manualshive.com logo in svg

Watchguard SSL 1000, Руководство пользователя

Hardware manual для Watchguard SSL 1000 доступен для загрузки бесплатно на manualshive.com. Этот руководство позволит пользователям легко настроить и использовать устройство для обеспечения надежной защиты сети. Скачайте свой экземпляр прямо сейчас и ознакомьтесь с функциональностью продукта.

Поделиться
Скачать
background image

Troubleshooting

146

Firebox SSL VPN Gateway

Internal Failover

If internal failover is enabled and the administrator is connected to the Firebox SSL VPN Gateway, the 
Administration Tool cannot be reached over the connection. To fix this problem, enable IP pooling and 
then connect to the lowest IP address in the pool range on port 9001. For example, if the IP pool range 
starts at 10.10.3.50, connect to the Administration Tool using 10.10.3.50:9001. For information about 
configuring IP pools, see “Enabling IP Pooling” on page 94.

Certificate Signing

There are several server components that support SSL/TLS, such as the Firebox SSL VPN Gateway, 
Secure Gateway, and SSL Relay. All of these components support server certificates issued either by a 
public Certificate Authority (CA) or by a private Certificate Authority. Public CAs include organizations 
such as Verisign and Thawte. Private CAs are implemented by products such as Microsoft Certificate Ser-
vices.
Certificates signed by a private CA are sometimes described as 

enterprise certificates

 or 

self-signed certifi-

cates

. In this context, the term self-signed certificate is not technically accurate; such certificates are 

signed by the private CA. True self-signed certificates are not signed by any CA and are not supported 
by the server components, because there is no CA to provide a root of trust. However, as described 
above, certificates issued by a private CA are supported by the server components because the private 
CA is the root of trust.

Certificate Revocation Lists

Certificate Revocation Lists (CRLs) cannot be configured by the administrator. When a user connects to 
the Firebox SSL VPN Gateway using a client certificate, the Firebox SSL VPN Gateway uses the cRLDistri-
butionPoints extension in the client certificate, if it is present, to locate relevant CRLs using HTTP. The cli-
ent certificate is checked against those CRLs.

Retrieving CRLs using LDAP is not supported.

Network Messages to Non-Existent IPs

If an invalid sdconf.rec file is uploaded to the Firebox SSL VPN Gateway, this might cause the Firebox SSL 
VPN Gateway to send out messages to non-existent IPs. A network monitor might flag this activity as 
network spamming.
To correct the problem, upload a valid sdconf.rec file to the Firebox SSL VPN Gateway.

The Firebox SSL VPN Gateway Does not Start and the Serial Console Is Blank

Verify that the following are correctly set up:

• The serial console is using the correct port and the physical and logical ports match
• The cable is a null-modem cable
• The COM settings in your serial communication software are set to 9600 bits per second, 8 data 

bits, no parity, and 1 stop bit

The Administration Tool Is Inaccessible

If the Firebox SSL VPN Gateway is offline, the Administration Tool is not available. You can use the 
Administration Portal to perform tasks such as viewing the system log and restarting the Firebox SSL 
VPN Gateway.

Содержание SSL 1000

Страница 1: ...WatchGuard Firebox SSL VPN Gateway Administration Guide Firebox SSL VPN Gateway...

Страница 2: ...any means electronic or mechanical for any purpose without the express written permission of WatchGuard Technologies Inc Copyright Trademark and Patent Information Use of the product documented in th...

Страница 3: ...port 6 LiveSecurity Service technical support 6 LiveSecurity Gold 7 Firebox Installation Service 7 VPN Installation Service 7 Training and Certification 7 CHAPTER 2 Introduction to Firebox SSL VPN Gat...

Страница 4: ...ppliances for Load Balancing and Failover 20 Installing the Firebox SSL VPN Gateway for the First Time 20 Getting Ready to Install the Firebox SSL VPN Gateway 20 Setting Up the Firebox SSL VPN Gateway...

Страница 5: ...o work with the templates for Windows and Linux users 40 Using the ActiveX Control 40 Installing Custom Portal Files on the Firebox SSL VPN Gateway 40 Enabling Portal Page Authentication 41 To enable...

Страница 6: ...bling Split Tunneling 57 To enable split tunneling 58 Configuring User Groups 58 Denying Access to Groups without an ACL 58 To deny access to user groups without an ACL 59 Improving Voice over IP Conn...

Страница 7: ...s 78 Determining Attributes in your LDAP Directory 78 Using RSA SecurID for Authentication 79 To generate a sdconf rec file for the Firebox SSL VPN Gateway 80 Enable RSA SecurID authentication for the...

Страница 8: ...Generating a Secure Certificate for the Firebox SSL VPN Gateway 109 Digital Certificates and Firebox SSL VPN Gateway Operation 110 Overview of the Certificate Signing Request 110 Password Protected P...

Страница 9: ...enging 131 Supporting Secure Access Client 132 Managing Client Connections 133 Connection handling 133 Closing a connection to a resource 134 Disabling and enabling a user 134 Configuring Authenticati...

Страница 10: ...ining the Private Key with the Signed Certificate 155 To combine the private key with the signed certificate 156 Generating Trusted Certificates for Multiple Levels 156 To generate trusted certificate...

Страница 11: ...ng the Fire box SSL VPN Gateway This document assumes that the Firebox SSL VPN Gateway is connected to an existing network and that the administrator has experience configuring that network Operating...

Страница 12: ...o use your time to find new software Access to technical support and training You can find information about your WatchGuard products quickly with our many online resources You can also speak directly...

Страница 13: ...When necessary WatchGuard updates the WatchGuard System Manager software Product upgrades can include new features and patches When we release a software update you get an e mail with instructions on...

Страница 14: ...egister asp The Account page appears 3 Complete the LiveSecurity Activation page Use the TAB key or the mouse to move through the fields on the page You must complete all the fields to activate correc...

Страница 15: ...and web sites about network security The training is divided into parts which lets you use only the materials you feel necessary To learn more about online training browse to www watchguard com train...

Страница 16: ...ides to the web site at http www watchguard com help documentation Technical Support Your LiveSecurity Service subscription includes technical support for the WatchGuard System Man ager software and F...

Страница 17: ...ical problem when the support center is not open use the LiveSecurity Technical Support phone number to page a technician You can also send an incident on the web site at http www watchguard com suppo...

Страница 18: ...s also available at a location near you through a large group of Watch Guard Certified Training Partners WCTPs Training partners give training using certified training mate rials and with WatchGuard h...

Страница 19: ...user seamless secure access to authorized applications and network resources Remote users can work with files on network drives email intranet sites and applications just as if they are working insid...

Страница 20: ...and intranet access from restricted LANs such as wireless networks Network topography showing the Firebox SSL VPN Gateway in the DMZ The following illustration shows how the Firebox SSL VPN Gateway cr...

Страница 21: ...group based access control kiosk mode end point resources and polices portal pages and IP pools New Features The v5 5 software update for the Firebox SSL Core VPN Gateway includes the following new fe...

Страница 22: ...configure the Secure Access Client to disconnect from the Firebox SSL VPN Gateway if there is no user activity on the connection for a specific time interval You can also force a client disconnection...

Страница 23: ...menu There are new menu items on the serial console allowing you to change the Firebox SSL VPN Gateway administrator password set the duplex mode and network adapter speed and revert to the default c...

Страница 24: ...ces and policies Local users Authentication and Authorization Authentication and authorization are configured on the Authentication tab Double source authentication also known as two factor authentica...

Страница 25: ...ticationandAuthorization LDAP RADIUS RSASecurID local andSafewordPremierAccess Authentication Authentication Authentication Authorization LocalUsers Access Policy Manager InheritDefaultGroupProperties...

Страница 26: ...etworks such as wireless connections in hotels or airports Integrated end point scanning Ensures that the computer meets corporate standards to connect and remains safe for connection to the network H...

Страница 27: ...ox SSL VPN Gateway is quick and easy to deploy and simple to administer The most typical deployment configuration is to locate the Firebox SSL VPN Gateway behind your firewall or in the demil itarized...

Страница 28: ...l to connect to the Firebox SSL VPN Gateway By default clients use Secure Sockets Layer SSL on port 443 to establish this connection To support this connec tivity you must allow SSL on port 443 throug...

Страница 29: ...icate from a known Certificate Authority and upload it to the Firebox SSL VPN Gateway If you deploy the Firebox SSL VPN Gateway in any environment where the Firebox SSL VPN Gateway must operate as the...

Страница 30: ...ork infrastructure without requiring changes to the existing hardware or back end software It works with other networking products such as cache engines firewalls routers and IEEE 802 11 wireless devi...

Страница 31: ...figure the TCP IP settings using the instructions in Configuring TCP IP Settings for the Firebox SSL VPN Gateway Configuring TCP IP Settings for the Firebox SSL VPN Gateway The preconfigured IP addres...

Страница 32: ...nal Note HyperTerminal is not automatically installed on Windows 2000 Server or Windows Server 2003 To install HyperTerminal use Add Remove Programs in the Control Panel 3 Set the serial connection to...

Страница 33: ...ration Tool click Install the Firebox SSL VPN Gateway Administration Tool Follow the prompts to complete installation 4 Log on to the Administration Tool using the default user name and password 5 On...

Страница 34: ...utomatically redirect HTTP connection attempts on port 80 to be secure connections on port 443 or other secure port If a user attempts an unsecure connection on port 80 the Firebox SSL VPN Gateway aut...

Страница 35: ...can specify the proxy server s IP address and authentication credentials To configure a proxy server 1 To open the logon dialog box click the Secure Access Client icon on the desktop 2 In the Firebox...

Страница 36: ...e subject to administrative security policies that apply to a single application a sub set of applications or an entire intranet You use the Firebox SSL VPN Gateway Administration Tool to specify the...

Страница 37: ...Gateway then transmits the packets to the network Note If you run a packet sniffer such as Ethereal on the computer where the Secure Access Client is running you will see unencrypted traffic that app...

Страница 38: ...l net 3270 emulator Gaim instant messenging and VNC clients The icons are displayed in the bottom left corner of the window The applications are specified for each group For more information about con...

Страница 39: ...SL VPN Gateway to connect to the network see Configuring Network Information on page 47 To establish the physical connection connect the Firebox SSL VPN Gateway eth0 interface to the inter nal network...

Страница 40: ...Using the Firebox SSL VPN Gateway 30 Firebox SSL VPN Gateway...

Страница 41: ...policy it is closed Topics covered in this chapter include Firebox SSL VPN Gateway Administration Desktop Using the Administration Tool Using the Administration Portal Using the Serial Console Produc...

Страница 42: ...ere ipAddress is the IP address of your Firebox SSL VPN Gateway 9001 is the administration port of your Firebox SSL VPN Gateway 3 If a Security Alert dialog box appears click Yes 4 Type the user name...

Страница 43: ...for the Firebox SSL VPN Gateway This is the same log that is in the Administra tion Tool on the VPN Gateway Cluster Logging tab Maintenance Tab This tab provides you a place to do administrative task...

Страница 44: ...allows you to configure global settings once and then publish them to multiple Firebox SSL VPN Gateways on your network The left pane of the Administration Tool window displays Help information for t...

Страница 45: ...nchronization messages appear in the Sync Status field for each appliance In Sync The Firebox SSL VPN Gateway configuration is successfully published Not in Sync A change was made in the settings but...

Страница 46: ...until a user ends a session or the administrator uses the Firebox SSL VPN Gateway Real Time Monitor to close a connection thereby releasing a license For information about using the Real Time Monitor...

Страница 47: ...bout Your Licenses The Licensing tab displays information about the licenses that are installed on the Firebox SSL VPN Gateway This information includes Total number of licenses available Number of li...

Страница 48: ...al from outside the firewall To block access to the Administration Portal from the external adapter clear the check box for this option To block external access to the Administration Portal 1 Click th...

Страница 49: ...ted The portal page templates are available from the Downloads page of the Administration Portal in the section Sample Portal Page Templates Downloading and Working with Portal Page Templates The port...

Страница 50: ...5 Replace citrix logo gif with the filename of your image For example if your image file is named logo gif change the line to img src logo gif An image file must have a file type of GIF or JPG Do not...

Страница 51: ...fier in the list and click Remove Selected File Enabling Portal Page Authentication By default a user must log on to the portal page and then again to the Firebox SSL Secure Access Client or kiosk mod...

Страница 52: ...Manager tab right click a group in the left pane and then click Properties 2 On the Gateway Portal tab select Redirect to URL 3 In Portal homepage type the path of the server that is hosting the Web...

Страница 53: ...double source authentication see Configuring Double Source Authentication on page 85 Connecting Using a Web Address Users can connect to the Firebox SSL VPN Gateway using a Web browser by typing the W...

Страница 54: ...click Save Configuration 4 Save the file named config restore to your computer The entire Firebox SSL VPN Gateway configuration including system files uploaded licenses and uploaded server certificate...

Страница 55: ...estart or from the Administration Portal go to the Maintenance tab and next to Restart the Server click Restart Shutting Down the Firebox SSL VPN Gateway Never shut down the Firebox SSL VPN Gateway by...

Страница 56: ...etwork Time Protocol server To synchronize the Firebox SSL VPN Gateway with a Network Time Protocol server 1 In the Firebox SSL VPN Gateway Administration Tool click the VPN Gateway Cluster tab 2 Clic...

Страница 57: ...he configuration instructions throughout those topics assume the following setup The Firebox SSL VPN Gateway is installed The devices to which you are connecting the Firebox SSL VPN Gateway such as a...

Страница 58: ...al resources using Network Address Trans lation NAT The Firebox SSL VPN Gateway network adapter settings are as follows IP address and Subnet mask for Interface 0 and if used Interface 1 When connecti...

Страница 59: ...uplex Use the default setting auto unless you need to change it MTU The maximum transmission unit that defines the maximum size of each transmitted packet The default is 1500 Use the default setting u...

Страница 60: ...he Access Policy Manager tab in the left pane right click a group and click Properties 2 On the Networking tab select Enable split DNS The Firebox SSL VPN Gateway fails over to the local DNS only if t...

Страница 61: ...ket and its routing table does not contain a route for the destination address of the packet the Firebox SSL VPN Gateway sends the packet to the Default Gate way The routing capabilities of the Defaul...

Страница 62: ...irebox SSL VPN Gateway network adapter s to be used for dynamic routing Typically your routing server s are inside your firewall so you would choose the internal network adapter for this setting 5 Cli...

Страница 63: ...n you switch from dynamic routing to static routing allows you to maintain connectivity until you properly configure the static routes To save dynamic routes to the static route table 1 On the Firebox...

Страница 64: ...then click the Routes tab 2 In the Static Route table select each route that you want to delete 3 Click Remove Route Static Route Example Suppose the IP address of the eth0 port on your Firebox SSL VP...

Страница 65: ...make the connection The client performs a DNS lookup for the first failover appliance and tries to connect If the first failover Firebox SSL VPN Gate way is not available the client tries the next fai...

Страница 66: ...ess for groups After you configure your user groups you then configure network access for the groups This includes the network resources users in the group are allowed to access application policies k...

Страница 67: ...example you want to allow access to everything on the 10 0 x x network but need to deny access to the 10 0 20 x network Configure network access to 10 0 20 x first and then configure access to the 10...

Страница 68: ...User groups define the resources the user has access to when connecting to the corporate network through the Firebox SSL VPN Gateway Groups are associated with the local users list After adding local...

Страница 69: ...l IP Softphone Cisco IP Softphone Cisco IP Communicator Secure tunneling is supported between the manufacturer s IP PBX and the softphone software running on the client computer To enable the VoIP tra...

Страница 70: ...Select encryption type for client connections setting on the Global Cluster Policies tab The encryption ciphers are negotiated between the client computer and the Firebox SSL VPN Gateway in the order...

Страница 71: ...iguring RADIUS Authentication and Authorization Configuring RSA SecurID Authentication Configuring Secure Computing SafeWord Authentication Configuring NTLM Authentication and Authorization Configurin...

Страница 72: ...S server a Windows NT 4 0 server for NTLM authorization or the local group file if not available on the LDAP or RADIUS server If group information is available for the user the Firebox SSL VPN Gateway...

Страница 73: ...the Default realm for that type of authentication so that users do not have to enter a realm name when logging on Using a Local User List for Authentication For a new installation the Default realm is...

Страница 74: ...r on the Firebox SSL VPN Gateway 1 Click the Access Policy Manager tab 2 In the left pane right click Local Users and then click New User 3 In User Name type a user name User names can contain spaces...

Страница 75: ...up LDAP server settings see Determining Attributes in your LDAP Directory on page 78 Changing the Authentication Type of the Default Realm When a user logs on to the Default realm the user does not ha...

Страница 76: ...realm For example you want the Default realm to be used for authentication to an LDAP server If you want to use additional authentication methods for users such as RADIUS SafeWord RSA SecurID NTLM or...

Страница 77: ...ecure Computing products SafeWord PremierAccess SafeWord for Citrix SafeWord RemoteAccess Configuring the Firebox SSL VPN Gateway to authenticate using Secure Computing s SafeWord products can be done...

Страница 78: ...e SafeWord RADIUS server The default is 1812 This port must match the number you configured on the RADIUS server In Server Secret enter a RADIUS shared secret 6 The shared secret must match what is co...

Страница 79: ...RADIUS server port The default port numbers are 1812 and 1645 6 In Server Secret type a RADIUS share secret Note Make sure you use a strong shared secret A strong shared secret is one that is at leas...

Страница 80: ...olicies and then click New Remote Access Policy 8 Select Set up a custom policy 9 In Policy name give the policy a name and click Next 10 Under Policy Conditions click Add select Windows Groups and cl...

Страница 81: ...his default number 21 Click Yes It conforms and then click Configure Attribute 22 Under Vendor assigned attribute number type 0 This is the assigned number for the User Group attribute The attribute i...

Страница 82: ...ation tab and in Authorization Type select RADIUS Authorization You can use the following authorization types with RADIUS authentication RADIUS authorization Local authorization LDAP authorization No...

Страница 83: ...is sent to the server over the connection If the LDAP server supports Start TLS the connection is converted to a secure LDAP connection using TLS The standard port numbers for unsecure LDAP connection...

Страница 84: ...K The Realm dialog box opens 5 Click the Authentication tab 6 In Server IP Address type the IP address of the LDAP server 7 In Server Port type the port number The LDAP Server port defaults to 389 If...

Страница 85: ...d from the Bind DN by removing the user name and specifying the group where users are located Examples of syntax for Base DN ou users dc ace dc com cn Users dc ace dc com 12 In Server login name attri...

Страница 86: ...e LDAP servers enable only group objects such as the Lotus Domino LDAP server to contain infor mation about users The LDAP server does not enable the user object to contain information about groups Fo...

Страница 87: ...r using the administrator credentials and then searches for the user After locating the user the Firebox SSL VPN Gateway unbinds the administrator credentials and rebinds with the user credentials 8 I...

Страница 88: ...the name of the attribute The default is memberOf This attribute enables the Firebox SSL VPN Gateway to obtain the groups associated with a user during authorization 9 Click Submit Using certificates...

Страница 89: ...DAP server To look up LDAP attributes 1 In the left pane of the LDAP Browser select the profile name that you created 2 To look up the Base DN in the right pane locate the namingContexts attribute The...

Страница 90: ...e required settings for the Firebox SSL VPN Gateway Your site might have additional requirements Refer to the RSA ACE Server documentation for more information If the Firebox SSL VPN Gateway needs to...

Страница 91: ...you generated in the previous procedure on the Authentication tab click Upload sdconf rec file and use the dialog box to locate and upload the file The sdconf rec file is typically written to ace dat...

Страница 92: ...your RSA ACE Server Administration interface is installed go to Start Programs RSA ACE Server Database Administration Host Mode 2 In the RSA ACE Server Administration interface go to Agent Host Edit A...

Страница 93: ...cation you create an NTLM authentication realm that includes the address and port that the Firebox SSL VPN Gateway uses to connect to the Windows NT 4 0 domain controller You also specify a time out v...

Страница 94: ...SSL VPN Gateway finds a match the user is granted the authorization privileges to the internal networks that are associated with the user group on the Firebox SSL VPN Gateway To configure NTLM author...

Страница 95: ...her the Web browser or Secure Access Client they will see two password fields If they are logging on using only one authentication method the second password field is left blank For more information a...

Страница 96: ...ird party authentication types For example if users are required to authenticate using LDAP and Gemalto protiva strong authentication system RADIUS you can change the password labels to reflect what t...

Страница 97: ...ight want to create local user accounts for temporary users such as consultants or visitors without creating an entry for those users on the authentication server In that case you add the user to the...

Страница 98: ...k access within that session is determined by the Deny Access without ACL setting You can also add local groups that are not related to groups on authentication servers For example you might create a...

Страница 99: ...er groups can be created and configured When a new group is created the properties page appears that allows you to configure the settings for the group You can also add local groups that are not relat...

Страница 100: ...ble for the Default group To enable or disable Default group properties 1 Click the Access Policy Manager tab 2 In the left pane right click the user group and then click Properties 3 On the General t...

Страница 101: ...user s Windows logon credentials are passed to the Firebox SSL VPN Gate way for authentication Enabling single sign on for the Secure Access Client facilitates operations on the remote computer such a...

Страница 102: ...User session timeout If you enable this setting the Secure Access Client disconnects after the time out interval elapses regardless of what the user is doing There is no action the user can take to p...

Страница 103: ...tly logged on If you want to prevent a specific group of users from viewing the list of online users you can disable the desktop sharing feature for an Firebox SSL VPN Gateway user group Disabling des...

Страница 104: ...SSL VPN Gateway can assign a unique IP address alias to each client s session You can specify the gateway device to be used for IP pooling The gateway device can be the Firebox SSL VPN Gateway itself...

Страница 105: ...in addition to passing all other authentication rules that are con figured for that group For example the following criteria requires that the subject field of the client cer tificate provided by a us...

Страница 106: ...b 2 If an end point policy was created and configured under End Point Policies click the configured policy and drag it to Pre Authentication Policies in the left pane Note To create and configure end...

Страница 107: ...of time a user can stay logged on whether there is activity or not The specified time is absolute If the user has a 60 minute session time out the session ends at 60 minutes Users are given a one minu...

Страница 108: ...ny applications without policies check box selected the user inherits that setting IP pooling Users assume the IP address from the highest priority group that has IP pools enabled Inherit Default grou...

Страница 109: ...es Network resources define the locations that authorized users can access Resource groups are associ ated with user groups to form resource access control policies Network topology for resource group...

Страница 110: ...and click OK 4 In Network Subnet type the IP address subnet pair for the resource in the Subnets field You can use CIDR notation for the mask Use a space to separate entries 5 In Port or port range en...

Страница 111: ...e network resource is defined when Out look tries to start it checks for the network resource and end point policy if defined If it passes the user can log on and check email If it fails Outlook does...

Страница 112: ...is selected This check box denies all applications access to the corporate network To allow one application network access configure the application policy to accept the application following the step...

Страница 113: ...NFS 7 In Permissions specify whether you want remote users to have read write or read only permissions for the share Note Users can use the FTP protocol to send and receive files to the remote compute...

Страница 114: ...at a computer must have one some or all of the following A registry entry that matches the path entry type and value that you specify A file that matches the path filename and date that you specify Yo...

Страница 115: ...time To configure an end point policy for a group you specify a Boolean expression containing the end point resources that you want to apply to the group Suppose that you create the following end poi...

Страница 116: ...sales group appears before the support group in the User Groups list the sales group policies apply to the users who belong to both of those groups If the support group appears before the sales group...

Страница 117: ...created To set the priority of groups 1 Click the Group Priority tab 2 Select a group that you want to move and use the arrow keys to raise or lower the group in the list The group at the top of the l...

Страница 118: ...Setting the Priority of Groups 108 Firebox SSL VPN Gateway...

Страница 119: ...tificate Authority Install a digital X 509 certificate that belongs to your company and is signed by a Certificate Authority on the Firebox SSL VPN Gateway Your company can operate as its own Certific...

Страница 120: ...responding certificate on users computers Users can also disable the Security Alert through the Secure Access Connection Properties dialog box Overview of the Certificate Signing Request Before you ca...

Страница 121: ...tion Tool To create a Certificate Signing Request 1 Click the VPN Gateway Cluster tab and open the window for the appliance 2 On the Certificate Signing Request tab type the required information in th...

Страница 122: ...ay is not behind a load balancer the certificate must contain the FQDN of the Firebox SSL VPN Gateway If the Firebox SSL VPN Gateway is behind a load balancer each appliance must contain the same cert...

Страница 123: ...the new file save the text file in PEM format and then upload the file to the Firebox SSL VPN Gateway Creating Root Certificates Using a Command Prompt You can also create PEM formatted root certific...

Страница 124: ...is case the certificate is embedded within the smart card and read from a smart card reader attached to the network Note Note The Firebox SSL VPN Gateway is configured in the same way regardless of wh...

Страница 125: ...izard The certificate is installed in the Trusted Root Certification Authorities store for the local computer For information about root certificate availability and installation on platforms other th...

Страница 126: ...proper root certificates that are used to sign the server certificates To install root certificates On the Cluster Config tab select Administration Manage Trusted root CA certificates To require serv...

Страница 127: ...lient Applications Supporting Secure Access Client Managing Client Connections System Requirements The Secure Access Client is supported on the following operating systems and Web browsers Operating S...

Страница 128: ...cause no data is written to the user s computer However if you configure network shares a user can copy files from a shared network drive to the remote computer Note You can configure the Firebox SSL...

Страница 129: ...nt requires a running VPN daemon to connect to the Firebox SSL VPN Gateway To check the status of the VPN daemon type the following at a command prompt sbin service net6vpnd status To restart a stoppe...

Страница 130: ...the connection provides full access to the network resources that the user s group s have permission to access The access granted by the security policies enable users to work with the remote system j...

Страница 131: ...gani zations firewalls without creating any problems For example the connection can be made through an intermediate proxy such as an HTTP proxy by issuing a CONNECT HTTPS command to the intermediate p...

Страница 132: ...vpn_portal javaonly html The authentication realm name required for logon if you use realms other than the realm named Default Path to any network drives that the users can access which is done by map...

Страница 133: ...ode For more informa tion about logging on using double source authentication see Double source Authentication Portal Page on page 43 Note If you are using the Linux Client the connection window will...

Страница 134: ...is established a status window briefly appears and the Secure Access Client win dow is minimized to the notification area The icon indicates whether the connection is enabled or dis abled and flashes...

Страница 135: ...ction is enabled the Secure Access Client automatically changes client proxy settings to match settings stored in the operating system The Secure Access Client attempts to connect to the Firebox SSL V...

Страница 136: ...as Macintosh Windows 95 or Windows 98 computers kiosk mode is available through a Java applet For Macintosh computers to support kiosk mode the Safari browser and JRE 1 5 must be installed When the u...

Страница 137: ...es tab under Access options select Enable kiosk mode If this check box is clear users cannot use kiosk mode and the option is not available from the Web portal page When kiosk mode is enabled users ca...

Страница 138: ...ht pane right click File Share Resources click New File Share Resource type a name and click OK 3 In Share source type the path to the share source using the form server share 4 In Mount type select t...

Страница 139: ...ile Download dialog box navigate to the location where you want to copy the file and then click Open When the FTP transfer is complete a message window appears You cannot use FTP to transfer folders o...

Страница 140: ...To configure Remote Desktop 1 On the Access Policy Manager tab right click Kiosk Resources 2 Type a name for the resource and click OK 3 Select Remote Desktop and type the FQDN of the server in the t...

Страница 141: ...corner VNC Client The VNC client enables a user to remotely access the desktop of a VNC server The user s work remains on the remote server no files only images are sent to the user s computer To use...

Страница 142: ...etwork drive on their computer Any system requirements for running the Firebox SSL VPN Gateway Clients if you configured end point resources and policies Depending on the configuration of a remote use...

Страница 143: ...t ACL for the user s group and then close the TCP connection For more information about ACL management see Adding Local Users on page 87 If you do not correct the ACL before closing the connection the...

Страница 144: ...blish a connection from that MAC address until you reenable the user or restart the Firebox SSL VPN Gateway To enable a user at a particular MAC address 1 In the Administration Desktop window click th...

Страница 145: ...ction is briefly interrupted Authenticate upon system resume This option forces a user to log on again if the user s computer awakens from standby or hibernation This option provides additional securi...

Страница 146: ...Managing Client Connections 136 Firebox SSL VPN Gateway...

Страница 147: ...yslog server System message logs contain information that can help Firebox SSL VPN Gateway support personnel assist with troubleshooting By reviewing the information provided you can track unusual cha...

Страница 148: ...e downloads it can be unzipped to access the individual log files Forwarding System Messages to a Syslog Server The Firebox SSL VPN Gateway archives system messages as described in Viewing and Downloa...

Страница 149: ...he SNMP location This field is informational only 4 In SNMP Contact type the contact This field is informational only 5 In Community type the community This field is informational only 6 In Port type...

Страница 150: ...Step 2 is vpn myorg com tcpcurrestab html Viewing System Statistics To obtain general system statistics select the VPN Gateway Cluster tab and then click the Statistics tab The statistical informatio...

Страница 151: ...formation refer to the Help that is available from the Ethereal Network Analyzer window xNetTools Multi threaded network tool that includes a service scanner port scanner ping utility ping scan name s...

Страница 152: ...v 5 0 Release Notes go to https www watchguard com archive softwarecenter asp You must log in with your LiveSecurity user name and passphrase and select the Firebox SSL VPN Gateway support view From...

Страница 153: ...box SSL VPN Gateway You may need to log in to your LiveSecurity account at https www watchguard com archive getcredentials asp to get a copy of your feature key Troubleshooting The following informati...

Страница 154: ...ame to the domain name and user name Other Issues This section describes known issues and solutions for the Firebox SSL VPN Gateway License File Does not Match Firebox SSL VPN Gateway If you are tryin...

Страница 155: ...ends out the same ping command regardless of the options specified with the ping command from a client computer LDAP Authentication When the Firebox SSL VPN Gateway is configured to use LDAP authentic...

Страница 156: ...However as described above certificates issued by a private CA are supported by the server components because the private CA is the root of trust Certificate Revocation Lists Certificate Revocation L...

Страница 157: ...uploaded certificate file see Generating Trusted Certificates for Multiple Levels on page 156 H 323 Protocol The Firebox SSL VPN Gateway does not support the H 323 protocol Applications that use the...

Страница 158: ...authentication to proxy servers Only Basic authentica tion is supported for proxy servers WINS Entries When the Secure Access Client is disconnected WINS entries are not removed from the computer tha...

Страница 159: ...and Pro Versions Tiny Personal Firewall ZoneAlarm Pro Note The following sections are a supplement to the firewall manufacturer s documentation The recommended source for current information about fi...

Страница 160: ...ox SSL VPN Gateway To configure the settings open the BlackICE window and choose the following commands McAfee Personal Firewall Plus The following McAfee Personal Firewall Plus settings enable the Se...

Страница 161: ...cess through the Secure Access Client select the Remember my answer check box and click Yes when the prompt appears Tiny Personal Firewall The following Tiny Personal Firewall settings enable the Secu...

Страница 162: ...ss Client For each alert select the Create appropriate filter check box and click Permit ZoneAlarm Pro The following ZoneAlarm settings enable the Secure Access Client to reach the Internet and the re...

Страница 163: ...ust be in PEM format and must include a private key The signed certificate and private key must be unencrypted If Linux OpenSSL is not available install the Cygwin UNIX environment for Windows When yo...

Страница 164: ...es you need to use the alias name instead 5 Submit your CSR public csr to an authorized Certificate Authority such as Verisign When asked for the type of server that the certificate will be used with...

Страница 165: ...The certFile should not contain the private key when you run this command openssl verify verbose CApath tmp certFile If that command results in the following error message the file is not in PEM form...

Страница 166: ...https ipAddress httpPort www mypage com where ipAddress is the IP address of your Firebox SSL VPN Gateway httpPort is the Firebox SSL VPN Gateway port number 2 Double click the Lock symbol in the bott...

Страница 167: ...Administration Guide 157 Generating Trusted Certificates for Multiple Levels Intermediate Certificate 0 Intermediate Certificate 1 Intermediate Certificate 2...

Страница 168: ...Generating Trusted Certificates for Multiple Levels 158 Firebox SSL VPN Gateway...

Страница 169: ...ccess to the internal network this aspect of Firebox SSL VPN Gateway configuration is covered in four different sections of this book This appendix provides example user access scenarios and includes...

Страница 170: ...re user access in the following example scenario The organization uses a single LDAP directory as the user repository Remote users working for the Sales department must have access to an email server...

Страница 171: ...e in the network 10 10 0 0 24 The server containing the Sales Web application resides in the network 10 60 10 0 24 The single email server that remote users must access has the IP address 10 10 25 50...

Страница 172: ...garding the group membership of the users Identify groups on the LDAP directory that contain all of the members who need remote access to the internal networks If there are no existing groups that con...

Страница 173: ...e LDAP authentication and authorization configuration task When this task is complete the administrator has the following information The specific network locations of all network resources that the r...

Страница 174: ...ling When a user logs on to the Firebox SSL VPN Gateway the Firebox SSL VPN Gateway sends this list of networks to the Secure Access Client on the user s computer The Secure Access Client uses this li...

Страница 175: ...realm and creating a new Default realm for LDAP the administrator simplifies the logon process for the end user Users who authenticate using the Default realm do not need to enter the realm name as p...

Страница 176: ...access For more information about group properties and creating local groups see Configuring Properties for a User Group on page 90 Creating and Assigning Network Resources to the User Groups Creatin...

Страница 177: ...way Creating and Assigning Network Resources to the Engineering users This section briefly discusses how the administrator creates a network resource and assigns it to the Engineering users This proce...

Страница 178: ...erver Create an application policy that specifies the email application on the email server and assign the network resource containing the email server to this application policy Assign the applicatio...

Страница 179: ...ctory and on the Firebox SSL VPN Gateway Only users who are members of the Remote Sales group and the Remote Engineers group are authorized to access resources on the internal network Each of these gr...

Страница 180: ...ineering users with access to the Web conference server The Web conference server IP address is 10 10 50 60 Note In this example Silvio Branco and Lisa Marth are referred to as guest users because the...

Страница 181: ...enario for creating guest accounts using the Local Users list In this step the administrator creates a network resource that specifies only the Web conference server and then assigns this resource to...

Страница 182: ...sa Marth and Silvio Branco to the Remote Engineers group on the Firebox SSL VPN Gateway To assign local users Lisa Marth and Silvio Branco to the Remote Engineers group on the Firebox SSL VPN Gateway...

Страница 183: ...software is covered by the GNU Library General Public License instead You can apply it to your programs too When we speak of free software we are referring to freedom not price Our General Public Lice...

Страница 184: ...rk under copyright law that is to say a work containing the Program or a por tion of it either verbatim or with modifications and or translated into another language Hereinafter translation is include...

Страница 185: ...n you distribute the same sections as part of a whole which is a work based on the Program the distribution of the whole must be on the terms of this License whose permissions for other licensees exte...

Страница 186: ...es who have received copies or rights from you under this License will not have their licenses terminated so long as such parties remain in full compliance 5 You are not required to accept this Licens...

Страница 187: ...ons of the General Public License from time to time Such new versions will be similar in spirit to the present version but may dif fer in detail to address new problems or concerns Each version is giv...

Страница 188: ...of each source file to most effectively convey the exclusion of warranty and each file should have at least the copyright line and a pointer to where the full notice is found one line to give the pro...

Страница 189: ...programmer or your school if any to sign a copy right disclaimer for the program if necessary Here is a sample alter the names Yoyodyne Inc hereby disclaims all copyright interest in the program Gnom...

Страница 190: ...180 Firebox SSL VPN Gateway...

Страница 191: ...ble networks 15 56 deny access without access control list 58 DNS split tunneling 57 limitations 145 specifying 57 Administration deployment overview 17 Administration Desktop 17 32 downloading or sta...

Страница 192: ...for portal page 39 closing connection 133 computer hibernate 90 suspend 90 configuration dynamic routes 52 network connections 47 restoring 15 44 saving 15 44 serial console 33 static routes 53 with...

Страница 193: ...cate 15 client certificates 114 deny access without ACL 57 88 100 deny network access 59 enable portal page authentication 15 41 internal failover 55 split tunneling 15 58 Voice over IP 15 global poli...

Страница 194: ...in the middle attacks 110 maximum transmission unit MTU 49 McAfee Personal Firewall Plus 150 membership groups 16 memory usage 141 monitoring tools 32 using 140 Multi Router Traffic Grapher 139 multi...

Страница 195: ...96 network 16 resource group network access 56 resource groups removing from user group 99 resources configuring for a user group 99 file share 103 file shares 16 restarting appliance 15 45 restarting...

Страница 196: ...support 6 Firebox Installation Services 7 LiveSecurity Gold Program 7 LiveSecurity Service 6 users forum 5 6 VPN Installation Services 7 Telnet 3270 Emulator client 28 131 templates downloading 39 tim...

Страница 197: ...date and time 45 upgrading 15 44 VPN Installation Services 7 W W3C formatted log 138 WatchGuard Certified Training Partners 8 WatchGuard users forum 5 6 WCTP 8 Web address of Administration Portal 32...

Страница 198: ...188 Firebox SSL VPN Gateway...

Отзывы:

Нет отзывов

Похожие инструкции для SSL 1000

Xylem optimyze Manual preview
optimyze
Бренд: Xylem Страницы: 24
Yacht Devices YDOG-01 User Manual preview
YDOG-01
Бренд: Yacht Devices Страницы: 32
Ubee UBC1301-AA00 User Manual preview
UBC1301-AA00
Бренд: Ubee Страницы: 99
Rose Point nemo Installation Manual preview
nemo
Бренд: Rose Point Страницы: 27
turck BL67-GW-EN How-To preview
BL67-GW-EN
Бренд: turck Страницы: 11
SpectraLink MOG600 Installation And Administration preview
MOG600
Бренд: SpectraLink Страницы: 35
VADcore GoIP4 User Manual preview
GoIP4
Бренд: VADcore Страницы: 51
Netphonic NG-48 Series User Manual preview
NG-48 Series
Бренд: Netphonic Страницы: 36
Netopia Cayman 3500 Series Quick Start Manual preview
Cayman 3500 Series
Бренд: Netopia Страницы: 2
Netopia 3347W Specifications preview
3347W
Бренд: Netopia Страницы: 2
Netscape NETSCAPE DIRECTORY SERVER 7.0 Reference preview
NETSCAPE DIRECTORY SERVER 7.0
Бренд: Netscape Страницы: 178
Aruba EC-10104 Installation Manual preview
EC-10104
Бренд: Aruba Страницы: 20
Fanvil ATA Quick Installation Manual preview
ATA
Бренд: Fanvil Страницы: 5
Hitron CGNVM User Manual preview
CGNVM
Бренд: Hitron Страницы: 128
Davolink DV-332 User Manual preview
DV-332
Бренд: Davolink Страницы: 105
Galaxy IPTV-DMG User & Installation Manual preview
IPTV-DMG
Бренд: Galaxy Страницы: 18
TVILIGHT Gateway 3.1 Installation Manual preview
Gateway 3.1
Бренд: TVILIGHT Страницы: 15
Technicolor TG587n v3 Setup And User Manual preview
TG587n v3
Бренд: Technicolor Страницы: 98

Бренды по названию

Популярные бренды

Загрузить еще бренды