
	TIS Firewall Toolkit MBone Proxy Configuration 
	April 18, 1997


The MBone proxy is an optional fwtk component. It can be configured
to allow users inside the firewall, using specific MBone applications
(sdr, vic, vat, wb, nt), to conference with users outside the firewall.

In addition to configuring the MBone proxy on the firewall, 
client software must also be installed on all client systems which will 
use the MBone applications.

For information about the MBone security concerns and the MBone proxy, 
see the research paper titled "An MBone Proxy for an Application Gateway 
Firewall" at:
http://www.tis.com/docs/research/network/mbone/mboneabs.html .


Firewall Configuration

1. Add the mbone-gw directory to the fwtk directory; put the mbone-gw
source files there.

2. Modify mbone-gw.h to specify your firewall's inside and outside
interfaces.  If the firewall only has one interface, make inside and
outside the same address.

3. Build mbone-gw.

4. Add mbonesrv to the /etc/services file:
   Example: 
	mbonesrv	8765/tcp

5. Add mbone-gw to inetd.conf or rc.local
   inetd.conf example:
	mbonesrv stream tcp nowait root /usr/local/etc/netacl in.mboned

   rc.local example:
	/usr/local/etc/mbone-gw -daemon &

6. Add mbone-gw specific netperm-table entries. 
   Examples:
	netacl-in.mboned: permit-hosts * -exec /usr/local/etc/mbone-gw
	mbone-gw: timeout 3600
	mbone-gw: timelimit 28800
	mbone-gw: permit-hosts 192.33.112.*
	mbone-gw: permit-hosts 192.34.113.* -auth 
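
The following sketch is an added example, not part of the toolkit or of the original document. It reads the step 6 entries and reports which inside hosts each permit-hosts rule covers and which rules carry no -auth option. The function names are hypothetical, and it assumes '#' starts a comment, the first matching rule wins, an unmatched host is denied, and -auth means the proxy requires authentication.

```python
import fnmatch

# Constructed sample: the netperm-table example lines from step 6.
SAMPLE = """\
netacl-in.mboned: permit-hosts * -exec /usr/local/etc/mbone-gw
mbone-gw: timeout 3600
mbone-gw: timelimit 28800
mbone-gw: permit-hosts 192.33.112.*
mbone-gw: permit-hosts 192.34.113.* -auth
"""

def parse_rules(text, program="mbone-gw"):
    """Return [(patterns, options)] for each permit-hosts line of one program."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # assumption: '#' starts a comment
        name, sep, rest = line.partition(":")
        fields = rest.split()
        if not sep or name.strip() != program or fields[:1] != ["permit-hosts"]:
            continue
        # Host patterns run up to the first option (a token starting with '-').
        split = next((i for i, f in enumerate(fields) if f.startswith("-")), len(fields))
        rules.append((fields[1:split], fields[split:]))
    return rules

def decision(rules, client_ip):
    """Assumed semantics: first matching rule wins, no match means deny."""
    for patterns, options in rules:
        if any(fnmatch.fnmatchcase(client_ip, p) for p in patterns):
            return "permit+auth" if "-auth" in options else "permit"
    return "deny"

def findings(rules):
    """List (pattern, reason) for permit rules that carry no -auth option."""
    out = []
    for patterns, options in rules:
        if "-auth" not in options:
            out += [(p, "any host" if p == "*" else "no -auth") for p in patterns]
    return out

if __name__ == "__main__":
    for prog in ("netacl-in.mboned", "mbone-gw"):
        for pattern, reason in findings(parse_rules(SAMPLE, prog)):
            print(f"{prog}: permit-hosts {pattern}: {reason}")
```
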



Client Configuration

1. Copy the modified mbone-gw.h to the directory where the client wrapper
sources are located.

2. Determine how the users are to start the applications.  Modify
wrapper.h.
	Two options (using vic as example):
	a. vic 224.2.197.230/49162
		vic must be a symbolic link to wrapper.
		The real vic application is specified in MBONE_APPL_DIRECTORY.
	b. wrapper vic 224.2.197.230/49162
		The real vic application is found from the user's PATH,
		or specified in MBONE_APPL_DIRECTORY.
		
The proxy has been tested with sdr, vic, vat, wb, and nt.
Other applications may also work; to try one, add it to wrapper.h.
Some modification to the wrapper may be needed (for example, to specify
whether the application uses RTP).

3. Build wrapper applications.


