F5 FirePass Administrator'S Manual Download Page 77 | Manualshive

Page: 77 / 182

F5 FirePass Administrator'S Manual Download Page 77

Setting Up FirePass Server Security

FirePass

™

Server Administrator Guide

3 - 31

11. Unzip the zip file and send the certificate request file (called

newcert.csr) to a known Certificate Authority to be signed. When
asked by the Certificate authority, specify the type of the certificate
as mod_ssl.

Installing or renewing a server certificate

When you receive a new signed certificate from the Certificate Authority,
you must install the certificate and, if you requested one, the new private
key.

To install or renew a server certificate

1. Under the Server tab on the left side of the Administrative Console,

click the Maintenance link.

2. Navigate to Network Configuration/Web Services.

Click the Configure SSL Certificates link.

3. Select the certificate you want to renew and click the Edit link, or

click the Add New Certificate button.

4. Copy the new signed certificate to the clipboard and then paste into

the upper text box.

5. If you generated a new key, paste it into the middle text box, and

then enter the encryption password you specified when you
generated the certificate request.

6. If your certificate comes from a chained Certificate Authority, paste

the intermediate certificate chain in the lower text box.

7. Click the Go button.

Using client certificates to authenticate a user’s computer

The server certificate verifies the server’s identity to a user’s computer. You
also can require client certificates verifying the identity of a user’s computer
to the server, or limiting access to particular FirePass Webifyers. Client
certificates can be used as part of a two-factor authentication system, where
users must have a valid client certificate installed on their computer in
addition to knowing their user name and password. Alternatively, valid
client certificates can be used to restrict access to particular Webifyers. For
example, access to the FirePass server SSL VPN service can be limited to a
laptop computer equipped with a valid client certificate. The user then
would have access to the SSL VPN service from the laptop, but would not
have access from other locations such as public access kiosks.

To use client certificates, you must have a server configured as a Certificate
Authority (CA) that can generate a client root certificate and the client
certificates based on the client root certificate. Or, you can purchase the
client root certificate and client certificates from an external CA.

«
...
75
76
77
78
79
...
»

Summary of Contents for FirePass

Page 1: ...FirePassTM Server Administrator Guide version 4 0 MAN 0081 00 ...

Page 2: ......

Page 3: ...roduct or service except as permitted in writing by F5 Export Regulation Notice This product may include cryptographic software Under the Export Administration Act the United States government may consider it a criminal offense to export this product from the United States Export Warning This is a Class A product In a domestic environment this product may cause radio interference in which case the...

Page 4: ...ii ...

Page 5: ...Table of Contents ...

Page 6: ......

Page 7: ...ing the FirePass server 2 12 Installing the FirePass server in an equipment rack 2 12 Connecting the FirePass server to a network and powering up 2 12 Performing the initial FirePass IP configuration 2 14 Testing network connectivity 2 16 Using the Administrative Console to configure the FirePass server 2 17 Logging Into the Administrative Console 2 17 Changing the superuser password 2 18 Installi...

Page 8: ...s to the Network Folder Favorites 4 3 Enabling virus scanning and file uploading for the My Files Webifyer 4 4 Configuring advanced settings for the My Files Webifyer 4 4 Using client certification validation for the My Files Webifyer 4 5 Configuring the My NFS Webifyer 4 6 Defining favorites for the My NFS Webifyer 4 6 Defining NFS shared folders for the My NFS Webifyer 4 7 Limiting a group s acc...

Page 9: ...Configuring the Guest Access Webifyer 4 33 Configuring the X Windows Access Webifyer 4 35 Configuring X Windows hosts for remote access 4 35 Using client certificate validation for Webifyers 4 38 5 Managing Monitoring and Maintaining the FirePass Server Maintaining the network configuration settings 5 1 Configuring IP addresses and subnets 5 1 Configuring routing tables and rules 5 2 Configuring D...

Page 10: ...ts 6 5 Using the Application Log report 6 6 Using the Summary report 6 7 Using the Group report 6 8 7 Configuring FirePass Failover Servers and Cluster Servers Using FirePass failover servers 7 1 Installing FirePass failover servers 7 1 Configuring the IP addresses for failover servers 7 1 Powering up failover servers 7 2 Configuring the failover settings 7 3 Making a standby server the active ser...

Page 11: ...1 Introducing the FirePass Server The FirePass remote access solution The FirePass server models The FirePass server features About this guide Finding help and technical support resources ...

Page 12: ......

Page 13: ...poration or organization to extend secure remote access easily and cost effectively to anyone connected to the Internet with no special software or configuration on the remote device Also no additions or changes are necessary to the back end resources being accessed This approach eliminates the IPSec VPN support burden and adds application functionality well beyond mere connectivity The FirePass s...

Page 14: ...users With FirePass server s access controls you can restrict individuals and groups to particular resources For example partners can be have restricted access to an extranet server only while sales staff can connect to email the company Intranet and the CRM system Availability Unlike IPSec VPNs Web based remote access works over all ISP connections and works from behind other firewalls ISPs canno...

Page 15: ...file and Intranet access client server application access legacy host application access mainframe AS 400 X Windows and Telnet and Terminal Services Citrix application access Mobile device access FirePass server provides email file and Intranet access from mini browsers on mobile devices These include Internet enabled WAP and iMode telephones PDAs PalmOS and Pocket PC and RIM Blackberries Administ...

Page 16: ... single logical server About this guide This FirePass Administrator Guide provides information and step by step instructions for installing and administering the FirePass 1000 and 4000 servers This guide is available as an Adobe Acrobat file pdf To install a free version of Adobe Acrobat Reader see http www adobe com Audience This guide is for system and network administrators who install and conf...

Page 17: ...d Wide Web The F5 Networks Technical Support web site http tech f5 com provides the latest technical notes answers to frequently asked questions updates for the Administrator Kit in PDF format updates for the release notes and the Ask F5 natural language question and answer engine Conventions used in this manual Information that you type appears in a bold monospace font For example admin A Tip sug...

Page 18: ...Chapter 1 1 6 ...

Page 19: ...rewall to work with the FirePass server Understanding name resolution issues for FirePass servers with a private IP address Installing the FirePass server Testing network connectivity Using the Administrative Console to configure the FirePass server Using the Maintenance Console What s next ...

Page 20: ......

Page 21: ...ble as a backup Using the Administrative Console to configure the FirePass server on page 2 17 Connect the FirePass server to the network Test that the FirePass server is accessible on the network and test DNS resolution of the FirePass server s host name inside and outside firewall Testing network connectivity on page 2 16 After the FirePass server is up and running and the network connections ar...

Page 22: ...application services the server must access There are some ports that must be open in all situations such as ports 80 and 443 for HTTP and HTTPS on the external firewall between the FirePass server and remote Web browsers If the FirePass server is installed in a DMZ with an internal firewall separating it from the corporate network you also have to open other ports as necessary to allow access to ...

Page 23: ...llow traffic on ports 80 443 and 661 To verify that the FirePass server has access to DNS and SMTP services after you have opened the ports and installed the FirePass server you can use the instructions in Testing network connectivity on page 2 16 After you have verified that the FirePass server has access to DNS and SMTP services and that you can access the server from a Web browser from either s...

Page 24: ... acknowledgement bit set for those protocols For completeness the following tables list the types of traffic in pairs of request and response that must be allowed through the firewalls for each category of FirePass server functionality All traffic associated with the FirePass server falls into in one of these categories Traffic between the remote user s browser and the FirePass server See About th...

Page 25: ...ur Maintenance Console using Secure Shell SSH To allow this access while blocking routine SSH access the FirePass server provides temporary encrypted keys further protected by a passphrase For more information about providing SSH access to Technical Support see Providing SSH access for Technical Support on page 5 31 Traffic Type Protocol Source Destination Ack bit Comment Address Ports Address Por...

Page 26: ...rePass servers with a private IP address on page 2 11 Traffic Type Protocol Source Destination Ack bit Comment Address Ports Address Ports DNS TCP Local LAN 1025 to 65535 FirePass server 53 DNS response TCP FirePass server 53 Local LAN 1025 to 65535 Yes NTP UDP Local LAN 1025 to 65535 FirePass server 123 NTP response UDP FirePass server 123 Local LAN 1025 to 65535 SSH TCP Local LAN 1025 to 65535 F...

Page 27: ... default port assignments Your network may vary Microsoft Networking requires four ports two TCP IP ports and two UDP ports Port 135 is the RPC port port 139 is the NetBIOS session port 137 is the NetBIOS name service and port 138 is the datagram These ports must be configured to allow users to use the My Files Webifyer to view network file shares A WINS server helps address resolution from NetBIO...

Page 28: ...r 1025 to 65535 Yes Required for email Microsoft Networking TCP FirePass server 1025 to 65535 Local LAN 135 139 Required for File services Microsoft Networking Response TCP Local LAN 135 139 FirePass server 1025 to 65535 Yes Required for File services Microsoft Networking UDP FirePass server 1025 to 65535 Local LAN 137 138 Required for File services Microsoft Networking Response UDP Local LAN 137 ...

Page 29: ...t 661 which allows the FirePass server to initiate a session with the FirePass Desktop Agent The FirePass server communicates with the Agent on port 443 Note The port numbers in the following table are default values which you can change For more information see Configuring the My Desktop Webifyer on page 4 31 Client Server applications response TCP Local LAN User defined TCP FirePass server 1025 ...

Page 30: ...5 Yes Required for My Desktop Host Activation Protocol HAP TCP FirePass server 1025 to 65535 Local LAN 661 Required for My Desktop Host Activation Protocol HAP response TCP Local LAN 661 FirePass server 1025 to 65535 Yes Required for My Desktop HTTPS TCP FirePass server 1025 to 65535 Local LAN 443 HTTPS response TCP Local LAN 443 FirePass server 1025 to 65535 Yes Table 2 5 Traffic between FirePass...

Page 31: ...nd then add an A record to that zone that resolves to the FirePass server s private address such as 10 0 0 8 If you have a WINS server add a static entry for the FirePass server name If you have a firewall that supports a DNS alias feature such as the CISCO PIX set up the firewall to redirect internal FirePass server traffic originating from the corporate LAN to the FirePass server s private IP ad...

Page 32: ...e FirePass server After unpacking the FirePass server you should have the following items FirePass server 120 VAC power cord Network cable Installing the FirePass server in an equipment rack Install a FirePass 1000 server in a standard 1U equipment rack and a FirePass 4000 server in a standard 2U equipment rack Make sure that the rack has adequate ventilation and power We strongly recommend using ...

Page 33: ...n configuring FirePass server clusters see Using FirePass server clusters on page 7 5 4 Plug in the power cable into a 120 VAC wall outlet and into the Power connector on the rear panel of the FirePass server 5 Turn on the Power switch on the front panel of the FirePass server Note If you are powering up a server cluster always power up the Master server first If the Master server is not available...

Page 34: ...with a web browser Connect them directly using a cross over Ethernet cable or indirectly with a standard Ethernet cable and an isolated hub or switch Enter the default URL Setting Factory default value Admin Console User Name admin Admin Console password admin Maintenance Console User Name maintenance Maintenance Console password no password Server name firepass company xyz Server IP Address Mask ...

Page 35: ...own restart Now shut down and restart FirePass For more information see Shutting down and restarting FirePass on page 5 17 6 Connect to your network Disconnect the FirePass server from the isolated network and reconnect it to your network Test the network connections by following the instructions in Testing network connectivity on page 2 16 7 Finish configuring your FirePass server following the s...

Page 36: ... ping fully qualified server name Outside the firewall this name should resolve to the FirePass server s public IP address Note You may not receive pings back from outside the firewall if the firewall is not configured to pass ICMP packets 4 Test accessing the server from a Web browser by entering the URL for the FirePass server on computers both inside and outside the firewall For example enter h...

Page 37: ...k you can use the Administrative Console in a Web browser to administer the server and change configuration settings as necessary You can run the Administrative Console on any computer that can access the FirePass server over the network Logging Into the Administrative Console To log into the Administrative Console 1 Enter the following URL in a Web browser on a computer that can access the FirePa...

Page 38: ...ou should do is change the default password for the preconfigured Administrator superuser account To change the superuser password 1 Under the Server tab on the left side of the Administrative Console click the Security link 2 Click the Password link The Change Superuser Password screen opens 3 In the Old Password text box type the current password 4 In the Password and Confirm Password text boxes...

Page 39: ...If so follow the directions in the email If not contact Support support f5 com to make sure your license is ready Licenses are time limited for security reasons Install your license as soon as you receive it Make sure that your firewall allows outbound Internet connections to port 443 Navigate to Server Settings Then click on the Pick up new license link If your license is ready and the server can...

Page 40: ... click the Telnet Session to the Maintenance Account link 4 At the Login prompt enter the following maintenance No password is required 5 Enter Y to agree to the conditions on the screen The Maintenance Console menu appears Logging out of the Administrative Console If you do not log out of the Administrative Console the FirePass server automatically times you out after a period of inactivity This ...

Page 41: ...mputer s serial port to the FirePass server s serial port and then use a terminal emulation program Connect a monitor and keyboard directly to the FirePass server FirePass 4000 only To use the Maintenance Console to configure the FirePass server 1 Use a 9 pin D style null modem cable to connect the serial port on a serial terminal or on a computer to the FirePass server s serial console port on th...

Page 42: ...Console running in a Web browser on the network But you can also use the other Maintenance Console commands at a later time to configure other settings 7 At the Network Configuration prompts enter the appropriate information or press the Enter key to accept the current setting 8 After you finish entering the settings enter Y at the confirmation prompt 9 For some configuration changes the server pr...

Page 43: ...ng and Maintaining the FirePass Server for directions Install the license signature You may have received an email from the F5 entitlement server describing how to install your license If so use those directions If not contact technical support support f5 com to make sure your license is ready Then navigate to Server Settings License and click on the link to pick up your new license signature Conf...

Page 44: ...Chapter 2 2 24 ...

Page 45: ...ity Overview of setting up FirePass server security Working with groups Working with user accounts Setting up FirePass server authentication Setting up certificates Limiting access to the administrative console by IP address What s next ...

Page 46: ......

Page 47: ...FirePass server synchronized with the groups on the Windows Domain server or LDAP server That is if a user is moved to a different group on the Windows Domain or LDAP server FirePass server automatically moves the user to the corresponding mapped group in its internal database the next time the user logs into FirePass server If you also choose to use a signup template for new FirePass server users...

Page 48: ...revocation list CRL and configure the FirePass server to validate client certificates installed at each user s computer You can use the client certificates as part of a two factor authentication system or to limit access to particular FirePass Webifyers For more information on changing the server name and setting up server and client certificates see Setting up certificates on page 3 29 Working wi...

Page 49: ...ole click the Groups link The Group Management screen opens 2 In the New group name box in the Create New Group section enter a name for the group Only alphanumeric symbols are allowed 3 From the Copy settings from list select the group whose settings you want to copy to the new group All settings for authentication methods Webifyers and signup templates are copied from the selected group to the n...

Page 50: ... a different group 1 In the Move Users section of the Group Management panel select the group from the Move Users to Group drop down list to which you want to move users 2 Click the Select Users button 3 In the Move Users panel select the users you want to move by clicking the check box next to each name 4 Click the Move To Group button Showing a list of all users in a group To show a list of all ...

Page 51: ... Windows domain based group mapping 1 In the LDAP and Windows Domain Based Grouping section of the Group Management panel select the Use Windows Domain Group to Map Group option 2 In the Domain Name box specify the name of the Windows domain you want to map users against 3 Optional In the PDC Server Name box specify the name of the Primary Domain Controller PDC server if the domain or PDC is on a ...

Page 52: ... have FirePass server query a LDAP or Windows Domain server for each user s group membership and automatically add the new user to the mapped group in FirePass server s internal database For more information on LDAP configuration see Setting up LDAP server authentication on page 3 27 There are two methods you can use to map LDAP groups Based on LDAP user object information such as DN or any attrib...

Page 53: ...p Group option if your LDAP schema has an attribute that corresponds to a FirePass server group Select the Use Parent DN to Map Group option if the user s parent DN corresponds to a FirePass server group 10 Click Update to display the appropriate mapping table next to the Mapping option you just selected 11 Do one of the following If you selected the Use Attribute to Map Group option and if the at...

Page 54: ... DN values selecting the FirePass server group from the menu and then clicking Add For example suppose you have these three container objects in your LDAP schema to store users for each department ou Financial o MyCompany ou Marketing o MyCompany ou Sales o MyCompany In that example you map these DN values to groups as follows 12 In the text boxes in the LDAP Attributes to Obtain Personal Informat...

Page 55: ...et of options appears 2 From the For the group drop down list choose the FirePass server group that you want to map to 3 Click the Add to List button to add the selected group to the mapping list 4 Click Edit next to the group you added to set up mapping parameters for that group A new set of options appears 5 In the LDAP Server box enter the name of an LDAP server 6 In the LDAP Port box enter an ...

Page 56: ...sert a user name For example CN Marketing uniqueMember UID logon OU People O MyCompany 13 In the Attribute for Dynamic Members box specify an attribute for dynamic members 14 In the Search Base DN for User box specify a Search Base DN For example OU People O MyCompany 15 Click the Update button to store the mapping parameters for the selected group 16 Optional To test the mapping parameters enter ...

Page 57: ...ge 3 15 Import users into each group from a text file See Importing user accounts from a comma or tab delimited text file on page 3 16 Allow a signup template for each group to automatically adds users when they log in for the first time if the user has an existing account in a RADIUS LDAP or Windows Domain server See Using signup templates to add user accounts on page 3 16 All of these methods cr...

Page 58: ...ail address 7 Do one of the following If the authentication for the selected group is handled by the FirePass server s internal database enter the user s password in the Password and Validate text boxes If the authentication is handled by an external VASCO server enter the user s Token ID in the Token ID text box See Setting Up VASCO DigiPass authentication on page 3 28 If the authentication is ha...

Page 59: ...r the MyNetwork Access option 12 Click the Add User button 13 If you chose the option to generate a key click the Click to Pick Up the Key button in the next panel that appears The installation key for the user is listed in the Existing FirePass server Installation Keys panel 14 Do one of the following Write down the installation key so you or the user can use it later for installing the My Deskto...

Page 60: ...ss server logon user name select the FirePass Logon Formatted as DOMAIN Username option Note This option is only necessary if there are FirePass server users with identical user login names belonging to different domains If you select this option during an import process each imported user must log in to the FirePass server using the format of DOMAIN username 10 To automatically generate appropria...

Page 61: ...es a draft user list which is basically the list of matching DNs The search query must be a valid LDAP query expression 10 Click the Query button The LDAP import screen opens 11 Choose entries from the drop down menus under the LDAP Attribute heading to map the LDAP attributes into FirePass server values such as user name first and last names and email address Note that the first and last names ca...

Page 62: ...sers select the users you want to import by clicking the check box next to their logon or name 7 Optional As necessary select the options to force the user to change their password on the initial logon email the password to the user force periodic password changes or deactivate the account after a specified period of time 8 To grant access permissions for the user select the MyDesktop Access optio...

Page 63: ...ick the Signup templates link 2 From the For the group drop down list select the group that you want to use a signup template with The group must use RADIUS LDAP or Windows Domain authentication 3 Select the Allow Authenticated Signup by Template option 4 Select a user mode option for the user A Manager can view the FirePass server system statistics A User cannot view statistics 5 To grant access ...

Page 64: ...k The Import NFS Settings screen opens 3 Copy the contents of a UNIX password file that contains the user IDs and group IDs you want to import 4 Paste the contents of a UNIX password file into the text box on the Import NFS Settings panel 5 Click the Import button The NFS user permissions are listed on the next panel next to each FirePass server user s logon name Note User IDs below 100 are ignore...

Page 65: ...tivate deactivate or delete 2 Do one of the following To activate or deactivate the users click the Activate Deactivate Selected button A lock icon is placed next to user accounts that are deactivated Click the Delete Selected button and then click the Delete button to confirm the deletion Assigning administrative privileges to a user account By default the FirePass server includes a superuser acc...

Page 66: ...es until you explicitly assign them 5 To assign administrative privileges for features in the Administration Console click the Edit link in the Feature Access column next to the user s name The Feature Access screen opens 6 Do any of the following To allow access to all tabs panels and features in the Administrative Console select the Allow Access to All Features option and then click the Save but...

Page 67: ...ctly by using the URL https server name company com stats Searching for user accounts You can limit the scope and the size of the list of users on the User Management panel by searching for logon name email or group To search for user accounts 1 In the User Management panel choose Logon Name email or Group from the Search By drop down list 2 In the text box next to the Search By drop down list ent...

Page 68: ...ser s account do not select the option to generate an installation key 2 Using the user s computer log into the Administration Console 3 Generate a new key by following the instructions in the previous section Generating a My Desktop client software installation key on page 3 21 4 In the Existing FirePass Installation Keys panel select the key right click and then choose Copy from the context menu...

Page 69: ...tication following RADIUS server You can use a RADIUS server at your site that supports RSA s SecurID technology Each user is issued a SecurID token See Setting up RADIUS server authentication on page 3 24 Windows domain server You can use a Windows domain server for authentication See Setting up Windows domain server authentication on page 3 25 LDAP server You can use an LDAP server for authentic...

Page 70: ...ly supports RSA extensions for RADIUS and is RSA certified To set up RADIUS server authentication 1 Under the Server tab click the Authentication link 2 From the For the group drop down list select the group that you want to set up authentication for 3 Click the RADIUS authentication link from the list of options toward the bottom of the panel 4 In the Timeout box enter the number of seconds befor...

Page 71: ...e FirePass server On all Secure ID servers the SecurID server needs to be made a client of itself to make the RADIUS server function The RADIUS service functions as a standalone process and if the SecurID server is not set up as a client of itself it rejects the authentication request and not store anything in the logs making this problem difficult at best to diagnose The FirePass server merely re...

Page 72: ...e box enter the name of the Windows domain 5 Optional In the PDC Server Name box specify the name of the Primary Domain Controller PDC server if you want to use a particular PDC when joining the Windows domain or if the PDC is on a different subnet than the FirePass server 6 Optional In the WINS Server IP Address box specify the IP address of the WINS server to aid in name resolution of the config...

Page 73: ...ication Scheme screen opens 2 From the For the group drop down list select the group that you want to set up authentication for 3 Click the LDAP Authentication link in the list of options 4 In the Host box enter the name or IP address of an LDAP server 5 In the Port box enter an LDAP port such as 389 6 If you want to use SSL select the Use SSL Connection option 7 Do either of the following Select ...

Page 74: ...nder the Server tab click the Authentication link The Authentication Scheme screen opens 2 From the Group drop down list choose the group that you want to set up authentication for 3 Click the VASCO DigiPass Authentication link at the bottom of the panel The VASCO DigiPass Authentication Scheme screen opens The tokens are listed in the Tokens section 4 Optional To import additional tokens from a V...

Page 75: ...own and that the certificate name does not match that of your server Generating a new certificate request When you deploy the FirePass server into production you must purchase and install a digital certificate matching the FirePass server s configured host name You can use the FirePass Administrative Console to generate a request to a Certificate Authority for a valid certificate See Generating a ...

Page 76: ...te request 1 Under the Server tab on the left side of the Administrative Console click the Maintenance link The Maintenance screen opens 2 Click the Network Configuration link 3 Click the Web Services link at the top of the screen 4 Click the Configure link for the host name you intend to use 5 On the configuration screen check the Use SSL box 6 Two new links now appear below this box Edit certifi...

Page 77: ...e comes from a chained Certificate Authority paste the intermediate certificate chain in the lower text box 7 Click the Go button Using client certificates to authenticate a user s computer The server certificate verifies the server s identity to a user s computer You also can require client certificates verifying the identity of a user s computer to the server or limiting access to particular Fir...

Page 78: ...rtificates for users who you want to deny access to the FirePass server For example you can exclude the client certificates for users who have left your company See Installing a certificate revocation list on page 3 34 Installing a client root certificate To install a client root certificate on the FirePass server 1 Under the Server tab on the left side of the Administrative Console click the Secu...

Page 79: ...ter a valid password to gain access to the FirePass server Configuring client certificate authentication After installing the client root certificate and enabling the validation of client certificates you can configure client certificate validation as part of the authentication for a group To configure client certificate authentication 1 Under the Server tab click the Authentication link From the ...

Page 80: ...er name on the Login panel must match the common name CN of the client certificate select the Login Username Must Match Certificate Common Name option Installing a certificate revocation list To install a certificate revocation list CRL on the FirePass server 1 Under the Server tab on the left side of the Administrative Console click the Security link 2 Click the Certificates link The Certificates...

Page 81: ...h a blank space Use the format xxx yyy zzz www for an explicit address or xxx yyy zzz www vv for an address mask You can also use this alternative form for a subnet xxx yyy zzz For example 192 168 2 1 192 168 2 3 192 168 2 1 16 192 168 2 4 Click the Go button next to the Option 1 text box 5 If you want to allow unlimited access to all IP addresses again click the Go button next to the Option 2 tex...

Page 82: ...Chapter 3 3 36 ...

Page 83: ...r Configuring the My Intranet Webifyer Configuring the My E mail Webifyer Configuring the Terminal Services Webifyer Configuring the AppTunnels Webifyer Configuring the Host Access Webifyer Configuring SSL VPN Configuring the My Desktop Webifyer Configuring the X Windows Access Webifyer Using client certificate validation for Webifyers ...

Page 84: ......

Page 85: ...UNIX NFS servers See Configuring the My NFS Webifyer on page 4 6 My Intranet Allows remote users access to internal Web servers including Outlook Web Access email servers See Configuring the My Intranet Webifyer on page 4 8 My E mail Allows remote users access to POP IMAP SMTP email servers and LDAP address books using a Web browser Users can send and receive messages download attachments and atta...

Page 86: ...software or configuration on the remote user s computer and no server side changes are required See Configuring SSL VPN on page 4 23 My Desktop Provides employees with full remote control access to their desktop computers on the internal LAN See Configuring the My Desktop Webifyer on page 4 31 X Windows Access Provides remote users with access to X Windows applications hosted on UNIX and Linux ser...

Page 87: ...that appears specify a name for the file share that you are defining as a My Files Favorite This name is displayed as a label for the My Files Favorite in each user s Web browser under the My Network Files icon For example Company Literature Important The Administration Console does not verify the path you specify so be sure to enter it correctly 5 In the Path box specify a path for the file share...

Page 88: ...select the VirusSignatures credo file and then click the Upload button To enable file uploading for the My Files Webifyer 1 In the File Upload section of the My Files screen select the Enable File Upload option Configuring advanced settings for the My Files Webifyer If the FirePass server contains two NICs it is important to configure a broadcast address for the internal NIC If there is a WINS ser...

Page 89: ... FirePass server Important The Default Domain Workgroup setting is required for deployments where the IP address of the FirePass server is not on the target LAN 4 To have the FirePass server attempt to automatically log into My Files servers and shares using each user s FirePass login user name and password select the Auto login to My Network shares using FirePass user login credentials option Usi...

Page 90: ... browsing directories above the level of the specified server share Note FirePass users cannot access NFS shares until they have been assigned a UNIX style User ID and Group ID See Using NFS user permissions from a UNIX password file on page 3 17 Defining favorites for the My NFS Webifyer To define a NFS favorite for the My NFS Webifyer Under the Webifyers tab click the My NFS link to open the My ...

Page 91: ...r for any exported file systems To define a NFS shared folder for the My NFS Webifyer 1 In the NFS Shared Folders section of the My NFS screen click the Add New link 2 In the Name box enter the name for the path that you are defining as a My NFS shared folder This name is displayed as a label for the NFS shared folder in the user s Web browser For example Public 3 In the Path box specify a path fo...

Page 92: ...eb sites and URLs You can set any of these links or the Favorites screen as the default screen that users see when displaying My Intranet for the first time during a session You can also specify whether you want a Web site to open inside the existing browser window or in a separate window To define an Intranet favorite for the My Intranet Webifyer Under the Webifyers tab click the My Intranet link...

Page 93: ...sword For example suppose you specify this URL http server company com and these URL variables show_custom_content 1 user username company com For a FirePass user named johndoe these variables would result in an actual Favorite link of http server company com show_custom_content 1 user john doe company com 5 Optional If you want the URL variables you specified to be POSTed instead of appended to t...

Page 94: ...list Limiting a group s access to the Intranet Favorites If you want to limit a group s access to the Intranet Favorites you specified select the Limit MyNetwork Access to Intranet Favorites Only option Using client certification validation for the My Intranet Webifyer You can restrict access to the My Intranet Webifyer to users in a group who have a valid client certificate installed on their com...

Page 95: ...ad of using the default list of FirePass users Configuring an email account To configure an email account Under the Webifyers tab click the My E mail link to open the My E mail Webifyer screen 1 From the For the group drop down list select the group that you want to configure the My E mail Webifyer for 2 Select the Enable corporate mail account option 3 In the Account name box enter a name such as...

Page 96: ...al database Use LDAP query for mail server display and login information Select this option to obtain each user s email information based on an LDAP query See Obtaining email addresses from an LDAP server on page 4 13 8 Click the Update button Obtaining each user s email information based on an LDAP query You can dynamically obtain the mail server name display name and login information for each u...

Page 97: ... In the Attribute for user s logon box enter the attribute in the LDAP schema that contains the user s logon 13 Click the Update button Disabling email attachment downloads By default email attachment downloads are enabled If necessary you can disable attachment downloads To disable email attachment downloads 1 In the Message Settings section of the My E mail Webifyer screen select the Disable att...

Page 98: ...xample cn Recipients ou Exchange o FirePass server 8 In the Filter template box enter a search filter template For example objectclass person cn s where s is substituted by user s FirePass logon name 9 In the Name Attribute box specify the name attribute which is typically cn 10 In the Address Attribute box enter the email address attribute which is typically mail 11 Click the Update button Using ...

Page 99: ...r includes Support for native Terminal Server hosted applications Support for Citrix MetaFrame applications Automatic download and installation of the correct Terminal Services or Citrix remote platform client component if it is needed but has not yet been installed For each user group you can assign options and create a set of favorite links to appropriate servers You can also specify whether you...

Page 100: ... Browser and VNC The FirePass server attempts to use the first entry in the list and if that entry fails the server proceeds with other entries in the list until a working server is found 6 From the drop down list next to the Port box select a server type After you select the server type the appropriate default value for the port is automatically entered in the Port text box If necessary you can e...

Page 101: ...avorites you specified select the Limit MyNetwork Access to Terminal Service Favorites only option Using client certification validation for the Terminal Service Webifyer You can restrict access to the Terminal Services Webifyer to users in a group who have a valid client certificate installed on their computer For more information see Using client certificate validation for Webifyers on page 4 38...

Page 102: ...otocol with SSL as the transport As a result the AppTunnels Webifyer works through all HTTP proxies including public access points and private LANs and over networks and ISPs that do not support traditional IPSec VPN clients The first time users access the AppTunnels Webifyer an ActiveX control is automatically installed in their Internet Explorer browser or a plug in is automatically installed in...

Page 103: ... 5 In the text box next to the drop down list enter the remote host IP address or the host name as appropriate Note If you specify a host name the HOSTS file at the access point is temporarily patched for the duration of access This temporary patch allows the AppTunnels Webifyer to temporarily override the port settings while preserving the usual LAN settings for the applications The original HOST...

Page 104: ...IP address or the host name Click the Add New button next to the subtunnel s information 11 To rearrange the order in which the tunnels are activated click the Move Up or Move Down buttons next to the tunnels in the Favorite AppTunnels section Compressing traffic between the client and the FirePass server To compress all traffic between the client and the FirePass server using the GZip deflate met...

Page 105: ...stall on the host system or server The following formats are supported VT320 Telnet in Java VT320 Telnet in HTML TN3270 80x24 in Java TN3270 80x32 in Java TN3270 132x27 in Java TN5250 80x32 as ActiveX control self installed plug in You can also use a password based SSH connection Configuring Host Access Favorites Under the Webifyers tab click the Host Access link to open the Host Access Webifyer s...

Page 106: ...the Host Webifyer screen the Administration Console displays the number of host sessions that are currently in progress If necessary you can restart the host access server by clicking the Restart The Host Access Server button Limiting a group s access to the host access favorites If you want to limit a group s access to the host access favorites you specified select the Limit MyNetwork Access to H...

Page 107: ...re any pre installed pre configured software on the remote system Field staff and travelers can access their applications without needing any individual setup or configuration of their computers The SSL VPN Webifyer supports UDP and TCP applications Simple maintenance Upgrades or replacement of field computers do not require any additional VPN related maintenance and changes to the host network or...

Page 108: ...cess LAN option To use a virtual subnet disable the Use NAPT to Access LAN option Here is a comparison of the two methods of using the Use NAPT to Access LAN option to configure a VPN back end For example use NAPT when you only need to provide Outlook users with complete Exchange access VPN configuration is completely limited to the FirePass server The use of a virtual network ensures complete tra...

Page 109: ... rules are applied top to bottom in the order you create them on the VPN Settings screen WARNING If you enable the packet filter but no rules are defined all traffic is rejected To configure the global packet filter rules 1 On the VPN Settings screen select the Use packet filter to access LAN option The VPN Settings screen displays the Packet Filter Rules section 2 In the Packet Filter Rules secti...

Page 110: ...4 or 192 168 2 0 255 255 255 0 For any address and mask use 0 0 6 From the Action drop down list select an action for the rule Accept or Reject 7 Click the Save button to save the rule 8 Click the Apply these rules now button to apply the rules Configuring global SSL VPN client appearance You can configure global settings that determine how the SSL VPN client appears on each remote user s computer...

Page 111: ... This name is displayed as a label for the SSL VPN Favorite in each user s Web browser under the SSL VPN icon 3 In the DNS address box enter a space separated list of IP addresses for the internal company DNS servers These are conveyed to the remote user s access point 4 In the WINS address box enter a space separated list of IP addresses for the internal company WINS servers These are conveyed to...

Page 112: ...ternet Explorer 5 0 or later to be installed on the user s computer or access point 9 Click the Update button to update the screen 10 If you selected the Client proxy settings option do the following a In the Address box and the Port box enter the IP address and port number of the proxy server you want the SSL VPN client to use to connect to the Internet b To use the proxy server for all local Int...

Page 113: ...he Use Packet Filter to Access LAN option on SSL VPN Settings screen under the Server tab click the Security link then click the SSL VPN option See Configuring global SSL VPN packet filter rules on page 4 25 2 In the Group Packet Filter section of the SSL VPN Webifyer screen click the Add new rule link 3 From the Proto drop down list select a single protocol or all protocols 4 In the Port box ente...

Page 114: ...N client settings screen To launch applications automatically 1 In the App Path box of the Launch Applications section of the SSL VPN screen enter the complete path and file name of the application you want to launch For example iexplore http 127 3 54 34 sales automation pl 2 In the Parameters box enter any required parameters for the application 3 Click the Add button 4 To display a message befor...

Page 115: ...ok and Notes desktop clients with rich functionality over slow connections or small format remote devices My Explorer and Internet Favorites Users can use their desktop computers to access Intranet Internet sites and desktop Internet shortcuts Note For information on downloading the My Desktop software see Installing My Desktop client software at a user s computer on page 3 22 Configuring the My D...

Page 116: ...er configuration For more information on clusters see Using FirePass server clusters on page 7 5 Disabling bridge access to desktops The bridge is a highly scalable dynamic port forwarding mechanism that uses a range of high ports on the FirePass server to tunnel the HTTPS traffic directly to the server The resulting SSL session is between the Web browser and the desktop computer The bridge is a s...

Page 117: ...equiring client certificate for access option 5 Select the My Desktop Webifyer 6 To require that the user name on the Login screen must match the common name CN of the client certificate select the Login username must match certificate common name option Configuring the Guest Access Webifyer The Guest Access Webifyer provides users with collaborative features for the My Desktop Webifyer For exampl...

Page 118: ... enable the Guest Access Webifyer for the selected group select the Allow Guest Access option 3 From the drop down list select a method for how users send an invitation to their guest users 4 If you chose Internet mail enter the name or IP address of the SMTP mail server for the desktop computer 5 Click the Apply button ...

Page 119: ... collective list of favorites If group members are permitted to add their own individual favorites they configure them in the same way an administrator configures favorites for the group using an identical interface Configuring X Windows hosts for remote access You can configure or add an X Windows application host for FirePass remote access Remember that each Group needs to be separately configur...

Page 120: ... automatically using the credentials supplied in the Login Password box below If this box is unchecked the FirePass server presents a signon screen to the user at the time of access 9 In the Login Password boxes provide the default logon and password to be used These credentials are used only if the Remember login password box above is checked 10 In the Xwindow type box select an option If the hos...

Page 121: ...ide or modify access in the For the group list 2 To modify the configuration details click The server name The green X icon to the left of the server name The I edit icon to the right of the server name 3 Edit the host or logon details as needed Deleting a host You can use the My X Windows Webifyer screen to remove a host from the Favorites list To delete a host from the Favorites list 1 Click the...

Page 122: ...et My E Mail Terminal Services AppTunnels Host Access My Desktop SSL VPN To use client certification for a Webifyer 1 Install and enable client certification for Webifyers for the selected group See Using client certificates to authenticate a user s computer on page 3 31 2 Under the Webifyers tab click the link for the Webifyer you want to restrict access to Note For information on using client ce...

Page 123: ...g FirePass Backing up and restoring the FirePass server Specifying the email server Specifying the FirePass administrator s email address Granting Administrator privileges to other users Specifying the time time zone and NTP server Configuring client caching and compression settings Managing log files Updating the FirePass server s firmware Adding definitions for other types of browsers Monitoring...

Page 124: ......

Page 125: ...1 Under the Server tab on the left side of the Administrative Console click the Maintenance link 2 Click the Network Configuration link 3 Click the IP Config link at the top of the screen 4 Add additional IP addresses in the Add New IP region of the panel Edit or delete any existing IP addresses displayed in the IP Configuration table For each IP Address you can specify or edit the following value...

Page 126: ...You also can create rules applying to particular addresses These rules specify which routing table to use and the priority of the rule itself Use the Maintenance Network Configuration Routing screen to add entries to the FirePass routing table The Routing screen has two modes light where you can maintain the main routing table advanced where you also can maintain routing rules and you can add and ...

Page 127: ...hich table to modify Note A route with all zeros in the destination IP field is applied to any packet whose destination does not match that of another route Editing and deleting routes advanced mode only If you are in light mode switch to advanced mode by clicking the link toggle Click the link to display the routing tables To edit a route change the value in the table and click the Update button ...

Page 128: ...ggle Click the link to display the routing tables To edit a rule change the value in the table and click the Update button To delete a route from the table click the check box to the left of the rule and click the Delete Selected button at the bottom of the table Note You cannot delete two predefined rules identifiable by their priorities of 32766 and 32767 no check box appears next to those rules...

Page 129: ...New Static Hostname section Click the Add New Hostname button to add the local host name to the list in the Static HostNames section Static host names are stored in a local table and are used only when you need to augment or override your Domain Name Server FirePass uses the local table to locate an IP Address for a domain name before consulting the DNS Configuring services Your server provides fo...

Page 130: ...n below the table 1 Select the service s IP address from the list of addresses configured for this server and specify the port to use for this service in the Port box 2 Assign a name to the service or specify the fully qualified domain name of an Apache server listening on this port 3 Click the SSL check box to specify encrypted communications imperative for services involving access from outside ...

Page 131: ...kets Layer communication for example mini browsers on some internet phones and PDAs Redirect To redirect sessions to another service specify the name of a server or service to which to forward the session You can leave this field blank User Login Check this box to allow an end user to log in using this IP address name If this box is not checked the user is redirected to the administrator user inte...

Page 132: ...irewall Desktop agent host To specify a host for the Desktop Agent software and online help and to select which server side certificate to use on behalf of the desktop system click the Server tab on the left of the Administrative Console and navigate to Maintenance Network Configuration Desktop Desktop Agent ports By default the Desktop Agent server resident on the user s PC uses the standard TCP ...

Page 133: ...a new IPSec connection 1 Under the Server tab on the left side of the Administrative Console click the Security link 2 Click the IPSec Configuration link 3 Click the New Connection button to create a new IPSec connection The IPSec Configuration screen opens 4 In the Connection Name text box enter the name to identify the IPSec connection The name cannot contain any blank spaces 5 In the Local Endp...

Page 134: ...o use improved randomness in the generation of data encryption keys Note If this feature is supported by the remote endpoint we recommend enabling this option 12 Do one of the following If the endpoint IDs are the same as the endpoint IP addresses which is the default setting leave the Remote Endpoint ID text box blank If the security gateway lets you specify a different endpoint ID enter this end...

Page 135: ...re your license is ready Licenses are time limited for security reasons Install your license as soon as you receive it Installing your license To install a new or replacement license 1 Make sure that your firewall allows outbound Internet connections to port 443 2 Navigate to Server Settings on the Administrative Console 3 Click the Pick up new license link If your license is ready and your server...

Page 136: ... Webifyer you must specify the host name or the IP address of the NFS server The FirePass server can then query the NFS server for any exported file systems For information on how to define NFS servers using the My NFS Webifyer see Configuring the My NFS Webifyer on page 4 6 Map FirePass users to NFS users Mapping FirePass users to NFS users is important in order to have the FirePass server correc...

Page 137: ...rePass user is not defined as a local NFS user or a NIS user To map FirePass users to NFS users 1 Under the Server tab on the left side of the Administrative Console click the Maintenance link The Maintenance screen opens 2 Click the NFS Configuration link The NFS Configuration screen opens 3 To use an NIS server select the Enable NIS option in the NIS Settings section 4 In the NIS Domain box ente...

Page 138: ...ies link The HTTP and SSL Proxies screen opens 3 Do one or both of the following To enable an HTTP proxy select the Enable HTTP Proxy option In the Address text box enter the HTTP proxy s IP address and in the Port text box enter the HTTP proxy s port number To enable an SSL proxy select the Enable SSL Proxy option In the Address text box enter the SSL proxy s IP address and in the Port text box e...

Page 139: ...lick the Maintenance link The Maintenance screen opens 2 Click the SNMP link The SNMP screen opens 3 Select the Run SNMP Agent on Port option and enter a port number in the text box The standard SNMP port is 161 Important If you use a non standard port make sure that your SNMP management tool is configured appropriately It is highly recommended to make sure this port is only accessible from the in...

Page 140: ...ocation The string anywhere The string nowhere A list of space separated host names IP addresses or IP address netmask pairs Important We recommend restricting the access location to that of your SNMP management tool 9 In the Community Name text box in the Traps Configuration section enter the community name that is configured in your SNMP management tool This is a standard SNMP access token 10 In...

Page 141: ...tive Console click the Maintenance link The Maintenance screen opens 2 Click the Restart Services link The Restart Services screen opens 3 Click the Shutdown Server link To shut the FirePass server down using the Maintenance Console In the Maintenance Console select the Shutdown Server command Restarting the FirePass server or services You can restart the FirePass server hardware using the Adminis...

Page 142: ...e My Desktop Webifyer on page 4 31 The bridge provides a point to point secure connection between the remote user s Web browser and a desktop computer on the internal LAN If the bridge is stopped the FirePass server constantly encrypts and decrypts data The bridge highly improves the scalability of the My Desktop Webifyer To stop and start the bridge 1 Under the Server tab on the left side of the ...

Page 143: ...ses on page 5 11 To back up and restore FirePass server configuration information 1 Under the Server tab on the left side of the Administrative Console click the Maintenance link The Maintenance screen opens 2 Click the Backup Restore link The Backup Restore screen opens 3 Do one of the following To back up the current configuration excluding user and group accounts Webifyer settings and favorites...

Page 144: ...the mail server such as mailserver company com 4 Click the Go button 5 To test the email server connection enter an email address in the lower text box on the screen and then click the Send button Specifying the FirePass administrator s email address You can specify to whom you want the FirePass server to send notification To specify the FirePass administrator s email address 1 Under the Server ta...

Page 145: ...ot be given access to Server maintenance functions To create an administrator alias Create a new user login name for example Sales Admin on the User Management screen To add administrative privileges 1 Enter the name of a user or the role based user alias in the Enter existing username to assign administrative privileges link Click Add You see a list of user IDs with administrator privileges 2 Add...

Page 146: ... Server tab on the left side of the Administrative Console click the Maintenance link The Maintenance screen opens 2 Click the Time Server link The Time Settings screen opens 3 To specify a time zone for the FirePass server choose a time zone from the list box and then click the Apply button 4 To specify an NTP server enter the server name in the New NTP Server text box and then click the Apply bu...

Page 147: ...owser when users log out select the Inject ActiveX to Force Cache Cleanup in Logout panel option 4 Select the following cache options as necessary Each option is a trade off of performance versus security Don t cache anything except Style Sheets and JavaScript includes Good compromise between security and performance By default the My Intranet Webifyer marks every panel as non cacheable with the e...

Page 148: ...tions that use JavaScript in the browser to manipulate cookies Block Content Disposition headers Select this option to block content disposition headers This option might be useful to force in line handling of attachments as opposed to saving them at the remote end Translate hidden form parameters if they look like URLs Select this option to translate hidden form parameters if they appear as a URL...

Page 149: ...pens 3 To enable a periodic and automatic purge of the log files select the Enable to Purge Logs option 4 Click the Update button A new set of Log options appears on the Logs screen 5 Set the frequency of the purge process by selecting a time period from the Keep Logs For drop down list 6 To create an archive of the purged log files select the Create Archive option Note If this option is not selec...

Page 150: ... Reports link 11 If you do not select the Send archive using email option you can download the log file in the server s temporary archive storage by clicking the Download link and storing the log file on an external computer 12 To remove the log file from the temporary archive storage click the Delete link 13 To expand the archive into the archive database and replace the previous archive database...

Page 151: ...e install it and restart itself Important Whenever you upgrade the firmware you must update all clustered and failover servers to the new version at the same time To update the FirePass server s firmware 1 Under the Server tab on the left side of the Administrative Console click the Maintenance link The Maintenance screen opens 2 Click the Update link The list of currently available firmware updat...

Page 152: ...ce link The Maintenance screen opens 2 Click the New Browsers link The Classify New Browser Type screen opens 3 In the User Agent text box enter the user agent string for the new browser type 4 From the Type drop down list select a browser type 5 To support images in the browser select the Supports Images option 6 To support colors in the browser select the Supports Color option 7 Click the Add bu...

Page 153: ...on in the FirePass reports For more information on reports see Chapter 6 Using FirePass Reports Monitoring the load on a FirePass server You can display the real time load on the FirePass server To monitor the load on the FirePass server 1 Under the Server tab on the left side of the Administrative Console click the Load Monitor link The Load Monitor screen opens 2 Scroll down to see more graphs o...

Page 154: ...istrative Console click the Maintenance link The Maintenance screen opens 2 Click the Low level link 3 From the Packet type drop down list in the Network Packet Dump section select whether you want to capture all types of packets UDP packets only or TCP packets only 4 Do either of the following To capture traffic that has a particular destination IP address enter the destination IP address in the ...

Page 155: ...the user s home page You can also specify which Webifyers are available and the order in which they appear To customize the user s home page 1 Under the Server tab on the left side of the Administrative Console click the Customization link 2 For more information about the customization options see Online Help for the Customization panel Providing SSH access for Technical Support A Secure Shell SSH...

Page 156: ...Chapter 5 5 32 ...

Page 157: ...Overview of FirePass server reports Using the Logon report Using the My Desktop Activations report Using the Session report Using HTTP Log reports Using the Application Log report Using the Summary report Using the Group report ...

Page 158: ......

Page 159: ...l active user sessions and a history of sessions along with the corresponding user names logons times and status For more information see Using the Session report on page 6 4 HTTP Log report Provides various types of low level server logs such as a HTTP server access log HTTP server error log and a SSL engine log For more information see Using HTTP Log reports on page 6 5 Application Log report Pr...

Page 160: ...splay the Logon report Under the Reports tab on the left side of the Administrative Console click the Logons link to open the Logons Report 1 You can do any of the following To filter the report for unsuccessful attempts click the Show Failures link To show all attempts again click the Show All link To display details about a user click the link for the user s name To display additional records in...

Page 161: ... Administrative Console click the Activations link 2 Do any of the following To filter the report for any type of My Desktop failed activation click the Show Failures link To filter the report for failed activations of My Desktop that were not the result of an incorrect password click the Show non password Failures link To show all attempts again click the Show All link To display additional recor...

Page 162: ...ssions link To show a list of a history of sessions click the Complete History link To show a list of currently active sessions click the Currently Active link To show daily aggregate session counts click the Daily Averages link To show monthly aggregates click the Monthly Averages link To display details about a particular user s session such as browser type or IP address click the date in the St...

Page 163: ...lick the HTTP Logs link To change the type of log in the report select a log type from the Select Log File drop down list and then click the Go button or the icon 2 Click the icon to display the calendar Then do any of the following To display a particular page enter the page number in the Select Page box and then click the Go button To specify the number of records per page enter the number of re...

Page 164: ...owing To filter the report for a particular user click the link in the Logon column for the user s name To show all users again click the Show all records link at the top of the report To display details about a particular session click the link in the Session ID column for the session To display additional records in the report click the arrow buttons at the top of the screen for Previous Next Fi...

Page 165: ...k the Summary Report link 2 From the For the group drop down list select the FirePass server group that you want to create a Summary report for 3 Do any of the following To specify a particular date range for the Summary report select starting and ending dates from the Reporting period from and To inclusive drop down lists Then click the icon You can also click the Last Week Last 2 Weeks Last Mont...

Page 166: ...nk 2 With the Group report you can do any of the following To specify a particular date range for the Group report select starting and ending dates from the Reporting period from and To inclusive drop down lists Then click the icon You can also click the Last Week Last 2 Weeks Last Month or Last Year links To download and save the report as an Microsoft Excel xls file click the Download Report Dat...

Page 167: ...7 Configuring FirePass Failover Servers and Cluster Servers Using FirePass failover servers Using FirePass server clusters ...

Page 168: ......

Page 169: ...ervers you need to obtain new licenses Contact your sales representative or Technical Support and provide them with the serial numbers of the servers to be configured as a failover pair or request a new license for each server by navigating to Server Settings and clicking the link to request a new license For more information see Managing FirePass licenses on page 5 11 If you are installing two si...

Page 170: ... configuration panel is the IP address and port of the NIC in each server This address must be unique in each server in the failover pair Note that the Local Name IP addresses for the two failover servers must be on the same subnet For example the Local Name IP address might be set to 10 4 10 191 24 in one of the failover servers and the Local Name IP address might be set to 10 4 10 192 24 in the ...

Page 171: ...eartbeat configuration The current active member of a failover pair sends regular I am alive signals or heartbeats to the standby member of the pair Heartbeat settings tell this server what IP address and port to use for the heartbeat while it is the active member of the pair The destination of the signal must be the other member of the failover pair Ordinarily you provide heartbeat settings for e...

Page 172: ...ntil you commit them using the Finalize screen Making a standby server the active server To make a standby server the active server 1 Using a Web browser enter the fully qualified domain name for the failover server pair and log in as Administrator The active server responds to the request 2 Under the Failover tab on the left side of the Administrative Console click the Settings link 3 Click the R...

Page 173: ...make this possible the slaves report their number of currently active sessions as a part of the synchronization process You cannot change some configuration settings on slave servers These changes must be made on the master so they are replicated across all slaves during synchronization When you use the Administration Console to connect to a slave server the configuration options that you cannot c...

Page 174: ...rvers to remain synchronized you must also have configured at least one Synchronization service on each server in the cluster To configure a service for synchronization navigate to Server Network Configuration Web Services For more about configuring services see Configuring services on page 5 5 Load balancing To configure Load Balancing you must also have defined at least one User service allowing...

Page 175: ...k the Network Configuration link 3 Click the Clustering link at the top of the screen 4 Complete the Load Balancing table as follows If this is the master in a cluster the screen displays a table with a column for each node in the cluster beginning with the master Each row corresponds to an HTTP enabled User service on the master In each cell of each slave column enter the host name and port of a ...

Page 176: ...er and displays the slave server s settings within the console window 4 Under the Clustering tab on the left side of the Administrative Console click the Settings link The slave Settings panel for the master server appears Note To return to the master server enter the fully qualified domain name for the master server in your Web browser and then log in Displaying statistics for a FirePass server c...

Page 177: ...Index ...

Page 178: ......

Page 179: ...ion of user s computer 3 31 Host Access webifyer 4 22 My Desktop webifyer 4 33 My E mail webifyer 4 14 My Files 4 5 My Intranet 4 10 My NFS 4 7 SSL VPN webifyer 4 30 Terminal Services webifyer 4 17 webifyers using 4 38 Clustered servers accessing Slave from Master 7 8 certificates 7 5 configuration changes 7 5 configuring synchronization 7 7 domain names 7 5 installing 7 5 operational statistics 7...

Page 180: ... based mapping 3 6 moving users to 3 4 overview of 3 2 showing users in 3 4 Windows domain based mapping 3 4 Guest webifyer configuring 4 33 H heartbeat failover 7 1 home page appearance customizing 5 31 Host Access webifyer 4 2 4 21 active host sessions displaying 4 22 client certificates 4 22 favorites 4 21 limiting access 4 22 HTTP Logs report 6 1 6 5 HTTP proxies using 5 14 I importing NFS per...

Page 181: ...server name 2 11 network broadcast IP address to use 5 8 network packets capturing 5 30 NFS user mapping 5 13 NFS permissions manually assigning 3 18 mapping users from NFS servers 5 12 using 3 17 NIS server using 5 12 NTP server specifying 5 22 null modem cable 2 21 O overview of FirePass 1 1 P password superuser changing 2 18 users 3 12 Power switch 2 13 proxies HTTP and SSL 5 14 R RADIUS server...

Page 182: ... Timeout inactivity 2 20 troubleshooting using network packets 5 30 U unsuccessful attempts to log on reports 6 2 updating server firmware 5 27 user accounts activating and deactivating 3 19 administrative privileges assigning 3 19 changing 3 19 generating keys for My Desktop webifyer 3 21 importing from an LDAP server 3 15 importing from Windows domain server 3 13 importing permissions from NFS 3...

Reviews:

No comments

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands