HOW-TO GUIDELINES
SGHOW-TO_29/07/2004

Implementing a StoneGate VPN-only Setup
Version 3.0


Introduction

This document tells you how to set up StoneGate for use as VPN-only software. It is intended for administrators and other technical personnel who want to use StoneGate as a VPN solution without using its firewall capabilities. Specifically, it describes how a StoneGate VPN-only setup can be used where a branch office does not need firewall capabilities, only a VPN connection to the headquarters network. This document is not a comprehensive VPN tutorial; use it in conjunction with the regular StoneGate documentation.

StoneGate VPN-only: Important Issues

This section describes important things to remember when setting up StoneGate VPN-only, and how a StoneGate VPN-only setup differs from a standard StoneGate setup.

Full IPsec VPN with MultiLink™ Support

StoneGate VPN-only has all of the VPN functionality of standard StoneGate, including clustering and MultiLink VPN. It is the same software, restricted only by the license. One standard LAN-to-LAN IPsec VPN and one Mobile-to-LAN IPsec VPN can be configured. It also benefits from StoneGate's MultiLink VPN technology, which balances VPN traffic across several NetLinks or ISPs.

Authentication Support

StoneGate VPN-only supports all of the same authentication methods as StoneGate for a group of users predefined in the integrated User Manager directory of the Management System.

No firewall feature

A standard StoneGate license includes both Firewall and VPN functionality. As the name suggests, StoneGate VPN-only processes VPN traffic only, with no firewall capabilities. It lets traffic flow between the predefined local and remote protected sites, without any risk of allowing anything other than traffic between these sites. Because StoneGate VPN-only enforces stateless traffic filtering, no traffic is blocked by the stateful TCP handling that may drop packets in some specific situations.

No NAT

StoneGate VPN-only does not perform Network Address Translation (NAT) inside the VPN. It does, of course, work with external NAT devices sitting between StoneGate devices.


Only pre-defined VPN elements (Corporate VPN, Mobile User VPN) allowed

In the standard StoneGate version, administrators can define VPN elements in the VPN Manager. In the StoneGate VPN-only version, two pre-defined VPN elements are provided to handle all the virtual private networking needs at the corporate level. These pre-defined VPN elements cannot be renamed or deleted. At least the Corporate VPN element must be fully configured before the security policy can be installed.

Configuration simplified by definition of Aliases

You must define a few aliases before the Management System can produce a configuration and security policy for a new StoneGate VPN-only. The aliases in Table 1 must be defined when they are not set to an appropriate default value.

TABLE 1 Required Aliases and their Definitions

$ Local Protected Sites
    Defines the networks allowed to send traffic out through, or be reached through, the VPN tunnel, as enforced by the access rule entries in the StoneGate "Security Policy for VPN-only". These can only be networks adjacent to the local security gateway, or such adjacent networks together with the networks behind their routers.

$ Local Protected Sites for Mobile Users
    Defines the networks that mobile users may send traffic out through, or reach through, the VPN tunnel, as enforced by the access rule entry in the StoneGate "Security Policy for VPN-only". These can only be networks adjacent to the local security gateway, or such adjacent networks together with the networks behind their routers. Define this alias as NONE if you do not need VPN client access.

$ Remote Protected Sites
    Defines the networks allowed to send traffic in through, or be reached through, the VPN tunnel, as enforced by the access rule entry in the StoneGate VPN-only security gateway. These networks represent the other end of the VPN.

$ Allowed SSH Local Sources
    Defines the source IP addresses allowed to initiate an SSH connection directly to the local StoneGate VPN-only security gateway; probably part of $ Local Protected Sites.

$ Allowed SSH Remote Sources
    Defines the source IP addresses allowed to initiate an SSH connection to the local StoneGate VPN-only security gateway through the VPN tunnel; probably part of $ Remote Protected Sites.

$ Allowed ICMP Local Sources
    Defines the source IP addresses allowed to ping the local StoneGate VPN-only security gateway; probably part of $ Local Protected Sites.

$ Allowed ICMP Remote Sources
    Defines the source IP addresses allowed to ping the local StoneGate VPN-only security gateway through the VPN tunnel; probably part of $ Remote Protected Sites.

$ Remote Destinations That Local Gateway Must Encrypt
    Defines the destination IP addresses, part of $ Remote Protected Sites, that the StoneGate VPN-only gateway itself must reach through the VPN. See the "Security Policy for VPN only" policy for the traffic that can be matched by this rule.


Note: These pre-defined elements should not be renamed and cannot be deleted.

Note: It is possible to define these aliases as NONE.

Special StoneGate VPN-only "Security Policy for VPN only" security policy

StoneGate VPN-only is activated when you install the compulsory "Security Policy for VPN only" security policy on it. This is not just another firewall security policy, but the mandatory one a StoneGate VPN-only must enforce. It basically tells the StoneGate VPN-only engine how to behave in order to enforce the license restriction (i.e., like a VPN and not a firewall). It cannot be deleted or modified.

Configuration Overview

To get started you need to do the following:

• Install StoneGate
• Perform Initial Configuration
• Configure Routing

For more information about these initial steps, see the Installation Guide and the Administrator's Guide.

Once you have your initially configured StoneGate up and running, complete the following steps to create a StoneGate VPN:

1. (Optional) If you do not need mobile VPN access to the Branch Office network, change the Alias "Local Protected Sites for Mobile Users" to NONE. Typically, a VPN-only license is used only for a GW-to-GW VPN. By setting this alias to NONE you do not need to create a certificate for the VPN-only gateway.
2. Define Security Gateways (SGWs).
3. Associate Sites with SGWs.
4. Associate SGWs with the Corporate VPN and, if needed, also with the Mobile VPN.
5. Define the Encryption Policy.
6. Install the StoneGate VPN-only security policy.

Example Scenario

In this example, we will configure a VPN between a corporate headquarters and a branch office. A diagram of the scenario is shown in Figure 1.


FIGURE 1 Example Scenario

Quick Facts: Example Scenario

• HQ uses two ISPs to connect to the Internet (Multi-link).
• Branch office uses one ISP.
• HQ and the branch office use the same management server (all SGWs are Internal).
• Pre-Shared Key authentication is used.

Configuring a VPN

▼ To define a single firewall element

1. In the Resource Manager, click the Network Elements icon, then right-click Firewalls and select New→Single Firewall.


ILLUSTRATION 1.1 Completed Single Firewall Properties

2. In the Single Firewall Properties dialog box that opens, enter a name for the firewall (e.g., Branch Office Firewall).

3. Select the firewall's Log Server from the list (e.g., HQ Log Server).

4. Continue defining network interfaces as explained in the following section.

Defining Network Interfaces

▼ To define a network interface for a single firewall

1. Define the Branch Office external interface. In the Single Firewall Properties window, select the Firewall Node tab.

2. Click Add Interface.


ILLUSTRATION 1.2 Network Interface Properties

3. In the Interface Mode box, there are two settings:

   3.1 To use the interface's IP address for the Management Server's control connections, select Control IP Address.

      • To define the primary control IP address, select Primary. Only one IP address can be selected as primary for the control connections.
      • To define the IP address used for control connections if the primary address is unavailable, select Backup. Multiple backup control IP addresses can be defined on different interfaces.

4. Select the NIC ID from the drop-down menu (e.g., 1).

5. Enter the unicast IP Address for this interface (e.g., 212.20.2.254).

6. Enter the appropriate Netmask (255.255.255.0).

7. Click OK to apply the changes.

8. Repeat steps 1 through 7 for the Branch Office internal network. Give it an IP address of 172.16.2.1, a NIC ID of 0, and a Netmask of 255.255.255.0.

Defining Aliases

(Optional) If you do not want to create a mobile VPN, set $ Local Protected Sites for Mobile Users to NONE. If you do want to create a mobile VPN, you need to create a certificate request and have it signed. For more information on creating certificate requests, see the Administrator's Guide.

▼ To modify an Alias element

1. In the firewall properties, go to the Aliases tab.


ILLUSTRATION 1.3 Alias Element Properties for the Branch Office

2. In the Aliases field, select the Alias you want to modify (e.g., $ Local Protected Sites).

3. Under the Resources tab below, select the Network Element you wish to include (e.g., network 172.16.2.0/24) and then select Add.

4. Modify the following Aliases accordingly:

• $ Allowed ICMP Local Sources: network 172.16.2.0/24
• $ Allowed ICMP Remote Sources: network 192.168.10.0/24
• $ Allowed SSH Local Sources: NONE
• $ Allowed SSH Remote Sources: NONE
• $ Local Protected Sites for Mobile Users: NONE
• $ Remote Destinations That Local Gateway Must Encrypt: NONE
• $ Remote Protected Sites: network 192.168.10.0/24

5. You now have the basic firewall properties defined. Click OK to close the window.
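The alias values set in step 4, together with the constraints Table 1 places on them (remote destinations the gateway encrypts to are part of the remote protected sites, SSH and ICMP sources are normally inside the corresponding protected sites, NONE is permitted), can be checked before the policy is installed. The following Python script is an added example, not code from this how-to or from Stonesoft: it models each alias as NONE or a list of CIDR networks and reports the inconsistencies a misconfigured alias set would produce. The sample values are the Branch Office ones from step 4; the rule that the two protected-site aliases may not be NONE is this example's own assumption, not a statement of the guide.

```python
import ipaddress
from typing import Dict, List, Union

# An alias value as entered on the Aliases tab: the literal NONE, or one or
# more network elements, written here in CIDR form.
AliasValue = Union[str, List[str]]

# The aliases Table 1 requires for a VPN-only gateway.
REQUIRED_ALIASES = (
    "$ Local Protected Sites",
    "$ Local Protected Sites for Mobile Users",
    "$ Remote Protected Sites",
    "$ Allowed SSH Local Sources",
    "$ Allowed SSH Remote Sources",
    "$ Allowed ICMP Local Sources",
    "$ Allowed ICMP Remote Sources",
    "$ Remote Destinations That Local Gateway Must Encrypt",
)


def _networks(value: AliasValue) -> List[ipaddress.IPv4Network]:
    """Parse an alias value; NONE becomes an empty list."""
    if value == "NONE":
        return []
    return [ipaddress.ip_network(cidr) for cidr in value]


def _covered(subset: List[ipaddress.IPv4Network],
             superset: List[ipaddress.IPv4Network]) -> bool:
    """True if every network in subset lies inside some network in superset."""
    return all(any(s.subnet_of(p) for p in superset) for s in subset)


def validate_aliases(aliases: Dict[str, AliasValue]) -> Dict[str, List[str]]:
    """Return {"errors": [...], "warnings": [...]} for one gateway's alias set."""
    errors: List[str] = []
    warnings: List[str] = []
    missing = [name for name in REQUIRED_ALIASES if name not in aliases]
    if missing:
        return {"errors": [f"alias not defined: {m}" for m in missing], "warnings": []}

    nets = {name: _networks(aliases[name]) for name in REQUIRED_ALIASES}
    local = nets["$ Local Protected Sites"]
    remote = nets["$ Remote Protected Sites"]

    # Assumption of this example: the Corporate VPN needs both ends, so the
    # two protected-site aliases may not be NONE.
    if not local:
        errors.append("$ Local Protected Sites is NONE: nothing to send into the tunnel")
    if not remote:
        errors.append("$ Remote Protected Sites is NONE: nothing to reach through the tunnel")

    # A network cannot sit at both ends of the same tunnel.
    for l_net in local:
        for r_net in remote:
            if l_net.overlaps(r_net):
                errors.append(f"{l_net} appears in both local and remote protected sites")

    # Table 1: the remote destinations the gateway itself encrypts to are part
    # of the remote protected sites.
    if not _covered(nets["$ Remote Destinations That Local Gateway Must Encrypt"], remote):
        errors.append("$ Remote Destinations That Local Gateway Must Encrypt is not "
                      "within $ Remote Protected Sites")

    # Table 1 says the SSH and ICMP sources are "probably part of" the matching
    # protected sites, so a mismatch is a warning rather than an error.
    expected_inside = {
        "$ Allowed SSH Local Sources": ("$ Local Protected Sites", local),
        "$ Allowed ICMP Local Sources": ("$ Local Protected Sites", local),
        "$ Allowed SSH Remote Sources": ("$ Remote Protected Sites", remote),
        "$ Allowed ICMP Remote Sources": ("$ Remote Protected Sites", remote),
    }
    for name, (site_name, site) in expected_inside.items():
        if nets[name] and not _covered(nets[name], site):
            warnings.append(f"{name} is not within {site_name}")

    if not nets["$ Local Protected Sites for Mobile Users"]:
        warnings.append("$ Local Protected Sites for Mobile Users is NONE: "
                        "GW-to-GW VPN only, no gateway certificate is needed")
    return {"errors": errors, "warnings": warnings}


# Constructed sample: the Branch Office alias values from step 4 above.
BRANCH_OFFICE_ALIASES: Dict[str, AliasValue] = {
    "$ Local Protected Sites": ["172.16.2.0/24"],
    "$ Local Protected Sites for Mobile Users": "NONE",
    "$ Remote Protected Sites": ["192.168.10.0/24"],
    "$ Allowed SSH Local Sources": "NONE",
    "$ Allowed SSH Remote Sources": "NONE",
    "$ Allowed ICMP Local Sources": ["172.16.2.0/24"],
    "$ Allowed ICMP Remote Sources": ["192.168.10.0/24"],
    "$ Remote Destinations That Local Gateway Must Encrypt": "NONE",
}

if __name__ == "__main__":
    for level, messages in validate_aliases(BRANCH_OFFICE_ALIASES).items():
        for msg in messages:
            print(f"{level}: {msg}")
```

Run against the Branch Office values the check reports no errors and one warning, the reminder that mobile access is off. Swapping the local and remote sites, or pointing $ Remote Destinations That Local Gateway Must Encrypt at a network outside $ Remote Protected Sites, produces an error before any policy installation is attempted.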

Defining the Contact Address

Because the management system is placed behind a NAT address, you need to tell the Branch Office FW the management system's externally visible address. This has to be done for both the Management Server and the Log Server, because both are behind a NAT address.


ILLUSTRATION 1.4 Contact Address

▼ To define a Contact Address

1. In the Resource Manager, go to the Server properties and open the Local Management Server properties.

2. Under Contact Addresses, select Edit.

3. From the Point Of View drop-down box, select the Branch Office FW and click Add.

4. In the new row that appears below, click the Contact Address cell and add the Management Server's externally visible IP address (e.g., 212.20.1.200).

5. Click OK to close the Contact Addresses window.

6. Repeat steps 1 through 5 for the HQ Log Server (i.e., again Branch Office FW and 212.20.1.200).

Defining a Default Route for Basic Routing

When you use basic routing, you only need to define one default route to the Internet. The Branch Office firewall in our example scenario uses basic routing.

▼ To define a default route for basic routing

1. In the Resource Manager's Routing View, expand the tree displaying the firewall interfaces by clicking the plus signs (+) next to each item until the protected network is displayed below each interface.

2. In the Resource Panel, select the Router that will act as the default gateway to the Internet (e.g., Branch Office Internet Router) then drag and drop it on the correct external network (e.g., 212.20.2.0/24) in the Routing View.

3. Drag and drop the default Any Network element onto the Router element. This concludes configuring the default route (see Illustration 1.5).


ILLUSTRATION 1.5 Routing View

Caution: Placing the Any network element behind two different basic router elements does not create true router redundancy and load balancing. You need to use the NetLink elements to achieve that.

Defining SGWs

Our first task is to define security gateways for the VPN. Because both of the SGWs in our example (HQ, Branch Office) are managed by a single management server located in HQ, they are both internal SGWs. The following procedure shows you how to set up the two internal SGWs in our example scenario.

▼ To define the general properties of the Branch Office gateway

1. Click the VPN Manager icon on the Control Panel. The main screen of the VPN Manager opens.


ILLUSTRATION 1.6 Main Screen of the VPN Manager

2. Go to File→New→Internal Security Gateway to open the Internal Security Gateway Properties dialog box.

ILLUSTRATION 1.7 Internal Security Gateway Properties Dialog Box

3. On the General tab, enter the name of the gateway in the Name field (in this example, Branch Office SGW).

4. Select the appropriate firewall (or firewall cluster) from the Firewall selection box (in this case, your Branch Office firewall node).


▼ To define static end-points of internal gateways

1. Switch to the End-Points tab.

2. Specify an informative name in the End-Point Data Name field, if you like (e.g., Branch Office).

3. Select the IP address for the end-point from the End-Point Data IP Address selection box. The available IP addresses correspond to the external interfaces defined for the associated firewall (in this example, 212.20.2.254).

4. Click the Add button to set the VPN end-point. The name and address appear in the End-Points list.

5. Click OK to validate the local SGW element.

▼ To define a Headquarters SGW

1. Define the Headquarters SGW similarly. In the General tab of the Internal Security Gateway Properties, define a name for it (e.g., Headquarters SGW).

2. Associate the remote SGW with the remote firewall (in this example, the HQ Cluster).

3. In the End-Points tab, add an end-point for this SGW (in this case the ISP A end-point with address 212.20.1.254).

4. Add a second end-point for this SGW (i.e., the ISP B end-point with address 129.40.1.254).


ILLUSTRATION 1.8 End-Points Tab of Internal Gateways

5. Your completed SGW should look like Illustration 1.8. Click OK to validate the remote SGW.

Associating Sites with SGWs

When you set up a new security gateway as described above, a default site is automatically added under the gateway icon in the Security Gateway View. The site is configurable and is named after the gateway. The network elements belonging to that site form the encryption domain protected by the gateway.

▼ To add network elements to the encryption domain

1. Click the Gateways tab of the VPN Manager.

2. Select the Network Elements view on the left panel to display the existing network elements.

3. Select the network element(s) you want to have in the encryption domain protected by your internal SGW. Drag them onto the default site icon under your internal SGW in the Security Gateways panel. You can add as many elements to a site as needed. For this example, we include the Headquarters' internal network (192.168.10.0/24).

4. Add the required network elements to the default site for the remote SGW as well (in this example, the Branch Office's internal network, 172.16.2.0/24). Illustration 1.9 shows the resulting encryption domains.

ILLUSTRATION 1.9 Encryption Domain

Assigning SGWs to a VPN

You can define a VPN only after the security gateways and their connected sites are configured.

Defining the VPN architecture

You must determine which security gateways can communicate through the same VPN. Once a VPN element has been created, you need to specify the sites and gateways associated with the VPN.

Note: With the VPN-Only license your only option is to use the predefined "Corporate VPN".

▼ To define the VPN architecture

1. Click the VPN tab of the VPN Manager.


2. Select your local SGW (e.g., Headquarters SGW) under the Gateways view on the left panel and drag its icon onto the VPN element under the VPN tab (e.g., Corporate VPN).

3. The selected SGW and the site(s) associated with it appear under the VPN icon.

4. Repeat for the remote SGW element (e.g., the Branch Office SGW under the Corporate VPN).

5. Right-click the local SGW (e.g., Headquarters SGW Site) and deselect the Spoke option. Illustration 1.10 shows a completed VPN architecture.

ILLUSTRATION 1.10 VPN Defined

Defining the Encryption Policy

The VPN encryption policy can be configured for all sites connected through the same VPN. You can override the global default encryption policy, if required.

▼ To define the VPN encryption policy

1. In the VPN tab, select your VPN.

2. Right-click and choose Properties. The VPN Properties dialog box appears with the following information:

• The Logical Tunnels panel shows all tunnels automatically generated between each pair of sites.
• The Connections Between Site End-Points panel shows all possible connection paths (i.e., subtunnels) belonging to the selected logical tunnel.


Note: Initially, the subtunnels are shown as Invalid. You need to define a valid IKE proposal first. Follow the instructions below.

ILLUSTRATION 1.11 VPN Properties Window

Note: The Disable NAT with this VPN checkbox is selected by default. Refer to Configuring Mobile User VPNs in the Administrator's Guide for more information.

3. Select a tunnel in the Logical Tunnels panel.


ILLUSTRATION 1.12 IKE Phase 1 Settings

4. Click the IKE Proposal button to open the IKE Phase 1 dialog box. Here you define the parameters affecting the IKE phase 1 negotiation for that tunnel. For this example, we use the following parameters:

• Cipher Algorithm: AES-128
• Message Digest Algorithm: SHA-1
• Authentication Method: Pre-Shared Keys
• Diffie-Hellman Group for IKE: 5
• IKE SA Lifetime: 1440 minutes (default)
• IKE Negotiation Mode: Main

Caution: Diffie-Hellman group 1 may not be secure enough in certain mission-critical implementations. In such a situation, consider using Diffie-Hellman group 2 or 5 instead.

Note: Refer to the Administrator's Reference for more information on the IKE Phase 1, Pre-Shared Key, or any other VPN settings.

5. Go to the Pre-Shared Key tab and type in your previously defined key.


6. Click OK to validate the IKE phase 1 settings for the selected tunnel.

7. In the VPN Properties window, check the Mode of each subtunnel in the Connections Between Site End-Points panel. Place the cursor over the Mode icon to see a text box summarizing the current encryption policy for the subtunnel.

8. Select Normal as the mode for the subtunnels that are to be used for the VPN. The subtunnel state modes are summarized in Table 2.

Note: If the Mode shows as Invalid, place the cursor over the Mode icon to display a text box telling the reason for the problem. Modify the settings accordingly.

9. Click Close.
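The relationship between a logical tunnel, its subtunnels and the states of Table 2 is small enough to model directly. The following Python script is an added example, not code from this how-to or from Stonesoft: it enumerates the subtunnels between the Branch Office end-point and the two HQ end-points of the example scenario (one per pair of end-points, which is what MultiLink gives the HQ side), shows them as Invalid until an IKE phase 1 proposal is defined, and reproduces the Caution about Diffie-Hellman group 1 as a non-blocking warning. What counts as a valid proposal here (every field set, a Diffie-Hellman group among the 1, 2 and 5 the guide names) is this example's assumption; the end-point addresses and IKE parameters are those the how-to uses.

```python
from dataclasses import dataclass, field
from itertools import product
from typing import Dict, List, Optional, Set, Tuple

# A subtunnel is one (local end-point, remote end-point) pair.
Subtunnel = Tuple[str, str]


@dataclass(frozen=True)
class IkePhase1:
    """The IKE phase 1 parameters the dialog in step 4 asks for."""
    cipher: str
    digest: str
    auth: str
    dh_group: int
    lifetime_minutes: int = 1440
    mode: str = "Main"


@dataclass
class Gateway:
    name: str
    end_points: List[str]


@dataclass
class LogicalTunnel:
    local: Gateway
    remote: Gateway
    ike: Optional[IkePhase1] = None                 # None until step 4 is done
    disabled: Set[Subtunnel] = field(default_factory=set)
    standby: Set[Subtunnel] = field(default_factory=set)

    def subtunnels(self) -> List[Subtunnel]:
        """Every connection path between the two sites' end-points."""
        return list(product(self.local.end_points, self.remote.end_points))


def ike_problems(ike: Optional[IkePhase1]) -> List[str]:
    """Reasons a proposal cannot be used; an empty list means valid.
    Validity here is this example's assumption: all fields set and the
    Diffie-Hellman group one of those named in the guide (1, 2 or 5)."""
    if ike is None:
        return ["no IKE proposal defined"]
    problems = [f"{name} not set" for name in ("cipher", "digest", "auth")
                if not getattr(ike, name)]
    if ike.dh_group not in (1, 2, 5):
        problems.append(f"Diffie-Hellman group {ike.dh_group} is not one of 1, 2, 5")
    return problems


def ike_cautions(ike: IkePhase1) -> List[str]:
    """Non-blocking advice, mirroring the guide's Caution on group 1."""
    if ike.dh_group == 1:
        return ["Diffie-Hellman group 1 may not be secure enough; consider group 2 or 5"]
    return []


def subtunnel_modes(tunnel: LogicalTunnel) -> Dict[Subtunnel, str]:
    """Assign each subtunnel one of the Table 2 states."""
    invalid = bool(ike_problems(tunnel.ike))
    modes: Dict[Subtunnel, str] = {}
    for st in tunnel.subtunnels():
        if invalid:
            modes[st] = "Invalid"       # no usable proposal: nothing can be negotiated
        elif st in tunnel.disabled:
            modes[st] = "Disabled"      # switched off manually
        elif st in tunnel.standby:
            modes[st] = "Standby"       # used only if all Normal paths fail
        else:
            modes[st] = "Normal"
    return modes


# Constructed from the example scenario: Branch Office has one ISP, HQ has two.
BRANCH = Gateway("Branch Office SGW", ["212.20.2.254"])
HQ = Gateway("Headquarters SGW", ["212.20.1.254", "129.40.1.254"])
EXAMPLE_IKE = IkePhase1(cipher="AES-128", digest="SHA-1",
                        auth="Pre-Shared Keys", dh_group=5)


def example_tunnel(with_ike: bool = True) -> LogicalTunnel:
    """The Branch Office to HQ logical tunnel, before or after step 4."""
    return LogicalTunnel(BRANCH, HQ, EXAMPLE_IKE if with_ike else None)


if __name__ == "__main__":
    for with_ike in (False, True):
        print(f"IKE proposal defined: {with_ike}")
        for (local_ep, remote_ep), mode in subtunnel_modes(example_tunnel(with_ike)).items():
            print(f"  {local_ep} <-> {remote_ep}: {mode}")
```

Before step 4 both subtunnels report Invalid, exactly as the first Note above describes; once the proposal is in place they become Normal, and marking one of the two HQ paths as standby reproduces the Standby state of Table 2.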

Related Tasks

• For information on troubleshooting VPNs, see the section Troubleshooting VPN Setting in the Administrator's Guide.

Installing the Security Policy

Now that you have defined your VPN settings, you must use the Security Policy Manager to install the Security Policy for VPN only.

Note: Tunnels must be defined for both the Corporate and Mobile VPNs and all required aliases must be defined before you can install this security policy. For more information, see Configuring a VPN, on page 5.

TABLE 2 States of VPN Connections

Normal
    The VPN connection operates normally between the pairs of end-points of each site.

Standby
    The VPN connection between a pair of end-points is on standby and is taken into use only if all functional connections fail.

Invalid
    VPN configuration parameters conflict and the VPN connection cannot be established until the parameters are changed.

Disabled
    The VPN connection between a pair of end-points has been disabled manually.


▼ To install the Branch Office Node Policy

1. Open the Security Policy Manager.

2. Select the "Security Policy for VPN only" rule base, then go to File→Install.

3. Select the firewall you want to install the rule base on (e.g., Branch Office Firewall).

4. Click Close to close the attendant window. Illustration 1.13 shows a successful installation.

ILLUSTRATION 1.13 Successful Installation

Defining the HQ Cluster-VPN Policy

ILLUSTRATION 1.14 HQ Cluster-VPN

▼ To create a Management NAT Host

First we need to define a host element for the externally-visible address of the Management Server. We need this element in the HQ security policy access rules and NAT rules in order to allow management connections from the Management Server to the Branch Office VPN-only gateway. In our example, the Management Server and the Log Server are on the same internal host, so we need only one host object.


1. In the Resource Manager, click the Network Elements icon in the toolbar.

2. Select New Host from the list.

ILLUSTRATION 1.15 Management Host Properties

3. In the properties window that opens, name the new Host element and type in the appropriate IP address (in our example, Management NAT and 212.20.1.200, the "private" IP address we want to conceal with static NAT). See Illustration 1.15.

4. Click OK.

▼ To create a VPN rule

1. Open the Security Policy Manager and go to File→New→Firewall Rulebase. Use the Default template.

2. Name the new firewall rule base (e.g., "HQ Cluster-VPN Policy").

3. Permit connections from the management system to the Branch Office SGW. Configure the first Access Rule as follows:

• Source: Local Management Server
• Destination: Branch Office Firewall
• Service: Echo request; ldaps (ldap protocol over TLS/SSL); SG-init; SG-mgmt; SG-monitor; SG-remote-upgrade
• Action: Allow
• Options: Logging: Stored, Accounted


4. Permit regular VPN traffic from Headquarters to the Branch Office. Configure the second Access Rule as follows:

• Source: 192.168.10.0/24
• Destination: 172.16.2.0/24
• Service: ANY
• Action: Enforce VPN Corporate VPN
• Options: Logging: Stored, Accounted

5. Permit regular VPN traffic from the Branch Office to Headquarters. Configure the third Access Rule as follows:

• Source: 172.16.2.0/24
• Destination: 192.168.10.0/24
• Service: ANY
• Action: Enforce VPN Corporate VPN
• Options: Logging: Stored, Accounted

6. Permit connections from the Branch Office SGW to the externally-visible address of the Management Server. Configure the fourth Access Rule as follows:

• Source: Branch Office Firewall
• Destination: Management NAT
• Service: Ping; ldaps (ldap protocol over TLS/SSL); SG-init; SG-log; SG-mgmt; SG-monitor; SG-remote-upgrade
• Action: Allow
• Options: Logging: Stored, Accounted

7. Continue with NAT rules, as explained below.

▼ To specify NAT rules for the management connections

1. In your rule base, switch to the NAT rules tab.

2. Make the management system appear with its externally-visible address when it contacts the Branch Office FW. Configure the first NAT rule as follows:

• Source: Local Management Server
• Destination: Branch Office Firewall
• Service: ANY
• NAT: Source: Static from Local Management Server to Management NAT
• Used on: ANY

3. Make connections from the Branch Office FW to the management system's externally visible IP address reach the management system's internal address. Configure the second NAT rule as follows:

• Source: Branch Office Firewall
• Destination: Management NAT
• Service: ANY
• NAT: Destination: Static from Management NAT to Local Management Server
• Used on: ANY

ILLUSTRATION 1.16 NAT Settings for HQ Cluster-VPN Only

4. Save the rule base by clicking the Save icon. Your completed rules should look like Illustration 1.14.

5. Select the "HQ Cluster-VPN" rule base, then go to File→Install.

6. Select the firewall you want to install the rule base on (e.g., Headquarters Cluster).

7. Click Close to close the attendant window.

ILLUSTRATION 1.17 VPN Connection

8. To test whether your VPN connection is working ping each end of the VPN tunnel. See Illustration 1.17 for an example of this.
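The four access rules and two NAT rules of the HQ Cluster-VPN policy can be traced against sample connections to confirm they do what the two procedures above intend: management traffic to the Branch Office gateway is allowed and source-translated to Management NAT, the branch gateway's own connections to Management NAT are allowed and destination-translated back to the internal server, site-to-site traffic (including the end-to-end ping of step 8) is sent into the Corporate VPN, and everything else falls through to the Default template's final discard. The following Python script is an added example, not code from this how-to or from Stonesoft. Values taken from the guide are marked in the comments; the Management Server's internal address (192.168.10.10) is a constructed placeholder because the guide never states it, and the SG-* services are kept as names rather than port numbers.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

Net = ipaddress.IPv4Network


def net(cidr: str) -> Net:
    return ipaddress.ip_network(cidr)


# Network elements. "(how-to)" marks values taken from the guide; the
# Management Server's internal address is a constructed placeholder.
LOCAL_MGMT_SERVER = net("192.168.10.10/32")  # constructed placeholder
BRANCH_OFFICE_FW = net("212.20.2.254/32")    # (how-to) Branch Office external interface
MANAGEMENT_NAT = net("212.20.1.200/32")      # (how-to) externally visible management address
HQ_NET = net("192.168.10.0/24")              # (how-to) Headquarters internal network
BRANCH_NET = net("172.16.2.0/24")            # (how-to) Branch Office internal network

# Service names as they appear in the rules; SG-* are StoneGate's own services.
MGMT_TO_BRANCH_SVC = frozenset({"Echo request", "ldaps", "SG-init", "SG-mgmt",
                                "SG-monitor", "SG-remote-upgrade"})
BRANCH_TO_MGMT_SVC = frozenset({"Ping", "ldaps", "SG-init", "SG-log", "SG-mgmt",
                                "SG-monitor", "SG-remote-upgrade"})
ANY = None  # service ANY in an access rule


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: str


@dataclass(frozen=True)
class AccessRule:
    name: str
    src: Net
    dst: Net
    services: Optional[FrozenSet[str]]  # None means ANY
    action: str


@dataclass(frozen=True)
class NatRule:
    src: Net
    dst: Net
    rewrite: str      # "src" for source NAT, "dst" for destination NAT
    translated: Net   # static 1:1 translation target (a host element)


# The four access rules of steps 3 to 6, in order. The Default template ends
# with a discard, modelled here as "no rule matched".
ACCESS_RULES = (
    AccessRule("1 mgmt -> Branch Office SGW", LOCAL_MGMT_SERVER, BRANCH_OFFICE_FW,
               MGMT_TO_BRANCH_SVC, "Allow"),
    AccessRule("2 HQ -> Branch Office", HQ_NET, BRANCH_NET, ANY, "Enforce VPN Corporate VPN"),
    AccessRule("3 Branch Office -> HQ", BRANCH_NET, HQ_NET, ANY, "Enforce VPN Corporate VPN"),
    AccessRule("4 Branch Office SGW -> Management NAT", BRANCH_OFFICE_FW, MANAGEMENT_NAT,
               BRANCH_TO_MGMT_SVC, "Allow"),
)

# The two NAT rules for the management connections.
NAT_RULES = (
    NatRule(LOCAL_MGMT_SERVER, BRANCH_OFFICE_FW, "src", MANAGEMENT_NAT),
    NatRule(BRANCH_OFFICE_FW, MANAGEMENT_NAT, "dst", LOCAL_MGMT_SERVER),
)


def _addresses_match(rule_src: Net, rule_dst: Net, pkt: Packet) -> bool:
    return (ipaddress.ip_address(pkt.src) in rule_src
            and ipaddress.ip_address(pkt.dst) in rule_dst)


def first_match(pkt: Packet) -> Optional[AccessRule]:
    """Top-down, first-match evaluation of the access rules."""
    for rule in ACCESS_RULES:
        if _addresses_match(rule.src, rule.dst, pkt) and (
                rule.services is None or pkt.service in rule.services):
            return rule
    return None


def apply_nat(pkt: Packet) -> Packet:
    """Apply the first matching static NAT rule, if any."""
    for rule in NAT_RULES:
        if _addresses_match(rule.src, rule.dst, pkt):
            new_addr = str(rule.translated.network_address)
            if rule.rewrite == "src":
                return Packet(new_addr, pkt.dst, pkt.service)
            return Packet(pkt.src, new_addr, pkt.service)
    return pkt


def evaluate(pkt: Packet) -> Tuple[str, Packet]:
    """Return (action, packet as it leaves the HQ cluster after NAT)."""
    rule = first_match(pkt)
    if rule is None:
        return ("discard", pkt)
    return (rule.action, apply_nat(pkt))


if __name__ == "__main__":
    # Constructed sample connections, including the end-to-end ping of step 8.
    for pkt in (Packet("192.168.10.10", "212.20.2.254", "SG-mgmt"),
                Packet("212.20.2.254", "212.20.1.200", "SG-log"),
                Packet("172.16.2.5", "192.168.10.20", "Echo request"),
                Packet("192.168.10.10", "212.20.2.254", "HTTP")):
        action, out = evaluate(pkt)
        print(f"{pkt.src} -> {pkt.dst} {pkt.service}: {action}; "
              f"on the wire {out.src} -> {out.dst}")
```

Note that the HTTP connection from the Management Server to the branch gateway's external address is discarded even though the server sits inside 192.168.10.0/24: rule 2 only covers destinations in 172.16.2.0/24, so nothing but the listed management services reaches the gateway itself. That is the behaviour the rule order is meant to produce, and tracing it this way is a quick check before installing the policy on the cluster.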


www.stonesoft.com

Trademarks/Patents

Stonesoft, the Stonesoft logo, StoneBeat, FullCluster, ServerCluster, StoneGate®, and WebCluster are trademarks or registered trademarks of Stonesoft Corporation in the United States and/or other countries. Multi-link technology, multi-link VPN, and the StoneGate clustering technology, as well as other technologies included in StoneGate, are protected by patents or pending patent applications in the U.S. and other countries.

Sun®, Sun Microsystems, the Sun Logo, Solaris®, and Java® are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the United States and other countries. Products bearing SPARC trademarks are based upon an architecture developed by Sun Microsystems, Inc. Windows®, Windows NT®, and Microsoft® are trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries. Linux® is a registered trademark of Linus Torvalds. IBM®, Redbooks, zSeries® and z/VM® are trademarks or registered trademarks of the International Business Machines Corporation in the United States and/or other countries. Syntax is a registered trademark of Linotype-Hell AG and/or its subsidiaries.

All other trademarks or registered trademarks are property of their respective owners.

The products described in this documentation are also protected by one or more of U.S. Patents and European Patents: U.S. Patent No. 6,650,621, European Patents No. 1065844, 1289202, and may be protected by other U.S. Patents, foreign patents, or pending applications.

Disclaimer

Although every precaution has been taken to prepare these materials, Stonesoft assumes no responsibility for errors, omissions, or resulting damages from the use of the information contained herein. All IP addresses in these materials were chosen at random and are used for illustrative purposes only. They are not intended to represent the IP addresses of any specific individual or organization. THESE MATERIALS ARE PROVIDED "AS-IS." STONESOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION CONTAINED HEREIN. IN ADDITION, STONESOFT MAKES NO EXPRESS OR IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE WITH RESPECT TO THE INFORMATION OR TECHNIQUES CONTAINED IN THESE MATERIALS. IN NO EVENT SHALL STONESOFT BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL OR INCIDENTAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING FROM THE USE OF THESE MATERIALS, EVEN IF ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH DAMAGES.

International Headquarters
Stonesoft Corp.
Itälahdenkatu 22a
FIN-00210 Helsinki, Finland
+358-9-4767 11 tel.
+358-9-4767 1234 [email protected]

Business ID: 0837548-0
VAT number: FI08375480

Americas Headquarters
Stonesoft Inc.
115 Perimeter Center Place
South Terraces, Suite 1000
Atlanta, GA 30346
770 668-1125 tel.
770 668-1131 [email protected]

Asia Pacific Headquarters
Stonesoft Corp.
90 Cecil Street #13-01
069531 Singapore
+65 63251390 tel.
+65 63251399 [email protected]