   .
   .
   .                                                           GATEWAY.TXT
   .                                                    InJoy Gateway 1.00
   .                                                      December 1, 1998
   .                          
   .
   .
   .
   .
   .  ___           _
   . |_ _|_ __     | | ___  _   _
   .  | || '_ \ _  | |/ _ \| | | |
   .  | || | | | |_| | (_) | |_| |
   . |___|_| |_|\___/ \___/ \__, |
   .                        |___/
   .
   .   ____       _
   .  / ___| __ _| |_ _____      ____ _ _   _
   . | |  _ / _` | __/ _ \ \ /\ / / _` | | | |
   . | |_| | (_| | ||  __/\ V  V / (_| | |_| |
   .  \____|\__,_|\__\___| \_/\_/ \__,_|\__, |
   .                                    |___/
   .
   .
   .
   .
   .                                                    F/X Communications
   .                                                       DK-4300 Holbaek
   .                                                               Denmark
   .                                                 E-mail: support@fx.dk
   .                                                      http://www.fx.dk
   .
   .
   .
   .
   .
   .
   .
   .
   .
   .
   .
   .     Copyright (c) 1998, F/X Communications, All Rights Reserved.
   .     Your usage of this product and its documentation is subject to
   .     your acceptance of the license agreement included with this product.
   .
   .     IBM and OS/2 are registered trademarks of International
   .     Business Machines, Inc. All other trademarks, registered
   .     trademarks, service marks and other registered marks are the property
   .     of their respective owners.




==========================================================================
 	C O N T E N T S
==========================================================================



   1.  Introduction
   2.  System Requirements
   3.  Before Installation
   4.  Installing the InJoy Gateway
   5.  Installing the Device Driver
   6.  Running the InJoy Gateway
   7.  Configuring LAN clients
   8.  Network Interface Configuration
   9.  Gateway Configuration File
   10. Command Line Parameters
   11. Uninstalling
   12. Registration
   13. Troubleshooting
   14. Acknowledgments
   15. Contacts



==========================================================================
 1. 	I N T R O D U C T I O N
==========================================================================



   The InJoy Gateway is the base module of the InJoy Firewall product.

   The InJoy Gateway solution allows corporations using the IBM OS/2
   operating system to connect the computers of a private LAN to the 
   Internet.

   The InJoy Gateway is designed with Cable Modems in mind and, with
   minimal effort, you can share the Cable connection among multiple
   workstations. You can run most standard networking applications
   on the LAN clients, without any reconfiguration of those applications.

   The InJoy Gateway is implemented as a native, low-level Internet gateway
   solution, making full use of the OS/2 system capabilities such as: 
   fully 32 bit code, OS/2 multi-threading and the robust OS/2 TCP/IP Stack.

   Used in combination with the InJoy Firewall plugin and sound security 
   policies, the InJoy Gateway turns into a powerful firewall providing
   a secure technology to regulate both in-bound and out-bound 
   communications.

   This manual describes how to install, configure and operate the
   InJoy Gateway.



==========================================================================
 2. 	S Y S T E M   R E Q U I R E M E N T S
==========================================================================



   o IBM OS/2 3.0
   o 386SX
   o 4 MB total memory
   o Up to 4 MB free disk space
   o TCP/IP for OS/2 4.0e or newer (inetver.exe)
     (Check by typing inetver at an OS/2 Window)
   o LAN-to-LAN connection to the Internet
   o At least one network adapter



==========================================================================
 3. 	B E F O R E   I N S T A L L A T I O N
==========================================================================


   o Caution:

   You are about to install a product that adds a new device driver to
   your OS/2 system. The device driver layers with existing device drivers
   shipped with your LAN adapter(s) and incompatibilities or bugs in these
   drivers CAN (potentially) harm your OS/2 system.

   If you are NOT experienced in the following areas:

        * TCP/IP networking and routing
        * OS/2 recovery options (i.e. the Maintenance Desktop)

   THEN please back up critical data before installing this software
   and/or consult a local expert or seek help on the Internet. F/X
   Communications will in no way be held responsible for malfunctions or
   data loss inflicted by the InJoy Gateway.


   o The Private LAN

   The InJoy Gateway REQUIRES a properly configured private LAN. 
   The computer running the InJoy Gateway MUST have two network interfaces
   defined (NOT necessarily 2 LAN adapters). One network interface reflects
   the internal network and the other interface reflects the connection to
   the external network (Internet/ISP).

   If you wonder how such a LAN is configured or whether your existing
   configuration is supported, then jump to the "Network Interface 
   Configuration" section.


   o Using proper IP addresses

   Make sure your internal LAN is properly configured to use Private
   IP addresses as specified in RFC1918.

   Private IP address space includes these 3 segments:

	10.x.x.x
	172.16.x.x
	192.168.x.x


   o Testing your LAN

   In an OS/2 window, run the ping command and ping the machines connected
   to your OS/2 gateway PC. The machines you wish to get on the Internet
   must be pingable.


   o Testing your ISP connection

   Try to ping any desired host on the Internet, e.g.:

	www.ibm.com
	www.netscape.com
	www.fx.dk

   If you get no response, then try a few more known hosts and if
   you still get no response, then your networking configuration is
   incorrect and you should fix it before continuing.



==========================================================================
 4. 	I N S T A L L I N G   T H E   I N J O Y   G A T E W A Y
==========================================================================



   This InJoy Gateway evaluation software is distributed as a zipped archive.
   To install, copy the archive into a directory of your choice and extract
   the files using Info-Zip's UNZIP.EXE.

   If the archive unzips without errors, you can be sure the downloaded 
   archive is intact. 

   With the files in place, run FOLDER.CMD to have a desktop folder created.

   Finally, you are ready to install the device driver. See next section.



==========================================================================
 5. 	I N S T A L L I N G   T H E   D E V I C E   D R I V E R 
==========================================================================



   Run INSTALL.CMD from the product directory. 

   INSTALL.CMD will show a list of installed LAN adapters and you
   should choose the LAN adapter that is connected to the external
   network (i.e. Internet Link / ISP).

   INSTALL.CMD backs up CONFIG.SYS and PROTOCOL.INI before updating
   the files with the required changes. 

   The FXWRAP.SYS file will be automatically copied from the product 
   directory to x:\IBMCOM\MACS, where x: is the drive where MPTN is installed.

   o Reboot System.

   To load the newly installed device driver, please reboot your system.

   IMPORTANT: A new device driver can potentially cause malfunction and
   failure to boot. This can be caused by conflict with hardware or other 
   device drivers and although unlikely, this may happen to you.
   If you experience such troubles, you need to use OS/2 Warp's Maintenance 
   Desktop to recover your system. When you boot OS/2, you will see a white 
   box in the upper left hand corner followed by "OS/2." Hit ALT-F1, and a 
   menu pops up with several options such as immediately dropping to a 
   command line. Dropping to a command line allows you to manually uninstall
   (see troubleshooting section). Having done that, you will be able to reboot
   normally and contact F/X Communications for further help.



==========================================================================
 6. 	R U N N I N G   T H E   I N J O Y   G A T E W A Y
==========================================================================



   After installing the device driver and rebooting, simply execute 
   GATEWAY.EXE directly from the product directory. If you prefer to run 
   the software via a desktop icon, then run FOLDER.CMD from the product 
   directory to have icons created.

   o Testing the Gateway

   The first step in testing the (running) gateway is to ping a desired host
   on the Internet. Pinging should work, just like it did before you
   installed the InJoy Gateway.

   Once able to access Internet servers, you can proceed to set up the
   LAN clients.



==========================================================================
 7. 	C O N F I G U R I N G   L A N   C L I E N T S
==========================================================================



   There is no master check list as your current configuration 
   affects what steps you have to take (like, do you already have
   TCP/IP configured?).

   How to configure the many TCP/IP stacks available for the various
   Operating Systems is outside the scope of this document, but in
   general all you need to configure on ANY LAN client is:

   1) Clients MUST reference an external name server (as they will now have
      Internet access).

   2) Clients must have the InJoy Gateway PC configured as the default 
      gateway (a.k.a. default route).

   Unlike proxy based solutions, you do not need to reconfigure
   the various TCP/IP applications running on the client.

   With this configuration in place, you should now be able to use
   the Internet through your copy of the InJoy Gateway. If you can't,
   then please study the "Network Interface Configuration" and the
   troubleshooting section. As always, the F/X support crew is only
   an e-mail away (support@fx.dk).



==========================================================================
 8. 	N E T W O R K   I N T E R F A C E   C O N F I G U R A T I O N
==========================================================================



   There are two possible LAN configurations in which this product
   will work:

	1) Using one (1) LAN adapter in the Gateway PC and using a hub for
	   the external connection to the Internet.

	2) Using two (2 - or more) LAN adapters in the Gateway PC, with
	   one LAN adapter connected directly to the external interface.

   Using 2 LAN adapters is the more secure option as it physically separates
   the Internet & your intranet into 2 collision domains.
   This product handles both of the above setups identically, but the
   TCP/IP stack must be configured with respect to your setup.


   1) Using 1 LAN adapter
                                                 ___
                                                |___|  PC with
                    HUB/Switch                  |___|  InJoy Firewall
        Uplink     __________                   | _ |
        ______    |+_+_+_+_+_|                  | _ |
              \____| | | | |____________________| _ |
                     |   |                    __|___|__
                     |...|________
                     |             To other PCs
                     |____________

   The gateway PC should be configured with two TCP/IP network interfaces.
   The first network interface is for the uplink connection to the ISP. This
   net is typically configured via DHCP.

   The second network interface is the internal net using IP addresses from
   the private internet address space (e.g. 192.168.x.x).

   Example (based on the following values):

         uplink IP address is 123.45.67.2      (IP address ISP)
         uplink netmask is 255.255.255.252
         our IP address is 123.45.67.1         (ISP assigned)
         our interface name is lan0
         internal net is 192.168.1.0
         internal IP address is 192.168.1.254  (RFC1918-style IP address)
         internal netmask is 255.255.255.0

   Step by step configuration:

   NOTE: In case of DHCP you can skip the first two steps.

         Configure interface:

          ifconfig lan0 123.45.67.1 netmask 255.255.255.252

         Set default route to uplink:

          route add default 123.45.67.2 1

         Configure alias interface for internal net:

          ifconfig lan0 192.168.1.254 netmask 255.255.255.0 alias

          The 'alias' parameter at the end of the command allows two
          different nets on one physical LAN adapter.

         Enable forwarding:

          ipgate on

   You can use the OS/2 TCP/IP GUI to update your configuration, but many
   find it easier to update SETUP.CMD (located in \MPTN\BIN). SETUP.CMD
   should include these lines after configuration:

	ifconfig lan0 123.45.67.1 netmask 255.255.255.252
	route add default 123.45.67.2 1
	ifconfig lan0 192.168.1.254 netmask 255.255.255.0 alias
	ipgate on


   2) Using 2 (or more) LAN adapters:

                  ___  PC with InJoy Firewall
                 |___|
                 | _ |       HUB/Switch
        Uplink   | _ |      __________
        ______   | _ |     |+_+_+_+_+_|
              \__| _ |______| | | | |______
               __|___|__      |   |
                              |...|________
                              |             To other PCs
                              |____________


   For this configuration it is required for the Gateway PC to have 
   two (or more) LAN adapters installed.

   Example (based on following values):

         uplink IP address is 123.45.67.2      (IP address ISP)
         uplink netmask is 255.255.255.252
         our IP address is 123.45.67.1         (ISP assigned)
         our interface name is lan0
         internal net is 192.168.1.0
         internal IP address is 192.168.1.254  (RFC1918-style IP address)
         internal netmask is 255.255.255.0
         name of internal net is lan1

   Step by step configuration:

   NOTE: In case of DHCP you can skip the first two steps.

         Configure interface:

          ifconfig lan0 123.45.67.1 netmask 255.255.255.252

         Set default route to uplink:

          route add default 123.45.67.2 1

         Configure second interface for internal net:

          ifconfig lan1 192.168.1.254 netmask 255.255.255.0

         Enable forwarding:

          ipgate on

   You can use the OS/2 TCP/IP GUI to update your configuration, but many
   find it easier to update SETUP.CMD (located in \MPTN\BIN). SETUP.CMD
   should include these lines after configuration:

	ifconfig lan0 123.45.67.1 netmask 255.255.255.252
	route add default 123.45.67.2 1
	ifconfig lan1 192.168.1.254 netmask 255.255.255.0
	ipgate on
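
   The checks named in this section and in the troubleshooting section
   ('alias' on a shared adapter, a default gateway on an attached subnet,
   no redundant net routes, 'ipgate on'), as an added Python example that is
   not part of the InJoy distribution. lint_setup, parse_setup and both inputs
   are constructed here; reading "redundant" as a net route into a directly
   attached subnet is an assumption.

```python
import ipaddress

# Constructed input: the one-adapter lines from this section with 'alias' and
# 'ipgate on' left out, plus one redundant route line of the kind the
# troubleshooting section warns about.
BROKEN_SETUP = """\
ifconfig lan0 123.45.67.1 netmask 255.255.255.252
route add default 123.45.67.2 1
ifconfig lan0 192.168.1.254 netmask 255.255.255.0
route add net 123.45.67.0 netmask 255.255.255.0
"""

# The one-adapter configuration as the manual gives it.
GOOD_SETUP = """\
ifconfig lan0 123.45.67.1 netmask 255.255.255.252
route add default 123.45.67.2 1
ifconfig lan0 192.168.1.254 netmask 255.255.255.0 alias
ipgate on
"""


def parse_setup(text):
    """Collect interfaces, default gateway, net routes and the ipgate flag."""
    cfg = {"ifaces": [], "gw": None, "routes": [], "ipgate": False, "bad": []}
    for raw in text.splitlines():
        tok = raw.lower().split()
        try:
            if tok[:1] == ["ifconfig"] and len(tok) >= 5 and tok[3] == "netmask":
                # ip_interface rejects malformed addresses and broken netmasks.
                iface = ipaddress.ip_interface(f"{tok[2]}/{tok[4]}")
                cfg["ifaces"].append((tok[1], iface, "alias" in tok[5:]))
            elif tok[:3] == ["route", "add", "default"] and len(tok) >= 4:
                cfg["gw"] = ipaddress.ip_address(tok[3])
            elif tok[:3] == ["route", "add", "net"] and len(tok) >= 4:
                cfg["routes"].append(ipaddress.ip_address(tok[3]))
            elif tok[:2] == ["ipgate", "on"]:
                cfg["ipgate"] = True
        except ValueError:
            cfg["bad"].append(raw.strip())
    return cfg


def lint_setup(text):
    """Return findings for the problems the manual names; [] means none."""
    cfg = parse_setup(text)
    findings = [f"unparseable address or netmask: {line}" for line in cfg["bad"]]
    seen = set()
    for name, iface, is_alias in cfg["ifaces"]:
        # One adapter carrying both nets needs 'alias' on the second address.
        if name in seen and not is_alias:
            findings.append(f"{name}: second address {iface.ip} lacks 'alias'")
        seen.add(name)
    nets = [iface for _, iface, _ in cfg["ifaces"]]
    # With DHCP the default route is not in the file, so only check it if set.
    gw = cfg["gw"]
    if gw is not None and not any(gw in i.network and gw != i.ip for i in nets):
        findings.append(f"default gateway {gw} is not on a configured subnet")
    for dest in cfg["routes"]:
        # Assumption: a net route into an attached subnet counts as redundant.
        if any(dest in i.network for i in nets):
            findings.append(f"redundant route for attached net {dest}")
    if not cfg["ipgate"]:
        findings.append("forwarding disabled: 'ipgate on' missing")
    return findings


if __name__ == "__main__":
    for finding in lint_setup(BROKEN_SETUP):
        print("FINDING:", finding)
```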



===========================================================================
 9. 	G A T E W A Y   C O N F I G U R A T I O N   F I L E
===========================================================================



   The InJoy Gateway is a daemon process, receiving its configuration
   parameters from a configuration file.

   The distribution archive contains the file "GATEWAY.CF_", which can 
   optionally be put into effect by removing the trailing underscore from 
   the file name (i.e. "copy gateway.cf_ gateway.cf").

   The GATEWAY.CF_ includes three optional configuration sections:

   [net]

      This section contains two parameters:

         internal_net
         netmask

      These parameters are used to limit the set of IP addresses that are
      considered "internal" by the InJoy Gateway. In other words, only packets 
      with a source IP address matching the net defined by the two variables
      are masqueraded (by the NAT).

      If one or both of the above parameters are omitted, then all packets
      going to/from the external gateway will be masqueraded, which should
      work well too.

   [hardware]

      This section contains the following hardware related parameters.

         delay
         dest_hw_address

      The 'delay' parameter should always be set to 0 unless otherwise
      advised by the F/X support team.

      The 'dest_hw_address' is used to specify the hardware address
      of the external gateway. This parameter should only be specified
      if the external gateway is different from the default route or if
      auto detection fails. You can determine (and verify) the auto detected
      hardware address by comparing the output of GATEWAY.EXE with the
      output of the command "ARP -a". Simply search the output of
      ARP for an entry matching the IP address of your ISP. Next to that 
      IP address is the hardware address which should match the auto 
      detected value which you find in the GATEWAY.EXE output.

   [license]

      This section is used to specify license name and licensee code.

         name
         code

      Notice, the registration information is sent in a form which allows
      you to simply copy it directly from the source into the GATEWAY.CF file.


    NOTE: Editing the GATEWAY.CF file should be done in a text editor 
          that preserves the ASCII format of the file. For example, you can
          use OS/2 System Editor for this purpose (E.EXE).
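
   A model of the [net] rule described in this section, as an added Python
   example (not F/X code): it reads internal_net and netmask, decides which
   source addresses fall inside the masqueraded net, and warns when the scope
   is unrestricted or lies outside RFC1918 space. Assumptions: gateway.cf uses
   the key=value layout the manual shows for [license]; the function names and
   the sample file are constructed here.

```python
import configparser
import ipaddress

# Constructed sample, using the key=value layout the manual shows for [license].
SAMPLE_CF = """\
[net]
internal_net=192.168.1.0
netmask=255.255.255.0
"""

# RFC 1918 blocks; 172.16.0.0/12 runs from 172.16.x.x through 172.31.x.x.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def load_internal_net(cf_text):
    """Return the [net] network, or None when either parameter is omitted.

    Raises ValueError when the pair does not describe a network, for example
    a non-contiguous netmask or an internal_net with host bits set.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cf_text)
    net = cp.get("net", "internal_net", fallback="").strip()
    mask = cp.get("net", "netmask", fallback="").strip()
    if not net or not mask:
        return None
    return ipaddress.ip_network(f"{net}/{mask}", strict=True)


def is_masqueraded(src_ip, internal_net):
    """Model the documented rule: only sources inside the configured net are
    masqueraded; with no [net] restriction every source is."""
    if internal_net is None:
        return True
    return ipaddress.ip_address(src_ip) in internal_net


def audit(cf_text):
    """Return warnings about the scope the [net] section gives the NAT."""
    try:
        net = load_internal_net(cf_text)
    except ValueError as exc:
        return [f"[net] is not a valid network: {exc}"]
    if net is None:
        return ["[net] incomplete: NAT scope is not restricted"]
    if not any(net.subnet_of(block) for block in RFC1918):
        return [f"{net} is outside RFC 1918 private space"]
    return []


if __name__ == "__main__":
    internal = load_internal_net(SAMPLE_CF)
    for src in ("192.168.1.17", "192.168.2.17", "10.0.0.5"):
        print(src, "masqueraded" if is_masqueraded(src, internal) else "ignored")
    print(audit(SAMPLE_CF) or "no warnings")
```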



===========================================================================
10. 	C O M M A N D   L I N E   P A R A M E T E R S
===========================================================================



   This product is intended to be run WITHOUT command line parameters,
   but the following diagnostic parameters are available.

   o Command Line Parameters

	-?  or -h   Show help message
	-t          Enable packet tracing
	-q          Disable additional information messages
	-p<xx>      Priority from 1 to 100 (100 being the maximum).

    Option -t (trace)

     Enables packet tracing and should be used for diagnostic purposes
     only. Enabling this option in a production environment will 
     significantly reduce product performance.

    Option -q (quiet)

     Disables informational messages such as the device driver version, 
     auto detection messages and various warnings. This option should 
     ONLY be used if specifically advised by F/X support.

    Option -p (priority)

     The priority parameter specifies the priority that OS/2 will assign 
     to the InJoy Firewall. 

       -- Any value larger than 75 percent will register the gateway as
          a time critical process. Being time critical is a logical choice
          for a program handling the CPU demanding COM port.

       -- However, raising the value much above 75 percent may cause
          system hangs as the OS/2 scheduler will not allow other 
          processes to "wake up" when they are really needed.



===========================================================================
11. 	U N I N S T A L L I N G
===========================================================================



   Uninstalling is done in three simple steps:

	1) Uninstall Device Driver
	2) Uninstall Gateway software
	3) Reboot


   o Uninstall FXWRAP.SYS

   Uninstalling FXWRAP.SYS is done using the UNINSTAL.CMD and when running
   it, you will be prompted for an action:

          <I> to install FXWRAP
          <U> to uninstall previously installed FXWRAP

   Press 'U' followed by <Enter> to start uninstalling the device
   driver. The files CONFIG.SYS and PROTOCOL.INI will be updated.


   o Uninstall Gateway

   In order to uninstall the InJoy Gateway, simply delete the files from
   the product directory.


   o Reboot System



===========================================================================
12. 	R E G I S T R A T I O N
===========================================================================



   After successful evaluation of this product, you can register
   it by obtaining a registration key from one of the resellers.
   Reseller information can be found in:

	1) REGISTER.TXT from the distribution archive

   Most current pricing information and online registration services are
   available at the following address:

        2) http://www.fx.dk/firewall/register.htm

   Once registered, you need to fill your registration code into the
   gateway.cf file - for example:

	[license]
	name=Joe Pepper
	code=1cdf3ade75679893
   
   NOTICE: The above name and code are presented only as an example. This is NOT
           a correct license number, so don't try to use the code.

   For more information contact sales@fx.dk



===========================================================================
 13.	T R O U B L E S H O O T I N G
===========================================================================


>  Everything installed successfully! Had Internet access before installing,
>  but now gateway PC and client systems cannot access the Internet.

   Q:  I have installed everything successfully, but the gateway PC
       and the clients CANNOT access the Internet.
   A:  Check if it helps to stop the GATEWAY.EXE daemon.

   Q:  Stopping GATEWAY.EXE does not help.
   A:  Seems FXWRAP.SYS or PROTOCOL is harming your system. 
       Uninstall and contact support@fx.dk

   Q:  Stopping GATEWAY.EXE does help.
   A:  Check if the auto detected information in the output of GATEWAY.EXE
       looks correct. If it doesn't, contact support@fx.dk

   Q:  Auto detected information looks good and GATEWAY.EXE reports no errors.
   A:  Did you specify an 'internal_net' and 'netmask' in the .cf file?
       If you did, try to comment out those variables.

   Q:  I even removed my GATEWAY.CF file, but still NO Internet access.
   A:  Did you install FXWRAP for the proper LAN adapter? The LAN adapter
       which is connected to the external interface!

   Q:  I did install to the right LAN adapter, I'm sure.
   A:  Uninstall and contact support@fx.dk


>  Everything installed successfully and the gateway PC has Internet access,
>  but client systems CANNOT access the Internet.

   Q:  I have installed everything successfully, but clients are unable
       to ping an outside server.
   A:  Check if the gateway itself can access servers on the Internet
       (with the GATEWAY.EXE daemon running).

   Q:  Gateway PC is definitely okay, only clients won't work!
   A:  Did you remember to enable IP forwarding ("ipgate on" in SETUP.CMD)?

   Q:  I enabled IP forwarding, but clients still cannot get out.
   A:  Check your routing on the gateway. Both external and internal
       interfaces must have proper netmasks. This has proven extremely
       important. Also, you may want to add routes for a specific LAN
       client, e.g.:

       route add net <ipaddr of external interface> 
                     <ip of internal interface> 0

   Q:  Everything looks okay, but still clients cannot get out.
   A:  If you have only one LAN adapter in the gateway PC, you should
       remember that one of your interfaces must be configured using
       the 'alias' parameter.

   Q:  Everything looks okay, but still clients cannot get out.
   A:  Make absolutely sure that your SETUP.CMD does NOT contain redundant
       route commands like those below:

       route add net 123.45.67.0 netmask 255.0.0.0
       route add net 123.45.67.0 netmask 255.255.255.0

   Q:  My routing really seems okay, but still no clients can get out.
   A:  Contact support@fx.dk


>  I want to UNinstall the FXWRAP.SYS device driver, but INSTALL.CMD
>  doesn't seem to do the job right.

   Q:  Uninstalling fails for some reason, but I did make backup copies 
       of CONFIG.SYS and PROTOCOL.INI before installing.
   A:  Good, restore the system so it uses your old backup copies and
       reboot.

   Q:  Uninstalling fails for some reason, but I did NOT make any backup
       copies of CONFIG.SYS and PROTOCOL.INI before installing.
   A:  INSTALL.CMD backs up these files. Locate the files and restore
       your system. Then reboot.

   Q:  I wish to uninstall the changes manually.
   A:  Caution: Your networking won't work if you uninstall the wrong way, 
       but step by step instructions follow (use at your own risk):

       1) Locate PROTOCOL.INI (usually located in the \IBMCOM directory).
       2) Open PROTOCOL.INI in OS/2 System editor.
       3) Locate FXWRAP section - should look like this:

               [FXWRAP_nif]
               Drivername = FXWRAP1$
               Bindings   = DC21X4

          Note Bindings parameter 
          (DC21X4 is the network card used in our example).

          Walk through PROTOCOL.INI, in order to locate the Bindings
          parameter in each section. If a Bindings parameter exists and
          it points to FXWRAP, then replace each occurrence of FXWRAP_nif
          with DC21X4.

          Now, remove the FXWRAP_nif section and save PROTOCOL.INI.

       4) Open CONFIG.SYS in OS/2 System editor.
       5) Locate line where FXWRAP.SYS is installed and remove this line.
       6) Save CONFIG.SYS and close editor.
       7) Reboot your computer to deactivate FXWRAP.SYS

       If you see error messages during boot-up or your network does not 
       work properly, then you should reboot into the Maintenance Desktop
       and start a command line window. Using the command line window you
       should check your uninstallation.



==========================================================================
14.	A C K N O W L E D G M E N T S
==========================================================================



   F/X would like to thank all the people who helped during the development
   phase and the testing phase.

   Daryl Pilkington "The PC Therapist" darylp@senet.com.au



==========================================================================
 15.	C O N T A C T S
==========================================================================



   The below resources are pointers to where you might find more help in
   using InJoy products.

   Support:       Our FREE mail list has more than 400 people connected
                  and they will gladly take a stab at almost any problem. 
                  See below for help on subscribing to the list.

   Mailing lists: Subscribe at http://www.fx.dk/contadd.html

   Support:       support@fx.dk

   Web:           http://www.fx.dk/firewall

                  The most recent news about this product is posted at 
                  the F/X Communications site.









