Watchguard Technologies Water Heater Ssl Vpn Users Manual VPN_AdminGuide

SSL VPN to the manual 0a25791b-a4e0-4c84-96ef-d6db2500041d

2015-02-02

: Watchguard-Technologies Watchguard-Technologies-Watchguard-Technologies-Water-Heater-Ssl-Vpn-Users-Manual-454226 watchguard-technologies-watchguard-technologies-water-heater-ssl-vpn-users-manual-454226 watchguard-technologies pdf

Open the PDF directly: View PDF PDF.
Page Count: 198

DownloadWatchguard-Technologies Watchguard-Technologies-Watchguard-Technologies-Water-Heater-Ssl-Vpn-Users-Manual- VPN_AdminGuide  Watchguard-technologies-watchguard-technologies-water-heater-ssl-vpn-users-manual
Open PDF In BrowserView PDF
®
®
WatchGuard Firebox SSL VPN

Gateway Administration Guide

Firebox SSL VPN Gateway

Notice to Users
Information in this guide is subject to change without notice. Companies, names, and data used in examples
herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any
form or by any means, electronic or mechanical, for any purpose, without the express written permission of
WatchGuard Technologies, Inc.
Copyright, Trademark, and Patent Information
Use of the product documented in this guide is subject to your prior acceptance of the WatchGuard End User
License Agreement applicable to this product. You will be prompted to read and accept the End User License
Agreement when you register your Firebox on the WatchGuard website.
Copyright© 2008 Citrix Systems, Inc. All rights reserved.
Copyright© 2008 WatchGuard Technologies, Inc. All rights reserved
WatchGuard, Firebox, LiveSecurity and any other word listed as a trademark in the “Terms of Use” portion of
the WatchGuard website that is used herein are registered trademarks or trademarks of WatchGuard
Technologies, Inc. in the United States and/or other countries.
Citrix is a registered trademark of Citrix Systems, Inc in the U.S.A. and other countries.
Microsoft, Windows, and Windows NT are either registered trademarks or trademarks of Microsoft
Corporation in the United States and/or other countries.
All other trade names referred to are the Servicemark, Trademark, or Registered Trademark of the respective
manufacturers.
The Firebox SSL Firebox SSL VPN Gateway software is distributed with source code covered under the GNU
General Public License (GPL). To obtain source code covered under the GPL, please contact WatchGuard
Technical Support at:
877.232.3531 in the United States and Canada
+1.206.613.0456 in all other countries

This source code is free to download. There is a $35 charge to ship the CD.
See Appendix E, “Legal and Copyright Information” on page 173 of this guide for the complete text of the
GPL.
VPN Gateway Software: 5.5
Document Version: 352-2784-001

ADDRESS:

ABOUT WATCHGUARD

WatchGuard is a leading provider of network security solutions for small- to midsized enterprises worldwide, delivering integrated products and services that are
robust as well as easy to buy, deploy and manage. The company’s Firebox X family of
expandable integrated security appliances is designed to be fully upgradeable as an
SUPPORT:
organization grows and to deliver the industry’s best combination of security,
www.watchguard.com/support
support@watchguard.com
performance, intuitive interface and value. WatchGuard Intelligent Layered Security
U.S. and Canada +877.232.3531
architecture protects against emerging threats effectively and efficiently and provides
All Other Countries +1.206.613.0456
the flexibility to integrate additional security functionality and services offered
through WatchGuard. Every WatchGuard product comes with an initial LiveSecurity
SALES:
U.S. and Canada +1.800.734.9905 Service subscription to help customers stay on top of the security landscape with
All Other Countries +1.206.521.8340 vulnerability alerts, software updates, expert security instruction and superior
customer care. For more information, please call (206) 521-8340 or visit
www.watchguard.com.
505 Fifth Avenue South
Suite 500
Seattle, WA 98104

ii

Firebox SSL VPN Gateway

Contents

CHAPTER 1 Getting Started with Firebox SSL VPN Gateway

.................................................... 1
Audience ..................................................................................................................................................... 1
Operating System Requirements ...................................................................................................... 1
Document Conventions ........................................................................................................................ 2
LiveSecurity Service Solutions ............................................................................................................ 2
LiveSecurity Service Broadcasts ......................................................................................................... 3
Activating LiveSecurity Service .......................................................................................................... 4
LiveSecurity Service Self Help Tools ................................................................................................. 4
WatchGuard Users Forum ..................................................................................................................... 5
Online Help ................................................................................................................................................ 6
Product Documentation ....................................................................................................................... 6
Technical Support ................................................................................................................................... 6
LiveSecurity Service technical support ............................................................................................. 6
LiveSecurity Gold .................................................................................................................................. 7
Firebox Installation Service ................................................................................................................. 7
VPN Installation Service ...................................................................................................................... 7
Training and Certification ..................................................................................................................... 7

CHAPTER 2 Introduction to Firebox SSL VPN Gateway

............................................................... 9
Overview .................................................................................................................................................... 9
New Features .......................................................................................................................................... 11
Authentication and one-time passwords ...................................................................................... 11
New versions of the Secure Access Client ....................................................................................... 11
Configurable symmetric encryption ciphers ................................................................................. 11
Automatic detection of proxy server settings ............................................................................... 11
Secure Access Client connections .................................................................................................... 12
Automatic port redirection ............................................................................................................... 12
Disable desktop sharing .................................................................................................................... 12
Additional control over Secure Access Client connections ......................................................... 12

Admin Guide

iii

Disable kiosk mode ............................................................................................................................ 12
Specify multiple ports and port ranges for network resources ..................................................12
Voice over IP softphone support ...................................................................................................... 12
Editable HOSTS file ............................................................................................................................. 12
NTLM authentication and authorization support. ...................................................................... 13
Added challenge-response to RADIUS user authentication ....................................................... 13
SafeWord PremierAccess changed to support standards-based RADIUS token user
authentication .............................................................................................................................. 13
Updated serial console menu ........................................................................................................... 13
Features ..................................................................................................................................................... 13
Administration Tool ............................................................................................................................ 13
Firebox SSL VPN Gateway Settings .................................................................................................. 14
Feature Summary ............................................................................................................................... 16
The User Experience ............................................................................................................................. 16
Deployment and Administration ..................................................................................................... 17
Planning your deployment ................................................................................................................ 18
Deploying the Firebox SSL VPN Gateway in the Network DMZ ................................................. 18
Deploying the Firebox SSL VPN Gateway in a Secure Network ................................................. 18
Planning for Security with the Firebox SSL VPN Gateway ...................................................... 19
Configuring Secure Certificate Management ............................................................................... 19
Authentication Support .................................................................................................................... 19
Deploying Additional Appliances for Load Balancing and Failover ......................................... 20
Installing the Firebox SSL VPN Gateway for the First Time ..................................................... 20
Getting Ready to Install the Firebox SSL VPN Gateway ............................................................... 20
Setting Up the Firebox SSL VPN Gateway Hardware ................................................................... 21
Configuring TCP/IP Settings for the Firebox SSL VPN Gateway ................................................. 21
Redirecting Connections on Port 80 to a Secure Port .................................................................. 24
Using the Firebox SSL VPN Gateway .............................................................................................. 24
The Firebox SSL VPN Gateway operates as follows: ..................................................................... 24
Starting the Secure Access Client ..................................................................................................... 25
Enabling Single Sign-On Operation for the Secure Access Client ............................................. 25
Establishing the Secure Tunnel ........................................................................................................ 26
Tunneling Destination Private Address Traffic over SSL or TLS ..................................................26
Operation through Firewalls and Proxies ...................................................................................... 26
Terminating the Secure Tunnel and Returning Packets to the Client ....................................... 27
Using Kiosk Mode ............................................................................................................................... 28
Connecting to a Server Load Balancer ........................................................................................... 28

CHAPTER 3 Configuring Basic Settings

............................................................................................. 31
Firebox SSL VPN Gateway Administration Desktop .................................................................. 32
To open the Administration Portal and Administrative Desktop .............................................. 32
Using the Administration Portal .......................................................................................................32
Downloads Tab ................................................................................................................................... 32
Admin Users Tab ................................................................................................................................. 33
Logging Tab ......................................................................................................................................... 33
Maintenance Tab ................................................................................................................................ 33

iv

WatchGuard SSL VPN Gateway

Using the Serial Console .....................................................................................................................33
To open the serial console ................................................................................................................. 34
Using the Administration Tool .......................................................................................................... 34
To download and install the Administration Tool ........................................................................ 34
Publishing Settings to Multiple Firebox SSL VPN Gateways ..................................................35
To publish Firebox SSL VPN Gateway settings ............................................................................... 35
Product Activation and Licensing ................................................................................................... 35
Upgrading the tunnel and tunnel upgrade license ...................................................................... 35
Upgrading the LiveSecurity Renewal and Tunnel Renewal license ........................................... 36
Managing Licenses ............................................................................................................................... 36
To manage licenses on the Firebox SSL VPN Gateway ................................................................36
To install a license file ......................................................................................................................... 37
Information about Your Licenses .................................................................................................... 37
Testing Your License Installation ..................................................................................................... 37
Blocking External Access to the Administration Portal ........................................................... 38
To block external access to the Administration Portal ................................................................38
Using Portal Pages ................................................................................................................................ 38
Using the Default Portal Page .......................................................................................................... 38
Downloading and Working with Portal Page Templates ........................................................ 39
To download the portal page templates to your local computer ............................................. 40
To work with the templates for Windows and Linux users ......................................................... 40
Using the ActiveX Control ................................................................................................................. 40
Installing Custom Portal Files on the Firebox SSL VPN Gateway ............................................... 40
Enabling Portal Page Authentication ............................................................................................. 41
To enable portal page authentication ........................................................................................... 41
Linking to Clients from Your Web Site ........................................................................................... 41
To include links to the Firebox SSL Secure Access Client and kiosk mode on your Web site . 41
Multiple Log On Options using the Portal Page ........................................................................... 42
Pre-Authentication Policy Portal Page ........................................................................................... 42
Double-source Authentication Portal Page .................................................................................. 43
Connecting Using a Web Address .................................................................................................. 43
Connecting Using Secure Access Client ........................................................................................ 43
Saving and Restoring the Configuration ...................................................................................... 44
To save the Firebox SSL VPN Gateway configuration .................................................................. 44
To restore a saved configuration ..................................................................................................... 44
Upgrading the Firebox SSL VPN Gateway Software ................................................................. 44
To upgrade the Firebox SSL VPN Gateway ..................................................................................... 44
Restarting the Firebox SSL VPN Gateway ..................................................................................... 45
To restart the Firebox SSL VPN Gateway ........................................................................................ 45
Shutting Down the Firebox SSL VPN Gateway ........................................................................... 45
To shut down the Firebox SSL VPN Gateway ................................................................................. 45
Firebox SSL VPN Gateway System Date and Time ..................................................................... 45
To change the system date and time .............................................................................................. 46
Network Time Protocol ...................................................................................................................... 46

Admin Guide

v

Allowing ICMP traffic ............................................................................................................................ 46
To enable ICMP traffic ........................................................................................................................ 46

CHAPTER 4 Configuring Firebox SSL VPN Gateway Network Connections

................... 47
Configuring Network Information .................................................................................................. 47
General Networking ............................................................................................................................. 48
Name Service Providers ...................................................................................................................... 50
To enable split DNS ............................................................................................................................. 50
To edit the HOSTS file ......................................................................................................................... 50
Dynamic and Static Routing .............................................................................................................. 51
Configuring Network Routing .......................................................................................................... 51
Configuring Dynamic Routing ......................................................................................................... 52
Enabling RIP Authentication for Dynamic Routing ..................................................................... 52
Changing from Dynamic Routing to Static Routing ................................................................... 53
Configuring a Static Route ................................................................................................................ 53
Static Route Example ......................................................................................................................... 54
Configuring Firebox SSL VPN Gateway Failover ......................................................................... 55
To specify Firebox SSL VPN Gateway failover ................................................................................ 55
Configuring Internal Failover ........................................................................................................... 55
Controlling Network Access .............................................................................................................. 56
Configuring Network Access ............................................................................................................ 56
Specifying Accessible Networks .......................................................................................................57
Enabling Split Tunneling .....................................................................................................................57
To enable split tunneling ................................................................................................................... 58
Configuring User Groups ................................................................................................................... 58
Denying Access to Groups without an ACL ................................................................................. 58
To deny access to user groups without an ACL ............................................................................. 59
Improving Voice over IP Connections ............................................................................................ 59
Enabling Improving Voice over IP Connections ............................................................................ 59
To improve latency for UDP traffic .................................................................................................. 60

CHAPTER 5 Configuring Authentication and Authorization

..................................................61
Configuring Authentication and Authorization ......................................................................... 61
Configuring Authentication without Authorization .................................................................... 63
The Default Realm .............................................................................................................................. 63
Using a Local User List for Authentication ..................................................................................... 63
Configuring Local Users .....................................................................................................................64
Adding Users to Multiple Groups ..................................................................................................... 64
Changing Password for Users .......................................................................................................... 64
Using LDAP Authorization with Local Authentication ................................................................65
Changing the Authentication Type of the Default Realm ...................................................... 65
Configuring the Default Realm ........................................................................................................ 65
Creating Additional Realms .............................................................................................................. 66
Removing Realms ............................................................................................................................... 67
Using SafeWord for Authentication ................................................................................................ 67
Configuring Secure Computing SafeWord Authentication ........................................................ 67
Configuring SafeWord Settings on the Access Gateway ............................................................. 67

vi

WatchGuard SSL VPN Gateway

To disable Firebox SSL VPN Gateway authentication .................................................................. 68
SafeWord PremierAccess Authorization ........................................................................................ 68
Using SafeWord for Citrix or SafeWord RemoteAccess for Authentication ...................... 68
To configure the IAS RADIUS realm ................................................................................................. 69
Using RADIUS Servers for Authentication and Authorization ............................................... 69
To configure Microsoft Internet Authentication Service for Windows 2000 Server ............... 70
To specify RADIUS server authentication ....................................................................................... 72
To configure RADIUS authorization ................................................................................................ 72
Choosing RADIUS Authentication Protocols ................................................................................. 72
Using LDAP Servers for Authentication and Authorization ................................................... 73
LDAP authentication .......................................................................................................................... 73
To configure LDAP authentication .................................................................................................. 74
LDAP Authorization .............................................................................................................................. 75
Group memberships from group objects working evaluations ................................................ 76
Group memberships from group objects non-working evaluations ........................................ 76
LDAP authorization group attribute fields .................................................................................... 76
To configure LDAP authentication .................................................................................................. 76
To configure LDAP authorization .................................................................................................... 77
Using certificates for secure LDAP connections ............................................................................ 78
Determining Attributes in your LDAP Directory ........................................................................... 78
Using RSA SecurID for Authentication ........................................................................................... 79
To generate a sdconf.rec file for the Firebox SSL VPN Gateway ................................................. 80
Enable RSA SecurID authentication for the Firebox SSL VPN Gateway .................................... 81
Configuring RSA Settings for a Cluster ........................................................................................... 82
Resetting the node secret .................................................................................................................. 82
Configuring Gemalto Protiva Authentication ............................................................................... 82
Configuring NTLM Authentication and Authorization ............................................................... 83
Configuring NTLM Authorization .................................................................................................... 84
Configuring Authentication to use One-Time Passwords ........................................................... 84
Configuring Double-Source Authentication ............................................................................... 85
To create and configure a double-source authentication realm .............................................. 85
Changing Password Labels ............................................................................................................... 86

CHAPTER 6 Adding and Configuring Local Users and User Groups

................................... 87
Adding Local Users ............................................................................................................................... 87
To create a user on the Firebox SSL VPN Gateway ........................................................................ 87
To delete a user from the Firebox SSL VPN Gateway .................................................................... 88
User Group Overview ........................................................................................................................... 88
Creating User Groups ........................................................................................................................... 89
To create a local user group .............................................................................................................. 89
To remove a user group .....................................................................................................................89
Configuring Properties for a User Group ...................................................................................... 90
Default group properties ................................................................................................................... 90
Forcing Users to Log on Again .......................................................................................................... 90
Configuring Secure Access Client for single sign-on .................................................................... 91
Enabling domain logon scripts ........................................................................................................ 91

Admin Guide

vii

Enabling session time-out ................................................................................................................ 92
Configuring Web Session Time-Outs .............................................................................................. 93
Disabling Desktop Sharing ............................................................................................................... 93
Setting Application Options ............................................................................................................. 93
Enabling Split DNS .............................................................................................................................. 94
Enabling IP Pooling ............................................................................................................................ 94
Choosing a portal page for a group ................................................................................................ 95
Client certificate criteria configuration .......................................................................................... 95
Global policies ..................................................................................................................................... 96
Configuring Resources for a User Group ....................................................................................... 96
Adding Users to Multiple Groups ..................................................................................................... 98
Allowing and denying network resources and application policies ......................................... 98
Defining network resources .............................................................................................................. 99
Allowing and Denying Network Resources and Application Policies .....................................100
Application policies ..........................................................................................................................101
Configuring file share resources ....................................................................................................102
Configuring kiosk mode ..................................................................................................................103
End point resources and policies ...................................................................................................104
Configuring an end point policy for a group ...............................................................................105
Setting the Priority of Groups .........................................................................................................106
Configuring Pre-Authentication Policies ......................................................................................107

CHAPTER 7 Creating and Installing Secure Certificates

..........................................................109
Generating a Secure Certificate for the Firebox SSL VPN Gateway ...................................109
Digital Certificates and Firebox SSL VPN Gateway Operation .............................................110
Overview of the Certificate Signing Request ............................................................................110
Password-Protected Private Keys ...................................................................................................110
Creating a Certificate Signing Request .........................................................................................111
Installing a Certificate and Private Key from a Windows Computer ......................................112
Installing Root Certificates on the Firebox SSL VPN Gateway ..................................................112
Installing Multiple Root Certificates ..............................................................................................113
Creating Root Certificates Using a Command Prompt .............................................................113
Resetting the Certificate to the Default Setting ..........................................................................113
Client Certificates ................................................................................................................................114
To require client certificates ............................................................................................................114
Installing Root Certificates .............................................................................................................115
Obtaining a Root Certificate from a CertificateAuthority ........................................................115
Installing Root Certificates on a Client Device ............................................................................115
Selecting an Encryption Type for Client Connections ................................................................115
Requiring Certificates from Internal Connections ...................................................................116
To require server certificates for internal client connections ....................................................116
Wildcard Certificates ..........................................................................................................................116

CHAPTER 8 Working with Client Connections

.............................................................................117
System Requirements ........................................................................................................................117
Operating Systems ...........................................................................................................................117
Web Browsers ....................................................................................................................................117

viii

WatchGuard SSL VPN Gateway

Using the Access Portal .....................................................................................................................118
To connect using the default portal page ....................................................................................118
Connecting from a Private Computer ..........................................................................................119
Tunneling Private Network Traffic over Secure Connections ...................................................120
Operation through Firewalls and Proxies ....................................................................................121
Terminating the Secure Tunnel and Returning Packets to the Client .....................................121
ActiveX Helper ...................................................................................................................................122
Using the Secure Access Client Window .......................................................................................122
Configuring Proxy Servers for the Secure Access Client ............................................................125
Configuring Secure Access Client to Work with Non-Administrative Users ..........................126
Connecting from a Public Computer ..........................................................................................126
Connections Using Kiosk Mode ......................................................................................................126
Creating a Kiosk Mode Resource ...................................................................................................127
Working with File Share Resources ................................................................................................128
Client Applications ..............................................................................................................................129
To enable client applications ..........................................................................................................129
Firefox Web Browser .........................................................................................................................130
Remote Desktop client .....................................................................................................................130
SSH Client ...........................................................................................................................................130
Telnet 3270 Emulator Client ...........................................................................................................131
VNC Client ..........................................................................................................................................131
Gaim Instant Messenging ...............................................................................................................131
Supporting Secure Access Client ...................................................................................................132
Managing Client Connections ........................................................................................................133
Connection handling .......................................................................................................................133
Closing a connection to a resource ...............................................................................................134
Disabling and enabling a user .......................................................................................................134
Configuring Authentication Requirements after Network Interruption ................................134

APPENDIX A Firebox SSL VPN Gateway Monitoring and Troubleshooting

..................137
Viewing and Downloading System Message Logs ..................................................................137
To view and filter the system log ....................................................................................................137
Forwarding System Messages to a Syslog Server .......................................................................138
To forward Firebox SSL VPN Gateway system messages to a syslog server ..........................138
Viewing the W3C-Formatted Request Log ...................................................................................138
Enabling and Viewing SNMP Logs ................................................................................................139
To enable logging of SNMP messages ..........................................................................................139
Multi Router Traffic Grapher Example ..........................................................................................139
Viewing System Statistics .................................................................................................................140
Monitoring Firebox SSL VPN Gateway Operations ..................................................................140
To open the Firebox SSL VPN Gateway Administration Desktop .............................................141
Recovering from a Failure of the Firebox SSL VPN Gateway ................................................141
Reinstalling v 4.9 application software ........................................................................................142
Backing up your configuration settings .......................................................................................142
Upgrading to SSL v 5.0 .....................................................................................................................142
Upgrading to SSL v 5.5 .....................................................................................................................142

Admin Guide

ix

Launching the v 5.5 Administration Tool .....................................................................................143
Troubleshooting ..................................................................................................................................143
Troubleshooting the Web Interface ...............................................................................................143
Other Issues ........................................................................................................................................144

APPENDIX B Using Firewalls with Firebox SSL VPN Gateway

...............................................149
BlackICE PC Protection ......................................................................................................................150
McAfee Personal Firewall Plus .........................................................................................................150
Norton Personal Firewall ...................................................................................................................151
Sygate Personal Firewall (Free and Pro Versions) .....................................................................151
Tiny Personal Firewall .........................................................................................................................151
ZoneAlarm Pro ......................................................................................................................................152

APPENDIX C Installing Windows Certificates

...............................................................................153
To install Cygwin ...............................................................................................................................153
Unencrypting the Private Key .........................................................................................................154
To unencrypt the private key ..........................................................................................................154
Converting to a PEM-Formatted Certificate ...............................................................................155
To convert the certificate from PKCS7 to PEM format ...............................................................155
Combining the Private Key with the Signed Certificate ........................................................155
To combine the private key with the signed certificate .............................................................156
Generating Trusted Certificates for Multiple Levels ................................................................156
To generate trusted certificates for multiple levels .....................................................................156

APPENDIX D Examples of Configuring Network Access

.........................................................159
Scenario 1: Configuring LDAP Authentication and Authorization ....................................160
Preparing for the LDAP Authentication and Authorization Configuration ..........................160
Configuring the Firebox SSL VPN Gateway to Support Access to the Internal Network
Resources ......................................................................................................................................163
Scenario 2: Creating Guest Accounts Using the Local Users List ........................................169
Creating a Guest User Authentication Realm .............................................................................170
Creating Local Users .........................................................................................................................171
Creating and Assigning a Network Resource to the Default User Group ..............................171
Scenario 3: Configuring Local Authorization for Local Users ..............................................172

APPENDIX E Legal and Copyright Information

x

............................................................................173

WatchGuard SSL VPN Gateway

CHAPTER 1

Getting Started with Firebox SSL
VPN Gateway

This chapter describes who should read the Firebox SSL VPN Gateway Administration Guide, how it is
organized, and its document conventions.

Audience
This user guide is intended for system administrators responsible for installing and configuring the Firebox SSL VPN Gateway. This document assumes that the Firebox SSL VPN Gateway is connected to an
existing network and that the administrator has experience configuring that network.

Operating System Requirements
The Firebox SSL VPN Gateway Administration Tool and Secure Access Client software can run on the following operating systems:
• Windows 2000 Professional
• Windows 2000 Server
• Windows XP Home Edition
• Windows XP Professional
• Windows Server 2003
• Windows Vista 32-bit
• Linux 2.4 platforms (all distributions)

Administration Guide

1

Document Conventions

Document Conventions
Firebox SSL VPN Gateway documentation uses the following typographic conventions for menus, commands, keyboard keys, and items in the program interface:
Convention

Meaning

Boldface

Commands, names of interface items such as text boxes, option buttons, and user
input.

Italics

Placeholders for information or parameters that you provide. For example, filename in
a procedure means you type the actual name of a file. Italics also are used for new
terms and the titles of books.

%SystemRoot%

The Windows system directory, which can be WTSRV, WINNT, WINDOWS, or other
name you specify when you install Windows.

Monospace

Text displayed in a text file.

{ braces }

A series of items, one of which is required in command statements. For example, { yes |
no } means you must type yes or no. Do not type the braces themselves.

[ brackets ]

Optional items in command statements. For example, [/ping] means that you can type
/ping with the command. Do not type the brackets themselves.

| (vertical bar)

A separator between items in braces or brackets in command statements. For example,
{ /hold | /release | /delete } means you type /hold or /release or /delete.

… (ellipsis)

You can repeat the previous item or items in command statements. For example, /
route:devicename[,…] means you can type additional devicenames separated by
commas.

LiveSecurity Service Solutions
The number of new security problems and the volume of information about network security continues
to increase. We know that a firewall is only the first component in a full security solution. The WatchGuard® Rapid Response Team is a dedicated group of network security personnel who can help you to
control the problem of too much security information. They monitor the Internet security web sites to
identify new security problems.

Threat responses, alerts, and expert advice
After a new threat is identified, the WatchGuard Rapid Response Team sends you an e-mail to tell you
about the problem. Each message gives full information about the type of security problem and the
procedure you must use to make sure that your network is safe from attack.

Easy software updates
LiveSecurity® Service saves you time because you receive an e-mail when we release new version of
your software. These continued updates make sure that you do not have to use your time to find new
software.

Access to technical support and training
You can find information about your WatchGuard products quickly with our many online resources. You
can also speak directly to one of the WatchGuard technical support personnel. Use our online training to

2

Firebox SSL VPN Gateway

LiveSecurity Service Broadcasts

learn more about your WatchGuard Firebox® and network security, or find a WatchGuard Certified Training Center in your area.

LiveSecurity Service Broadcasts
The WatchGuard® Rapid Response Team regularly sends messages and software information directly to
your computer desktop by e-mail. We divide the messages into categories to help you to identify and
make use of incoming information immediately.

Information Alert
Information Alerts give you a fast view of the newest information and threats to Internet
security. The WatchGuard Rapid Response Team frequently recommends that you make a
security policy change to protect against the new threat. When necessary, the Information Alert
includes instructions on the procedure.
Threat Response
If a new security threat makes it necessary, the WatchGuard Rapid Response Team transmits a
software update for your Firebox®. The Threat Response includes information about the security
threat and instructions on how to download a software update and install it on your Firebox
and management station.
Software Update
When necessary, WatchGuard updates the WatchGuard System Manager software. Product
upgrades can include new features and patches. When we release a software update, you get
an e-mail with instructions on how to download and install your upgrade.
Editorial
Each week, top network security personnel come together with the WatchGuard Rapid
Response Team to write about network security. This continuous supply of information can help
your network be safe and secure.
Foundations
The WatchGuard Rapid Response Team also writes information specially for security
administrators, employees, and other personnel that are new to this technology.
Loopback
At the end of each month LiveSecurity® Service sends you an e-mail with a summary of the
information sent that month.
Support Flash
These short training messages can help you to operate WatchGuard products. They are an
added resource to the other online resources:
• Online Help
• FAQs
• Known Issues pages on the Technical Support web site
Virus Alert
WatchGuard has come together with antivirus vendor McAfee to give you the most current
information about computer viruses. Each week, we send you a message with a summary of the
virus traffic on the Internet. When a hacker releases a dangerous virus on the Internet, we send
a special virus alert to help you protect your network.

Administration Guide

3

LiveSecurity Service Self Help Tools

New from WatchGuard
When WatchGuard releases a new product, we first tell you — our customers. You can learn
about new features and services, product upgrades, hardware releases, and promotions.

Activating LiveSecurity Service
You can activate LiveSecurity® Service through the activation section of the LiveSecurity web pages.

Note
To activate LiveSecurity Service, you must enable JavaScript on your browser.

To activate LiveSecurity Service through the Internet:
1 Make sure that you have your Firebox® serial number. This is necessary during the LiveSecurity
activation procedure.
• You can find the Firebox serial number on a label on the rear side of the Firebox below the
Universal Product Code (UPC), or on a label on the bottom of the Firebox.
• The license key numbers for LiveSecurity and LiveSecurity Tunnel Renewals are on the
WatchGuard LiveSecurity License Key certificate. Make sure that you enter the license key in
all capital letters and include hyphens.
2 Use your web browser to go to:
www.watchguard.com/account/register.asp
The Account page appears.

3

Complete the LiveSecurity Activation page. Use the TAB key or the mouse to move through the
fields on the page.
You must complete all the fields to activate correctly. This information helps WatchGuard to send you the
information and software updates that are applicable to your products.

4

5

Make sure that your e-mail address is correct. Your LiveSecurity e-mails about product updates and
threat responses come to this address. After you complete the procedure, you get an e-mail
message that tells you that you activated LiveSecurity Service succesfully.
Click Register.

LiveSecurity Service Self Help Tools
Online Self Help Tools enable you to get the best performance from your WatchGuard® products.

Note
You must activate LiveSecurity® Service before you can access online resources.

Instant Answers
Instant Answers is a guided Help tool designed to give solutions to product questions very
quickly. Instant Answers asks you questions and then gives you to the best solution based on
the answers you give.
Basic FAQs
The Basic FAQs (frequently asked questions) give you general information about the Firebox®
and the WatchGuard System Manager software. They are written for the customer who is new
to network security and to WatchGuard products.

4

Firebox SSL VPN Gateway

WatchGuard Users Forum

Advanced FAQs
The Advanced FAQs (frequently asked questions) give you important information about
configuration options and operation of systems or products. They add to the information you
can find in this User Guide and in the Online Help system.
Fireware® “How To”’s
The Fireware How To documentation helps you to quickly find procedures for configuration
tasks specific to Fireware appliance software.
Known Issues
This Known Issues tool monitors WatchGuard product problems and software updates.
WatchGuard Users Forum
The WatchGuard Technical Support team operates a web site where customers can help each
other with WatchGuard products. Technical Support monitors this forum to make sure you get
accurate information.
Online Training
Browse to the online training section to learn more about network security and WatchGuard
products. You can read training materials and get a certification in WatchGuard products. The
training includes links to a wide range of documents and web sites about network security. The
training is divided into parts, which lets you use only the materials you feel necessary. To learn
more about online training, browse to:
www.watchguard.com/training/courses_online.asp
Learn About
Learn About is a list of all resources available for a specified product or feature. It is a site map
for the feature.
Product Documentation
The WatchGuard web site has a copy of each product user guide, including user guides for
software versions that are no longer supported. The user guides are in .pdf format.
General Firebox X Edge and Firebox SOHO Resources
This section of the web site shows basic information and links for Firebox X Edge and Firebox
SOHO customers. It can help you to install and use the Firebox X Edge and SOHO hardware.
To get access to the LiveSecurity Service Self Help Tools:
1 Start your web browser. In the address bar, type:
http://www.watchguard.com/support
2 Click Self Help Tools.
You must log in.

3

Click your selection.

WatchGuard Users Forum
The WatchGuard® Users Forum is an online group. It lets users of WatchGuard products interchange
product information about:
• Configuration
• Connecting WatchGuard products and those of other companies
• Network policies

Administration Guide

5

Online Help

This forum has different categories that you can use to look for information. The Technical Support team
controls the forum during regular work hours. You do not get special help from Technical Support when
you use the forum. To contact Technical Support directly from the web, log in to your LiveSecurity
account. Click on the Incidents link to send a Technical Support incident.

Using the WatchGuard Users Forum
To use the WatchGuard Users Forum you must first create an account. Browse to http://www.watchguard.com/forum for instructions.

Online Help
Online Help for the Firebox SSL VPN Gateway is included in the application software. It is available in the
pane on the left side of your application window.

Product Documentation
We copy all user guides to the web site at http://www.watchguard.com/help/documentation.

Technical Support
Your LiveSecurity® Service subscription includes technical support for the WatchGuard® System Manager software and Firebox® hardware. To learn more about WatchGuard Technical Support, browse to
the WatchGuard web site at:
http://www.watchguard.com/support

Note
You must activate LiveSecurity Service before you can get technical support.

LiveSecurity Service technical support
All new Firebox products include the WatchGuard LiveSecurity Technical Support Service. You can speak
with a member of the WatchGuard Technical Support team when you have a problem with the installation, management, or configuration of your Firebox.

Hours
WatchGuard LiveSecurity Technical Support operates from 6:00 AM to 6:00 PM in your local
time zone, Monday through Friday.
Telephone number
877.232.3531 (select option #2) in United States and Canada
+1.206.613.0456 in all other countries
Web site
http://www.watchguard.com/support

6

Firebox SSL VPN Gateway

Training and Certification

Service time
We try for a maximum response time of four hours.
Single Incident Priority Response Upgrade (SIPRU) and Single Incident After Hours Upgrade (SIAU) are
also available. For more data about these upgrades, refer to the WatchGuard web site at:
http://www.watchguard.com/support

LiveSecurity Gold
WatchGuard Gold LiveSecurity Technical Support adds to your standard LiveSecurity Service. We recommend that you get this upgrade if you use the Internet or VPN tunnels for most of your work.
With WatchGuard Gold LiveSecurity Technical Support you get:
• Technical support 24 hours a day, seven days a week, including holidays.
• The Technical Support Team operates the support center from 7 PM Sunday to 7 PM Friday
(Pacific Time). For weekend support for critical problems, use the on-call paging system.
• We try for a maximum response time of one hour.
• To create a support incident, call WatchGuard LiveSecurity Technical Support. A Customer Care
representative records the problem and gives you an incident number. A Priority Support
technician calls you as quickly as possible. If you have a critical problem when the support center
is not open, use the LiveSecurity Technical Support phone number to page a technician.
You can also send an incident on the web site at: http://www.watchguard.com/support/
incidents/newincident.asp.

Firebox Installation Service
WatchGuard Remote Firebox Installation Service helps you to install and configure your Firebox. You can
schedule two hours with a WatchGuard Technical Support team member. The technician helps you to:
• Do an analysis of your network and security policy
• Install the WatchGuard System Manager software and Firebox hardware
• Align your configuration with your company security policy
This service does not include VPN installation.

VPN Installation Service
WatchGuard Remote VPN Installation Service helps you through a full VPN installation. You can schedule a two-hour time with one of the WatchGuard Technical Support team. During this time, the technician helps:
• Do an analysis of your VPN policy
• Configure your VPN tunnels
• Do a test of your VPN configuration
You can use this service after you correctly install and configure your Firebox devices.

Training and Certification
WatchGuard® product training is available online to help you learn more about network security and
WatchGuard products. You can find training materials on the Technical Support web site and prepare for

Administration Guide

7

Training and Certification

a certification exam. The training materials include links to books and web sites with more information
about network security.
WatchGuard product training is also available at a location near you through a large group of WatchGuard Certified Training Partners (WCTPs). Training partners give training using certified training materials and with WatchGuard hardware. You can install and configure the products with an advanced
instructor and system administrator to help you learn. To find a training partner, go to
http://www.watchguard.com/training/partners_locate.asp

8

Firebox SSL VPN Gateway

CHAPTER 2

Introduction to Firebox SSL VPN
Gateway

WatchGuard Firebox SSL VPN Gateway is a universal Secure Socket Layer (SSL) virtual private network
(VPN) appliance that provides a secure single point-of-access to any information resource — both data
and voice. Combining the best features of Internet Protocol Security (IPSec) and SSL VPN, without the
costly and cumbersome implementation and management, Firebox SSL VPN Gateway works through
any firewall and supports all applications and protocols. It is fast, simple, and cost-effective to deploy
and maintain with a Web-deployed and automatically updating client. Users receive a consistent desklike user experience with “always-on” connectivity, an integrated worm-blocking client, and integrated
end-point scanning. With the Firebox SSL VPN Gateway, organizations can quickly and easily deploy one
product for all of their secure remote access needs.
The Firebox SSL VPN Gateway gives the remote user seamless, secure access to authorized applications
and network resources. Remote users can work with files on network drives, email, intranet sites, and
applications just as if they are working inside of their organization’s firewall.
The Firebox SSL VPN Gateway also provides kiosk mode, which opens a virtual network computing-like
connection to the Firebox SSL VPN Gateway. Kiosk mode can include shared network drives, a variety of
built-in clients, servers running Windows Terminal Services (Remote Desktop), and client applications.
The following topics provide an overview to the Firebox SSL VPN Gateway:
• Overview
• New Features
• The User Experience
• Deployment and Administration
• Using the Firebox SSL VPN Gateway
• Using Kiosk Mode

Overview
The Firebox SSL VPN Gateway is typically installed in the network demilitarized zone (DMZ) between the
public and private networks. Placing the Firebox SSL VPN Gateway in front of the private network protects internal server and IT resources. The Firebox SSL VPN Gateway can also partition internal local area
networks for access control and security between any two networks, such as wired/wireless and data/
voice networks.

Administration Guide

9

Overview

As shown in the following illustration, the Firebox SSL VPN Gateway is appropriate for employees
accessing the organization remotely and intranet access from restricted LANs such as wireless networks.

Network topography showing the Firebox SSL VPN Gateway in the DMZ.
The following illustration shows how the Firebox SSL VPN Gateway creates a secure virtual TCP circuit
between the client computer running the Secure Access Client and the Firebox SSL VPN Gateway.

Network topology showing the TCP circuit.

10

Firebox SSL VPN Gateway

New Features

The virtual TCP circuit is using industry standard Secure Socket Layer (SSL) and Transport Layer Security
(TLS) encryption. All packets destined for the private network are transported over the virtual TCP circuit. The Firebox SSL VPN Gateway is essentially acting as a low-level packet filter with encryption. It
drops traffic that does not have authentication or does not have permission for a particular network.
The Firebox SSL VPN Gateway opens up the following ports:
• Port 443 is opened for VPN network traffic
• Ports 9001 and 9002 are opened for administrator traffic for the Administration Portal and
Administration Tool
The first time the Firebox SSL VPN Gateway is started, use the Firebox SSL VPN Gateway Administration
Tool to configure the basic settings that are specific to your corporate network, such as the IP address,
subnet mask, default gateway IP address, and DNS address. After you complete the basic connection,
you then configure the settings specific to Firebox SSL VPN Gateway operation, such as the options for
authentication, authorization, and group-based access control, kiosk mode, end point resources and
polices, portal pages, and IP pools.

New Features
The v5.5 software update for the Firebox SSL Core VPN Gateway includes the following new features:

Authentication and one-time passwords
You can configure the Firebox SSL VPN Gateway to prevent caching of one-time passwords, such as
those used by an RSA SecurID. When this feature is enabled, it prevents users from being locked out of
their accounts in the event of a network interruption.

New versions of the Secure Access Client
There is a new version of the Secure Access Client for Windows Vista. This version of the Secure Access
Client is installed with the same ease-of-use as other versions of the Secure Access Client.

Configurable symmetric encryption ciphers
You can select the specific cipher that the Firebox SSL VPN Gateway uses for symmetric data encryption
on an SSL connection. You can select one of these three encryption ciphers:
RC4 128 Bit, MD5/SHA
3DES, SHA
AES 128/256 Bit, SHA

Automatic detection of proxy server settings
In this release, the Secure Access Client automatically detects the proxy server settings specified in the
operating system and when users are using Internet Explorer. Proxy server settings specified in proxy
autoconfiguration files are not supported.

Administration Guide

11

New Features

Secure Access Client connections
The Secure Access Client included in this release can connect to earlier versions of the Firebox SSL VPN
Gateway. Also,earlier versions of the Secure Access Client can connect to this release of the Firebox SSL
VPN Gateway if enabled on the Global Cluster Policies tab.

Automatic port redirection
You can configure the Firebox SSL VPN Gateway so that any unsecure HTTP connection attempt on port
80 is automatically redirected by the Firebox SSL VPN Gateway to a secure HTTPS connection attempt
on port 443 (or other administrator-specified port).

Disable desktop sharing
You can disable the desktop sharing feature of the Secure Access Client for a user group. The Secure
Access Client desktop sharing feature allows a user to view a list of all other users who are logged on. If
this capability causes privacy concerns for your organization, you can disable the desktop sharing feature to prevent a specific group of users from viewing the list of online users.

Additional control over Secure Access Client connections
You can configure the Secure Access Client to disconnect from the Firebox SSL VPN Gateway if there is
no user activity on the connection for a specific time interval. You can also force a client disconnection if
the connection remains active for a specific time interval or if the Firebox SSL VPN Gateway does not
detect keyboard or mouse activity.

Disable kiosk mode
In this release, you can disable kiosk mode for client connections. When kiosk mode is disabled, users do
not see the kiosk link on the Web portal page. Users are only allowed to log on using the full Secure
Access Client.

Specify multiple ports and port ranges for network resources
This release allows you to configure port ranges. You have four options when configuring the ports the
Firebox SSL VPN Gateway uses to connect to internal network resources. You can specify a single port,
multiple individual ports, a range of ports, or all ports.

Voice over IP softphone support
The Firebox SSL VPN Gateway supports voice over IP softphones from Avaya, Nortel, and Cisco.

Editable HOSTS file
You can edit the HOSTS file on the Firebox SSL VPN Gateway from the user interface of the Administration Tool. The Firebox SSL VPN Gateway uses the HOSTS file in conjunction with DNS servers to force
DNS resolution to translate host names to IP addresses.

12

Firebox SSL VPN Gateway

Features

NTLM authentication and authorization support.
If your environment includes Windows NT 4.0 domain controllers, the Firebox SSL VPN Gateway can
authenticate users against the user domain accounts maintained on the Windows NT server. The Firebox SSL VPN Gateway can also authorize users to access internal network resources based on a user’s
group memberships on the Windows NT 4.0 domain controller.

Added challenge-response to RADIUS user authentication
The Access Gateway now supports challenge-response token authentication with new PIN and next
token modes when RSA SecurID authentication is used with RADIUS.

SafeWord PremierAccess changed to support standards-based RADIUS token user
authentication
The proprietary PremierAccess configuration file has been removed and replaced using RADIUS server
support. Legacy SafeWord PremierAccess realms are converted when the Firebox SSL VPN Gateway is
upgraded to Version 5.5. SafeWord authentication is configured using RADIUS-style parameters.

Updated serial console menu
There are new menu items on the serial console allowing you to change the Firebox SSL VPN Gateway
administrator password, set the duplex mode and network adapter speed, and revert to the default certificate that comes with the Firebox SSL VPN Gateway. Enhanced End-point and application access policies

Features
Administration Tool
The Firebox SSL VPN Gateway provides the Administration Tool to configure all of the settings for one or
more Firebox SSL VPN Gateway appliances. If you have more than one Firebox SSL VPN Gateway
installed, you can configure the settings once and then publish them to all of the appliances.
The Administration Tool is downloaded from the Firebox SSL VPN Gateway Administration Portal and
installed on a Windows computer that is located in the secure network. A desktop icon allows you to
start the Administration Tool without going to the Administration Portal.
The following sections describe the Administration Tool and where to configure the settings.

Networking, Logging, and Administration
Whether you deploy one or more appliances, basic administration of each Firebox SSL VPN Gateway is
done using the VPN Gateway Cluster tab. This includes:
• Network configuration
• Logging
• Administration
• Statistics
• Licensing

Administration Guide

13

Features

•
•
•
•

Date and time configuration
Certificate generation and installation
Restarting and shutting down the Firebox SSL VPN Gateway
Saving and reinstalling configuration settings

Note
If the Firebox SSL VPN Gateway is upgraded to Version 5.5 from an earlier version, you must uninstall
and then reinstall the latest Administration Tool. You can uninstall the earlier version of the
Administration Tool using Add/Remove Programs in Control Panel.

User Groups, Local Users, and Resources
User groups, local users, and policies are configured on the Access Policy Manager tab. On this tab, you
can configure the following:
• Network resources
• Application policies
• File sharing
• Kiosk resources
• End point resources and policies
• Local users

Authentication and Authorization
Authentication and authorization are configured on the Authentication tab.
Double-source authentication (also known as two-factor authentication) is new for this release of the
Firebox SSL VPN Gateway.

Firebox SSL VPN Gateway Settings
The following table maps the Firebox SSL VPN Gateway settings.

Note
To configure group settings on the Access Policy Manager tab, right-click a group and then click
Properties.

Feature

Firebox SSL VPN Gateway

General Networking

VPN Gateway Cluster > General Networking

DNS/WINS

VPN Gateway Cluster > Name Service Providers

Dynamic and Static Routing

VPN Gateway Cluster > Routes

Firebox SSL VPN Gateway Failover Servers (includes internal
failover)

VPN Gateway Cluster > Failover Servers

Logging Information

VPN Gateway Cluster > Logging/Settings

Certificate Requests

VPN Gateway Cluster > Generate CSR

Certificate Installation

VPN Gateway Cluster > Administration

14

Firebox SSL VPN Gateway

Features

Feature

Firebox SSL VPN Gateway

Server Upgrade

VPN Gateway Cluster > Administration

Server Restart

VPN Gateway Cluster > Administration

Server Shut Down

VPN Gateway Cluster > Administration

Server Statistics

VPN Gateway Cluster > Statistics

Licensing

VPN Gateway Cluster > Licensing

Date and Time

VPN Gateway Cluster > Date

Enable External Administration

VPN Gateway Cluster > Administration

Saving and Restoring Server Configuration

VPN Gateway Cluster > Administration

Enable Split Tunneling

Global Cluster Policies

Accessible Networks

Global Cluster Policies

Deny Access without ACL

Global Cluster Policies

Require SSL Client Certificates

Global Cluster Policies

Validate SSL Certificates for Internal Connections

Global Cluster Policies

Improve Latency for Voice over IP Traffic

Global Cluster Policies

Internal Failover

Global Cluster Polices

Enable Portal Page Authentication

Global Cluster Policies

Configuration of Double Source Authentication

Two Source radio button

Authentication and Authorization (LDAP, RADIUS, RSA SecurID, Authentication > Authentication
Authentication > Authorization
local, and Safeword PremierAccess)
Local Users

Access Policy Manager

Inherit Default Group Properties

Access Policy Manager > User Groups > Properties > General

Authentication after network interruption

Access Policy Manager > User Groups > Properties > General

Authenticate upon system resume
Enable Single Sign-On

Access Policy Manager > User Groups > Properties > General

Run Logon Scripts

Access Policy Manager > User Groups > Properties > General

Session Time-out

Access Policy Manager > User Groups > Properties > General

Deny Applications without Policies

Access Policy Manager > User Groups > Properties > General

Enable Split DNS

Access Policy Manager > User Groups > Properties >
Networking

Enable IP pools

Access Policy Manager > User Groups > Properties >
Networking

Custom Portal Page

Access Policy Manager > User Groups > Properties > Gateway
Portal

Web Interface Configuration (defines portal homepage and
proxy server)

Access Policy Manager > User Groups > Properties > Gateway
Portal

Passthrough Authentication

Access Policy Manager > User Groups > Properties > Gateway
Portal

Administration Guide

15

The User Experience

Feature

Firebox SSL VPN Gateway

Use SSL/TLS
Local Group Users

Access Policy Manager > User Groups > Properties >
Members

Client Certificate Criteria Expression

Access Policy Manager > User Groups > Properties > Client
Certificates

Network Resource Groups

Access Policy Manager > Network Resources

Application Policies

Access Policy Manager > Application Policies

File Share Resources

Access Policy Manager > File Share Resources

Kiosk Resources and Policies

Access Policy Manager > Kiosk Resources

End Point Resource and Policies

Access Policy Manger > End Point Resources
Access Policy Manager > End Point Policies

Pre-Authentication Policies

Access Policy Manager > Global Policies

Portal Page Configuration

Portal Page Configuration

Group Priority

Group Priority

Publish

Publish

Feature Summary
The following are key Firebox SSL VPN Gateway features:
• Universal SSL VPN. Supports all applications and protocols that improve productivity by
providing users with access to the applications and resources they need, without the need for
customization or converting the content for Web access.
• Standards-based security. Information is kept private and protected using industry standard SSL/
TLS encryption. Users are authenticated using standards such as LDAP, RADIUS, double-source
authentication, and client and server certificates.
• Web-deployed client. There is no need to preinstall or manage complex client software, reducing
the cost of ownership. (Note that a user must have Administrator access on the Windows
computer to install the client from the Web).
• Desk-like access. Users receive the same network experience and application access as if
physically connected to the corporate network.
• Always-on access. Automatically reconnects users to the appliance as soon as the network
connection is restored. Reduces user frustration when using public networks, such as wireless
connections in hotels or airports.
• Integrated end-point scanning. Ensures that the computer meets corporate standards to connect
and remains safe for connection to the network.
• Hides internal IP addresses. There is no IP stack or routing table entry, so internal IP addresses are
hidden, reducing the threat of worms propagating.

The User Experience
The Firebox SSL VPN Gateway provides users with the desk-like network experience that they have with
an IPSec VPN, but does so without any need to pre-install or configure a client. The user starts the

16

Firebox SSL VPN Gateway

Deployment and Administration

Secure Access Client by typing a secure Web address in a standard Web browser and providing authentication credentials.
Because the Firebox SSL VPN Gateway encrypts traffic using standard SSL/TLS, it can traverse firewalls
and proxy servers, regardless of the client location. For a more detailed description of the user experience, see “Connecting from a Private Computer” on page 119.
The following illustration shows the Windows version of the Access Portal.

Connecting to the Firebox SSL Access Portal.

Note
The Firebox SSL Access Portal can be customized. For more information, see “Using Portal Pages” on
page 38. You can also include a link to the clients on a Web site. For more information, see “Linking to
Clients from Your Web Site” on page 41.

After a successful logon, the user can work with network shares and use applications just as if the user
were sitting in the office.

Deployment and Administration
The Firebox SSL VPN Gateway is quick and easy to deploy and simple to administer. The most typical
deployment configuration is to locate the Firebox SSL VPN Gateway behind your firewall or in the demilitarized zone (DMZ). More complex deployments, such as with a server load balancer, are also supported and described in this chapter.
The first time the Firebox SSL VPN Gateway is started, use the Firebox SSL VPN Gateway Administration
Tool to configure the basic settings that are specific to your corporate network, such as the Firebox SSL
VPN Gateway IP address, subnet mask, default gateway IP address, and DNS address. After you complete
the basic connection, you then configure the settings specific to Firebox SSL VPN Gateway operation,
such as the options for authentication, authorization, and group-based access control; kiosk mode, end
point resources and polices, portal pages, and IP pools.
Firebox SSL VPN Gateway monitoring is performed through the Firebox SSL VPN Gateway Administration Desktop, providing access to a variety of standard network monitoring tools, including Ethereal
Network Monitor, xNetTools, Traceroute, fnetload, and System Monitor. The Firebox SSL VPN Gateway

Administration Guide

17

Planning your deployment

Administration Desktop also provides access to the Real-Time Monitor, where you can view a list of current users and close the connection for any user.

Planning your deployment
This chapter discusses deployment scenarios for the Firebox SSL VPN Gateway. You can deploy the Firebox SSL VPN Gateway at the perimeter of your organization’s internal network (or intranet) to provide a
secure single point-of-access to the servers, applications, and other network resources residing in the
internal network. All remote users must connect to the Firebox SSL VPN Gateway before they can access
any resources on the internal network.
This section discusses the following Firebox SSL VPN Gateway deployments:
• Deploying the Firebox SSL VPN Gateway in the network demilitarized zone (DMZ)
• Deploying the Firebox SSL VPN Gateway in a secure network that does not have a DMZ

Deploying the Firebox SSL VPN Gateway in the Network DMZ
Many organizations protect their internal network with a DMZ. A DMZ is a subnet that lies between an
organization’s secure internal network and the Internet (or any external network). When the Firebox SSL
VPN Gateway is deployed in the DMZ, users access it using the Secure Access Client or the kiosk client.
In this configuration, you install the Firebox SSL VPN Gateway in the DMZ and configure it to connect to
both the Internet and the internal network. When you deploy the Firebox SSL VPN Gateway in the DMZ,
client connections must traverse the first firewall to connect to the Firebox SSL VPN Gateway. By default,
clients use Secure Sockets Layer (SSL) on port 443 to establish this connection. To support this connectivity, you must allow SSL on port 443 through the first firewall.

Note
You can change the port clients use to connect to the Firebox SSL VPN Gateway by altering the port
setting in the Administration Tool. This port setting is discussed in “Configuring TCP/IP Settings Using
Network Cables”.

. The Firebox SSL VPN Gateway decrypts the SSL connections from the client and establishes a connection on behalf of the client to the network resources behind the second firewall. The ports that must be
open through the second firewall are dependent on the network resources that you authorize external
users to access.
For example, if you authorize external users to access a Web server in the internal network, and this
server listens for HTTP connections on port 80, you must allow HTTP on port 80 through the second firewall. The Firebox SSL VPN Gateway establishes the connection through the second firewall to the HTTP
server on the internal network on behalf of the external clients.
The Firebox SSL VPN Gateway administrative tools available on the Firebox SSL VPN Gateway also listen
for connections on these ports:
• Port 9001 - Connections to the Administration Portal occur on this port.
• Port 9002 - Connections to the Administration Tool occur on this port

Deploying the Firebox SSL VPN Gateway in a Secure Network
You can install the Firebox SSL VPN Gateway in the secure network. In this scenario, there is typically one
firewall between the Internet and the secure network. The Firebox SSL VPN Gateway resides inside the
firewall to control access to the network resources.

18

Firebox SSL VPN Gateway

Planning for Security with the Firebox SSL VPN Gateway

When an Firebox SSL VPN Gateway is deployed in the secure network, the Secure Access Client or kiosk
client connections must traverse the firewall to connect to the Firebox SSL VPN Gateway. By default,
both of these clients use the SSL protocol on port 443 to establish this connection. To support this connectivity, you must open port 443 on the firewall.

Note
You can change the port on which clients connect to the Firebox SSL VPN Gateway by altering the port
setting in the Administration Tool. This port setting is discussed in “Configuring TCP/IP Settings Using
Network Cables”.

Planning for Security with the Firebox SSL VPN Gateway
When planning any type of Firebox SSL VPN Gateway deployment, there are basic security issues associated with certificates, authentication, and authorization that you should understand.

Configuring Secure Certificate Management
By default, the Firebox SSL VPN Gateway includes a self-signed SSL server certificate that enables it to
complete SSL handshakes. Self-signed certificates are adequate for testing or sample deployments, but
are not recommended for production environments.
Before you deploy the Firebox SSL VPN Gateway in a production environment, WatchGuard recommends that you request and receive a signed SSL server certificate from a known Certificate Authority
and upload it to the Firebox SSL VPN Gateway.
If you deploy the Firebox SSL VPN Gateway in any environment where the Firebox SSL VPN Gateway
must operate as the client in an SSL handshake (initiate encrypted connections with another server),
you must also install a trusted root certificate on the Firebox SSL VPN Gateway. For more information
about root certificates, see “Installing Root Certificates on the Firebox SSL VPN Gateway” on page 112.
For more information about certificates, see “Creating and Installing Secure Certificates” on page 109.

Authentication Support
You can configure the Firebox SSL VPN Gateway to authenticate users and control the level of access (or
authorization) that users have to the network resources on the internal network.
Before deploying the Firebox SSL VPN Gateway, your network environment should have the corporate
directories and authentication servers in place to support one of these authentication types:
• LDAP
• RADIUS
• RSA SecurID
• NTLM
• Secure Computing SafeWord products
If your environment supports none of the authentication types listed above, or you have a small population of remote users, you can create a list of local users on the Firebox SSL VPN Gateway and configure
the Firebox SSL VPN Gateway to authenticate users against this local list. With this configuration, it is not
necessary to maintain user accounts in a separate, external directory.
For more information about authentication and authorization, see “Configuring Authentication and
Authorization” on page 61.

Administration Guide

19

Installing the Firebox SSL VPN Gateway for the First Time

Deploying Additional Appliances for Load Balancing and Failover
You can install multiple Firebox SSL VPN Gateway appliances into your environment for one or both of
these reasons:
• Scalability. If you have a large remote user population, install additional Firebox SSL VPN
Gateway appliances to accommodate the user load.
• High Availability. If an Firebox SSL VPN Gateway fails, you can install an additional Firebox SSL
VPN Gateway to ensure that the internal network remains available to remote users.

Note
To support only high availability, you can configure one Firebox SSL VPN Gateway as the primary
Firebox SSL VPN Gateway and one (or more) Firebox SSL VPN Gateway appliances as a failover device. If
the primary Firebox SSL VPN Gateway fails, client connections are directed to the failover Firebox SSL
VPN Gateway. For more information about this configuration, see “Configuring Firebox SSL VPN
Gateway Failover” on page 55.

To support both scalability and high availability, you can install a load balancer and then install multiple
Firebox SSL VPN Gateway appliances behind the load balancer. Deploying multiple appliances behind a
load balancer enables you to support a large population of remote users and maintain high availability
of the internal network to the users.

Installing the Firebox SSL VPN Gateway for the First Time
The Firebox SSL VPN Gateway installs in any network infrastructure without requiring changes to the
existing hardware or back-end software. It works with other networking products such as cache
engines, firewalls, routers, and IEEE 802.11 wireless devices.
WatchGuard recommends installing the Firebox SSL VPN Gateway in the corporate demilitarized zone
(DMZ). When installed in the DMZ, the Firebox SSL VPN Gateway participates on two networks: a private
network and a public network with a publicly routable IP address. Typically, the private network is the
corporate network and the public one is the Internet. You can also use the Firebox SSL VPN Gateway to
partition local area networks internally in the organization for access control and security. You can create partitions between wired or wireless networks and data and voice networks.

Getting Ready to Install the Firebox SSL VPN Gateway
Before installing the Firebox SSL VPN Gateway, collect materials for the initial configuration and for the
connection to your network.
For initial configuration, use one of the following setups:
• A cross-over cable and a Windows computer
• Two network cables, a network switch, and a Windows computer
• A serial cable and a computer with terminal emulation software
For a connection to a local area network, use the following items:
• One network cable to connect the Firebox SSL VPN Gateway inside of a firewall.
• Two network cables to connect the Firebox SSL VPN Gateway located in the demilitarized zone
(DMZ) to the Internet and private networks
Collect the following network information for appliances:
• The Firebox SSL VPN Gateway internal IP address and subnet mask
• The Firebox SSL VPN Gateway external IP address and subnet mask

20

Firebox SSL VPN Gateway

Installing the Firebox SSL VPN Gateway for the First Time

• The Firebox SSL VPN Gateway FQDN for network address translation (NAT)
• The IP address of the default gateway device
• The port to be used for connections
If connecting the Firebox SSL VPN Gateway to a server load balancer:
• The Firebox SSL VPN Gateway IP address and subnet mask.
• The settings of the server load balancer as the default gateway device (if required). See the load
balancer manufacturer’s documentation for more information.
• The FQDN of the server load balancer to be used as the external public address of the Firebox SSL
VPN Gateway.
• The port to be used for connections.

Note
The Firebox SSL VPN Gateway does not work with Dynamic Host Configuration Protocol (DHCP). The
Firebox SSL VPN Gateway requires the use of static IP addresses.

Setting Up the Firebox SSL VPN Gateway Hardware
This section provides procedures for setting up the Firebox SSL VPN Gateway for the first time.

To physically connect the Firebox SSL VPN Gateway
1
2
3
4

Install the Firebox SSL VPN Gateway in a rack if it is rack-mounted.
Connect the power cord to the AC power receptacle.
Connect either the serial cable to a Windows computer, a cross-over cable to a Windows computer,
or an RJ-45 network cable to a network switch and the Access Gateway.
Configure the TCP/IP settings using the instructions in “Configuring TCP/IP Settings for the Firebox
SSL VPN Gateway”

Configuring TCP/IP Settings for the Firebox SSL VPN Gateway
The preconfigured IP address of the Firebox SSL VPN Gateway is 10.20.30.40. The IP address can be
changed using a serial cable and a terminal emulation program, or by connecting the Firebox SSL VPN
Gateway using network cables and the Administration Tool.
You can use the serial console to set the IP address and subnet of the Firebox SSL VPN Gateway Interface
0, as well as the IP address of the default gateway device. All other configuration must be done using the
Administration Tool. You can also use the serial console to test a connection with the ping command. If
you want to reach the Firebox SSL VPN Gateway through the serial console before making any configuration settings, use a serial cable to connect the Firebox SSL VPN Gateway to a computer that has terminal emulation software.
The serial console provides the following options for configuring the Firebox SSL VPN Gateway:
• [0] Express Setup configures the TCP/IP settings for Interface 0 on the Firebox SSL VPN
Gateway Cluster > General Networking tab
• [1] Ping is used to ping other network devices to check for connectivity
• [2] Link Modes is used to set the duplex mode and speed mode for Interface 0 on the Firebox
SSL VPN Gateway Cluster > General Networking tab
• [3] External Administration Port enables or disables connections to the Administration Tool
from a remote computer

Administration Guide

21

Installing the Firebox SSL VPN Gateway for the First Time

• [4] Display Log displays the Firebox SSL VPN Gateway log
• [5] Reset Certificate resets the certificate to the default certificate that comes with the Firebox
SSL VPN Gateway
• [6] Change Administrative Password allows you to change the default administrator password
of rootadmin

Note
Important: WatchGuard recommends changing the administrator password before connecting the
Firebox SSL VPN Gateway to your network. The new password can be six to 127 characters long and
cannot begin or end with a space.

• [7] Help displays help information
• [8] Log Out logs off from the Firebox SSL VPN Gateway

Note
WatchGuard recommends using both network adapters on the appliance. After configuring the TCP/IP
settings for Interface 0, use the Administration Tool to configure TCP/IP settings for Interface 1.

To configure TCP/IP settings using a serial cable

1
2

Connect the serial cable to the 9-pin serial port on the Firebox SSL VPN and connect the cable to a
computer that is capable of running terminal emulation software.
On the computer, start a terminal emulation application such as HyperTerminal.

Note
HyperTerminal is not automatically installed on Windows 2000 Server or Windows Server 2003. To install
HyperTerminal, use Add/Remove Programs in the Control Panel.

3
4
5
6

Set the serial connection to 9600 bits per second, 8 data bits, no parity, 1 stop bit. Hardware flow
control is optional.
Turn on the Firebox SSL VPN. The serial console appears on the computer terminal after about three
minutes.
If using HyperTerminal, press the Enter key.
On the serial console, enter the default administrator credentials. The user name is root and the
password is rootadmin.

Note
Important: Watchguard recommends changing the administrator password. You can do this using the
Administration Portal or the serial console.

To set the IP address and subnet mask and the default gateway device for Interface 0, type 0 and
press Enter to choose Express Setup. After you respond to the prompts, the information you
entered appears. To commit your changes, type y; the Access Gateway restarts.
8 To verify that the Firebox SSL VPN can ping a connected network device, type 1 and enter the IP
address of the device.
9 Remove the serial cable and connect the Firebox SSL VPN using either a cross-over cable to a
Windows computer or a network cable to a network switch and then turn on the Firebox SSL VPN.
Additional Firebox SSL VPN settings are configured using the Administration Tool.

7

22

Firebox SSL VPN Gateway

Installing the Firebox SSL VPN Gateway for the First Time

To configure TCP/IP Settings Using Network Cables
The Firebox SSL VPN Gateway has two network adapters installed. One network adapter communicates
with the Internet and client computers that are not inside the corporate network. The other network
adapter communicates with the internal network.
WatchGuard recommends that both network adapters be configured for maximum security. If only one
network adapter is used, it has to be routable for internal resources using Network Address Translation
(NAT). Also, if only one network adapter is used, throughput of network traffic is cut in half and can
cause a bottleneck of network traffic.
You can install the Firebox SSL VPN Gateway and configure TCP/IP settings using network cables, such
as two RJ-45 network cables, or cross-over cables. The RJ-45 cables are connected to a network switch
and to the Firebox SSL VPN Gateway. The cross-over cables are connected to a Windows computer and
the Firebox SSL VPN Gateway.

To configure TCP/IP settings using network cables
1

Power on the Firebox SSL VPN Gateway.
After about three minutes, the Firebox SSL VPN Gateway is ready for its initial configuration with your network.

2
3

Open a Web browser and type https://10.20.30.40:9001 to open the Administration Portal. Use the
default user name and password of root and rootadmin.
On the Downloads tab, under Firebox SSL VPN Gateway Administration Tool, click Install the
Firebox SSL VPN Gateway Administration Tool.
Follow the prompts to complete installation.

4
5
6
7
8

Log on to the Administration Tool using the default user name and password.
On the Firebox SSL VPN Gateway Cluster tab, open the window for the Firebox SSL VPN Gateway.
On the General Networking tab, under Interface 0 and Interface 1, next to IP Address, type the
new IP addresses of the appliance.
In Subnet mask, enter the subnet mask that is appropriate for the IP address entered for the
interface(s).
In External FQDN, type the fully qualified domain name.

Note
Important: The FQDN must match what is on the digital certificate and the license for the Firebox SSL
VPN Gateway.

In Duplex Mode select the direction of the transmission data. The default setting is auto. You can
also select full duplex or half duplex.
10 In Speed Mode select the network speed of the adapter.

9

The default setting is auto. You can also select 10Mbps, 100Mbps, or 1000Mbps.

11 In Maximum Transmission Unit (MTU), select the maximum transmission unit that defines the
maximum size of the transmitted packet.
The default setting is 1500.

12 In Port, select the incoming port that is used for connections. The default is 443.
13 To configure a default gateway, in IP address, type the IP address of the gateway. In Interface,
select the network adapter on the Firebox SSL VPN Gateway with which the Default Gateway
communicates.
The IP address is the default gateway device, such as the main router, firewall, or server load
balancers, depending on your network configuration. This should be the same as the Default
Gateway setting that is on computers on the same subnet.

Administration Guide

23

Using the Firebox SSL VPN Gateway

For information about the relationship between the Default Gateway and dynamic or static routing,
see “Dynamic and Static Routing” on page 51.
After you configure your network settings on the Firebox SSL VPN Gateway, you need to restart the
appliance.

Note
Note: You do not need to restart the Firebox SSL VPN Gateway until you complete all configuration
steps.These include configuring network access for the appliance and installing certificates and licenses.
For more information about configuring additional network settings, see“Configuring Firebox SSL VPN
Gateway Network Connections” on page 47.

Redirecting Connections on Port 80 to a Secure Port
By default, the Firebox SSL VPN Gateway does not accept unsecure connections on port 80. If a user
attempts to connect to the Firebox SSL VPN Gateway using HTTP on port 80, the connection attempt
fails.
You can configure the Firebox SSL VPN Gateway to automatically redirect HTTP connection attempts on
port 80 to be secure connections on port 443 (or other secure port).
If a user attempts an unsecure connection on port 80, the Firebox SSL VPN Gateway automatically converts this connection attempt into a secure (SSL-encrypted) connection on port 443.

To redirect unsecure connections
1
2
3
4
5

Click the Firebox SSL VPN Gateway Cluster tab and open the window for the Firebox SSL VPN
Gateway.
Click the General Networking tab.
Click the Advanced button.
Click Redirect any requests for port 80 to a secure port.
Click OK.

Note
Note: If you use the default setting of Do not accept connections on port 80, all user connection
attempts on port 80 fail and there is no attempt to redirect them to port 443.

Using the Firebox SSL VPN Gateway
The Firebox SSL VPN Gateway performs the following functions:
• Authentication
• Termination of encrypted sessions
• Access control (based on permissions)
• Data traffic relay (when the first three functions are met)

The Firebox SSL VPN Gateway operates as follows:
• A remote user downloads the Secure Access Client by connecting to a secure Web address and
providing authentication credentials.

24

Firebox SSL VPN Gateway

Using the Firebox SSL VPN Gateway

• After downloading the Secure Access Client, the user logs on. When the user successfully
authenticates, the Firebox SSL VPN Gateway establishes a secure tunnel.
• As the remote user attempts to access network resources across the VPN tunnel, the Secure
Access Client encrypts all network traffic destined for the organization’s intranet and forwards the
packets to the Firebox SSL VPN Gateway.
• The Firebox SSL VPN Gateway terminates the SSL tunnel, accepts any incoming traffic destined
for the private network, and forwards the traffic to the private network. The Firebox SSL VPN
Gateway sends traffic back to the remote computer over a secure tunnel.

Starting the Secure Access Client
A remote user installs the Secure Access Client by typing a secure Web address, typically the fully qualified domain name (FQDN) of the Firebox SSL VPN Gateway. The Firebox SSL VPN Gateway prompts the
user for authentication over HTTP 401 Basic or Digest. The Firebox SSL VPN Gateway authenticates the
credentials using one of the following authentication methods: local authentication, RSA SecureID, SafeWord PremierAccess, LDAP, or RADIUS. If the credentials are correct, the Firebox SSL VPN Gateway finishes the handshake with the client. This logon step is required only when a user initially downloads the
Secure Access Client.
If the user is behind a proxy server, the user can specify the proxy server’s IP address and authentication
credentials.

To configure a proxy server
1
2
3
4
5

To open the logon dialog box, click the Secure Access Client icon on the desktop.
In the Firebox SSL Secure Access logon dialog box, right-click anywhere in the dialog box and
select Advanced Options.
In the Firebox SSL Secure Access Options dialog box, under Proxy Settings, select Use Proxy
Host.
In Proxy Address and Proxy Port, type the IP address and port number.
If the authentication is required by the server, select Proxy server requires authentication.

The Secure Access Client is installed on the user’s computer. After the first connection, the remote user
can subsequently use a desktop shortcut to start the Secure Access Client.
The Advanced Options dialog box can also be opened by right-clicking the Firebox SSL Secure Access
icon on the desktop and then clicking Properties.

Enabling Single Sign-On Operation for the Secure Access Client
If the Secure Access Client is configured for single sign-on operation, it automatically starts after the
user logs on to Windows. The user’s Windows logon credentials are passed to the Firebox SSL VPN Gateway for authentication. Enabling single sign-on for the Secure Access Client facilitates operations on the
remote computer such as installation scripts and automatic drive mapping.
For more information about configuring single sign-on, see “Configuring Secure Access Client for single
sign-on” on page 91.

Note
Users must be logged on as a local administrator or be a member of the Administrators group to use
single sign-on for Secure Access Client.

Administration Guide

25

Using the Firebox SSL VPN Gateway

Establishing the Secure Tunnel
After the Secure Access Client is started, it establishes a secure tunnel over port 443 (or any configured
port on the Firebox SSL VPN Gateway) and sends authentication information. When the tunnel is established, the Firebox SSL VPN Gateway sends configuration information to the Secure Access Client
describing the networks to be secured and containing an IP address if you enabled IP pool visibility.

Tunneling Destination Private Address Traffic over SSL or TLS
After the Secure Access Client is authenticated and started, all network traffic destined for specified private networks is captured and redirected over the secure tunnel to the Firebox SSL VPN Gateway.
The Firebox SSL VPN Gateway intercepts connections that are to be tunneled (usually trafic to your
according to your policy, and multiplexes/tunnels them over SSL to the Firebox SSL VPN Gateway.
where the traffic is demultiplexed and the connections are forwarded to the correct host and port combination.
The connections are subject to administrative security policies that apply to a single application, a subset of applications, or an entire intranet. You use the Firebox SSL VPN Gateway Administration Tool to
specify the resources (ranges of IP address/subnet pairs) that remote users can access through the VPN
connection.
If the device is configured todo this, all IP packets, regardless of protocol, are intercepted and transmitted over the secure link. Connections from local applications on the client computer are securely tunneled to the Firebox SSL VPN Gateway, which reestablishes the connections to the target server. Target
servers view connections as originating from the local Firebox SSL VPN Gateway on the private network,
thus hiding the client IP address. This is also called reverse Network Address Translation (NAT). Hiding IP
addresses adds security to source locations.
Locally, on the client computer, all connection-related traffic (such as SYN-ACK, PUSH, ACK, and FIN
packets) are recreated by the Secure Access Client to appear from the private server.

Operation through Firewalls and Proxies
Users of Secure Access Client are sometimes located inside of another organization’s firewall, as shown
in the following illustration.

Network topology connecting through an external corporate firewall.

26

Firebox SSL VPN Gateway

Using the Firebox SSL VPN Gateway

NAT firewalls maintain a table that allows them to route secure packets from the Firebox SSL VPN Gateway back to the client computer. For circuit-oriented connections, the Firebox SSL VPN Gateway maintains a port-mapped, reverse NAT translation table. The reverse NAT translation table enables the
Firebox SSL VPN Gateway to match connections and send packets back over the tunnel to the client
with the correct port numbers so that the packets return to the correct application.
The Firebox SSL VPN Gateway tunnel is established using industry-standard connection establishment
techniques such as HTTPS, Proxy HTTPS, and SOCKS. This operation makes the Firebox SSL VPN Gateway
firewall friendly and allows remote computers to access private networks from behind other organizations’ firewalls without creating any problems.
For example, the connection can be made through an intermediate proxy, such as an HTTP proxy, by
issuing a CONNECT HTTPS command to the intermediate proxy. Any credentials requested by the intermediate proxy, are in turn obtained from the remote user (by using single sign-on information or by
requesting the information from the remote user) and presented to the intermediate proxy server.
When the HTTPS session is established, the payload of the session is encrypted and carries secure packets to the Firebox SSL VPN Gateway.

Terminating the Secure Tunnel and Returning Packets to the Client
The Firebox SSL VPN Gateway terminates the SSL tunnel and accepts any incoming packets destined for
the private network. If the packets meet the authorization and access control criteria, the Firebox SSL
VPN Gateway regenerates the packet IP headers so that they appear to originate from the Firebox SSL
VPN Gateway’s private network IP address range or the client-assigned private IP address. The Firebox
SSL VPN Gateway then transmits the packets to the network.

Note
If you run a packet sniffer such as Ethereal on the computer where the Secure Access Client is running,
you will see unencrypted traffic that appears to be between the client and the Firebox SSL VPN
Gateway. That unencrypted traffic, however, is not over the tunnel between the client and the Firebox
SSL VPN Gateway but rather the tunnel to the local applications.
The Secure Access Client maintains two tunnels: an SSL tunnel over which data is sent to the Firebox SSL
VPN Gateway (the sniffer also detects this tunnel) and a tunnel between the client and local
applications. The encrypted data that arrives over the SSL tunnel is then decrypted before being sent to
the local application over the second tunnel. The packet sniffer sees the second tunnel’s traffic, which
appears to be from the Firebox SSL VPN Gateway, after the traffic is already decrypted.

When an application client connects to its application server, certain protocols may require that the
application server in turn attempt to create a new connection with the client. In this case, the client
sends its known local IP address to the server by means of a custom client-server protocol. For these
applications, the Secure Access Client provides the local client application a private IP address representation, which the Firebox SSL VPN Gateway uses on the internal network. Many real-time voice applications and FTP use this feature.

Performance and Real-Time Traffic
Real-time applications, such as voice and video, are implemented over UDP, because TCP is not appropriate for real-time traffic due to the delay introduced by acknowledgements and retransmission of lost
packets. It is more important to deliver packets in real time than to ensure that all packets are delivered.
However, with any tunneling technology over TCP, such real-time performances cannot be met.
The Firebox SSL VPN Gateway overcomes this issue by routing UDP packets over the secure tunnel as
special IP packets that do not require TCP acknowledgements. Even if the packets get lost in the net-

Administration Guide

27

Using the Firebox SSL VPN Gateway

work, no attempt is made by either the client or the server applications to regenerate them, so real-time
(UDP like) performance is achieved over a secure TCP-based tunnel.
For more information about improving latency with UDP connections and Voice over IP, see “Improving
Voice over IP Connections” on page 59.

Using Kiosk Mode
The Firebox SSL VPN Gateway provides secure access to a corporate network from a public computer
using kiosk mode. When users select A public computer on the Firebox SSL Access Portal page, the
Web browser opens. The user logs on and then can access applications provided in the browser window.
• For computers running Windows 2000 and above, kiosk mode is available through the Access
Portal. The link can be removed from the Access Portal on a group basis.
• For computers running JVM 1.5 or higher (such as Macintosh,
Windows 95, or Windows 98 computers), kiosk mode is available through a Java applet. For
Macintosh, Safari is the supported browser.
When the user is logged on using kiosk mode, the Firebox SSL VPN Gateway sends images only (no
data) over the connection. As a result, there is no risk of leaving temporary files or cookies on the public
computer. Both temporary files and cookies are maintained on the Firebox SSL VPN Gateway for the session.
The browser defaults to a Web address that is configured per group through the Firebox SSL VPN Gateway Administration Tool. The Web browser window can also include icons for Remote Desktop, SSH, Telnet 3270 emulator, Gaim instant messenging, and VNC clients. The icons are displayed in the bottomleft corner of the window. The applications are specified for each group. For more information about
configuring applications for kiosk mode, see “Configuring kiosk mode” on page 103.
The Web browser window also provides access to shared network drives. The Firebox SSL VPN Gateway
administrator configures the permissions granted (read-only or read/write) to each shared network
drive. For more information about configuring network shares, see “Configuring file share resources” on
page 102.
Users can copy files from the network share to their computer simply by dragging the file onto the
KioskFTP icon and selecting the destination in the File Download dialog box.

Note
End point policies are not supported or enforced when users are logged on using kiosk mode.

Connecting to a Server Load Balancer
You can connect one or more Firebox SSL VPN Gateways to a server load balancer. Characteristics of this
configuration include the following:
• Incoming Web traffic is intercepted by the server load balancer and load balanced among
multiple Firebox SSL VPN Gateways.
• For optimal load balancing, configure the settings to balance connections based on SSL session
identifiers (IDs). Load balancing based on source IP (Src IP) is also supported.
• For optimal performance, the server load balancer is configured with a fully qualified domain
name (FQDN). The FQDN is used by the Firebox SSL VPN Gateway when reestablishing a
connection to the server load balancer.
• The Firebox SSL VPN Gateway external public address is the external-facing (public) FQDN of the
server load balancer. The Firebox SSL VPN Gateway modifies all requests to include the external

28

Firebox SSL VPN Gateway

Using the Firebox SSL VPN Gateway

public address. The external public address ensures that the redirected client returns to the
Firebox SSL VPN Gateway it first encountered, providing session stickiness. The association
between a particular request and the Firebox SSL VPN Gateway is broken only when the client
makes a new connection. To configure the Firebox SSL VPN Gateway to connect to the network,
see “Configuring Network Information” on page 47.
To establish the physical connection, connect the Firebox SSL VPN Gateway eth0 interface to the internal network. Use the Firebox SSL VPN Gateway Administration Tool to configure network settings. Specify the IP address of the server load balancer as the default gateway on the Firebox SSL VPN Gateway
VPN Gateway Cluster > General Networking tab.

Note
SSL sessions must terminate at the Firebox SSL VPN Gateway. In-line SSL acceleration hardware
appliances and bridging proxy servers cannot be used.

Administration Guide

29

Using the Firebox SSL VPN Gateway

30

Firebox SSL VPN Gateway

CHAPTER 3

Configuring Basic Settings

This chapter describes Firebox SSL VPN Gateway basic administration, including connecting to the Firebox SSL VPN Gateway, using the Administration Desktop, and using the Administration Tool to configure the Firebox SSL VPN Gateway.

Note
All submitted configuration changes are applied automatically to the Firebox SSL VPN Gateway and do
not cause a disruption for users connected to the Firebox SSL VPN Gateway. Policy changes take effect
immediately; if a connection violates a new policy, it is closed.

Topics covered in this chapter include:
• Firebox SSL VPN Gateway Administration Desktop
• Using the Administration Tool
• Using the Administration Portal
• Using the Serial Console
• Product Activation and Licensing
• Managing Licenses
• Blocking External Access to the Administration Portal
• Using Portal Pages
• Linking to Clients from Your Web Site
• Saving and Restoring the Configuration
• Restarting the Firebox SSL VPN Gateway
• Restarting the Firebox SSL VPN Gateway
• Shutting Down the Firebox SSL VPN Gateway
• Firebox SSL VPN Gateway System Date and Time

Note
This chapter assumes that you set up the Firebox SSL VPN Gateway hardware and performed the initial
configuration as described in “Getting Started with Firebox SSL VPN Gateway.”.

Administration Guide

31

Firebox SSL VPN Gateway Administration Desktop

Firebox SSL VPN Gateway Administration Desktop
The Firebox SSL VPN Gateway Administration Desktop provides Firebox SSL VPN Gateway monitoring
tools. The taskbar includes one-click access to a variety of standard Linux monitoring applications as
well as the Real-Time Monitor, used to view and manage open connections, and the system time and
date.
The Administration Desktop includes features for monitoring, including the Real-Time Monitor, and
icons for monitoring applications. The middle of the taskbar has buttons for switching the work space
and task bar buttons. The right side of the taskbar contains processor and network usage information
and displays the system time and date.
The Administration Desktop is opened from the Administration Portal.

To open the Administration Portal and Administrative Desktop
1
2

3
4
5
6
7

Make sure that the Firebox SSL VPN Gateway is running.
From a Web browser, connect to the Firebox SSL VPN Gateway by entering the Web address:
https://ipAddress:9001
where:
ipAddress is the IP address of your Firebox SSL VPN Gateway.
9001 is the administration port of your Firebox SSL VPN Gateway.
If a Security Alert dialog box appears, click Yes.
Type the user name and password. The defaults are root and rootadmin.
The Firebox SSL VPN Gateway Administration Portal appears.
Click Launch Firebox SSL VPN Gateway Administrative Desktop.
In the WatchGuard Firebox SSL Remote Admin Terminal dialog box, type your user name and
password.

Note
By default, if you configure the Firebox SSL VPN Gateway to use both network adapters, the
Administration Portal can be accessed from either adapter. To block administrative access from the
network adapter that connects externally, see “Blocking External Access to the Administration Portal”
on page 38.

Using the Administration Portal
The Administration Portal provides a Web-based interface for administrators. There are several tabs in
the Administration Portal that provide a convenient place to do some administrative tasks of the Firebox
SSL VPN Gateway.

Downloads Tab
On this tab, you can do the following:
• Download the Administration Tool
• Download and install, or start, the Administration Desktop
• Download the Firebox SSL VPN Gateway Documentation
• Download portal page templates

32

Firebox SSL VPN Gateway

Using the Serial Console

• Download a sample email for users

Admin Users Tab
The Firebox SSL VPN Gateway has a default administrative user account with full access to the Firebox
SSL VPN Gateway. To protect the Firebox SSL VPN Gateway from unauthorized access, change the
default password during your initial configuration.

Note
To reset the root administrative password to its default, you must reinstall the Firebox SSL VPN Gateway
server software.

The Firebox SSL VPN Gateway is preconfigured with the default user name of root and password of
rootadmin.

To change the administrator password
1
2
3

In the Firebox SSL VPN Gateway Administration Portal, on the Administration tab, click Admin
Users.
Under Administrator Password, type the new password in the fields provided.
Click Change Password.

Logging Tab
This tab displays the log for the Firebox SSL VPN Gateway. This is the same log that is in the Administration Tool on the VPN Gateway Cluster > Logging tab.

Maintenance Tab
This tab provides you a place to do administrative tasks. These are:
• Uploading a signed certificate
• Uploading a private key and certificate
• Uploading a saved configuration or appliance upgrade
• Saving the appliance configuration
• Restarting and shutting down the appliance
You can also log off from the Administration Portal by clicking Log Out.

Using the Serial Console
You can use the serial console to set the IP address and subnet of the Firebox SSL VPN Gateway Interface
0, as well as the IP address of the default gateway device. All other configuration must be done using the
Administration Tool. You can also use the serial console to test a connection with the ping command.
If you want to reach the Firebox SSL VPN Gateway through the serial console before making any configuration settings, use a serial cable to connect the Firebox SSL VPN Gateway to a computer that has terminal emulation software.

Administration Guide

33

Using the Administration Tool

To open the serial console
1
2
3

4
5

Connect the RS232 cable to the serial port on the Firebox SSL VPN Gateway and to the serial port on
the computer.
Make sure that the Firebox SSL VPN Gateway is running.
Start a terminal emulation application (such as HyperTerminal or Putty) and create the following
settings:
If the serial console does not open, check the settings in the terminal emulation application. Set the
serial connection to 115,200 bits per second, 8 data bits, no parity, and 1 stop bit. The flow control
should be hardware. Set the terminal emulation to ANSI or Auto. Set the application to send a
delete operation when the backspace key is depressed.
Press Enter twice in the terminal emulation application. The Firebox SSL VPN Gateway Banner
appears, along with the logon prompt.
Enter the default administrative user name root and password rootadmin.
The Serial Console menu appears.

Using the Administration Tool
The Administration Tool contains all Firebox SSL VPN Gateway configuration controls, except for administrative user account management, which is available only from the Administration Portal.
The Administration Tool allows you to configure global settings once and then publish them to multiple
Firebox SSL VPN Gateways on your network.
The left pane of the Administration Tool window displays Help information for the current tab. The
online Help corresponds to the task you are completing.
The Administration Tool is downloaded and installed from the Administration Portal. You can also
download documentation, portal page templates, and a sample email that can be customized with
instructions for users.

Note
If you upgraded from a previous version of the Firebox SSL VPN Gateway, you must uninstall the
Administration Tool using Add/Remove Programs in Control Panel and then install the latest version
from the Administration Portal.

To download and install the Administration Tool
1
2
3

In the Firebox SSL VPN Gateway Administration Portal, click Downloads.
Under Administration, click Download Firebox SSL VPN Gateway Administration Tool Installer.
Select a location to save the installation application and click Save.
The installation tool is downloaded to your computer.

4
5
6

34

After downloading the file, navigate to the location where it was saved and then double-click the
file.
To install the Administration Tool, follow the instructions in the wizard.
To start the Administration Tool, click Start > Programs > WatchGuard> Firebox SSL VPN
Gateway Adminstration Tool > Firebox SSL VPN Gateway Administration Tool.

Firebox SSL VPN Gateway

Publishing Settings to Multiple Firebox SSL VPN Gateways

7

In Username and Password, type the Firebox SSL VPN Gateway administrator credentials. The
default user name and password are root and rootadmin. You can change the administrative
password as described in “To change the administrator password” on page 33.

Publishing Settings to Multiple Firebox SSL VPN Gateways
If you have multiple Firebox SSL VPN Gateway appliances in your network, you can configure the settings once and then publish them to all of the appliances on the network. The settings on the VPN
Gateway Cluster tab apply to individual Firebox SSL VPN Gateways. The general networking, logging,
administration, certificate generation and installation, and licensing are configured on the VPN Gateway Cluster tab. The settings on all other tabs in the Administration Tool can be published to multiple
Firebox SSL VPN Gateways.

To publish Firebox SSL VPN Gateway settings
1
2

Click the Publish tab.
Click Publish to all gateways.
Each Firebox SSL VPN Gateway configured on the VPN Gateway Cluster tab is listed on the Publish
tab. The following synchronization messages appear in the Sync Status field for each appliance:

In Sync
The Firebox SSL VPN Gateway configuration is successfully published.
Not in Sync
A change was made in the settings but is not published.
Sync Failed
Unable to synchronize the Firebox SSL VPN Gateway. Check the appliance and try the
synchronization again.
Unknown Status
The status of the Firebox SSL VPN Gateway cannot be determined. Check the appliance and try
the synchronization again.

Product Activation and Licensing
For new product installations, you will need to activate your Firebox SSL VPN Gateway by submitting the
included license key codes to your Live Security account. You access your LiveSecurity account by
browsing to the WatchGuard website at http://www.watchguard.com, then clicking LiveSecurity® Service
on the left.
There are two types of included license key codes with your Firebox SSL VPN Gateway: Tunnel and tunnel upgrade capacity, and LiveSecurity Renewal and Tunnel Renewal.

Upgrading the tunnel and tunnel upgrade license
In your Live Security account, under the Activation Center, you activate your product with the tunnel
and tunnel upgrade license key codes. Upon submittal and processing, you will receive license files or
feature keys that you must apply to the Firebox SSL VPN Gateway. You apply these license files using the

Administration Guide

35

Managing Licenses

Firebox SSL VPN Gateway Administration Tool. To apply these license files, see “Managing Licenses” on
page 36.
For future tunnel capacity upgrades, you will follow these same steps to increase the capacity of your
Firebox® SSL VPN Gateway.

Upgrading the LiveSecurity Renewal and Tunnel Renewal license
In your Live Security account, under Your Activated Products, you can activate and extend your Live
Security support service by submitting the Live Security Renewal and Tunnel Renewal license keys. This
allows you continued access to the Live Security service for the Firebox SSL VPN Gateway appliance.
Chapter 1, “Getting Started with Firebox SSL VPN Gateway,” for more information about the LiveSecurity
Service.

Note
You must have a current Live Security account to upgrade your software or to add more tunnel capacity.

Managing Licenses
Firebox SSL VPN Gateway licensing limits the number of concurrent user sessions to the number of
licenses purchased. If you purchase 100 licenses, you can have 100 concurrent sessions at any time.
When a user ends a session, that license is released for the next user. A user who logs onto the Firebox
SSL VPN Gateway from more than one computer occupies a license for each session.
If all licenses are occupied, no additional connections can be opened until a user ends a session or the
administrator uses the Firebox SSL VPN Gateway Real-Time Monitor to close a connection, thereby
releasing a license. For information about using the Real-Time Monitor to close connections, see “Managing Client Connections” on page 133.
Licenses for the Firebox SSL VPN Gateway are installed using the Administration Tool. License files are
generated based on the host name, using either the external IP address or FQDN of the Firebox SSL VPN
Gateway. When the license is uploaded to the primary Firebox SSL VPN Gateway, the host identifier of
the license file is compared with the host names of each Firebox SSL VPN Gateway installed on the same
network. If a match is found, the license file is accepted. When the license is installed, it can then be published to all of the appliances in the cluster.

To manage licenses on the Firebox SSL VPN Gateway
1
2

On the administrative computer where you run the Firebox SSL VPN Gateway Administration Tool,
create a license directory.
Copy the license file (.lic) that you downloaded to the license directory.

Note
It is recommended that you retain a local copy of all license files that you receive. When you save a
backup copy of the configuration file, all uploaded license files are included in the backup. If you need
to reinstall the Firebox SSL VPN Gateway server software and do not have a backup of the configuration,
you will need the original license files. Store the license files on the administrative computer where you
run the Administration Tool.

36

Firebox SSL VPN Gateway

Managing Licenses

Do not overwrite any .lic files in the license directory. If another file in that directory has the same name,
rename the newly received file. The Firebox SSL VPN Gateway software calculates your licensed features
based on all .lic files that are uploaded to the Firebox SSL VPN Gateway.
Do not edit a .lic file or the Firebox SSL VPN Gateway software ignores any features associated with that
license file. The contents of the file are encrypted and must remain intact. Should you copy, rename, or
insert a license file multiple times, the Firebox SSL VPN Gateway uses only the original file and ignores
any duplicate files.

To install a license file
1
2
3
4

Click the VPN Gateway Cluster tab and then click the Licensing tab.
Next to Upload a license file, click Browse and locate the .lic file that you want to upload.
Select the .lic file and then click Open to upload the license file.
If more than one Firebox SSL VPN Gateway is installed on the same network, on the Publish tab,
click Publish to all gateways.

To remove the licenses, next to Clear all licensing, click Remove All.

Information about Your Licenses
The Licensing tab displays information about the licenses that are installed on the Firebox SSL VPN
Gateway. This information includes:
• Total number of licenses available
• Number of licenses currently in use
In addition, you can download license logs that provide you with detailed information about license
use. When the logs are downloaded, they are in a compressed file called license_logs.zip.

To download license logs
1
2
3

On the Firebox SSL VPN Gateway Cluster tab, click the Licensing tab.
Under Information about this Firebox SSL VPN Gateway, next to Download licensing logs, click
Download All.
Select the location to download the files and then click Save.

When you make changes to licensing on the Firebox SSL VPN Gateway, you can refresh the information that is displayed on the Licensing tab.

Testing Your License Installation
To test that licensing is configured correctly, create a test user and then log on using the Secure Access
Client and credentials that you set up for the user.

To test your configuration
1
2
3
4

Open the Administration Tool.
Click the Access Policy Manager tab.
Right-click the Local Users folder in the left pane and click New User.
In the New User dialog box, in User Name, type a user name, and in Password and Verify
Password, type the same password in each field, and click OK.

Administration Guide

37

Blocking External Access to the Administration Portal

5

6
7

In a Web browser, type the address of the Firebox SSL VPN Gateway using either the IP address or
fully qualified domain name (FQDN) to connect to either the internal or external interface. The
format should be either https://ipaddress or https://FQDN.
Type the logon credentials. The WatchGuard Firebox SSL VPN Gateway portal page appears.
Click My own computer and then click Connect.
The Secure Access Client connection icon appears in the notification area, indicating a successful connection.

The initial configuration is complete. After completing the initial configuration, you can configure accessible networks so you can connect to all of your network resources, such as email, Web servers, and file
shares as if you are in the office. To test your configuration, try connecting to the applications and
resources that are available from the corporate network.

Blocking External Access to the Administration Portal
By default, if the Firebox SSL VPN Gateway is configured to use both network adapters, the external
adapter can be used to access the Administration Portal from outside the firewall. To block access to the
Administration Portal from the external adapter, clear the check box for this option.

To block external access to the Administration Portal
1
2
3

Click the VPN Gateway Cluster tab.
On the Administration tab, clear the check box for Enable External Administration.
Click Apply Change.

Using Portal Pages
The Firebox SSL VPN Gateway provides logon access using five portal pages. The portal page users see
depends on the configuration of the Firebox SSL VPN Gateway. These include:
• Using the default portal page that provides full Secure Access Client and kiosk mode options. The
default portal page is the only one that can be customized with your company name and logo.
• Redirecting the user to the Web Interface logon page.
• Providing a portal page that allows users the choice of logging on using Secure Access Client, the
Web Interface, or kiosk mode.
• Pre-authentication Web page that appears when a pre-authentication policy is configured on the
Firebox SSL VPN Gateway.
• Redirection to a Web page when double-source authentication is configured on the Firebox SSL
VPN Gateway and the user logs on using Web access.

Using the Default Portal Page
Note
You can also include links to the Secure Access Client and kiosk mode on your Web site, as described in
“Linking to Clients from Your Web Site” on page 41.

38

Firebox SSL VPN Gateway

Downloading and Working with Portal Page Templates

By default, users see a WatchGuard Firebox SSL VPN Gateway portal page when they open
https://Firebox SSL VPN Gateway_IP_or_hostname. For samples of the default portal pages for Windows,
Linux, and Java, see “Using the Access Portal” on page 118.
Several portal page templates that can be customized are provided. One of the templates includes links
to both the Firebox SSL Secure Access Client and kiosk mode. Customization of the default portal page
can be as simple as replacing the logo.
The text for My own computer and A public computer uses a variable to insert the text into the template. The text in these two sections cannot be changed.
The other two templates include links to just one of the clients. You choose a template based on the
access that you want to provide on a group basis. For example, you might want to provide access to
both clients to some users and access only to the Firebox SSL Secure Access Client or kiosk mode for
other users. You can do that by adding custom portal pages to the Firebox SSL VPN Gateway and then
specifying the portal page to be used for each user group.

Note
If you want to add text to the template or make format changes, you need to consult with someone who
is familiar with HTML. Changes to the templates other than those described in this section are not
supported.

The portal page templates are available from the Downloads page of the Administration Portal in the
section Sample Portal Page Templates.

Downloading and Working with Portal Page Templates
The portal page templates include variables that the Firebox SSL VPN Gateway replaces with the current
user name and with links that are appropriate for the connecting computer (Windows 2000 or higher, or
Linux).
If you also have users on platforms such as Macintosh, Windows 95, or Windows 98, you can provide
them access to the Java-based kiosk mode by inserting the appropriate variable in the template(s) used
by those groups, as described in this section. The variables that can be used in templates are described
in the following table.
Variable

Content inserted by variable

$citrix_username;

Name of logged on user.

$citrix_portal;

Links to both the Firebox SSL Secure Access Client and kiosk mode.

$citrix_portal_full_client_only;

Link to the Firebox SSL Secure Access Client only.

$citrix_portal_kiosk_client_only; Link to kiosk mode only.
$citrix_activex_object_include

Inserts the ActiveX control that starts the client portal page.

A template can include only one of the three variables that start with $citrix_portal.
When choosing a template that is appropriate for a group, you need to know only whether the group
should have access to both the Firebox SSL Secure Access Client and kiosk mode or just one of the clients. The Firebox SSL VPN Gateway detects the user’s platform (Windows, Linux, Java) and inserts the
appropriate links into the templates that you upload to the Firebox SSL VPN Gateway.

Administration Guide

39

Downloading and Working with Portal Page Templates

To download the portal page templates to your local computer
1
2

In the Firebox SSL VPN Gateway Administration Portal, click Downloads.
Under Sample Portal Page Templates, right-click one of the links, click Save Target as, and specify
a location in the dialog box.

To work with the templates for Windows and Linux users
1

2
3
4
5

Determine how many custom portal pages that you need. You can use the same portal page for
multiple groups.
Use this portal page:

To include links to these clients:

vpnAndKioskClients.html

Firebox SSL Secure Access Client and kiosk mode.

vpnClientOnly.html

Firebox SSL Secure Access Client only.

kioskClientOnly.html

Kiosk mode only.

Make a copy of each template that you will use and name the template, using the extension .html.
Open the file in Notepad or an HTML editing application.
To replace the WatchGuard image, locate the following line in the template:

Replace citrix-logo.gif with the filename of your image. For example, if your image file is named
logo.gif, change the line to:

An image file must have a file type of GIF or JPG. Do not change other characters on that line.

6

Save the file.

Using the ActiveX Control
If you would like to use the ActiveX control to start the client portal page, insert the following code into
the portal page template.


Hello $citrix_username;
$citrix_activex_object_include;





Hello $citrix_username;,

$citrix_portal; Installing Custom Portal Files on the Firebox SSL VPN Gateway Custom portal pages and referenced image files must be installed on the Firebox SSL VPN Gateway. 40 Firebox SSL VPN Gateway Enabling Portal Page Authentication To install a custom portal page or image on the Firebox SSL VPN Gateway 1 2 3 Click the Portal Page Configuration tab. Click Add File. In File Identifier, type a name that is descriptive of the types of users who use the portal page. The file name can help you later when you need to associate the portal page with a group. For example, you might have a primary portal page used by many groups and a separate portal page used only by guests. In that case, you might identify the files as Primary Portal and Guest Portal. Alternatively, you might have several portal pages that correspond to user groups and use names such as Admin Portal, Student Portal, IT Portal. 4 5 6 7 In File Type, select the type. Portal pages must be an HTML file. Any images referenced from an HTML page must be either GIF or JPG files. Click Upload File. Navigate to the file and click Open. The file is loaded on the Firebox SSL VPN Gateway. To remove a portal file from the Firebox SSL VPN Gateway On the Portal Page Configuration tab, select the page identifier in the list and click Remove Selected File. Enabling Portal Page Authentication By default, a user must log on to the portal page and then again to the Firebox SSL Secure Access Client or kiosk mode. You can eliminate the portal page logon step using either of the following methods: • You can set a global policy that disables authentication for the portal page and that specifies the portal page that displays for all users. This global policy overrides any portal page selections for groups. • You can include links to the Firebox SSL Secure Access Client and kiosk mode directly on your Web site, as described in “Linking to Clients from Your Web Site” on page 41. To enable portal page authentication 1 2 3 Click the Global Cluster Policies tab. Under Advanced Options, select Enable Portal Page Authentication. Click Submit. Linking to Clients from Your Web Site You can also provide your users links to the Firebox SSL Secure Access Client and kiosk mode from your Web site. The links launch the clients for Windows or direct the user to a page that explains how to download and install the client for Linux. To include links to the Firebox SSL Secure Access Client and kiosk mode on your Web site 1 Add the following code to the HEAD tag of the Web page that is to contain the links: Administration Guide 41 Linking to Clients from Your Web Site 2 Add the links as follows to the Web page. Client: Link to: Firebox SSL Secure Access Client (Windows/Java) https://ipAddress/CitrixSAClient.exe Kiosk mode (Windows/Java) https://ipAddress/net6javakiosk_applet.html Firebox SSL Secure Access Client (Linux) https://ipAddress/full_linux_instructions.html where ipAddress is the address of the Firebox SSL VPN Gateway. This page includes a link to the Linux installer executable. Multiple Log On Options using the Portal Page Users can have the option to log on using Secure Access Client, the Web Interface, or kiosk mode from one Web page. This portal page cannot be configured like the default portal page. The user is presented with three icons and users can choose which method they want to use to log on to the Firebox SSL VPN Gateway. These are: Secure Desktop Access This icon starts the Secure Access Client. Secure Application Access This icon redirects the user to the Web Interface to log on. Secure Kiosk Access This icon logs on using kiosk mode. This portal page is displayed only when the Redirect to URL and Show “Launch Client” option page check boxes are selected on the Gateway Portal tab. To configure multiple log on options 1 2 3 4 5 6 On the Access Policy Manager tab, right-click a group in the left pane and then click Properties. On the Gateway Portal tab, select Redirect to URL. In Portal homepage, type the path of the server that is hosting the Web Interface. In Proxy Server, type the IP address or FQDN of the server that is hosting the Web Interface. To secure the connection, click Use SSL/TLS. To provide Secure Access Client log on, select Show “Launch Client” option page. Pre-Authentication Policy Portal Page If a pre-authentication policy is configured on the Firebox SSL VPN Gateway, when the user connects using a Web address, a Web page appears while the policy is checked against the user’s computer. If the client computer passes the pre-authentication policy check, users are then connected to the portal page where they can connect to the Firebox SSL VPN Gateway using their credentials. If the pre-authen- 42 Firebox SSL VPN Gateway Connecting Using a Web Address tication policy check fails, the users receive an error message instructing them to contact their system administrator. For more information about pre-authentication policies, see “Global policies” on page 96. Double-source Authentication Portal Page When the Firebox SSL VPN Gateway is configured to require users to log on using two types of authentication, such as LDAP and RSA SecurID, they are directed automatically to the Web page or Secure Access Client dialog box and users enter their user name and passwords. Note When a user logs on using double authentication, the authentication is checked in the opposite order that is configured in the realm.For example, if the primary authentication type is LDAP and the secondary is RSA SecurID, the SecureID credentials are checked first, and then the LDAP credentials. If the user log on fails the first authentication, the second authentication is not checked. For more information about double-source authentication, see “Configuring Double-Source Authentication” on page 85. Connecting Using a Web Address Users can connect to the Firebox SSL VPN Gateway using a Web browser by typing the Web address, such as https://vpn.mycompany.com. When the IP address or FQDN of the Firebox SSL VPN Gateway is entered and double-source authentication is configured, users are routed automatically to the logon portal page as shown below. Double-source authentication portal page After entering the user name, the user then enters the passwords for each authentication type. After the credentials are entered, the specified portal page appears and the user completes the connection from this portal page. The connection can be either full access or kiosk mode. The double-source authentication portal page cannot be customized. Connecting Using Secure Access Client Users can connect to the Firebox SSL VPN Gateway using the Secure Access Client that is downloaded and installed on their computer. When double-source authentication is configured, users see a dialog box that requires their user name and passwords for each authentication type. After the users enter the credentials, they click Connect. Administration Guide 43 Saving and Restoring the Configuration Saving and Restoring the Configuration When you upgrade the Firebox SSL VPN Gateway, all of your configuration settings, including uploaded certificates, licenses, and portal pages, are restore automatically. However, if you reinstall the Firebox SSL VPN Gateway software, you must manually restore your configuration settings. Note Before using the Recovery CD to reinstall the Firebox SSL VPN Gateway software, save your configuration. Reinstalling the Firebox SSL VPN Gateway software returns the Firebox SSL VPN Gateway to its preconfigured state. If you saved your configuration settings, as described in this section, you can easily restore them. Note You can also save and restore configuration settings from the Maintenance tab of the Administration Portal. To save the Firebox SSL VPN Gateway configuration 1 2 3 4 In the Administration Tool, click the VPN Gateway Cluster tab. Open the dialog box for the appliance. On the Administration tab, by Save the current configuration, click Save Configuration. Save the file, named config.restore, to your computer. The entire Firebox SSL VPN Gateway configuration, including system files, uploaded licenses, and uploaded server certificates, is saved. To restore a saved configuration 1 2 3 In the Administration Tool, click the VPN Gateway Cluster tab. On the Administration tab, by Upload a Server Upgrade or saved Config, click Browse. Locate the file named config.restore and click Open. After the configuration file is uploaded, the Firebox SSL VPN Gateway restarts. All of your configuration settings, licenses, and certificates are restored. 4 If you use RSA SecurID authentication, you must reset the node secret on the RSA ACE/Server, as described in “Resetting the node secret” on page 82. Because the Firebox SSL VPN Gateway was reimaged, the node secret no longer resides on it and attempts to authenticate with the RSA ACE/ Server fail. Upgrading the Firebox SSL VPN Gateway Software The software that resides on the Firebox SSL VPN Gateway can be upgraded when new releases are made available. To upgrade the Firebox SSL VPN Gateway 1 44 In the Firebox SSL VPN Gateway Administration Tool, click the VPN Gateway Cluster tab, select the appliance, and then click the Administration tab. Firebox SSL VPN Gateway Restarting the Firebox SSL VPN Gateway 2 3 In Upload a Server Upgrade or Saved Config, click Browse. Locate the upgrade file that you want to upload and click Open. The file is uploaded and the Firebox SSL VPN Gateway restarts automatically. When you upgrade the Firebox SSL VPN Gateway, all of your configuration settings are saved. For information about saving and restoring a configuration, see “Saving and Restoring the Configuration” on page 44. Restarting the Firebox SSL VPN Gateway After making changes to the Firebox SSL VPN Gateway, you might need to restart the service. To restart the Firebox SSL VPN Gateway 1 2 From the Administration Tool, click the VPN Gateway Cluster tab and select the appliance that needs to be restarted. On the Administration tab, next to Restart the server, click Restart, or from the Administration Portal, go to the Maintenance tab and next to Restart the Server, click Restart. Shutting Down the Firebox SSL VPN Gateway Never shut down the Firebox SSL VPN Gateway by powering it off. Use the command in the Administration Tool to shut down the device. Use the power switch only to power on the device. To shut down the Firebox SSL VPN Gateway 1 2 3 From the Administration Tool, click the VPN Gateway Cluster tab, and select the appliance that needs to be shut down. On the Administration tab, next to Shut down the server, click Shut down. Use the power switch to switch off the device. Note You can also shut down and restart the Firebox SSL VPN Gateway from the Maintenance page of Administration Portal. Firebox SSL VPN Gateway System Date and Time The system time displays on the right side of the taskbar in the Administration Desktop window. To view the system date, mouse over the system time. To view a calendar, click the system time. Click the system time again to hide the calendar. Administration Guide 45 Allowing ICMP traffic To change the system date and time 1 2 3 4 In the Administration Tool, click the VPN Gateway Cluster tab, select the appliance, and then click the Date tab. In Time Zone, select a time zone. In Date, type the date and time. Click Submit. Network Time Protocol The Network Time Protocol transmits and receives time over TCP/IP networks. The Network Time Protocol is useful for synchronizing the internal clock of computers on the network to a common time source. If you have a Network Time Protocol server in your secure network, you can use the Firebox SSL VPN Gateway Administration Tool to configure the Firebox SSL VPN Gateway to synchronize the time with the Network Time Protocol server. To synchronize the Firebox SSL VPN Gateway with a Network Time Protocol server 1 2 3 4 5 In the Firebox SSL VPN Gateway Administration Tool, click the VPN Gateway Cluster tab. Click the Date tab. In Synchronization Mode, click Network Time Protocol (NTP). In NTP Server, type the FQDN of the server. In Synchronization Interval, select a schedule to perform updates. Allowing ICMP traffic Internet Control Message Protocol (ICMP) traffic to the Firebox SSL VPN Gateway is disabled by default. To enable ICMP traffic, use the VPN Gateway Cluster > Administration tab. When ICMP traffic is enabled, users can ping servers on the internal, secure network. The Firebox SSL VPN Gateway itself cannot receive ICMP traffic. To enable ICMP traffic 1 2 3 46 In the Administration Tool, click the VPN Gateway Cluster tab and select the appliance. On the Administration tab, select Enable ping. Click Apply Change. Firebox SSL VPN Gateway CHAPTER 4 Configuring Firebox SSL VPN Gateway Network Connections The Firebox SSL VPN Gateway has two network adapters that can be configured to work on your network. The VPN Gateway Cluster > General Networking tabs in the Administration Tool are used to configure most network settings. The following topics describe how to configure Firebox SSL VPN Gateway network connections: • Configuring Network Information • Configuring Firebox SSL VPN Gateway Failover • Controlling Network Access • Enabling Split Tunneling • Denying Access to Groups without an ACL Note When you have a working configuration, it is recommended that you back up the configuration as described in “Saving and Restoring the Configuration” on page 44. The configuration instructions throughout those topics assume the following setup: • The Firebox SSL VPN Gateway is installed. • The devices to which you are connecting the Firebox SSL VPN Gateway, such as a firewall or server load balancer, are already part of a working configuration. This guide does not cover the steps for configuring application or Web servers, firewalls, or a server farm with a server load balancer. Configuring Network Information You define the connections between the Firebox SSL VPN Gateway and your network on the Network tab. The network adapter settings are configured on the VPN Gateway Cluster tab in the Firebox SSL VPN Gateway Administration Tool. On the VPN Gateway Cluster tab, you can configure the following: • The General Networking tab is where the network adapters that are installed on the Firebox SSL VPN Gateway are configured • The Name Service Providers tab is where the DNS and WINS servers are configured Administration Guide 47 General Networking • The Routes tab is where dynamic and static routes are configured • The Failover Servers tab is where multiple Firebox SSL VPN Gateway’s are configured General Networking The Firebox SSL VPN Gateway has two network adapters installed. If two network adapters are used, then one network adapter communicates with the Internet and computers that are not inside the corporate network. The other network adapter communicates with the internal network. If one network adapter is used, it has to be routable for internal resources using Network Address Translation (NAT). The Firebox SSL VPN Gateway network adapter settings are as follows: IP address and Subnet mask for Interface 0 and, if used, Interface 1 When connecting the Firebox SSL VPN Gateway to your network, you typically place it either inside of a firewall, inside of a server load balancer, or connected to two physical networks along side your firewall (“straddling” a firewall). If the Firebox SSL VPN Gateway is inside a firewall or connected to a server load balancer, choose Use Only Interface 0. The Firebox SSL VPN Gateway located inside the firewall. If the Firebox SSL VPN Gateway is in the DMZ, choose Use both interfaces. Use Interface 0 for the external connection and Interface 1 for the internal connection. 48 Firebox SSL VPN Gateway General Networking The Firebox SSL VPN Gateway in the DMZ. For more information, see “Connecting to a Server Load Balancer” on page 28. External Public FQDN The Firebox SSL VPN Gateway uses the external IP address or FQDN to send its response to a request back to the correct network connection. If the external IP address is not specified, the Firebox SSL VPN Gateway sends responses out through the interface where the gateway is identified. If the external IP address is specified, the Firebox SSL VPN Gateway sends all connections to the interface with the specified host name or IP address. Duplex mode This is the direction of the transmission of data. Choices are either auto, full duplex, or half duplex. Use the default setting, auto, unless you need to change it. MTU The maximum transmission unit that defines the maximum size of each transmitted packet. The default is 1500. Use the default setting unless you need to change it. VPN port This is the incoming port on the Firebox SSL VPN Gateway that is used for VPN connections. The default is port 443. The Default Gateway has the following two settings: IP address This is the IP address of the default gateway device, such as the main router, firewall, or server load balancer, depending on your network configuration. This should be the same as the Default Gateway setting that is on computers on the same subnet. For information about the relationship between the Default Gateway and dynamic or static routing, see “Dynamic and Static Routing” on page 51. Gateway Interface This is the network adapter on the Firebox SSL VPN Gateway with which the Default Gateway communicates. Administration Guide 49 Name Service Providers Note IP pooling is configured per groups, as described in “Enabling IP Pooling” on page 94. Name Service Providers Name resolution is configured on the Name Service Providers tab. You can specify the following: DNS Server 1, DNS Server 2, DNS Server 3 These are the IP address of the first, second, and third DNS servers. DNS suffixes These are the DNS suffixes of the servers. Each entry in the list is separated by a space. Each entry should follow the format of site.com. Do not precede a suffix with a dot (“.”), such as .site.com. By default, the Firebox SSL VPN Gateway checks a user’s remote DNS only. If you want to allow failover to a user’s local DNS, you need to enable split DNS. WINS Server This is the IP address of the WINS server. To have client connections communicate with the WINS Server, the IP address must be manually added to the Accessible Networks list on the Global Cluster Policies tab. For more information, see “Controlling Network Access” on page 56. The IP address must also be added as a network resource on the Access Policy Manager tab and added to the user group(s). For more information, see “Defining network resources” on page 99. To enable split DNS 1 2 On the Access Policy Manager tab, in the left pane, right-click a group and click Properties. On the Networking tab, select Enable split-DNS. The Firebox SSL VPN Gateway fails over to the local DNS only if the specified DNS servers cannot be contacted, but not if there is a negative response. To edit the HOSTS file You can add entries to the Firebox SSL VPN Gateway HOSTS file from the Name Service Providers tab. The Firebox SSL VPN Gateway uses the entries in the HOSTS file to resolve FQDNs to IP addresses. When the Firebox SSL VPN Gateway attempts to translate an FQDN to an IP address, the Firebox SSL VPN Gateway checks its HOSTS file before connecting to DNS to perform the address translation. If the Firebox SSL VPN Gateway can translate the FQDN to an IP address using the information in the HOSTS file, it does not use DNS to perform the address translation. You might want to add entries to the HOSTS file in an Firebox SSL VPN Gateway deployment where the network configuration prevents the Firebox SSL VPN Gateway from connecting to DNS to perform address translations. Also, adding entries to the HOSTS file can optimize performance because the Firebox SSL VPN Gateway does not have to connect to a different server to perform the address translations. To add an entry to the HOSTS file 1 2 50 On the Firebox SSL VPN Gateway Cluster tab, open the window for an appliance. Click the Name Service Providers tab. Firebox SSL VPN Gateway Dynamic and Static Routing 3 4 5 Under Edit the HOSTS file, in IP address, enter the IP address that you want to associate with an FQDN. In FQDN, enter the FQDN you want to associate with the IP address you entered in the previous step. Click Add. The IP address and HOSTS name pair appears in the Host Table. To remove an entry from the HOSTS file 1 2 Under Host Table, click the IP address and HOSTS name pair you want to delete. Click Remove. Dynamic and Static Routing Configuring Network Routing To provide access to internal network resources, the Firebox SSL VPN Gateway must be capable of routing data to the internal networks. The networks to which the Firebox SSL VPN Gateway can route data are determined by the configuration of the Firebox SSL VPN Gateway routing table and the Default Gateway specified for the Firebox SSL VPN Gateway. When the Firebox SSL VPN Gateway receives a packet, it checks its routing table. If the destination address of the packet is within a network for which a route exists in the routing table, the packet is routed to that network. If the Firebox SSL VPN Gateway receives a packet, and its routing table does not contain a route for the destination address of the packet, the Firebox SSL VPN Gateway sends the packet to the Default Gateway. The routing capabilities of the Default Gateway then determine how the packet is routed. The Firebox SSL VPN Gateway routing table must contain the routes necessary to route data to any internal network resource that a user may need to access. You control how the Firebox SSL VPN Gateway routing tables are configured. You can select a Routing Information Protocol (RIP) option so that the routes are configured automatically by a RIP server, or you can select a static routing option and manually configure the routes. You can configure the Firebox SSL VPN Gateway to listen for the routes published by your routing server(s) or to use static routes that you specify. The Firebox SSL VPN Gateway supports the Routing Information Protocol (RIP and RIP 2). The Default Gateway field on the General Networking tab is relevant to both dynamic and static routing. Enable Dynamic Gateway If this option is enabled, the default gateway is based on the routing table, not on the value entered in the Default Gateway field on the General Networking tab. Static Routing If you add a static route, choose the Firebox SSL VPN Gateway network adapter that is not being used by the default gateway. Administration Guide 51 Dynamic and Static Routing Configuring Dynamic Routing When dynamic routing is selected, the Firebox SSL VPN Gateway operates as follows: • It listens for route information published through RIP and automatically populates its routing table. • If the Dynamic Gateway option is enabled, the Firebox SSL VPN Gateway uses the Default Gateway provided by dynamic routing, rather than the value specified on the General Networking tab. • It disables any static routes created for the Firebox SSL VPN Gateway. If you later choose to disable dynamic routing, any previously created static routes appear again in the Firebox SSL VPN Gateway routing table. To configure dynamic routing 1 2 Click the VPN Gateway Cluster tab and then click the Routes tab. In Select routing type, select Dynamic Routing (RIP). Selecting this option disables the static routes area. If static routes are defined, they do not display in the routing table although they are still available if you want to switch back to static routing. 3 Click Enable Dynamic Gateway to use the default gateway provided by the routing server(s). Selecting this check box disables use of the Default Gateway that is specified on the General Networking tab. In Routing Interface, choose the Firebox SSL VPN Gateway network adapter(s) to be used for dynamic routing. Typically, your routing server(s) are inside your firewall, so you would choose the internal network adapter for this setting. 5 Click Submit. Dynamic routes are not displayed in the Firebox SSL VPN Gateway routing table. 4 Enabling RIP Authentication for Dynamic Routing To enhance security for dynamic routing, you can configure the Firebox SSL VPN Gateway to support RIP authentication. Note Your RIP server must transmit RIP 2 packets to use RIP authentication. RIP 1 does not support authentication. To support RIP authentication, both the RIP server and the Firebox SSL VPN Gateway must be configured to use a specific authentication string. The RIP server can transmit this string as plain text or encrypt the string with MD5. If the RIP server encrypts the authentication string with MD5, you must also select the MD5 option on the Firebox SSL VPN Gateway. You can configure the Firebox SSL VPN Gateway to listen for the RIP authentication string on Interface 0, Interface 1, or both interfaces. To enable RIP authentication for dynamic routing 1 2 3 4 52 On the Firebox SSL VPN Gateway Cluster tab, open the window for an appliance. Click the Routes tab. In Routing Interface, select either Interface 0, Interface 1, or Both to specify the interface(s) on which the Firebox SSL VPN Gateway listens for the RIP authentication string. Select the RIP Authentication String for Interface check box. Firebox SSL VPN Gateway Dynamic and Static Routing 5 6 In the text box, type a text string that is an exact, case-sensitive match to the authentication string transmitted by the RIP server. Select the Enable RIP MD5 Authentication for Interface check box if the RIP server transmits the authentication string encrypted with MD5. Do not select this option if the RIP server transmits the authentication string using plain text. 7 Click Submit. Changing from Dynamic Routing to Static Routing Before you change from dynamic routing to static routing, you may want to save your dynamic routes to the static route table. Selecting this option saves the current RIP dynamic routing information as static routes. If you change from dynamic routing to static routing, and you previously created static routes, the static routes reappear in the Firebox SSL VPN Gateway routing table. If these static routes are no longer valid, or if no static routes were created previously, you might lose remote access to the Administration Tool and users could lose access to the internal network resources until you manually configure the static routes. Saving the current RIP dynamic routing information as static routes when you switch from dynamic routing to static routing allows you to maintain connectivity until you properly configure the static routes. To save dynamic routes to the static route table 1 On the Firebox SSL VPN Gateway Cluster tab, open the window for the appliance. 2 Click the Routes tab. 3 Click Save to static routes. After you save the dynamic route, you can switch to static routing. Configuring a Static Route When setting up communication with another host or network, a static route might need to be added from the Firebox SSL VPN Gateway to the new destination if you do not use dynamic routing. Set up static routes on the Firebox SSL VPN Gateway adapter not being used by the Default Gateway that is specified on the General Networking tab. For an example static route setup, see “Static Route Example” on page 54. To add a static route 1 2 3 4 5 6 7 Click the VPN Gateway Cluster tab and then click the Routes tab. In Select routing type, select Static Routing. Under Add Static Route, in Destination LAN IP Address, type the IP address of the destination local area network. In Subnet Mask, type the subnet mask for the gateway device. In Gateway, type the IP address for the default gateway. If you do not specify a gateway, the Firebox SSL VPN Gateway can access content only on the local network. In Interface, select the network adapter for the static route. The default is eth0. Click Add Static Route. Administration Guide 53 Dynamic and Static Routing 8 On the General Networking tab, click Submit. The route name appears in the Static Routes list. To test a static route 1 2 From the Firebox SSL VPN Gateway serial console, type 1 (ping). Enter the host IP address for the device you want to ping and press Enter. If you are successfully communicating with the other device, messages appear saying that the same number of packets were transmitted and received, and zero packets were lost. If you are not communicating with the other device, the status messages indicate that zero packets were received and all the packets were lost. Return to Step 1 and recreate the static route. To remove a static route 1 2 3 Click the VPN Gateway Cluster tab and then click the Routes tab. In the Static Route table, select each route that you want to delete. Click Remove Route. Static Route Example Suppose the IP address of the eth0 port on your Firebox SSL VPN Gateway is 10.0.16.20 and there is a request to access information at 129.6.0.20 to which you currently do not have a path. You can create a static route through the network adapter that is not set as your Firebox SSL VPN Gateway default gateway, and out to the requested network address, as shown in the following figure: Network topology showing a static route. This shows these connections: • The eth0 adapter (10.0.16.20) leads to the default gateway (10.0.16.1), which connects to the rest of the 10.0.0.0 network. • The eth1 adapter (192.168.0.20) is set to communicate with the 192.168.0.0 network and its gateway (192.168.0.1). Through this gateway, the eth1 port can communicate with the 129.6.0.0 network and the server at IP address 129.6.0.20. 54 Firebox SSL VPN Gateway Configuring Firebox SSL VPN Gateway Failover To set up the static route, you need to establish the path between the eth1 adapter and IP address 129.6.0.20. To set up the example static route 1 2 3 4 5 6 Click the VPN Gateway Cluster tab and then click the Routes tab. In Destination LAN IP Address, set the IP address of the destination LAN to 129.6.0.0. In Subnet Mask, set the subnet mask for the gateway device. In Gateway, set the IP address of the default gateway to 192.168.0.1. In Interface, select eth1 as the gateway device adapter. Click Add Static Route. Configuring Firebox SSL VPN Gateway Failover The Firebox SSL VPN Gateway can be configured to fail over to multiple Firebox SSL VPN Gateway appliances. Because Firebox SSL VPN Gateway failover is active/active, you can use each Firebox SSL VPN Gateway as a primary gateway for a different set of users. During the initial connection from the Secure Access Client, the Firebox SSL VPN Gateway provides the failover list to the client. If the client loses the connection to the primary Firebox SSL VPN Gateway, it iterates through the list of failover appliances. If the primary Firebox SSL VPN Gateway fails, the connection waits for 20 seconds and then goes to the failover list to make the connection. The client performs a DNS lookup for the first failover appliance and tries to connect. If the first failover Firebox SSL VPN Gateway is not available, the client tries the next failover appliance. When the client successfully connects to a failover Firebox SSL VPN Gateway, the client is prompted to log on. To specify Firebox SSL VPN Gateway failover 1 2 Click the VPN Gateway Cluster tab and then click the Failover Servers tab. In Failover Server 1, Failover Server 2, and/or Failover Server 3, type the external IP address or the fully qualified domain name (FQDN) of the Firebox SSL VPN Gateway(s) to be used for failover operation. The Firebox SSL VPN Gateways are used for failover in the order listed. 3 4 In Port, type the port number. The default is 443. Click Submit. Configuring Internal Failover Configuring the client’s local DNS settings enables the Secure Access Client to connect to the Firebox SSL VPN Gateway from inside the firewall. When internal failover is configured, the client will failover to the internal IP address of the Firebox SSL VPN Gateway if the external IP address cannot be reached. To enable internal failover 1 Click the Global Cluster Policies tab. 2 Under Advanced Options, select Enable Internal Failover. When this check box is selected, the internal IP address of the Firebox SSL VPN Gateway is added to the failover list. If you disabled external administrator access, port 9001 is unavailable. If you want to con- Administration Guide 55 Controlling Network Access nect to port 9001 when you are logged on from an external connection, configure IP pools and connect to the lowest IP address in the IP pool. Controlling Network Access Configuring Network Access After you configure the appliance to operate in your network environment, the next step is to configure network access for the appliance and for groups and users. The steps to configure network access are: • Step 1: Configuring networks to which clients can connect. By default, clients cannot connect to any networks. The first step in configuring network access is to specify the networks that clients can connect to, using the Global Cluster Policies tab. • Step 2: Configuring authentication and authorization. Authentication defines how users log on and is configured using realms. Authentication types include local, NTLM, LDAP, RADIUS, RSA SecurID, and SafeWord. Authorization types include local, LDAP, RADIUS, NTLM, or no authorization. For more information about configuring authentication and authorization, see“Configuring Authentication and Authorization” on page 61. • Step 3: Configuring user groups. User groups are used in conjunction with authorization. For example, if your users are connecting using LDAP, create an LDAP authentication realm, and then create a group. The names of the user group must be the same as that on the LDAP server. In addition, you can create local users on the Firebox SSL VPN Gateway for local authentication. Local users are then added to user groups. For information about configuring local users, see “Adding and Configuring Local Users and User Groups” on page 87. • Step 4: Configuring network access for groups. After you configure your user groups, you then configure network access for the groups. This includes the network resources users in the group are allowed to access, application policies, kiosk connections, and end point policies. For more information about configuring accessible networks, user groups, and network access for users, see“Adding and Configuring Local Users and User Groups” on page 87. By default, the Firebox SSL VPN Gateway is blocked from accessing any networks. You must specify the networks that the Firebox SSL VPN Gateway can access, referred to as accessible networks. You then control user access to those networks as follows: • You create network resource groups. A network resource group includes one or more network locations. For example, a resource group might provide access to a single application, a subset of applications, a range of IP addresses, or an entire intranet. What you include in a network resource group depends largely on the varying access requirements of your users. You might want to provide some user groups with access to many resources and other user groups with access to smaller subsets of resources. By allowing and denying a user group access to network resource groups, you create an access control list (ACL) for that user group. • You specify whether or not any user group without an ACL has full access to all of the accessible networks defined for the Firebox SSL VPN Gateway. By default, user groups without an ACL have access to all of the accessible networks defined for the Firebox SSL VPN Gateway. This default operation provides simple configuration if most of your user groups are to have full network access. By retaining this default operation, you need to configure an ACL only for the user groups that should have more restricted access. The default operation can also be useful for initial testing. 56 Firebox SSL VPN Gateway Enabling Split Tunneling You can change the default operation so that user groups are denied network access unless they are allowed access to one or more network resource groups. • You configure ACLs for user groups by specifying which network resources are allowed or denied per user group. By default, all network resource groups are allowed and network access is controlled by the Deny Access without ACL option on the Global Cluster Policies tab. When you allow or deny one resource group, all other resource groups are denied automatically and the network access for the user group is controlled only through its ACL. If a resource group includes a resource that you do not want a user group to access, you can create a separate resource group for just that resource and deny the user group access to it. The options just discussed are summarized in the following table. ACL set for user group? Deny access without ACL? User group can access: No No All accessible networks Yes No Allowed resource groups No Yes Nothing Yes Yes Allowed resource groups Specifying Accessible Networks You must specify which networks the Firebox SSL VPN Gateway can access. When configuring network access, the most restrictive policy must be configured first and the least restrictive last; for example, you want to allow access to everything on the 10.0.x.x network, but need to deny access to the 10.0.20.x network. Configure network access to 10.0.20.x first and then configure access to the 10.0.x.x network. To give the Firebox SSL VPN Gateway access to a network 1 2 3 Click the Global Cluster Policies tab. Under Access Options, in Accessible Networks, type a list of networks. Use a space or carriage return to separate the list of networks. Click Submit. Enabling Split Tunneling You can enable split tunneling on the Global Cluster Policies tab to prevent the Secure Access Client from sending unnecessary network traffic to the Firebox SSL VPN Gateway. When split tunneling is not enabled, the Secure Access Client captures all network traffic originating from a client computer, and sends the traffic through the VPN tunnel to the Firebox SSL VPN Gateway. If you enable split tunneling, the Secure Access Client sends only traffic destined for networks protected by the Firebox SSL VPN Gateway through the VPN tunnel. The Secure Access Client does not send network traffic destined for unprotected networks to the Firebox SSL VPN Gateway. Administration Guide 57 Denying Access to Groups without an ACL When you enable split tunneling, you must enter a list of accessible networks on the Global Cluster Policies tab. The list of accessible networks must include all internal networks and subnetworks that the user may need to access with the Secure Access Client. The Secure Access Client uses the list of accessible networks as a filter to determine whether or not packets transmitted from the client computer should be sent to the Firebox SSL VPN Gateway. When the Secure Access Client starts, it obtains the list of accessible networks from the Firebox SSL VPN Gateway. The Secure Access Client examines all packets transmitted on the network from the client computer and compares the addresses within the packets to the list of accessible networks. If the destination address in the packet is within one of the accessible networks, the Secure Access Client sends the packet through the VPN tunnel to the Firebox SSL VPN Gateway. If the destination address is not in an accessible network, the packet is not encrypted and the client routes the packet appropriately. To enable split tunneling 1 2 3 4 Click the Global Cluster Policies tab. Under Access Options, click Enable Split Tunneling. In Accessible Networks, type the IP addresses. Use a space or carriage return to separate the list of networks. Click Submit. Configuring User Groups User groups define the resources the user has access to when connecting to the corporate network through the Firebox SSL VPN Gateway. Groups are associated with the local users list. After adding local users to a group, you can then define the resources they have access to on the Access Policy Manager tab. For more information about configuring local users, see “Configuring Properties for a User Group” on page 90. When you enable authorization on the Firebox SSL VPN Gateway, user group information is obtained from the authentication server after a user is authenticated. If the group name that is obtained from the authentication server matches a group name created locally on the Firebox SSL VPN Gateway, the properties of the local group are used for the matching group obtained from the authentication servers. Note Important: Group names on authentication servers and on the Firebox SSL VPN Gateway must be identical and they are case-sensitive Denying Access to Groups without an ACL Each user should belong to at least one group that is defined locally on the Firebox SSL VPN Gateway. If a user does not belong to a group, the overall access of the user is determined by using access control lists (ACLs) that are defined by the Deny access without access control list (ACL) setting as follows: If the Deny Access option is enabled, the user cannot establish a connection If the Deny Access option is disabled, the user has full network access In either case, the user can use kiosk mode, but network access within that session is determined by the Deny access without access control list (ACL) setting. 58 Firebox SSL VPN Gateway Improving Voice over IP Connections To deny access to user groups without an ACL 1 2 3 Click the Global Cluster Policies tab. Under Access Options, select Deny Access without ACL. Click Submit. Improving Voice over IP Connections Real-time applications, such as voice and video, are implemented over UDP. TCP is not appropriate for real-time traffic due to the delay introduced by acknowledgements and retransmission of lost packets. It is more important to deliver packets in real time than to ensure that all packets are delivered. However, with any tunneling technology over TCP, such real-time performances cannot be met. The Firebox SSL VPN Gateway overcomes this issue by routing UDP packets over the secure tunnel as special IP packets that do not require TCP acknowledgements. Even if the packets get lost in the network, no attempt is made by either the client or the server applications to regenerate them, so real-time (UDP like) performance is achieved over a secure TCP-based tunnel. When the Firebox SSL VPN Gateway is installed as a stand alone appliance, and users connect using the Secure Access Client, two-way communication is supported with the following voice over IP (VoIP) softphones: • Avaya IP Softphone • Nortel IP Softphone • Cisco IP Softphone • Cisco IP Communicator Secure tunneling is supported between the manufacturer’s IP PBX and the softphone software running on the client computer. To enable the VoIP traffic to traverse the secure tunnel, you must install the Secure Access Client and one of the softphones listed above on the same system. When the VoIP traffic is tunneled over the secure tunnel, the following softphone features are supported: • Outgoing calls that are placed from the IP softphone • Incoming calls that are placed to the IP softphone • Bidirectional voice traffic Enabling Improving Voice over IP Connections Voice over IP (VoIP) traffic is carried over the UDP protocol. This kind of traffic is very sensitive to latency. The Firebox SSL VPN Gateway tunnels the UDP traffic through SSL connections. If you experience latency in your VoIP application, you can select the Improving Voice over IP Connections setting to minimize latency and improve the audio quality. When you select this setting, the Firebox SSL VPN Gateway employs weaker encryption ciphers (56-bit). These weaker ciphers are used for all traffic that is transmitted using the UDP protocol, not just the VoIP traffic. Before selecting this option, you might want to consider the security implications of using these weaker ciphers to encrypt the UDP traffic. The specific ciphers used to encrypt the UDP traffic include • RSA EXP 1024, RC4 56 Bit, MD5 • RSA EXP 1024, RC4 56 Bit, SHA Administration Guide 59 Improving Voice over IP Connections Note If the Improving Voice over IP Connections setting is not selected, the UDP traffic is encrypted using the symmetric encryption cipher that is specified in the Select encryption type for client connections setting on the Global Cluster Policies tab. The encryption ciphers are negotiated between the client computer and the Firebox SSL VPN Gateway in the order listed. The first accepted method is the one chosen for the session. To improve latency for UDP traffic 1 2 3 60 Click the Global Cluster Policies tab. Under SSL Options, select Improve latency for Voice over IP traffic. Click Submit. Firebox SSL VPN Gateway Configuring Authentication and Authorization CHAPTER 5 The Firebox SSL VPN Gateway supports several authentication types including LDAP, RADIUS, RSA SecurID, NTLM, and Secure Computing’s SafeWord products. The following topics describe how to configure Firebox SSL VPN Gateway authentication: • • • • • • • • • • Choosing When to Configure Authentication on the Firebox SSL VPN Gateway Configuring Authentication on the Firebox SSL VPN Gateway Configuring Local Authentication Configuring Local Users Configuring LDAP Authentication and Authorization Configuring RADIUS Authentication and Authorization Configuring RSA SecurID Authentication Configuring Secure Computing SafeWord Authentication Configuring NTLM Authentication and Authorization Configuring Double-Source Authentication Configuring Authentication and Authorization By default the Firebox SSL VPN Gateway authenticates users against a user list stored locally on the Firebox SSL VPN Gateway. You can configure the Firebox SSL VPN Gateway to use LDAP, RADIUS, RSA SecurID, SafeWord, or NTLM (Windows NT 4.0) authentication servers. The Firebox SSL VPN Gateway supports realm-based authentication to accommodate sites with more than one LDAP or RADIUS server or with a combination of SafeWord, LDAP, RADIUS, NTLM, and/or RSA SecurID authentication servers. Administration Guide 61 Configuring Authentication and Authorization Communications between the Firebox SSL VPN Gateway and authentication servers. If a user is not located on an authentication server or fails authentication on that server, the Firebox SSL VPN Gateway checks the user against the local user list, if the check box Use the local user database on the Firebox SSL VPN Gateway is selected on the Authentication > Settings tab. Communication between the client, the Firebox SSL VPN Gateway, and the local user account. After a user is authenticated, the Firebox SSL VPN Gateway performs a group authorization check by obtaining the user’s group information from either an LDAP server, a RADIUS server, a Windows NT 4.0 server (for NTLM authorization), or the local group file (if not available on the LDAP or RADIUS server). If group information is available for the user, the Firebox SSL VPN Gateway then checks the network resources allowed for the group. LDAP authorization works with all supported authentication methods. You can configure the Firebox SSL VPN Gateway to obtain an authenticated user’s group(s) from an LDAP server. If the user is not located on the LDAP server, the Firebox SSL VPN Gateway checks its local group file if the check box Use the local user database on the Firebox SSL VPN Gateway is selected on the Authentication > Settings tab. The group names obtained from the LDAP server are compared with the group names created locally on the Firebox SSL VPN Gateway. If the two group names match, the properties of the local group apply to the group obtained from the LDAP server. 62 Firebox SSL VPN Gateway Configuring Authentication and Authorization Configuring Authentication without Authorization The Firebox SSL VPN Gateway can be configured to authenticate users without requiring authorization. When users are not authorized, the Firebox SSL VPN Gateway does not perform a group authorization check. The settings from the Default user group are assigned to the user. To remove authorization requirements from the Firebox SSL VPN Gateway 1 2 On the Authentication tab, select an authorization realm. On the Authorization tab, in Authorization type, select No authorization. The Default Realm The Firebox SSL VPN Gateway has a permanent realm named Default with the following characteristics: • For a new installation, the Default realm is configured for local authentication. • The authentication type of the Default realm can be changed. • The Default realm cannot be removed unless you immediately replace it with a new Default realm. • The Default realm is assumed when a user enters only a user name when logging on to the Firebox SSL VPN Gateway. When a user logs on to any other realm, the user must log on using realmName\userName. Therefore, if all of your users are authenticated against one authentication server, configure the Default realm for that type of authentication so that users do not have to enter a realm name when logging on. Using a Local User List for Authentication For a new installation, the Default realm is set to local authentication. This enables users to log on to the Firebox SSL VPN Gateway without having to enter a realm name. If some users authenticate only against the local user list on the Firebox SSL VPN Gateway, you can keep the Default realm set to local authentication. Alternatively, you can create a different realm for local authentication and use the Default realm for another authentication type, as described in “To remove and create a Default realm”. If all users authenticate against authentication servers, you do not need a realm for local authentication. The Firebox SSL VPN Gateway can check the local user database on the appliance for authentication information if a user fails to authenticate on another authentication server. For example, If you are using LDAP and the authentication fails, users can log on using the local user database. To authenticate using the local user list on the Firebox SSL VPN Gateway 1 2 3 4 5 On the Authentication tab, open the authentication realm on which you want to configure local authentication. Click the Settings tab. Select Use the local user database on the Firebox SSL VPN Gateway. Click Submit. Note This check box is unavailable if the realm is configured for local authentication Administration Guide 63 Configuring Authentication and Authorization Configuring Local Users You can create user accounts locally on the Firebox SSL VPN Gateway to supplement the users on authentication servers. For example, you might want to create local user accounts for temporary users, such as consultants or visitors, without creating an entry for those users on the authentication server. In that case, you add the user to the Firebox SSL VPN Gateway local user list as described in this section. To add a user to another group, under Local Users, click and drag the user to the appropriate user group. If a user is not a member of a group or groups you defined on the Firebox SSL VPN Gateway, the user receives the settings for the Default user group. If a user is part of a group other than the Default group, the user inherits only the settings of the Default group if the group is configured to receive those settings. For more information, see “Default group properties” on page 90. To create a user on the Firebox SSL VPN Gateway 1 2 3 Click the Access Policy Manager tab. In the left-pane, right-click Local Users and then click New User. In User Name, type a user name. User names can contain spaces. Note Note: User names are not case-sensitive. Do not use a forward slash (/) in the user name or password. Passwords cannot begin or end with a space. 4 In Password and Verify Password, type the password for the user. A user enters this password when logging on. A password must be six or more characters up to a maximum of 127 characters. 5 Click OK. To delete a user from the Firebox SSL VPN Gateway 1 2 Click the Access Policy Manager tab. In the left pane, right-click the user in the Local Users list and click Remove. Adding Users to Multiple Groups After creating the local user list, you can then add the users to groups that you created on the Firebox SSL VPN Gateway. If you associate more than one group with a user account, the properties of the first group that you select on the Group Priority tab is used for the user. To add a user to a group Click the user in the Local Users list and drag it to a group. Changing Password for Users You can change the password for a user in the Administration tool. 64 Firebox SSL VPN Gateway Changing the Authentication Type of the Default Realm To change a user’s password 1 2 On the Access Policy Manager tab, right-click a user, and click Set Password. Type the password twice and then click OK. Using LDAP Authorization with Local Authentication By default, the Firebox SSL VPN Gateway obtains an authenticated user’s group(s) from the local group file stored on the Firebox SSL VPN Gateway. Alternatively, you can configure the Firebox SSL VPN Gateway to obtain an authenticated user’s group(s) from an LDAP server. If the user is not located on the LDAP server, the Firebox SSL VPN Gateway checks its local group file. To use LDAP authorization with local authentication 1 2 3 4 5 In the Firebox SSL VPN Gateway Administration Tool, click the Authentication tab. Open the window for the realm that is configured for local authentication. This is the Default realm unless the authentication type was changed. Click the Authorization tab. In Authorization Type, select LDAP Authorization. Complete the information for the LDAP server. For a description of LDAP server settings, see “Using LDAP Servers for Authentication and Authorization” on page 73. For information about looking up LDAP server settings, see “Determining Attributes in your LDAP Directory” on page 78. Changing the Authentication Type of the Default Realm When a user logs on to the Default realm, the user does not have to specify a realm name. For any other realm, the user must specify a realm name when logging on. Thus, if most users are logging on to a nonlocal authentication realm, change the authentication type of the Default realm. To change the authentication type of the Default realm, remove the Default realm and then immediately create a new one. Configuring the Default Realm The Firebox SSL VPN Gateway has a permanent realm named Default. The Default realm is preconfigured for local authentication. If you want to change the authentication method of the Default realm, it must be immediately replaced with a new Default realm. The Default realm is assumed when a user enters only a user name when logging on to the Access Gateway. For any other realm, the user must specify a realm name when logging on. Thus, if most users are logging on to a non-local authentication realm, change the authentication type of the Default realm. To change the authentication type of the Default realm, remove the Default realm and then immediately create a new realm with the appropriate authentication configuration. To remove and create a Default realm 1 2 Click the Authentication tab. Open the window for the Default realm. Administration Guide 65 Changing the Authentication Type of the Default Realm 3 On the Action menu, select Remove Default realm. A warning message appears. Click Yes. 4 Under Add an Authentication Realm, in Realm name, type Default. Note Important: When creating a new Default realm, the word Default is case-sensitive and an uppercase D must be used. 5 6 7 Do one of the following: • If configuring one authentication type, select One Source and click Add. • If configuring double-source authentication, select Two Source and click Add. In Authentication type, select the type of authentication and then click OK. Configure the authentication settings. For more information, see: • “Using a Local User List for Authentication” on page 63 • “Using LDAP Servers for Authentication and Authorization” on page 73 • “Using RADIUS Servers for Authentication and Authorization” on page 69 • “Using RSA SecurID for Authentication” on page 79 • “Using SafeWord for Authentication” on page 67 • “Configuring NTLM Authentication and Authorization” on page 83 Creating Additional Realms You can create realms in addition to the Default realm. For example, you want the Default realm to be used for authentication to an LDAP server. If you want to use additional authentication methods for users, such as RADIUS, SafeWord, RSA SecurID, NTLM, or locally on the appliance, you can create realms for each of these. When the user logs on to realms that are not the Default realm, they need to type the realm name and their user name, such as realm name\user name. Note Note: Watchguard recommends that realm names map to their corresponding domain names. This enables users to log on using either realm name\user name or user name@realm name. To create a realm 1 On the Authentication tab, under Add an Authentication Realm, in Realm name, type the name of 2 Do one of the following: If users have one authentication type, click One Source. -orIf users have two authentication types, click Two Source. Click Add. In Authentication type, select the authentication method, and click OK. If you are configuring double-source authentication, in Primary authentication type, select the type the realm. 3 4 that users will log on to first. In Secondary authentication type, select the type that users will log on to second. For more information, see “Configuring Double-Source Authentication” on page 85. 5 66 Configure the settings for the realm and then click Submit. Firebox SSL VPN Gateway Using SafeWord for Authentication Removing Realms If you are retiring an authentication server or removing a domain server, you can remove any realm except for the realm named Default. You can remove the Default realm only if you immediately create a new realm named Default. For more information, see “Configuring the Default Realm” on page 65. To remove a realm 1 2 On the Authentication tab, open the realm you want to remove. On the Action menu, click Remove realm name realm. The realm is removed. Note If you remove the Default realm and do not immediately replace it as described above, the Firebox SSL VPN Gateway retains the Default realm that you attempted to remove. Using SafeWord for Authentication Configuring Secure Computing SafeWord Authentication The SafeWord product line provides secure authentication using a token-based passcode. After the passcode is used, it is immediately invalidated by SafeWord and cannot be used again. The Firebox SSL VPN Gateway supports SafeWord authentication to the following Secure Computing products: • SafeWord PremierAccess • SafeWord for Citrix • SafeWord RemoteAccess Configuring the Firebox SSL VPN Gateway to authenticate using Secure Computing’s SafeWord products can be done in several ways: • Configure authentication to use a PremierAccess RADIUS server that is installed as part of SafeWord PremierAccess and allow it to handle authentication. • Configure authentication to use the SafeWord IAS agent, which is a component of SafeWord RemoteAccess, SafeWord for WatchGuard, and SafeWord PremierAccess 4.0. • Install the SafeWord Web Interface Agent to work with the WatchGuard Web Interface. Authentication does not have to be configured on the Firebox SSL VPN Gateway and can be handled by the WatchGuard Web Interface. This configuration does not use the PremierAccess RADIUS server or the SafeWord IAS Agent. Configuring SafeWord Settings on the Access Gateway When configuring the SafeWord server, you need the following information: • The IP address of the Firebox SSL VPN Gateway. This should be the same as what is configured on the RADIUS server client configuration. • A shared secret. This secret is also configured on the Authentication tab on the Firebox SSL VPN Gateway. • The IP address and port of the SafeWord server. Administration Guide 67 Using SafeWord for Citrix or SafeWord RemoteAccess for Authentication Configure a SafeWord realm to authenticate users. The Firebox SSL VPN Gateway acts as a SafeWord agent authenticating on behalf of users logged on using Secure Access Client. If a user is not located on the SafeWord server or fails authentication, the Access Gateway checks the user against the local user list if Use the local user database on the Access Gateway is selected on the Settings tab. To use SafeWord as the Default realm, remove the current Default realm and create a new one as described in “To remove and create a Default realm” To configure SafeWord on the Access Gateway 1 2 3 4 5 6 7 In the Administration Tool, click the Authentication tab. Under Add an Authentication Realm, in Realm name, type a name. Select One Source and then click Add. In Authentication type, select SafeWord authentication and click OK. For the Primary SafeWord server Settings, enter the following settings: • In IP Address, type the IP address of the SafeWord server. • In Port, type the port number for the SafeWord RADIUS server. The default is 1812. This port must match the number you configured on the RADIUS server. • In Server Secret, enter a RADIUS shared secret. The shared secret must match what is configured on the RADIUS server. If there is a second SafeWord server, configure the settings in Secondary SafeWord Server Settings. To disable Firebox SSL VPN Gateway authentication On the Global Cluster Policies tab, under Advanced Options, clear Enable Portal Page Authentication. SafeWord PremierAccess Authorization If you are using SafeWord PremierAccess for authentication, you can use the following authorization types: • LDAP • Local user list • RADIUS • No authorization To configure LDAP authorization, see “To configure LDAP authorization” on page 77. Using SafeWord for Citrix or SafeWord RemoteAccess for Authentication Both Safeword for Citrix and SafeWord RemoteAccess use Microsoft’s Internet Authentication Server (IAS) to provide RADIUS authentication service to the Firebox SSL VPN Gateway. The IAS RADIUS server receives authentication requests from the Firebox SSL VPN Gateway and sends the user’s credentials to SafeWord for verification using an installed SafeWord agent for IAS. Multiple instances of IAS (with the SafeWord agent for IAS) can be deployed for redundancy. 68 Firebox SSL VPN Gateway Using RADIUS Servers for Authentication and Authorization If you are already using SafeWord for Citrix or SafeWord RemoteAccess in your configuration to authenticate using the Web Interface, you need to do the following: • Install and configure the SafeWord IAS Agent • Configure the IAS RADIUS server to recognize the Firebox SSL VPN Gateway as a RADIUS client • Configure the Firebox SSL VPN Gateway to send RADIUS authentication requests to the IAS RADIUS server To install and configure the IAS Agent and the IAS RADIUS server, see the SafeWord for Citrix or SafeWord Remote Access product documentation. If you are not currently using SafeWord for Citrix or SafeWord RemoteAccess, you should first install one of these servers following the product documentation. To configure the Firebox SSL VPN Gateway to send RADIUS authentication requests to the IAS RADIUS server, follow the instructions in “Using RADIUS Servers for Authentication and Authorization” on page 69. To configure the IAS RADIUS realm 1 2 3 4 5 6 Click the Authentication tab. In Realm Name, type a name for the authentication realm that you will create, select One Source, and then click Add. In Select Authentication Type, in Authentication Type, select RADIUS Authentication and click OK. On the Authentication tab, in Server IP Address, type the IAS RADIUS server IP address. In Server Port, type the IAS RADIUS server port. The default port numbers are 1812 and 1645. In Server Secret, type a RADIUS share secret. Note Make sure you use a strong shared secret. A strong shared secret is one that is at least eight characters and includes a combination of letters, numbers, and symbols. 7 If there is a secondary IAS RADIUS server, configure the settings for the server in Secondary Radius Server. The RADIUS port number and the RADIUS server secret configured on the Firebox SSL VPN Gateway must match those configured on the IAS RADIUS server. Using RADIUS Servers for Authentication and Authorization You can configure the Firebox SSL VPN Gateway to authenticate user access with one or more RADIUS servers. For each RADIUS realm that you use for authentication, you can configure both primary and secondary RADIUS servers. If the primary RADIUS server is unavailable, the Firebox SSL VPN Gateway attempts to authenticate against the secondary RADIUS server for that realm. If a user is not located on the RADIUS servers or fails authentication, the Firebox SSL VPN Gateway checks the user against the user information stored locally on the Firebox SSL VPN Gateway if the Enable Local Database lookup check box is selected on the Settings tab of the realm. The Firebox SSL VPN Gateway software also includes RADIUS authorization, which is configured using Remote Access Policy in Microsoft Internet Authentication Service (IAS). During configuration of the Firebox SSL VPN Gateway, the following information needs to be provided: • Vendor ID is the vendor-specific code number that was entered in IAS. Administration Guide 69 Using RADIUS Servers for Authentication and Authorization • Type is the vendor-assigned attribute number. • Attribute name is the type of attribute name that is defined in IAS. The default name is CTXSUserGroups=. • Separator is defined if multiple user groups are included in the RADIUS configuration. A separator can be a space, a period, a semicolon, or a colon. To configure IAS so the Firebox SSL VPN Gateway can use RADIUS authorization, follow the steps below. These steps assume that IAS is installed from the Add/Remove Programs Control Panel. For more information about installing IAS, see Windows Help. To configure Microsoft Internet Authentication Service for Windows 2000 Server 1 2 3 4 5 6 7 8 9 10 11 12 13 Open the Microsoft Management Console (MMC) by clicking Start > Run. In Open, type MMC. In the MMC console, on the File menu, click Add/Remove Snap-in. Click Add and in the Add/Remove Snap-in dialog box, select Internet Authentication Service and click Add. Select Local computer and click Finish. Click Close and then click OK. Right-click Remote Access Policies and then click New Remote Access Policy. Select Set up a custom policy. In Policy name, give the policy a name and click Next. Under Policy Conditions, click Add, select Windows-Groups, and click Add. In Select Groups, click Add, and then type the name of the group. A summary of conditions to match the policy is shown. To add more conditions, click Add, otherwise, click Next. In the Edit Dial-In Profile dialog box, on the Authentication tab, select Encrypted Authentication (CHAP) and Unencrypted Authentication (PAP, SPAP). Note Password Authentication Protocol (PAP) is an authentication protocol that allows Point-to-Point Protocol (PPP) peers to authenticate one another. PAP passes the password and host name or user name unencrypted. PAP does not prevent unauthorized access but identifies the remote end. 14 Clear Microsoft Encrypted Authentication version 2 (MS-CHAP v2) and Microsoft Encrypted Authentication (MS-CHAP). 15 Click OK. The Firebox SSL VPN Gateway needs the Vendor-Specific Attribute to match the users defined in the group on the server with those on the Firebox SSL VPN Gateway. This is done by sending the Vendor-Specific Attributes to the Firebox SSL VPN Gateway. 16 In the Edit Dial-in Profile dialog box, click the Advanced tab. 17 Click Add. 70 Firebox SSL VPN Gateway Using RADIUS Servers for Authentication and Authorization 18 In the Add Attributes dialog box, select Vendor-Specific and click Add. 19 In the Vendor-Specific Attribute Information dialog box, choose Select from list and accept the default RADIUS=Standard. The Firebox SSL VPN Gateway needs the Vendor-Specific Attribute to match the users defined in the group on the server with those on the Firebox SSL VPN Gateway. This is done by sending the Vendor-Specific Attributes to the Firebox SSL VPN Gateway 20 The RADIUS default is 0. When configuring RADIUS authorization on the Firebox SSL VPN Gateway, in the field Vendor Code, use this default number. 21 Click Yes. It conforms and then click Configure Attribute. 22 Under Vendor-assigned attribute number, type 0. This is the assigned number for the User Group attribute. The attribute is in string format. The default is 0. 23 In Attribute format, select String. 24 In Attribute value, type the attribute name and the groups. For the Firebox SSL VPN Gateway, the attribute value is CTXSUserGroups=groupname. If two groups are defined, such as sales and finance, the attribute value is CTXSUserGroups=sales;finance. Separate each group with a semicolon. 25 Click OK. 26 In the Edit Dial-in Profile dialog box, remove all the other entries, leaving the one that says Vendor-Specific. 27 Click OK. When you are finished configuring the Remote Access Policy in IAS, go to the Firebox SSL VPN Gateway and configure the RADIUS authentication and authorization. Administration Guide 71 Using RADIUS Servers for Authentication and Authorization To specify RADIUS server authentication 1 2 Click the Authentication tab. In Realm Name, type a name for the authentication realm that you will create, select One Source, and then click Add. If your site has multiple authentication realms, use a name that identifies the RADIUS realm for which you will specify settings. Realm names are case-sensitive and can contain spaces. Note If you want the Default realm to use RADIUS authentication, remove the Default realm as described in “Changing the Authentication Type of the Default Realm” on page 65. 3 In Select Authentication Type, choose RADIUS Authentication and click OK. The dialog box for the authentication realm opens. 4 5 6 7 In Server IP Address, type the IP address of the RADIUS server. In Server Port, type the port number. The default port number is 1812. In Server Secret, type the RADIUS server secret. The server secret is configured manually on the RADIUS server and on the Firebox SSL VPN Gateway. If you use a secondary RADIUS server, enter its IP address, port, and server secret. Note Make sure you use a strong shared secret. A strong shared secret is one that is at least eight characters and includes a combination of letters, number, and symbols. To configure RADIUS authorization 1 Click the Authorization tab and in Authorization Type, select RADIUS Authorization. You can use the following authorization types with RADIUS authentication: • RADIUS authorization • Local authorization • LDAP authorization • No authorization 2 Complete the settings using the attributes defined in IAS. For more information about the values for these fields, see “To configure Microsoft Internet Authentication Service for Windows 2000 Server” on page 70. 3 Click Submit. Choosing RADIUS Authentication Protocols The Firebox SSL VPN Gateway supports implementations of RADIUS that are configured to use the Password Authentication Protocol (PAP) for user authentication. Other authentication protocols such as the Challenge-Handshake Authentication Protocol (CHAP) are not supported. If your deployment of Firebox SSL VPN Gateway is configured to use RADIUS authentication and your RADIUS server is configured to use PAP, you can strengthen user authentication by assigning a strong shared secret to the RADIUS server. Strong RADIUS shared secrets consist of random sequences of uppercase and lowercase letters, numbers, and punctuation and are at least 22 keyboard characters long. If possible, use a random character generation program to determine RADIUS shared secrets. To further protect RADIUS traffic, assign a different shared secret to each Firebox SSL VPN Gateway appliance. When you define clients on the RADIUS server, you can also assign a separate shared secret to each client. If you do this, you must configure separately each Firebox SSL VPN Gateway realm that uses 72 Firebox SSL VPN Gateway Using LDAP Servers for Authentication and Authorization RADIUS authentication. If you synchronize configurations among several Firebox SSL VPN Gateway appliances in a cluster, all the appliances are configured with the same secret. Shared secrets are configured on the Firebox SSL VPN Gateway when a RADIUS realm is created. Using LDAP Servers for Authentication and Authorization You can configure the Firebox SSL VPN Gateway to authenticate user access with an LDAP server. If a user is not located in an LDAP directory or fails authentication on a server, the Firebox SSL VPN Gateway checks the user against the user information stored locally on the Firebox SSL VPN Gateway. LDAP authorization requires identical group names in Active Directory, on the LDAP server, and on the Firebox SSL VPN Gateway. The characters and case must also be the same. LDAP authentication Starting with Version 5.0 of the Firebox SSL VPN Gateway, LDAP authentication, by default, is secure using SSL/TLS. There are two types of secure LDAP connections. With one type, the LDAP server accepts the SSL/TLS connection on a port separate from the port used to accept clear LDAP connections. After a client establishes the SSL/TLS connection, LDAP traffic can be sent over the connection. The second type allows both unsecure and secure LDAP connections and is handled by a single port on the server. In this scenario, to create a secure connection, the client first establishes a clear LDAP connection. Then, the LDAP command StartTLS is sent to the server over the connection. If the LDAP server supports StartTLS, the connection is converted to a secure LDAP connection using TLS. The standard port numbers for unsecure LDAP connections is 389. The port number for secure LDAP connections with SSL/TLS is 636. LDAP connections that use the StartTLS command use port number 389. The Microsoft port numbers for unsecure and secure LDAP connections are 3268 and 3269. If port numbers 389 or 3268 are configured on the Firebox SSL VPN Gateway, it tries to use StartTLS to make the connection. If any other port number is used, connection attempts are made using SSL/TLS. When configuring the Firebox SSL VPN Gateway to use LDAP authentication and the check box Allow Unsecure Traffic is selected, LDAP connections are unsecure. Note When upgrading the Firebox SSL VPN Gateway from an earlier version, and an LDAP realm is already configured, LDAP connections are unsecure by default. If this is a new installation of the Firebox SSL VPN Gateway, or you are creating a new LDAP realm, LDAP connections are secure by default. When configuring the LDAP server, the letter case must match what is on the server and what is on the Firebox SSL VPN Gateway. If the root directory of the LDAP server is specified, all of the subdirectories are also searched to find the user attribute. In large directories, this can affect performance; we recommend that you use a specific organizational unit (OU). The following table contains examples of user attribute fields for LDAP servers. LDAP Server User Attribute Case Sensitive Microsoft Active Directory Server sAMAccountName No Novell eDirectory cn Yes IBM Directory Server uid Lotus Domino CN Sun ONE directory (formerly iPlanet) uid or cn Administration Guide Yes 73 Using LDAP Servers for Authentication and Authorization This table contains examples of the base dn Microsoft Active Directory Server DC=citrix, DC=local Novell eDirectory dc=citrix,dc=net IBM Directory Server Lotus Domino OU=City, O=Citrix, C=US Sun ONE directory (formerly iPlanet) ou=People,dc=citrix,dc=com The following table contains examples of bind dn: Microsoft Active Directory Server CN=Administrator, CN=Users, DC=citrix, DC=local Novell eDirectory cn=admin, dc=citrix, dc=net IBM Directory Server Lotus Domino CN=Notes Administrator, O=Citrix, C=US Sun ONE directory (formerly iPlanet) uid=admin,ou=Administrators, ou=TopologyManagement,o=NetscapeRoot Note For further information to determine the LDAP server settings, see “Determining Attributes in your LDAP Directory” on page 78. To configure LDAP authentication 1 2 Click the Authentication tab. In Realm Name, type a name for the authentication realm. If your site has multiple authentication realms, you might use a name that identifies the LDAP realm for which you specify settings. Realm names are case-sensitive and can contain spaces. Note If you want the Default realm to use LDAP authentication, remove the Default realm as described in “Changing the Authentication Type of the Default Realm” on page 65. 3 4 Select One Source and click Add. In Select Authentication Type, in Authentication Type, choose LDAP Authentication and click OK. The Realm dialog box opens. 5 6 7 74 Click the Authentication tab. In Server IP Address, type the IP address of the LDAP server. In Server Port, type the port number. The LDAP Server port defaults to 389. If you are using an indexed database, such as Microsoft Active Directory with a Global Catalog, changing the LDAP Server port to 3268 significantly increases the speed of the LDAP queries. If your directory is not indexed, use an administrative connection rather than an anonymous connection from the Firebox SSL VPN Gateway to the database. Download performance improves when you use an administrative connection. Firebox SSL VPN Gateway LDAP Authorization 8 Select Allow Unsecure Traffic to allow unsecure LDAP connections. When this check box is clear, all LDAP connections are secure. In Administrator Bind DN, type the Administrator Bind DN for queries to your LDAP directory. The following are examples of syntax for Bind DN: “domain/user name” “ou=administrator,dc=ace,dc=com” “user@domain.name” (for Active Directory) “cn=Administrator,cn=Users,dc=ace,dc=com” For Active Directory, the group name specified as cn=groupname is required. The group name that is defined in the Firebox SSL VPN Gateway must be identical to the group name that is defined on the LDAP server. For other LDAP directories, the group name either is not required or, if required, is specified as ou=groupname. The Firebox SSL VPN Gateway binds to the LDAP server using the administrator credentials and then searches for the user. After locating the user, the Firebox SSL VPN Gateway unbinds the administrator credentials and rebinds with the user credentials. 10 In Administrator Password, type the password. 11 In Base DN (where users are located), type the Base DN under which users are located. Base DN is usually derived from the Bind DN by removing the user name and specifying the group where users are located. Examples of syntax for Base DN: “ou=users,dc=ace,dc=com” “cn=Users,dc=ace,dc=com” 12 In Server login name attribute, type the attribute under which the Firebox SSL VPN Gateway should look for user logon names for the LDAP server that you are configuring. The default is sAMAccountName. If you are using other directories, use cn. 13 Click Submit. If a user is not located in an LDAP directory or fails authentication on a server, the Firebox SSL VPN Gateway checks the user against the user information stored locally on the Firebox SSL VPN Gateway. LDAP authorization requires identical group names in Active Directory, on the Firebox SSL VPN Gateway, and on the LDAP server. The characters and case must also be the same. 9 Note For further information to determine the LDAP server settings, see “Determining Attributes in your LDAP Directory” on page 78. LDAP Authorization The following is a discussion of LDAP group memberships attributes that will and will not work with Firebox SSL VPN Gateway authorization. You can use the following authorization types with LDAP authentication: • Local authorization • LDAP authorization • No authorization If you are using double-source authentication, authorization is based on the primary authentication method, not the secondary authentication method. Administration Guide 75 LDAP Authorization Group memberships from group objects working evaluations LDAP servers that evaluate group memberships from group objects indirectly work with Firebox SSL VPN Gateway authorization. Some LDAP servers enable user objects to contain information about groups to which they belong, such as Active Directory or eDirectory. A user’s group membership can be computable attributes from the user object, such as IBM Directory Server or Sun ONE directory server. In some LDAP servers, this attribute can be used to include a user’s dynamic group membership, nesting group membership, and static group membership to locate all group memberships from a single attribute. For example, in IBM Directory Server, all group memberships, including the static, dynamic, and nested groups, can be returned using the ibm-allGroups attribute. In Sun ONE, all roles, including managed, filtered, and nested, are calculated using the nsRole attribute. Group memberships from group objects non-working evaluations LDAP servers that evaluate group memberships from group objects indirectly will not work with Firebox SSL VPN Gateway authorization. Some LDAP servers enable only group objects such as the Lotus Domino LDAP server to contain information about users. The LDAP server does not enable the user object to contain information about groups. For this type of LDAP server, group membership searches are performed by locating the user on the member list of groups. LDAP authorization group attribute fields The following table contains examples of LDAP group attribute fields. Microsoft Active Directory Server memberOf Novell eDirectory groupMembership IBM Directory Server ibm-allGroups Sun ONE directory (formerly iPlanet)* nsRole To configure LDAP authentication 1 2 Click the Authentication tab. In Realm Name, type a name for the authentication realm that you will create, select One Source, and then click Add. If your site has multiple authentication realms, you might use a name that identifies the LDAP realm for which you will specify settings. Realm names are case-sensitive and can contain spaces. Note If you want the Default realm to use LDAP authentication, remove the Default realm as described in “Changing the Authentication Type of the Default Realm” on page 65. 3 In Select Authentication Type, choose LDAP Authentication and click OK. The Realm dialog box opens. 4 5 6 76 Click the Authentication tab. In Server IP Address, type the IP address of the LDAP server. In Server Port, type the port number. Firebox SSL VPN Gateway LDAP Authorization The LDAP Server port defaults to 389. If you are using an indexed database, such as Microsoft Active Directory with a Global Catalog, changing the LDAP Server port to 3268 significantly increases the speed of the LDAP queries. If your directory is not indexed, use an administrative connection rather than an anonymous connection from the Firebox SSL VPN Gateway to the database. Download performance improves when you use an administrative connection. 7 In Administrator Bind DN, type the Administrator Bind DN for queries to your LDAP directory. The following are examples of syntax for Bind DN: “domain/user name” “ou=administrator,dc=ace,dc=com” “user@domain.name” (for Active Directory) “cn=Administrator,cn=Users,dc=ace,dc=com” For Active Directory, the group name specified as cn=groupname is required. The group name that is defined in the Firebox SSL VPN Gateway must be identical to the group name that is defined on the LDAP server. For other LDAP directories, the group name either is not required or, if required, is specified as ou=groupname. The Firebox SSL VPN Gateway binds to the LDAP server using the administrator credentials and then searches for the user. After locating the user, the Firebox SSL VPN Gateway unbinds the administrator credentials and rebinds with the user credentials. 8 In Administrator Password, type the password. 9 In Base DN (where users are located), type the Base DN under which users are located. Base DN is usually derived from the Bind DN by removing the user name and specifying the group where users are located. Examples of syntax for Base DN: “ou=users,dc=ace,dc=com” “cn=Users,dc=ace,dc=com” 10 In Server login name attribute type the attribute under which the Firebox SSL VPN Gateway should look for user logon names for the LDAP server that you are configuring. The default is sAMAccountName. If you are using other directories, use cn. 11 Click Submit. After configuring LDAP authentication, configure LDAP authorization. To configure LDAP authorization 1 2 3 4 Click the Authorization tab. In LDAP Server IP Address, type the IP address of the LDAP server. In LDAP Server Port, type the port number. The default port number is 389. In LDAP Administrator Bind DN, type the Administrator Bind DN for queries to your LDAP directory. The following are examples of syntax for Bind DN: domain/user name “ou=administrator,dc=ace,dc=com” “user@domain.name” (for Active Directory) “cn=Administrator,cn=Users,dc=ace,dc=com” Administration Guide 77 LDAP Authorization 5 6 7 8 9 For Active Directory, the group name specified as cn=groupname is required. The group name that is defined in the Firebox SSL VPN Gateway must be identical to the group name that is defined on the LDAP server. For other LDAP directories, the group name either is not required or, if required, is specified as ou=groupname. The Firebox SSL VPN Gateway binds to the LDAP server using the administrator credentials and then searches for the user. After locating the user, the Firebox SSL VPN Gateway unbinds the administrator credentials and rebinds with the user credentials. In LDAP Administrator Password, type the password. In LDAP Base DN (where users are located), type the Base DN under which users are located. Base DN is usually derived from the Bind DN by removing the user name and specifying the group where users are located. The following are examples of syntax for Base DN: “ou=Users,dc=ace,dc=com” “cn=Users,dc=ace,dc=com” In LDAP Server login name attribute, type the attribute under which the Firebox SSL VPN Gateway should look for user logon names for the LDAP server that you are configuring. The default is cn. If Active Directory is used, type the attribute sAMAccountName. In LDAP Group Attribute, type the name of the attribute. The default is “memberOf.” This attribute enables the Firebox SSL VPN Gateway to obtain the groups associated with a user during authorization. Click Submit. Using certificates for secure LDAP connections You can use a secure client certificate with LDAP authentication and authorization. To use a client certificate, you must have an enterprise Certificate Authority, such as Certificate Services in Windows Server 2003, running on the same computer that is running Active Directory. You can create a client certificate using the Certificate Authority. To use a client certificate with LDAP authentication and authorization, it must be a secure certificate using SSL. Secure client certificates for LDAP are uploaded to the Firebox SSL VPN Gateway. To upload a secure client certificate for LDAP 1 2 3 On the VPN Gateway Cluster tab, click the Administration tab. Next to Upload Private Key + Client Certificate for LDAP, click Browse. Navigate to the client certificate and click Open. Determining Attributes in your LDAP Directory If you need help determining your LDAP Directory attributes, you can easily look them up with the free LDAP Browser from Softerra. To install and set up the LDAP Browser 1 2 3 78 Download the free LDAP Browser application from the Softerra LDAP Administrator Web site http:// www.ldapbrowser.com. Install LDAP Browser and open it. From the LDAP Browser window, choose File > New Profile and specify the following settings: Firebox SSL VPN Gateway Using RSA SecurID for Authentication Host Host name or IP address of your LDAP server. Port Defaults to 389. Base DN You can leave this field blank. (The information provided by the LDAP Browser will help you determine the Base DN needed for the Authentication tab.) 4 Anonymous Bind Select the check box if the LDAP server does not require credentials to connect to it. If the LDAP server requires credentials, leave the check box cleared, click Next, and enter the credentials. Click Finish. The LDAP Browser displays the profile name that you just created in the left pane of the LDAP Browser window and connects to the LDAP server. To look up LDAP attributes 1 2 In the left pane of the LDAP Browser, select the profile name that you created. To look up the Base DN, in the right pane, locate the namingContexts attribute. The value of that attribute is the Base DN for your site. The Base DN is typically dc=myDomain,dc=com (if your directory tree is based on Internet domain names) or ou=domain,o=myOrg,c=country. 3 Navigate through the browser to locate other attributes. Using RSA SecurID for Authentication If your site uses an RSA ACE/Server and SecurID for authentication, you can configure the Firebox SSL VPN Gateway to authenticate user access with the RSA ACE/Server. The Firebox SSL VPN Gateway acts as an RSA Agent Host, authenticating on behalf of the users who use Secure Access to log on. The Firebox SSL VPN Gateway supports the use of one RSA ACE/Server. Administration Guide 79 Using RSA SecurID for Authentication The Firebox SSL VPN Gateway supports RSA ACE/Server Version 5.2 and higher. The Firebox SSL VPN Gateway also supports replication servers. Replication server configuration is completed on the RSA ACE/Server and is part of the sdconf.rec file that is uploaded to the Firebox SSL VPN Gateway. If this is configured on the RSA ACE/Server, the Firebox SSL VPN Gateway attempts to connect to the replication servers if there is a failure or network connection loss with the primary server. Note If you are running a RADIUS server on an RSA server, configure RADIUS authentication as described in “Using RADIUS Servers for Authentication and Authorization” on page 69. If a user is not located on the RSA ACE/Server or fails authentication on that server, the Firebox SSL VPN Gateway checks the user against the user information stored locally on the Firebox SSL VPN Gateway, if the check box Use the local user database on the Access Gateway is checked on the Settings tab. The Firebox SSL VPN Gateway supports Next Token Mode. If a user enters three incorrect passwords, the Secure Access Client prompts the user to wait until the next token is active before logging on. If a user logs on too many times with an incorrect password, the RSA server might disable the user’s account. To contact the RSA ACE/Server, the Firebox SSL VPN Gateway must include a copy of the ACE Agent Host sdconf.rec configuration file that is generated by the RSA ACE/Server. The following procedures describe how to generate and upload that file. Note The following steps describe the required settings for the Firebox SSL VPN Gateway. Your site might have additional requirements. Refer to the RSA ACE/ Server documentation for more information. If the Firebox SSL VPN Gateway needs to be imaged again, see “Resetting the node secret” on page 82. To generate a sdconf.rec file for the Firebox SSL VPN Gateway 1 2 3 4 5 6 7 80 On the computer where your RSA ACE/Server Administration interface is installed, go to Start > Programs > RSA ACE Server > Database Administration - Host Mode. In the RSA ACE/Server Administration interface, go to Agent Host > Add Agent Host (or, if you are changing an Agent Host, Edit Agent Host). In the Name field, enter a descriptive name for the Firebox SSL VPN Gateway (the Agent Host for which you are creating a configuration file). In the Network address field, enter the internal Firebox SSL VPN Gateway IP address. For Agent type, select UNIX Agent. Make sure that the Node Secret Created check box is clear and inactive when you are creating an Agent Host. The RSA ACE/Server sends the Node Secret to the Firebox SSL VPN Gateway the first time that it authenticates a request from the Firebox SSL VPN Gateway. After that, the Node Secret Created check box is selected. By clearing the check box and generating and uploading a new configuration file, you can force the RSA ACE/Server to send a new Node Secret to the Firebox SSL VPN Gateway. Indicate which users can be authenticated through the Firebox SSL VPN Gateway through one of the following methods: • To configure the Firebox SSL VPN Gateway as an open Agent Host, click Open to All Locally Known Users and then click OK. • To select the users to be authenticated, click OK, go to Agent Host > Edit Agent Host, select the Firebox SSL VPN Gateway host, and then click OK. In the dialog box, click the User Activations button and select the users. Firebox SSL VPN Gateway Using RSA SecurID for Authentication 8 To create the configuration file for the new or changed Agent Host, go to Agent Host > Generate Configuration Files. The file that you generate (sdconf.rec) is what you will upload to the Firebox SSL VPN Gateway, as described in the next procedure. Enable RSA SecurID authentication for the Firebox SSL VPN Gateway You can use the following authorization types with RSA SecureID authentication: • RSA authorization • Local authorization • LDAP authorization • No authorization To enable RSA SecurID authentication 1 2 3 Click the Authentication tab. In Realm Name, type a name to identify the RSA ACE/Server. Realm names are case-sensitive and can contain spaces. Select One Source and click Add. Note If you want the Default realm to use RSA authentication, remove the Default realm as described in “Changing the Authentication Type of the Default Realm” on page 65. 4 5 In the Select Authentication Type dialog box, in Authentication Type, select RSA SecurID Authentication. Click OK. A dialog box for the authentication realm opens. 6 To upload the sdconf.rec file that you generated in the previous procedure, on the Authentication tab, click Upload sdconf.rec file and use the dialog box to locate and upload the file. The sdconf.rec file is typically written to ace\data\config_files and to windows\system32. Note If an invalid sdconf.rec file is uploaded to the Firebox SSL VPN Gateway, it might cause the Firebox SSL VPN Gateway to send out messages to non-existent IP addresses. This might be flagged in a network monitor as network spamming. 7 • The file status message indicates whether or not an sdconf.rec file was uploaded. If one was uploaded and you need to replace it, click Upload sdconf.rec file and use the dialog box to locate and upload the file. • The first time that a client is successfully authenticated, the RSA ACE/Server writes some configuration files to the Firebox SSL VPN Gateway. If you subsequently change the IP address of the Firebox SSL VPN Gateway, click Remove ACE Configuration Files, restart when prompted, and then upload a new sdconf.rec file. To use LDAP for authorization, click the Authorization tab and complete the settings. For more information about LDAP settings, see “Using LDAP Servers for Authentication and Authorization” on page 73. For looking up LDAP server settings, see “Determining Attributes in your LDAP Directory” on page 78. 8 Click Submit. Administration Guide 81 Using RSA SecurID for Authentication Configuring RSA Settings for a Cluster If you have two or more appliances configured as a cluster, the sdconf.rec file needs to contain the FQDNs of all the appliances. The sdconf.rec file is installed on one Access Gateway and then published. This allows all of the appliances to connect to the RSA server. You can also limit connections to the RSA server from user connections. For example, you have three appliances in your cluster. If the FQDNs of the first and second appliances are included in the sdconf.rec file and the third appliance is not, users can connect only to the RSA server using the first two appliances. Resetting the node secret If you reimaged the Firebox SSL VPN Gateway, giving it the same IP address as before, and restored your configuration, you must also reset the node secret on the RSA ACE/Server. Because the Firebox SSL VPN Gateway was reimaged, the node secret no longer resides on it and an attempt to authenticate with the RSA ACE/Server fails. After you reset the server secret on the RSA ACE/Server, the next authentication attempt prompts the RSA ACE/Server to send a node secret to the Firebox SSL VPN Gateway. To reset the node secret on the RSA ACE/Server 1 2 3 4 5 On the computer where your RSA ACE/Server Administration interface is installed, go to Start > Programs > RSA ACE Server > Database Administration - Host Mode. In the RSA ACE/Server Administration interface, go to Agent Host > Edit Agent Host. Select the Firebox SSL VPN Gateway IP address from the list of agent hosts. Clear the Node Secret Created check box and save the change. The RSA server sends the node secret on the next authentication attempt from the Firebox SSL VPN Gateway. Configuring Gemalto Protiva Authentication Protiva is a strong authentication platform that was developed to use the strengths of Gemalto’s smart card authentication. With Protiva, users log on with a user name, password, and one-time password generated by the Protiva device. Similar to RSA SecurID, the authentication request is sent to the Protiva Authentication Server and the password is either validated or rejected. To configure Gemalto Protiva to work with the Access Gateway, use the following guidelines: • Install the Protiva server. • Install the Protiva Internet Authentication Server (IAS) agent plug-in on a Microsoft IAS RADIUS server. Make sure you note the IP address and port number of the IAS server • Configure a realm on the Access Gateway to use RADIUS authentication and enter the settings of the Protiva server. To configure a Gemalto Protiva realm 1 2 3 82 In the Administration Tool, click the Authentication tab. Under Add an Authentication Realm, in Realm name, type a name. Select One Source and then click Add. Firebox SSL VPN Gateway Using RSA SecurID for Authentication Note Note: If you are configuring double-source authentication, click Two Source and then click Add. For more information about configuring double-source authentication, see “Configuring Double-Source Authentication” on page 85. 4 5 6 7 In IP address type the IP address of the RADIUS IAS server. In Port, type the port number. In Server secret, type the node secret of the RADIUS IAS server. Select Use the password one time and click Submit Configuring NTLM Authentication and Authorization You can configure the Firebox SSL VPN Gateway to use Windows NT LAN Manager (NTLM) authentication to authenticate users against the user database on a Windows NT 4.0 domain controller. If a user is not located in the user database on the Windows NT 4.0 domain controllers, or fails authentication, the Firebox SSL VPN Gateway can check for the user name in the Local Users list on the Firebox SSL VPN Gateway and authenticate the user against the local list if Use the local user database on the Firebox SSL VPN Gateway check box is selected on the Settings tab. A Windows NT 4.0 domain controller maintains domain user accounts in a database on the Windows NT 4.0 server. A domain user account includes a user name and password and other information about the user. To configure NTLM authentication, you create an NTLM authentication realm that includes the address and port that the Firebox SSL VPN Gateway uses to connect to the Windows NT 4.0 domain controller. You also specify a time-out value in which an authentication attempt to the server must complete. When a user logs on to the Firebox SSL VPN Gateway, the user enters the user name and password maintained in the domain user account on the Windows NT 4.0 server. The Firebox SSL VPN Gateway connects to the Windows NT 4.0 server and passes these credentials to the server. The server authenticates the user. To configure NTLM authentication 1 2 Click the Authentication tab. Under Add an Authentication Realm, in Realm name, type a name for the authentication realm. If your site has multiple authentication realms, you might use a name that identifies the NTLM realm for which you specify settings. Realm names are case-sensitive and can contain spaces. Note Note: If you want the Default realm to use NTLM authentication, remove the Default realm as described in “To remove and create a Default realm” on page 70. 3 4 Select One Source and click Add. In Select Authentication Type, in Authentication type, choose NTLM authentication and click OK. The Realm dialog box opens. 5 6 7 Click the Authentication tab. In IP Address or FQDN, type the IP address of the Windows NT 4.0 domain controller. In Port, type the port number on which the Windows NT 4.0 domain controller listens for the NTLM authentication connection. The default port entry for NTLM authentication connections is 139. Administration Guide 83 Using RSA SecurID for Authentication Note Note: When 0 (zero) is entered as the port, the Access Gateway attempts to automatically detect a port number for this connection. 8 9 In Time-out (in seconds), enter the number of seconds within which the authentication attempt must complete. If the authentication does not complete within this time interval, it fails. Click Submit. Configuring NTLM Authorization A Windows NT 4.0 domain controller maintains group accounts. A group account is a collection of individual user domain accounts (and other accounts). To configure NTLM authorization, you click the Authorization tab in the authentication realm and enter the address and port that the Firebox SSL VPN Gateway uses to connect to the Windows NT 4.0 domain controller. You also specify a time-out value in which an authorization attempt to the Windows NT server must complete. After a user successfully authenticates, the domain controller returns to the Firebox SSL VPN Gateway a list of all global groups of which the authenticated user is a member. The Firebox SSL VPN Gateway then looks for a user group name on the Firebox SSL VPN Gateway that matches the name of a Windows NT 4.0 global group to which the user belongs. If the Firebox SSL VPN Gateway finds a match, the user is granted the authorization privileges to the internal networks that are associated with the user group on the Firebox SSL VPN Gateway. To configure NTLM authorization 1 Click the Authentication tab and open the authentication realm for which you want to enable NTLM authorization. 2 3 4 5 Click the Authorization tab. In Authorization type, select NTLM authorization. In Server IP Address or FQDN, type the FQDN or IP address of the Windows NT 4.0 domain controller that will perform the NTLM authorization. In Server Port, type the port number. The default port entry for NTLM authentication connections is 139. Note Note: When 0 (zero) is entered as the port, the Firebox SSL VPN Gateway attempts to automatically detect a port number for this connection. 6 In Timeout (in seconds), enter the number of seconds within which the authorization attempt must complete before the authentication attempt is abandoned. 7 Click Submit. Configuring Authentication to use One-Time Passwords If authentication on the Firebox SSL VPN Gateway is configured to use a one-time password with RADIUS, such as provided by an RSA SecurID token, the Firebox SSL VPN Gateway attempts to reauthenticate users using the cached password. This occurs when changes are made to the Firebox SSL VPN Gateway using the Administration Tool or if the connection between the Secure Access Client and the Firebox SSL VPN Gateway is interrupted and then restored. 84 Firebox SSL VPN Gateway Configuring Double-Source Authentication You can prevent the storage of one-time passwords in cache, which forces the user to enter their credentials again. To prevent caching of one-time passwords 1 2 3 In the Administration Tool, click the Authentication tab. Open the authentication realm that uses the one-time password. Select Use the password one time and click Submit. Configuring Double-Source Authentication The Firebox SSL VPN Gateway supports double-source authentication. On the Authentication tab, you can configure two types of authentication, such as LDAP and RSA SecurID for one realm. When users log on to the Firebox SSL VPN Gateway using a Web browser, and double-source authentication is configured, they are redirected automatically to a logon Web portal page. There, they type in their user name and passwords for each type of authentication. If they are using the Secure Access Client to log on, the Secure Access dialog box appears requesting the same information as the Web page. There can be a mix of double-source authentication realms. For example, you can have one or more realms for single authentication and then have one or more realms configured for double-source authentication. In a mixed authentication environment, when users log on using either the Web browser or Secure Access Client, they will see two password fields. If they are logging on using only one authentication method, the second password field is left blank. For more information about logging on using the Web-based portal page, see “Double-source Authentication Portal Page” on page 43. To create and configure a double-source authentication realm 1 2 3 4 5 6 7 8 On the Authentication tab, click Authentication. In Realm Name, type a name. Select Two Source and then click Add. In the Select Authentication Type dialog box, select the authentication types in Primary Authentication Type and Secondary Authentication Type. Click Add. On the Primary Authentication tab, configure the settings for the first authentication type and click Submit. On the Secondary Authentication tab, configure the settings for the second authentication type and click Submit. On the Authorization tab, in Authorization Type, select the authorization type you want to use, configure the settings, and click Submit. Double-source authentication works in reverse of how it is configured on the Firebox SSL VPN Gateway. For example, if you configured RSA SecurID on the Secondary Authentication tab and LDAP on the Primary Authentication tab, when users log on, they type their LDAP password in the first password field and the RSA SecurID personal identification number (PIN) and passcode in the second password field. When users click Connect, the Firebox SSL VPN Gateway authenticates using the RSA SecureID PIN Administration Guide 85 Configuring Double-Source Authentication and passcode first and then the LDAP password second. Whatever is typed in the first password field is done last and the second password field is done first. Changing Password Labels You can change the password labels to accurately reflect the authentication type with which the user is logging on and to provide the correct prompt for what the user needs to type. This is useful when the Firebox SSL VPN Gateway is configured to support third-party authentication types. For example, if users are required to authenticate using LDAP and Gemalto protiva strong authentication system (RADIUS), you can change the password labels to reflect what the user needs to type in the fields. Instead of the labels, Password and Secondary Password, the labels could be Windows domain password and Gemalto protiva passcode. The labels can be changed if you are using one-source or double-source authentication. To change the password labels 1 Click the Authentication tab, and under Add an Authentication Realm, click Advanced. 2 In Password label and Secondary password label, type the values for the labels. 3 Click OK When users log on, they see the new password labels. 86 Firebox SSL VPN Gateway CHAPTER 6 Adding and Configuring Local Users and User Groups User groups define the resources the user has access to when connecting to the corporate network through the Firebox SSL VPN Gateway. Groups are associated with the local users list. After adding local users, you can then define the resources they have access to on the Access Policy Manager tab. This chapter discusses the following group settings: • Adding Local Users • User Group Overview • Creating User Groups • Configuring Properties for a User Group • Configuring Resources for a User Group • Setting the Priority of Groups Adding Local Users You can create user accounts locally on the Firebox SSL VPN Gateway to supplement the users on authentication servers. For example, you might want to create local user accounts for temporary users, such as consultants or visitors, without creating an entry for those users on the authentication server. In that case, you add the user to the Firebox SSL VPN Gateway local user list as described in this section. If you associate more than one group with a user account, the properties of the first group that you select for the user is used. To create a user on the Firebox SSL VPN Gateway 1 2 3 Click the Access Policy Manager tab. 4 In Password and Verify Password, type a password for the user in the two fields. In the left-pane, right-click Local Users and then click New User. In User name, type a user name. This is the logon name the user needs when logging onto Secure Access. User names can contain spaces. A user enters this password when logging onto Secure Access. A password must be six or more characters up to a maximum of 128 characters. Do not use a forward slash (/) in the user name or password. Administration Guide 87 User Group Overview 5 All users are members of the Default resource group. To add a user to another group, under Local Users, click and drag the user to the user group to which you want the user to belong. To delete a user from the Firebox SSL VPN Gateway Right-click the user in the Local Users list and click Remove. User Group Overview When you enable authorization on the Firebox SSL VPN Gateway, user group information is obtained from the authentication server after a user is authenticated. If the group name that is obtained from the authentication server matches a group name created locally on the Firebox SSL VPN Gateway, the properties of the local group are used for the matching group obtained from the authentication servers. Note Group names on authentication servers and on the Firebox SSL VPN Gateway must be identical and they are case sensitive. Each user should belong to at least one group that is defined locally on the Firebox SSL VPN Gateway. If a user does not belong to a group, the overall access of the user is determined by the Deny Access without ACL setting on the Global Cluster Policies tab, as follows: • If the Deny Access option is enabled, the user cannot establish a connection • If the Deny Access option is disabled, the user has full network access • In either case, the user can use kiosk mode, but network access within that session is determined by the Deny Access without ACL setting You can also add local groups that are not related to groups on authentication servers. For example, you might create a local group to set up a contractor or visitor to whom you want to provide temporary access without having to create an entry on the authentication server. For information about creating a local user, see “Adding Local Users” on page 87. Several aspects of Firebox SSL VPN Gateway operation are configured at the group level. These are separated between group properties and group resources. Group properties include: • Groups that inherit properties from the default group. • Requiring users to log on again if there is a network interruption or if the computer is coming out of standby or hibernate. • Enabling single sign-on. • Running logon scrips when a user logs on using domain credentials. • Denying access to applications to the network that do not have a defined application policy. • Specify the length of time a session is active. If the user has a 60 minute session time-out, the session ends at 60 minutes. Users are given a one minute warning that their session is about to end. • Enabling Split DNS allows local DNS servers to be contacted if the DNS servers for the remote client are non-responsive. • IP pooling where a unique IP address is assigned to each client’s session. • Portal page usage that defines the portal page the user sees when logging on. The portal page can be one of the provided templates, modified for individual companies. • Requiring client certificates. 88 Firebox SSL VPN Gateway Creating User Groups Group resources include: • Network resources that define the networks to which clients can connect. • Application policies that define the applications users can use when connected. In addition to selecting the application, you can further define which networks the application has access to and if any end point policies need to be met when connecting. • File share resources that define which file shares the user can connect to when logged on in kiosk mode. • Kiosk resources that defines how the user can log on, the Web address the user needs, and which file shares and applications the user can use when logged on. • End point resources and policies that define the required and option parameters that must be on the user’s computer when logging on. If a user belongs to more than one group, group policies are applied to the user based on the group priorities set on the Group Priority tab, as described in “Setting the Priority of Groups” on page 106. Creating User Groups User groups are created on the Access Policy Manager tab. Multiple user groups can be created and configured. When a new group is created, the properties page appears that allows you to configure the settings for the group. You can also add local groups that are not related to groups on authentication servers. After the settings are complete, resources can be added to the group. Note If you create a user group that has more than 127 characters and then delete that user group, it still appears on the Group Priority tab after deletion. To resolve this problem, user group names should have fewer than 127 characters. Any characters over this limit are truncated. To create a local user group 1 2 3 Click the Access Policy Manager tab. In the left pane, right-click User Groups and then click New Group. In Group Name, type a descriptive name for the group, such as “Temp Employees” or “accounting” and then click OK. A dialog box for the added group appears. Note If you want the group’s properties to be used for authentication obtained from authentication servers, the group name must match the authentication server group name, including case and use of spaces. 4 To configure the group, see “Configuring Properties for a User Group” on page 90. To remove a user group On the Access Policy Manager tab, in the left-pane, right-click a group and then click Delete. Administration Guide 89 Configuring Properties for a User Group Configuring Properties for a User Group Group properties include configuring access, networking, portal pages, and client certificates. Properties are configured by right-clicking a group and then clicking Properties. Settings for the group are configured on the General, Networking, Gateway Portal, Members, and Client Certificates tabs. Default group properties If the only group that is configured on the Firebox SSL VPN Gateway is the Default user group, all local users receive the settings configured for this group. You can control access to the Default user group settings by configuring additional groups on the Firebox SSL VPN Gateway and then restricting access to the Default user group. For example, two users are part of a group for contractors. They are allowed to connect to specific corporate resources, such as an Exchange server and a file server. If they inherit the settings from the Default group, you might have unintentionally configured these users to have access to resources that are only for permanent employees. You can allow or deny users to inherit the Default group settings in the user group properties. This check box is not available for the Default group. To enable or disable Default group properties 1 2 3 4 Click the Access Policy Manager tab. In the left pane, right-click the user group and then click Properties. On the General tab, do one of the following: • To prevent users from inheriting the Default group settings, clear Inherit properties from the Default Group • To allow users to inherit the Default group settings, select Inherit properties from the Default Group Click OK. Forcing Users to Log on Again By default, if a user’s network connection is briefly interrupted, the user does not have to log on again when the connection is restored. You can require that users log on after interruptions such as when a computer comes out of hibernate or standby, when the user switches to a different wireless network, or when a connection is forcefully closed. To force users to log on after a network interruption or on system resume 1 2 3 4 90 Click the Access Policy Manager tab. In the left pane, right-click a group and click Properties. On the General tab, under Session Options, select one or both of the following: • Authenticate after network interruption. This option forces a user to log on again if the network connection is briefly interrupted. • Authenticate upon system resume. This option forces a user to log on again if the user’s computer awakens from stand by or hibernate. This option provides additional security for unattended computers. Click OK. Firebox SSL VPN Gateway Configuring Properties for a User Group Note If you want to close a connection and prevent a user or group from reconnecting automatically, you must select the Authenticate after network interruption setting. Otherwise, users immediately reconnect without being prompted for their credentials. For more information, see “Managing Client Connections” on page 133. Configuring Secure Access Client for single sign-on By default, Windows users open a connection by launching the Secure Access Client from the desktop. You can specify that the Secure Access Client start automatically after the user logs onto Windows by enabling single sign-on. Users’ Windows logon credentials are passed to the Firebox SSL VPN Gateway for authentication. Enable single sign-on only if users’ computers are logging on to your organization’s domain. If single sign-on is enabled and a user connects from a computer that is not on your domain, the user is prompted to log on. Note Users must be logged on as a Power User or be a member of the Power Users group to use single signon to Windows. If the Secure Access Client is configured for single sign-on with Windows, it automatically starts after the user logs on to Windows. The user’s Windows logon credentials are passed to the Firebox SSL VPN Gateway for authentication. Enabling single sign-on for the Secure Access Client facilitates operations on the remote computer such as installation scripts and automatic drive mapping To configure Secure Access Client for single sign-on 1 2 3 4 Click the Access Policy Manager tab. In the left pane, right-click a group and then click Properties. On the General tab, under Session Options, click Enable single sign-on. Click OK. Note If you configured double-source authentication, you cannot use single sign-on. Enabling domain logon scripts In your network, you may have logon scripts that run on the client computer after a successful log on. If logon scripts are enabled on the Firebox SSL VPN Gateway, after authentication, the Firebox SSL VPN Gateway establishes the connection, obtains Windows logon scripts from the domain controller, and then runs the logon scripts to perform operations such as automatic drive mapping. If the domain controller cannot be contacted, the Firebox SSL VPN Gateway connection is completed but the logon scripts are not run. Note Clients that want to use single sign-on to Windows and logon scripts must be logged on as a Power User or be a member of the Power Users group. The Firebox SSL VPN Gateway can run logon scripts that are defined in the user’s Windows profile. Logon scripts that are defined in Active Directory are not Administration Guide 91 Configuring Properties for a User Group supported and do not run. If the domain controller cannot be contacted, the Firebox SSL VPN Gateway connection is completed but the logon scripts are not run. Note Important: The client computer must be a domain member in order to run domain logon scripts. To enable logon scripts 1 2 3 4 Click the Access Policy Manager tab. In the left pane, right-click a group and click Properties. On the General tab, under Session Options, select Run logon scripts. Click OK. Note Logon script support is restricted to scripts that are executed by the command processor, such as executables and batch files. Visual Basic and JavaScript logon scripts are not supported. Enabling session time-out You can configure the Secure Access Client to force a disconnection with the Firebox SSL VPN Gateway if there is no activity on the connection for a specified number of minutes. One minute before a session times out (disconnects), the user receives an alert indicating the session will close. If the session closes, the user must log on again. There are three different options when configuring a session time-out value: • User session timeout. If you enable this setting, the Secure Access Client disconnects after the time-out interval elapses regardless of what the user is doing. There is no action the user can take to prevent the disconnection from occurring when the time-out interval elapses. • Network inactivity timeout. If you enable this setting, the Secure Access Client disconnects if no network packets are sent from the client to the Firebox SSL VPN Gateway for the specified interval. • Idle session timeout. If you enable this setting, the user session times out if there is no mouse or keyboard activity on the client for the specified interval. You can enable any of these settings by entering a value between 1 and 65536 to specify a number of minutes for the time-out interval. You can disable any of these settings by entering a 0 (zero). If you enter a 0, the time-out session is not activated and the setting has no effect on client connections. If you enable more than one of these settings, the first time-out interval to elapse closes the client connection. To enable session time-out 1 2 3 4 92 Click the Access Policy Manager tab. In the left pane, right-click a group and then click Properties. On the General tab, under Session options, type the number of minutes in any of these settings: • User session timeout • Network inactivity timeout • Idle session timeout Click OK. Firebox SSL VPN Gateway Configuring Properties for a User Group Configuring Web Session Time-Outs When a user is logged on to the Firebox SSL VPN Gateway and using a Web browser to connect to Web sites in the secure network, cookies are set to determine if a user’s Web session is still active on the Firebox SSL VPN Gateway. If the Firebox SSL VPN Gateway cookie expires and logon page authentication is enabled, the end user is prompted to enter authentication credentials to resume the Web session. This provides a measure of security for limiting the amount of time network attacks could occur during an unattended Web session. To enable Web session time-outs 1 2 Click the Global Cluster Policies tab. Under Access options, type the number of minutes in Web session time-out. To disable Web session time-outs, type 0 in the text box. Disabling Desktop Sharing The Secure Access Client includes a desktop sharing feature. A user can right-click the Secure Access Client icon in the Windows notification area and select Share Desktop. Selecting this option displays a list of all other users who are logged on to the Firebox SSL VPN Gateway from a Secure Access Client. In some organizations, this feature may cause privacy concerns because it allows any user who logged on through the Secure Access Client to view a list of all other users who are currently logged on. If you want to prevent a specific group of users from viewing the list of online users, you can disable the desktop sharing feature for an Firebox SSL VPN Gateway user group. Disabling desktop sharing for a user group causes the following to occur: • When a member of the user group right-clicks the Secure Access Client icon in the Windows notification area, the Share Desktop option is not on the menu. Users in this group cannot display a list of the other online users from the Secure Access Client icon (or use the desktop sharing feature). • Members of the user group do not appear in the online lists of other users for whom desktop sharing is enabled. To disable desktop sharing 1 2 3 4 Click the Access Policy Manager tab. In the left pane, right-click a group and click Properties. On the General tab, under Application options, select Disable desktop sharing. Click OK. Setting Application Options Application policies limit the network access further by assigning individual network resources to specific applications. Application policies define the network path and endpoint policies for a specific application. When an application policy is created and then added to a user group, the application can use only the specified network path and endpoint policy. This does not prevent other applications from using these resources. To prevent applications from using these network resources, you can deny access to the network. To deny applications without policies 1 On the Access Policy Manager tab, right-click a user group and click Properties. Administration Guide 93 Configuring Properties for a User Group 2 On the General tab, under Application Options, select Deny applications without policies. For more information about application policies, see “Application policies” on page 101. For more information about endpoint policies, see “End point resources and policies” on page 104. Enabling Split DNS By default, the Firebox SSL VPN Gateway checks a user’s remote DNS only. You can allow failover to a user’s local DNS by enabling split DNS. A user can override this setting using the Connection Properties dialog box from the Secure Access logon screen. To allow failover to a user’s local DNS 1 2 3 Click the Access Policy Manager tab. In the left pane, right-click a group and click Properties. On the Networking tab, click Enable split-DNS. The Firebox SSL VPN Gateway fails over to the local DNS only if the specified DNS servers cannot be contacted but not if there is a negative response. 4 Click OK. Enabling IP Pooling In some situations, users connecting using Secure Access Client need a unique IP address for the Firebox SSL VPN Gateway. For example, in a Samba environment, each user connecting to a mapped network drive needs to appear to originate from a different IP address. When you enable IP pooling for a group, the Firebox SSL VPN Gateway can assign a unique IP address alias to each client’s session. You can specify the gateway device to be used for IP pooling. The gateway device can be the Firebox SSL VPN Gateway itself or some other device. If you do not specify a gateway, an Firebox SSL VPN Gateway interface is used, based on the General Networking settings, as follows: • If you configured only Interface 0 (the Firebox SSL VPN Gateway is inside your firewall), the Interface 0 IP address is used as the gateway. • If you configured Interfaces 0 and 1 (the Firebox SSL VPN Gateway is in the DMZ), the Interface 1 IP address is used as the gateway. (Interface 1 is considered the internal interface in this scenario.) To configure IP pooling for a group 1 2 3 4 5 6 Click the Access Policy Manager tab. 7 In Default Gateway, type the gateway IP address. In the left pane, right-click a user group and click Properties On the Networking tab, click Enable IP pools. Under IP Pool Configuration, right-click a gateway and then click Modify Gateway Pool. In Starting IP Address, type the starting IP address for the pool. In Number of IP Addresses, type the number of IP address aliases. You can have as many as 2000 IP addresses total in all IP pools. If you leave this field blank, an Firebox SSL VPN Gateway network adapter is used, as described earlier in this section. If you specify some other device as the gateway, the Firebox SSL VPN Gateway adds an entry for that route in the Firebox SSL VPN Gateway routing table. 8 94 Click OK. Firebox SSL VPN Gateway Configuring Properties for a User Group Choosing a portal page for a group By default, all users log on to the Firebox SSL VPN Gateway using the Secure Access Client from the default portal page or by downloading and installing the Secure Access Client on their computer. You can load custom portal pages on the Firebox SSL VPN Gateway, as described in “Using Portal Pages” on page 38, and then select a portal page for each group. This enables you to control which of the Firebox SSL VPN Gateway clients are available by group. Note Disabling portal page authentication on the Global Policies page overrides the Portal Page setting for all groups. For more information, see “Enabling Portal Page Authentication” on page 41. To specify a portal page for a group 1 2 3 4 On the Access Policy Manager tab, under User Groups, right-click a group and click Properties. On the Gateway Portal tab, under Portal Configuration, click Use Custom Portal Page. In Use this custom portal page, select the page. Click OK. Client certificate criteria configuration To specify criteria that client certificates must meet, use a Boolean expression. To belong to a group, the user must meet the certificate criteria in addition to passing all other authentication rules that are configured for that group. For example, the following criteria requires that the subject field of the client certificate provided by a user has the Organization Unit (OU) set to Accounting and the Common Name (CN) attribute set to a value matching the user’s local user name on the Firebox SSL VPN Gateway. client_cert_end_user_subject_organizational_unit=“Accouting” and username=client_cert_end_user_subject_common_name. Valid operators for the client certificate are as follows: and logical AND = equality test Valid constants for the criteria are: true logical TRUE Valid variables for the criteria are: username local user name on the Firebox SSL VPN Gateway client_cert_end_user_subject_common_name CN attribute of the Subject of the client certificate client_cert_end_user_subject_organizational_unit OU attribute of the Subject of the client certificate client_cert_end_user_subject_organization O attribute of the Subject of the client certificate Values for the client certificate criteria on the User Groups tab require quotation marks around them to work. Correct and incorrect examples are: The Boolean expression client_cert_end_user_subject_common_name=“clients.gateways.watchguard.com” is valid and it works. The Boolean expression client_cert_end_user_subject_common_name=clients.gateways.watchguard.com is not valid and does not work Administration Guide 95 Configuring Resources for a User Group Note Client certificate configuration is not available for the default user group. To specify client certificate configuration 1 2 On the Access Policy Manager tab, right-click a group that is not the default group. 3 Click OK. On the Client Certificates tab, under Client Certificate Criteria Expression, type the certificate information. Global policies Users can be restricted from logging on to the Firebox SSL VPN Gateway using Global Policies. When users utilize a Web browser to connect to the Firebox SSL VPN Gateway, before they receive the logon dialog box, the end point policy scans the client computer. If the scan fails, users are prevented from logging on. To log on to the Web portal, the client needs to install the correct applications. To create pre-authentication policies 1 2 Click the Access Policy Manager tab. If an end point policy was created and configured, under End Point Policies, click the configured policy and drag it to Pre-Authentication Policies in the left pane. Note To create and configure end point resources and policies, see “End point resources and policies” on page 104. Configuring Resources for a User Group Note For background information about network access, see “Controlling Network Access” on page 56. Inform users about which resources they can access. A sample email with instructions that you can customize is available from the Administration Portal Downloads page. After making the appropriate changes, send the email to your users. Resources for user groups are configured on the Access Policy Manager tab. The resources include: • Network Resources • Application Policies • File Share Resources • Kiosk Resources • End Point Resources • End Point Policies • Pre-Authentication Policies Resources are configured in the right pane of the Access Policy Manager tab. When the settings are complete, the resource is dragged to the group in the left pane. For example, you configured and saved 96 Firebox SSL VPN Gateway Configuring Resources for a User Group a network resource specifying the networks to which users can connect. If you have a restricted group for contractors, drag the resource to this group and then deny the default setting. For each user group, you can create an access control list (ACL) by specifying the resources that are to be allowed or denied for the group. Resource groups are defined as described in “Defining network resources” on page 99. ACLs for all groups that users are a part of are combined and applied to the user. Unless you want to provide all users with full access to all accessible networks, you must associate user groups with resource groups. Several aspects of Firebox SSL VPN Gateway operation are configured at the group level. These are separated between group properties and group resources. Group properties include: • Groups that inherit properties from the Default group. • Requiring users to log on again if there is a network interruption or if the computer is coming out of standby or hibernate. • Enabling single sign-on to Windows. • Enabling single sign-on to the Web Interface. • Running logon scripts when a user logs on using domain credentials. • Denying application access to the network that does not have a defined application policy. • Disable the desktop sharing feature of the Secure Access Client. • Access configuration to specify the length of time a session is active. There are three types of session time-outs: - User session time-out, which specifies the length of time a user can stay logged on, whether there is activity or not. The specified time is absolute. If the user has a 60 minute session time-out, the session ends at 60 minutes. Users are given a one minute warning that their session is about to end. - Network activity time-out where the user is logged off after a specified amount of time, during which network activity from the client device over the VPN tunnel is not detected. Network activity from the local area network is not considered. - Idle session time-out where network activity is detected, but user activity is not detected. User activities are keyboard strokes or mouse movement. • Enabling split DNS where the client sends only the traffic destined for the secured network through the VPN tunnel. • IP pooling where a unique IP address is assigned to each client. • Logon and portal page usage that defines the page the user sees when logging on. The logon page can be a page provided by WatchGuard and can be modified for individual companies. If your company is using WatchGuard Presentation Server, the logon page can be the Web Interface. If you want to give the user options of how to log on, use the multiple logon option page. For more information, see “Configuring a Portal Page with Multiple Logon Options” Group resources include: • Network resources that define the networks to which clients can connect. • Application policies that define the applications users can use when connected. In addition to selecting the application, you can further define which networks the application has access to and if any end point policies need to be met when connecting. • File share resources that define which file shares the user can connect to when logged on in kiosk mode. Administration Guide 97 Configuring Resources for a User Group • Kiosk resources that define how the user can log on and which file shares and applications are accessible to the user when logged on. If the user is allowed to use the Firefox Web browser in kiosk mode, the Web address the user is allowed to use is also defined. • End point resources and policies that define the required and optional parameters that must be on the user’s computer when logging on. If a user belongs to more than one group, group policies are applied to the user based on the group priorities set on the Group Priority tab, as described in “Setting the Priority of Groups”. Adding Users to Multiple Groups When a user is a member of multiple groups, some group settings are unioned together. These settings are: • Network Resources • Application Policies • Kiosk Resources • End Point Policies Settings that are not unioned are based on group priority. These include: • Authenticating after network interruption or on system resume • Enabling single sign-on • Running logon scripts • Session time-out • Split DNS • Portal page authentication Exceptions to the unionized settings are: • Deny applications without policies. If any of the groups that a user is a member of has the Deny applications without policies check box selected, the user inherits that setting. • IP pooling. Users assume the IP address from the highest priority group that has IP pools enabled. • Inherit Default group settings. If any of the groups that a user is a part of has the Inherit properties from the Default Group check box selected, the user inherits that setting. Allowing and denying network resources and application policies By default, all network resources and application policies are allowed. When you deny one resource group, all other resource groups are denied automatically and the network access for the user group is controlled only through its ACL. The Firebox SSL VPN Gateway interprets allow or deny as follows: • The Firebox SSL VPN Gateway denies access to any network resource or application policy that is not explicitly allowed. Thus, if you want to provide a particular user group with access to only one resource group, you allow access only to that resource group. • Deny rules take precedence over allow rules. This enables you to allow access to a range of resources and to also deny access to selected resources within that range. For example, you might want to allow a group access to a resource group that includes 10.20.10.0/24, but need to deny that user group access to 10.20.10.30. To handle this, you create a resource group that includes 10.20.10.30. Access to that resource is denied unless you specifically allow it. 98 Firebox SSL VPN Gateway Configuring Resources for a User Group To configure resource access control for a group 1 2 3 4 Click the Access Policy Manager tab. In the right pane, configure the group resources. When the resource is configured, click the resource and drag it to the group in the left pane. To allow or deny a resource, in the left pane, right-click the network resource or application policy and then click Allow or Deny. To remove a resource from a user group 1 2 Click the Access Policy Manager tab. In the left pane, right-click the resource you want to remove and then click Remove. Defining network resources Network resources define the locations that authorized users can access. Resource groups are associated with user groups to form resource access control policies. Network topology for resource groups and authentication . Suppose that you want to provide a user group with secure access to the following: • The 10.10.x.x subnet • The 10.20.10.x subnet • The IP addresses of 10.50.0.60 and 10.60.0.10 To provide that access, create a network resource group by specifying the following IP address/subnet pairs: 10.10.0.0/255.255.0.0 10.20.10.0/255.255.255.0 10.50.0.60/255.255.255.255 10.60.0.10/255.255.255.255 You can specify the mask in Classless Inter Domain Routing (CIDR) notation. For example, in the above example, you could specify 10.60.0.10/32 for the last entry. Additional tips for working with resource groups follow. Administration Guide 99 Configuring Resources for a User Group • You can further restrict access by specifying a port and protocol for an IP address/subnet pair. For example, you might specify that a resource can use only port 80 and the TCP protocol. • When you configure resource group access for a user group, you can allow or deny access to any resource group. This enables you to exclude a portion of an otherwise allowed resource. For example, you might want to allow a user group access to 10.20.10.0/24 but deny that user group access to 10.20.10.30. Deny rules take precedence over allow rules. • The easiest method to provide all user groups with access to all network resources is to not create any resource groups and to disable the Deny Access without ACL option on the Global Cluster Policies tab. All user groups then have access to the accessible networks listed on the Global Cluster Policies tab. • If you have one or more user groups that should have access to all network resources, a shortcut to adding each resource group to those user groups is to create a resource group for 0.0.0.0/ 0.0.0.0 and allow that one resource group for those user groups. For all other user groups, you will need to allow or deny individual resource groups as needed. To create and configure a network resource 1 2 3 4 5 Click the Access Policy Manager tab. In the right pane, right-click Network Resources and then click New Network Resource. Type a name for the group and click OK. In Network/Subnet, type the IP address/subnet pair for the resource in the Subnets field. You can use CIDR notation for the mask. Use a space to separate entries. In Port or port range, enter the port or ports that the Firebox SSL VPN Gateway can use to establish connections with the network resource(s). You have these options when entering ports: • Enter a 0 (zero) to use all ports. • Enter a single port or multiple ports that are not in a range. If you enter multiple ports, separate each port with a comma. For example, to allow connections on ports 22, 80, and 8088, enter: 22, 80, 8080 • Enter a range of ports. Separate the starting and ending ports in the range with a hyphen (-). For example, to allow connections on any port from 110 through 120, enter: 110-120 • You can also enter a combination of single ports and a port range. For example, to allow connections on ports 22, 80, 8088 and 110 through 120, enter: 22, 80, 8080, 110-120 6 7 In Protocol, select the protocols that can be used to establish connections on the specified ports. Click OK. Allowing and Denying Network Resources and Application Policies By default, all network resources and application policies are allowed. When you deny one resource group, all other resource groups are denied automatically and the network access for the user group is controlled only through its ACL. The Firebox SSL VPN Gateway interprets allow or deny as follows: • The Firebox SSL VPN Gateway denies access to any network resource or application policy that is not explicitly allowed. Thus, if you want to provide a particular user group with access to only one resource group, you allow access only to that resource group. 100 Firebox SSL VPN Gateway Configuring Resources for a User Group • Deny rules take precedence over allow rules. This enables you to allow access to a range of resources and to also deny access to selected resources within that range. For example, you might want to allow a group access to a resource group that includes 10.20.10.0/24, but need to deny that user group access to 10.20.10.30. To handle this, you create two network resources; one that includes the 10.20.10.0/24 subnet and a group that includes 10.20.10.30. Access to that resource is denied unless you specifically allow it. To add a network resource to a group 1 On the Access Policy Manager tab, in the right-pane, under Network Resources, click the resource you want to add and then drag it to the user group in the left pane. 2 To allow or deny access, right-click the network resource and then click Allow or Deny. To remove a network resource 1 2 3 Click the Access Policy Manager tab. In the right pane, under Network Resources, right-click the resource group you want to remove. Click Remove. Application policies Application policies put constraints on the network path applications can access. For example, a user is using Microsoft Outlook 2003 for corporate email. You can configure the application to use a specific network resource to the Microsoft Exchange Server. When the network resource is defined, when Outlook tries to start, it checks for the network resource and end point policy (if defined). If it passes, the user can log on and check email. If it fails, Outlook does not start. If the application is open before connecting to the Firebox SSL VPN Gateway, the application remains open; however, the policies take effect and the user cannot use the application. If an application policy does not have a network resource or end point policy configured, and if the checkbox Deny applications without policies is selected on the General tab of the group properties, the application is denied access to the network. To configure an application policy 1 2 3 Click the Access Policy Manager tab. In the right pane, right-click Application Policies and then click New Application Policy. In Application, type the name of the application or click Browse to navigate to the application. The MD5 field is populated automatically with the binary sum of the application. 4 To restrict the application to specific networks or require an end point policy, under Application Constraints do one or both of the following: • To add a network resource to the application policy, under Network Resources, click the resource and drag it to Application Network Policies. • To add an end point policy to the application policy, under End Point Policies, click the policy and drag it to Application End Point Policies. 5 Click OK. When a user disconnects from the Firebox SSL VPN Gateway, any applications that are open can be closed automatically. Administration Guide 101 Configuring Resources for a User Group To add an application policy to a group 1 On the Access Policy Manager tab, in the right-pane, under Application Policies, click the resource you want to add and then drag it to the user group in the left pane. 2 To allow or deny access, right-click the network resource and then click Allow or Deny. When an application policy is created and then added to a user group, the application can use only the specified network path and end point policy. This does not prevent other applications from using these resources. To prevent applications from using these network resources, you can deny access to the network. To deny applications without policies 1 On the Access Policy Manager tab, right-click a user group and click Properties. 2 On the General tab, under Application options, select Deny applications without policies. You can deny one application access to the network, while allowing access to all other applications. A user can get access with this application to all internal networks that were assigned to that user, but the application is denied access to the denied network. You can also deny all applications access to the network, but allow one to have restricted access to a specific network path. The procedure is the same as “To deny one application network access”. The difference is instead of clearing the check box Deny applications without policies, it is selected. This check box denies all applications access to the corporate network. To allow one application network access, configure the application policy to accept the application, following the steps in the previous procedure. Users obtain access to the application only to the internal site that is specifically allowed. No other applications from the client computers are allowed access to the internal network. To deny one application network access 1 2 3 4 5 6 On the Access Policy Manager tab, right-click a user group and click Properties. On the General tab, under Application Options, select Deny applications without policies. Click OK and close the Properties dialog box. In the right pane, right-click Application Policies and then click New Application Policy. Type a name for the policy and click OK. Under Application Resource, in Application, type the application name. When this field is complete, the MD5 field is populated automatically. To restrict the application to a specific network path, under Network Resources, click a network resource and drag and drop it on Application Network Policies. Other configured network resources must already be added to a user group and set to deny. To do so, in the left pane, under Network Policies in the group, right-click a network resource and click Deny. Click OK. 7 8 Click OK. Click the application policy and drag it to the user group to which it applies. Configuring file share resources When a user connects from a public computer, the Firebox SSL VPN Gateway opens a kiosk mode connection. The network shares available to the user are configured on the Access Policy Manager tab. 102 Firebox SSL VPN Gateway Configuring Resources for a User Group To create a file share resource 1 2 Click the Access Policy Manager tab. 3 In Share Source, type the path to the share source using the form: //server/share. 4 In Mount Type, select the file sharing network protocol, either CIFS/SMB or NFS. In the right pane, right-click File Share Resources, click New File Share Resource, type a name, and click OK. Note CIFS/SMB is the Common Internet File System/Server Message Block network protocol used for file sharing in Microsoft Windows. NFS is the Network File System that allows you to mount a disk partition on a remote computer as if it was on the hard drive on the local computer. NFS is typically used with Linux computers. 5 If administrative user credentials are required to mount a CIFS/SMB drive, in User Name, specify the user name and in Password, type a password. These fields are not enabled for NFS. All users who access the share have the rights of this user. You might want to create a dummy domain user, like “sslvpn_share” to use for ssl vpn share access. 6 7 In Domain, type the Active Directory domain of the share. This field is not enabled for NFS. In Permissions, specify whether you want remote users to have read/write or read-only permissions for the share. Note Users can use the FTP protocol to send and receive files to the remote computer. 8 Click OK. To add a share to a group, the share must be added to the kiosk resource first. Then the kiosk resource is dragged and dropped to the group in the left pane. To remove a share On the Access Policy Manager tab, in the right-pane, right-click the file share and click Remove. Configuring kiosk mode Kiosk mode is configured using kiosk resources that define the network shares and applications users have access to when they log on in kiosk mode. By default, kiosk mode is disabled. To enable it, the resources are configured and then added to user groups. For more information about client connections, see “Working with Client Connections” on page 117. Kiosk mode is configured on the Access Policy Manager tab and then added to the groups in the left pane. Note If the user has general Internet access before making a connection, the user can browse the Internet from the Firefox browser in the Web browser window, unless a network resource is defined that denies access to the Internet. To create and configure a kiosk resource 1 2 Click the Access Policy Manager tab. In the right pane, right-click Kiosk Resources and then click New Kiosk Resource. Administration Guide 103 Configuring Resources for a User Group 3 4 5 To add a file share, under File Share Resources, drag the resource to Shares under File Shares. 6 7 Click OK. Select the applications users are allowed to use in kiosk mode. Click Kiosk Persistence (Save Application Settings) to retain Firefox preferences between sessions. The preferences are saved on the remote server (hosting the session). To add a kiosk resource to a group, click the resource and drag it to the group or groups to which the policy applies. End point resources and policies This section describes how to configure end point resources and then create an end point policy. Configuring end point resources End point resources provide another layer of security, helping to ensure that users are connecting to the Firebox SSL VPN Gateway on a computer that meets certain criteria. For example, you can require that a computer has particular registry entries, files, and/or active processes. and, optionally, is running one of several specified firewalls. Each end point rule specifies that a computer must have one, some, or all of the following: • A registry entry that matches the path, entry type, and value that you specify. • A file that matches the path, filename, and date that you specify. You can also specify a checksum for the file. • A running process that you specify. You can also specify a checksum for the file. End point policies are applied to each group by specifying a Boolean expression that uses end point resource names. For more information, see “Configuring an end point policy for a group” on page 105. To create an end point resource 104 1 2 3 4 5 6 Click the Access Policy Manager tab. 7 To create a File Rule, do the following: - Click File Rule. - In File Name, type the path and file name or click Browse to navigate to the file. The MD5 field is completed automatically when a file name is entered. - In Date, type the date in mm/dd/yyyy format. - Click OK. In the right pane, right-click End Point Resources and then click New End Point Resource. Type a name and then click OK. In End point scan type, select the rule type. Click Add. To create a registry rule, do the following: - Click Registry Rule. - In Registry Path, type the path and select a key type. - In Registry Entry, type the key name. - In Registry Value, type the value to which that key must be set. - Click OK. Firebox SSL VPN Gateway Configuring Resources for a User Group 8 If you selected Process Rule, do the following: - Click Process Rule. - In Process Name, type the name of the process or click Browse to navigate to the file. The MD5 field is automatically completed when a process name is entered. 9 Click OK. Note For information about adding an end point policy to a user group, see “Configuring an end point policy for a group” on page 105. To delete an end point resource 1 2 Click the Access Policy Manager tab. In the right-pane, right-click the end point resource you want to remove and then click Remove. Configuring an end point policy for a group The Firebox SSL VPN Gateway Administration Tool allows you to construct an expression by dragging and dropping the end point resource into the End Point Policy Expression Generator. When you drag and drop resources into the generator, the Boolean expression is created automatically for you. Expressions can be modified at any time. To configure an end point policy for a group, you specify a Boolean expression containing the end point resources that you want to apply to the group. Suppose that you create the following end point policies: • CorpAssetRegistryEntry • AntiVirusProcess1 • AntiVirusProcess2 Your end point policy expression might specify that a registry check must verify that the resource attempting to connect is a corporate asset and that the resource must have one of the antivirus processes running. That Boolean expression is: (CorpAssetRegistryEntry & (AntiVirusProcess1 | AntiVirusProcess2)) Valid operators for end point policy expressions are as follows: () - used to nest expressions to control their evaluation & - logical AND | - logical OR ! - logical NOT For users without administrative privileges, end point policies fail if the policy includes a file in a restricted zone (such as C:\Documents and Settings\Administrator) or if the policy includes a restricted registry key. If a user belongs to more than one group, the end point policy applied to the user is the union of the expression for each of the user’s groups. To create an end point policy for a group 1 Click the Access Policy Manager tab. Administration Guide 105 Setting the Priority of Groups 2 In the right pane, right-click End Point Policies and then click New End Point Policy. 3 Type a name and click OK. When the policy is created, create the expression by dragging and dropping the end point resources into the Expression Root. To build an end point policy expression 1 2 Click the Access Policy Manager tab. In the right pane, right-click an end point policy and click Properties. The property page opens and the resources pane moves to the left. 3 4 Under End Point Scan Expression, select Auto-build. 5 The expression is built using the AND identifier. To change the identifier, right-click one of the resources and then select the identifier from the menu. From End Point Resources, click and drag a resource to ()Expression Root in Expression Generator. 6 Click OK. The end point policy expression is configured automatically. If you want to manually edit the expression, click to clear Auto-build. The Auto-build check box should remain selected to prevent errors in the expression. Setting the Priority of Groups For users who belong to more than one group, you can determine which group’s policies apply to a user by specifying the priority of groups. For example, suppose that some users belong to both the “sales” group and the “support” group. If the sales group appears before the support group in the User Groups list, the sales group policies apply to the users who belong to both of those groups. If the support group appears before the sales group in the list, the support group policies take precedence. The policies that are affected by the Group Priority setting are as follows: • Portal page configuration, which determines the portal page the user sees when making a connection. The portal page can be the template provided with the Firebox SSL VPN Gateway or it can point to the Web Interface. • User time-outs that specify the length of time a session can stay active. Time-outs include: - Session time-outs where the connection is closed after a specified amount of time - Network activity time-outs where the Secure Access Client does not detect network traffic for a specified amount of time - Idle session time-out where the Secure Access Client does not detect mouse or keyboard activity for a specified amount of time • Enabling split DNS that allows failover to the user’s local DNS • Forcing the user to log on again if there was a network interruption or when the computer comes out of hibernate or standby The Firebox SSL VPN Gateway looks at all of the user groups. If a user is a member of multiple groups, if the Deny applications without policies check box is selected or if Disable desktop sharing check box is selected in one group, the user’s applications will be denied and desktop sharing will be disabled, regardless of the settings in the other groups. 106 Firebox SSL VPN Gateway Setting the Priority of Groups The following two settings are unioned together. For these settings, they are combined among all of the groups of which the user is a member. When these are combined, these are the enforced set of rules applied to the user. For example, if a user is a member of the sales and support groups, if the sales group has notepad.exe and calc.exe defined as an end point policy, and if the support groups have just Internet Explorer defined, all of the policies are enforced for the user. • Kiosk mode configuration, which includes persistent mode, the applications the user can use, and the default Web address with which the user connects • End point policies that specify registry settings, processes, or files that must be on the client computer If users are members of multiple groups, and IP pooling is enabled in one of those groups, the Firebox SSL VPN Gateway allocates an IP address from the pool for the first group that has IP pooling enabled. Groups are initially listed in the order in which they are created. To set the priority of groups 1 2 Click the Group Priority tab. Select a group that you want to move and use the arrow keys to raise or lower the group in the list. The group at the top of the list has the highest priority. To view the group priorities for a user In the Firebox SSL VPN Gateway Administration Desktop, click the Real-time Monitor icon. The display lists all groups to which the user belongs and the group with the highest priority. Configuring Pre-Authentication Policies Users can be restricted from logging on to the Firebox SSL VPN Gateway using pre-authentication policies. When users use a Web browser to connect to the Firebox SSL VPN Gateway, before they receive the logon dialog box, the pre-authentication policy scans the client computer. If the scan fails, users are prevented from logging on. To log on to the Web portal, the client needs to install the correct applications. To create pre-authentication policies 1 2 Click the Access Policy Manager tab. Under End Point Policies, click the configured policy and drag it to Pre-Authentication Policies in the left pane (located under the Global Policies policy node). To create and configure end point resources and policies, see “Configuring End Point Policies and Resources”. Administration Guide 107 Setting the Priority of Groups 108 Firebox SSL VPN Gateway CHAPTER 7 Creating and Installing Secure Certificates The Firebox SSL VPN Gateway uses certificates for authentication. In the Firebox SSL VPN Gateway Administration Tool, you can create a certificate to be signed by a Certificate Authority. Then, when the signed certificate is received, it can be installed on the Firebox SSL VPN Gateway. This chapter covers the following topics: • Generating a Secure Certificate for the Firebox SSL VPN Gateway • Digital Certificates and Firebox SSL VPN Gateway Operation • Overview of the Certificate Signing Request • Client Certificates Note When configuring certificates do not use 512-bit keypairs. They are subject to brute force attacks. Generating a Secure Certificate for the Firebox SSL VPN Gateway The Firebox SSL VPN Gateway includes a digital certificate that is not signed by a trusted Certificate Authority. Install a digital X.509 certificate that belongs to your company and is signed by a Certificate Authority on the Firebox SSL VPN Gateway. Your company can operate as its own Certificate Authority, or you can obtain a digital certificate from a commercial Certificate Authority such as Verisign and Thawte. Note Operating the Firebox SSL VPN Gateway without a digital certificate signed by a Certificate Authority can subject VPN connections to malicious attacks. There are two ways to install a secure certificate and private key on the Firebox SSL VPN Gateway: • Generate a Certificate Signing Request using the the Administration Tool. When the request is generated, a certificate and private key are created. The private key remains on the Firebox SSL VPN Gateway and the certificate is sent to a CA for signing. When the certificate is received back, it is installed on the appliance. During installation it is paired with the password-protected private key. WatchGuard recommends using this method to create and install secure certificates. Administration Guide 109 Digital Certificates and Firebox SSL VPN Gateway Operation • Install a PEM certificate and private key from a Windows computer. This methods uploads a signed certificate and private key together. The certificate is signed by a CA and it is paired with the private key. Digital Certificates and Firebox SSL VPN Gateway Operation The Firebox SSL VPN Gateway uses digital certificates to encrypt and authenticate traffic over a connection. If the digital certificate installed on the Firebox SSL VPN Gateway is not signed by a Certificate Authority, the traffic is encrypted but not authenticated. A digital certificate must be signed by a Certificate Authority to also authenticate the traffic. When traffic over a connection is not authenticated, the connection can be compromised through a “man in the middle” attack. In such an attack, a third party intercepts the public key sent by the Firebox SSL VPN Gateway to the Secure Access Client and uses it to impersonate the Firebox SSL VPN Gateway. As a result, the user unknowingly sends authentication credentials to the attacker, who could then connect to the Firebox SSL VPN Gateway. A certificate that is signed by a Certificate Authority prevents such attacks. If the certificate installed on the Firebox SSL VPN Gateway is not signed by a Certificate Authority, Secure Access users see a security alert when attempting to log on. Secure Access users see security warnings unless you install a certificate that is signed by a Certificate Authority on the Firebox SSL VPN Gateway and a corresponding certificate on users’ computers. Users can also disable the Security Alert through the Secure Access Connection Properties dialog box. Overview of the Certificate Signing Request Before you can upload a certificate to the Firebox SSL VPN Gateway, you need to generate a Certificate Signing Request (CSR) and private key. The CSR is created using the Certificate Request Generator included in the Administration Tool. The Certificate Request Generator is a wizard that creates a .csr file. When the file is created, it is emailed to the Certificate Authority for signing. The Certificate Authority signs the certificate and returns it to you at the email address you provided. When it is received, you can install it on the Firebox SSL VPN Gateway. To provide secure communications using SSL/TLS, a server certificate is required on the Firebox SSL VPN Gateway. The steps required to obtain and install a server certificate on the Firebox SSL VPN Gateway are as follows: • Generate a CSR (myreq.csr) and private key (private.key) using the Certificate Request Generator as described in “Creating a Certificate Signing Request”. • Email the myreq.csr file to an authorized certificate provider. • When you receive the signed certificate file from your Certificate Authority, upload the certificate using the Administration Tool. The Administration Tool automatically converts the certificate to the PEM format, which is required by the Access Gateway. Password-Protected Private Keys Private keys that are generated with the Certificate Signing Request are stored in an encrypted and password-protected format on the Firebox SSL VPN Gateway. When creating the Certificate Signing Request, you are asked to provide a password for the private key. The password is used to protect the 110 Firebox SSL VPN Gateway Overview of the Certificate Signing Request private key from tampering and it is also required when restoring a saved configuration to the Firebox SSL VPN Gateway. Passwords are used whether the private key is encrypted or unencrypted. Note Caution: When you upgrade to Version 6.0 and save the configuration file, it cannot be used on earlier versions of the Firebox SSL VPN Gateway. If you attempt to upload the Version 6.0 configuration file to an earlier version, the Firebox SSL VPN Gateway becomes inoperable. You can also import a password-protected certificate and private key pairs in the PKCS12 format. This allows encrypted and password-protected private keys and certificates created on the Firebox SSL VPN Gateway to be imported. Note Caution: If you save the configuration on Version 4.5 of the Firebox SSL VPN Gateway, do not install it on an earlier version of the appliance. Because the private key is encrypted in Version 4.5, older versions cannot decrypt it and the appliance becomes inoperable. Creating a Certificate Signing Request The CSR is generated using the Certificate Request Generator in the Firebox SSL VPN Gateway Administration Tool. To create a Certificate Signing Request 1 2 Click the VPN Gateway Cluster tab and open the window for the appliance. On the Certificate Signing Request tab, type the required information in the fields and then click Generate Request. Note Note: In the field VPN Gateway FQDN, type the same FQDN that is on the General Networking tab. In Password, type the password for the private key. 3 A .csr file is created. Save the certificate request on the local computer. 4 Email the certificate to your Certificate Authority The certificate provider returns a signed certificate to you by email. When you receive the signed certificate, install it on the Firebox SSL VPN Gateway. After you create the certificate request and send it to the Certificate Authority, refrain from performing the following tasks on the Firebox SSL VPN Gateway until you receive the signed certificate back and install it on the appliance: • Generating another Certificate Signing Request • Uploading a saved configuration file • Publishing configuration settings from another appliance in the cluster Note Important: When the certificate is generated and sent to the Certificate Authority, do not create another Certificate Signing Request. The Firebox SSL VPN Gateway stores one private key. If the Certificate Signing Request is run again, the private key is overwritten and the signed certificate will not match. Administration Guide 111 Overview of the Certificate Signing Request Note When you save the Firebox SSL VPN Gateway configuration, any certificates that are already installed are included in the backup. To install a certificate file using the Administration Tool 1 2 Click the VPN Gateway Cluster tab. On the Administration tab, next to Upload a signed Certificate (.crt), click Browse. This button is used only when you are installing a signed certificate generated on the Certificate Signing Request tab. 3 Locate the file you want to upload and click Open. Note When the client certificate is uploaded, it is converted automatically to PEM format. You can also upload the certificate using the Administration Portal. To upload a certificate using the Administration Portal 1 2 3 On the Administration Portal main page, click Maintenance. Next to Upload Signed Certificate (.crt), click Browse. Navigate to the certificate and upload the file. Installing a Certificate and Private Key from a Windows Computer If you are using a load balancer or you have a signed digital certificate with the private key that is stored on a Windows computer, you can upload this to the Firebox SSL VPN Gateway. If the Firebox SSL VPN Gateway is not behind a load balancer, the certificate must contain the FQDN of the Firebox SSL VPN Gateway. If the Firebox SSL VPN Gateway is behind a load balancer, each appliance must contain the same certificate and private key. For more information, see “Connecting to a Server Load Balancer” on page 28. To install a certificate and private key from a Windows computer 1 2 3 4 Click the Firebox SSL VPN Gateway Cluster tab and open the window for the appliance. Click the Administration tab. Next to Upload a .pem private key and signed certificate, click Browse. Navigate to the certificate and then click Open. When you upload the certificate to the Firebox SSL VPN Gateway, you are asked for a password to encrypt the private key. Installing Root Certificates on the Firebox SSL VPN Gateway Root certificates are provided by the CA and are used by SSL clients to validate certificates presented by an SSL server.When an SSL client attempts to connect to an SSL server, the server presents a certificate. The client consults its root certificate store to see if the certificate that the SSL server presented is signed by a CA that the root certificate trusts. If you deploy the Firebox SSL VPN Gateway in any environment where the Firebox SSL VPN Gateway must operate as the client in an SSL handshake (initiate encrypted connections with another server), install a trusted root certificate on the Firebox SSL VPN Gateway. 112 Firebox SSL VPN Gateway Overview of the Certificate Signing Request The root certificate that is installed on the Firebox SSL VPN Gateway has to be in PEM format. On Windows, the file extension .cer is sometimes used to indicate that the root certificate is in PEM format. If you are validating certificates on internal connections, the Firebox SSL VPN Gateway must have a root certificate installed. To install a root certificate on the Firebox SSL VPN Gateway 1 2 3 4 On the Firebox SSL VPN Gateway Cluster tab, open the window for an appliance. On the Administration tab, next to Manage trusted root certificates, click Manage. On the Manage tab, click Upload Trusted Root Certificate. Navigate to the file and then click Open. To remove the root certificate, click Remove Trusted Root Certificate. Installing Multiple Root Certificates Multiple root certificates can be installed on the Firebox SSL VPN Gateway, however they must be in one file. For example, you can create a text file in a plain text editor (such as Notepad) that contains all of the root certificates. Open each root certificate in another plain text editor window and then copy and paste the contents of each certificate below the last line in the new text window. When all of the certificates are copied to the new file, save the text file in PEM format, and then upload the file to the Firebox SSL VPN Gateway. Creating Root Certificates Using a Command Prompt You can also create PEM-formatted root certificates using a DOS command prompt. For example, if you have three PEM root certificates, you can use the following command to create one file that contains all three certificates: type root1.pem root2.pem root3.pem > current-roots.pem If you want to add additional root certificates to an existing file, use the following command: type root4.pem root5.pem >> current-roots.pem When this command is executed, all five root certificates are in the file current-roots.pem. The double greater than symbol (>>) appends the the contents of root4.pem and root5.pem to the existing contents of current-roots.pem. Resetting the Certificate to the Default Setting The Firebox SSL VPN Gateway comes with a certificate that is not digitally signed by a Certificate Authority. If you need to reimage the appliance, you can reset the certificate to the default certificate that came with the Firebox SSL VPN Gateway. You can do this by using the serial console and selecting the option to reset the certificate. To reset the default certificate 1 2 Connect the serial cable to the 9-pin serial port on the Firebox SSL VPN Gateway and connect the cable to a computer that is capable of running terminal emulation software. On the computer, start a terminal emulation application such as HyperTerminal. Administration Guide 113 Client Certificates Note Note: HyperTerminal is not installed automatically on Windows 2000 Server or Windows Server 2003. To install HyperTerminal, use Add/Remove Programs in Control Panel. 3 4 5 6 Set the serial connection to 9600 bits per second, 8 data bits, no parity, 1 stop bit. Hardware flow control is optional. Turn on the Firebox SSL VPN Gateway. The serial console appears on the computer terminal after about three minutes. If using HyperTerminal, press the Enter key. To reset the default certificate, type 5 and press Enter. Client Certificates If you want additional authentication, you can configure the Firebox SSL VPN Gateway to require client certificates for authentication. The Firebox SSL VPN Gateway can authenticate a client certificate that is stored in either of these locations: • In the certificate store of the Windows operating system on a client computer. In this case, the client certificate is installed separately in the certificate store using the Microsoft Management Console. • In a smart card or a hardware token. In this case, the certificate is embedded within the smart card and read from a smart card reader attached to the network. Note Note: The Firebox SSL VPN Gateway is configured in the same way regardless of whether the certificates are stored in the Windows operating system or on a smart card. No special If clients are connecting using kiosk mode or from a Linux computer, client side certificates are not supported. If client certificates are enabled in the Firebox SSL VPN Gateway, Linux Clients and kiosk mode do not work. If a client certificate is required, it must be provided by the network administrator. The certificate is installed separately into the certificate store using the Microsoft Management Console. When this requirement is enforced, every computer that logs on through the Firebox SSL VPN Gateway must have an SSL client certificate that is in P12 format. To require client certificates 1 2 3 Click the Global Cluster Policies tab. Under Select security Options, select Require secure client certificates. Click Submit. Note Connections using ICA or session reliability do not support client certificates. When client certificates are enabled, the Firebox SSL VPN Gateway accepts only secure connections from applications that can present the client certificate. 114 Firebox SSL VPN Gateway Client Certificates Installing Root Certificates Support for most trusted root authorities is already built into the Windows operating system and Internet Explorer. Therefore, there is no need to obtain and install root certificates on the client device if you are using these CAs. However, if you decide to use a different CA, you need to obtain and install the root certificates yourself. Obtaining a Root Certificate from a CertificateAuthority Root certificates are available from the same Certificate Authorities (CAs) that issue server certificates. Well-known or trusted CAs include Verisign, Baltimore, Entrust, and their respective affiliates. Certificate authorities tend to assume that you already have the appropriate root certificates (most Web browsers have root certificates built-in). However, if you are using certificates from a CA that is not already included on the client computer, you need to specifically request the root certificate. Several types of root certificates are available. For example, VeriSign has approximately 12 root certificates that they use for different purposes, so it is important to ensure that you obtain the correct root certificate from the CA. Installing Root Certificates on a Client Device Root certificates are installed using the Microsoft Management Console (MMC) in Windows. When installing a root certificate to the MMC, use the Certificate Import wizard. The certificate is installed in the Trusted Root Certification Authorities store for the local computer. For information about root certificate availability and installation on platforms other than 32-bit Windows, refer to product documentation appropriate for the operating system you are using. Selecting an Encryption Type for Client Connections All communications between the Secure Access Client and the Firebox SSL VPN Gateway are encrypted with SSL. The SSL protocol allows two computers to negotiate encryption ciphers to accomplish the symmetric encryption of data over a secure connection. You can select the specific cipher that the Firebox SSL VPN Gateway uses for the symmetric data encryption on an SSL connection. Selecting a strong cipher reduces the possibility of malicious attack. The security policies of your organization may also require you to select a specific symmetric encryption cipher for secure connections. You can select RC4, 3DES, or AES encryption ciphers for SSL connections. The default setting is RC4 128bit. The MD5 or SHA hash algorithm is negotiated between the client and the server. The Firebox SSL VPN Gateway uses RSA for public key encryption in a secure connection. The encryption ciphers and hash algorithms that you can select for symmetric encryption are listed below: • RC4 128-bit, MD5/SHA • 3DES, SHA • AES 128/256-bit, SHA To select an encryption type for client connections 1 2 Click the Global Cluster Policies tab. Under Select security options, in Select encryption type for client connections, select the bulk encryption cipher you want to use for secure connections. Administration Guide 115 Requiring Certificates from Internal Connections 3 Click Submit. Requiring Certificates from Internal Connections To increase security for connections originating from the Firebox SSL VPN Gateway to your internal network, you can require the Firebox SSL VPN Gateway to validate SSL server certificates. Previous versions of the Firebox SSL VPN Gateway did not validate the SSL server certificate presented by the Web Interface and the Secure Ticket Authority. Validating SSL server certificates is an important security measure as it can help prevent security breaches, such as man-in-the-middle attacks. The Firebox SSL VPN Gateway requires installing the proper root certificates that are used to sign the server certificates. To install root certificates, On the Cluster Config tab, select Administration > Manage Trusted root CA certificates To require server certificates for internal client connections On the Global Cluster Policies tab, under SSL Options, select Validate SSL Certificates for Internal Connections. Wildcard Certificates The Firebox SSL VPN Gateway supports validation of wildcard certificates for Secure Access Clients. The wildcard certificate has an asterisk (*) in the certificate name. Wildcard certificates can be formatted in one of two ways, such as *.mycompany.com or www*.mycompany.com. When a wildcard certificate is used, clients can choose different Web addresses, such as http://www1.mycompany.com or http://www2.mycompany.com. The use of a wildcard certificate allows several Web sites to be covered by a single certificate. 116 Firebox SSL VPN Gateway CHAPTER 8 Working with Client Connections Clients can access resources on the corporate network by connecting through the Firebox SSL VPN Gateway from their own computer or from a public computer. The following topics describe how client connections work: • Using the Access Portal • Connecting from a Private Computer • Connecting from a Public Computer • Client Applications • Supporting Secure Access Client • Managing Client Connections System Requirements The Secure Access Client is supported on the following operating systems and Web browsers. Operating Systems The Secure Access Client is supported on the following Windows operating systems: • Windows XP Home Edition • Windows XP Professional • Windows 2000 Server • Windows Server 2003 • Windows Vista 32-bit Web Browsers The Secure Access Client is supported on the following Web browsers: • Microsoft Internet Explorer, Versions 6.x and 7.x • Mozilla Firefox Version 1.5 and later versions Administration Guide 117 Using the Access Portal If clients are using Mozilla Firefox to connect, pages that require ActiveX, such as the pre-authentication page, are not able to run. If clients are going to connect using the kiosk, they must have Sun Java Runtime Environment (JRE) Version 1.5.0_06 installed on their computer. Using the Access Portal The Access Portal is an HTML page that enables a user to choose the type of connection to be established from a remote computer. Users can either connect from the portal page or they can use the Secure Access Client that is installed on their computer from the portal page. Note You can customize the portal page templates provided with the Firebox SSL VPN Gateway and assign them on a group basis, as described in “Using Portal Pages” on page 38 and “Client certificate criteria configuration” on page 95. You can also include a link to the Firebox SSL VPN Gateway Clients on a Web site, as described in “Linking to Clients from Your Web Site” on page 41. From the portal page, the user either starts the Secure Access Client or kiosk mode. • The Secure Access Client is intended for connections from a private computer because data is transferred from the network to which the user is connecting to the user’s computer. • Kiosk mode is useful for connections from a public computer because no data is written to the user’s computer. However, if you configure network shares, a user can copy files from a shared network drive to the remote computer. Note You can configure the Firebox SSL VPN Gateway Administration Tool so that users do not have the option to connect from a public computer. For more information, see “End point resources and policies” on page 104 To connect using the default portal page 1 Use Internet Explorer to access the Web address of the Firebox SSL VPN Gateway; for example: https://vpn.mycompany.com. 2 If the Firebox SSL VPN Gateway does not have a signed certificate installed, a Security Alert dialog box appears. Click Yes to continue. 3 Type the network user name and password and then click Connect. The default portal page opens. 4 If connecting from a Windows computer, choose the type of connection: • If connecting from a secure computer, click My own computer. The first time a connection is made, the File Download dialog box appears. Click Save and then click Open. The file downloads to the client computer. The first time that you connect to the Firebox SSL VPN Gateway, the Terms and Conditions of Use dialog box appears. You must click “I Accept” to install the driver. When the driver is installed, the user can subsequently start the Secure Access Client without going through the portal page. If you configured the Secure Access Client to start automatically, the client starts after the users enter their Windows logon credentials, which are also used for the Secure Access Client. Thus, when 118 Firebox SSL VPN Gateway Connecting from a Private Computer the computer is started, users do not have to do anything to create the connection, provided that they have a network connection and can log onto Windows. The connection enables users to work with the connected site just as if they were logged on at the site. Data can be transferred between the remote computer and the connected site. For more information, see “Connecting from a Private Computer” on page 119. If connecting from a public computer, click A public computer. The Web browser opens in one of two configured modes, as described in “Connecting from a Public Computer” on page 126. 5 If connecting from a Linux computer, click the Linux download link to start the download and view instructions about how to install the client. Note The Linux tcl and tk packages are required for the Secure Access Client.. In addition to the command net6vpn --login, which opens the logon dialog box for the Secure Access Client, you can also type net6vpn to see a list of other command-line options. If you lose the connection, the VPN daemon may be stopped. The Secure Access Client requires a running VPN daemon to connect to the Firebox SSL VPN Gateway. To check the status of the VPN daemon, type the following at a command prompt: /sbin/service net6vpnd status To restart a stopped daemon, type the following: /sbin/service net6vpnd start Then, click Disconnect and reenter your logon credentials. To remove the Linux VPN client At the command prompt, type the following: /sbin/service net6vpnd stop /sbin/chkconfig --del net6vpnd rm -rf /etc/net6vpn.conf /etc/init.d/net6vpnd /usr/bin/net6vpn /usr/sbin/net6vpnd /usr/local/ net6vpn/ Connecting from a Private Computer If a user chooses the My own computer option in the Access Portal page, the connection provides full access to the network resources that the user’s group(s) have permission to access. The Firebox SSL VPN Gateway operates as follows: • When a user firsts connects using a Web address, the Secure Access Client is downloaded and installed onto the client computer. • After downloading the Secure Access Client, the user logs on. When the user successfully authenticates, the Firebox SSL VPN Gateway establishes a secure tunnel. • As the remote user attempts to access network resources across the VPN tunnel, the Secure Access Client encrypts all network traffic destined for the organization’s intranet and forwards the packets to the Firebox SSL VPN Gateway. Administration Guide 119 Connecting from a Private Computer • The Firebox SSL VPN Gateway terminates the SSL tunnel, accepts any incoming traffic destined for the private network, and forwards the traffic to the private network. The Firebox SSL VPN Gateway sends traffic back to the remote computer over a secure tunnel. When a remote user logs on using the Secure Access Client, the Firebox SSL VPN Gateway prompts the user for authentication over HTTP 401 Basic or Digest. The Firebox SSL VPN Gateway authenticates the credentials using an authentication type such as local authentication, RSA SecurID, SafeWord, LDAP, NTLM, or RADIUS. If the credentials are correct, the Firebox SSL VPN Gateway finishes the handshake with the client. This logon step is required only when a user initially downloads the Secure Access Client. If the user is behind a proxy server, the user can specify the proxy server and authentication credentials. For more information, see “Configuring Proxy Servers for the Secure Access Client” on page 125. The Secure Access Client is installed on the user’s computer. After the first connection, the remote user can subsequently use a desktop shortcut to start the Secure Access Client. The Advanced Options dialog box, which is used to configure client computer settings, can also be opened by right-clicking the Secure Access Client icon on the desktop and then clicking Properties. If users are connecting using a Web page, they are either prompted to log on or are taken directly to a portal page where they can connect using Secure Access Client. If the Firebox SSL VPN Gateway is configured to have users log on before making a connection with Secure Access Client, they type their user name and password and then log on. A portal page appears that provides the choice to log on using the full Secure Access Client or in kiosk mode (if enabled). If a user chooses to log on using Secure Access Client, the connection provides full access to the network resources that the user’s group(s) have permission to access. The access granted by the security policies enable users to work with the remote system just as if they are logged on locally. For example, users might be granted permission to applications, including Web, client-server, and peer-to-peer such as Instant Messaging, video conferencing, and real-time Voice over IP applications. Users can also map network drives to access allowed network resources, including shared folders and printers. While connected to an Firebox SSL VPN Gateway, remote users cannot see network information from the site to which they are connected. For example, while connected to the Firebox SSL VPN Gateway, type the following at a command prompt: ipconfig/all or route print You will not see network information from the corporate network. Establishing the Secure Tunnel After the Secure Access Client is started, it establishes a secure tunnel over port 443 (or any configured port on the Firebox SSL VPN Gateway) and sends authentication information. When the tunnel is established, the Firebox SSL VPN Gateway sends configuration information to the Secure Access Client describing the networks to be secured and containing an IP address if you enabled IP pooling. For more information about IP pooling see “Enabling IP Pooling” on page 94. Tunneling Private Network Traffic over Secure Connections When the Secure Access Client is started and the user is authenticated, all network traffic destined for specified private networks is captured and redirected over the secure tunnel to the Firebox SSL VPN Gateway. The Firebox SSL VPN Gateway intercepts all network connections made by the client device and multiplexes/tunnels them over SSL to the Firebox SSL VPN Gateway, where the traffic is demultiplexed and the connections are forwarded to the correct host and port combination. The connections are subject to administrative security policies that apply to a single application, a subset of applications, or an entire intranet. You specify the resources (ranges of IP address/subnet pairs) 120 Firebox SSL VPN Gateway Connecting from a Private Computer that remote users can access through the VPN connection. For more information, see “Configuring Resources for a User Group” on page 96. All IP packets, regardless of protocol, are intercepted and transmitted over the secure link. Connections from local applications on the client computer are securely tunneled to the Firebox SSL VPN Gateway, which reestablishes the connections to the target server. Target servers view connections as originating from the local Firebox SSL VPN Gateway on the private network, thus hiding the client IP address. This is also called reverse Network Address Translation (NAT). Hiding IP addresses adds security to source locations. Locally, on the client computer, all connection-related traffic (such as SYN-ACK, PUSH, ACK, and FIN packets) is recreated by the Secure Access Client to appear from the private server. Operation through Firewalls and Proxies Users of Secure Access Client are sometimes located inside another organization’s firewall. NAT firewalls maintain a table that allows them to route secure packets from the Firebox SSL VPN Gateway back to the client computer. For circuit-oriented connections, the Firebox SSL VPN Gateway maintains a portmapped, reverse NAT translation table. The reverse NAT translation table enables the Firebox SSL VPN Gateway to match connections and send packets back over the tunnel to the client with the correct port numbers so that the packets return to the correct application. The Firebox SSL VPN Gateway tunnel is established using industry-standard connection establishment techniques such as HTTPS, Proxy HTTPS, and SOCKS. This operation makes the Firebox SSL VPN Gateway firewall accessible and allows remote computers to access private networks from behind other organizations’ firewalls without creating any problems. For example, the connection can be made through an intermediate proxy, such as an HTTP proxy, by issuing a CONNECT HTTPS command to the intermediate proxy. Any credentials requested by the intermediate proxy are in turn obtained from the remote user (by using single sign-on information or by requesting the information from the remote user) and presented to the intermediate proxy server. When the HTTPS session is established, the payload of the session is encrypted and carries secure packets to the Firebox SSL VPN Gateway. Terminating the Secure Tunnel and Returning Packets to the Client The Firebox SSL VPN Gateway terminates the SSL tunnel and accepts any incoming packets destined for the private network. If the packets meet the authorization and access control criteria, the Firebox SSL VPN Gateway regenerates the packet IP headers so that they appear to originate from the Firebox SSL VPN Gateway’s private network IP address range or the client-assigned private IP address. The Firebox SSL VPN Gateway then transmits the packets to the network. Note Note: The Secure Access Client maintains two tunnels: an SSL tunnel over which data is sent to the Firebox SSL VPN Gateway and a tunnel between the client and local applications. The encrypted data that arrives over the SSL tunnel is then decrypted before being sent to the local application over the second tunnel. If you run a packet sniffer such as Ethereal on the computer where the Secure Access Client is running, you will see unencrypted traffic that appears to be between the client and the Firebox SSL VPN Gateway. That unencrypted traffic, however, is not over the tunnel between the client and the Firebox SSL VPN Gateway but rather the tunnel to the local applications. When an application client connects to its application server, certain protocols may require that the application server in turn attempt to create a new connection with the client. In this case, the client Administration Guide 121 Connecting from a Private Computer sends its known local IP address to the server by means of a custom client-server protocol. For these applications, the Secure Access Client provides the local client application a private IP address representation, which the Firebox SSL VPN Gateway uses on the internal network. Many real-time voice applications and FTP use this feature. Clients can access resources on the corporate network by connecting through the Firebox SSL VPN Gateway from their own computer or from a public computer. ActiveX Helper When the user connects to the Web Interface portion of the Firebox SSL VPN Gateway and logs on, net6helper.cab and ActiveX control are installed. This file provides three main functions: • It launches the client from the Web page instead of having to manually download the executable and then launching the Secure Access Client. • It performs pre-authentication checks for the Web page. • It provides single sign-on. When the Secure Access Client is started from the Web page, the Secure Access Client does not prompt the user to log on again. Using the Secure Access Client Window To enable users to connect to and use the Firebox SSL VPN Gateway, you need to provide them with the following information: • Firebox SSL VPN Gateway Web address, such as https://AccessGatewayFQDN/. If a user needs access from a computer that is not running Windows 2000 or above or Linux, but is running a Java Virtual Machine (JVM) 1.5 or higher, the user can use the Java applet version of the kiosk. The Web address for connecting to the Java applet version of the kiosk is: https://AccessGateway/vpn_portal-javaonly.html • The authentication realm name required for logon (if you use realms other than the realm named Default). • Path to any network drives that the users can access, which is done by mapping a network drive on their computer. • Any system requirements for running the Secure Access Client if you configured end point resources and policies. Depending on the configuration of a remote user’s system, you might also need to provide additional information: • To start the Secure Access Client, Windows 2000 users must be a local administrator or a member of the Administrators group to install programs on their computer. This restriction applies to Windows XP for first-time installation only, not for upgrades. • If a user runs a firewall on the remote computer, the user might need to change the firewall settings so that it does not block traffic to or from the IP addresses corresponding to the resources for which you granted access. The Secure Access Client automatically handles Internet Connection Firewall in Windows XP and Windows Firewall in Windows XP Service Pack 2. For information about configuring a variety of popular firewalls, see “Using Firewalls with Firebox SSL VPN Gateway” on page 149. • Users who want to send traffic to FTP over the Firebox SSL VPN Gateway connection must set their FTP application to perform passive transfers. A passive transfer means that the remote computer establishes the data connection to your FTP server, rather than your FTP server establishing the data connection to the remote computer. • Users who want to run X client applications across the connection must run an X server, such as XManager, on their computers. • Because users work with files and applications just as if they were local to the organization’s network, no retraining of users or configuration of applications is needed. 122 Firebox SSL VPN Gateway Connecting from a Private Computer An email template is provided that includes the information discussed in this section. The template is available from the Downloads page of the Administration Portal. WatchGuard recommends that you customize the text for your site and then send the text in an email to users. When the Secure Access Client is loaded, users are prompted to log on to the Firebox SSL VPN Gateway to establish the connection. The Firebox SSL VPN Gateway administrator determines the type of authentication using the Authentication tab of the Firebox SSL VPN Gateway Administration Tool, as described in “Configuring Authentication and Authorization” on page 61. If double-source authentication is configured on the Firebox SSL VPN Gateway, and the users are logging on using full access, they type their user name and passwords for each type of authentication. For example, users are configured to use LDAP authentication and RSA SecurID. They would type their password, their RSA SecurID personal identification number (PIN), and RSA SecureID code. For more information about logging on using double-source authentication, see “Double-source Authentication Portal Page” on page 43. Note If you are using the Linux Client, the connection window will not include the options described in the following procedure. The Secure Access Client is installed the first time the user logs on to the portal Web page. To log on to the Firebox SSL VPN Gateway 1 In the Firebox SSL Secure Access dialog box, enter the logon credentials. If the Firebox SSL VPN Gateway is configured with more than one authentication realm and you need to connect to a realm other than the Default, enter the realm name before your user name (realmName\userName). If your site uses RSA SecurID authentication, your password is your PIN plus the RSA SecurID token. 2 If the Firebox SSL VPN Gateway requires double-source authentication, type the user name and the password for each authentication type. The Secure Access Client dialog box showing double-source authentication Note When a user logs on, the authentication is checked in the order that is configured in the realm. If the user log on fails the primary authentication, the secondary authentication is not checked. 3 If you are behind a proxy server, right-click the dialog box and then click Advanced Options. Administration Guide 123 Connecting from a Private Computer The Secure Access Client dialog box with the pop-up menu showing Advanced Options 4 Under Proxy Settings, select Use Proxy Host and then in Proxy Address and Proxy Host, type the IP address and port. If the proxy server requires authentication, select Proxy server requires authentication. When users attempt to establish a connection, they are first prompted for their proxy server logon credentials. 5 6 To allow failover to your local DNS, under Connection Settings, select Enable Split DNS. 7 To allow the Secure Access Client to update automatically, without prompts, when a new version is available on the Firebox SSL VPN Gateway, under Connection Settings, select the Always update client check box. Click OK and then click Connect. Note If a digital certificate signed by a Certificate Authority is not installed on the Firebox SSL VPN Gateway, you will see a Security Alert. For more information, see “Digital Certificates and Firebox SSL VPN Gateway Operation” on page 110. When the connection is established, a status window briefly appears and the Secure Access Client window is minimized to the notification area. The icon indicates whether the connection is enabled or disabled and flashes during activity. A shortcut to the Secure Access Client is placed on the desktop. To use the Secure Access Client status properties 1 To open the window, double-click the connection icon in the notification area. Alternatively, rightclick the icon and choose VPN Properties from the menu. The Secure Access Client dialog box appears. 2 To view the properties of the connection, click the General, Details or Access Lists tabs. These tabs provide information that is helpful for troubleshooting. The properties include: • The General tab displays connection information. • The Details tab displays server information and a list of the secured networks the clients are allowed to access. • The Access Lists tab displays the access control lists (ACLs) that are configured for the user connection. This tab does not appear for users who are not in a group or if an ACL is not configured for a group. 3 To close the window, click Close. To disconnect the Secure Access Client Right-click the Secure Access icon in the notification area and choose Disconnect from the menu. 124 Firebox SSL VPN Gateway Connecting from a Private Computer To view the Connection Log The Connection Log contains real-time connection information that is particularly useful for troubleshooting connection issues. 1 2 Right-click the Firebox SSL Secure Access Client icon in the notification area. Choose Connection Log from the menu. The Connection Log for the session appears. Note The Connection Log is written to the computer in %systemroot\Documents and Settings\username\Local Settings\Application Data\NET6\net6vpn.log. The log is overwritten each time a new VPN connection is established. To disconnect the Secure Access Client Right-click the Secure Access Client icon in the notification area and choose Disconnect from the menu. Note When you share an application, instead of your desktop, the person with whom you are sharing the application can view and work with only that application. The rest of your desktop is not visible to the other person. Configuring Proxy Servers for the Secure Access Client When the Secure Access Client connects, before downloading polices from the Firebox SSL VPN Gateway, the Secure Access Client queries the operating system for client proxy settings. If auto-detection is enabled, the Secure Access Client automatically changes client proxy settings to match settings stored in the operating system. The Secure Access Client attempts to connect to the Firebox SSL VPN Gateway, download pre-authentication policies, and then prompt the users for their logon credentials. If the Secure Access Client cannot automatically detect the client proxy settings, it resorts to a straight connection without using the proxy server. Automatic detection of the proxy settings is configured in the Advanced Options dialog box in the Secure Access Client. Users can also manually configure a proxy server from the Secure Access Client. When a proxy server is manually configured, this disables the automatic detection of proxy settings. To manually configure a proxy server 1 2 3 On the desktop of the client computer, click the Secure Access Client icon to open the logon dialog box. Right-click anywhere in the Secure Access Client logon dialog box and select Advanced Options. In the WatchGuard Secure Access Options dialog box, under Proxy settings, select Manually configure proxy server. 4 In IP Address and Port, type the IP address and port number. 5 If authentication is required by the server, select Proxy server requires authentication. The Advanced Options dialog box can also be opened by right-clicking the WatchGuard Secure Access icon on the desktop and then clicking Properties. Administration Guide 125 Connecting from a Public Computer Configuring Secure Access Client to Work with Non-Administrative Users If a user is not logged on as an administrator on a computer running Windows 2000 Professional, the Secure Access Client must be installed locally on the client computer and then started using the Web address of https://FQDN/ WatchGuardsaclient.exe, where FQDN is the address of the Firebox SSL VPN Gateway. The ActiveX applet does not have the rights to download and install the file. Clients who are logged on as non-administrators using Windows 2003 Server or Windows XP are able to download and install the ActiveX applet. For a user who is not logged on as an administrator and connects using the Secure Access Client, applications such as Microsoft Outlook might occasionally lose the network connection. Connecting from a Public Computer Connections Using Kiosk Mode The Firebox SSL VPN Gateway provides secure access to a corporate network from a public computer using kiosk mode. When users select A public computer on the WatchGuard portal page, a Web browser opens. The user logs on and then can access applications provided in the browser window. By default, kiosk mode is disabled. When kiosk mode is disabled, users do not see the A public computer option on the portal page and the Firebox SSL VPN Gateway does not provide any kiosk mode functionality. For computers running Java virtual machine (JVM 1.5) or higher (such as Macintosh, Windows 95, or Windows 98 computers), kiosk mode is available through a Java applet. For Macintosh computers to support kiosk mode, the Safari browser and JRE 1.5 must be installed. When the user is logged on using kiosk mode, the Firebox SSL VPN Gateway sends images only (no data) over the connection. As a result, there is no risk of leaving temporary files or cookies on the public computer. Both temporary files and cookies for the session are maintained on the Firebox SSL VPN Gateway. The browser defaults to a Web address that is configured per group through the Administration Tool. The Web browser window can also include icons for Remote Desktop, SSH, Telnet 3270 emulator, Gaim instant messenging, and VNC clients. The icons are displayed in the bottom-left corner of the window. The applications are specified for each group. For more information about configuring applications for kiosk mode, see “Creating a Kiosk Mode Resource” on page 127. The Web browser window also provides access to shared network drives. The Firebox SSL VPN Gateway administrator configures the permissions granted (read-only or read/write) to each shared network drive. For more information about configuring network shares, see “Configuring file share resources” on page 102. Users can copy files from the network share to their computer simply by dragging the file onto the KioskFTP icon and selecting the destination in the File Download dialog box. Note Important: End point policies are not supported or enforced when users are logged on using kiosk mode. Kiosk mode can include the following applications if they are enabled on the User Groups tab in the Administration Tool: 126 Firebox SSL VPN Gateway Connecting from a Public Computer • Firefox Web browser. You configure by group whether or not to include the Firefox browser and the browser’s default Web address. Firefox preferences, such as saved passwords, are retained for the next session. • Shared network drives. Icons that provide access to shared network drives. The user can download files from a network share by dragging a file onto the KioskFTP icon, as described in “Configuring File Shares for Kiosk Mode” on page 141. • Icons that provide access to the VNC client, Remote Desktop, Telnet 3270 emulator, and SSH. You configure by group the clients to be included in the kiosk session. For information about using the clients, see the following sections: • “Remote Desktop client” on page 130 • “SSH Client” on page 130 • “Telnet 3270 Emulator Client” on page 131 • “VNC Client” on page 131 • “Gaim Instant Messenging” on page 131 If the user’s browser is configured to use a proxy server, users connected using kiosk mode use the browser’s proxy setting. To allow users access to corporate resources using kiosk mode, it must be enabled. To enable kiosk mode On the Global Cluster Policies tab, under Access options, select Enable kiosk mode. If this check box is clear, users cannot use kiosk mode and the option is not available from the Web portal page. When kiosk mode is enabled, users can connect using the Web portal page. To log on to the Firebox SSL VPN Gateway using kiosk mode 1 Use the logon page to connect, as described in “Connecting Using a Web Address”. Click A public computer. The WatchGuard Secure Access logon dialog box appears. 2 Enter your network logon credentials and click Login. Note Note: Users logged on using kiosk mode can use the FTP protocol to download files from the corporate network. Files that are downloaded using the kiosk session cannot be returned to the corporate network. Creating a Kiosk Mode Resource Kiosk mode is configured using kiosk resources that define the file shares and applications users have access to when they log on in kiosk mode. By default, kiosk mode is disabled. To enable it, the resources are configured and then added to user groups. Kiosk mode is configured on the Access Policy Manager tab and then added to the groups in the left pane. Note Note: If the user has general Internet access before making a connection, the user can browse the Internet from the Firefox browser in the Web browser window, unless a network resource is defined that denies access to the Internet. Administration Guide 127 Connecting from a Public Computer To create and configure a kiosk resource 1 2 3 4 5 6 7 Click the Access Policy Manager tab. In the right pane, right-click Kiosk Resources and then click New Kiosk Resource. Type a name for the resource and click OK. To add a file share, under File shares, drag the resource to Shares. Select the applications users are allowed to use in kiosk mode. Select Save kiosk application settings to retain Firefox preferences between sessions. The preferences are saved on the remote server (hosting the session). Click OK. To add a kiosk resource to one or more groups, click the resource and drag it to the group or groups to which the policy applies. Working with File Share Resources When a user connects with a Web browser and selects A public computer, the Firebox SSL VPN Gateway opens a kiosk connection. If file shares are configured, the user can work with files that reside on the share. Files are not downloaded to the public computer. The network shares available to the user are configured on the Access Policy Manager tab. To create a file share resource 1 2 Click the Access Policy Manager tab. 3 4 In Share source, type the path to the share source using the form: //server/share. In the right pane, right-click File Share Resources, click New File Share Resource, type a name, and click OK In Mount type, select the file sharing network protocol, either CIFS/SMB or NFS. Note Note: CIFS/SMB is the Common Internet File System/Server Message Block network protocol used for file sharing in Microsoft Windows. NFS is the Network File System that allows you to mount a disk partition on a remote computer as if it was on the hard drive on the local computer. NFS is typically used with Linux computers. 5 If administrative user credentials are required to mount a CIFS/SMB drive, in User name, specify the user name and in Password, type a password. These fields are not enabled for NFS. All users who access the share have the rights of this user. 6 7 In Domain, type the Active Directory domain of the share. This field is not enabled for NFS. In Permissions, specify whether you want remote users to have read/write or read-only permissions for the share. Click OK. Note Note: Users can use the FTP protocol to send and receive files to the remote computer. After configuring the file share, it must be added to the kiosk resource. To add a file share to a kiosk resource 1 128 On the Access Policy Manager tab, in the right-pane, under Kiosk Resources, right-click a resource, and click Properties. Firebox SSL VPN Gateway Client Applications 2 Select a file share from File Share Resources and drag it to Shares under File shares in the kiosk resource. 3 Click OK. To remove a file share On the Access Policy Manager tab, in the right-pane, right-click the file share and click Remove. You can specify the shared network drives that are accessible for sessions. For each shared drive, you specify whether users have read-only or read/write access. If users are granted read-write access, a user can change the files on the shared network drive, provided that the user’s account has the permissions to do so. To work with file share resources 1 In the Web browser, double-click a shared network drive icon. The share window opens inside of the kiosk window. 2 3 To copy a file from the network drive to your computer, drag the file icon over the KioskFTP icon. In the Kiosk File Download dialog box, navigate to the location where you want to copy the file and then click Open. When the FTP transfer is complete, a message window appears. You cannot use FTP to transfer folders or copy files back to the shared network drive. Client Applications When users are logged on using kiosk mode, you can allow them to use different applications. The applications include: • Firefox web browser • Remote Desktop Client • SSH Client • Telnet 3270 Emulator Client • VNC Client • Gaim Instant Messenging Configuration of these client applications is done on the Access Policy Manager tab in the Administration Tool. To enable client applications 1 2 Click the Access Policy Manager tab. 3 4 5 Under Kiosk Resource, select the applications users are allowed to use. Click OK. 2. In the right pane, under Kiosk Resources, right-click a resource and click Properties. If you are enabling Firefox, type the Web address of the browser. If you are enabling Remote Desktop, type the IP address of the remote computer. Drag the resource to the group or groups to which it belongs. Click OK. Administration Guide 129 Client Applications Firefox Web Browser The Firefox Web browser allows users to connect to the Internet when they are logged on in kiosk mode. They can connect to Web sites as if they were sitting at their own computer. To configure Firefox 1 2 3 Click the Access Policy Manager tab. In the right pane, under Kiosk Resources, right-click a resource and click Properties. Select Enable Firefox and in the text box, type the Web address for the browser. Remote Desktop client The Remote Desktop client enables a user to remotely access the desktop of a server that is running Windows Terminal Services. The Remote Desktop does not require any configuration on the user’s computer. If Remote Desktop is configured for kiosk mode, it is the only application that can be used by the client. When the client connects using kiosk mode and then starts the Remote Desktop connection, the Remote Desktop session takes control of the session. It is not possible to switch back between the kiosk session and Remote Desktop. If other clients, such as VNC or SSH are configured, Remote Desktop cannot be configured. To configure Remote Desktop 1 On the Access Policy Manager tab, right-click Kiosk Resources. 2 Type a name for the resource and click OK. 3 Select Remote Desktop and type the FQDN of the server in the text box. Click OK. Remote Desktop provides the user with full access to a remote computer’s resources, including files, applications, and network resources. Thus, the user can remotely control the computer, just as if the user is sitting at it. The user’s work remains on the remote computer; no files, only images, are sent to the user’s computer. When users log on from a public computer, and Remote Desktop is configured, there is an icon that they can click to start Remote Desktop. After typing their user name and password, the desktop of the remote computer appears on the public computer. To use the Remote Desktop client 1 2 3 4 From the portal page, choose A public computer and log on. In the Web browser, click the Remote Desktop icon. Enter the user name and the remote host and click Connect. In the Windows logon screen, enter the credentials and network name of the remote server. The desktop of the Remote Desktop server displays in a window on your computer. 5 Work with the remote server just as if it was your local computer. SSH Client The SSH client enables the user to establish an SSH connection to a remote computer. 130 Firebox SSL VPN Gateway Client Applications To use the SSH client 1 2 3 From the portal page, choose A public computer and log on. In the Web browser, click the SSH icon. Enter the user name and SSH host name or IP address. The SSH window opens. Telnet 3270 Emulator Client The Telnet 3270 Emulator client enables the user to establish a Telnet 3270 connection to a remote computer. To use the Telnet 3270 Emulator client 1 2 From the portal page, choose A public computer and log on. In the Web browser, click the Telnet 3270 Emulator icon. The x3270 window opens. 3 On the Connect menu, choose Other. The x3270 Connect window opens. 4 5 Enter the host name or IP address and click Connect to log on and receive a prompt. To view the 3270 keypad, click the keypad icon in the upper-right corner. VNC Client The VNC client enables a user to remotely access the desktop of a VNC server. The user’s work remains on the remote server; no files, only images, are sent to the user’s computer. To use the VNC client 1 2 3 From the portal page, choose A public computer and log on. In the Web browser, click the VNC icon. In VNC Host, type the IP address of the VNC host, and in Password, type the password for the server and click Connect. The desktop of the VNC server displays in a window on your computer. 4 Work with the remote server just as if it were your local computer. Note To send a Ctrl+Alt+Del to the connected server through the VNC server, press Shift+Ctrl+Alt+Delete. Gaim Instant Messenging Gaim is an instant messaging client that supports multiple instant messenging applications including: • AOL Instant Messenger • ICQ (Oscar Protocol) • MSN Messenger • Yahoo! Messenger • IRC Gaim users can log on to multiple accounts of different instant messenging networks at the same time. Administration Guide 131 Supporting Secure Access Client To use Gaim 1 2 3 4 5 6 7 From the portal page, choose A public computer and log on. In the Web browser, double-click the Gaim icon. If messenging services were not added, an Accounts window opens. Click Add. In the Add Account dialog box, in Protocol, select the instant messenging service to add. Complete the rest of the information and click Save. Repeat, adding instant messenging services for each product. To log on to an instant messenging service, in the Gaim Login dialog box, in Account, select the service, type the password, and then click Sign on. Supporting Secure Access Client To enable users to connect to and use the Firebox SSL VPN Gateway, you need to provide them with the following information: • Firebox SSL VPN Gateway Web address, such as https://AccessGatewayFQDN/ If a user needs access from a computer that is not running Windows 2000 or above or Linux, but is running a Java Virtual Machine (JVM) 1.4.2 or higher, the user can use the Java applet version of the kiosk. The Web address for connecting to the Java applet version of the kiosk is: https://AccessGateway/vpn_portal-javaonly.html • The authentication realm name required for logon (if you use realms other than the realm named Default). • Path to any network drives that the users can access, which is done by mapping a network drive on their computer. • Any system requirements for running the Firebox SSL VPN Gateway Clients if you configured end point resources and policies. Depending on the configuration of a remote user’s system, you might also need to provide additional information: • To start the Secure Access Client, Windows 2000 users must be an administrator to install programs on their computer. This restriction applies to Windows XP for first-time installation only, not for upgrades. • If a user runs a firewall on the remote computer, the user might need to change the firewall settings so that it does not block traffic to or from the IP addresses to which you granted access. The Secure Access Client automatically handles Internet Connection Firewall in Windows XP and Windows Firewall in Windows XP Service Pack 2. For information about configuring a variety of popular firewalls, see “Using Firewalls with Firebox SSL VPN Gateway” on page 149. • Users who want to FTP over the Firebox SSL VPN Gateway connection must set their FTP application to perform passive transfers. A passive transfer means that the remote computer establishes the data connection to your FTP server, rather than your FTP server establishing the data connection to the remote computer. • Users who want to run X client applications across the connection must run an X server, such as XManager, on their computer. Because users work with files and applications just as if they were local to the organization’s network, no retraining of users or configuration of applications is needed. 132 Firebox SSL VPN Gateway Managing Client Connections An email template is provided that includes the information discussed in this section. The template is available from the Downloads page of the Administration Portal. Customize the text for your site and then send the text in an email to users. Note To install the Secure Access Client from inside the firewall, go to the portal page and use the Click here to download the client installer link to download the client. The first time that the client is run from inside the firewall, point the client to the internal IP address of the Firebox SSL VPN Gateway by rightclicking the Secure Access Client logon and then choosing Advanced Options. Managing Client Connections The Real-time Monitor lists the open VPN connections by user name and MAC address. For each user, the type of connection by protocol (such as TCP or UDP) is also listed. The Target IP and Target Port provide additional information about the connection. For example, connections to port 21 are FTP connections and connections to port 23 are Telnet connections. The connections can be managed as follows: • You can close a connection, such as TCP or UDP. For example, suppose that a user has a TCP connection to a Target IP (perhaps a mapped drive) that should be off-limits to the user. You can correct the access control list (ACL) for the user’s group and then close the TCP connection. For more information about ACL management, see “Adding Local Users” on page 87. If you do not correct the ACL before closing the connection, the user can reestablish the TCP connection. Note The Firebox SSL VPN Gateway maintains connections to Target IP 0.0.0.0 that are required for VPN operations. Closing any of those connections temporarily closes a connection. • You can disable a user’s connection and prevent subsequent logon from that user at the listed MAC address. The user can log on from a different MAC address. • You can reenable a user name/MAC address combination. Connection handling If a user abruptly disconnects the network or puts the computer in hibernate or standby mode, the SSL/ TCP connection to the Firebox SSL VPN Gateway is terminated after 10 minutes. A shorter wait period penalizes users who have slow network connections. This handling of connections results in the following: • The user might continue to appear active in the Firebox SSL VPN Gateway Real-time Monitor for 10 minutes, after which the connection is terminated. • The inactive user occupies a license until the wait period expires and the connection is closed. Suppose that you have a license for10 users and all 10 users are logged onto the Firebox SSL VPN Gateway, leaving no available licenses. If one of the active users goes into standby mode, that user’s license is not available for 10 minutes. The wait period does not apply to connections that are terminated through the Real-Time Monitor. Administration Guide 133 Managing Client Connections Closing a connection to a resource Without disrupting a user’s VPN connection, you can temporarily close the user’s connection to a particular resource. To prevent the user from connecting to the resource, correct the user’s group ACL. To close a connection 1 In the Firebox SSL VPN Gateway Administration Desktop, click the Real-time Monitor icon. 2 Click the arrow to expand the user’s entry. 3 Right-click the connection that you want to close and select Close connection. The Firebox SSL VPN Gateway maintains connections to Target IP 0.0.0.0 that are required for VPN operations. Closing any of those connections temporarily closes a connection. Disabling and enabling a user The Firebox SSL VPN Gateway tracks user connections by a combination of user name and MAC address, enabling a user to establish simultaneous VPN connections from different computers. You can disable and enable a user and MAC address combination. Disabling a user frees a license. To disable a user at a particular MAC address 1 2 In the Administration Desktop, click the Real-time Monitor icon. Right-click the main entry for the user and choose Disable User from MAC. The user cannot establish a connection from that MAC address until you reenable the user or restart the Firebox SSL VPN Gateway. To enable a user at a particular MAC address 1 2 In the Administration Desktop window, click the Real-time Monitor icon. Right-click the user’s entry and choose Enable User from MAC. The user can establish a connection provided that there is an available license. Configuring Authentication Requirements after Network Interruption By default, if a user’s network connection is briefly interrupted, the user does not have to log on again when the connection is restored. You can require that users log on after interruptions such as when a computer comes out of hibernation or standby, when the user switches to a different wireless network, or when a connection is forcefully closed. Note Note: The Firebox SSL VPN Gateway attempts to authenticate users using the cached password. If users log on using a one-time password, such as used by an RSA SecurID token, authentication on the Firebox SSL VPN Gateway fails, and the user can be locked out and unable to log on. To prevent the use of one-time passwords, the Firebox SSL VPN Gateway can be configured to force users to log on again after a network interruption. For more information, see “Configuring Authentication to use One-Time Passwords” on page 84. To require users to log on after a network interruption or on system resume 1 134 Click the Access Policy Manager tab. Firebox SSL VPN Gateway Managing Client Connections 2 3 In the left pane, right-click a group and click Properties. On the General tab, under Session options, select one or both of the following: • Authenticate after network interruption. This option forces a user to log on again if the network connection is briefly interrupted. • Authenticate upon system resume. This option forces a user to log on again if the user’s computer awakens from standby or hibernation. This option provides additional security for unattended computers. 4 Click OK. Note Note: If you want to close a connection and prevent a user or group from reconnecting automatically, you must select the Authenticate after network interruption setting. Otherwise, users immediately reconnect without being prompted for their credentials. Administration Guide 135 Managing Client Connections 136 Firebox SSL VPN Gateway APPENDIX A Firebox SSL VPN Gateway Monitoring and Troubleshooting The following topics describe how to use Firebox SSL VPN Gateway logs and troubleshoot issues: • Viewing and Downloading System Message Logs • Enabling and Viewing SNMP Logs • Viewing System Statistics • Monitoring Firebox SSL VPN Gateway Operations • Recovering from a Failure of the Firebox SSL VPN Gateway • Troubleshooting Viewing and Downloading System Message Logs There are two types of logging for the Firebox SSL VPN Gateway. All of the logs are stored locally and can be viewed from either the Administration Tool or the Administration Portal. Optionally, this same information can be sent to a syslog server. System message logs contain information that can help Firebox SSL VPN Gateway support personnel assist with troubleshooting. By reviewing the information provided, you can track unusual changes that can affect the stability and performance of the Firebox SSL VPN Gateway. System message logs are archived on the Firebox SSL VPN Gateway for 30 days. The oldest log is then replaced with the current log. You can download one or all logs at any time. You can also have system messages forwarded to your syslog server, as described in “Forwarding System Messages to a Syslog Server” on page 138. Note If you need to view the system log and the Firebox SSL VPN Gateway is offline, go to the Administration Portal and click the Logging tab. To view and filter the system log 1 2 In the Administration Tool, click the VPN Gateway Cluster tab. Open the tab for the Firebox SSL VPN Gateway. Administration Guide 137 Viewing and Downloading System Message Logs 3 4 Click Logging/Settings. Under Gateway Log, click Display Logging Window. The log for today’s date is displayed. 5 6 To display the log for a prior date, select the date in the Log Archive list and click View Log. By default, the log displays all entries. The log can be filtered as described below: • To filter the log by user or applications, under Log Filter, select Admins, Apps, or Users. • To filter the log by priority, under Log Filter, select LO, MED, HI, or CRIT. • The filters that you select are treated as logical ORs. Thus, for each selected filter, all matches for the filter are displayed. To download a log: • Select a log in the Log Archive list and next to Selected Log File, click Download. The log filename defaults to yyyymmdd.log. • To download all of the logs, next to All Log Files, click Download. The filename defaults to log_archive_yyyymmdd.tgz. To download logs from the Firebox SSL VPN Gateway, you must have a data compression utility, such as WinZip, installed on your computer. The logs are downloaded as .tgz files and that data must be extracted. After the file downloads, it can be unzipped to access the individual log files. Forwarding System Messages to a Syslog Server The Firebox SSL VPN Gateway archives system messages, as described in “Viewing and Downloading System Message Logs” on page 137. You can also have the Firebox SSL VPN Gateway forward system messages to a syslog server. To forward Firebox SSL VPN Gateway system messages to a syslog server 1 2 3 4 5 Click the VPN Gateway Cluster tab and then click the Logging/Settings tab. Under Syslog Settings, in Server, type the IP address of the syslog server. In Facility, select the syslog facility level. In Broadcast Interval (mins), type a broadcast frequency in minutes. If the broadcast frequency is set to 0, logging is continuous. Click Submit. Viewing the W3C-Formatted Request Log The Firebox SSL VPN Gateway logs incoming and outgoing HTTP requests in the W3C extended log format. You can analyze the log by using a conventional log file analysis tool. The log contains the following fields:: 138 Field Description date Date of access, specified in GMT and formatted as YYYY-MM-DD time Time of access, specified in GMT and in 24-hour format, HH:MM:SS. c-ip Client IP address. cs-method The client-to-Firebox SSL VPN Gateway request method, either GET or POST. sc-method The Firebox SSL VPN Gateway-to-client request method, either GET or POST. Firebox SSL VPN Gateway Enabling and Viewing SNMP Logs Field Description sc-status The Firebox SSL VPN Gateway-to-client request status code. For a description of status codes, refer to http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html. cs-uri The client-to-Firebox SSL VPN Gateway request URI. sc-uri The Firebox SSL VPN Gateway-to-client request URI. To view or download the log, go to the Logging > Configuration tab and click Download W3C Log. Enabling and Viewing SNMP Logs When Simple Network Management Protocol (SNMP) is enabled, the Firebox SSL VPN Gateway reports the MIB-II system group (1.3.6.1.2.1). The Firebox SSL VPN Gateway does not support Firebox SSL VPN Gateway-specific SNMP data. You can view SNMP messages in the Administration Tool and you can configure an SNMP monitoring tool such as the Multi Router Traffic Grapher to provide a visual representation of the SNMP data reported by the Firebox SSL VPN Gateway in response to queries. For a sample of Traffic Grapher output, see “Multi Router Traffic Grapher Example” on page 139. To enable logging of SNMP messages 1 2 3 4 5 6 7 Click the VPN Gateway Cluster tab and then click the Logging/Settings tab. Under SNMP Settings, select Enable SNMP. In SNMP Location, type the SNMP location. This field is informational only. In SNMP Contact, type the contact. This field is informational only. In Community, type the community. This field is informational only. In Port, type the port. Click Submit. Multi Router Traffic Grapher Example The Multi Router Traffic Grapher is a tool used to monitor SNMP data, such as traffic load. Multi Router Traffic Grapher generates HTML pages containing PNG images that provide a visual representation of the traffic. Multi Router Traffic Grapher works under UNIX, Windows 2000 Server, and Windows Server 2003. Note The information in this section provides a general overview of working with Multi Router Traffic Grapher. For information about obtaining and using this tool, visit the Multi Router Traffic Grapher Web site at http://people.ee.ethz.ch/~oetiker/webtools/mrtg/. Administration Guide 139 Viewing System Statistics To obtain SNMP data for the Firebox SSL VPN Gateway through Multi Router Traffic Grapher (in UNIX) 1 2 Configure the Firebox SSL VPN Gateway to respond to SNMP queries as discussed in “To enable logging of SNMP messages” on page 139. Create Multi Router Traffic Grapher configuration files in /etc/mrtg. Each configuration file specifies the object identifiers that the grapher daemon is to monitor, specifies the target from which to obtain SNMP data, and defines the grapher output. The Multi Router Traffic Grapher configuration file 3 4 Modify /etc/crontab to perform an SNMP query every five minutes, resulting in graphed data. The various .cfg files listed generate a separate output. View the output in a Web browser. The grapher stores HTML output in the Workdir specified in the configuration file. The output filename that corresponds to the configuration file in Step 2 is vpn.myorg.com.tcpcurrestab.html. Viewing System Statistics To obtain general system statistics, select the VPN Gateway Cluster tab and then click the Statistics tab. The statistical information provides an overview of the Firebox SSL VPN Gateway and includes: • Length of time the Firebox SSL VPN Gateway has been running. • Memory usage. • Maximum and used connections. Maximum connections represent the number of licenses that are available for use with the Firebox SSL VPN Gateway. • Logon information for both the full client and kiosk clients. Monitoring Firebox SSL VPN Gateway Operations The Firebox SSL VPN Gateway includes a variety of standard Linux monitoring applications so that you can conveniently access the applications from one location. With the exception of the Real-time Monitor, written by Firebox SSL, the applications are included in the Firebox SSL VPN Gateway under the GNU public license. The monitoring applications are located in the Firebox SSL VPN Gateway Administration Desktop. The icons across the bottom left of the screen provide single-click access to the six monitoring tools. In the 140 Firebox SSL VPN Gateway Recovering from a Failure of the Firebox SSL VPN Gateway bottom right corner, you can view process and network activity levels; mouse over the two graphs to view numeric data. To open the Firebox SSL VPN Gateway Administration Desktop 1 2 3 Open a Web browser and type the IP address or FQDN of the Firebox SSL VPN Gateway. The accepted formats are https://IPaddress or https://FQDN. In the Firebox SSL VPN Gateway Administration Portal, click Downloads. Under Administration, click Launch Firebox SSL VPN Gateway Administration Desktop. The monitoring applications are as follows. Firebox SSL Real-time Monitor Shows the open client connections. To view details about a connection, click the arrow for the user name. From the monitor, you can temporarily close a connection by connection type (TCP and so on), disable a user (the user cannot connect until you enable the user), and enable a user again. For more information, see “Managing Client Connections” on page 133. Ethereal Network Analyzer Enables you to interactively browse packet data from a live network or from a previously saved capture file. For more information, refer to the Help that is available from the Ethereal Network Analyzer window. xNetTools Multi-threaded network tool that includes a service scanner, port scanner, ping utility, ping scan, name scan, whois query, and finger query. This is located on the Tools menu. Traceroute Combines the functionality of the traceroute and ping commands in one network diagnostic tool. As Traceroute starts, it investigates the network connection between the Firebox SSL VPN Gateway and the destination host that you specify. After it determines the address of each network hop between the devices, it sends a sequence ICMP ECHO request to each one to determine the quality of the link to each device. As it does this, it prints running statistics about each device. fnetload Provides real-time network interface statistics. It checks the /proc/net/dev every second and builds a graphical representation of its values. System Monitor Shows information about CPU usage and memory/swap usage. For more information, refer to the Help available from the System Monitor window. Recovering from a Failure of the Firebox SSL VPN Gateway In the event of a total system failure, you must do four procedures to recover: • reinstall the v 4.9 software on your Firebox® SSL Core appliance • back up your configuration settings • apply the v 5.0 software update Administration Guide 141 Recovering from a Failure of the Firebox SSL VPN Gateway • apply the v 5.5 software update Reinstalling v 4.9 application software To reinstall v 4.9 on your appliance: 1 Find the Firebox® SSL v 4.9.2 Recovery CD that came with your original Firebox® SSL Core appliance. 2 Use the instructions in the v 4.9 Administration Guide starting on page 153 to reinstall your application software with the system CD. Backing up your configuration settings Before starting the v 5.0 software update process, be sure to back up your configuration settings. 1 In the v 4.9 Administration Tool, click the Access Gateway Cluster tab. 2 Open the dialog box for the appliance. 3 On the Administration tab, click Save Configuration (this option appears near the option Save the current configuration). 4 Save the file, named config.restore, to your computer. For more information about creating backup files, see page 47 of the v 4.9 Administration Guide. Upgrading to SSL v 5.0 To obtain the v 5.0 software update, v 5.0 Administrator’s Guide and v 5.0 Release Notes, go to https:// www.watchguard.com/archive/softwarecenter.asp. You must log in with your LiveSecurity user name and passphrase and select the Firebox SSL VPN Gateway support view. From your current Firebox SSL VPN Gateway running v 4.9, you can upgrade to SSL v 5.0 in one of two ways: • From the v 4.9 Administration Tool Interface, go to the Administration tab and Maintenance sub tab. Click on the Browse button for Upload a server Upgrade or saved config. or • From the v 4.9 Administration Portal web page, go to the Maintenance tab and click Browse for the Upload Server Upgrade or Server Config option. After you upgrade your Firebox® SSL VPN Gateway and re-connect to the Administration Portal, select the option Download Access Gateway Administration Tool. Double-click the citrix_admin_monitor.exe file to install the executable. Note Make sure that the v 4.9 Administration Tool has been uninstalled using Control Panel > Add/Remove Programs. Upgrading to SSL v 5.5 To obtain the v 5.5 software update, v 5.5 Administrator’s Guide and v 5.5 Release Notes, go to https:// www.watchguard.com/archive/softwarecenter.asp. You must log in with your LiveSecurity user name and passphrase and select the Firebox SSL VPN Gateway support view. 142 Firebox SSL VPN Gateway Troubleshooting To upgrade to v 5.5. 1 In the v5.0 Administration Tool, click the Firebox® SSL VPN Gateway Cluster tab. 2 On the Administration tab, next to Upload a server upgrade or saved config, click Browse. 3 Navigate to the upgrade file and click Open. 4 Wait for the message Upgrade successful to appear and then restart the device. Note: If the upgrade file has the extension .zip, extract the files before you upgrade the Firebox® SSL VPN Gateway. Launching the v 5.5 Administration Tool After the Administration Tool installation is complete, you can launch the new tool from Start > All Programs > WatchGuard. Type the IP address or FQDN of the SSL VPN Gateway device in the Connecting To dialog box. Note that the dialog box does not always appear in the foreground—it may be buried behind other open windows on your desktop. Note Both ports 9001 and 9002 are required for administrator traffic. This is detailed in Chapter 2, “Introduction to Firebox SSL VPN Gateway.” . You may need to log in to your LiveSecurity account at https://www.watchguard.com/archive/getcredentials.asp to get a copy of your feature key.. Troubleshooting The following information explains how to deal with problems you might encounter when setting up and using the Firebox SSL VPN Gateway. Troubleshooting the Web Interface This section describes issues you might have with connecting to the Web Interface. Web Interface Appears without Typing in Credentials If you typed the Web address for the Firebox SSL VPN Gateway, the Web Interface appears without asking for the user name and password. The problem is that you have portal page authentication disabled. In the Administration Tool, on the Global Cluster Policies tab, under Advanced Options, select Enable Portal Page Authentication. If this is disabled, unauthenticated network traffic is sent to the Web Interface. This is a valid configuration; however, make sure the Web Interface is located in the DMZ. Applications do not Appear after Logging On When users log on to the Firebox SSL VPN Gateway, they cannot see their applications. The Message Center states that a domain was not specified. Administration Guide 143 Troubleshooting By default, the Firebox SSL VPN Gateway passes only the user name and password to the Web Interface. To correct this, configure a default domain or a set of domains users can log on to. The Web Interface uses the first one in the list as the default domain. Web Interface Credentials Are Invalid When users log on to the Firebox SSL VPN Gateway, they are sent to the Web Interface but their applications are not displayed. The Message Center states that the users’ credentials are invalid. The most likely cause of this error message is that the users logged onto the Firebox SSL VPN Gateway with non-LDAP credentials from a different domain than the Web Interface is set up to accept. To resolve this issue, make sure that the default domain on the server running the Web Interface is the same as the default realm in the Firebox SSL VPN Gateway. Users could also log on using a realm in the Firebox SSL VPN Gateway but the realm name does not correspond to a domain name that is supported by the Web Interface. To allow users to log on with a realm name, type the realm name after the domain in Active Directory. When users log on to the Firebox SSL VPN Gateway, the realm name and user name are passed to the Web Interface. The Web Interface converts the realm name and user name to the domain name and user name. Other Issues This section describes known issues and solutions for the Firebox SSL VPN Gateway. License File Does not Match Firebox SSL VPN Gateway If you are trying to install a license file on the Firebox SSL VPN Gateway, you might receive the error message “License file does not match any Firebox SSL VPN Gateway’s.” A license file is already installed on the Firebox SSL VPN Gateway. To upload a new license file, the old license needs to be removed. To install a new license file on the Firebox SSL VPN Gateway 1 2 3 4 5 6 7 Open the Administration Tool. On the VPN Gateway Cluster tab, select the Firebox SSL VPN Gateway to which you want to add the license. On the Licensing tab, next to Clear all licensing, click Remove All. Restart the Firebox SSL VPN Gateway. On the Licensing tab, next to Upload a license file, click Browse and navigate to the license file. Click Open to install the file. Restart the Firebox SSL VPN Gateway. Read/Write Access to the Firebox SSL VPN Gateway If a user is using a signed Java applet, it is possible to read and write files to the Firebox SSL VPN Gateway’s local disk in a restricted area. This can be prevented by doing one of the following: • Disabling connections from a public computer • Allowing connections from a public computer but disabling Firefox • Allowing connections from a public computer with Firefox but configuring the correct Access Control policies that prevent Firefox from accessing any Web site that contains a signed Java applet 144 Firebox SSL VPN Gateway Troubleshooting Defining Accessible Networks In the Accessible Networks field on the Global Cluster Policies tab, up to 24 subnets can be defined. If more than 24 subnets are entered, the Firebox SSL VPN Gateway ignores the additional subnets. VMWare If a user logs on to the Secure Access Client from two computers that are running VMWare and VMWare uses the same MAC address for the two computers, the Firebox SSL VPN Gateway does not allow both clients to run simultaneously. The Firebox SSL VPN Gateway uses the MAC address to manage licenses and does not allow more than one client session at a time per MAC address. ICMP Transmissions The Firebox SSL VPN Gateway returns a “Request timed out” error message if an ICMP transmission fails for any reason. The Firebox SSL VPN Gateway always sends a standard ICMP packet to the remote destination host when a client tries to ping it. Any client options such as increasing the size of the ICMP payload are not recognized by the Firebox SSL VPN Gateway and are not sent to the remote host. Ping Command The Firebox SSL VPN Gateway always sends out the same ping command, regardless of the options specified with the ping command from a client computer. LDAP Authentication When the Firebox SSL VPN Gateway is configured to use LDAP authentication and authorization, the LDAP group information is not used to automatically populate the group field in the Administration Tool. End Point Policies When the Firebox SSL VPN Gateway is evaluating the union of a group’s end point policies, it does not consider the group priorities and therefore might not resolve conflicting policies correctly. The last policy appended in an expression is the policy that takes effect. For example, one group has policy ProcessA and another group has policy !ProcessA. If the union of the policies is ProcessA and !ProcessA, the !ProcessA takes effect. Network Resources For added network resources, the Firebox SSL VPN Gateway does not recognize the CIDR notation address ipaddress/0. For example, to add a resource group that provides access to all resources, specify 0.0.0.0/0.0.0.0 instead of 0.0.0.0/0. Kiosk Connections For kiosk connections, the Firebox SSL VPN Gateway must have a certificate that is signed by a Sun Microsystems trusted Certificate Authority. Client connections using kiosk mode require the installation of Java Runtime Environment (JRE) 1.4+ on their computer. Administration Guide 145 Troubleshooting Internal Failover If internal failover is enabled and the administrator is connected to the Firebox SSL VPN Gateway, the Administration Tool cannot be reached over the connection. To fix this problem, enable IP pooling and then connect to the lowest IP address in the pool range on port 9001. For example, if the IP pool range starts at 10.10.3.50, connect to the Administration Tool using 10.10.3.50:9001. For information about configuring IP pools, see “Enabling IP Pooling” on page 94. Certificate Signing There are several server components that support SSL/TLS, such as the Firebox SSL VPN Gateway, Secure Gateway, and SSL Relay. All of these components support server certificates issued either by a public Certificate Authority (CA) or by a private Certificate Authority. Public CAs include organizations such as Verisign and Thawte. Private CAs are implemented by products such as Microsoft Certificate Services. Certificates signed by a private CA are sometimes described as enterprise certificates or self-signed certificates. In this context, the term self-signed certificate is not technically accurate; such certificates are signed by the private CA. True self-signed certificates are not signed by any CA and are not supported by the server components, because there is no CA to provide a root of trust. However, as described above, certificates issued by a private CA are supported by the server components because the private CA is the root of trust. Certificate Revocation Lists Certificate Revocation Lists (CRLs) cannot be configured by the administrator. When a user connects to the Firebox SSL VPN Gateway using a client certificate, the Firebox SSL VPN Gateway uses the cRLDistributionPoints extension in the client certificate, if it is present, to locate relevant CRLs using HTTP. The client certificate is checked against those CRLs. Retrieving CRLs using LDAP is not supported. Network Messages to Non-Existent IPs If an invalid sdconf.rec file is uploaded to the Firebox SSL VPN Gateway, this might cause the Firebox SSL VPN Gateway to send out messages to non-existent IPs. A network monitor might flag this activity as network spamming. To correct the problem, upload a valid sdconf.rec file to the Firebox SSL VPN Gateway. The Firebox SSL VPN Gateway Does not Start and the Serial Console Is Blank Verify that the following are correctly set up: • The serial console is using the correct port and the physical and logical ports match • The cable is a null-modem cable • The COM settings in your serial communication software are set to 9600 bits per second, 8 data bits, no parity, and 1 stop bit The Administration Tool Is Inaccessible If the Firebox SSL VPN Gateway is offline, the Administration Tool is not available. You can use the Administration Portal to perform tasks such as viewing the system log and restarting the Firebox SSL VPN Gateway. 146 Firebox SSL VPN Gateway Troubleshooting Devices Cannot Communicate with the Firebox SSL VPN Gateway Verify that the following are correctly set up: • The External Public Address specified on the General Networking tab in the Firebox SSL VPN Gateway Administration Tool is available outside of your firewall • Any changes made in the Firebox SSL VPN Gateway serial console or Administration Tool were submitted Using Ctrl-Alt-Delete to Restart the Firebox SSL VPN Gateway Fails The restart function on the Firebox SSL VPN Gateway is disabled. You must use the Firebox SSL VPN Gateway Administration Tool to restart and shut down the device. SSL Version 2 Sessions and Multi-Level Certificate Chains If intermediate (multi-level) certificates are part of your secure certificate upload, make sure that the intermediate certificates are part of the certificate file you are uploading. SSL Version 2 does not support certificate chaining. Any certificate that has more than one level must include all intermediate certificates or the system may become unusable. For information about how to add intermediate certificates to the uploaded certificate file, see “Generating Trusted Certificates for Multiple Levels” on page 156. H.323 Protocol The Firebox SSL VPN Gateway does not support the H.323 protocol. Applications that use the H.323 protocol, such as Microsoft’s NetMeeting, cannot be used with the Firebox SSL VPN Gateway. Certificates Using 512-bit keypairs When configuring certificates, do not use 512-bit keypairs. They are subject to brute force attacks. Secure Access Client The following are issues with the Secure Access Client. Secure Access Client Connections with Windows XP If a user makes a connection to the Firebox SSL VPN Gateway using Windows XP, logs off the computer without first disconnecting the Secure Access Client, and then logs on again, the Internet connection is broken. To restore the Internet connection, restart the computer. DNS Name Resolution Using Named Service Providers If clients without administrative privileges use Windows 2000 Professional or Windows XP to connect to the Firebox SSL VPN Gateway, DNS name resolution may fail if the client is using the Name Service Provider. To correct the problem, connect using the IP address of the computer instead of the DNS name. Auto-Update Feature The Secure Access Client auto-update feature does not work if the client is configured to connect through a proxy server. Administration Guide 147 Troubleshooting Client Connections from a Windows Server 2003 If a connection to the Firebox SSL VPN Gateway is made from a Windows Server 2003 computer that is its own DNS server, local and public DNS resolution does not work. To fix this issue, configure the Windows Server 2003 network settings to point to a different DNS server. NTLM Authentication The Secure Access Client does not support NTLM authentication to proxy servers. Only Basic authentication is supported for proxy servers. WINS Entries When the Secure Access Client is disconnected, WINS entries are not removed from the computer that is running the client. Using Third-Party Client Software If a user’s computer is running Secure Access Client, and also has a third-party VPN software application installed on the computer, and connections are not correctly crossing the Firebox SSL VPN Gateway, make sure the third-party application is disabled or turned off. When the third-party application is disabled or off, try the Firebox SSL VPN Gateway connection again. 148 Firebox SSL VPN Gateway APPENDIX B Using Firewalls with Firebox SSL VPN Gateway If a user cannot establish a connection to the Firebox SSL VPN Gateway or cannot access allowed resources, it is possible that the firewall software on the user’s computer is blocking traffic. The Firebox SSL VPN Gateway works with any personal firewall, provided that the application allows the user to specify a trusted network or IP address for the Firebox SSL VPN Gateway. This section discuss the following popular firewalls and configuration instructions for them. • BlackICE PC Protection • McAfee Personal Firewall Plus • Norton Personal Firewall • Sygate Personal Firewall (Free and Pro Versions) • Tiny Personal Firewall • ZoneAlarm Pro Note The following sections are a supplement to the firewall manufacturer’s documentation. The recommended source for current information about firewall applications and configuration is the manufacturer’s documentation. WatchGuard recommends that the user’s personal firewall allow full access for the Secure Access Client. If you do not want to allow full access, the following UDP and UDP/TCP ports need to be open on the client computer: • 10000 (UDP) • 10010 (UDP/TCP) • 10020 (UDP) • 10030 (UDP) Personal firewalls need to be configured to allow traffic to and from the Firebox SSL VPN Gateway IP address or FQDN. To find out which ports are open, use the Secure Access Client Properties page that is accessible from the connection icon in the notification tray. The ports that are open are listed on the Details tab. Administration Guide 149 BlackICE PC Protection To view Secure Access Client status properties Double-click the Secure Access Client connection icon in the notification area. Alternatively, right-click the icon and choose Properties from the menu. The Secure Access Client dialog box appears. The properties of the connection provide information that is helpful for troubleshooting. The properties include: • The General tab displays connection information. • The Details tab displays server information and a list of the secured networks clients are allowed to access. • The Access Lists tab displays the access control lists (ACLs) that are configured for the user connection. This tab does not appear for users who are not in a group or if an ACL is not configured for a group. The following are suggestions for using some popular firewalls with the Firebox SSL VPN Gateway. BlackICE PC Protection The following BlackICE settings enable the Secure Access Client to reach the Internet and the resources allowed by the Firebox SSL VPN Gateway. To configure the settings, open the BlackICE window and choose the following commands. Tools > Edit On the Firewall tab, make sure that the Protection Level is lower than BlackICE “Paranoid,” which prevents you from running applications, such as email, Settings over the connection. On the Intrusion Detection tab, add the IP address of the Firebox SSL VPN Gateway as a trusted zone. Also add the IP address or range of allowed resources as trusted zones. When you add an IP address, be sure to select the Add Firewall Entry check box. McAfee Personal Firewall Plus The following McAfee Personal Firewall Plus settings enable the Secure Access Client to reach the Internet and the resources allowed by the Firebox SSL VPN Gateway. To configure the settings, open the McAfee Security Center window, click the Personal Firewall+ tab, and choose the following commands. The following settings assume that you are using the Standard security level. To check your security level, go to the Personal Firewall+ tab, click Utilities, and then click Security Settings. Note By default, when the Secure Access Client is installed, Personal Firewall Plus prompts you to grant or block access for the application. Select Grant Access. 150 Firebox SSL VPN Gateway Norton Personal Firewall . Add the IP address or range of allowed resources as trusted IP addresses. Trusted & Banned IPs System Services In the System Services list, select each service that you plan to use over the VPN connection. Norton Personal Firewall If you are using the default Norton Personal Firewall settings, you can simply respond to the Program Control alerts the first time that you attempt to start the Secure Access Client or when you access a blocked location or application. When you respond to such an alert, choose the Permit action, select Always use this action, and click OK. If you changed the default firewall settings, you might need to manually configure the following settings to reach the Internet and the resources allowed by the Firebox SSL VPN Gateway. To configure the settings, open the Norton Personal Firewall window and choose the following tabs. Networking You might need to add the following as trusted zones: - The IP address of the Firebox SSL VPN Gateway - The IP address or range of allowed resources Click Add and enter the IP address(es). Programs You might need to grant access to individual applications. Click Add and then browse for and select the application. When prompted, choose Permit. Sygate Personal Firewall (Free and Pro Versions) Each time the Sygate Personal Firewall encounters new activity for which it does not have a rule, it displays a prompt. To grant access to the applications and locations that you will access through the Secure Access Client, select the Remember my answer check box and click Yes when the prompt appears. Tiny Personal Firewall The following Tiny Personal Firewall settings enable the Secure Access Client to reach the Internet and the resources allowed by the Firebox SSL VPN Gateway. Note One method to configure Tiny Personal Firewall is to respond to the prompts displayed when the firewall encounters new activity for which it does not have a rule. The following information assumes that Tiny Personal Firewall is configured before installing the Secure Access Client. Administration Guide 151 ZoneAlarm Pro To configure the settings, open the Tiny Personal Firewall administration window, click the Advanced button to view the Firewall Configuration window, and then use the Filter Rule dialog box as indicated below. Add To permit the IP address or range of allowed resources, use the following settings: Protocol = TCP and UDP Direction = Both Directions Local Endpoint fields = Any Remote Endpoint = specify IP address(es) Action = Permit After you apply the above configuration and start the Secure Access Client, Tiny Personal Firewall displays several Incoming Connection Alerts related to the Secure Access Client. For each alert, select the Create appropriate filter check box and click Permit. ZoneAlarm Pro The following ZoneAlarm settings enable the Secure Access Client to reach the Internet and the resources allowed by the Firebox SSL VPN Gateway. To configure the settings, choose the tabs indicated in the following table. Firewall > Zones 152 Define the host name of the Firebox SSL VPN Gateway as a trusted zone. Firebox SSL VPN Gateway APPENDIX C Installing Windows Certificates The Firebox SSL VPN Gateway includes the Certificate Request Generator to automatically create a certificate request. After the file is returned from the Certificate Authority, it can be uploaded to the Firebox SSL VPN Gateway. When the file is uploaded, it is converted automatically to the correct format for use. If you do not want to use the Certificate Request Generator to create the signed certificate, use Linux OpenSSL to administer any certificate tasks. If Linux is not available, Cygwin UNIX environment for Windows is recommended, which includes an OpenSSL module. Instructions for downloading, installing, and using the Cygwin UNIX environment to generate a CSR are included in this section. If you are familiar with certificate manipulation, you can use other tools to create a PEM-formatted file. The certificate that you upload to the Firebox SSL VPN Gateway must have the following characteristics: • It must be in PEM format and must include a private key • The signed certificate and private key must be unencrypted If Linux OpenSSL is not available, install the Cygwin UNIX environment for Windows. When you install Cygwin, you must choose the OpenSSL modules as described in the following steps. To install Cygwin 1 2 3 4 5 6 7 8 9 10 Use a Web browser to navigate to http://www.cygwin.com and click Install Cygwin Now. Follow the on-screen instructions to open the setup installer. In the Cygwin Setup dialog box, click Next. Click Install from Internet and then click Next. Accept the default root installation directory settings and then click Next. Accept the default local package directory setting and then click Next. In the Internet Connection screen, click Use IE5 Settings and then click Next. In the list of Available Download Sites, click ftp://ftp.nas.nasa.gov and then click Next. In the Select Packages screen, click the View button. Scroll the packages list to locate in the Package column openssl: The OpenSSL runtime environment and openssl-devel: The OpenSSL development environment. 11 In the New column for those two entries, click Skip. The current version number of Cygwin appears. Administration Guide 153 Unencrypting the Private Key 12 Click Next to start the installation. After Cygwin installs, you can generate the CSR. These instructions to generate a CSR assume that you are using the Cygwin UNIX environment installed as described in “To install Cygwin” on page 153. To generate a CSR using the Cygwin UNIX environment 1 Double-click the Cygwin icon on the desktop. A command window opens with a UNIX bash environment. 2 3 To change to a particular drive, use the command: cd driveLetter: 4 When prompted for the Common name, enter the DNS name of the Firebox SSL VPN Gateway. The name that you enter appears on the certificate and must match the name expected by computers that connect to the Firebox SSL VPN Gateway. Thus, if you alias DNS names, you need to use the alias name instead. 5 Submit your CSR (public.csr) to an authorized Certificate Authority such as Verisign. When asked for the type of server that the certificate will be used with, select Apache. At the $ prompt, type the following to generate a CSR: openssl req -new -nodes -keyout privateKeyFilename -out certRequestFilename For example: openssl req -new -nodes -keyout private.key -out public.csr Status messages about the private key generation appear. You are prompted for information such as country name. Note If you select “Microsoft,” the certificate might be in PKCS7 format and you will need to follow the procedure in “Converting to a PEM-Formatted Certificate” on page 155 to convert the certificate to a PEM format. Unencrypting the Private Key The following procedure is not needed if you use the Cygwin UNIX environment to generate the CSR and private key. Follow this procedure only if the method you use to generate the private key results in an encrypted key. To unencrypt the private key 1 At the $ prompt enter the command: openssl rsa If you enter this command without arguments, you are prompted as follows: read RSA key 2 Enter the name of the password to be encrypted. You can enter the openssl rsa command with arguments if you know the name of the private key and the unencrypted PEM file. For example, if the private key filename is my_keytag_key.pvk and the unencrypted filename is keyout.pem, enter openssl rsa -in my_keytag_key.pvk -out keyout.pem. For more information, see the Open SSL Web site at http://www.openssl.org/docs/apps/rsa.html#EXAMPLES. 154 Firebox SSL VPN Gateway Converting to a PEM-Formatted Certificate For information about downloading OpenSSL for Windows, see the SourceForge Web site at http://sourceforge.net/project/showfiles.php?group_id=23617&release_id=48801. Converting to a PEM-Formatted Certificate The signed certificate file that you receive from the Certificate Authority might not be in a PEM format. If the file is in binary format (DER), convert it to PEM format as follows: openssl x509 -in certFile -inform DER -outform PEM -out convertedCertFile If the certificate is already in a text format, it may be in PKCS format. You will receive a PKCS formatted certificate if you specified that the certificate will be used with a Microsoft rather than Apache operating system. The following command results in an error message if the certificate is not in PEM format. The certFile should not contain the private key when you run this command. openssl verify -verbose -CApath /tmp certFile If that command results in the following error message, the file is not in PEM format. certFile: unable to load certificate file 4840:error:0906D064:PEM routines:PEM_read_bio:bad base64 decode:pem_lib.c:781: To convert the certificate from PKCS7 to PEM format 1 Run the command: openssl pkcs7 -in ./certFile -print_certs The output will look like this: subject=... ... -----BEGIN CERTIFICATE----... Server Certificate ... -----END CERTIFICATE----subject=... ... -----BEGIN CERTIFICATE----... Intermediate Cert ... -----END CERTIFICATE----- 2 Combine the server certificate data and the intermediate certificate data (if it exists) from the output with the private key as specified in “Combining the Private Key with the Signed Certificate” on page 155 and “Generating Trusted Certificates for Multiple Levels” on page 156. Combining the Private Key with the Signed Certificate You must combine the signed certificate with the private key before you can upload it to the Firebox SSL VPN Gateway. Administration Guide 155 Generating Trusted Certificates for Multiple Levels To combine the private key with the signed certificate 1 Use a text editor to combine the unencrypted private key with the signed certificate in the PEM file format. The file contents should look similar to the following: -----BEGIN RSA PRIVATE KEY---- -----END RSA PRIVATE KEY---------BEGIN CERTIFICATE---- -----END CERTIFICATE----- 2 Save and name the PEM file; for example, AccessGateway.pem. Generating Trusted Certificates for Multiple Levels Note You must determine whether or not your certificate has more than one level and, if it does, handle the intermediate certificates properly. To generate trusted certificates for multiple levels 1 Open Internet Explorer and access a Web page through the Firebox SSL VPN Gateway. For example, enter an address similar to the following: https://ipAddress:httpPort//www.mypage.com where: ipAddress is the IP address of your Firebox SSL VPN Gateway httpPort is the Firebox SSL VPN Gateway port number 2 3 4 Double-click the Lock symbol in the bottom right corner of the browser. 5 6 7 8 9 10 11 12 Click the Copy to File button at the bottom. Switch to the Certificate Path window pane at the top of the screen. Double-click the first path level to bring up the certificate information for the first level and then go to the Details screen. After the Certificate Export wizard appears, click Next. Click the format Base-64 encoded and then click Next. Enter a filename; for example, G:\tmp\root.cer. Review the information and note the complete filename. Click Finish. Click OK to close the Certificate Information window for the first level. Repeat Steps 4–10 for all levels except the last level. Insert all certificates into one file and make sure that any intermediate certificates are part of any certificate file you upload. The file to be uploaded should be in the following format: private key Server Certificate 156 Firebox SSL VPN Gateway Generating Trusted Certificates for Multiple Levels Intermediate Certificate 0 Intermediate Certificate 1 Intermediate Certificate 2 Administration Guide 157 Generating Trusted Certificates for Multiple Levels 158 Firebox SSL VPN Gateway APPENDIX D Examples of Configuring Network Access After the Firebox SSL VPN Gateway is installed and configured to operate in your network environment, use the Administration Tool to configure user access to the servers, applications, and other resources on the internal network. Configuring user access to internal network resources involves defining accessible networks for split tunneling, configuring authentication and authorization, creating user groups, creating local users, and defining the access control lists (ACLs) for user groups. Note An ACL is a set of policies that determines the level of access that users have to the network resources. The Firebox SSL VPN Gateway supports several different authentication and authorization types that can be configured in a variety of combinations and used with policies to control user access to the internal network. Because of the number of options and possibilities involved with configuring user access to the internal network, this aspect of Firebox SSL VPN Gateway configuration is covered in four different sections of this book. • This appendix provides example user access scenarios and includes step-by-step instructions for configuring the Firebox SSL VPN Gateway to support the access scenarios. These scenarios are intended as tutorials to help you understand how to use the features of the Administration Tool to configure user access, and are not examples of real-world configurations. After you read these examples and understand the basics of configuring user access, use the information provided in the three chapters listed below to complete your configuration. • “Configuring Authentication and Authorization” on page 61". This chapter discusses the different authentication and authorization options and how to configure them. • “Adding and Configuring Local Users and User Groups” on page 87. This chapter discusses how to work with user groups, network resources, and various policies to define access control lists (ACLs) on the Firebox SSL VPN Gateway. • “Working with Client Connections” on page 117. This chapter discusses client connectivity to the Firebox SSL VPN Gateway. Administration Guide 159 Scenario 1: Configuring LDAP Authentication and Authorization Before reading the examples in this chapter, you should become familiar with the settings on three tabs of the Administration Tool. The settings on these tabs control user access to internal network resources: • Global Cluster Policies • Authentication • Access Policy Manager The three user access configuration examples discussed in this chapter are: • “Scenario 1: Configuring LDAP Authentication and Authorization” on page 160. This step-by-step example illustrates how an administrator might provide access to internal network resources in an LDAP environment. • “Scenario 2: Creating Guest Accounts Using the Local Users List” on page 169. This example extends the scenario for configuring LDAP authentication and authorization to illustrate the concept of local users. • “Scenario 3: Configuring Local Authorization for Local Users” on page 172. This example illustrates the concept of local authorization by slightly altering the configuration discussed in the scenario for creating guest accounts using the Local Users list. Scenario 1: Configuring LDAP Authentication and Authorization This example shows how an administrator might use the settings in the Administration Tool to configure user access in the following example scenario: • The organization uses a single LDAP directory as the user repository • Remote users working for the Sales department must have access to an email server, a Web conference server, a Sales Web application, and several file servers residing on the internal network • Remote users working for the Engineering department must have access to an email server, a Web conference server, and several file servers residing on the internal network • Three email servers are operating in the internal network, but the administrator wants remote users to access only one of these email servers To configure access to the internal network resources in this scenario, the administrator completes two basic tasks: • Preparing for the LDAP authentication and authorization configuration • Configuring the Firebox SSL VPN Gateway to support access to the internal network resources Each of these tasks is discussed below. Preparing for the LDAP Authentication and Authorization Configuration Preparing for the LDAP authentication and authorization configuration is the first of two tasks the administrator performs in the scenario for configuring LDAP authentication and authorization. In this task, the administrator assembles the information needed to configure the Firebox SSL VPN Gateway to support LDAP authentication and authorization. This task includes these procedures: • Determining the internal networks that include the needed resources 160 Firebox SSL VPN Gateway Scenario 1: Configuring LDAP Authentication and Authorization • Determining the Sales and Engineering users who need remote access • Collecting the LDAP directory information Determining the internal networks that include the needed resources Determining the internal networks that include the needed resources is the first of three procedures the administrator performs to prepare for the LDAP authentication and authorization configuration. In this procedure, the administrator determines the network locations of the resources that the remote users must access. As noted earlier: • Remote users working for the Sales department must have access to an email server, a Web conference server, a Sales Web application, and several file servers residing on the internal network • Remote users working for the Engineering department must have access to an email server, a Web conference server, and several file servers residing on the internal network • Three email servers are operating in the internal network, but the administrator wants remote users to access only one of these email servers To complete this procedure in this example, we assume the administrator collects the following information: • The Web conference server, email servers, and file servers that the remote Sales and Engineering users must access all reside in the network 10.10.0.0/ 24 • The server containing the Sales Web application resides in the network 10.60.10.0/24 • The single email server that remote users must access has the IP address 10.10.25.50 Determining the Sales and Engineering Users Who Need Remote Access Determining the Sales and Engineering users who need remote access is the second of three procedures the administrator performs to prepare for LDAP authentication and authorization configuration. Before an administrator can configure the Firebox SSL VPN Gateway to support authorization with an LDAP directory, the administrator must understand how the Firebox SSL VPN Gateway uses groups to perform the authorization process. Specifically, the administrator must understand the relationship between a user's group membership in the LDAP directory and a user's group membership on the Firebox SSL VPN Gateway. Note The Firebox SSL VPN Gateway also relies on user groups in a similar way to support authorization types such as RADIUS. When a user in an LDAP directory connects to the Firebox SSL VPN Gateway, the following basic authentication and authorization sequence occurs: • After a user enters authentication credentials from the LDAP directory, the Firebox SSL VPN Gateway looks the user up in the LDAP directory, verifies the user's credentials, and logs the user on. • After a user successfully authenticates, the Firebox SSL VPN Gateway examines an attribute in the user's LDAP directory Person entry to determine the LDAP directory groups to which the user belongs. Administration Guide 161 Scenario 1: Configuring LDAP Authentication and Authorization For example, if the Firebox SSL VPN Gateway operates with the Microsoft Active Directory, the Firebox SSL VPN Gateway checks the "memberOf" attribute in the Person entry to determine the groups to which a user belongs. In this example, we assume that the group membership attribute indicates that a user is a member of an LDAP directory group named "Remote Sales." The Firebox SSL VPN Gateway then looks for a user group configured on the Access Policy Manager tab of the Administration Tool that has a name that matches the name of an LDAP directory group to which the user belongs. In this example, the Firebox SSL VPN Gateway looks for a user group named "Remote Sales" configured on the Firebox SSL VPN Gateway. If the Firebox SSL VPN Gateway finds a user group configured on the Firebox SSL VPN Gateway that has the same name as an LDAP directory group to which the user belongs, the Firebox SSL VPN Gateway grants the user with the access privileges (authorization) assigned to the user group on the Firebox SSL VPN Gateway. In this example, the Firebox SSL VPN Gateway provides the user with the access levels associated with the "Remote Sales" user group on the Access Policy Manager tab of the Administration Tool. Therefore, before the administrator can authorize the Sales and Engineering users to access internal network resources through the Firebox SSL VPN Gateway, the administrator must know the LDAP directory groups to which these users belong. At this point in this user access scenario, the administrator must accomplish one of two things regarding the group membership of the users: • Identify groups on the LDAP directory that contain all of the members who need remote access to the internal networks • If there are no existing groups that contain all of the appropriate members, the administrator can create new groups in the LDAP directory and add the appropriate members to these groups In this example, we assume that the administrator creates groups named "Remote Sales" and "Remote Engineers" in the LDAP directory and populates these groups with the Sales and Engineering users that need remote access to the internal network resources. Collecting the LDAP Directory Information Collecting the LDAP directory information is the last of three procedures the administrator performs to prepare for the LDAP authentication and authorization configuration. In this example scenario, the organization uses a single LDAP directory as its user repository. Before the administrator can configure the Firebox SSL VPN Gateway to support authentication and authorization with an LDAP directory, the administrator must collect information about the LDAP directory. This information is used in a later procedure to configure the Firebox SSL VPN Gateway to connect to the LDAP directory to perform user and group name lookups. Note To determine the information needed to configure a particular authentication or authorization type click the Authentication tab in the Administration Tool and create a test authentication realm that includes the authentication and authorization types that you must support. Collect the information needed to complete the fields for the selected authentication and authorization types. In this procedure, the administrator collects the following information about the LDAP directory. • LDAP Server IP address. The IP address of the computer running the LDAP server. 162 Firebox SSL VPN Gateway Scenario 1: Configuring LDAP Authentication and Authorization • • • • LDAP Server port. The port on which the LDAP server listens for connections. The default port for LDAP connections is port 389. LDAP Administrator Bind DN and LDAP Administrator Password. If the LDAP directory requires applications to authenticate when accessing it, the administrator must know the name of the user account that the Firebox SSL VPN Gateway should use for this authentication and the password associated with this account. LDAP Base DN. The base object of the directory (or level of the directory) where user names are stored. All remote users must have a Person entry at this level of the directory. Some example values are: ou=Users,dc=ace,dc=com cn=Users,dc=ace,dc=com LDAP Server login name attribute. The attribute of an LDAP directory Person entry that contains a user's name. The following table contains examples of the user name attribute fields for different LDAP directories: LDAP Server User Attributes Case Sensitive Microsoft Active Directory Server sAM AccountName No Novell eDirectory cn Yes IBM Directory Server uid Lotus Domino CN Sun ONE directory (formerly iPlanet) uid or cn Yes • LDAP Group attribute - The attribute of a user's Person entry that lists the groups to which a user belongs; for example, "memberOf." The LDAP Group attribute is used only for LDAP authorization. At this point, the administrator has completed all of the procedures needed to prepare for the LDAP authentication and authorization configuration task. When this task is complete, the administrator has the following information: • The specific network locations of all network resources that the remote Sales and Engineering users must access • The names of the user groups in the LDAP directory that contain the Sales and Engineering users who require remote access ("Remote Sales" and "Remote Engineers" in this example) • The specific LDAP directory information needed to configure the Firebox SSL VPN Gateway to operate with the LDAP directory With this information available, the administrator is now ready to configure the Firebox SSL VPN Gateway to provide access to the internal network resources for the Sales and Engineering users. Configuring the Firebox SSL VPN Gateway to Support Access to the Internal Network Resources Configuring the Firebox SSL VPN Gateway to support access to the internal network resources is the last of two tasks the administrator performs in the scenario for configuring LDAP authentication and authorization. In this task, the administrator uses the information gathered in the previous task to configure the settings in the Administration Tool that enable the remote users to access the internal network resources. Administration Guide 163 Scenario 1: Configuring LDAP Authentication and Authorization This task includes these five procedures: • Configuring accessible networks • Creating an LDAP authentication realm • Creating the appropriate groups on the Firebox SSL VPN Gateway • Creating and assigning network resources to the user groups • Creating an application policy for the email server Each of these procedures is discussed in detail below. Configuring Accessible Networks Configuring accessible networks is the first of five procedures the administrator performs to configure access to the internal network resources in the configuring LDAP authentication and authorization scenario. In this procedure, the administrator specifies the internal networks that contain the network resources that users must access using the Secure Access Client. In the previous task, the administrator determined that the remote Sales and Engineering users must have access to the resources on these specific internal networks: • The Web conference server, file servers, and email server residing in the network 10.10.0.0/24 • The server containing the Sales Web application residing in the network 10.60.10.0/24 The administrator specifies these networks as accessible networks. Specifying the accessible networks enables the Secure Access Client to support split tunneling. When a user logs on to the Firebox SSL VPN Gateway, the Firebox SSL VPN Gateway sends this list of networks to the Secure Access Client on the user's computer. The Secure Access Client uses this list of networks as a filter to determine which outbound packets should be sent to the Firebox SSL VPN Gateway and which should be sent elsewhere. The Secure Access Client transmits only the packets bound for the Firebox SSL VPN Gateway through the secure tunnel to the Firebox SSL VPN Gateway. Note If you do not want to support split tunneling, you do not need to configure accessible networks. To configure accessible networks 1 2 3 4 Open the Administration Tool. 5 Select the Enable logon page authentication check box. This setting requires users to authenticate when accessing the portal page of the Firebox SSL VPN Gateway with a Web browser. 6 To simplify this example, assume the administrator clears all other check boxes that appear on the Global Cluster Policies tab. Click the Global Cluster Policies tab. If necessary, select Enable split tunneling. In the Accessible networks box, enter all of the internal networks that the Firebox SSL VPN Gateway must access. Separate each network entered with a space or a carriage return. In this example access scenario, the administrator would make these entries: 10.10.0.0/24 10.60.10.0/24 For more information about split tunneling, see “Enabling Split Tunneling” on page 57. For more information about the Deny Access without ACL setting, see “Denying Access to Groups without an ACL” on page 58. 164 Firebox SSL VPN Gateway Scenario 1: Configuring LDAP Authentication and Authorization Creating an LDAP Authentication and Authorization Realm Creating an LDAP authentication and authorization realm is the second of five procedures the administrator performs to configure access to the internal network resources in this scenario. In this scenario, all of the Sales and Engineering users are listed in a corporate LDAP directory. To authenticate users listed in an LDAP directory, the administrator must create an authentication realm that supports LDAP authentication. To authorize users listed in LDAP directory groups to access the internal network resources, the administrator selects LDAP Authorization as the authorization type of the realm. Because all of the users authenticate to the LDAP directory, the administrator sets up the Default authentication realm to support LDAP authentication and authorization. To set up the Default realm to support LDAP authentication, the administrator first deletes the existing Default realm and then immediately creates a new Default realm that supports LDAP authentication. This new realm includes the address, port, and other LDAP directory information that the Firebox SSL VPN Gateway needs to connect to the LDAP directory server and resolve searches for names in the directory. Note The existing Default realm on the Firebox SSL VPN Gateway is configured for local authentication. By deleting the existing Default realm and creating a new Default realm for LDAP, the administrator simplifies the logon process for the end user. Users who authenticate using the Default realm do not need to enter the realm name as part of their logon credentials. For more information about realms, authentication, and authorization, see “Configuring Authentication and Authorization” on page 61. To complete this procedure, the administrator must have available the LDAP directory information gathered in the procedure “Collecting the LDAP Directory Information” on page 162" in the previous task. To delete the existing Default realm and create a new Default realm that supports LDAP authentication and authorization 1 2 3 4 5 6 7 8 In the Firebox SSL VPN Gateway Administration Tool, click the Authentication tab. Open the window for the Default realm. On the Action menu, select Remove "Default" realm. A warning message appears. Click Yes. In Realm Name, type Default. Select One Source and click Add. At Select Authentication Type, select LDAP authentication and then click OK. The new Default realm window opens. In the Authentication tab of the new Default realm window, complete the fields that enable the Firebox SSL VPN Gateway to access the LDAP server. (Use the information gathered in the procedure “Collecting the LDAP Directory Information” on page 162 in the previous task to complete these fields). 9 Select the Authorization tab. 10 In Authorization type, select LDAP authorization. 11 In the Authorization tab, complete the fields that enable the Firebox SSL VPN Gateway to access the LDAP server. 12 Click Submit. For more information about creating realms, see “Creating Additional Realms” on page 66. Administration Guide 165 Scenario 1: Configuring LDAP Authentication and Authorization Creating the Appropriate Groups on the Firebox SSL VPN Gateway Creating the appropriate groups on the Firebox SSL VPN Gateway is the third of five procedures the administrator performs to configure access to the internal network resources in the configuring LDAP authentication and authorization scenario. In this step, the administrator creates user groups on the Firebox SSL VPN Gateway that have names that match the groups the administrator identified or created in the LDAP directory. In an earlier task, the administrator created LDAP directory groups named “Remote Sales” and “Remote Engineers” in the LDAP directory. In this step, the administrator must now create user groups named “Remote Sales” and “Remote Engineers” on the Firebox SSL VPN Gateway. 1 2 Click the Access Policy Manager tab. In the left pane, right-click User Groups and then click New Group. In Group Name, type a name that is an exact case-sensitive match to an LDAP directory group that was identified or created in the earlier procedure. For example, type "Remote Sales" and then click OK. 3 At this point, a Group Properties window appears that includes several tabs. To simplify this example, accept all of the default settings for the Group Properties and click OK. The group properties provide additional settings that affect user access. For more information, about group properties and creating local groups, see “Configuring Properties for a User Group” on page 90. Creating and Assigning Network Resources to the User Groups Creating and assigning network resources to the user groups is the fourth of five procedures the administrator performs to configure access to the internal network resources in the configuring LDAP authentication and authorization scenario. In this step, the administrator specifies the network resources (network segments or individual computers) that users can access and then assigns those resources to the user groups on the Firebox SSL VPN Gateway. To complete this step, the administrator does the following: • Creates a network resource named "Sales Resource" and assigns this resource to the "Remote Sales" user group • Creates a network resource named "Engineering Resource" and assigns this resource to the "Remote Engineers" user group Creating and Assigning Network Resources to the Sales Users This section briefly discusses how the administrator creates a network resource for the Sales users and assigns it to those users. As noted earlier, the Sales users need access to these systems: • An email server, Web conference server, and several file servers in the 10.10.0.0/24 network. • A Sales Web application in the 10.60.10.0/24 network. To create a network resource named "Sales Resource" for the Sales users 1 2 3 166 Click the Access Policy Manager tab. In the right pane, right-click Network Resources and then click New Network Resource. Type "Sales Resources" as the Network Resource Name, and click OK. Firebox SSL VPN Gateway Scenario 1: Configuring LDAP Authentication and Authorization 4 In Network/Subnet, type these two IP address/subnet pairs for the resources. Separate each of these IP address/subnet pairs with a space: 10.10.0.0/24 10.60.10.0/24 5 To simplify this example, the administrator accepts the default values for the other settings on the Network Resource window and clicks OK. After creating the Network Resource named "Sales Resource," the administrator uses the procedure below to add this network resource to the ACL of the "Remote Sales" user group. 1 2 3 4 From the Firebox SSL VPN Gateway Administration Tool, click the Access Policy Manager tab. In the left-pane, expand User Groups, and then expand the "Remote Sales" user group. In the right pane, expand Network Resources. Click the "Sales Resource" network resource and drag it to Network Policies beneath the "Remote Sales" user group in the left-hand pane. With this action, the administrator grants the users associated with the "Remote Sales" user group access to the systems defined in the network resource named "Sales Resources." Note In the procedure above, the administrator assigned the "Sales Resource" network resource to the access control list (ACL) of the "Remote Sales" user group. The administrator creates ACLs on the Firebox SSL VPN Gateway by adding resources to the network policies, application policies, kiosk policies, and end point policies associated with the user group. The ACL is comprised of all policies that are assigned to a user group on the Firebox SSL VPN Gateway. Creating and Assigning Network Resources to the Engineering users This section briefly discusses how the administrator creates a network resource and assigns it to the Engineering users. This procedure is essentially the same as the procedure completed for the Sales users in the previous step, except the administrator does not provide the engineering users with access to the Sales Web application in the 10.60.10.0/24 network. As noted earlier, the Engineering users need access to a Web conference server, an email server, and several file servers. All of these servers reside in the network 10.10.0.0/24. To provide the Engineering users with access to the network: 1 From the right pane of the Access Policy Manager tab in the Firebox SSL VPN Gateway Administration Tool, create a new network resource named "Engineering Resources." Specify only the 10.10.0.0/24 network when creating this resource. 2 3 In the left pane, expand the "Remote Engineers" user group. Drag the "Engineering Resources" network resource from the right pane of the Access Policy Manager tab to the Network Policies of the "Remote Engineers" group in the left pane. The "Engineering Resources" Network Resource is now part of the ACL for the "Remote Engineers" group. Note In more complex environments, it may be necessary to restrict access to a particular segment of a larger network. For example, an administrator may need to deny access to the 10.0.20.x network while allowing access to everything else in the 10.0.x.x network. The administrator creates a network resource for the 10.0.20.x network and a network resource for the 10.0.x.x network and assigns both network resources to the user group. The administrator then right-clicks each of the resources to deny access to Administration Guide 167 Scenario 1: Configuring LDAP Authentication and Authorization the 10.0.20.x resource and allow access to the 10.0.x.x resource. In these cases, configure the policy denying access to 10.0.20.x first and then configure the policy allowing access to the 10.0.x.x network second. Always configure the most restrictive policy first and the least restrictive policy last. Creating an Application Policy for an Email Server Creating an application policy for an email server is the last of five procedures the administrator performs to configure access to the internal network resources in the configuring LDAP authentication and authorization scenario. In this example, the network 10.10.0.0/24 contains three email servers, but the administrator wants the remote Sales and Engineering users to have access to only one of these email servers. The email server that remote users must access has the IP address 10.10.25.50/32. To enable users to access only a single email server, the administrator creates an application policy on the Firebox SSL VPN Gateway that enables the users to access only the email application on the 10.10.25.50/32 email server. Note An administrator uses application policies to require a client application to access a specific internal server or to require a client device to meet specific requirements before it is allowed to access an internal server. To create an application policy to restrict email client access to one server, the administrator must perform three actions: • Create a network resource that includes only the email server • Create an application policy that specifies the email application on the email server and assign the network resource containing the email server to this application policy • Assign the application policy to the user groups in the Firebox SSL VPN Gateway In this example, the administrator creates a network resource named "Email Server" that includes only IP address 10.10.25.50/32 (the email server). The administrator then creates an application policy named "Email Application Policy" that specifies the email application that remote users can access. The administrator assigns the "Email Server" network resource to this application policy. Next, the administrator adds the "Email Application Policy" to the Remote Sales and Remote Engineers groups. Adding the policy to those groups ensures that those groups always access the email application on the specific email server specified by the administrator in the application policy. To implement the application policy for the email server 1 From the right pane of the Access Policy Manager tab in the Firebox SSL VPN Gateway Administration Tool, create a new network resource named "Email server." For this Network Resource, specify only the IP address of the email server that users are allowed to access (for example, 10.10.25.50/ 32). This is the same basic procedure that was used to define the network resources for the Sales users and Engineering users in the previous procedures. 2 3 4 In the right pane, right-click Application Policies and then click New Application Policies. In Application Resource Name, type "Email Application Policy" and click OK. Browse to and select the email application located on the server that has the IP address 10.10.25.50/32. The MD5 field is populated automatically with the binary sum of the application. 168 Firebox SSL VPN Gateway Scenario 2: Creating Guest Accounts Using the Local Users List 5 In the left pane, click the "Email server" network resource you just created and drag it to Application Network Policies listed under Application Constraints in the right pane. Click OK. 6 In the left pane, expand both the "Remote Sales" user group and the "Remote Engineers" user group. 7 In the right pane, under Application Policies, click the "Email Application Policy" and drag it to Application Policies under the Remote Sales user group in the left pane, so that the Application Policy is part of the Remote Sales ACL. 8 In the right pane, under Application Policies, click the "Email Application Policy" and drag it to Application Policies under the Remote Engineers user group in the left pane, so that the Application Policy is part of the Remote Engineers ACL. Note In the procedure above, the administrator could also add an application end point policy to the application policy to require every client device to meet specific requirements when accessing the email server. For more information, see “Application policies” on page 101. This procedure concludes the scenario for configuring LDAP authentication and authorization. When this procedure is complete, the administrator has configured all of the following: • Users can authenticate to the LDAP directory specified in the Default authentication realm using their LDAP directory credentials. • Users are authorized to access the internal network resources based on their group memberships in the LDAP directory and on the Firebox SSL VPN Gateway. Only users who are members of the "Remote Sales" group and the "Remote Engineers" group are authorized to access resources on the internal network. (Each of these groups must exist both in the LDAP directory and on the Firebox SSL VPN Gateway.) • Users in the "Remote Sales" group are authorized to access the Web conference server and file servers in the 10.10.0.0/24 network and the Sales Web application in the 10.60.10.0/24 network. The Sales users can access the email application on the server with the 10.10.25.50 IP address, but cannot access the email application on other email servers in the allowed networks. The Sales users can also access other network resources located in the two allowed networks. • Users in the "Remote Engineering" group can access the Web conference server and the file servers in the 10.10.0.0/24 network (and other network resources located in this network). The Engineering users can also access the email application on the server with the 10.10.25.50 IP address, but cannot access the email application on other email servers in the allowed networks. To understand the purpose of local users on the Firebox SSL VPN Gateway and to understand how to enable authentication and authorization for the local users, continue to “Scenario 2: Creating Guest Accounts Using the Local Users List” on page 169. Scenario 2: Creating Guest Accounts Using the Local Users List This example illustrates how local users work on the Firebox SSL VPN Gateway and shows one way in which an administrator can support authentication and authorization for the local users. In the previous example, users were authenticated and authorized based on their LDAP directory credentials and group memberships. Administration Guide 169 Scenario 2: Creating Guest Accounts Using the Local Users List An administrator can also create a list of local users on the Firebox SSL VPN Gateway and configure the Firebox SSL VPN Gateway to provide authentication and authorization services for these users. This list of local users is maintained in a database on the Firebox SSL VPN Gateway and not in an external directory. Local users are especially useful if the administrator wants to do any of the following: • Grant access to users who are not listed in any corporate directory • Grant access to users who are listed in a corporate directory to which the Firebox SSL VPN Gateway does not connect • Provide a small number of users with a special level of access to the internal network resources without creating a new group in the corporate directory for these users This example assumes the following: • Silvio Branco and Lisa Marth are consultants that do not work for the corporation and are not listed in the corporate directory • Silvio Branco and Lisa Marth must have remote access to the Web conference server on the internal network to participate in conferences with the Sales and Engineering users who are employed by the corporation • The administrator has already completed the previous LDAP authentication with LDAP authorization example scenario earlier in this chapter to provide Sales and Engineering users with access to the Web conference server • The Web conference server IP address is 10.10.50.60 Note In this example, Silvio Branco and Lisa Marth are referred to as guest users because they are not employed by the corporation and are not listed in the corporate directory. To provide Silvio Branco and Lisa Marth with access to the Web conference server, the administrator performs these three procedures: • Creates a guest user authentication realm • Creates local users • Creates and assigns a network resource to the Default user group on the Firebox SSL VPN Gateway Creating a Guest User Authentication Realm Creating a guest user authentication realm is the first of three procedures the administrator performs in the scenario for creating guest accounts using the Local Users list. In the previous scenario for configuring LDAP authentication and authorization, the administrator created a Default authentication realm to support authentication and authorization of the users listed in a corporate LDAP directory. Because Silvio Branco and Lisa Marth are not listed in the corporate LDAP directory, the administrator creates a separate authentication realm for them that supports the following: • Local Authentication. This option in an authentication realm ensures that users are authenticated against a Local Users list on the Firebox SSL VPN Gateway, and not an external directory • No Authorization. This option in an authentication realm ensures that users of this realm are provided with the access levels associated with the Default user group on the Firebox SSL VPN Gateway. 170 Firebox SSL VPN Gateway Scenario 2: Creating Guest Accounts Using the Local Users List To create a guest authentication realm for the guest users 1 2 3 4 5 6 In the Firebox SSL VPN Gateway Administration Tool, click the Authentication tab. In Realm Name, type Guest. Select One Source and click Add. At Select Authentication Type, select Local authentication only and then click OK. From the Authorization tab, select No authorization. Click Submit. Creating Local Users Creating local users is the second of three procedures the administrator performs in the scenario for creating guest accounts using the Local Users list. In this procedure, the administrator creates local user accounts for Silvio Branco and Lisa Marth on the Firebox SSL VPN Gateway and provides each user with a password. To add the local users 1 2 3 4 5 Click the Access Policy Manager tab. Right-click Local Users and select New User. In User Name, type Lisa Marth. In the Password and Verify Password fields, enter a password for Lisa Marth and click OK. Repeat Steps 2 through 4 for to create a local user account for Silvio Branco. Creating and Assigning a Network Resource to the Default User Group Creating and assigning a network resource to the Default user group is the last of three procedures in the scenario for creating guest accounts using the Local Users list. In this step, the administrator creates a network resource that specifies only the Web conference server and then assigns this resource to the Default user group. 1 From the right pane of the Access Policy Manager tab in the Administration Tool, create a new network resource named "Guest Resource." Specify only the IP address of the Web conference server when creating this network resource (for example 10.10.50.60/32). 2 3 In the left pane, expand the "Default" user group. Drag the "Guest Resource" network resource from the right pane of the Access Policy Manager tab to the Network Policies of the "Default" group in the left pane. Note If a user logs on and cannot get group information, the user will always use the Default group settings. When this procedure is complete, the administrator has accomplished the following: • Silvio Branco and Lisa Marth can enter the user credential "Guest\Silvio Branco" or "Guest\Lisa Marth" to authenticate to the Guest realm on the Firebox SSL VPN Gateway. Silvio and Lisa must include the realm name as part of their user name credential when authenticating because they authenticate to a realm that is not the Default authentication realm. • Silvio and Lisa also use the passwords that the administrator specified for them to authenticate to the Firebox SSL VPN Gateway. The administrator entered these passwords when creating Silvio and Lisa as local users on the Firebox SSL VPN Gateway. Administration Guide 171 Scenario 3: Configuring Local Authorization for Local Users Silvio and Lisa are authorized to access any resource defined in the ACL of the Default user group because No Authorization is specified as the authorization type of the Guest realm. In this example, Silvio and Lisa can access only the Web conference server on the internal network because that is the only network resource defined for the Default user group. Scenario 3: Configuring Local Authorization for Local Users By slightly altering the configuration discussed previously in the "Scenario for Creating Guest Accounts Using the Local Users List", the administrator can provide local users (Lisa Marth and Silvio Branco) with the same level of access to the internal network resources as either the Sales or the Engineering users. This scenario illustrates the concept of local authorization for local users. Assume the administrator wants to provide Lisa and Silvio with the same level of access as the Engineering users. To accomplish this, the administrator could perform two procedures: • Change the authorization type of the Guest realm to Local Authorization • Assign the local users Lisa Marth and Silvio Branco to the Remote Engineers group on the Firebox SSL VPN Gateway To assign local users Lisa Marth and Silvio Branco to the Remote Engineers group on the Firebox SSL VPN Gateway, the administrator performs this procedure: 1 2 3 Click the Access Policy Manager tab. Expand User Groups and then expand Local Users. Under Local Users, click the name Lisa Marth and drag her name to Local Group Users underneath the Remote Engineers user group. 4 Under Local Users, click the name Silvio Branco and drag his name to Local Group Users underneath the Remote Engineers user group. When this procedure is complete, both of the following are true: • Silvio Branco and Lisa Marth can enter the user credential "Guest\Silvio Branco" or "Guest\Lisa Marth" to authenticate to the Guest realm on the Firebox SSL VPN Gateway. • Silvio and Lisa are authorized to access any resource defined in the ACL of the Remote Engineers user group because Local Authorization is specified as the authorization type of the Guest realm. When Local Authorization is specified, local users receive the authorization associated with the user group on the Firebox SSL VPN Gateway to which they are assigned. They do not receive the authorization associated with the Default user group on the Firebox SSL VPN Gateway, as is the case when No Authorization is selected for the Guest authentication realm. 172 Firebox SSL VPN Gateway APPENDIX E Legal and Copyright Information GNU GENERAL PUBLIC LICENSE FOR LINUX KERNEL AS PROVIDED WITH FIREBOX SSL Firebox SSL VPN Gateway Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc. 675 Mass Ave, Cambridge, MA 02139, USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. Administration Guide 173 We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow. GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. 1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any 174 Firebox SSL VPN Gateway change. b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to Administration Guide 175 be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it. 6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. 176 Firebox SSL VPN Gateway If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation. 10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. Administration Guide 177 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS Appendix: How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. Copyright (C) 19yy This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. Also add information on how to contact you by electronic and paper mail. If the program is interactive, make it output a short notice like this when it starts in an interactive mode: Gnomovision version 69, Copyright (C) 19yy name of author Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 178 Firebox SSL VPN Gateway This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker. , 1 April 1989 Ty Coon, President of Vice This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Library General Public License instead of this License. Administration Guide 179 180 Firebox SSL VPN Gateway Index A access control list 56, 97 allow and deny rules 98 deny access 15, 58 deny access without ACL 57, 88 Access Policy Manager tab 15, 87 add network resource 101 Application Policies 16, 101 applications without policies 15 client certificate criteria 16, 95 create network resource 100 create user group 89 end point policy 16, 105 end point policy expression 106 end point resource 16, 104 end point resource, removing 105 file share resources 16, 103 force authentication 15, 90 global policies 16 group membership 16 inherit default group properties 15 IP pooling 15, 94 kiosk mode 16 local users 15, 87 logon scripts 91 network resources 16 portal page 15, 95 portal page configuration 16 remove network resource 101 remove resource 99 remove user group 89 resources 96, 99 session timeout 92 single sign-on 15 split DNS 15, 50, 94 Web Interface portal page 15 accessible networks 15, 56 deny access without access control list 58 DNS split tunneling 57 limitations 145 specifying 57 Administration deployment overview 17 Administration Desktop 17, 32 Administration Guide downloading or starting 32 Ethereal Network Analyzer 141 fnetload 141 group priorities 107 monitoring tools 140 My traceroute 141 opening 32, 141 Real-time Monitor 141 System Monitor 141 xNetTools 141 Administration Portal 32 administrative user account 33 administrator password 33 available downloads 32 blocking external access 38 logging 33 maintenance 33 restarting the appliance 45 Web address 32 Administration Tool 13 configuration 34 downloading 32 inaccessible 146 Application Policies 101 resources application policies 16 applications without policies 15 archive of system log 137 authentication 15 configuring 61 default realm 63 double source 43, 85 enabling RSA SecurID 81 LDAP 15, 25, 73, 76 local 15, 25 NTLM 148 RADIUS 15, 25, 69, 72 realm, removing 86 RSA SecurID 25, 79 SafeWord for Citrix 68 SafeWord for RemoteAccess 68 SafeWord PremierAccess 25, 67 authentication RSA SecureID 15 user group 88 181 Authentication tab LDAP 74 authorization 15 configuring 61 LDAP 65, 73 LDAP and RSA/ACE Server 81 local users 65 RADIUS 69, 72 B backing up 44 BlackICE PC Protection 150 C certificate 109 512-bit keypairs 147 backing up 44 certificate signing request 14, 110 client 15, 95, 114 combining with private key 155 converting to PEM format 155 creating signing request 111 generating for multiple levels 156 installing 14 installing Cygwin for 153 internal connection 15 multilevel and SSL version 2 147 private key, unencrypting 154 Security Alert 110 signed by Certificate Authority 109 signing 146 wildcard 116 Certificate Authority 109 Certificate Revocation Lists 146 Certificate Signing Request 14 generating 111 overview 110 certificates internal connections 116 CIFS/SMB 103 client connection types 118 GAIM 28 Remote Desktop 28 SSH 28 Telnet 3270 emulator 28 VNC 28 client access IP pooling 88 portal page 95 resource access control 99 session timeout 88 single sign-on 91 split DNS 88 client certificate criteria 16, 95 requiring 15 client certificates 114 client variables for portal page 39 closing connection 133 computer hibernate 90 suspend 90 182 configuration dynamic routes 52 network connections 47 restoring 15, 44 saving 15, 44 serial console 33 static routes 53 with Administration Tool 34 configuring for a group 105 connection client cannot connect 147 closing 134 handling 133 managing 133 connection failure 147 Connection Properties 94 CPU usage 141 CRLs, see Certificate Revocation Lists CSRs, see Certificate Signing Request D default group inherit properties 15 Default realm 63 authentication type 65 replacing 65 deny access without access control list 15, 58, 88 deployment overview 17 deployment, server load balancer 28 DNS enable split 50 failover to local 50 name resolution 14, 147 server settings 50 suffixes 50 user override 124 DNS split tunneling 15, 57 DNS/WINS see Name Service Providers DNS/WINS, see Name Service Providers documentation downloading 32 double source authentication 43, 85 downloads Administration Desktop 32 Administration Tool 32 Firebox SSL VPN Gateway documentation 32 from Administration Portal 32 portal page templates 32 Duplex Mode 49 dynamic route 14 dynamic routing 48, 52 E end point policy 16, 104, 105 build expression 106 conflicts 145 creating 105 valid operators 105 end point resource 16, 104 configuring 104 creating 104 Firebox SSL VPN Gateway removing 105 Ethereal Network Analyzer 141 unencrypted traffic 27 Ethereal Network Monitor 17 external access 15 F failover 48 appliances 14 DNS servers 50 gateways 55 internal 15, 55 failure recovery 141 FAQs 5 file share configuring 103 mount type 103 source path 103 file share resources 16, 128 finger query 141 Firebox Installation Services 7 Firefox 104 preventing Java access 144 firewall BlackICE PC Protection 150 McAfee Personal Firewall Plus 150 Norton Personal Firewall 151 Sygate Personal Firewall 151 Tiny Personal Firewall 151 using with Secure Access Client 26 ZoneAlarm Pro 152 fnetload 17 fnetload tool 141 force authentication 15 forcing 15 FTP configuring for use with client 132 using during kiosk session 128 G Gaim 28, 131 gateway device default 49 Gateway Interface 49 General Networking configuration 48 settings 14, 47 Global Cluster Policies accessible networks 15 deny access without ACL 15 Global Cluster Policies tab accessible networks 57 certificates for internal connections 116 client certificate 15 client certificates 114 deny access without ACL 57, 88, 100 deny network access 59 enable portal page authentication 15, 41 internal failover 55 split tunneling 15, 58 Voice over IP 15 global policies 16 group membership 16 Administration Guide group priority 16, 106 Group Priority tab 89, 107 H H.323 protocol 147 hibernate forcing user authentication 90 host check rules, see end point resource I IAS, see Internet Authentication Server ICMP allowing traffic 46 ICMP transmissions 145 inherit default group properties 15 installation certificate 14 portal pages 40 instant messenging AOL Instant Messenger 131 Gaim 28, 131 ICQ 131 IRC 131 MSN Messenger 131 Yahoo! Messenger 131 internal connection certificate 15 internal connections certificates 116 internal failover 15, 55 Administration cannot be reached 146 Internet virus traffic on 3 Internet Authentication Server RADIUS 69 using with SafeWord for Citrix 68 IP address default Firebox SSL setting 47 default gateway 49 external setting 49 internal and external adapters 47 IP pooling 15, 88, 94 J Java disabling access 144 Java client support 132 K kiosk mode 16, 28 certificate 145 configuring 103 connecting to 126 Gaim 131 instant messenging 131 Java applet 132 Java Runtime Environment 145 link to Web site 41 183 persistence 104 Remote Desktop Client 130 shared network drives, using 128 SSH client 130 Telnet 3270 Emulator client 131 using FTP to copy files 129 VNC client 131 known issues 5 using 140 Multi Router Traffic Grapher 139 multiple log on options portal page 42 My traceroute tool 141 L name scanner 141 Name Service Providers 14, 50, 148 NetMeeting 147 network 147 access 56 accessible networks 57 activity level graph 140 address translation (NAT) 49 connections overview 47 deny access without access control list 58 DNS split tunneling 57 drives, shared 128 duplex mode 49 flooding 146 interface traffic load monitor 141 monitoring 17, 140 MTU 49 network adapter settings 47 packet data analyzer 141 port setting 49 resource groups 99 route tracing 141 scanning tools 141 spamming 146 split tunneling 58 network address translation host 49 network interruption forcing user authentication 90 network resource 16 adding to a group 101 CIDR not recognized 145 creating 100 defining 99 removing 101 Network Time Protocol 15, 46 networking configuring 14, 48 node secret 69, 82 Norton Personal Firewall 151 NTLM authentication 148 NTP, see Network Time Protocol LDAP authentication 15, 25 authorization 15, 73 authorization with RSA/ACE Server 81 LDAP authentication 73, 76 LDAP Browser 78 LDAP server finding attributes 78 licenses backing up 44 file does not match error 144 freeing 133 managing 15, 36 Linux support (client) 119 checking status 119 command-line options 119 link to Web Site 41 removing client 119 restarting 119 LiveSecurity Gold Program 7 LiveSecurity Service activating 4 benefits of 2 broadcasts 3 Rapid Response Team 3 technical support 6 local authentication 25 local user groups 88 local users 15, 87 adding 87 authorization 65 closing connection 133 LDAP authorization 65 multiple user groups 89 Logging 137 logging Administration Portal 33 VPN Gateway Cluster tab 14 Logging > Configuration tab download W3C log 139 logon scripts 91 M Macintosh support (JVM client) 126 maintenance Administration Portal 33 man in the middle attacks 110 maximum transmission unit (MTU) 49 McAfee Personal Firewall Plus 150 membership groups 16 memory usage 141 monitoring tools 32 184 N O online support services accessing 5 described 4 online training 5 P packet data, browsing 141 passthrough authentication 15 password administrator 33 Firebox SSL VPN Gateway ping 46 command 33, 145 from xNetTools 141 policies access control lists 56 IP pooling 94 network access 56 portal pages 38, 41 setting priority 106 port for connections 49 scanner 141 portal page client connections 118 client variables 39 configuring 16, 95 customizing 15, 38 disabling 95 double source authentication 43, 85 downloading templates 32, 39 enabling authentication 15, 41 installing 40 multiple log on options 42 pre-authentication policy 42 usage 88 user name variables 39 pre-authentication portal page 42 pre-authentication policies 16 private key combining with signed certificate 155 unencrypting 154 process activity level graph 140 proxy server configuring 25 setup for client 123 Publish tab 16 R RADIUS authentication 15, 25 configuring Internet Authentication Server 69 using with SafeWord for Citrix 68 RADIUS authentication 72 RADIUS authorization configuring 72 RADIUS server authentication 69 Rapid Response Team 2, 3 realm removing 86 realm-based authentication Default realm 63 Real-time Monitor 18, 133, 141 group priorities 107 reinstalling software 141 remote client, see Secure Access client Remote Desktop Client 130 removing realm 86 resource configuring for user groups 96 network 16 resource group network access 56 Administration Guide resource groups removing from user group 99 resources configuring for a user group 99 file share 103 file shares 16 restarting appliance 15, 45 restarting server 147 restoring a configuration 44 restoring configuration 44 routes 48 dynamic 52 static and dynamic 14 RSA ACE/Server 25 configuration file 79 generating sdconf.rec file 80 resetting node secret 82 SecurID authentication 79 settings 79 uploading sdconf.rec file 81 RSA SecurID 25 authentication 15, 25, 79 IP address setup 81 RSA/ACE Server LDAP authorization 81 S SafeWord for Citrix 68 IAS agent 69 SafeWord PremierAccess 25, 67 authentication 15 SafeWord RemoteAccess 68 sdconf.rec file 80 invalid file 146 replacing 81 uploading 81 Secure Access Client 16 assigning IP address from pool 94 automatic updates 124 auto-update feature 147 Connection Log 125 default portal page 118 description 122 forcing authentication 90 FTP configuration 132 link to Web site 41 Linux support 119 operation 25 portal page 38 proxy server setup 123 single sign-on 91 third-party VPN software 148 using with firewalls 26 using with proxies 26 Voice over IP 59 Windows 2003 Server 148 Windows XP 147 security controlling network access 56 deny access without access control list 58 digital certificates 109 forcing user authentication 90 preventing man in the middle attacks 110 serial console 33, 146 Server 15 server load balancer 185 connection to 28 service scanner 141 session timeout 15, 88, 92 settings General Networking 47 shared network drives 128 shared secret 69, 82 shutting down 15, 45 single sign-on 15 single sign-on for client 91 SNMP 139 logs, enabling and viewing 139 MIB groups reported 139 settings 139 software reinstalling 141 shutting down 45 upgrades 44 software reinstallation 141 software upgrades and LiveSecurity Service 3 split DNS 15, 94 enabling 50, 88, 124 user override 94, 124 split tunneling 15, 58 SSH client 28, 130 SSL 26, 59 standby forcing user authentication 90 static route 14 static routes adding 53 example 54 removing 54 testing 54 static routing 48 statistics 15 support services, online 4 swap space usage 141 Sygate Personal Firewall 151 syslog server, forwarding system log to 138 Syslog settings 138 system configuration restoring 44 saving 44 system date and time changing 45 viewing 45 system log archive 137 downloading 137 filtering 137 forwarding to syslog server 138 viewing 137 System Monitor 17, 141 system statistics 140 T Technical Support assisted support 6 Firebox Installation Services 7 LiveSecurity Gold Program 7 LiveSecurity Service 6 users forum 5, 6 186 VPN Installation Services 7 Telnet 3270 Emulator client 28, 131 templates downloading 39 time synchronizing 15 time zone, changing 45 Tiny Personal Firewall 151 TLS 26 tools network monitoring 17 Traceroute 17 training and certification 5, 7 troubleshooting 143 U UDP connections 59 upgrades and LiveSecurity Service 3 upgrading 15 user groups 87 authentication servers 88 creating 89 enable session timeout 92 enabling IP pooling 94 local 88 multiple 89 overview 88 portal page 95 RADIUS 88 removing 89 resource access control 99 resources 96, 97 set priority 106 spit DNS 94 users 87 user groups information 88 user name variable for portal page 39 users adding to multiple groups 98 closing connection 133 disabling and enabling 134 enabling single sign-on 91 force authentication 90 online forum for 5 overriding split DNS 94 supporting 132 viewing groups and priority group 107 viewing open connections 141 working with shared network drives 128 users forum 5 V viruses information about new 3 VMWAre 145 VNC client 28, 131 Voice over IP 15, 59 VPN Gateway Cluster tab 44 blocking external access 15, 38 Certificate Signing Request 111 date and time 15 failover appliances 14, 48 Firebox SSL VPN Gateway failover servers 55 General Networking 14, 47 logging 14, 137 managing licenses 15, 36 Name Service Providers 14, 47 Network Time Protocol 15 restarting 15 restarting appliance 45 restoring configuration 15, 44 routes 14, 48, 52, 54 save configuration 15, 44 shut down 15, 45 SNMP 139 static route 53 statistics 15, 140 Syslog settings 138 system date and time 45 upgrading 15, 44 VPN Installation Services 7 W W3C-formatted log 138 WatchGuard Certified Training Partners 8 WatchGuard users forum 5, 6 WCTP 8 Web address of Administration Portal 32 of Java client 126 Web Interface access without credentials 143 applications not available 143 configuring as portal page 15 invalid credentials 144 single sign-on 15 troubleshooting 143 whois query 141 wildcard certificates 116 WINS IP address 50 name resolution 14 WINS server setting 50 WINS, see Name Service Providers X xNetTools 17, 141 Z ZoneAlarm Pro 152 Administration Guide 187 188 Firebox SSL VPN Gateway

Source Exif Data:
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.4
Linearized                      : Yes
Tagged PDF                      : Yes
Page Mode                       : UseOutlines
XMP Toolkit                     : 3.1-701
Producer                        : Acrobat Distiller 7.0.5 (Windows)
Creator Tool                    : FrameMaker 7.1
Modify Date                     : 2008:03:25 13:23:48Z
Create Date                     : 2008:03:25 13:20:28Z
Format                          : application/pdf
Title                           : VPN_AdminGuide.book
Creator                         : cklassen
Document ID                     : uuid:8c721945-3ba0-40b8-ad22-690bb831edee
Instance ID                     : uuid:ae9fde56-a91e-40a4-8b24-dc1fd66f45ee
Page Count                      : 198
Author                          : cklassen
EXIF Metadata provided by EXIF.tools

Navigation menu