manualshive.com logo in svg

Watchguard Firebox SSL Series, User Manual

The Watchguard Firebox SSL Series user manual is a comprehensive guide for users seeking complete information about this esteemed product. Easily downloadable for free from our website, it provides step-by-step instructions and essential details to maximize the benefits of your Watchguard Firebox SSL Series.

Share
Download
background image

Using RADIUS Servers for Authentication and Authorization

70

Firebox SSL VPN Gateway

• Type  is  the  vendor-assigned attribute number.
• Attribute name is the type of attribute name that is defined in IAS. The default name is 

CTXSUserGroups=

.

• Separator is defined if multiple user groups are included in the RADIUS configuration. A separator 

can be a space, a period, a semicolon, or a colon.

To configure IAS so the Firebox SSL VPN Gateway can use RADIUS authorization, follow the steps below. 
These steps assume that IAS is installed from the Add/Remove Programs Control Panel. For more infor-
mation about installing IAS, see Windows Help.

To configure Microsoft Internet Authentication Service for Windows 2000 Server

1

Open the Microsoft Management Console (MMC) by clicking 

Start > Run

.

2

In 

Open

, type 

MMC

.

3

In the MMC console, on the 

File 

menu, click 

Add/Remove Snap-in

.

4

Click 

Add

 and in the 

Add/Remove Snap-in

 dialog box, select 

Internet Authentication Service

 

and click 

Add

.

5

Select 

Local computer

 and click 

Finish

.

6

Click 

Close

 and then click 

OK

.

7

Right-click 

Remote Access Policies 

and then click 

New Remote Access Policy

.

8

Select 

Set up a custom policy

.

9

In 

Policy name

, give the policy a name and click 

Next

.

10 Under 

Policy Conditions

, click 

Add

, select 

Windows-Groups

, and click 

Add

.

11 In 

Select Groups

, click 

Add

, and then type the name of the group.

12 A summary of conditions to match the policy is shown. To add more conditions, click 

Add

otherwise, click 

Next

.

13 In the 

Edit Dial-In Profile

 dialog box, on the 

Authentication

 tab, select 

Encrypted 

Authentication (CHAP)

 and 

Unencrypted Authentication (PAP, SPAP)

.

  

Note

Password Authentication Protocol (PAP) is an authentication protocol that allows Point-to-Point 
Protocol (PPP) peers to authenticate one another. PAP passes the password and host name or user name 
unencrypted. PAP does not prevent unauthorized access but identifies the remote end.

14 Clear 

Microsoft Encrypted Authentication version 2 (MS-CHAP v2)

 and 

Microsoft Encrypted 

Authentication (MS-CHAP)

.

15 Click 

OK

.

The Firebox SSL VPN Gateway needs the Vendor-Specific Attribute to match the users defined in the group on the 

server with those on the Firebox SSL VPN Gateway. This is done by sending the Vendor-Specific Attributes to the 

Firebox SSL VPN Gateway.

16 In the 

Edit Dial-in Profile

 dialog box, click the 

Advanced

 tab.

17 Click 

Add

.

Summary of Contents for Firebox SSL Series

Page 1: ...WatchGuard Firebox SSL VPN Gateway Administration Guide Firebox SSL VPN Gateway ...

Page 2: ...y any means electronic or mechanical for any purpose without the express written permission of WatchGuard Technologies Inc Copyright Trademark and Patent Information Use of the product documented in this guide is subject to your prior acceptance of the WatchGuard End User License Agreement applicable to this product You will be prompted to read and accept the End User License Agreement when you re...

Page 3: ...pport 6 LiveSecurity Service technical support 6 LiveSecurity Gold 7 Firebox Installation Service 7 VPN Installation Service 7 Training and Certification 7 CHAPTER 2 Introduction to Firebox SSL VPN Gateway 9 Overview 9 New Features 11 Authentication and one time passwords 11 New versions of the Secure Access Client 11 Configurable symmetric encryption ciphers 11 Automatic detection of proxy server...

Page 4: ...Appliances for Load Balancing and Failover 20 Installing the Firebox SSL VPN Gateway for the First Time 20 Getting Ready to Install the Firebox SSL VPN Gateway 20 Setting Up the Firebox SSL VPN Gateway Hardware 21 Configuring TCP IP Settings for the Firebox SSL VPN Gateway 21 Redirecting Connections on Port 80 to a Secure Port 24 Using the Firebox SSL VPN Gateway 24 The Firebox SSL VPN Gateway ope...

Page 5: ...To work with the templates for Windows and Linux users 40 Using the ActiveX Control 40 Installing Custom Portal Files on the Firebox SSL VPN Gateway 40 Enabling Portal Page Authentication 41 To enable portal page authentication 41 Linking to Clients from Your Web Site 41 To include links to the Firebox SSL Secure Access Client and kiosk mode on your Web site 41 Multiple Log On Options using the Po...

Page 6: ...abling Split Tunneling 57 To enable split tunneling 58 Configuring User Groups 58 Denying Access to Groups without an ACL 58 To deny access to user groups without an ACL 59 Improving Voice over IP Connections 59 Enabling Improving Voice over IP Connections 59 To improve latency for UDP traffic 60 CHAPTER 5 Configuring Authentication and Authorization 61 Configuring Authentication and Authorization...

Page 7: ...ns 78 Determining Attributes in your LDAP Directory 78 Using RSA SecurID for Authentication 79 To generate a sdconf rec file for the Firebox SSL VPN Gateway 80 Enable RSA SecurID authentication for the Firebox SSL VPN Gateway 81 Configuring RSA Settings for a Cluster 82 Resetting the node secret 82 Configuring Gemalto Protiva Authentication 82 Configuring NTLM Authentication and Authorization 83 C...

Page 8: ...9 Generating a Secure Certificate for the Firebox SSL VPN Gateway 109 Digital Certificates and Firebox SSL VPN Gateway Operation 110 Overview of the Certificate Signing Request 110 Password Protected Private Keys 110 Creating a Certificate Signing Request 111 Installing a Certificate and Private Key from a Windows Computer 112 Installing Root Certificates on the Firebox SSL VPN Gateway 112 Install...

Page 9: ...senging 131 Supporting Secure Access Client 132 Managing Client Connections 133 Connection handling 133 Closing a connection to a resource 134 Disabling and enabling a user 134 Configuring Authentication Requirements after Network Interruption 134 APPENDIX A Firebox SSL VPN Gateway Monitoring and Troubleshooting 137 Viewing and Downloading System Message Logs 137 To view and filter the system log ...

Page 10: ...bining the Private Key with the Signed Certificate 155 To combine the private key with the signed certificate 156 Generating Trusted Certificates for Multiple Levels 156 To generate trusted certificates for multiple levels 156 APPENDIX D Examples of Configuring Network Access 159 Scenario 1 Configuring LDAP Authentication and Authorization 160 Preparing for the LDAP Authentication and Authorizatio...

Page 11: ...ing the Fire box SSL VPN Gateway This document assumes that the Firebox SSL VPN Gateway is connected to an existing network and that the administrator has experience configuring that network Operating System Requirements The Firebox SSL VPN Gateway Administration Tool and Secure Access Client software can run on the fol lowing operating systems Windows 2000 Professional Windows 2000 Server Windows...

Page 12: ...to use your time to find new software Access to technical support and training You can find information about your WatchGuard products quickly with our many online resources You can also speak directly to one of the WatchGuard technical support personnel Use our online training to Convention Meaning Boldface Commands names of interface items such as text boxes option buttons and user input Italics...

Page 13: ... When necessary WatchGuard updates the WatchGuard System Manager software Product upgrades can include new features and patches When we release a software update you get an e mail with instructions on how to download and install your upgrade Editorial Each week top network security personnel come together with the WatchGuard Rapid Response Team to write about network security This continuous suppl...

Page 14: ...register asp The Account page appears 3 Complete the LiveSecurity Activation page Use the TAB key or the mouse to move through the fields on the page You must complete all the fields to activate correctly This information helps WatchGuard to send you the information and software updates that are applicable to your products 4 Make sure that your e mail address is correct Your LiveSecurity e mails a...

Page 15: ...s and web sites about network security The training is divided into parts which lets you use only the materials you feel necessary To learn more about online training browse to www watchguard com training courses_online asp Learn About Learn About is a list of all resources available for a specified product or feature It is a site map for the feature Product Documentation The WatchGuard web site h...

Page 16: ...uides to the web site at http www watchguard com help documentation Technical Support Your LiveSecurity Service subscription includes technical support for the WatchGuard System Man ager software and Firebox hardware To learn more about WatchGuard Technical Support browse to the WatchGuard web site at http www watchguard com support Note You must activate LiveSecurity Service before you can get te...

Page 17: ...tical problem when the support center is not open use the LiveSecurity Technical Support phone number to page a technician You can also send an incident on the web site at http www watchguard com support incidents newincident asp Firebox Installation Service WatchGuard Remote Firebox Installation Service helps you to install and configure your Firebox You can schedule two hours with a WatchGuard T...

Page 18: ...is also available at a location near you through a large group of Watch Guard Certified Training Partners WCTPs Training partners give training using certified training mate rials and with WatchGuard hardware You can install and configure the products with an advanced instructor and system administrator to help you learn To find a training partner go to http www watchguard com training partners_lo...

Page 19: ...e user seamless secure access to authorized applications and network resources Remote users can work with files on network drives email intranet sites and applications just as if they are working inside of their organization s firewall The Firebox SSL VPN Gateway also provides kiosk mode which opens a virtual network computing like connection to the Firebox SSL VPN Gateway Kiosk mode can include s...

Page 20: ... and intranet access from restricted LANs such as wireless networks Network topography showing the Firebox SSL VPN Gateway in the DMZ The following illustration shows how the Firebox SSL VPN Gateway creates a secure virtual TCP circuit between the client computer running the Secure Access Client and the Firebox SSL VPN Gateway Network topology showing the TCP circuit ...

Page 21: ... group based access control kiosk mode end point resources and polices portal pages and IP pools New Features The v5 5 software update for the Firebox SSL Core VPN Gateway includes the following new features Authentication and one time passwords You can configure the Firebox SSL VPN Gateway to prevent caching of one time passwords such as those used by an RSA SecurID When this feature is enabled i...

Page 22: ...n configure the Secure Access Client to disconnect from the Firebox SSL VPN Gateway if there is no user activity on the connection for a specific time interval You can also force a client disconnection if the connection remains active for a specific time interval or if the Firebox SSL VPN Gateway does not detect keyboard or mouse activity Disable kiosk mode In this release you can disable kiosk mo...

Page 23: ...e menu There are new menu items on the serial console allowing you to change the Firebox SSL VPN Gateway administrator password set the duplex mode and network adapter speed and revert to the default cer tificate that comes with the Firebox SSL VPN Gateway Enhanced End point and application access poli cies Features Administration Tool The Firebox SSL VPN Gateway provides the Administration Tool t...

Page 24: ...rces and policies Local users Authentication and Authorization Authentication and authorization are configured on the Authentication tab Double source authentication also known as two factor authentication is new for this release of the Firebox SSL VPN Gateway Firebox SSL VPN Gateway Settings The following table maps the Firebox SSL VPN Gateway settings Note To configure group settings on the Acce...

Page 25: ...nticationandAuthorization LDAP RADIUS RSASecurID local andSafewordPremierAccess Authentication Authentication Authentication Authorization LocalUsers Access Policy Manager InheritDefaultGroupProperties Access Policy Manager User Groups Properties General Authenticationafternetworkinterruption Access Policy Manager User Groups Properties General Authenticateuponsystemresume EnableSingleSign On Acce...

Page 26: ...networks such as wireless connections in hotels or airports Integrated end point scanning Ensures that the computer meets corporate standards to connect and remains safe for connection to the network Hides internal IP addresses There is no IP stack or routing table entry so internal IP addresses are hidden reducing the threat of worms propagating The User Experience The Firebox SSL VPN Gateway pro...

Page 27: ...box SSL VPN Gateway is quick and easy to deploy and simple to administer The most typical deployment configuration is to locate the Firebox SSL VPN Gateway behind your firewall or in the demil itarized zone DMZ More complex deployments such as with a server load balancer are also sup ported and described in this chapter The first time the Firebox SSL VPN Gateway is started use the Firebox SSL VPN ...

Page 28: ...ll to connect to the Firebox SSL VPN Gateway By default clients use Secure Sockets Layer SSL on port 443 to establish this connection To support this connec tivity you must allow SSL on port 443 through the first firewall Note You can change the port clients use to connect to the Firebox SSL VPN Gateway by altering the port setting in the Administration Tool This port setting is discussed in Confi...

Page 29: ...ficate from a known Certificate Authority and upload it to the Firebox SSL VPN Gateway If you deploy the Firebox SSL VPN Gateway in any environment where the Firebox SSL VPN Gateway must operate as the client in an SSL handshake initiate encrypted connections with another server you must also install a trusted root certificate on the Firebox SSL VPN Gateway For more information about root certific...

Page 30: ...work infrastructure without requiring changes to the existing hardware or back end software It works with other networking products such as cache engines firewalls routers and IEEE 802 11 wireless devices WatchGuard recommends installing the Firebox SSL VPN Gateway in the corporate demilitarized zone DMZ When installed in the DMZ the Firebox SSL VPN Gateway participates on two networks a private n...

Page 31: ...nfigure the TCP IP settings using the instructions in Configuring TCP IP Settings for the Firebox SSL VPN Gateway Configuring TCP IP Settings for the Firebox SSL VPN Gateway The preconfigured IP address of the Firebox SSL VPN Gateway is 10 20 30 40 The IP address can be changed using a serial cable and a terminal emulation program or by connecting the Firebox SSL VPN Gateway using network cables a...

Page 32: ...inal Note HyperTerminal is not automatically installed on Windows 2000 Server or Windows Server 2003 To install HyperTerminal use Add Remove Programs in the Control Panel 3 Set the serial connection to 9600 bits per second 8 data bits no parity 1 stop bit Hardware flow control is optional 4 Turn on the Firebox SSL VPN The serial console appears on the computer terminal after about three minutes 5 ...

Page 33: ...tration Tool click Install the Firebox SSL VPN Gateway Administration Tool Follow the prompts to complete installation 4 Log on to the Administration Tool using the default user name and password 5 On the Firebox SSL VPN Gateway Cluster tab open the window for the Firebox SSL VPN Gateway 6 On the General Networking tab under Interface 0 and Interface 1 next to IP Address type the new IP addresses ...

Page 34: ...automatically redirect HTTP connection attempts on port 80 to be secure connections on port 443 or other secure port If a user attempts an unsecure connection on port 80 the Firebox SSL VPN Gateway automatically con verts this connection attempt into a secure SSL encrypted connection on port 443 To redirect unsecure connections 1 Click the Firebox SSL VPN Gateway Cluster tab and open the window fo...

Page 35: ... can specify the proxy server s IP address and authentication credentials To configure a proxy server 1 To open the logon dialog box click the Secure Access Client icon on the desktop 2 In the Firebox SSL Secure Access logon dialog box right click anywhere in the dialog box and select Advanced Options 3 In the Firebox SSL Secure Access Options dialog box under Proxy Settings select Use Proxy Host ...

Page 36: ...re subject to administrative security policies that apply to a single application a sub set of applications or an entire intranet You use the Firebox SSL VPN Gateway Administration Tool to specify the resources ranges of IP address subnet pairs that remote users can access through the VPN connection If the device is configured todo this all IP packets regardless of protocol are intercepted and tra...

Page 37: ...N Gateway then transmits the packets to the network Note If you run a packet sniffer such as Ethereal on the computer where the Secure Access Client is running you will see unencrypted traffic that appears to be between the client and the Firebox SSL VPN Gateway That unencrypted traffic however is not over the tunnel between the client and the Firebox SSL VPN Gateway but rather the tunnel to the l...

Page 38: ...el net 3270 emulator Gaim instant messenging and VNC clients The icons are displayed in the bottom left corner of the window The applications are specified for each group For more information about configuring applications for kiosk mode see Configuring kiosk mode on page 103 The Web browser window also provides access to shared network drives The Firebox SSL VPN Gateway administrator configures t...

Page 39: ...SSL VPN Gateway to connect to the network see Configuring Network Information on page 47 To establish the physical connection connect the Firebox SSL VPN Gateway eth0 interface to the inter nal network Use the Firebox SSL VPN Gateway Administration Tool to configure network settings Spec ify the IP address of the server load balancer as the default gateway on the Firebox SSL VPN Gateway VPN Gatewa...

Page 40: ...Using the Firebox SSL VPN Gateway 30 Firebox SSL VPN Gateway ...

Page 41: ...w policy it is closed Topics covered in this chapter include Firebox SSL VPN Gateway Administration Desktop Using the Administration Tool Using the Administration Portal Using the Serial Console Product Activation and Licensing Managing Licenses Blocking External Access to the Administration Portal Using Portal Pages Linking to Clients from Your Web Site Saving and Restoring the Configuration Rest...

Page 42: ...here ipAddress is the IP address of your Firebox SSL VPN Gateway 9001 is the administration port of your Firebox SSL VPN Gateway 3 If a Security Alert dialog box appears click Yes 4 Type the user name and password The defaults are root and rootadmin 5 The Firebox SSL VPN Gateway Administration Portal appears 6 Click Launch Firebox SSL VPN Gateway Administrative Desktop 7 In the WatchGuard Firebox ...

Page 43: ...g for the Firebox SSL VPN Gateway This is the same log that is in the Administra tion Tool on the VPN Gateway Cluster Logging tab Maintenance Tab This tab provides you a place to do administrative tasks These are Uploading a signed certificate Uploading a private key and certificate Uploading a saved configuration or appliance upgrade Saving the appliance configuration Restarting and shutting down...

Page 44: ...l allows you to configure global settings once and then publish them to multiple Firebox SSL VPN Gateways on your network The left pane of the Administration Tool window displays Help information for the current tab The online Help corresponds to the task you are completing The Administration Tool is downloaded and installed from the Administration Portal You can also download documentation portal...

Page 45: ...ynchronization messages appear in the Sync Status field for each appliance In Sync The Firebox SSL VPN Gateway configuration is successfully published Not in Sync A change was made in the settings but is not published Sync Failed Unable to synchronize the Firebox SSL VPN Gateway Check the appliance and try the synchronization again Unknown Status The status of the Firebox SSL VPN Gateway cannot be...

Page 46: ... until a user ends a session or the administrator uses the Firebox SSL VPN Gateway Real Time Monitor to close a connection thereby releasing a license For information about using the Real Time Monitor to close connections see Man aging Client Connections on page 133 Licenses for the Firebox SSL VPN Gateway are installed using the Administration Tool License files are generated based on the host na...

Page 47: ...about Your Licenses The Licensing tab displays information about the licenses that are installed on the Firebox SSL VPN Gateway This information includes Total number of licenses available Number of licenses currently in use In addition you can download license logs that provide you with detailed information about license use When the logs are downloaded they are in a compressed file called licens...

Page 48: ...tal from outside the firewall To block access to the Administration Portal from the external adapter clear the check box for this option To block external access to the Administration Portal 1 Click the VPN Gateway Cluster tab 2 On the Administration tab clear the check box for Enable External Administration 3 Click Apply Change Using Portal Pages The Firebox SSL VPN Gateway provides logon access ...

Page 49: ...rted The portal page templates are available from the Downloads page of the Administration Portal in the section Sample Portal Page Templates Downloading and Working with Portal Page Templates The portal page templates include variables that the Firebox SSL VPN Gateway replaces with the current user name and with links that are appropriate for the connecting computer Windows 2000 or higher or Linu...

Page 50: ...f 5 Replace citrix logo gif with the filename of your image For example if your image file is named logo gif change the line to img src logo gif An image file must have a file type of GIF or JPG Do not change other characters on that line 6 Save the file Using the ActiveX Control If you would like to use the ActiveX control to start the client portal page insert the following code into the portal ...

Page 51: ...ifier in the list and click Remove Selected File Enabling Portal Page Authentication By default a user must log on to the portal page and then again to the Firebox SSL Secure Access Client or kiosk mode You can eliminate the portal page logon step using either of the following methods You can set a global policy that disables authentication for the portal page and that specifies the portal page th...

Page 52: ...y Manager tab right click a group in the left pane and then click Properties 2 On the Gateway Portal tab select Redirect to URL 3 In Portal homepage type the path of the server that is hosting the Web Interface 4 In Proxy Server type the IP address or FQDN of the server that is hosting the Web Interface 5 To secure the connection click Use SSL TLS 6 To provide Secure Access Client log on select Sh...

Page 53: ... double source authentication see Configuring Double Source Authentication on page 85 Connecting Using a Web Address Users can connect to the Firebox SSL VPN Gateway using a Web browser by typing the Web address such as https vpn mycompany com When the IP address or FQDN of the Firebox SSL VPN Gateway is entered and double source authentication is configured users are routed automatically to the l...

Page 54: ... click Save Configuration 4 Save the file named config restore to your computer The entire Firebox SSL VPN Gateway configuration including system files uploaded licenses and uploaded server certificates is saved To restore a saved configuration 1 In the Administration Tool click the VPN Gateway Cluster tab 2 On the Administration tab by Upload a Server Upgrade or saved Config click Browse 3 Locate...

Page 55: ...Restart or from the Administration Portal go to the Maintenance tab and next to Restart the Server click Restart Shutting Down the Firebox SSL VPN Gateway Never shut down the Firebox SSL VPN Gateway by powering it off Use the command in the Administra tion Tool to shut down the device Use the power switch only to power on the device To shut down the Firebox SSL VPN Gateway 1 From the Administratio...

Page 56: ...Network Time Protocol server To synchronize the Firebox SSL VPN Gateway with a Network Time Protocol server 1 In the Firebox SSL VPN Gateway Administration Tool click the VPN Gateway Cluster tab 2 Click the Date tab 3 In Synchronization Mode click Network Time Protocol NTP 4 In NTP Server type the FQDN of the server 5 In Synchronization Interval select a schedule to perform updates Allowing ICMP t...

Page 57: ...The configuration instructions throughout those topics assume the following setup The Firebox SSL VPN Gateway is installed The devices to which you are connecting the Firebox SSL VPN Gateway such as a firewall or server load balancer are already part of a working configuration This guide does not cover the steps for configuring application or Web servers firewalls or a server farm with a server lo...

Page 58: ...nal resources using Network Address Trans lation NAT The Firebox SSL VPN Gateway network adapter settings are as follows IP address and Subnet mask for Interface 0 and if used Interface 1 When connecting the Firebox SSL VPN Gateway to your network you typically place it either inside of a firewall inside of a server load balancer or connected to two physical networks along side your firewall strad...

Page 59: ...duplex Use the default setting auto unless you need to change it MTU The maximum transmission unit that defines the maximum size of each transmitted packet The default is 1500 Use the default setting unless you need to change it VPN port This is the incoming port on the Firebox SSL VPN Gateway that is used for VPN connections The default is port 443 The Default Gateway has the following two settin...

Page 60: ...the Access Policy Manager tab in the left pane right click a group and click Properties 2 On the Networking tab select Enable split DNS The Firebox SSL VPN Gateway fails over to the local DNS only if the specified DNS servers cannot be contacted but not if there is a negative response To edit the HOSTS file You can add entries to the Firebox SSL VPN Gateway HOSTS file from the Name Service Provide...

Page 61: ...cket and its routing table does not contain a route for the destination address of the packet the Firebox SSL VPN Gateway sends the packet to the Default Gate way The routing capabilities of the Default Gateway then determine how the packet is routed The Firebox SSL VPN Gateway routing table must contain the routes necessary to route data to any internal network resource that a user may need to ac...

Page 62: ...Firebox SSL VPN Gateway network adapter s to be used for dynamic routing Typically your routing server s are inside your firewall so you would choose the internal network adapter for this setting 5 Click Submit Dynamic routes are not displayed in the Firebox SSL VPN Gateway routing table Enabling RIP Authentication for Dynamic Routing To enhance security for dynamic routing you can configure the F...

Page 63: ...en you switch from dynamic routing to static routing allows you to maintain connectivity until you properly configure the static routes To save dynamic routes to the static route table 1 On the Firebox SSL VPN Gateway Cluster tab open the window for the appliance 2 Click the Routes tab 3 Click Save to static routes After you save the dynamic route you can switch to static routing Configuring a Sta...

Page 64: ... then click the Routes tab 2 In the Static Route table select each route that you want to delete 3 Click Remove Route Static Route Example Suppose the IP address of the eth0 port on your Firebox SSL VPN Gateway is 10 0 16 20 and there is a request to access information at 129 6 0 20 to which you currently do not have a path You can create a static route through the network adapter that is not set ...

Page 65: ... make the connection The client performs a DNS lookup for the first failover appliance and tries to connect If the first failover Firebox SSL VPN Gate way is not available the client tries the next failover appliance When the client successfully connects to a failover Firebox SSL VPN Gateway the client is prompted to log on To specify Firebox SSL VPN Gateway failover 1 Click the VPN Gateway Cluste...

Page 66: ...cess for groups After you configure your user groups you then configure network access for the groups This includes the network resources users in the group are allowed to access application policies kiosk connections and end point policies For more information about configuring accessible networks user groups and network access for users see Adding and Configuring Local Users and User Groups on p...

Page 67: ...r example you want to allow access to everything on the 10 0 x x network but need to deny access to the 10 0 20 x network Configure network access to 10 0 20 x first and then configure access to the 10 0 x x network To give the Firebox SSL VPN Gateway access to a network 1 Click the Global Cluster Policies tab 2 Under Access Options in Accessible Networks type a list of networks Use a space or car...

Page 68: ...s User groups define the resources the user has access to when connecting to the corporate network through the Firebox SSL VPN Gateway Groups are associated with the local users list After adding local users to a group you can then define the resources they have access to on the Access Policy Manager tab For more information about configuring local users see Configuring Properties for a User Group...

Page 69: ...el IP Softphone Cisco IP Softphone Cisco IP Communicator Secure tunneling is supported between the manufacturer s IP PBX and the softphone software running on the client computer To enable the VoIP traffic to traverse the secure tunnel you must install the Secure Access Client and one of the softphones listed above on the same system When the VoIP traffic is tunneled over the secure tunnel the fol...

Page 70: ...e Select encryption type for client connections setting on the Global Cluster Policies tab The encryption ciphers are negotiated between the client computer and the Firebox SSL VPN Gateway in the order listed The first accepted method is the one chosen for the session To improve latency for UDP traffic 1 Click the Global Cluster Policies tab 2 Under SSL Options select Improve latency for Voice ove...

Page 71: ...figuring RADIUS Authentication and Authorization Configuring RSA SecurID Authentication Configuring Secure Computing SafeWord Authentication Configuring NTLM Authentication and Authorization Configuring Double Source Authentication Configuring Authentication and Authorization By default the Firebox SSL VPN Gateway authenticates users against a user list stored locally on the Fire box SSL VPN Gatew...

Page 72: ...US server a Windows NT 4 0 server for NTLM authorization or the local group file if not available on the LDAP or RADIUS server If group information is available for the user the Firebox SSL VPN Gateway then checks the network resources allowed for the group LDAP authorization works with all supported authentication methods You can configure the Firebox SSL VPN Gateway to obtain an authenticated us...

Page 73: ... the Default realm for that type of authentication so that users do not have to enter a realm name when logging on Using a Local User List for Authentication For a new installation the Default realm is set to local authentication This enables users to log on to the Firebox SSL VPN Gateway without having to enter a realm name If some users authenticate only against the local user list on the Firebo...

Page 74: ...er on the Firebox SSL VPN Gateway 1 Click the Access Policy Manager tab 2 In the left pane right click Local Users and then click New User 3 In User Name type a user name User names can contain spaces Note Note User names are not case sensitive Do not use a forward slash in the user name or password Passwords cannot begin or end with a space 4 In Password and Verify Password type the password for ...

Page 75: ... up LDAP server settings see Determining Attributes in your LDAP Directory on page 78 Changing the Authentication Type of the Default Realm When a user logs on to the Default realm the user does not have to specify a realm name For any other realm the user must specify a realm name when logging on Thus if most users are logging on to a non local authentication realm change the authentication type ...

Page 76: ... realm For example you want the Default realm to be used for authentication to an LDAP server If you want to use additional authentication methods for users such as RADIUS SafeWord RSA SecurID NTLM or locally on the appliance you can create realms for each of these When the user logs on to realms that are not the Default realm they need to type the realm name and their user name such as realm name...

Page 77: ...Secure Computing products SafeWord PremierAccess SafeWord for Citrix SafeWord RemoteAccess Configuring the Firebox SSL VPN Gateway to authenticate using Secure Computing s SafeWord products can be done in several ways Configure authentication to use a PremierAccess RADIUS server that is installed as part of SafeWord PremierAccess and allow it to handle authentication Configure authentication to us...

Page 78: ...he SafeWord RADIUS server The default is 1812 This port must match the number you configured on the RADIUS server In Server Secret enter a RADIUS shared secret 6 The shared secret must match what is configured on the RADIUS server 7 If there is a second SafeWord server configure the settings in Secondary SafeWord Server Settings To disable Firebox SSL VPN Gateway authentication On the Global Clust...

Page 79: ...S RADIUS server port The default port numbers are 1812 and 1645 6 In Server Secret type a RADIUS share secret Note Make sure you use a strong shared secret A strong shared secret is one that is at least eight characters and includes a combination of letters numbers and symbols 7 If there is a secondary IAS RADIUS server configure the settings for the server in Secondary Radius Server The RADIUS po...

Page 80: ...Policies and then click New Remote Access Policy 8 Select Set up a custom policy 9 In Policy name give the policy a name and click Next 10 Under Policy Conditions click Add select Windows Groups and click Add 11 In Select Groups click Add and then type the name of the group 12 A summary of conditions to match the policy is shown To add more conditions click Add otherwise click Next 13 In the Edit ...

Page 81: ...this default number 21 Click Yes It conforms and then click Configure Attribute 22 Under Vendor assigned attribute number type 0 This is the assigned number for the User Group attribute The attribute is in string format The default is 0 23 In Attribute format select String 24 In Attribute value type the attribute name and the groups For the Firebox SSL VPN Gateway the attribute value is CTXSUserGr...

Page 82: ...zation tab and in Authorization Type select RADIUS Authorization You can use the following authorization types with RADIUS authentication RADIUS authorization Local authorization LDAP authorization No authorization 2 Complete the settings using the attributes defined in IAS For more information about the values for these fields see To configure Microsoft Internet Authentication Service for Windows...

Page 83: ... is sent to the server over the connection If the LDAP server supports Start TLS the connection is converted to a secure LDAP connection using TLS The standard port numbers for unsecure LDAP connections is 389 The port number for secure LDAP connections with SSL TLS is 636 LDAP connections that use the StartTLS command use port number 389 The Microsoft port numbers for unsecure and secure LDAP con...

Page 84: ...OK The Realm dialog box opens 5 Click the Authentication tab 6 In Server IP Address type the IP address of the LDAP server 7 In Server Port type the port number The LDAP Server port defaults to 389 If you are using an indexed database such as Microsoft Active Directory with a Global Catalog changing the LDAP Server port to 3268 significantly increases the speed of the LDAP queries If your director...

Page 85: ...ed from the Bind DN by removing the user name and specifying the group where users are located Examples of syntax for Base DN ou users dc ace dc com cn Users dc ace dc com 12 In Server login name attribute type the attribute under which the Firebox SSL VPN Gateway should look for user logon names for the LDAP server that you are configuring The default is sAMAccountName If you are using other dire...

Page 86: ...me LDAP servers enable only group objects such as the Lotus Domino LDAP server to contain infor mation about users The LDAP server does not enable the user object to contain information about groups For this type of LDAP server group membership searches are performed by locating the user on the member list of groups LDAP authorization group attribute fields The following table contains examples of...

Page 87: ...er using the administrator credentials and then searches for the user After locating the user the Firebox SSL VPN Gateway unbinds the administrator credentials and rebinds with the user credentials 8 In Administrator Password type the password 9 In Base DN where users are located type the Base DN under which users are located Base DN is usually derived from the Bind DN by removing the user name an...

Page 88: ... the name of the attribute The default is memberOf This attribute enables the Firebox SSL VPN Gateway to obtain the groups associated with a user during authorization 9 Click Submit Using certificates for secure LDAP connections You can use a secure client certificate with LDAP authentication and authorization To use a client certif icate you must have an enterprise Certificate Authority such as C...

Page 89: ...LDAP server To look up LDAP attributes 1 In the left pane of the LDAP Browser select the profile name that you created 2 To look up the Base DN in the right pane locate the namingContexts attribute The value of that attribute is the Base DN for your site The Base DN is typically dc myDomain dc com if your directory tree is based on Internet domain names or ou domain o myOrg c country 3 Navigate th...

Page 90: ...he required settings for the Firebox SSL VPN Gateway Your site might have additional requirements Refer to the RSA ACE Server documentation for more information If the Firebox SSL VPN Gateway needs to be imaged again see Resetting the node secret on page 82 To generate a sdconf rec file for the Firebox SSL VPN Gateway 1 On the computer where your RSA ACE Server Administration interface is installe...

Page 91: ...t you generated in the previous procedure on the Authentication tab click Upload sdconf rec file and use the dialog box to locate and upload the file The sdconf rec file is typically written to ace data config_files and to windows system32 Note If an invalid sdconf rec file is uploaded to the Firebox SSL VPN Gateway it might cause the Firebox SSL VPN Gateway to send out messages to non existent IP...

Page 92: ... your RSA ACE Server Administration interface is installed go to Start Programs RSA ACE Server Database Administration Host Mode 2 In the RSA ACE Server Administration interface go to Agent Host Edit Agent Host 3 Select the Firebox SSL VPN Gateway IP address from the list of agent hosts 4 Clear the Node Secret Created check box and save the change 5 The RSA server sends the node secret on the next...

Page 93: ...ication you create an NTLM authentication realm that includes the address and port that the Firebox SSL VPN Gateway uses to connect to the Windows NT 4 0 domain controller You also specify a time out value in which an authentication attempt to the server must complete When a user logs on to the Firebox SSL VPN Gateway the user enters the user name and password main tained in the domain user accoun...

Page 94: ...x SSL VPN Gateway finds a match the user is granted the authorization privileges to the internal networks that are associated with the user group on the Firebox SSL VPN Gateway To configure NTLM authorization 1 Click the Authentication tab and open the authentication realm for which you want to enable NTLM authorization 2 Click the Authorization tab 3 In Authorization type select NTLM authorizatio...

Page 95: ...ther the Web browser or Secure Access Client they will see two password fields If they are logging on using only one authentication method the second password field is left blank For more information about logging on using the Web based portal page see Double source Authen tication Portal Page on page 43 To create and configure a double source authentication realm 1 On the Authentication tab click...

Page 96: ...hird party authentication types For example if users are required to authenticate using LDAP and Gemalto protiva strong authentication system RADIUS you can change the password labels to reflect what the user needs to type in the fields Instead of the labels Password and Secondary Password the labels could be Windows domain pass word and Gemalto protiva passcode The labels can be changed if you ar...

Page 97: ...might want to create local user accounts for temporary users such as consultants or visitors without creating an entry for those users on the authentication server In that case you add the user to the Firebox SSL VPN Gateway local user list as described in this section If you associate more than one group with a user account the properties of the first group that you select for the user is used To...

Page 98: ...rk access within that session is determined by the Deny Access without ACL setting You can also add local groups that are not related to groups on authentication servers For example you might create a local group to set up a contractor or visitor to whom you want to provide temporary access without having to create an entry on the authentication server For information about creating a local user s...

Page 99: ...ser groups can be created and configured When a new group is created the properties page appears that allows you to configure the settings for the group You can also add local groups that are not related to groups on authentication serv ers After the settings are complete resources can be added to the group Note If you create a user group that has more than 127 characters and then delete that user...

Page 100: ...able for the Default group To enable or disable Default group properties 1 Click the Access Policy Manager tab 2 In the left pane right click the user group and then click Properties 3 On the General tab do one of the following To prevent users from inheriting the Default group settings clear Inherit properties from the Default Group To allow users to inherit the Default group settings select Inhe...

Page 101: ... user s Windows logon credentials are passed to the Firebox SSL VPN Gate way for authentication Enabling single sign on for the Secure Access Client facilitates operations on the remote computer such as installation scripts and automatic drive mapping To configure Secure Access Client for single sign on 1 Click the Access Policy Manager tab 2 In the left pane right click a group and then click Pro...

Page 102: ...e User session timeout If you enable this setting the Secure Access Client disconnects after the time out interval elapses regardless of what the user is doing There is no action the user can take to prevent the disconnection from occurring when the time out interval elapses Network inactivity timeout If you enable this setting the Secure Access Client disconnects if no network packets are sent fr...

Page 103: ...ntly logged on If you want to prevent a specific group of users from viewing the list of online users you can disable the desktop sharing feature for an Firebox SSL VPN Gateway user group Disabling desktop sharing for a user group causes the following to occur When a member of the user group right clicks the Secure Access Client icon in the Windows notification area the Share Desktop option is not...

Page 104: ...x SSL VPN Gateway can assign a unique IP address alias to each client s session You can specify the gateway device to be used for IP pooling The gateway device can be the Firebox SSL VPN Gateway itself or some other device If you do not specify a gateway an Firebox SSL VPN Gateway interface is used based on the General Networking settings as follows If you configured only Interface 0 the Firebox S...

Page 105: ... in addition to passing all other authentication rules that are con figured for that group For example the following criteria requires that the subject field of the client cer tificate provided by a user has the Organization Unit OU set to Accounting and the Common Name CN attribute set to a value matching the user s local user name on the Firebox SSL VPN Gateway client_cert_end_user_subject_organ...

Page 106: ...ab 2 If an end point policy was created and configured under End Point Policies click the configured policy and drag it to Pre Authentication Policies in the left pane Note To create and configure end point resources and policies see End point resources and policies on page 104 Configuring Resources for a User Group Note For background information about network access see Controlling Network Acces...

Page 107: ... of time a user can stay logged on whether there is activity or not The specified time is absolute If the user has a 60 minute session time out the session ends at 60 minutes Users are given a one minute warning that their session is about to end Network activity time out where the user is logged off after a specified amount of time during which network activity from the client device over the VPN...

Page 108: ...eny applications without policies check box selected the user inherits that setting IP pooling Users assume the IP address from the highest priority group that has IP pools enabled Inherit Default group settings If any of the groups that a user is a part of has the Inherit properties from the Default Group check box selected the user inherits that setting Allowing and denying network resources and...

Page 109: ...ces Network resources define the locations that authorized users can access Resource groups are associ ated with user groups to form resource access control policies Network topology for resource groups and authentication Suppose that you want to provide a user group with secure access to the following The 10 10 x x subnet The 10 20 10 x subnet The IP addresses of 10 50 0 60 and 10 60 0 10 To prov...

Page 110: ... and click OK 4 In Network Subnet type the IP address subnet pair for the resource in the Subnets field You can use CIDR notation for the mask Use a space to separate entries 5 In Port or port range enter the port or ports that the Firebox SSL VPN Gateway can use to establish connections with the network resource s You have these options when entering ports Enter a 0 zero to use all ports Enter a ...

Page 111: ...he network resource is defined when Out look tries to start it checks for the network resource and end point policy if defined If it passes the user can log on and check email If it fails Outlook does not start If the application is open before connecting to the Firebox SSL VPN Gateway the application remains open however the policies take effect and the user cannot use the application If an appli...

Page 112: ... is selected This check box denies all applications access to the corporate network To allow one application network access configure the application policy to accept the application following the steps in the previous procedure Users obtain access to the application only to the internal site that is specifically allowed No other appli cations from the client computers are allowed access to the in...

Page 113: ... NFS 7 In Permissions specify whether you want remote users to have read write or read only permissions for the share Note Users can use the FTP protocol to send and receive files to the remote computer 8 Click OK To add a share to a group the share must be added to the kiosk resource first Then the kiosk resource is dragged and dropped to the group in the left pane To remove a share On the Access...

Page 114: ...hat a computer must have one some or all of the following A registry entry that matches the path entry type and value that you specify A file that matches the path filename and date that you specify You can also specify a checksum for the file A running process that you specify You can also specify a checksum for the file End point policies are applied to each group by specifying a Boolean express...

Page 115: ...y time To configure an end point policy for a group you specify a Boolean expression containing the end point resources that you want to apply to the group Suppose that you create the following end point policies CorpAssetRegistryEntry AntiVirusProcess1 AntiVirusProcess2 Your end point policy expression might specify that a registry check must verify that the resource attempting to connect is a co...

Page 116: ... sales group appears before the support group in the User Groups list the sales group policies apply to the users who belong to both of those groups If the support group appears before the sales group in the list the support group policies take precedence The policies that are affected by the Group Priority setting are as follows Portal page configuration which determines the portal page the user ...

Page 117: ... created To set the priority of groups 1 Click the Group Priority tab 2 Select a group that you want to move and use the arrow keys to raise or lower the group in the list The group at the top of the list has the highest priority To view the group priorities for a user In the Firebox SSL VPN Gateway Administration Desktop click the Real time Monitor icon The display lists all groups to which the u...

Page 118: ...Setting the Priority of Groups 108 Firebox SSL VPN Gateway ...

Page 119: ...rtificate Authority Install a digital X 509 certificate that belongs to your company and is signed by a Certificate Authority on the Firebox SSL VPN Gateway Your company can operate as its own Certificate Authority or you can obtain a digital certificate from a commercial Certificate Authority such as Verisign and Thawte Note Operating the Firebox SSL VPN Gateway without a digital certificate sign...

Page 120: ...rresponding certificate on users computers Users can also disable the Security Alert through the Secure Access Connection Properties dialog box Overview of the Certificate Signing Request Before you can upload a certificate to the Firebox SSL VPN Gateway you need to generate a Certificate Signing Request CSR and private key The CSR is created using the Certificate Request Generator included in the...

Page 121: ...ation Tool To create a Certificate Signing Request 1 Click the VPN Gateway Cluster tab and open the window for the appliance 2 On the Certificate Signing Request tab type the required information in the fields and then click Generate Request Note Note In the field VPN Gateway FQDN type the same FQDN that is on the General Networking tab In Password type the password for the private key 3 A csr fil...

Page 122: ...way is not behind a load balancer the certificate must contain the FQDN of the Firebox SSL VPN Gateway If the Firebox SSL VPN Gateway is behind a load balancer each appliance must contain the same certificate and private key For more information see Connecting to a Server Load Balancer on page 28 To install a certificate and private key from a Windows computer 1 Click the Firebox SSL VPN Gateway C...

Page 123: ...o the new file save the text file in PEM format and then upload the file to the Firebox SSL VPN Gateway Creating Root Certificates Using a Command Prompt You can also create PEM formatted root certificates using a DOS command prompt For example if you have three PEM root certificates you can use the following command to create one file that contains all three certificates type root1 pem root2 pem ...

Page 124: ...his case the certificate is embedded within the smart card and read from a smart card reader attached to the network Note Note The Firebox SSL VPN Gateway is configured in the same way regardless of whether the certificates are stored in the Windows operating system or on a smart card No special If clients are connecting using kiosk mode or from a Linux computer client side certificates are not su...

Page 125: ...wizard The certificate is installed in the Trusted Root Certification Authorities store for the local computer For information about root certificate availability and installation on platforms other than 32 bit Win dows refer to product documentation appropriate for the operating system you are using Selecting an Encryption Type for Client Connections All communications between the Secure Access C...

Page 126: ...e proper root certificates that are used to sign the server certificates To install root certificates On the Cluster Config tab select Administration Manage Trusted root CA certificates To require server certificates for internal client connections On the Global Cluster Policies tab under SSL Options select Validate SSL Certificates for Internal Connections Wildcard Certificates The Firebox SSL VP...

Page 127: ...Client Applications Supporting Secure Access Client Managing Client Connections System Requirements The Secure Access Client is supported on the following operating systems and Web browsers Operating Systems The Secure Access Client is supported on the following Windows operating systems Windows XP Home Edition Windows XP Professional Windows 2000 Server Windows Server 2003 Windows Vista 32 bit We...

Page 128: ...ecause no data is written to the user s computer However if you configure network shares a user can copy files from a shared network drive to the remote computer Note You can configure the Firebox SSL VPN Gateway Administration Tool so that users do not have the option to connect from a public computer For more information see End point resources and policies on page 104 To connect using the defau...

Page 129: ...ent requires a running VPN daemon to connect to the Firebox SSL VPN Gateway To check the status of the VPN daemon type the following at a command prompt sbin service net6vpnd status To restart a stopped daemon type the following sbin service net6vpnd start Then click Disconnect and reenter your logon credentials To remove the Linux VPN client At the command prompt type the following sbin service n...

Page 130: ... the connection provides full access to the network resources that the user s group s have permission to access The access granted by the security policies enable users to work with the remote system just as if they are logged on locally For example users might be granted permission to applications including Web client server and peer to peer such as Instant Messaging video conferencing and real t...

Page 131: ...rgani zations firewalls without creating any problems For example the connection can be made through an intermediate proxy such as an HTTP proxy by issuing a CONNECT HTTPS command to the intermediate proxy Any credentials requested by the inter mediate proxy are in turn obtained from the remote user by using single sign on information or by requesting the information from the remote user and prese...

Page 132: ... vpn_portal javaonly html The authentication realm name required for logon if you use realms other than the realm named Default Path to any network drives that the users can access which is done by mapping a network drive on their computer Any system requirements for running the Secure Access Client if you configured end point resources and policies Depending on the configuration of a remote user ...

Page 133: ...code For more informa tion about logging on using double source authentication see Double source Authentication Portal Page on page 43 Note If you are using the Linux Client the connection window will not include the options described in the following procedure The Secure Access Client is installed the first time the user logs on to the portal Web page To log on to the Firebox SSL VPN Gateway 1 In...

Page 134: ...n is established a status window briefly appears and the Secure Access Client win dow is minimized to the notification area The icon indicates whether the connection is enabled or dis abled and flashes during activity A shortcut to the Secure Access Client is placed on the desktop To use the Secure Access Client status properties 1 To open the window double click the connection icon in the notific...

Page 135: ...ection is enabled the Secure Access Client automatically changes client proxy settings to match settings stored in the operating system The Secure Access Client attempts to connect to the Firebox SSL VPN Gateway download pre authentication policies and then prompt the users for their logon credentials If the Secure Access Client cannot automatically detect the client proxy settings it resorts to a...

Page 136: ...h as Macintosh Windows 95 or Windows 98 computers kiosk mode is available through a Java applet For Macintosh computers to support kiosk mode the Safari browser and JRE 1 5 must be installed When the user is logged on using kiosk mode the Firebox SSL VPN Gateway sends images only no data over the connection As a result there is no risk of leaving temporary files or cookies on the public computer B...

Page 137: ...ies tab under Access options select Enable kiosk mode If this check box is clear users cannot use kiosk mode and the option is not available from the Web portal page When kiosk mode is enabled users can connect using the Web portal page To log on to the Firebox SSL VPN Gateway using kiosk mode 1 Use the logon page to connect as described in Connecting Using a Web Address Click A public computer Th...

Page 138: ...ght pane right click File Share Resources click New File Share Resource type a name and click OK 3 In Share source type the path to the share source using the form server share 4 In Mount type select the file sharing network protocol either CIFS SMB or NFS Note Note CIFS SMB is the Common Internet File System Server Message Block network protocol used for file sharing in Microsoft Windows NFS is t...

Page 139: ...File Download dialog box navigate to the location where you want to copy the file and then click Open When the FTP transfer is complete a message window appears You cannot use FTP to transfer folders or copy files back to the shared network drive Client Applications When users are logged on using kiosk mode you can allow them to use different applications The applications include Firefox web brows...

Page 140: ...d To configure Remote Desktop 1 On the Access Policy Manager tab right click Kiosk Resources 2 Type a name for the resource and click OK 3 Select Remote Desktop and type the FQDN of the server in the text box Click OK Remote Desktop provides the user with full access to a remote computer s resources including files applications and network resources Thus the user can remotely control the computer ...

Page 141: ...t corner VNC Client The VNC client enables a user to remotely access the desktop of a VNC server The user s work remains on the remote server no files only images are sent to the user s computer To use the VNC client 1 From the portal page choose A public computer and log on 2 In the Web browser click the VNC icon 3 In VNC Host type the IP address of the VNC host and in Password type the password ...

Page 142: ...network drive on their computer Any system requirements for running the Firebox SSL VPN Gateway Clients if you configured end point resources and policies Depending on the configuration of a remote user s system you might also need to provide additional information To start the Secure Access Client Windows 2000 users must be an administrator to install programs on their computer This restriction a...

Page 143: ...st ACL for the user s group and then close the TCP connection For more information about ACL management see Adding Local Users on page 87 If you do not correct the ACL before closing the connection the user can reestablish the TCP connection Note The Firebox SSL VPN Gateway maintains connections to Target IP 0 0 0 0 that are required for VPN operations Closing any of those connections temporarily ...

Page 144: ...ablish a connection from that MAC address until you reenable the user or restart the Firebox SSL VPN Gateway To enable a user at a particular MAC address 1 In the Administration Desktop window click the Real time Monitor icon 2 Right click the user s entry and choose Enable User from MAC The user can establish a connection provided that there is an available license Configuring Authentication Requ...

Page 145: ...ection is briefly interrupted Authenticate upon system resume This option forces a user to log on again if the user s computer awakens from standby or hibernation This option provides additional security for unattended computers 4 Click OK Note Note If you want to close a connection and prevent a user or group from reconnecting automatically you must select the Authenticate after network interrupt...

Page 146: ...Managing Client Connections 136 Firebox SSL VPN Gateway ...

Page 147: ...syslog server System message logs contain information that can help Firebox SSL VPN Gateway support personnel assist with troubleshooting By reviewing the information provided you can track unusual changes that can affect the stability and performance of the Firebox SSL VPN Gateway System message logs are archived on the Firebox SSL VPN Gateway for 30 days The oldest log is then replaced with the ...

Page 148: ...le downloads it can be unzipped to access the individual log files Forwarding System Messages to a Syslog Server The Firebox SSL VPN Gateway archives system messages as described in Viewing and Downloading System Message Logs on page 137 You can also have the Firebox SSL VPN Gateway forward system messages to a syslog server To forward Firebox SSL VPN Gateway system messages to a syslog server 1 C...

Page 149: ...the SNMP location This field is informational only 4 In SNMP Contact type the contact This field is informational only 5 In Community type the community This field is informational only 6 In Port type the port 7 Click Submit Multi Router Traffic Grapher Example The Multi Router Traffic Grapher is a tool used to monitor SNMP data such as traffic load Multi Router Traffic Grapher generates HTML page...

Page 150: ...n Step 2 is vpn myorg com tcpcurrestab html Viewing System Statistics To obtain general system statistics select the VPN Gateway Cluster tab and then click the Statistics tab The statistical information provides an overview of the Firebox SSL VPN Gateway and includes Length of time the Firebox SSL VPN Gateway has been running Memory usage Maximum and used connections Maximum connections represent ...

Page 151: ...nformation refer to the Help that is available from the Ethereal Network Analyzer window xNetTools Multi threaded network tool that includes a service scanner port scanner ping utility ping scan name scan whois query and finger query This is located on the Tools menu Traceroute Combines the functionality of the traceroute and ping commands in one network diagnostic tool As Traceroute starts it inv...

Page 152: ...d v 5 0 Release Notes go to https www watchguard com archive softwarecenter asp You must log in with your LiveSecurity user name and passphrase and select the Firebox SSL VPN Gateway support view From your current Firebox SSL VPN Gateway running v 4 9 you can upgrade to SSL v 5 0 in one of two ways From the v 4 9 Administration Tool Interface go to the Administration tab and Maintenance sub tab Cl...

Page 153: ...ebox SSL VPN Gateway You may need to log in to your LiveSecurity account at https www watchguard com archive getcredentials asp to get a copy of your feature key Troubleshooting The following information explains how to deal with problems you might encounter when setting up and using the Firebox SSL VPN Gateway Troubleshooting the Web Interface This section describes issues you might have with con...

Page 154: ...name to the domain name and user name Other Issues This section describes known issues and solutions for the Firebox SSL VPN Gateway License File Does not Match Firebox SSL VPN Gateway If you are trying to install a license file on the Firebox SSL VPN Gateway you might receive the error mes sage License file does not match any Firebox SSL VPN Gateway s A license file is already installed on the Fi...

Page 155: ...sends out the same ping command regardless of the options specified with the ping command from a client computer LDAP Authentication When the Firebox SSL VPN Gateway is configured to use LDAP authentication and authorization the LDAP group information is not used to automatically populate the group field in the Administration Tool End Point Policies When the Firebox SSL VPN Gateway is evaluating t...

Page 156: ...t However as described above certificates issued by a private CA are supported by the server components because the private CA is the root of trust Certificate Revocation Lists Certificate Revocation Lists CRLs cannot be configured by the administrator When a user connects to the Firebox SSL VPN Gateway using a client certificate the Firebox SSL VPN Gateway uses the cRLDistri butionPoints extensio...

Page 157: ...e uploaded certificate file see Generating Trusted Certificates for Multiple Levels on page 156 H 323 Protocol The Firebox SSL VPN Gateway does not support the H 323 protocol Applications that use the H 323 pro tocol such as Microsoft s NetMeeting cannot be used with the Firebox SSL VPN Gateway Certificates Using 512 bit keypairs When configuring certificates do not use 512 bit keypairs They are s...

Page 158: ...M authentication to proxy servers Only Basic authentica tion is supported for proxy servers WINS Entries When the Secure Access Client is disconnected WINS entries are not removed from the computer that is running the client Using Third Party Client Software If a user s computer is running Secure Access Client and also has a third party VPN software application installed on the computer and connec...

Page 159: ...e and Pro Versions Tiny Personal Firewall ZoneAlarm Pro Note The following sections are a supplement to the firewall manufacturer s documentation The recommended source for current information about firewall applications and configuration is the manufacturer s documentation WatchGuard recommends that the user s personal firewall allow full access for the Secure Access Client If you do not want to ...

Page 160: ...box SSL VPN Gateway To configure the settings open the BlackICE window and choose the following commands McAfee Personal Firewall Plus The following McAfee Personal Firewall Plus settings enable the Secure Access Client to reach the Inter net and the resources allowed by the Firebox SSL VPN Gateway To configure the settings open the McAfee Security Center window click the Personal Firewall tab and...

Page 161: ...ccess through the Secure Access Client select the Remember my answer check box and click Yes when the prompt appears Tiny Personal Firewall The following Tiny Personal Firewall settings enable the Secure Access Client to reach the Internet and the resources allowed by the Firebox SSL VPN Gateway Note One method to configure Tiny Personal Firewall is to respond to the prompts displayed when the fir...

Page 162: ...ess Client For each alert select the Create appropriate filter check box and click Permit ZoneAlarm Pro The following ZoneAlarm settings enable the Secure Access Client to reach the Internet and the resources allowed by the Firebox SSL VPN Gateway To configure the settings choose the tabs indicated in the following table Add To permit the IP address or range of allowed resources use the following ...

Page 163: ...must be in PEM format and must include a private key The signed certificate and private key must be unencrypted If Linux OpenSSL is not available install the Cygwin UNIX environment for Windows When you install Cygwin you must choose the OpenSSL modules as described in the following steps To install Cygwin 1 Use a Web browser to navigate to http www cygwin com and click Install Cygwin Now 2 Follow...

Page 164: ...mes you need to use the alias name instead 5 Submit your CSR public csr to an authorized Certificate Authority such as Verisign When asked for the type of server that the certificate will be used with select Apache Note If you select Microsoft the certificate might be in PKCS7 format and you will need to follow the procedure in Converting to a PEM Formatted Certificate on page 155 to convert the c...

Page 165: ...t The certFile should not contain the private key when you run this command openssl verify verbose CApath tmp certFile If that command results in the following error message the file is not in PEM format certFile unable to load certificate file 4840 error 0906D064 PEM routines PEM_read_bio bad base64 decode pem_lib c 781 To convert the certificate from PKCS7 to PEM format 1 Run the command openssl...

Page 166: ... https ipAddress httpPort www mypage com where ipAddress is the IP address of your Firebox SSL VPN Gateway httpPort is the Firebox SSL VPN Gateway port number 2 Double click the Lock symbol in the bottom right corner of the browser 3 Switch to the Certificate Path window pane at the top of the screen 4 Double click the first path level to bring up the certificate information for the first level an...

Page 167: ...Administration Guide 157 Generating Trusted Certificates for Multiple Levels Intermediate Certificate 0 Intermediate Certificate 1 Intermediate Certificate 2 ...

Page 168: ...Generating Trusted Certificates for Multiple Levels 158 Firebox SSL VPN Gateway ...

Page 169: ...access to the internal network this aspect of Firebox SSL VPN Gateway configuration is covered in four different sections of this book This appendix provides example user access scenarios and includes step by step instructions for configuring the Firebox SSL VPN Gateway to support the access scenarios These scenarios are intended as tutorials to help you understand how to use the features of the A...

Page 170: ...ure user access in the following example scenario The organization uses a single LDAP directory as the user repository Remote users working for the Sales department must have access to an email server a Web conference server a Sales Web application and several file servers residing on the internal network Remote users working for the Engineering department must have access to an email server a Web...

Page 171: ...de in the network 10 10 0 0 24 The server containing the Sales Web application resides in the network 10 60 10 0 24 The single email server that remote users must access has the IP address 10 10 25 50 Determining the Sales and Engineering Users Who Need Remote Access Determining the Sales and Engineering users who need remote access is the second of three procedures the administrator performs to p...

Page 172: ...egarding the group membership of the users Identify groups on the LDAP directory that contain all of the members who need remote access to the internal networks If there are no existing groups that contain all of the appropriate members the administrator can create new groups in the LDAP directory and add the appropriate members to these groups In this example we assume that the administrator crea...

Page 173: ...he LDAP authentication and authorization configuration task When this task is complete the administrator has the following information The specific network locations of all network resources that the remote Sales and Engineering users must access The names of the user groups in the LDAP directory that contain the Sales and Engineering users who require remote access Remote Sales and Remote Enginee...

Page 174: ...eling When a user logs on to the Firebox SSL VPN Gateway the Firebox SSL VPN Gateway sends this list of networks to the Secure Access Client on the user s computer The Secure Access Client uses this list of networks as a filter to determine which outbound packets should be sent to the Firebox SSL VPN Gateway and which should be sent elsewhere The Secure Access Client transmits only the packets bou...

Page 175: ...t realm and creating a new Default realm for LDAP the administrator simplifies the logon process for the end user Users who authenticate using the Default realm do not need to enter the realm name as part of their logon credentials For more information about realms authentication and authorization see Configuring Authentication and Authorization on page 61 To complete this procedure the administra...

Page 176: ...r access For more information about group properties and creating local groups see Configuring Properties for a User Group on page 90 Creating and Assigning Network Resources to the User Groups Creating and assigning network resources to the user groups is the fourth of five procedures the administrator performs to configure access to the internal network resources in the configuring LDAP authenti...

Page 177: ...eway Creating and Assigning Network Resources to the Engineering users This section briefly discusses how the administrator creates a network resource and assigns it to the Engineering users This procedure is essentially the same as the procedure completed for the Sales users in the previous step except the administrator does not provide the engineering users with access to the Sales Web applicati...

Page 178: ...server Create an application policy that specifies the email application on the email server and assign the network resource containing the email server to this application policy Assign the application policy to the user groups in the Firebox SSL VPN Gateway In this example the administrator creates a network resource named Email Server that includes only IP address 10 10 25 50 32 the email serve...

Page 179: ...ectory and on the Firebox SSL VPN Gateway Only users who are members of the Remote Sales group and the Remote Engineers group are authorized to access resources on the internal network Each of these groups must exist both in the LDAP directory and on the Firebox SSL VPN Gateway Users in the Remote Sales group are authorized to access the Web conference server and file servers in the 10 10 0 0 24 n...

Page 180: ...gineering users with access to the Web conference server The Web conference server IP address is 10 10 50 60 Note In this example Silvio Branco and Lisa Marth are referred to as guest users because they are not employed by the corporation and are not listed in the corporate directory To provide Silvio Branco and Lisa Marth with access to the Web conference server the administrator per forms these ...

Page 181: ...cenario for creating guest accounts using the Local Users list In this step the administrator creates a network resource that specifies only the Web conference server and then assigns this resource to the Default user group 1 From the right pane of the Access Policy Manager tab in the Administration Tool create a new network resource named Guest Resource Specify only the IP address of the Web conf...

Page 182: ...isa Marth and Silvio Branco to the Remote Engineers group on the Firebox SSL VPN Gateway To assign local users Lisa Marth and Silvio Branco to the Remote Engineers group on the Firebox SSL VPN Gateway the administrator performs this procedure 1 Click the Access Policy Manager tab 2 Expand User Groups and then expand Local Users 3 Under Local Users click the name Lisa Marth and drag her name to Loc...

Page 183: ... software is covered by the GNU Library General Public License instead You can apply it to your programs too When we speak of free software we are referring to freedom not price Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software and charge for this service if you wish that you receive source code or can get it if you want it that y...

Page 184: ...ork under copyright law that is to say a work containing the Program or a por tion of it either verbatim or with modifications and or translated into another language Hereinafter translation is included without limitation in the term modification Each licensee is addressed as you Activities other than copying distribution and modification are not covered by this License they are outside its scope ...

Page 185: ...en you distribute the same sections as part of a whole which is a work based on the Program the distribution of the whole must be on the terms of this License whose permissions for other licensees extend to the entire whole and thus to each and every part regardless of who wrote it Thus it is not the intent of this section to claim rights or contest your rights to work written entirely by you rath...

Page 186: ...ies who have received copies or rights from you under this License will not have their licenses terminated so long as such parties remain in full compliance 5 You are not required to accept this License since you have not signed it However nothing else grants you permission to modify or distribute the Program or its derivative works These actions are pro hibited by law if you do not accept this Li...

Page 187: ...ions of the General Public License from time to time Such new versions will be similar in spirit to the present version but may dif fer in detail to address new problems or concerns Each version is given a distinguishing version number If the Program specifies a version number of this License which applies to it and any later version you have the option of following the terms and condi tions eithe...

Page 188: ...t of each source file to most effectively convey the exclusion of warranty and each file should have at least the copyright line and a pointer to where the full notice is found one line to give the program s name and a brief idea of what it does Copyright C 19yy name of author This program is free software you can redistribute it and or modify it under the terms of the GNU Gen eral Public License ...

Page 189: ...a programmer or your school if any to sign a copy right disclaimer for the program if necessary Here is a sample alter the names Yoyodyne Inc hereby disclaims all copyright interest in the program Gnomovision which makes passes at compilers written by James Hacker signature of Ty Coon 1 April 1989 Ty Coon President of Vice This General Public License does not permit incorporating your program into...

Page 190: ...180 Firebox SSL VPN Gateway ...

Page 191: ...ible networks 15 56 deny access without access control list 58 DNS split tunneling 57 limitations 145 specifying 57 Administration deployment overview 17 Administration Desktop 17 32 downloading or starting 32 Ethereal Network Analyzer 141 fnetload 141 group priorities 107 monitoring tools 140 My traceroute 141 opening 32 141 Real time Monitor 141 System Monitor 141 xNetTools 141 Administration Po...

Page 192: ...s for portal page 39 closing connection 133 computer hibernate 90 suspend 90 configuration dynamic routes 52 network connections 47 restoring 15 44 saving 15 44 serial console 33 static routes 53 with Administration Tool 34 configuring for a group 105 connection client cannot connect 147 closing 134 handling 133 managing 133 connection failure 147 Connection Properties 94 CPU usage 141 CRLs see Ce...

Page 193: ...icate 15 client certificates 114 deny access without ACL 57 88 100 deny network access 59 enable portal page authentication 15 41 internal failover 55 split tunneling 15 58 Voice over IP 15 global policies 16 group membership 16 group priority 16 106 Group Priority tab 89 107 H H 323 protocol 147 hibernate forcing user authentication 90 host check rules see end point resource I IAS see Internet Au...

Page 194: ...n in the middle attacks 110 maximum transmission unit MTU 49 McAfee Personal Firewall Plus 150 membership groups 16 memory usage 141 monitoring tools 32 using 140 Multi Router Traffic Grapher 139 multiple log on options portal page 42 My traceroute tool 141 N name scanner 141 Name Service Providers 14 50 148 NetMeeting 147 network 147 access 56 accessible networks 57 activity level graph 140 addre...

Page 195: ... 96 network 16 resource group network access 56 resource groups removing from user group 99 resources configuring for a user group 99 file share 103 file shares 16 restarting appliance 15 45 restarting server 147 restoring a configuration 44 restoring configuration 44 routes 48 dynamic 52 static and dynamic 14 RSA ACE Server 25 configuration file 79 generating sdconf rec file 80 resetting node sec...

Page 196: ... support 6 Firebox Installation Services 7 LiveSecurity Gold Program 7 LiveSecurity Service 6 users forum 5 6 VPN Installation Services 7 Telnet 3270 Emulator client 28 131 templates downloading 39 time synchronizing 15 time zone changing 45 Tiny Personal Firewall 151 TLS 26 tools network monitoring 17 Traceroute 17 training and certification 5 7 troubleshooting 143 U UDP connections 59 upgrades a...

Page 197: ... date and time 45 upgrading 15 44 VPN Installation Services 7 W W3C formatted log 138 WatchGuard Certified Training Partners 8 WatchGuard users forum 5 6 WCTP 8 Web address of Administration Portal 32 of Java client 126 Web Interface access without credentials 143 applications not available 143 configuring as portal page 15 invalid credentials 144 single sign on 15 troubleshooting 143 whois query ...

Page 198: ...188 Firebox SSL VPN Gateway ...

Reviews:

No comments

Related manuals for Firebox SSL Series

D-Link DG-102S Quick Start Manual preview
DG-102S
Brand: D-Link Pages: 8
D-Link DG-102S Quick Install Manual preview
DG-102S
Brand: D-Link Pages: 12
HMS Networks Ewon Flexy 205 Application Note preview
Ewon Flexy 205
Brand: HMS Networks Pages: 20
ZyXEL Communications P-870H Series Quick Start Manual preview
P-870H Series
Brand: ZyXEL Communications Pages: 12
Extron electronics ShareLink 200 N User Manual preview
ShareLink 200 N
Brand: Extron electronics Pages: 45
4G Systems XSJack T3i User Manual preview
XSJack T3i
Brand: 4G Systems Pages: 60
Gefen EXT-DVI-FO-141 User Manual preview
EXT-DVI-FO-141
Brand: Gefen Pages: 13
PEHA 940/16 MLS-G Installation And Operating Instructions preview
940/16 MLS-G
Brand: PEHA Pages: 4
M2M IDG500AM-0T001 User Manual preview
IDG500AM-0T001
Brand: M2M Pages: 357
BAB TECHNOLOGIE DUODMX Series Manual preview
DUODMX Series
Brand: BAB TECHNOLOGIE Pages: 75
RTA 460ESBM-N700 Product User Manual preview
460ESBM-N700
Brand: RTA Pages: 71
XLOCK G3 Ethernnet Instruction Manual preview
G3 Ethernnet
Brand: XLOCK Pages: 2
BURG WATCHER TSE 5001 Assembly And User'S Manual preview
TSE 5001
Brand: BURG WATCHER Pages: 21
Qiagen QIAsphere Base Installation Manual preview
QIAsphere Base
Brand: Qiagen Pages: 22
VADcore GoIP4 User Manual preview
GoIP4
Brand: VADcore Pages: 51
SST Automation GT200-MT-DN User Manual preview
GT200-MT-DN
Brand: SST Automation Pages: 44
Aluratek CDW530AM User Manual preview
CDW530AM
Brand: Aluratek Pages: 63
Planet Networking & Communication WPG-130N Quick Installation Manual preview
WPG-130N
Brand: Planet Networking & Communication Pages: 2

Brands by name

Popular brands

Load more brands