
Operating Environment: Temperature Range: 32º – 120º F (0-50º C)
Humidity: 25-85% noncondensing
Approvals: FCC Part 68, FCC Part 15 (Class A), CE Mark, UL60950
Multi-Tech RouteFinder RF650VPN User Guide 8
Chapter 1 – Introduction and Description
Pre-Installation Planning - the Organizational
Security Policy
Having an organization-wide security policy is the first and perhaps most important step in general
security planning. Organizations without a well-devised top level security policy will not have ready
answers to questions such as:
· Who is allowed access to which servers ?
· Where are the backups stored ?
· What is the recovery procedure for a security breach ?
These questions must be answered in terms of security costs, useability, compatibility with internal
"culture", and alignment with your site's legal requirements.
Putting a security policy in place and keeping abreast of new security issues as they arise are paramount
to securing your network.
Security management is one of the categories defined by the ISO (International Standards
Organization) from http://www.iso.ch/welcome.html and http://www.iso.ch/iso/en/ISOOnline.frontpage .
Sources of security policy information include the SANS Institute, Microsoft, FreeSwan and other
sources.
The SANS (System Administration, Networking, and Security) Institute, founded in 1989, is a
cooperative research and education organization of more than 96,000 system administrators, security
professionals, and network administrators. The SANS community creates System and security alerts and
news updates, Special research projects and publications, In-depth education, and Certification. Contact
the SANS at http://www.sans.org/newlook/home.htm .
Linux FreeS/WAN is an implementation of IPSEC and IKE for Linux. Several companies are co-operating
in the S/WAN (Secure Wide Area Network) project to ensure that products will interoperate. There is
also a VPN Consortium fostering cooperation among companies in this area. FreeS/WAN source code is
freely-available, runs on a range of machines including cheap PCs, and is not subject to US or other
nations' export restrictions: http://www.freeswan.org/.
Microsoft Windows 2000 and Windows NT security and related HowTos, Problem Solving,
Documentation, Security Bulletins, and Troubleshooting are available at:
http://www.microsoft.com/technet/default.asp.
Attrition.org (http://www.attrition.org) is a computer security Web site dedicated to the collection,
dissemination and distribution of information about the industry for anyone interested in the subject. They
maintain one of the largest catalogs of security advisories, cryptography, text files, and denial of service
attack information. They are also known for the largest mirror of Web site defacements and their crusade
to expose industry frauds and inform the public about incorrect information in computer security articles.
ATTRITION.ORG is a privately owned and operated system hosted via Inficad Computing and Design.
Computer Security Index FAQ Home Page: http://web.superb.net/islander/crypto/alt-security-keydist-
FAQ.html
The CERT (Computer Emergency Reponse Team) site at ftp://info.cert.org/ lists all of the Coordination
Center (CERT-CC) past advisories, as well as 24-hour technical assistance in responding to computer
security incidents.
Multi-Tech RouteFinder RF650VPN User Guide 9
Chapter 1 – Introduction and Description
RISKS (Risks to the Public in the Use of Computers and Related Systems) is a moderated forum for
the discussion of risks to society from computers and computerization. Their web site is at
http://catless.ncl.ac.uk/Risks.
The NIAP (National Information Assurance Partnership) was created in 1997 to join the efforts of the
National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) to meet
the security testing, evaluation, and assessment needs of both IT producers and consumers. Its long-term
goal is to boost consumer confidence in their information systems and networks. Agencies such as the
Federal Aviation Administration are starting to work with NIAP to better define their security requirements,
and NIAP is looking for other target communities where the organization can serve as a catalyst to spur
security requirements and standardization of rules.
See http://niap.nist.gov/niap/objectives.html
GASSP (Generally Accepted System Security Principles) began in mid-1992 in response to a 1990
recommendation from the National Research Council. The effort is sponsored by the International
Information Systems Security Certification Consortium (ISC2), an international common-criteria effort to
develop IT product-related information security principles.
Its objectives include promoting good practices and providing an authoritative point of reference for IT
professionals and a legal reference for the rest of the world for information security principles, practices,
and opinions. The GASSP Pervasive Principles have been developed, and work has begun on defining
and mapping the GASSP Broad Functional Principles.
Go to http://web.mit.edu/security/www/gassp1.html
The Center for Internet Security - The Center, founded in October 2000, is focused on helping
organizations worldwide manage information security risk efficiently. The group, which is vendor- neutral,
provides tools to measure, monitor, improve, and compare the security status of Internet-connected
systems and appliances. Some 200 members help identify the top security threats and participate in
creating practical methods to reduce those threats. The Center's web site is at http://www.cisecurity.org/.
The British Standard (BS) 7799 is an enterprise security policy standard popular in several European
countries. The BS 7799 standard has two main elements: a code of practice for information security
management and a specification for information security management systems. It prescribes a specific
process to determine what policies should be in place, how to document them, and how to develop those
that are not specifically identified in the model.
CASPR (Commonly Accepted Security Practices & Recommendations)
launched in August 2001,
CASPR focuses on distilling expert information via free papers available via the Internet. With the Open
Source movement as a guide, CASPR has approximately 100 certified security professionals involved
and is actively recruiting subject matter experts in all areas of information security.
http://www.caspr.org/aboutcaspr.php
IETF (Internet Engineering Task Force) the international standards body that has standardized the IP
protocol and most of the other successful protocols used on the Internet. The IETF web page is at
http://www.ietf.org/. To help get started with a security policy, try RFC2504 - Users' Security Handbook,
and RFC 2196 - Site Security Handbook.
Multi-Tech RouteFinder RF650VPN User Guide 10
Chapter 1 – Introduction and Description
All enterprises should have a carefully planned security policy that protects their network. Your security
policy should define both what should be protected as well as how it should be protected. A
comprehensive, clear and well-communicated security policy is an important first step in protecting any
network from the many threats associated with the power of the Internet.
A corporate Internet security policy should cover at least 6 major areas, including:
1.
Acceptable Use – here you must define the appropriate use of the network and other computing
resources by any and all users. This should include policy statements like: “password sharing is not
permitted"; "users may not share accounts"; and "users may not make copies of copyrighted
software.”
Remote Access – outlines acceptable (and unacceptable) means of remotely connecting to the
2.
internal network. Cover all of the possible ways that users remotely access the internal network, such
as dial-in, ISDN, DSL, cable modem, Telnet and others. Specify who is allowed to have remote
access as well as how users may obtain remote access. The security policy must also address who
is allowed high-speed remote access and any extra requirements associated with that privilege (e.g.,
all remote access via DSL requires that a firewall be installed). You will also want to define users' Email security here (e.g., in MS Outlook at Tools|Options|Security|Zone Settings|Security
Settings).
3.
Information Protection – provide guidelines to users that define the use of and transmission of
sensitive information to ensure the protection of your enterprise’s key elements of information (e.g.,
set a standard for encryption level (such as 3DES) for information sent over the Internet.
Firewall Management – define how firewall hardware and software is managed. This includes change
4.
requests and approval, periodic review of firewall configurations, and firewall access privilege setting.
5.
Special Access – provide guidelines for any special, non-standard needs for access to specialized
networks or systems.
6.
Network Connection – establish policies for adding new devices and new users to the network, with
an approval process, along with the associated security requirements.
The policy statements should be clear, easy to understand and supported by management.
Note: This document contains links to sites on the Internet which are owned and operated by third
parties. Multi-Tech Systems, Inc. is not responsible for the content of any such third-party site.
Multi-Tech RouteFinder RF650VPN User Guide 11
Chapter 1 – Introduction and Description
RF650VPN Technology
Before we look at how the RouteFinder works and how to use it, we will illustrate why the RouteFinder is
necessary for the protection of networks, as well as show which problems and risks exist without an
appropriate security system.
Networks
These days, the Internet is firmly established as the key technology for communication and information
procurement; as a storage medium for knowledge and experience values and as the market place for
information services. Since the beginning, its dimensions have multiplied and from 1995 to 2001, the
world wide increase in domains names has been almost exponential.
The systems in the global network communicate via the Internet Protocol Family (IP), including TCP, UDP
or ICMP. The IP addresses are the basis of this communication. They clearly identify all available units
within the network.
The Internet itself is actually just a collection of computer networks around the world of varying shape,
size and speed. Where two or more networks join, a whole host of tasks arise, which are dealt with by
routers, bridges or gateways. A special type of connection between two networks is called a firewall.
Generally speaking, three types of networks meet at the firewall:
1. External network/Wide Area Network (WAN)
2. Internal Network/Local Area Network (LAN)
3. De-Militarized Zone (DMZ)
Firewall Network Connections
Multi-Tech RouteFinder RF650VPN User Guide 12
Chapter 1 – Introduction and Description
The Firewall
The characteristic tasks of a firewall as a connection between WAN, LAN and DMZ are:
· Protection from unauthorized access
· Access control
· Ensure information integrity
· Perform analysis of protocols
· Alert the administrator of relevant network events
· Conceal internal network structure
· Decoupling of servers and clients via proxies
· Ensure confidentiality
There are several generic network components that, brought together under the heading Firewall, are
responsible for these tasks. The following sections provide a brief look at some of the forms and their
derivatives.
Network Layer Firewalls: Packet filter
As the name suggests, this is where IP packets (consisting of address information, some flags and the
payload) are filtered. With this kind of firewall you can grant or deny access to services, according to
different variables. Some of these variables are:
· The source address
· The target address
· The protocol (e.g. TCP, UDP, ICMP)
· The port number
The great advantage of a network layer firewall is its independence of both the operating system and the
applications running on the machine.
In more complex network layer firewall implementations, the packet filtering process includes the
interpretation of the packet payload. The status of every current connection is analyzed and recorded.
This process is called stateful inspection.
The packet filter records the state of every connection and only lets packets pass that meet the current
connection criteria. This is especially useful for establishing connections from a protected network to an
unprotected network.
If a system establishes a connection to a protected network, the Stateful Inspection Packet Filter lets a
host’s answer packet pass back into the protected network. If the original connection is closed, no system
from the unprotected network can send packets into the protected network any longer – unless you
explicitly allow it.
Well Known Ports are controlled and assigned by the IANA, and on most systems can only be used by
system (or root) processes or by programs run by privileged users. Ports are used in TCP (RFC793) to
name the ends of logical connections which carry long term conversations, and typically, these same port
assignments are used with UDP (RFC768). The assigned ports are in the range 0-1023. IETF RFC 1700
provides a list of the well-known port number assignments.
IETF RFCs are available on the Internet from a number of sources.
Multi-Tech RouteFinder RF650VPN User Guide 13
Chapter 1 – Introduction and Description
Application Layer Gateways: Proxies
A second significant type of firewall is the application layer gateway. It is responsible for buffering
connections between exterior systems and your own system. Here, the packets aren’t directly passed on,
but a sort of translation takes place, with the gateway acting as an intermediary stop and translator.
The application gateway buffering processes are called proxy servers, or, for short‚ proxies. Every proxy
can offer further security features for the task it is designed for. Proxies generally offer a wide range of
security and protocol options.
Each proxy serves only one or a few application protocols, allowing high-level security and extensive
logging and analysis of the protocol’s usage.
Examples of existing proxies are:
· The SMTP proxy, responsible for email distribution and virus-checking.
· The HTTP proxy, supporting Java, JavaScript, ActiveX-Filter, and ad banner filtering.
· The SOCKS proxy (the generic circuit-level proxy) which supports applications such as FTP
clients, ICQ, IRC, or streaming media.
Application level gateways offer the advantage of physical and logical separation of the protected and
unprotected networks. They make sure that no packet is allowed to flow directly between networks,
resulting in higher security.
Protection Mechanisms
Further mechanisms ensure added security. Specifically, the use of private IP addresses in combination
with Network Address Translation (NAT) in the form of
· Masquerading
· Source NAT (SNAT)
· Destination NAT (DNAT)
These allow a whole network to hide behind one or a few IP addresses, preventing the identification of
your network topology from the outside.
Firewall Connectivity
Multi-Tech RouteFinder RF650VPN User Guide 14
Chapter 1 – Introduction and Description
With these protection mechanisms in place, Internet connectivity remains available, but it is no longer
possible to identify individual machines from the outside.
By using Destination NAT (DNAT), it is still possible to place servers within the protected network/DMZ
and make them available for a certain service.
In the sample graphic above, a user with the IP 5.4.3.2, port 1111 sends a request to the web server in
the DMZ. Of course the user only knows the external IP (1.1.1.1, port 80). By using DNAT, the
RouteFinder now changes the external IP address to 10.10.10.99, port 80 and sends the request to the
web server. The Web server then sends off the answer with its IP address (10.10.10.99, port 80) and the
IP of the user. The RouteFinder recognizes the packet by the user address and changes the internal IP
(10.10.10.99, port 80) into the external IP address (1.1.1.1, port 80).
To satisfy today’s business world needs, the IT infrastructure must offer real-time communication and cooperate closely with business partners, consultants and branches. Increasingly, the demand for real-time
capability is leading to the creation of so called extranets, that operate either:
· via dedicated lines, or
· unencrypted via the Internet
Each of these methods has advantages and disadvantages, as there is a conflict between the resulting
costs and the security requirements.
Virtual Private Networking (VPN) establishs secure (i.e., encrypted) connections via the Internet, an
important function especially if your organization operates at several locations that have Internet
connections. Theses secure connections use the IPSec standard, derived from the IP protocol IPv6.
ISO Layers and TCP/IP
Once set up, this encrypted connection is used automatically (i.e., without extra configurations or
passwords at the client systems) regardless of the type of data that is to be transferred, so as to protect
the content during the transport. At the other end of the connection, the transferred data is transparently
decoded and is available for the recipient in its original form.
The RF650VPN uses a hybrid of the above listed basic forms of firewalls and combines the advantages of
both variations: the stateful inspection packet filter functionality offers platform-independent flexibility, and
the ability to define, enable or disable all necessary services.
Existing proxies make the RouteFinder an application gateway that secures vital client system services,
such as HTTP, Mail and DNS by using proxying. It also enables generic circuit-level proxying via SOCKS.
VPN, Source NAT, Destination NAT, masquerading and the ability to define static routes make the
dedicated firewall an efficient distribution and checkpoint in your network.
Multi-Tech RouteFinder RF650VPN User Guide 15
Chapter 2 – Installation
Chapter 2 - Installation
Introduction
RF650VPN installation is divided into three parts:
· Hardware installation and cabling
· Software initial configuration
· Software configuration
Additional WebAdmin information is provided in the online Help. The Help function is opened by clicking
the online Help button.
Note: Before installing, you should first plan your network and decide which computer is to have access
to which services. This simplifies the configuration and saves you a lot of time that you would otherwise
need for corrections and adjustments.
Note: Please print this document and use it to fill in your specific RouteFinder and network information
(e.g., the IP address used, e-mail lists, etc.). Enter the configuration information (e.g., the Default
Gateway and other IP addresses used) into the appropriate field of the Address Table later in this
chapter, and keep for future reference.
Administrator requirements to be met before installing the RF650VPN software:
· Correct configuration of the Default Gateway
· An HTTPS capable browser (e.g., Microsoft Internet Explorer 4.0 or higher, or Netscape
Communicator 4.0 or higher)
· JavaScript and Cascading Style Sheets must be activated
· No proxies may be entered in the browser
· If Secure Shell (SSH) is to be used, an SSH client program is required (e.g., PuTTY in Windows
2000, or the bundled SSH client in most Linux packages).
Multi-Tech RouteFinder RF650VPN User Guide 16
Chapter 2 – Installation
As shown below, the RouteFinder provides the connection between your internal network and the
external network.
RouteFinder Connections
Address Table
Enter the configuration information (e.g., the Default Gateway and other IP addresses used) into the
appropriate field of the Address Table below. Please print this document and use it to fill in your specific
RF650VPN and network information (e.g., the IP address used, e-mail lists, etc.) , and keep for future
reference.
IP Address Net Mask
Network Card connected
to the internal network ___.___.___.___ ___.___.___.___
(LAN on eth0)
Network Card connected
to the external network ___.___.___.___ ___.___.___.___ ___.___.___.___
(WAN on eth1)
Network Card
connected to the DMZ ___.___.___.___ ___.___.___.___
(eth2)
Default Gateway
Multi-Tech RouteFinder RF650VPN User Guide 17
Chapter 2 – Installation
Safety Warnings
1. Use this product only with UL- and CUL-listed computers.
2.
To reduce the risk of fire, use only 26 AWG or larger telephone wiring.
Never install telephone wiring during a lightning storm.
3.
Never install a telephone jack in a wet location unless the jack is specifically designed for wet
4.
locations.
5. Never touch uninsulated telephone wires or terminals unless the telephone line has been
disconnected at the network interface.
6.
Use caution when installing or modifying telephone lines.
7.
Avoid using a telephone (other than a cordless type) during an electrical storm; there is a risk of
electrical shock from lightning.
8.
Do not use a telephone in the vicinity of a gas leak.
* Caution: Danger of explosion if battery is incorrectly replaced. A lithium battery on the
RF650VPN pc board provides backup power for the time-keeping capability. The battery has
an estimated life expectancy of ten years. When the battery starts to weaken, the date and
time may be incorrect. If the battery fails, the board must be sent back to Multi-Tech
Systems for battery replacement.
* Caution: The Phone and Ethernet ports are not designed to be connected to a Public
Telecommunication Network.
Safety Recommendations for Rack Installations
Ensure proper installation of the RF650VPN in a closed or multi-unit enclosure by following the
recommended installation as defined by the enclosure manufacturer. Do not place the RF650VPN
directly on top of other equipment or place other equipment directly on top of the RF650VPN.
If installing the RF650VPN in a closed or multi-unit enclosure, ensure adequate airflow within the rack so
that the maximum recommended ambient temperature is not exceeded.
Ensure that the RF650VPN is properly connected to earth ground via a grounded power cord. If a power
strip is used, ensure that the power strip provides adequate grounding of the attached apparatus.
Ensure that the mains supply circuit is capable of handling the load of the RF650VPN. Refer to the power
label on the equipment for load requirements.
Maximum ambient temperature for the RF650VPN is 50 degrees Celsius (120 degrees Farenheit).
This equipment should only be installed by properly qualified service personnel.
Only connect like circuits. In other words, connect SELV (Secondary Extra Low Voltage) circuits to SELV
circuits and TN (Telecommunications Network) circuits to TN circuits.
Multi-Tech RouteFinder RF650VPN User Guide 18
Chapter 2 – Installation
Hardware Installation Procedure
The RF650VPN is designed to install either on a desktop or in a standard EIA 19“ rack, and is shipped
with the mounting hardware to install the RF650VPN in the rack. If installing in a rack,
use the provided mounting hardware and follow the rack enclosure manufacturer’s instructions to safely
and securely mount the RF650VPN in the rack enclosure. Proceed to the cabling procedure.
Cabling Procedure
Cabling your RF650VPN involves making the proper POWER, DMZ, WAN and LAN connections
as described and illustrated below.
FAN
Power
Plug
POWER
On/Off
(O/ |)
Switch
LINE
Jack
(Not
Used)
COM 1
DB-9
Jack
(Not
Used)
VIDEO
Jack
(DB-15
DSub)
USB
ports
(2)
(Not
Used)
DMZ
Ethernet
10/100
Mb
DMZ Port
WAN
Ethernet
10/100
Mb
WAN
LAN
Ethernet
10/100
Mb
LAN Port
Port
RF650VPN Back Panel Connections
1. Using an RJ-45 cable, connect the DMZ RJ-45 jack to the DMZ (optional – e.g., a Voice
over IP gateway, like MultiVOIPs or a public server such as e-mail or web).
2. Using an RJ-45 cable, connect the
3. Using an RJ-45 cable, connect the
4. With the RF650VPN Power switch in the off (O) position and using the supplied power
cord, connect the RF650VPN power plug to a live power outlet.
5. Place the RF650VPN Power switch to the on (|) position to turn on the RF650VPN. Wait for the
RF650VPN to beep a few times, indicating that it is ready to be configured with a web browser.
Caution: Never switch off RouteFinder Power until after you have performed the Shut down
process. Refer to System|Shut down in Chapter 3 of this manual). If the RouteFinder is not properly
shut down before switching off Power, the next start may take a little longer, or in the worst case, data
could be lost.
6. Proceed to the Software Configuration Procedure.
WAN RJ-45 jack to the external network.
LAN RJ-45 jack to the internal network.
Multi-Tech RouteFinder RF650VPN User Guide 19
Chapter 2 – Installation
Software Configuration
The RouteFinder software is pre-installed on your RF650VPN. Initial configuration is required in order for
you to run the WebAdmin program and begin operation. The browser-based interface eases VPN
configuration and management. The VPN functionality is based on IPSec and PPTP protocols and uses
Triple DES 168-bit encryption to ensure that your information remains private.
Note: Read the legal information and license agreement at the beginning of the installation.
Caution: Use a safe Password! Your first name spelled backwards is not a sufficiently safe password; a
password such as xfT35$4 is better.
Software Configuration Procedure
1. Connect a workstation to the RF650VPN's LAN port via Ethernet.
2. Set the workstation IP address to 192.168.2.x subnet.
3. Connect to the Internet at the RF650VPN WAN port.
4. Make an Internet PUBLIC IP address so it can be assigned to the
5. Turn on power to the RouteFinder. If you hear a continuous beep, cycle RouteFinder power, connect
an external monitor (refer to Chapter 5 of this manual), run BIOS and check for the hard drive. If you
hear 5 beeps, continue with step 6.
6. Bring up your web browser on the workstation. At the web browser's address line, type the default
Gateway address of https://192.168.2.1 and hit the Enter key. In some environments, one or more
Security Alert screen(s) display.
WAN port.
At the initial Security Alert screen, click Yes and follow any additional on-screen prompts. (This step
is eliminated when you have generated a CA certificate at System|User Authentication|WebAdmin
Site Certificate, described in Chapter 3 of this manual.)
Multi-Tech RouteFinder RF650VPN User Guide 20
Chapter 2 – Installation
If someone else is already logged in to the RouteFinder, the message below is displayed.
Click the Kick! Button. The Login screen is displayed.
7. Type the default User name as admin (all lower-case), tab to the Password entry and type the
default Password of admin (all lower-case). Click Login. The User and Password entries are case-
sensitive (both must be all lower-case) and can be up to 12 characters each.
Later, you will want to these default User and Password entries to something else.
(If Windows displays the AutoComplete screen, for security reasons, you may want to click No to tell
the Windows OS to not remember the Password.) The Welcome to WebAdmin screen is displayed.
Multi-Tech RouteFinder RF650VPN User Guide 21
Chapter 2 – Installation
You Can Now Configure the RouteFinder as Any or All of the
Following:
1. a Firewall
2. a PPTP server for VPN remote client access, and/or
3. an IPSec VPN Gateway
These configuration procedures are provided in the following sections. Note that many of the menus and
entry fields have onscreen status LEDs. A green status light next to a function indicates that the function
is enabled; to disable the function, click the Disable button next to the green status light. A red status
light next to a function indicates that the function is disabled; to enable the function, click the Enable
button next to the red status light.
Note that Appendix A of this manual contains application examples with additional information on
addressing, masking, and software setup.
1. Firewall - Configure the RF650VPN as a Firewall
Use this procedure to configure the RF650VPN firewall function as illustrated below.
Multi-Tech RouteFinder RF650VPN User Guide 22
Chapter 2 – Installation
1. At the Welcome to WebAdmin screen, click on System|Settings. The following screen displays.
a) Add your own email address for alerts and notification.
b) Remove the default email address.
c) Optional: you can change the password in WebAdmin as shown below.
Multi-Tech RouteFinder RF650VPN User Guide 23
d) Set the System Time and Date to match your current location.
2. Click Definitions|Networks.
Define the IP network that is configured on the LAN port (the Private LAN on eth0).
For example:
Name = LAN
IP address = 192.168.2.0
Subnet mask = 255.255.255.0
Chapter 2 – Installation
3. Click on Network | Interfaces. The Local Host screen displays.
Required changes:
a) Change the Default Gateway IP address; this is the IP address of the router that connects to the
Internet.
b) Change the Host name for the RouteFinder (can be anything).
c) Click Save on the Local host settings screen.
Multi-Tech RouteFinder RF650VPN User Guide 24
Chapter 2 – Installation
Optional changes:
d) Change the IP address on LAN port (eth0).
If you change this IP address, you must change the IP address on the workstation so it matches
the new IP address of the RouteFinder in order for you to configure the RouteFinder again.
You also need to reconfigure step 2 so your new IP network is defined.
e) Click Save on the Network card (eth0) settings.
Required changes:
f) Change the IP address on WAN port (eth1); this is the PUBLIC STATIC IP address.
g) Click Save for the Network card (eth1) settings.
Optional changes:
h) Change the IP address on DMZ port (eth2). This is the DMZ zone PUBLIC STATIC IP address.
i) Click Save for the Network card (eth2) settings.
Multi-Tech RouteFinder RF650VPN User Guide 25
Chapter 2 – Installation
4. Click on Network|Masquerading.
Select LAN|WAN and click Add; this will enable NAT between the LAN port and the WAN port.
5. Click on Packet Filter|Rules.
a) Add the rule Any – Any – Any – Allow. This allows any service from any server to any client.
Note: you will want to change this rule later.
b) Click on the red circle to enable the rule; the circle will turn green.
6. The RF650VPN is now configured as a Firewall.
Multi-Tech RouteFinder RF650VPN User Guide 26
Chapter 2 – Installation
2. PPTP Server for VPN Remote Cient Access
Configure the RF650VPN as a PPTP Server for VPN Remote Cient Access
Use this procedure to configure the RF650VPN as a PPTP server for VPN Remote Client Access (aka,
PPTP Roadwarrior configuration). (Note: IPX and Netbeui not supported when using PPTP tunneling.)
1. Check the following on the Microsoft web site for PPTP updates and patches:
http://support.microsoft.com/support/kb/articles/Q285/1/89.ASP and
http://support.microsoft.com/support/kb/articles/Q191/5/40.ASP
2. Check the following on Microsoft web site for PPTP 128-bit encryption updates:
For Windows 98/Me: http://windowsupdate.microsoft.com/ .
For WindowsNT: http://www.microsoft.com/ntserver/nts/downloads/recommended/SP6/allSP6.asp .
For Windows 2000:
http://www.microsoft.com/windows2000/downloads/recommended/encryption/default.asp
Multi-Tech RouteFinder RF650VPN User Guide 27
Chapter 2 – Installation
3. Click on VPN|PPTP Roadwarrior VPN. The PPTP Remote Access screen displays.
a) Enable PPTP Status.
b) Enable Debug.
c) Select an Encryption Strength and click Save.
d) Click on Definitions|Networks.
e) In the Command column on the PPTP-Pool line click on Edit to edit the PPTP-Pool settings.
Multi-Tech RouteFinder RF650VPN User Guide 28
Chapter 2 – Installation
f. The Edit network screen displays. Change the IP address and subnet mask so it is a subnet that
is part of the main IP network of the LAN port (private LAN). (You can assign up to 128
addresses.)
g. Click on Definitions|Users.
h. The User definition screen displays. Define a new user, check Remote access (PPTP), and click
Add.
i. You might have to change the
Any – Any – Any – Allow.
Packet filter rules if you do not already have it set to
Note: you will want to change this rule later.
Multi-Tech RouteFinder RF650VPN User Guide 29
Chapter 2 – Installation
3. IPSec VPN Gateway
Configure the RF650VPN as an IPSec VPN Gateway
The RF650VPN configured as an IPSec VPN Gateway supports both LAN-to-LAN and Client-to-LAN
connections. A Client-to-LAN configuration is shown below; a LAN-to-LAN configuration is shown at the
end of this section. The IPSec VPN Gateway Client-to-LAN configuration (aka, IPSec roadwarrior
configuration) is shown below.
The RF650VPN supports the following IPSec parameters and CAN NOT be changed:
- IKE negotiation using main mode
- Encryption using 3DES
- HASH using MD5
- Diffie-Helman using Group 2 (1024) or Group 5 (1536)
- Perfect Forwarding Secrecy (PFS)
Multi-Tech RouteFinder RF650VPN User Guide 30
IPSec Client-to-LAN configuration
Loading...