If you run a VPN client, ZoneAlarm Pro examines outgoing packets before encryption, and incoming packets after decryption. This prevents malicious traffic from making its way into the VPN tunnel from your computer. It also prevents any malicious traffic that might arrive on your computer via the VPN tunnel from doing any damage.
The following table lists the VPN-related networking protocols that are recognized by ZoneAlarm Pro.
Networking Protocol | Explanation and Comments
--- | ---
AH | Authentication Header protocol
DES and 3DES | 56-bit and 168-bit Data Encryption Standards
ESP | Encapsulating Security Payload protocol
GRE | Generic Routing Encapsulation protocol
H.323 RAS | H.323 Registration-Admission-Status. H.323 is an umbrella recommendation from the International Telecommunication Union (ITU) for multimedia communications over Local Area Networks (LANs).
IKE | Internet Key Exchange protocol
IPSec | IP Security protocol. Only the Windows 2000 VPN client automatically includes IPSec support.
L2F, L2TP | Layer 2 Forwarding protocol, Layer 2 Tunneling Protocol. L2TP is a more secure variation of PPTP.
LDAP | Lightweight Directory Access Protocol
PPTP | Point-to-Point Tunneling Protocol
RADIUS | Remote Authentication Dial-In User Service
SKIP | Simple Key Management for Internet Protocol
XAUTH | Extended Authentication
Step 1: Identify VPN-related network resources
To enable your computer to communicate with VPN gateways, DNS servers, or other VPN-related network resources, add those resources to the Trusted Zone.
Required Resources. These are required by all VPN client computers and must be added to the Trusted Zone.
VPN Concentrator |
Remote host computers connected to the VPN client (if not included in the subnet definitions for the corporate network) |
Corporate Wide Area Network (WAN) subnets that will be accessed by the VPN client computer |
Corporate LANS that will be accessed by the VPN client computer |
Other Resources. These may or may not be required, depending on your specific VPN implementation.
DNS Servers |
Local host computer's NIC loopback address (depending on Windows version). If you specify a local host loopback address of 127.0.0.1, do not run proxy software on the local host. |
Internet Gateway |
Local subnets |
Security servers (for example, RADIUS, ACE, or TACACS servers) |
Step 2: Grant access permission to trusted VPN-related programs
Next, grant access permission to the VPN client program and any related programs.
Note: If any VPN-related programs use an operating system program (such as services.exe) to perform DNS lookup, that operating system program must have access permission as well.
Step 3: Allow VPN protocols
Finally, configure ZoneAlarm Pro to allow specific VPN protocols through the firewall at high security. To do this, go to the Security tab (Advanced Settings dialog box) and select the check box labeled Allow VPN protocols at high security. If your VPN uses protocols other than GRE, ESP, and AH, also select the check box labeled Allow uncommon protocols at high security.
Use the following features to facilitate troubleshooting when you are configuring ZoneAlarm Pro for VPN access.
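The three steps above, reduced to a decision procedure as an added example (not ZoneAlarm Pro's own code): a simplified model in which an incoming packet passes only if its source was added to the Trusted Zone (Step 1) and its IP protocol is permitted by the Step 3 check boxes. The addresses, the IANA protocol numbers, and the rule that any protocol other than TCP, UDP, GRE, ESP or AH counts as "uncommon" are assumptions made for illustration, not a description of ZoneAlarm's internals.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# IANA IP protocol numbers for the protocols named in the table above.
TCP, UDP, GRE, ESP, AH = 6, 17, 47, 50, 51
# Passed by "Allow VPN protocols at high security"; any other non-TCP/UDP
# protocol is treated here as needing "Allow uncommon protocols" (assumption).
VPN_PROTOCOLS = {GRE, ESP, AH}
PORT_NAMES = {(UDP, 500): "IKE", (UDP, 1701): "L2TP", (TCP, 1723): "PPTP"}

@dataclass
class Packet:
    src: str        # remote address of an incoming packet
    proto: int      # IP protocol number
    dport: int = 0  # destination port, TCP/UDP only

@dataclass
class Policy:
    trusted_zone: list            # Step 1: networks added to the Trusted Zone
    allow_vpn_protocols: bool     # Step 3: first check box
    allow_uncommon: bool = False  # Step 3: second check box

def in_trusted_zone(policy, addr):
    return any(ip_address(addr) in ip_network(net) for net in policy.trusted_zone)

def decide(policy, pkt):
    """Return (verdict, reason) for one incoming packet under the simplified model."""
    if not in_trusted_zone(policy, pkt.src):
        return "block", "source not in Trusted Zone (Step 1)"
    if pkt.proto in (TCP, UDP):
        name = PORT_NAMES.get((pkt.proto, pkt.dport), f"port {pkt.dport}")
        return "allow", f"{name} from a trusted host (program permission is Step 2)"
    if pkt.proto in VPN_PROTOCOLS:
        if policy.allow_vpn_protocols:
            return "allow", f"IP protocol {pkt.proto} via Allow VPN protocols"
        return "block", f"IP protocol {pkt.proto}: Allow VPN protocols not set"
    if policy.allow_uncommon:
        return "allow", f"IP protocol {pkt.proto} via Allow uncommon protocols"
    return "block", f"IP protocol {pkt.proto}: uncommon protocol not allowed"

# Constructed setup: concentrator at 203.0.113.10, corporate WAN 10.0.0.0/8,
# "Allow VPN protocols" checked, "Allow uncommon protocols" left clear.
POLICY = Policy(["203.0.113.10/32", "10.0.0.0/8"], allow_vpn_protocols=True)
SAMPLE = [
    Packet("203.0.113.10", UDP, 500),  # IKE negotiation from the concentrator
    Packet("203.0.113.10", ESP),       # the IPSec tunnel traffic itself
    Packet("198.51.100.7", GRE),       # GRE from a host never added to the zone
    Packet("203.0.113.10", 4),         # IP-in-IP (protocol 4): not GRE, ESP or AH
]
VERDICTS = [decide(POLICY, p)[0] for p in SAMPLE]  # allow, allow, block, block
```

The fourth sample packet shows why the second check box exists: a tunnel built on a protocol outside GRE, ESP and AH is dropped until Allow uncommon protocols at high security is also selected.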
Automatic network detection
If you are confident that your computer will come into contact only with VPN-related networks during initial setup, you can set ZoneAlarm Pro to automatically add detected networks to the Trusted Zone. This keeps you from having to add VPN-related networks to the Trusted Zone manually.
To do this, go to the Network settings area in the Security tab (Advanced Settings dialog box), and select the check box labeled Include networks in the Trusted Zone on detection.
Program Learning mode
If you are confident that your computer contains no malicious programs, you can set ZoneAlarm Pro to Program Learning mode. In this mode, ZoneAlarm Pro will automatically grant access permission to programs (such as your VPN client) that access the Internet.
To enable Program Learning mode, set the slider in the Main tab of the Program Control panel to Low.
Alert logging
If problems occur during your VPN setup, the ZoneAlarm Pro alert log can provide useful troubleshooting information. Use the Main tab of the Alerts & Logs panel to enable logging.