Supplemental SunScreen EFS 3.0 Documentation

The following information was not included in the documentation when the SunScreen EFS 3.0 documents were printed.

For future documentation updates, see http://docs.sun.com.

SunScreen EFS 3.0 Reference Manual

The following supplements the SunScreen EFS 3.0 Reference Manual.

HA in Stealth Mode

Chapter 2 of the SunScreen EFS 3.0 Reference Manual states that HA is supported only in routing mode. SunScreen EFS 3.0 supports HA in routing mode and in stealth mode.

When you activate the configuration for HA in stealth mode, the console displays a list of error messages. You can disregard these messages; the Screen is functioning properly. For more information, see "Error Message When Activating HA Stealth Configuration (4252244)".

Mixed Interfaces

SunScreen EFS 3.0 supports both routing and stealth interfaces on a single Screen. You can model a Screen with a mixture of routing and stealth interfaces as though it were two completely separate Screens, one containing the stealth interfaces and the other containing routing interfaces. If you configure your Screen in this way, you must have at least two interfaces of each type.

The following sections show two supported configurations.

Separate Network

The separate network configuration consists of a Screen that has two stealth interfaces and two routing interfaces. Although both types of interfaces are on the same machine, packets cannot pass between the stealth and routing interfaces.

Figure 1-1 Separate Network Configuration

This configuration is subject to the following restrictions:

• Packets do not flow between the routing and stealth interfaces.

• NAT can be performed only in the networks connected to the stealth interfaces.

• Computers on the stealth network cannot use proxies.

Proxied Stealth

The proxied stealth configuration consists of a Screen that has two stealth interfaces, two routing interfaces, and a router that passes packets from a stealth interface to a routing interface. Use this type of configuration if you want to use proxy services with a stealth machine.

Figure 1-2 Proxied Stealth Configuration

This configuration is subject to the following restrictions:

• NAT can be performed only in the networks connected to the stealth interfaces.

• FTP and Telnet between the stealth and routing networks work only if you use proxies for this type of communication.

SunScreen EFS 3.0 Administration Guide

The following information updates the HTML version of the SunScreen EFS 3.0 Administration Guide.

Figure Updates

Some figures in the HTML version of the SunScreen EFS 3.0 Administration Guide are incorrect. Refer to the PDF, included on the CD, or the printed versions of the SunScreen EFS 3.0 Administration Guide to see the correct figures.

The following figures in chapters 3 and 6 in the HTML version of the SunScreen EFS 3.0 Administration Guide are incorrect:

• Figure 3-11

• Figure 6-18

• Figure 6-21

• Figure 6-22

• Figure 6-23

• Figure 6-24

SunScreen EFS 3.0 Installation Guide

The following information updates the SunScreen EFS 3.0 Installation Guide.

Installing SunScreen EFS 3.0 in Stealth Mode (4252799)

The procedure shown in Chapter 5 of the SunScreen EFS 3.0 Installation Guide for installing the software on the Screen using self-generated certificates contains steps that do not apply when you install SunScreen EFS 3.0 in stealth mode.

Omit steps 17 through 19 when you use the procedure for installing the software on the Screen using self-generated certificates.

Upgrading From SunScreen EFS 3.0, Revision A, to SunScreen EFS 3.0, Revision B, on the Administration Station

The following procedures describe how to upgrade to SunScreen EFS 3.0, revision B, from SunScreen EFS 3.0, revision A, on the Administration Station. These procedures are necessary only if you have previously installed and are running SunScreen EFS 3.0, revision A.

Identify the software version by typing:

# pkginfo -l SUNWicgSS

This upgrade requires that the Administration Station be disconnected from the Screen while these procedures are performed.

To Remove the SunScreen EFS 3.0, Revision A, Software From the Administration Station

1. Backup your Administration Station's configurations and store this backup in a secure location. It contains secret information like private keys.

   ---

   Note -

   Backing up your Administration Station's configuration is a safety precaution only. The configuration and keys are maintained during the upgrade.

   ---

2. On the Administration Station, open a terminal window and become root.

3. If you have installed any SunScreen EFS 3.0 patches, remove them.

   1. For SPARC systems, type:

      # patchrm 107849-01

   2. For x86 systems, type:

      # patchrm 107850-01

4. Remove the SunScreen EFS 3.0, revision A, packages.

   ---

   Note -

   If you did not install all of these packages, omit the ones you did not install from the command, or remove the packages one at a time.

   ---

   1. For SPARC systems, type:

      # pkgrm SUNWbdc SUNWbdcx SUNWdthj SUNWes SUNWesx \ SUNWicgSA SUNWicgSM SUNWsman

   2. For x86 systems, type:

      # pkgrm SUNWbdc SUNWdthj SUNWes SUNWicgSA SUNWicgSM SUNWsman

5. Follow the program prompts and answer all the questions with y.

   The pkgrm program ends with the statement: Removal of name_of_package was successful.

6. Remove the SKIP software packages.

   ---

   Note -

   Use the following command if you installed all possible SKIP packages. If you have not installed all of the following SKIP packages, remove only the packages that you installed.

   ---

   1. For SPARC systems, type:

      # pkgrm SUNWkeymg SUNWkisup SUNWrc2 SUNWrc4 SUNWrc4x

   2. For x86 systems, type:

      # pkgrm SUNWkeymg SUNWkisup SUNWrc2 SUNWrc4

7. Follow the program prompts and answer all the questions with y.

   The pkgrm program ends with the statement: Removal of name_of_package was successful.

8. Remove SKIP upgrade packages if you have installed them.

   ---

   Note -

   Use the following command if you installed all the possible SKIP upgrade packages. If you have not installed all of the following SKIP upgrade packages, remove only the packages that you installed.

   ---

   1. For SPARC systems, type:

      # pkgrm SUNWkusup SUNWdes SUNWdesx SUNWkdsup SUNW3des \ SUNW3desx SUNWrc4s SUNWrc4sx SUNWsafe SUNWsafex

   2. For x86 systems, type:

      # pkgrm SUNWkusup SUNWdes SUNWkdsup SUNW3des SUNWrc4s SUNWsafe

9. Follow the program prompts and answer all the questions with y.

   The pkgrm program ends with the statement: Removal of name_of_package was successful.

10. Reboot by typing:

    # sync; init 6

To Install the SunScreen EFS 3.0, Revision B, Software on the Administration Station

1. Open a terminal window on the Administration Station and become root.

   ---

   Caution -

   Verify that the File Manager is not running because it interferes with the operation of the volcheck command used for installation.

   ---

2. Install the required Solaris patches listed in Chapter 2 of the SunScreen EFS 3.0 Installation Guide, as necessary.

3. Insert the SunScreen EFS 3.0, revision B, CD-ROM into the Administration Station's CD-ROM drive.

4. Mount the CD-ROM by typing:

   # volcheck

5. Add the SunScreen EFS 3.0, revision B, packages. Follow step 6 for SPARC systems and step 7 for x86 systems.

   ---

   Caution -

   Do not use the AdminInstaller to install SunScreen EFS 3.0, revision B, if you are upgrading from SunScreen EFS 3.0, revision A. If the AdminInstaller is used, your previous configurations can be corrupted!

   ---

6. For SPARC systems:

   1. Run the package add command by typing:

      # pkgadd -d /cdrom/cdrom0/sparc

      You are prompted with a menu of packages to install.

   2. Select the SunScreen EFS 3.0, revision B, packages to be installed by typing:

      # 1-5,8,10,12-17

   For SPARC systems, the package menu that displays is as follows:

   The following packages are available: 1 SUNWbdc SKIP Bulk Data Crypt (sparc) 1.5_revB 2 SUNWbdcx SKIP Bulk Data Crypt (64-bit) (sparc) 1.5_revB 3 SUNWdthj HotJava Browser for Solaris (sparc) 1.1.5,REV=1998.12.03 4 SUNWes SKIP End System (sparc) 1.5_revB 5 SUNWesx SKIP End System (64-bit) (sparc) 1.5_revB 6 SUNWfwcnv SunScreen Firewall conversion (sparc) 3.0_revB=19990714 7 SUNWhttp Sun WebServer daemon and supporting binaries (sparc) 2.0 8 SUNWicgSA SunScreen Administration Software (sparc) 3.0_revB=19990714 9 SUNWicgSD SunScreen online documentation (sparc) 3.0_revB=19990714 10 SUNWicgSM SunScreen man pages (sparc) 3.0_revB=19990714 ... 7 more menu choices to follow; <RETURN> for more choices, <CTRL-D> to stop display: 11 SUNWicgSS SunScreen Firewall (sparc) 3.0_revB=19990714 12 SUNWkeymg SKIP Key Manager Tools (sparc) 1.5_revB 13 SUNWkisup SKIP I-Support module (sparc) 1.5_revB 14 SUNWrc2 SKIP RC2 Crypto Module (sparc) 1.5_revB 15 SUNWrc4 SKIP RC4 Crypto Module (sparc) 1.5_revB 16 SUNWrc4x SKIP RC4 Crypto Module (64-bit) (sparc) 1.5_revB 17 SUNWsman SKIP Man Pages (sparc) 1.5_revB Select package(s) you wish to process (or 'all' to process all packages). (default: all) [?,??,q]: 1-5,8,10,12-17

   ---

   Note -

   The revision information in the package menu shown in this document might differ from what is displayed in your terminal window. The package names, however, will remain identical.

   ---

7. For x86 systems:

   1. Run the package add command by typing:

      # pkgadd -d /cdrom/cdrom0/i386

      You are prompted with a menu of packages to install.

   2. Select the SunScreen EFS 3.0, revision B, packages to be installed by typing:

      # 1-3,6,8,10-14

   For x86 systems, the package menu that displays is as follows:

   The following packages are available: 1 SUNWbdc SKIP Bulk Data Crypt (i386) 1.5_revB 2 SUNWdthj HotJava Browser for Solaris (i386) 1.1.5,REV=1998.12.03 3 SUNWes SKIP End System (i386) 1.5_revB 4 SUNWfwcnv SunScreen Firewall conversion (i386) 3.0_revB=19990714 5 SUNWhttp Sun WebServer daemon and supporting binaries (i386) 2.0 6 SUNWicgSA SunScreen Administration Software (i386) 3.0_revB=19990714 7 SUNWicgSD SunScreen online documentation (i386) 3.0_revB=19990714 8 SUNWicgSM SunScreen man pages (i386) 3.0_revB=19990714 9 SUNWicgSS SunScreen Firewall (i386) 3.0_revB=19990714 10 SUNWkeymg SKIP Key Manager Tools (i386) 1.5_revB ... 4 more menu choices to follow; <RETURN> for more choices, <CTRL-D> to stop display: 11 SUNWkisup SKIP I-Support module (i386) 1.5_revB 12 SUNWrc2 SKIP RC2 Crypto Module (i386) 1.5_revB 13 SUNWrc4 SKIP RC4 Crypto Module (i386) 1.5_revB 14 SUNWsman SKIP Man Pages (i386) 1.5_revB Select package(s) you wish to process (or 'all' to process all packages). (default: all) [?,??,q]: 1-3,6,8,10-14

   ---

   Note -

   The revision information in the package menu shown in this document might differ from what is displayed in your terminal window. The package names, however, will remain identical.

   ---

8. Follow the program prompts, answering all the questions with y.

   When completed, you return to the same menu of packages.

9. Type q to quit pkgadd.

10. Eject the CD-ROM from the Administration Station's CD-ROM drive by typing:

    # eject cdrom0

11. Install any SKIP upgrade packages (Export Controlled [1024-bit] or U.S. and Canada Use Only [4096-bit] keys) as instructed in the documentation that is included with the upgrade SKIP CD-ROM.

    See Appendix B of the SunScreen EFS 3.0 Installation Guide for additional information.

12. Reboot by typing:

    # sync; init 6

Upgrading From SunScreen EFS 3.0, Revision A, to SunScreen EFS 3.0, Revision B, on the Screen

The following procedures describe how to upgrade to SunScreen EFS 3.0, revision B, from SunScreen EFS 3.0, revision A, on the Screen. These procedures are necessary only if you have previously installed and are running SunScreen EFS 3.0, revision A.

Identify the software version by typing:

# pkginfo -l SUNWicgSS

This upgrade requires that the firewall be taken off-line while these procedures are performed.

To Remove the SunScreen EFS 3.0, Revision A, Software From the Screen

1. Backup your Screen's configurations and store this backup in a secure location, as it contains secret information like private keys.

   ---

   Note -

   Backing up your Screen's configuration is a safety precaution only. The configuration and keys are maintained during the upgrade.

   ---

2. Open a terminal window on the Screen and become root.

3. If you have installed any SunScreen EFS 3.0 patches, remove them.

   1. For SPARC systems, type:

      # patchrm 107849-01

   2. For x86 systems, type:

      # patchrm 107850-01

4. Remove SKIP upgrade packages if they are installed (Export Controlled [1024-bit] or US and Canada Use Only [4096-bit] keys).

   ---

   Note -

   Use the following command if you installed all possible upgrade packages. If you have not installed all of the following upgrade packages, remove only the packages that you installed.

   ---

   1. For SPARC systems, type:

      # pkgrm SUNW3desx SUNW3des SUNWdes SUNWdesx \ SUNWideax SUNWidea SUNWsafex SUNWsafe \ SUNWkusup SUNWkdsup

   2. For x86 systems, type:

      # pkgrm SUNW3des SUNWdes SUNWidea SUNWsafe \ SUNWkusup SUNWkdsup

5. Follow the program prompts, answering all the questions with a y.

   The pkgrm program ends with the statement: Removal of name_of_package was successful.

6. Remove the base SKIP packages.

   ---

   Note -

   Use the following command if you installed all possible SKIP packages. If you have not installed all of the following SKIP packages, remove only the packages that you installed.

   ---

   1. For SPARC systems, type:

      # pkgrm SUNWrc4sx SUNWrc4s SUNWrc2 SUNWrc4x \ SUNWrc4 SUNWbdcx SUNWbdc \ SUNWkisup SUNWkeymg

   2. For x86 systems, type:

      # pkgrm SUNWrc4s SUNWrc2 SUNWrc4 SUNWbdc \ SUNWkisup SUNWkeymg

7. Follow the program prompts, answering all the questions with a y.

   The pkgrm program ends with the statement: Removal of name_of_package was successful.

8. Remove the base SunScreen EFS 3.0, revision A, software. For SPARC and x86 systems type:

   # pkgrm SUNWicgSM SUNWicgSA SUNWicgSS \ SUNWhttp SUNWicgSD

   ---

   Note -

   Remove the SUNWes or SUNWesxs packages if they are installed.

   ---

9. Follow the program prompts, answering all the questions with a y.

   The pkgrm program ends with the statement: Removal of name_of_package was successful.

10. Remove the Firewall-1 Migration package if you have installed it. For SPARC and x86 systems, type:

    # pkgrm SUNWfwcnv

11. Follow the program prompts, answering all the questions with a y.

    The pkgrm program ends with the statement: Removal of name_of_package was successful.

12. Reboot by typing:

    # sync; init 6

    ---

    Caution -

    Your machine will no longer be filtering traffic until you have completed step the final step in the procedure "To Install the SunScreen EFS 3.0, Revision B, Software on the Screen". For security reasons, this upgrade should be done offline.

    ---

To Install the SunScreen EFS 3.0, Revision B, Software on the Screen

1. Open a terminal window on the Screen and become root.

2. Install the required Solaris patches listed in Chapter 2 of the SunScreen EFS 3.0 Installation Guide, as necessary.

3. Insert the SunScreen EFS 3.0, revision B, CD-ROM into the Screen's CD-ROM drive.

4. Mount the CD-ROM by typing:

   # volcheck

5. Add the SunScreen EFS 3.0, revision B, packages. Follow step 6 for SPARC systems; follow step 7 for x86 systems.

   ---

   Caution -

   Do not use the ScreenInstaller to install SunScreen EFS 3.0, revision B, if you are upgrading from SunScreen EFS 3.0, revision A. If used, your previous configuration can be corrupted.

   ---

6. For SPARC systems:

   1. Run the package add command by typing:

      # pkgadd -d /cdrom/cdrom0/sparc

      You are prompted with a menu of packages to install.

   2. Select the SunScreen EFS 3.0, revision B, packages to be installed by typing:

      # 1-2, 7-16

   For SPARC systems, the package menu that displays is as follows:

   The following packages are available: 1 SUNWbdc SKIP Bulk Data Crypt (sparc) 1.5_revB 2 SUNWbdcx SKIP Bulk Data Crypt (64-bit) (sparc) 1.5_revB 3 SUNWdthj HotJava Browser for Solaris (sparc) 1.1.5,REV=1998.12.03 4 SUNWes SKIP End System (sparc) 1.5_revB 5 SUNWesx SKIP End System (64-bit) (sparc) 1.5_revB 6 SUNWfwcnv SunScreen Firewall conversion (sparc) 3.0_revB=19990714 7 SUNWhttp Sun WebServer daemon and supporting binaries (sparc) 2.0 8 SUNWicgSA SunScreen Administration Software (sparc) 3.0_revB=19990714 9 SUNWicgSD SunScreen online documentation (sparc) 3.0_revB=19990714 10 SUNWicgSM SunScreen man pages (sparc) 3.0_revB=19990714 ... 7 more menu choices to follow; <RETURN> for more choices, <CTRL-D> to stop display: 11 SUNWicgSS SunScreen Firewall (sparc) 3.0_revB=19990714 12 SUNWkeymg SKIP Key Manager Tools (sparc) 1.5_revB 13 SUNWkisup SKIP I-Support module (sparc) 1.5_revB 14 SUNWrc2 SKIP RC2 Crypto Module (sparc) 1.5_revB 15 SUNWrc4 SKIP RC4 Crypto Module (sparc) 1.5_revB 16 SUNWrc4x SKIP RC4 Crypto Module (64-bit) (sparc) 1.5_revB 17 SUNWsman SKIP Man Pages (sparc) 1.5_revB Select package(s) you wish to process (or 'all' to process all packages). (default: all) [?,??,q]: 1-2, 7-16

   ---

   Note -

   The revision information in the package menu shown in this document might differ from what is displayed in your terminal window. The package names, however, will remain identical.

   ---

7. For x86 systems:

   1. Run the package add command by typing:

      # pkgadd -d /cdrom/cdrom0/i386

   2. Select the SunScreen EFS 3.0, revision B, packages to be installed by typing:

      # 1, 5-13

   For x86 systems, the package menu that displays is as follows:

   The following packages are available: 1 SUNWbdc SKIP Bulk Data Crypt (i386) 1.5_revB 2 SUNWdthj HotJava Browser for Solaris (i386) 1.1.5,REV=1998.12.03 3 SUNWes SKIP End System (i386) 1.5_revB 4 SUNWfwcnv SunScreen Firewall conversion (i386) 3.0_revB=19990714 5 SUNWhttp Sun WebServer daemon and supporting binaries (i386) 2.0 6 SUNWicgSA SunScreen Administration Software (i386) 3.0_revB=19990714 7 SUNWicgSD SunScreen online documentation (i386) 3.0_revB=19990714 8 SUNWicgSM SunScreen man pages (i386) 3.0_revB=19990714 9 SUNWicgSS SunScreen Firewall (i386) 3.0_revB=19990714 10 SUNWkeymg SKIP Key Manager Tools (i386) 1.5_revB ... 4 more menu choices to follow; <RETURN> for more choices, <CTRL-D> to stop display: 11 SUNWkisup SKIP I-Support module (i386) 1.5_revB 12 SUNWrc2 SKIP RC2 Crypto Module (i386) 1.5_revB 13 SUNWrc4 SKIP RC4 Crypto Module (i386) 1.5_revB 14 SUNWsman SKIP Man Pages (i386) 1.5_revB Select package(s) you wish to process (or 'all' to process all packages). (default: all) [?,??,q]: 1, 5-13

   ---

   Note -

   The revision information in the package menu shown in this document might differ from what is displayed in your terminal window. The package names, however, will remain identical.

   ---

8. Follow the program prompts, answering all the questions with a y.

   When completed, you return to the same menu of packages.

9. Type q to quit pkgadd.

10. Eject the CD-ROM from the CD-ROM drive by typing:

    # eject cdrom0

11. Install any SKIP upgrades (Export Controlled [1024-bit] or US and Canada Use Only [4096-bit] keys) as instructed in the documentation included with the upgrade SKIP CD-ROM.

12. Reboot by typing:

    # sync; init 6

13. Activate the desired configuration according to the procedures found in the SunScreen EFS 3.0 Administration Guide.