   .
   .
   .                                                           GATEWAY.TXT
   .                                                     InJoy Gateway 1.2
   .                                                        August 1, 1999
   .                          
   .
   .
   .
   .
   .  ___           _
   . |_ _|_ __     | | ___  _   _
   .  | || '_ \ _  | |/ _ \| | | |
   .  | || | | | |_| | (_) | |_| |
   . |___|_| |_|\___/ \___/ \__, |
   .                        |___/
   .
   .   ____       _
   .  / ___| __ _| |_ _____      ____ _ _   _
   . | |  _ / _` | __/ _ \ \ /\ / / _` | | | |
   . | |_| | (_| | ||  __/\ V  V / (_| | |_| |
   .  \____|\__,_|\__\___| \_/\_/ \__,_|\__, |
   .                                    |___/
   .
   .
   .
   .
   .                                                    F/X Communications
   .                                                       DK-4300 Holbaek
   .                                                               Denmark
   .                                                 E-mail: support@fx.dk
   .                                                      http://www.fx.dk
   .
   .
   .
   .
   .
   .
   .
   .
   .
   .
   .
   .     Copyright (c) 1999-2000, F/X Communications, All Rights Reserved.
   .     Your usage of this product and its documentation are subject to
   .     your acceptance of the license agreement included with this product.
   .
   .     IBM and OS/2 are registered trademarks of International
   .     Business Machines, Inc. All other trademarks, registered trade
   .     marks, service marks and other registered marks are the property
   .     of their respective owners.




==========================================================================
 	C O N T E N T S
==========================================================================



   1.  Introduction
   2.  System Requirements
   3.  Before Installation
   4.  Installing the InJoy Gateway
   5.  Installing the Device Driver
   6.  Running the InJoy Gateway
   7.  Configuring LAN clients
   8.  Network Interface Configuration
   9.  Gateway Configuration File
   10. Command Line Parameters
   11. Uninstalling
   12. Registration
   13. Troubleshooting
   14. Acknowledgments
   15. Contacts



==========================================================================
 1. 	I N T R O D U C T I O N
==========================================================================



   The InJoy Gateway is the base module of the InJoy Firewall product.
   It allows corporations using the IBM OS/2 operating system to 
   securely connect the computers of a private LAN to the Internet.

   The InJoy Gateway was designed with Cable Modems in mind and with
   minimal effort, you can share the Cable connection among multiple
   work stations. You can run most standard networking applications 
   on the LAN clients, without any reconfiguration of those applications.

   Implemented as a native, low-level Internet gateway solution, the
   InJoy Gateway makes full use of the OS/2 system capabilities such as: 
   32-bit code, the layered NDIS communications model, OS/2 multi-
   threading and the robust OS/2 TCP/IP Stack (incl. DHCP).
   
   Operating beneath the routing layer, on raw packets, the InJoy Gateway
   offers a powerful platform for providing industry leading security and
   the best possible performance.

   Used in combination with the InJoy Firewall Plugin and sound security 
   policies, the InJoy Gateway turns into a powerful firewall providing
   a secure technology to regulate both in-bound and out-bound 
   communications. Add on the IPSec Plugin, and you have a unique OS/2
   product, supporting today's predominant VPN standard for interconnecting
   private networks over the Internet.

   This manual describes how to install, configure and operate the
   InJoy Gateway. For more information about installation and configuration
   of the Filter and Firewall plugins, please refer to the FILTER.TXT and
   FIREWALL.TXT respectively. For more information about the IPSec Plugin,
   please click the appropriate icon in the documentation folder.



==========================================================================
 2. 	S Y S T E M   R E Q U I R E M E N T S
==========================================================================



   o IBM OS/2 3.0
   o 386SX
   o 8 MB total memory
   o 20 MB free disk space
   o TCP/IP for OS/2 3.0 or newer
   o LAN-to-LAN connection to the Internet
   o At least one 10/100 Mb Network Interface Card



==========================================================================
 3. 	B E F O R E   I N S T A L L A T I O N
==========================================================================


   o Caution:

   You are about to install a product that adds a new device driver to
   your OS/2 system. The device driver layers with existing device drivers
   shipped with your LAN adapter(s) and incompatibility or bugs in these 
   drivers CAN (potentially) cause hazard to your OS/2 system. 

   If you are NOT experienced in the following areas:

        * TCP/IP networking and routing
        * OS/2 recovery options (i.e. the Maintenance Desktop)

   THEN please backup critical data before installing this software
   and/or consult a local expert or seek help on the Internet. F/X 
   Communications will in no way be held responsible for malfunctions or 
   data loss inflected by our software.


   o MPTS

   Installation of FXWRAP.SYS makes it impossible for MPTS.EXE to
   correctly process PROTOCOL.INI. If you need to use MPTS to change
   your network and protocol configuration, then uninstall FXWRAP,
   make MPTS changes, and then reinstall FXWRAP. Simply use INSTALL.CMD 
   to install and uninstall FXWRAP. Takes only a few seconds.


   o The Private LAN

   The InJoy Gateway REQUIRES a properly configured private LAN. 
   The computer running the InJoy Gateway MUST have two network interfaces
   defined (NOT neccessarily 2 LAN adapters). One network interface reflects
   the internal network and the other interface reflects the connection to
   the external network (Internet/ISP).

   If you wonder how such a LAN is configured or whether your existing
   configuration is supported, then jump to the "Network Interface 
   Configuration" section.


   o Using proper IP addresses

   Make sure your internal LAN is properly configured to use Private
   IP addresses as specified in RFC1918.

   Private IP address space include these 3 segments:

	10.x.x.x
	172.16.x.x
	192.168.x.x:


   o Testing your LAN

   In an OS/2 window, run the ping command and ping the machines connected
   to your OS/2 gateway PC. The machines you wish to get on the Internet
   must be pingable.


   o Testing your ISP connection

   Try to ping any desired host on the Internet, e.g:

	www.ibm.com
        www.netscape.com
	www.fx.dk

   If you get no response, then try a few more more known hosts and if
   you still get no response, then your networking configuration is 
   incorrect and you should fix it before continuing.



==========================================================================
 4. 	I N S T A L L I N G   T H E   I N J O Y   G A T E W A Y
==========================================================================



   This InJoy Gateway evaluation software distributes as a zipped archive. 
   To install, copy the archive into a directory of your choice and extract
   the files using Info-Zip's UNZIP.EXE.

   If the archive unzips without errors, you can be sure the downloaded 
   archive is intact. 

   With the files in place, run FOLDER.CMD to have a desktop folder created.

   Finally, you are ready to install the device driver. See next section.



==========================================================================
 5. 	I N S T A L L I N G   T H E   D E V I C E   D R I V E R 
==========================================================================



   Run INSTALL.CMD from the product directory. 

   INSTALL.CMD will show a list of installed LAN adapters and you
   should choose the LAN adapter that is connected to the external
   network (i.e. Internet Link / ISP).

   INSTALL.CMD backs up CONFIG.SYS and PROTOCOL.INI before updating
   the files with the required changes. 

   The FXWRAP.SYS file will be automatically copied from the product 
   directory to x:\IBMCOM\MACS, where x: is the drive where MPTN is installed.

   o Reboot System.

   To load the newly installed device driver, please reboot your system.

   IMPORTANT: A new device driver can potentially cause malfunction and
   failure to boot. This can be caused by conflict with hardware or other 
   device drivers and although unlikely, this may happen to you.
   If you experience such troubles, you need to use OS/2 Warp's Maintenance 
   Desktop to recover your system. When you boot OS/2, you will see a white 
   box in the upper left hand corner followed by "OS/2." Hit ALT-F1, and a 
   menu pops up with several options such as immediately dropping to a 
   command line. Dropping to a command line allows you to manually uninstall
   (see troubleshooting section). Having done that you be able to reboot 
   normally and contact F/X Communications for further help.



==========================================================================
 6. 	R U N N I N G   T H E   I N J O Y   G A T E W A Y
==========================================================================



   After installing the device driver and rebooting, simply execute 
   GATEWAY.EXE directly from the product directory. If you prefer to run 
   the software via a desktop icon, then run FOLDER.CMD from the product 
   directory to have icons created.

   o Testing the Gateway

   First step in testing the (running) gateway is to ping a desired host
   on the Internet. Pinging should work, just like it did before you
   installed the InJoy Gateway.

   Once able to access Internet servers, you can proceed to set up the
   LAN clients.



==========================================================================
 7. 	C O N F I G U R I N G   L A N   C L I E N T S
==========================================================================



   There is no master check list as your current configuration 
   affects what steps you have to take (like, do you already have
   TCP/IP configured?).

   How to configure the many TCP/IP stacks available for the various
   Operating Systems is outside the scope of this document, but in
   general all you need to configure on the LAN clients is:

   1) Clients MUST reference an external name server (as it will now have 
      Internet access).

   2) Clients must have the InJoy Gateway PC configured as the default 
      route (a.k.a. default gateway).

   Unlike proxy based solutions, you do not need to reconfigure
   the various TCP/IP applications running on the LAN clients.

   With this configuration in place, you should now be able to use
   the Internet through your copy of the InJoy Gateway. If you can't
   then please study the "Network Interface Configuration" and the
   troubleshooting section. As always, the F/X support crew is only
   an e-mail away (support@fx.dk).



==========================================================================
 8. 	N E T W O R K   I N T E R F A C E   C O N F I G U R A T I O N
==========================================================================



   There are two possible LAN configurations in which this product
   will work:

	1) Using one (1) LAN adapter in the Gateway PC and using a hub for 
           the external connection to the Internet.

	2) Using two (2 - or more) LAN adapters in the Gateway PC, with
           one LAN adapter connected directly to the external interface
           and the other connected to your internal interface.

   Using 2 LAN adapters is the more secure option as it physically separates
   the Internet & your intranet into 2 collision domains.
   This product handles both of the above setups identically, but the
   TCP/IP stack must be configured with respect to your setup.

   If in doubt about the network configuration to choose, concider
   the following 2 scenarios:

	* It is a typical 2-NIC installation if there are real-world
          IP addresses present inside the internal network.
          
          The reason:
          If a router is connected to the same network-hub as your
          internal network, then the router can bypass the Firewall
          and instead send packets directly to the internal clients.
          In this case, hackers on the Internet will have transparent 
          access to the internal PC.

          Internal computers using internal IP addresses are generally
          not at risk, as they are not directly addressable from the 
          Internet (unless the ISP cannot be trusted - see next scenario).

          Using two NICs, all packets must pass through the Firewall and
          access attempts for the internal real-world IP addresses will be
          denied - unless specifically allowed by rule.

	* It is a typical 2-NIC installation if there are no real-world 
          IP addresses on the internal network, but the ISP is concidered
          an untrusted interface.

          The reason:
          Many of the the Cable Internet Providers have thousands of
          customers connected into one big common network. On this
          network, internal IP addresses are likely to be somewhat valid
          and on account of faulty routing and lack of filtering, a route
          to your network could potentially be left open.

          Packets with internal IP addresses (e.g. 192.168.x.x) are not
          valid, nor routed over the public Internet, but within an ISP
          they could be broadcasted around or routed directly. Using the
          appropriate tools, a hacker can easily scan for openings
          and follow up with an attack using only internal IP addresses.

          If packets with internal IP addresses hit your network-hub, 
          then they can be routed further to your internal LAN clients,
          bypassing the firewall.

          Such attacks are very dangerous and also very hard to track
          down, but in a 2-NIC installation they are are rendered
          completely harmless.

   In your network scenario does does not match the above, then a 
   1-LAN setup is probably acceptable, but if in doubt, go for the
   dual NIC setup.


   1) Using 1 LAN adapter
                                                 ___
                                                |___|  PC with
                    HUB/Switch                  |___|  InJoy Firewall
        Uplink     __________                   | _ |
        ______    |+_+_+_+_+_|                  | _ |
              \____| | | | |____________________| _ |
                     |   |                    __|___|__
                     |...|________
                     |             To other PCs
                     |____________

   The gateway PC should be configured with two TCP/IP network interfaces. 
   First network interface is for the uplink connection to the ISP. This 
   net is typically configured via DHCP.

   Second network interface is the internal net using IP addresses from 
   the private internet address space (e.g. 192.168.x.x).

   Example (based on the following values):

         uplink IP address is 123.45.67.2      (IP address ISP)
         uplink netmask is 255.255.255.252
         our IP address is 123.45.67.1         (ISP assigned)
         our interface name is lan0
         internal net is 192.168.1.0
         internal IP address is 192.168.1.254  (RFC1918-style IP address)
         internal netmask is 255.255.255.0

   Step by step configuration:

   NOTE: In case of DHCP you can skip first two steps.

       	 Configure interface:

          ifconfig lan0 123.45.67.1 netmask 255.255.255.252

       	 Set default route to uplink:

          route add default 123.45.67.2 1

       	 Configure alias interface for internal net:

          ifconfig lan0 192.168.1.254 netmask 255.255.255.0 alias

          'alias' parameter at the end of command allows two different 
          nets within one real LAN adapter.

	 Enable forwarding:

          ipgate on

   You can use the OS/2 TCP/IP GUI to update your configuration, but many 
   find it easier to update SETUP.CMD located in \MPTN\BIN). SETUP.CMD
   should include these lines after configuration:

	ifconfig lan0 123.45.67.1 netmask 255.255.255.252
	route add default 123.45.67.2 1
	ifconfig lan0 192.168.1.254 netmask 255.255.255.0 alias
	ipgate on


   2) Using 2 (or more) LAN adapters:

                  ___  PC with InJoy Firewall
                 |___|
                 | _ |       HUB/Switch
        Uplink   | _ |      __________
        ______   | _ |     |+_+_+_+_+_|
              \__| _ |______| | | | |______
               __|___|__      |   |
                              |...|________
                              |             To other PCs
                              |____________


   For this configuration it is required for the Gateway PC to have 
   two (or more) LAN adapters installed.

   Example (based on following values):

         uplink IP address is 123.45.67.2      (IP address ISP)
         uplink netmask is 255.255.255.252
         our IP address is 123.45.67.1         (ISP assigned)
         our interface name is lan0
         internal net is 192.168.1.0
         internal IP address is 192.168.1.254  (RFC1918-style IP address)
         internal netmask is 255.255.255.0
         name of internal net is lan1

   Step by step configuration:

   NOTE: In case of DHCP you can skip first two steps.

         Configure interface:

          ifconfig lan0 123.45.67.1 netmask 255.255.255.252

         Set default route to uplink:

          route add default 123.45.67.2 1

         Configure alias interface for internal net:

          ifconfig lan1 192.168.1.254 netmask 255.255.255.0

         Enable forwarding:

          ipgate on

   You can use the OS/2 TCP/IP GUI to update your configuration, but many 
   find it easier to update SETUP.CMD located in \MPTN\BIN). SETUP.CMD
   should include these lines after configuration:

	ifconfig lan0 123.45.67.1 netmask 255.255.255.252
	route add default 123.45.67.2 1
        ifconfig lan1 192.168.1.254 netmask 255.255.255.0
	ipgate on



===========================================================================
 9. 	G A T E W A Y   C O N F I G U R A T I O N   F I L E
===========================================================================



   The InJoy Gateway is a daemon process, receiving its configuration
   parameters from a configuration file:

   The distribution archive contains the file "GATEWAY.CF_", which can 
   optionally be put into effect by removing the trailing underscore from 
   the file name (i.e. "copy gateway.cf_ gateway.cf").

   The GATEWAY.CF_ includes several optional configuration sections:

   [net]

      This section contains two parameters:

	 internal_net
         netmask

      These parameters are used to limit the set of IP addresses that are
      considered "internal" by the InJoy Gateway. In other words, only packets 
      with a source IP address matching the net defined by the two variables
      are masqueraded (by the NAT).

      If one or both of the above parameters are omitted, then all packets 
      going to the external network will be masqueraded - which should work
      well too. The drawback of the latter solution is that IP packets that
      are incorrectly routed to your system will also take up slots in your
      NAT table and maybe even prevent your own internal PC's from using the
      gateway.

   [license]

      This section is used to specify license name and licensee code.

         name
         code
         filter
         firewall
       
      Gateway itself and each plugin have separate registration codes.
      Please, refer to REGISTER.TXT for more information.

      Notice, the registration information is sent in a form which allows
      you to simply copy it directly from the source into the GATEWAY.CF file.

   [GUI]

      The [GUI] section includes variables telling the gateway whether to
      accept connections from the (yet unreleased) Java GUI.

         allow_remote
         port
         userid
         password

      The "allow_remote" variable specifies whether only local Java GUI's
      can connect to the gateway or also GUI's running on remote systems.
      Per default, there is no access to your system from remote computers.

      The "port" variable specifies which tcp port to utilize for
      incoming TCP/IP connections from the Java GUI.

      Setting this variable to 0 will completely disable Java GUI access, 
      even from the PC where the gateway is running.

      The "userid" and "password" set the authentication parameters. A
      Java GUI operator must know this information to gain GUI access to
      your system.

   [identd]

      Identd is an authentication server (protocol) used to authenticate IRC 
      clients. Standard NAT does NOT provide for incoming identd requests to
      pass through the gateway, so to allow authentication of internal IRC 
      clients an ident daemon must be started (on the Gateway PC). The InJoy 
      Gateway includes such an identd, capable of acting as a proxy for 
      the other PCs on your private LAN.

      The [identd] section contains these variables:

	 Enable
         UserID

      Set "Enable = Yes" to have the built-in identd automatically started.
      With the identd daemon running, incoming identd requests are first
      received by the built-in daemon and then forwarded to the appropriate
      LAN client. Notice, a possible identd (built into most IRC clients) 
      running on your LAN client STILL gets to do the real authentication.

      There can be only one identd daemon running on a single PC, so if you 
      use our built-in identd, then you can't run another identd on the
      gateway PC. This means that our identd daemon must be fully capable
      of authenticating IRC clients running on the gateway PC and to provide
      this feature, you have the possibility to specify the 'UserID' to be
      used in this case (see the sample configuration file).

   [hardware]

      The [hardware] section contains this variable:

	 SMC_fix

      SMC 8417T (10base-T, SMC8000 driver) NIC can give TRAP-E's under
      heavy load.  Enable the work-around if you use this card.

      NOTE for InJoy Gateway version 1.0 users, variables: 

	 delay
	 dest_hw_address

      Are obsoleted and no longer supported. Remove (or comment out) from
      your gateway.cf file.


   [filter]

      This section contains the following variable:

         filter_rules

      This variable instructs the filter plugin where to find the 
      filtering rules.

   [firewall]

      This section contains the following variable:

         firewall_config

      This variable instructs the firewall plugin where to find
      its configuration files.

  [ipsec]

      This section contains the following variable:

         enable

      Set "Enable = Yes" to have the IPSec Plugin automatically loaded.

      Refer to the IPSec documentation for more information.


   NOTE: Editing the GATEWAY.CF file should be done in a text editor 
         that preserves the ASCII format of file. For example you can 
         use OS/2 System Editor for this purpose (E.EXE).



===========================================================================
10. 	C O M M A N D   L I N E   P A R A M E T E R S
===========================================================================



   This product is intended to be run WITHOUT command line parameters,
   but the following parameters are available.

   o Command Line Parameters

	-?  or -h   Show help message                     (text version only)
	-t          Enable packet tracing                 (text version only)
        -p<xx>      Priority from 1 to 100 (100 is max)   (text version only)
        -f<file>    Override default configuration file   (text version only)
	-l[<file>]  Log messages into file                (PM version only)
        -d          Extra debug info to output screen     (both versions)

    Option -t (trace)

     Enables packet tracing and should be used for diagnostic purposes
     only. Enabling this option in a production environment will 
     significantly reduce product performance.

    Option -p (priority)

     The priority parameter specifies the priority that OS/2 will assign 
     to the InJoy Firewall. 

       -- Any value larger than 75 percent, will register the gateway as 
          a time critical process. Being time critical is a logic choice
          for a program handling the CPU demanding COM port.

       -- However, raising the value much above 75 percent may cause
          system hangs as the OS/2 scheduler will not allow other 
          processes to "wake up" when they are really needed.

    Option -f (set config file)

      Gives possibility to override default configuration file (gateway.cf).


===========================================================================
11. 	U N I N S T A L L I N G
===========================================================================



   Uninstalling is done in three simple steps:

	1) Uninstall Device Driver
        2) Uninstall Gateway software
        3) Reboot


   o Uninstall FXWRAP.SYS

   Uninstalling FXWRAP.SYS is done using the UNINSTAL.CMD and when running
   it, you will be prompted for an action:

          <I> to install FXWRAP
          <U> to uninstall previously installed FXWRAP

   Press 'U' followed by <Enter> to start uninstalling the device
   driver. The files CONFIG.SYS and PROTOCOL.INI will be updated.


   o Uninstall Gateway

   In order to uninstall the InJoy Gateway, simply delete files from 
   from the product directory.


   o Reboot System



===========================================================================
12. 	R E G I S T R A T I O N
===========================================================================



   After successful evaluation of this product, you can register
   it by obtaining a registration key from one of the resellers.
   Reseller information can be found in:

	1) REGISTER.TXT from the distribution archive

   Most current pricing information and online registration services are
   available at the following address:

        2) http://www.fx.dk/firewall/register.htm

   Once registered, you need to fill your registration code into the
   gateway.cf file - for example:

	[license]
	name=Joe Pepper
	code=1cdf3ade75679893
        filter=1cdf3ade75679894
        firewall=1cdf3ade734329894
   
   NOTICE: Above name and codes are presented as an example. These are NOT
           numbers, so don't try ...

   For more information contact sales@fx.dk



===========================================================================
 13.	T R O U B L E S H O O T I N G
===========================================================================


>  Everything installed successfully! Had Internet access before installing,
>  but now gateway PC and client systems cannot access the Internet.

   Q:  I have installed everything successfully, but the gateway PC
       and the clients CANNOT access the Internet.
   A:  Check if it helps to stop the GATEWAY.EXE daemon.

   Q:  Stopping GATEWAY.EXE does not help.
   A:  Seems FXWRAP.SYS or PROTOCOL.INI changes are harming your system. 
       Uninstall and contact support@fx.dk

   Q:  Stopping GATEWAY.EXE does help.
   A:  Check if the auto detected information in the output of GATEWAY.EXE
       looks correct. If it doesn't, contact support@fx.dk

   Q:  Auto detected information looks good and GATEWAY.EXE reports no errors.
   A:  Did you specify an 'internal_net' and 'netmask' in the .cf file?
       If you did, try to comment out those variables.

   Q:  I even removed my GATEWAY.CF file, but still NO Internet access.
   A:  Did you install FXWRAP for the proper LAN adapter? The LAN adapter
       which is connected to the external interface!

   Q:  I did install to the right LAN adapter, I'm sure.
   A:  Uninstall and contact support@fx.dk


>  Everything installed successfully and the gateway PC has Internet access,
>  but client systems CANNOT access the Internet.

   Q:  I have installed everything successfully, but clients are unable
       to ping an outside server.
   A:  Check if the gateway itself can access servers on the Internet
       (with the GATEWAY.EXE daemon running).

   Q:  Gateway PC is definitely okay, only clients won't work!
   A:  Did you remember to enable IP forwarding ("ipgate on" in SETUP.CMD).

   Q:  The client PC just stalls when it tries to access a host name on
       the Internet. I can ping IP numbers on the Internet.
   A:  Your name server on the client PC is not specified correctly. You
       need to specify a real name server that is able to resolve names on
       the Internet. Use the same one as your gateway computer.

   Q:  Everything looks okay, but still clients cannot get out.
   A:  You must specify the Gateway PC as being the default route (a.k.a
       default gateway) for your client system.

   Q:  Everything looks okay, but still clients cannot get out.
   A:  If you have only one LAN adapter in the gateway PC, then you must
       define your internal ip address using the 'alias' parameter.

       E.g: "ifconfig lan0 192.168.1.1 alias"

       Check /mptn/bin/setup.cmd

   Q:  My routing really seems okay, but still no clients can get out.
   A:  Contact support@fx.dk


>  I want to UNinstall the FXWRAP.SYS device driver, but INSTALL.CMD
>  doesn't seem to do the job right.

   Q:  Uninstalling fails for some reason, but I did make backup copies 
       of CONFIG.SYS and PROTOCOL.INI before installing.
   A:  Good, restore the system so it uses your old backup copies and
       reboot.

   Q:  Uninstalling fails for some reason, but I did NOT make any backup
       copies of CONFIG.SYS and PROTOCOL.INI before installing.
   A:  INSTALL.CMD backs up these files. Locate the files and restore
       your system. Then reboot.

   Q:  I wish to uninstall the changes manually.
   A:  Caution: Your networking won't work if you uninstall the wrong way, 
       but step by step instructions follow (use at your own risk):

       1) Locate PROTOCOL.INI (usually located at in \IBMCOM directory).
       2) Open PROTOCOL.INI in OS/2 System editor.
       3) Locate FXWRAP section - should look like this:

               [FXWRAP_nif]
               Drivername = FXWRAP1$
               Bindings   = DC21X4

          Note Bindings parameter 
          (DC21X4 is the network card used in our example).

          Walk through PROTOCOL.INI, in order to locate the Bindings 
          parameter in each section. If a Binding parameter exists and
          it points to FXWRAP, then replace each occurrence of FXWRAP_nif 
          with DC21X4.

          Now, remove the FXWRAP_nif section and save PROTOCOL.INI.

       4) Open CONFIG.SYS in OS/2 System editor.
       5) Locate line where FXWRAP.SYS is installed and remove this line.
       6) Save CONFIG.SYS and close editor.
       7) Reboot your computer to deactivate FXWRAP.SYS

       If you see error messages during boot-up or your network does not 
       work properly, then you should reboot into the Maintenance Desktop
       and start a command line window. Using the command line window you
       should check your uninstallation.


>After some time of operation, the gateway produces the message:
>"Error: NAT table full - no more clients accepted!"
>but my number of clients doesn't exceed the number of clients licensed.

   Q:  How to avoid this error?
   A:  Uncomment and set the variables 'internal_net' and 'netmask' 
       in the [net] section of gateway.cf.



>I have ADSM processing backup of my PC and experienced trap 0D (or trap 0E)
>when backup process is started and gateway is running.

   Q:  Is this trap produced by bug in gateway?
   A:  No. This is a bug in TCP/IP stack 4.1.
       But FXWRAP.SYS can make this bug appear more often because
       of more intensive use of TCP/IP stack.

   Q:  How do I avoid the trap?
   A:  Install most recent update of TCP/IP 4.1.
       Available at:
       http://service.software.ibm.com/pbin-usa-ps/
              getobj.pl?/pdocs-usa/latest41.html



==========================================================================
14.	A C K N O W L E D G M E N T S
==========================================================================



   F/X would like to thank all the people who helped during the development
   phase and the testing phase.

   Daryl Pilkington "The PC Therapist" darylp@senet.com.au



==========================================================================
 15.	C O N T A C T S
==========================================================================



   The below resources are pointers to where you might find more help in
   using InJoy products.

   Support:       Our FREE mail list has more than 400 people connected
                  and they will gladly take a stab at almost any problem. 
                  See below for help on subscribing to the list.

   Mailing lists: Subscribe at http://www.fx.dk/contadd.html

   Support:       support@fx.dk

   Web:           http://www.fx.dk/firewall

                  The most recent news about this product is posted at 
                  the F/X Communications site.





        Copyright (c) 1999 F/X Communications.  All rights reserved.




