manualshive.com logo in svg

Vasco aXsGUARD Gatekeeper, Как использовать

Поделиться
Скачать
Vasco aXsGUARD Gatekeeper Скачать руководство пользователя страница 12

• Authentication: The VPN server verifies the VPN client’s identity and

restricts VPN access to authorized users only (MS-CHAP and MS-CHAP v2).
The VPN server may also provide audit and accounting capabilities to
monitor who accessed which information and when.

• Tunneling: A technology that enables one network to send its data via

another network’s connections. Tunneling works by encapsulating a
network protocol within packets carried by another network. Tunneling is
also referred to as encapsulation (see

Section 2.3.1, “Protocol

Description”

) and is achieved by the GRE and PPP protocol.

• Encryption: To insure privacy, data transmission via the VPN over the

Internet is rendered unreadable to unauthorized clients through
encryption (MPPE).

• Compression: The process of reducing the amount of information

necessary to transmit data.

Authentication.

PPTP VPN servers use two authentication protocols:

• PAP: The Password Authentication Protocol is a simple authentication

protocol to authenticate a user with a Network Access Server. PAP sends
user names and passwords over the network in cleartext and is therefore
insecure.

• CHAP: Stands for Challenge Handshake Authentication Protocol and

functions as follows:

1. The PPTP VPN server sends a challenge to the requesting client.
2. The client uses this challenge and the password to calculate a response,

which is sent to the server.

3. The PPTP VPN server checks the provided response against its own

calculation of the expected response. If the received response matches,
the server acknowledges the authentication; if not, the connection is
terminated.

• PAP is not supported by the aXsGUARD Gatekeeper because it

is insecure. Only MS-CHAP is supported.

• VASCO recommends DIGIPASS authentication, as this is the

most secure option.

Tunneling.

A VPN uses an IP tunneling mechanism where the packet formats

and the addressing used by the VPN might be unrelated to the packet formats
and addressing which is used to route the tunneled packet across the Internet
(see

Section 2.5, “Routing Scenarios”

for more information about PPTP and

Routing). For this reason, PPTP uses the Generic Routing Encapsulation (GRE)
protocol. The GRE protocol is defined per

RFC-1701

,

1702

and

2784

and is

identified as IP Protocol 47. GRE is used to implement several categories of
encryption and network security. In its most basic form, GRE allows any
network-layer protocol (or in some cases, protocols from other layers, e.g.
Ethernet frames) to be encapsulated in any other network-layer protocol. In its
current form, GRE has been implemented in most UNIX network stacks, routers
and other network equipment and is widely supported.

Ecryption.

PPTP supports PPP-based data encryption mechanisms. The

Microsoft implementation of PPTP supports optional use of Microsoft Point-to-
Point Encryption (MPPE), based on the RSA/RC4 algorithm. 40 bit encryption is
supported, but highly insecure (see

Section 3.3, “General Configuration

© VASCO Data Security 2011

11

Содержание aXsGUARD Gatekeeper

Страница 1: ...aXsGUARD Gatekeeper PPTP How To 1 7 ...

Страница 2: ... Source and Destination Address in Different IP Ranges 2 5 3 Source and Destination address in the Same IP Range 2 6 Firewalls and PPTP 3 PPTP Server Configuration 3 1 Overview 3 2 Activating the PPTP Server 3 3 General Configuration Settings 3 4 Authentication Settings 3 4 1 Recommended Method 3 4 2 Supported Authentication Methods 3 4 3 Configuring the Authentication Method 3 5 User Settings 3 6...

Страница 3: ...n 4 4 Windows Vista Configuration 4 5 Windows 7 Configuration 5 Troubleshooting 5 1 Client Side Troubleshooting 5 2 Server Side Troubleshooting 6 Support 6 1 Overview 6 2 If you encounter a problem 6 3 Return procedure if you have a hardware failure Alphabetical Index VASCO Data Security 2011 2 ...

Страница 4: ...te Connection 4 4 Connection Name 4 5 VPN Server Selection 4 6 PPTP VPN Properties 4 7 Require Data Encryption 4 8 Windows Vista PPTP Setup 4 9 Set up a Connection or Network 4 10 Connect to a Workplace 4 11 Use My Internet Connection 4 12 Connection IP and Description 4 13 User Name and Password Screen 4 14 Final Configuration Step 4 15 Connecting to the PPTP Server 4 16 Connection Successful 4 1...

Страница 5: ...List of Tables 3 1 PPTP General Settings 3 2 PPTP User Settings 3 3 User Level Firewall Settings VASCO Data Security 2011 4 ...

Страница 6: ...List of Examples 3 1 Restricting access to two LAN servers VASCO Data Security 2011 5 ...

Страница 7: ...CIFICALLY REQUIRES LIABILITY DESPITE THE FOREGOING EXCLUSIONS AND LIMITATIONS Intellectual Property and Copyright VASCO Products contain proprietary and confidential information VASCO Data Security Inc and or VASCO Data Security International GmbH own or are licensed under all title rights and interest in VASCO Products updates and upgrades thereof including copyrights patent rights trade secret r...

Страница 8: ...ered to solve difficulties In Chapter 6 Support we explain how to request support and return hardware for replacement As software development is an ongoing process the screens included in this guide may slightly differ from the software version installed on your aXsGUARD Gatekeeper appliance Other documents in the set of aXsGUARD Gatekeeper documentation include aXsGUARD Gatekeeper Installation Gu...

Страница 9: ...sily be integrated into existing IT infrastructures as a stand alone authentication appliance or as a gateway providing both authentication services and Internet Security Authentication and other features such as firewall e mail and Web access are managed by security policies which implement a combination of rules for example whether a user must use a DIGIPASS One Time Password in combination with...

Страница 10: ... network infrastructure such as the Internet to provide a private secured connection between hosts and network applications A VPN also ensures the integrity of data as it traverses the Internet through authentication tunneling and encryption In other words a VPN allows roaming or remote users to securely connect to corporate LAN resources such as shared folders applications databases or e mail Sev...

Страница 11: ...to as tunneling or encapsulation PPTP in its barest form works by encapsulating packets inside PPP packets which are in turn encapsulated in Generic Routing Encapsulation GRE packets The GRE packets are sent over IP to the destination PPTP server and back again The image below shows the structure of a PPTP network packet The PPTP protocol provides the following key security elements 2 3 What is PP...

Страница 12: ...he PPTP VPN server checks the provided response against its own calculation of the expected response If the received response matches the server acknowledges the authentication if not the connection is terminated PAP is not supported by the aXsGUARD Gatekeeper because it is insecure Only MS CHAP is supported VASCO recommends DIGIPASS authentication as this is the most secure option Tunneling A VPN...

Страница 13: ...client on the Internet and the aXsGUARD Gatekeeper PPTP server A TCP connection is therefore made to the PPTP server on TCP port 1723 as shown in the illustration below This control channel is used to negotiate tunnel parameters such as the encryption method and the compression algorithm see Section 2 3 2 Key Elements of PPTP Security The PPTP control channel also establishes manages and releases ...

Страница 14: ... PPTP client and server see Section 2 6 Firewalls and PPTP and Section 3 6 PPTP Firewall Settings On the server side only PPTP traffic is routed through this interface Different routing scenarios apply depending on the network address which is assigned to the client s PPP interface These are explained in the following sections The client s PPP interface has an IP address in a different IP range th...

Страница 15: ... than the aXsGUARD Gatekeeper LAN the packet is automatically routed through the PPP interface gateway of the aXsGUARD Gatekeeper The client s PPP interface has an IP address in the same IP range as the LAN IP of the PPTP server as shown in the image below Traffic can only be routed correctly using Proxy ARP which is explained below Figure 2 5 PPTP Client and PPTP Server with different IP ranges 2...

Страница 16: ...tes the traffic back to the requesting host Proxy ARP is defined per RFC 1027 For more information about ARP see the appropriate online resources It is highly recommended to configure the aXsGUARD Gatekeeper Firewall so that only required network resources can be accessed by the client This also improves security in case a client s computer is hijacked illustrated below The default system wide Fir...

Страница 17: ...ct separate aXsGUARD Gatekeeper Firewall Policies for PPTP VPN access on a user group basis in agreement with your company policies as explained above The aXsGUARD Gatekeeper PPTP Firewall configuration is explained in Section 3 6 PPTP Firewall Settings Use a strong hardware or software Firewall on the client side Ensure that outgoing traffic to TCP port 1723 and the GRE protocol are allowed other...

Страница 18: ...ended Firewall Policies Before you can access the PPTP configuration settings you must activate the PPTP feature on the aXsGUARD Gatekeeper 1 Log on to the aXsGUARD Gatekeeper as explained in the System Administration How To 2 Navigate to System Feature Activation 3 Expand the VPN RAS tree 4 Check the Do you use the aXsGUARD Gatekeeper PPTP Server option 5 Click on Update Chapter 3 PPTP Server Con...

Страница 19: ... How To 2 Navigate to VPN RAS PPTP General A screen as shown below is displayed 3 Configure the settings as explained in the table below 4 Click on Update when finished 3 3 General Configuration Settings Figure 3 2 PPTP General Configuration Settings VASCO Data Security 2011 18 ...

Страница 20: ...ter sharing can be installed on the client so that the printer can be accessed by the terminal server Accept 40 bit encryption insecure 40 bit encryption produces less encryption overhead but is highly insecure This setting is not recommended Start IP address The first IP address of the address pool available for PPTP clients The client acquires this address via DHCP End IP address The last IP add...

Страница 21: ...Gatekeeper needs to resolve the domain workgroup name to the IP address of the AD Server AD Authentication is only possible if the Directory Services module is activated and configured For more information consult the aXsGUARD Gatekeeper Directory Services How To which is available via the Documentation button in the Administrator Tool To set or adjust the authentication settings for the PPTP serv...

Страница 22: ...nistrator Tool The following VPN settings can be edited at the user level Authorization or denial to use the VPN service The password used to authenticate with the VPN server The user s VPN Firewall settings explained separately in Section 3 6 PPTP Firewall Settings To adjust a user s VPN settings 1 Navigate to Users Groups Users 2 Select the appropriate user name 3 Select the Remote Access tab an...

Страница 23: ...n You can specify a different Local Password in combination with DIGIPASS Authentication The user then must enter the specified password followed by the DIGIPASS OTP You cannot overrule the Active Directory Password with a Local Password Password This field only appears when the option above is checked Enter the VPN password twice for verification PPTP VPN RAS Check to enable PPTP access for the u...

Страница 24: ...ured in two stages Allow PPTP traffic and enforce Strong Authentication e g DIGIPASS Implement strict PPTP VPN Firewall Rules and restrict access to the needed resources Both stages of the PPTP Firewall configuration are explained in Section 3 6 2 Allowing PPTP Traffic and Section 3 6 3 Firewall Rights An example is provided in Section 3 6 4 Example of Firewall Settings for PPTP PPTP traffic must ...

Страница 25: ...active by default is available in the Firewall How To This document can be accessed via the on screen Documentation button in the Administrator Tool You can also click on a Firewall Rule Policy to view its contents User Group Firewall Rights As mentioned in Section 2 6 Firewalls and PPTP VASCO highly recommends the use of a strong client side firewall and the creation of dedicated Firewall Policie...

Страница 26: ...s for allowed traffic 1 Navigate to Firewall Rules Through 2 Search for the fwd access lan Rule and click to view its contents 3 Click on the Edit as New button 4 Provide a name and description for the new Rule 5 Check the enabled option 6 Do not specify a Source IP Figure 3 7 User Level Firewall Settings Option Description Use Group Firewall Policies Select this option if you wish to apply the sa...

Страница 27: ...rst followed by the drop Rule 6 Save the Firewall Policy Add the Firewall Policy to the VPN RAS Group Settings of the user 1 Add the new Firewall Policy to the user s VPN Group Policy add it separately or overrule the user s VPN Firewall policy see above Ensure that this Firewall Policy is the only one in the list 2 Update your settings As a result only network traffic towards the specific servers...

Страница 28: ...rminated The public IP address of the remote client The PPP IP address used by the remote client The authentication information Information about encryption The type of compression Useful error messages for troubleshooting Figure 3 8 PPTP Log entries VASCO Data Security 2011 27 ...

Страница 29: ...lowed on the client Firewall otherwise you will not be able to connect to the aXsGUARD Gatekeeper PPTP server Refer to your Firewall s documentation if necessary 1 Click on Start Control Panel Network and Internet Connections Network Connections A screen as shown below should appear 2 Click on Create a new connection in the left pane Chapter 4 PPTP Client Configuration 4 1 Overview 4 2 Client Side...

Страница 30: ...network at my workplace and click on Next 4 Select Virtual Private Network Connection and click on Next Figure 4 1 Windows XP Network Connections Figure 4 2 Connecting to the Network at my Workplace VASCO Data Security 2011 29 ...

Страница 31: ...5 Enter a Connection Name and click on Next Figure 4 3 Virtual Private Connection Figure 4 4 Connection Name VASCO Data Security 2011 30 ...

Страница 32: ...IP address or the public FQDN of the aXsGUARD Gatekeeper PPTP server and click on Next Afterwards click on Finish 7 In the connection screen click on Properties Figure 4 5 VPN Server Selection VASCO Data Security 2011 31 ...

Страница 33: ...8 Select the Security Tab and check the Require data encryption option Click on OK to continue Figure 4 6 PPTP VPN Properties VASCO Data Security 2011 32 ...

Страница 34: ... button The connection should be up after a few seconds You can verify the status of the VPN connection by navigating to the Network Connections screen see step 1 1 From the Start button select Connect To Figure 4 7 Require Data Encryption 4 4 Windows Vista Configuration VASCO Data Security 2011 33 ...

Страница 35: ...2 Select Set up a connection or network Figure 4 8 Windows Vista PPTP Setup VASCO Data Security 2011 34 ...

Страница 36: ...3 Select Connect to a workplace 4 Click on Next Figure 4 9 Set up a Connection or Network Figure 4 10 Connect to a Workplace VASCO Data Security 2011 35 ...

Страница 37: ...ection and click on Next 6 In the Internet Address field type the external IP address or the FQDN of the aXsGUARD Gatekeeper PPTP server 7 In the Destination Name field type a description for your PPTP VPN Connection 8 Select the Don t connect now option and click on Next Figure 4 11 Use My Internet Connection VASCO Data Security 2011 36 ...

Страница 38: ...Enter the username and password provided by your system administrator Do not enter a password if you are using DIGIPASS authentication Figure 4 12 Connection IP and Description VASCO Data Security 2011 37 ...

Страница 39: ...10 Click on the Create button and then the Close button Figure 4 13 User Name and Password Screen Figure 4 14 Final Configuration Step VASCO Data Security 2011 38 ...

Страница 40: ...onnect to 12 Select the VPN connection in the window and click on Connect 13 Enter the user name and password provided by your system administrator and click on the Connect button The connection should be up after a few seconds Figure 4 15 Connecting to the PPTP Server VASCO Data Security 2011 39 ...

Страница 41: ...Network Icon in the lower right corner of your Windows desktop see the image below 1 Click on the Start button and navigate to the Control Panel Figure 4 16 Connection Successful Figure 4 17 PPTP Connection Status 4 5 Windows 7 Configuration VASCO Data Security 2011 40 ...

Страница 42: ...2 In the Control Panel select Network and Internet Figure 4 18 Windows 7 Control Panel VASCO Data Security 2011 41 ...

Страница 43: ...3 Select Network and Sharing Center 4 Click on Set up a new connection or network Figure 4 19 Windows 7 Control Panel Figure 4 20 Windows 7 Network and Sharing Center VASCO Data Security 2011 42 ...

Страница 44: ...a Workplace and click on Next 6 Select the first option create a new connection as shown below and click on Next Figure 4 21 Set up a New Connection or Network Figure 4 22 Connect to a Workplace VASCO Data Security 2011 43 ...

Страница 45: ...7 Click on Use my Internet connection Figure 4 23 Creating a New Connection Figure 4 24 Creating a New Connection VASCO Data Security 2011 44 ...

Страница 46: ...nd enter a name for the connection e g office 9 Leave the other options open and click on Next 10 Enter the user name and password provided by your system administrator to connect to the remote aXsGUARD Gatekeeper PPTP server 11 Enter the domain you are connecting to optional Figure 4 25 PPTP Connection Settings VASCO Data Security 2011 45 ...

Страница 47: ...depending on the speed of your Internet connection You can verify the status of the VPN connection by clicking on the Network Icon in the lower right corner of your Windows desktop see the image below Figure 4 26 PPTP Connection Settings VASCO Data Security 2011 46 ...

Страница 48: ...Figure 4 27 PPTP Status VASCO Data Security 2011 47 ...

Страница 49: ...tination address in the Same IP Range Modify the IP address range of the client accordingly Refer to the documentation of the Operating System if necessary PPTP error Your credentials have failed remote network authentication 1 Your username or password may be incorrect Contact your system administrator 2 Check if the connecting PC is in a Windows domain If this is the case check the properties of...

Страница 50: ...computer does not support the required data encryption type See error 734 above PPTP Error 769 The specified destination is not reachable The hostname or IP address of the machine you are connecting to is incorrect Check your settings and or contact your system adminstrator if necessary PPTP Error 678 There was no answer See error 769 above PPTP Error 619 the specified port is not connected If you...

Страница 51: ...ones WINS successor should work as well WINS is slowly getting phased out by Microsoft being and being replaced by GlobalNames zones On MS server 2008 WINS is no longer a role but has become a feature The WINS configuration itself is exactly the same as on MS server 2003 For more information about setting up a WINS server consult your Microsoft documentation Information can also be found on this M...

Страница 52: ...ault Make sure this option is enabled 2 Server firewall Make sure the aXsGUARD Gatekeeper PPTP server can receive a connection on port 1723 and that protocol 47 is being allowed see Section 2 6 Firewalls and PPTP and Section 3 6 PPTP Firewall Settings Protocol 47 is not the same as port 47 This is a simple but common problem Do not get port 47 confused with protocol 47 Opening port 47 on your fire...

Страница 53: ...lution in the Knowledge Base please contact the company which supplied you with the VASCO product 3 If your supplier is unable to solve your problem they will automatically contact the appropriate VASCO expert For details about support capabilities by user visit http www vasco com support support_services types_of_customes aspx If you experience a hardware failure contact your VASCO supplier Chapt...

Страница 54: ...ilable Guides E Encapsulation Protocol Description F Firewall rights Firewall Rights G GRE Key Elements of PPTP Security I ipconfig Overview M MPPE Key Elements of PPTP Security P PAP Key Elements of PPTP Security Point to Point Tunneling Protocol Protocol Description Port 1723 Standard PPTP Deployment PPTP Protocol Description Proxy ARP Source and Destination address in the Same IP Range Alphabet...

Страница 55: ...rview S Support Support T Troubleshooting Troubleshooting Tunneling Protocol Description V Virtual private network What is a Virtual Private Network VPN What is a Virtual Private Network VASCO Data Security 2011 54 ...

Отзывы:

Нет отзывов

Бренды по названию

Популярные бренды

Загрузить еще бренды