
Scenario 1: Configuring LDAP Authentication and Authorization

164

Firebox SSL VPN Gateway

This task includes these five procedures: 

• Configuring accessible networks 
• Creating an LDAP authentication realm 
• Creating the appropriate groups on the Firebox SSL VPN Gateway 
• Creating and assigning network resources to the user groups 
• Creating an application policy for the email server 

Each of these procedures is discussed in detail below. 

Configuring Accessible Networks 

Configuring accessible networks is the first of five procedures the administrator performs to 
configure access to the internal network resources in the LDAP authentication and authorization 
scenario. 
In this procedure, the administrator specifies the internal networks that contain the network 
resources that users must access using the Secure Access Client. 
In the previous task, the administrator determined that the remote Sales and Engineering users 
must have access to the resources on these specific internal networks: 

• The Web conference server, file servers, and email server residing in the network 10.10.0.0/24 
• The server containing the Sales Web application residing in the network 10.60.10.0/24 

The administrator specifies these networks as accessible networks. Specifying the accessible 
networks enables the Secure Access Client to support split tunneling. 
When a user logs on to the Firebox SSL VPN Gateway, the Firebox SSL VPN Gateway sends this list of 
networks to the Secure Access Client on the user's computer. The Secure Access Client uses this list 
of networks as a filter to determine which outbound packets should be sent to the Firebox SSL VPN 
Gateway and which should be sent elsewhere. The Secure Access Client transmits only the packets 
bound for the accessible networks through the secure tunnel to the Firebox SSL VPN Gateway. 


Note

If you do not want to support split tunneling, you do not need to configure accessible networks. 

To configure accessible networks 

1. Open the Administration Tool. 

2. Click the Global Cluster Policies tab. 

3. If necessary, select Enable split tunneling. 

4. In the Accessible networks box, enter all of the internal networks that the Firebox SSL VPN 
Gateway must access. Separate each network entered with a space or a carriage return. In this 
example access scenario, the administrator would make these entries: 

   10.10.0.0/24 
   10.60.10.0/24 

5. Select the Enable logon page authentication check box. This setting requires users to 
authenticate when accessing the portal page of the Firebox SSL VPN Gateway with a Web browser. 

6. To simplify this example, assume the administrator clears all other check boxes that appear on the 
Global Cluster Policies tab. 
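The following Python is an added example, not WatchGuard's code: it models the split-tunnel filter described above by parsing the Accessible networks box (entries separated by spaces or carriage returns) and deciding, per destination address, whether a packet enters the tunnel, using the two networks from step 4 as constructed input. The overly_broad check is an assumed audit aid for reviewing the list, not a gateway feature.

```python
"""Model of the Secure Access Client split-tunnel filter (added example, not WatchGuard code).

The gateway sends its Accessible networks list to the client; the client uses the
list to decide which outbound packets go through the secure tunnel and which are
sent elsewhere. With split tunneling disabled, everything goes through the tunnel.
"""
import ipaddress
import re
from typing import Dict, Iterable, List

# Constructed sample: the two entries the administrator types in step 4,
# separated by a carriage return as the procedure allows.
ACCESSIBLE_NETWORKS_BOX = "10.10.0.0/24\r\n10.60.10.0/24"


def parse_accessible_networks(text: str) -> List[ipaddress.IPv4Network]:
    """Parse the Accessible networks box: entries separated by spaces or carriage returns."""
    networks = []
    for entry in re.split(r"\s+", text.strip()):
        if not entry:
            continue  # empty box or trailing separator
        # strict=False tolerates an entry typed with host bits set (e.g. 10.10.0.1/24)
        networks.append(ipaddress.IPv4Network(entry, strict=False))
    return networks


def route_packet(dest_ip: str, networks: Iterable[ipaddress.IPv4Network],
                 split_tunneling_enabled: bool = True) -> str:
    """Return "tunnel" if the client sends the packet through the gateway, else "direct".

    When split tunneling is disabled the accessible-network list is not consulted
    (the note above says it need not be configured in that case).
    """
    if not split_tunneling_enabled:
        return "tunnel"
    addr = ipaddress.IPv4Address(dest_ip)
    return "tunnel" if any(addr in net for net in networks) else "direct"


def classify(dest_ips: Iterable[str], text: str = ACCESSIBLE_NETWORKS_BOX,
             split_tunneling_enabled: bool = True) -> Dict[str, str]:
    """Classify each destination address against the configured box contents."""
    nets = parse_accessible_networks(text)
    return {ip: route_packet(ip, nets, split_tunneling_enabled) for ip in dest_ips}


def overly_broad(networks: Iterable[ipaddress.IPv4Network], min_prefixlen: int = 16) -> List[str]:
    """Assumed audit aid: flag entries wider than a /16, because every destination inside an
    accessible network is forced into the tunnel, so a broad entry undoes split tunneling."""
    return [str(n) for n in networks if n.prefixlen < min_prefixlen]


if __name__ == "__main__":
    sample = ["10.10.0.25", "10.60.10.7", "10.60.11.7", "8.8.8.8"]
    for ip, decision in classify(sample).items():
        print(f"{ip:>12} -> {decision}")
    print("broad entries:", overly_broad(parse_accessible_networks("10.0.0.0/8 10.10.0.0/24")))
```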

For more information about split tunneling, see “Enabling Split Tunneling” on page 57. 
For more information about the Deny Access without ACL setting, see “Denying Access to Groups 
without an ACL” on page 58. 


Page 147: ...yslog server System message logs contain information that can help Firebox SSL VPN Gateway support personnel assist with troubleshooting By reviewing the information provided you can track unusual cha...

Page 148: ...e downloads it can be unzipped to access the individual log files Forwarding System Messages to a Syslog Server The Firebox SSL VPN Gateway archives system messages as described in Viewing and Downloa...

Page 149: ...he SNMP location This field is informational only 4 In SNMP Contact type the contact This field is informational only 5 In Community type the community This field is informational only 6 In Port type...

Page 150: ...Step 2 is vpn myorg com tcpcurrestab html Viewing System Statistics To obtain general system statistics select the VPN Gateway Cluster tab and then click the Statistics tab The statistical informatio...

Page 151: ...formation refer to the Help that is available from the Ethereal Network Analyzer window xNetTools Multi threaded network tool that includes a service scanner port scanner ping utility ping scan name s...

Page 152: ...v 5 0 Release Notes go to https www watchguard com archive softwarecenter asp You must log in with your LiveSecurity user name and passphrase and select the Firebox SSL VPN Gateway support view From...

Page 153: ...box SSL VPN Gateway You may need to log in to your LiveSecurity account at https www watchguard com archive getcredentials asp to get a copy of your feature key Troubleshooting The following informati...

Page 154: ...ame to the domain name and user name Other Issues This section describes known issues and solutions for the Firebox SSL VPN Gateway License File Does not Match Firebox SSL VPN Gateway If you are tryin...

Page 155: ...ends out the same ping command regardless of the options specified with the ping command from a client computer LDAP Authentication When the Firebox SSL VPN Gateway is configured to use LDAP authentic...

Page 156: ...However as described above certificates issued by a private CA are supported by the server components because the private CA is the root of trust Certificate Revocation Lists Certificate Revocation L...

Page 157: ...uploaded certificate file see Generating Trusted Certificates for Multiple Levels on page 156 H 323 Protocol The Firebox SSL VPN Gateway does not support the H 323 protocol Applications that use the...

Page 158: ...authentication to proxy servers Only Basic authentica tion is supported for proxy servers WINS Entries When the Secure Access Client is disconnected WINS entries are not removed from the computer tha...

Page 159: ...and Pro Versions Tiny Personal Firewall ZoneAlarm Pro Note The following sections are a supplement to the firewall manufacturer s documentation The recommended source for current information about fi...

Page 160: ...ox SSL VPN Gateway To configure the settings open the BlackICE window and choose the following commands McAfee Personal Firewall Plus The following McAfee Personal Firewall Plus settings enable the Se...

Page 161: ...cess through the Secure Access Client select the Remember my answer check box and click Yes when the prompt appears Tiny Personal Firewall The following Tiny Personal Firewall settings enable the Secu...

Page 162: ...ss Client For each alert select the Create appropriate filter check box and click Permit ZoneAlarm Pro The following ZoneAlarm settings enable the Secure Access Client to reach the Internet and the re...

Page 163: ...ust be in PEM format and must include a private key The signed certificate and private key must be unencrypted If Linux OpenSSL is not available install the Cygwin UNIX environment for Windows When yo...

Page 164: ...es you need to use the alias name instead 5 Submit your CSR public csr to an authorized Certificate Authority such as Verisign When asked for the type of server that the certificate will be used with...

Page 165: ...The certFile should not contain the private key when you run this command openssl verify verbose CApath tmp certFile If that command results in the following error message the file is not in PEM form...

Page 166: ...https ipAddress httpPort www mypage com where ipAddress is the IP address of your Firebox SSL VPN Gateway httpPort is the Firebox SSL VPN Gateway port number 2 Double click the Lock symbol in the bott...

Page 167: ...Administration Guide 157 Generating Trusted Certificates for Multiple Levels Intermediate Certificate 0 Intermediate Certificate 1 Intermediate Certificate 2...

Page 168: ...Generating Trusted Certificates for Multiple Levels 158 Firebox SSL VPN Gateway...

Page 169: ...ccess to the internal network this aspect of Firebox SSL VPN Gateway configuration is covered in four different sections of this book This appendix provides example user access scenarios and includes...

Page 170: ...re user access in the following example scenario The organization uses a single LDAP directory as the user repository Remote users working for the Sales department must have access to an email server...

Page 171: ...e in the network 10 10 0 0 24 The server containing the Sales Web application resides in the network 10 60 10 0 24 The single email server that remote users must access has the IP address 10 10 25 50...

Page 172: ...garding the group membership of the users Identify groups on the LDAP directory that contain all of the members who need remote access to the internal networks If there are no existing groups that con...

Page 173: ...e LDAP authentication and authorization configuration task When this task is complete the administrator has the following information The specific network locations of all network resources that the r...

Page 174: ...ling When a user logs on to the Firebox SSL VPN Gateway the Firebox SSL VPN Gateway sends this list of networks to the Secure Access Client on the user s computer The Secure Access Client uses this li...

Page 175: ...realm and creating a new Default realm for LDAP the administrator simplifies the logon process for the end user Users who authenticate using the Default realm do not need to enter the realm name as p...

Page 176: ...access For more information about group properties and creating local groups see Configuring Properties for a User Group on page 90 Creating and Assigning Network Resources to the User Groups Creatin...

Page 177: ...way Creating and Assigning Network Resources to the Engineering users This section briefly discusses how the administrator creates a network resource and assigns it to the Engineering users This proce...

Page 178: ...erver Create an application policy that specifies the email application on the email server and assign the network resource containing the email server to this application policy Assign the applicatio...

Page 179: ...ctory and on the Firebox SSL VPN Gateway Only users who are members of the Remote Sales group and the Remote Engineers group are authorized to access resources on the internal network Each of these gr...

Page 180: ...ineering users with access to the Web conference server The Web conference server IP address is 10 10 50 60 Note In this example Silvio Branco and Lisa Marth are referred to as guest users because the...

Page 181: ...enario for creating guest accounts using the Local Users list In this step the administrator creates a network resource that specifies only the Web conference server and then assigns this resource to...

Page 182: ...sa Marth and Silvio Branco to the Remote Engineers group on the Firebox SSL VPN Gateway To assign local users Lisa Marth and Silvio Branco to the Remote Engineers group on the Firebox SSL VPN Gateway...

Page 183: ...software is covered by the GNU Library General Public License instead You can apply it to your programs too When we speak of free software we are referring to freedom not price Our General Public Lice...

Page 184: ...rk under copyright law that is to say a work containing the Program or a por tion of it either verbatim or with modifications and or translated into another language Hereinafter translation is include...

Page 185: ...n you distribute the same sections as part of a whole which is a work based on the Program the distribution of the whole must be on the terms of this License whose permissions for other licensees exte...

Page 186: ...es who have received copies or rights from you under this License will not have their licenses terminated so long as such parties remain in full compliance 5 You are not required to accept this Licens...

Page 187: ...ons of the General Public License from time to time Such new versions will be similar in spirit to the present version but may dif fer in detail to address new problems or concerns Each version is giv...

Page 188: ...of each source file to most effectively convey the exclusion of warranty and each file should have at least the copyright line and a pointer to where the full notice is found one line to give the pro...

Page 189: ...programmer or your school if any to sign a copy right disclaimer for the program if necessary Here is a sample alter the names Yoyodyne Inc hereby disclaims all copyright interest in the program Gnom...

Page 190: ...180 Firebox SSL VPN Gateway...

Page 191: ...ble networks 15 56 deny access without access control list 58 DNS split tunneling 57 limitations 145 specifying 57 Administration deployment overview 17 Administration Desktop 17 32 downloading or sta...

Page 192: ...for portal page 39 closing connection 133 computer hibernate 90 suspend 90 configuration dynamic routes 52 network connections 47 restoring 15 44 saving 15 44 serial console 33 static routes 53 with...

Page 193: ...cate 15 client certificates 114 deny access without ACL 57 88 100 deny network access 59 enable portal page authentication 15 41 internal failover 55 split tunneling 15 58 Voice over IP 15 global poli...

Page 194: ...in the middle attacks 110 maximum transmission unit MTU 49 McAfee Personal Firewall Plus 150 membership groups 16 memory usage 141 monitoring tools 32 using 140 Multi Router Traffic Grapher 139 multi...

Page 195: ...96 network 16 resource group network access 56 resource groups removing from user group 99 resources configuring for a user group 99 file share 103 file shares 16 restarting appliance 15 45 restarting...

Page 196: ...support 6 Firebox Installation Services 7 LiveSecurity Gold Program 7 LiveSecurity Service 6 users forum 5 6 VPN Installation Services 7 Telnet 3270 Emulator client 28 131 templates downloading 39 tim...

Page 197: ...date and time 45 upgrading 15 44 VPN Installation Services 7 W W3C formatted log 138 WatchGuard Certified Training Partners 8 WatchGuard users forum 5 6 WCTP 8 Web address of Administration Portal 32...

Page 198: ...188 Firebox SSL VPN Gateway...

Reviews: