Denying Access to Groups without an ACL
58
Firebox SSL VPN Gateway
When you enable split tunneling, you must enter a list of accessible networks on the
Global Cluster
Policies
tab. The list of accessible networks must include all internal networks and subnetworks that the
user may need to access with the Secure Access Client.
The Secure Access Client uses the list of accessible networks as a filter to determine whether or not
packets transmitted from the client computer should be sent to the Firebox SSL VPN Gateway.
When the Secure Access Client starts, it obtains the list of accessible networks from the Firebox SSL
VPN Gateway. The Secure Access Client examines all packets transmitted on the network from the cli-
ent computer and compares the addresses within the packets to the list of accessible networks. If the
destination address in the packet is within one of the accessible networks, the Secure Access Client
sends the packet through the VPN tunnel to the Firebox SSL VPN Gateway. If the destination address
is not in an accessible network, the packet is not encrypted and the client routes the packet appropri-
ately.
To enable split tunneling
1
Click the
Global Cluster Policies
tab.
2
Under
Access Options
, click
Enable Split Tunneling
.
3
In
Accessible Networks
, type the IP addresses. Use a space or carriage return to separate the list of
networks.
4
Click
Submit
.
Configuring User Groups
User groups define the resources the user has access to when connecting to the corporate network
through the Firebox SSL VPN Gateway. Groups are associated with the local users list. After adding local
users to a group, you can then define the resources they have access to on the
Access Policy Manager
tab. For more information about configuring local users, see “Configuring Properties for a User Group”
on page 90.
When you enable authorization on the Firebox SSL VPN Gateway, user group information is obtained
from the authentication server after a user is authenticated. If the group name that is obtained from the
authentication server matches a group name created locally on the Firebox SSL VPN Gateway, the prop-
erties of the local group are used for the matching group obtained from the authentication servers.
Note
Important:
Group names on authentication servers and on the Firebox SSL VPN Gateway must be
identical and they are case-sensitive
Denying Access to Groups without an ACL
Each user should belong to at least one group that is defined locally on the Firebox SSL VPN Gateway. If
a user does not belong to a group, the overall access of the user is determined by using access control
lists (ACLs) that are defined by the
Deny access without access control list (ACL)
setting as follows:
If the Deny Access option is enabled, the user cannot establish a connection
If the Deny Access option is disabled, the user has full network access
In either case, the user can use kiosk mode, but network access within that session is determined by the
Deny access without access control list (ACL)
setting.
Summary of Contents for Firebox SSL Series
Page 1: ...WatchGuard Firebox SSL VPN Gateway Administration Guide Firebox SSL VPN Gateway ...
Page 40: ...Using the Firebox SSL VPN Gateway 30 Firebox SSL VPN Gateway ...
Page 118: ...Setting the Priority of Groups 108 Firebox SSL VPN Gateway ...
Page 146: ...Managing Client Connections 136 Firebox SSL VPN Gateway ...
Page 168: ...Generating Trusted Certificates for Multiple Levels 158 Firebox SSL VPN Gateway ...
Page 190: ...180 Firebox SSL VPN Gateway ...
Page 198: ...188 Firebox SSL VPN Gateway ...