Quick Start Installation of CEQURUX Firewall/VPN Gateway version 4.1

The easiest type of installation is from CD-ROM. If you have a supported CD-ROM drive and an installation CD, there are 3 ways of starting the installation from it:

  1. If you have a BIOS that allows for booting from CD-ROM (i.e. support for El Torito CD-ROM boot extensions), then you should be able to boot the CD-ROM directly once you have configured your BIOS appropriately.

  2. If you have drivers which allow you to see your CD-ROM drive from DOS, first disable any fancy memory managers you may have configured (like HIMEM.SYS and EMM386.EXE), change the working directory to the CD-ROM (E:\ in the example below) and then type this:
      E> install
    and you should boot directly into the installation.

  3. Build a boot floppy from the floppies/boot.flp file. Either use the "makeflp.bat" script from DOS or read floppies/README.TXT for more information on creating bootable floppies under different operating systems. Then you simply boot from the floppy and you should go into the installation.

Once you have the boot process happening, you will after a short time see a menu of choices appear. Move the cursor to "Install from CD-ROM" and press Enter. You will be asked for confirmation. Select "YES" to start the installation.

After all the necessary files have been copied from the CD-ROM, you'll get the top level menu again; choose "Set System Administrator's Password". This is the root password you will use to log in at the console later, so choose it carefully. Then remove the boot floppy and the CD-ROM and exit the menu. The machine will automatically reboot. (You could remove the CD-ROM drive now; it won't be needed again until you do a major upgrade.)

After the machine has booted, it will automatically start running some post-installation actions. These include setting the date, time and timezone, and then registering your product.

When you find yourself in a registration screen, fill in your details. It is important that you enter the correct external IP address of the firewall, because this cannot be changed without re-registration. For product, select "Firewall/VPN", and for expiry date, put next month; the firewall will expire at the end of the month shown. (If you want to evaluate the VPN aspect, you will want to install two or more firewalls.)

At this point, you have two options.

  1. To auto register over the Internet.
  2. To manually register by phoning CEQURUX and getting a reg key over the phone.

Auto registration is easiest. It requires, though, that the firewall is connected to the Internet, and that the routers and any packet filters between the firewall and CEQURUX allow port 8888 through.

Now follow the instructions for whichever registration method you choose to use.

Option A - Auto registration of firewall

Press "Defer Register". At the next prompt, press Enter to continue. You should be in a screen that says "System Setup" at the top. If your ethernet cards are not PCI, press "Setup Devices". For each network card you have, press the space bar in the appropriate field to select it. If you have PCI ethernet cards, then these can be set to "None". You can also configure your SCSI controller and tape drive from this screen. If you don't have either, set them to "None".

Pressing F2 from this screen allows you to set up the IRQs etc. on your hardware. This is normally only needed if you have non-PCI ethernet cards or SCSI controllers. PCI cards do not need to be configured and are automatically detected. Press "Done" (either once or twice) to get back to the "System Setup" screen. Position your cursor on the "Interface" boxes (under internal and external). Press the space bar to cycle through your configured and detected network cards. Then add your internal IP address and the appropriate netmasks.

Once you have set these, set your default route (gateway) to your router. Press "Done", "Quit", "Save & Exit". You will be asked to select your VPN key size. Select 1024 bits here: a 1024 bit key takes about 15 minutes to generate on an average firewall, whereas the larger sizes may take up to a week. When that is finished, press "Quit". The firewall will automatically reboot.

After the reboot, it should once again be in the Registration Screen. This time press "Auto Register". On the next screen (which is entitled Remote Registration), don't change anything, just press "Done". If the Internet is functioning properly, then you should receive your activation key.

You'll know that auto registration has succeeded if you see the Activation screen with the "New Serial Number" and "New Activation Key" filled in. Press "Done" to exit the Activation screen. Press Enter to continue at the next prompt. You will find yourself in the System Setup screen again, but you should already have set up your devices, so press "Done", "Quit", and "Save & Exit" as many times as necessary (but don't press "Just Quit", because that will lose your changes). The firewall will display a message about "Building File Lists", and will then automatically reboot.

Installation is now complete. After the system reboots and performs some more automatic processing, you can switch to a login screen by pressing Alt-F2 (or Alt-F3 or Alt-F4) and you can return to the firewall log with Alt-F1. You can login as root (using the password that you set earlier), and run the configuration program (which is called "fwadmin").

NOTE: If you need to auto-register more than once for some reason (for example, if you used the wrong IP address the first time), log in as root and delete the /etc/cequrux.reg file before you try registration again. Failure to delete this file is likely to result in errors such as "Invalid Registration Region".

Option B - Manual registration of firewall

On the Registration screen, press "Manual Register", and after a while you'll see a screen with a serial number in it and a blank line asking for an activation key. Then phone your vendor or CEQURUX (+27 21 423 6065) and read the serial number over the phone. We'll then read you the activation key back, which you must type in. After typing in the activation key, press "Done". If you made a mistake, it will bring you back to the same screen; if not, it will ask you for your VPN key size. Select 1024 bits (the larger sizes take far longer to generate, as noted under Option A).

At the next prompt, just press Enter to continue. You are then presented with a screen with three columns: inside, outside and dmz. Fill in your inside IP address, your netmasks for inside and outside, and your default gateway. If your ethernet cards are not PCI, press "setup devices". For each network card you have, press the space bar in the appropriate field to select it. If you have PCI ethernet cards, then these can be set to "None".

You can also configure your SCSI controller and tape drive from this screen. If you don't have either, set to "None". Pressing F2 from this screen allows you to set up the IRQs etc. on your hardware. This is normally only needed if you have non-PCI ethernet cards or SCSI controllers. PCI cards do not need to be configured and are automatically detected.

When you are finished, press "Done" to return to the screen with three columns: inside, outside and dmz. Position the cursor on the "interface" boxes, and then press the space bar to cycle through your configured and detected ethernet cards.

Then save and exit by pressing "Done", "Quit", and "Save & Exit" as many times as necessary (but don't press "Just Quit", because that will lose your changes). The firewall will display a message about "Building File Lists", and will then automatically reboot.

Installation is now complete. After the system reboots and performs some more automatic processing, you can switch to a login screen by pressing Alt-F2 (or Alt-F3 or Alt-F4) and you can return to the firewall log with Alt-F1. You can login as root (using the password that you set earlier), and run the configuration program (which is called "fwadmin").

To set up webadmin

  • Log in to the firewall as root. Run the cdsadmin program.

  • Follow this sequence using the function keys: "other keys", "setup", "other keys", "remote admin".

  • In this screen, fill in the port "8088".

  • Exit the screen with "done" and then go "other keys", "access control", "services", "tcp proxies".

  • In the form that you are presented with, in the service tab fill in "webadmin", in the address tab, your PC's IP address, and in bits, "32". Leave the other fields as they are (mostly blank).

  • Then press "done"/"quit" a few times, and then "save and exit" (don't press "just quit"). After that press "quit" and you're back at the shell prompt. The firewall will warn that your configuration is questionable, because the webadmin service is accessible with weak authentication. That is expected at this stage: under the remadmin heading below, the authentication is changed to DSA, which is very strong. Until then the exposure is limited, because only a machine using the IP address you entered above can reach webadmin. Bear in mind that an address-based rule is only as trustworthy as the network path between that PC and the firewall, so do not stop before the DSA step.

  • Then from your browser surf to the firewall on port 8088 (Something like http://citadel:8088/).

  • If you want to use SSL, set the SSL toggle to "YES" and surf to the webadmin port with the "https" protocol (note the "s"). This protects the administration session from being read on the path between your PC and the firewall.
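To make the effect of the "address" and "bits" fields concrete, here is a small Python model of how a tcp proxy entry restricts the source and of the "accessible with weak authentication" warning. It is an added illustration, not CEQURUX code, and the firewall's own rule evaluation may differ in detail. The administrator's PC address 192.168.1.10 is a constructed example; the same kind of entries are used for remadmin and keyadmin later in this guide.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class TcpProxy:
    """One row of the 'tcp proxies' form: service, address, bits, auth type.
    Model only; field names follow the page, not the firewall's internals."""
    service: str
    address: str
    bits: int
    auth: str = "weak"   # "weak" = source address only (the default), or "DSA"

    def permits_source(self, src: str) -> bool:
        # address/bits is a prefix: bits=32 means exactly one host,
        # bits=24 would admit the whole /24 the PC sits on.
        net = ipaddress.ip_network(f"{self.address}/{self.bits}", strict=False)
        return ipaddress.ip_address(src) in net


def weak_auth_services(proxies):
    """Services the firewall would flag as 'accessible with weak authentication'."""
    return [p.service for p in proxies if p.auth != "DSA"]


def decide(proxies, service, src):
    """Permit or deny a connection to `service` from source address `src`."""
    for p in proxies:
        if p.service == service:
            return "permit" if p.permits_source(src) else "deny"
    return "deny"   # no proxy entry for that service at all


# Constructed sample configuration: three proxies, each limited to one PC.
ADMIN_PC = "192.168.1.10"
PROXIES = [
    TcpProxy("webadmin", ADMIN_PC, 32),
    TcpProxy("remadmin", ADMIN_PC, 32),
    TcpProxy("keyadmin", ADMIN_PC, 32),
]

if __name__ == "__main__":
    for src in (ADMIN_PC, "192.168.1.11"):
        print(src, "->", decide(PROXIES, "webadmin", src))
    print("weak auth:", weak_auth_services(PROXIES))
    # After the DSA step the warning disappears for that service:
    print("after DSA:", weak_auth_services([TcpProxy("keyadmin", ADMIN_PC, 32, "DSA")]))
```

Setting bits to 32 is what keeps the interim exposure small: any other host on the same subnet gets "deny" even before the DSA change.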

Setting up remadmin and keyadmin

  • Log in to the firewall as root. Run the cdsadmin program.

  • Follow this sequence using the function keys: "other keys", "setup", "other keys", "remote admin".

  • In this screen, fill in the port 8089 for remadmin and 8090 for keyadmin.

  • Exit the screen with "done" and then go "other keys", "access control".

  • Change the "cache cipher successes" to 30 minutes. These numeric fields can be raised or lowered with "+" and "-".

  • Then press "services", "tcp proxies". Press "next page" until you get a blank form.

  • In the form that you are presented with, in the service tab fill in "remadmin", in the address field your PC's IP address, and in bits, "32". Leave the other fields as they are (mostly blank).

  • Also add a tcp proxy for "keyadmin" for just your PC.

  • Then press "done" a few times, and then "save and exit" (don't press "just quit"). Again there will be warnings that remadmin, keyadmin and webadmin are accessible with weak authentication, but that will be changed soon. After that press "quit" and you're back at the shell prompt.

  • On your PC, insert the CEQURUX CD-ROM. Under WIN32 the CD carries either two programs called admin-setup.exe and auth-setup.exe, or two subdirectories called Admin and Auth, each containing a setup program. Run the admin setup to install the remadmin and keyadmin tools used by the firewall administrator, and the auth setup to install the authentication agent for end users. Once installed, both are available from the start menu.

  • Run the CEQURUX Authentication Agent. It will appear as a tiny yellow key on your task bar. Right click on the key and select properties from the menu. This will bring up the CEQURUX Authentication Agent Configuration Manager.

  • Under the "Settings" tab, check "run at startup" and "cache passwords". Change the cache time to 10 minutes.

  • Under the "DSA" tab, create yourself a DSA private/public key pair. Note that the property sheet will minimise itself, while it is searching for primes. Once it is done, click on "Copy", to make a copy of your DSA public key in the Windows clipboard.

  • Under the "Firewalls" tab, click on "Add". As the IP address, put the internal interface of the firewall, put your username and check the radio button "DSA".

  • Then say "OK" at the bottom, and the Authentication Agent Configuration Manager will disappear.

  • Then using the start menu, run the Key Administration tool. Click on the "open folder" icon. This brings up a connection dialog box. For firewall, insert the internal interface of the firewall. Uncheck the SPEKE box. For port put 8090. Then click OK. The dialog box will disappear and you should watch the bottom line of Key Administration tool (status line) until it says "keys retrieved successfully". If any of this doesn't work, the console of the firewall will be printing log messages which will tell you what is wrong.

  • Press the icon that has a + sign in it. Add a new DSA public key under your user name, pasting the DSA public key from the Windows clipboard.

  • Then press the save icon and your DSA public key should get saved back to the firewall.

  • Run the CEQURUX Configuration Manager from the start menu. From now on, I'll refer to this program as "remadmin". Fill in the dialog box similarly to the Key Administration tool, except for port put 8089.

  • When the program comes up, select "Access" from the radio buttons. Then select the "TCP proxies" from the tabs. Amongst the TCP proxies, you should see the three proxies for "webadmin", "remadmin" and "keyadmin". Select "keyadmin". Change the authentication type to "DSA". Click on the down arrow next to the user name. You will get asked if you want to load the key database from the firewall. Say yes. And you'll get a connection dialog. Fill out similarly to above, and for port, use the keyadmin port which is 8090.

  • It should load the key database, and you should get a list of valid DSA users. Select your user name. Then remove that dialog box by clicking OK.

  • Since we are now going to be using strong authentication, we could remove the source address restrictions on keyadmin. This would allow you to configure the firewall from any PC (say from home) on which you have installed your DSA private key; you move the key between PCs with the "import" and "export" functions of the CEQURUX Authentication Agent. Keeping the address restriction as well as DSA costs nothing, so only widen it if you actually need access from elsewhere.

  • Then save the configuration by clicking the "OK" at the bottom of the program.

  • After saving, see if you can use keyadmin with the new DSA authentication. During the connection, you'll get a dialog box pop up that asks for your DSA password. Enter it.

  • If keyadmin didn't manage to retrieve the keys, then debug the setup by consulting the log messages on the console of the firewall.

  • If keyadmin successfully retrieves the keys, use remadmin to change the authentication for "remadmin" and "webadmin" to DSA as well. Change them one at a time and confirm that you can still connect after each change, so that a mistake does not lock you out of remote administration; a broken proxy entry can always be corrected from the console with cdsadmin.
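The following Python program illustrates what the DSA step buys you. It is an added example, not CEQURUX code: the firewall's key database holds only public keys (what keyadmin saves), the Authentication Agent holds the private key, and a login is a signed answer to a fresh challenge, so nothing reusable crosses the network. The challenge format (the "auth:" prefix), the class names and the parameter sizes are assumptions for the toy; the real wire protocol is not described on this page, and real DSA uses far larger parameters and a vetted library.

```python
import hashlib
import random
import secrets


def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin; adequate for a toy parameter generator."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_params(rng, q_bits=80, p_bits=512):
    """Toy DSA (p, q, g): q divides p-1 and g has order q mod p. Real sizes are far larger."""
    while True:
        q = rng.getrandbits(q_bits) | (1 << (q_bits - 1)) | 1
        if is_probable_prime(q, rng):
            break
    while True:
        k = (rng.getrandbits(p_bits - q_bits) | (1 << (p_bits - q_bits - 1))) & ~1
        p = k * q + 1
        if is_probable_prime(p, rng):
            break
    h = 2
    while (g := pow(h, (p - 1) // q, p)) == 1:
        h += 1
    return p, q, g


def hash_to_int(msg, q):
    """Leftmost bitlen(q) bits of SHA-256(msg), as DSA specifies."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - q.bit_length())


def keygen(params):
    p, q, g = params
    x = secrets.randbelow(q - 1) + 1       # private key: never leaves the PC
    return x, pow(g, x, p)                 # (private, public)


def sign(params, x, msg):
    p, q, g = params
    z = hash_to_int(msg, q)
    while True:
        k = secrets.randbelow(q - 1) + 1   # fresh, unpredictable per-signature nonce
        r = pow(g, k, p) % q
        s = (pow(k, -1, q) * (z + x * r)) % q
        if r and s:
            return r, s


def verify(params, y, msg, sig):
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    z = hash_to_int(msg, q)
    return (pow(g, z * w % q, p) * pow(y, r * w % q, p)) % p % q == r


class FirewallKeyDatabase:
    """Firewall side (assumed model): what keyadmin's '+' and save populate."""
    def __init__(self, params):
        self.params, self.keys = params, {}

    def add_public_key(self, user, y):
        self.keys[user] = y

    def new_challenge(self):
        return secrets.token_bytes(16)

    def check(self, user, challenge, sig):
        y = self.keys.get(user)
        return y is not None and verify(self.params, y, b"auth:" + challenge, sig)


class AuthAgent:
    """PC side (assumed model): holds the private key and answers challenges."""
    def __init__(self, params, x):
        self.params, self.x = params, x

    def respond(self, challenge):
        return sign(self.params, self.x, b"auth:" + challenge)


def demo():
    params = generate_params(random.Random(41))   # seeded only so the toy is reproducible
    x, y = keygen(params)
    fw = FirewallKeyDatabase(params)
    fw.add_public_key("admin", y)                 # the public key pasted in via keyadmin
    agent = AuthAgent(params, x)
    c1 = fw.new_challenge()
    sig = agent.respond(c1)
    return (
        fw.check("admin", c1, sig),                              # genuine login
        fw.check("nobody", c1, sig),                             # user not in key database
        fw.check("admin", fw.new_challenge(), sig),              # replayed response
        fw.check("admin", c1, (sig[0], (sig[1] + 1) % params[1])),  # tampered signature
    )


if __name__ == "__main__":
    print(demo())
```

Only the first check succeeds: a captured response is useless against the next challenge, and the firewall never holds anything that would let an attacker impersonate you, which is why the address restriction can be relaxed once DSA is in place.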