NETGEAR SRX5308-100NAS VPN Certificates

294

7

7. Manage Users, Authentication, and

VPN Certificates

This chapter describes how to manage users, authentication, and security certificates for IPSec

VPN and SSL VPN. The chapter contains the following sections:

•The VPN Firewall’s Authentication Process and Options

•Configure Authentication Domains, Groups, and Users

•Manage Digital Certificates for VPN Connections

The VPN Firewall’s Authentication Process and Options

Users are assigned to a group, and a group is assigned to a domain. Therefore, you should

first create any domains, then groups, then user accounts.

Note: Do not confuse the authentication groups with the LAN groups that

are discussed in Manage IPv4 Groups and Hosts (IPv4 LAN

Groups) on page 91.

You need to create name and password accounts for all users who need to be able to

connect to the VPN firewall. This includes administrators, guests, and SSL VPN clients.

Accounts for IPSec VPN clients are required only if you have enabled extended

authentication (XAUTH) in your IPSec VPN configuration.

Users connecting to the VPN firewall need to be authenticated before being allowed to

access the VPN firewall or the VPN-protected network. The login screen that is presented to

the user requires three items: a user name, a password, and a domain selection. The domain

determines the authentication method that is used and, for SSL connections, the portal

layout that is presented.

Note: IPSec VPN, L2TP, and PPTP users do not belong to a domain and

are not assigned to a group.

Contents

Main Tech nica l Sup port Trademarks Statement of Conditions Revision History ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Contents Chapter 1 Introduction Chapter 2 IPv4 and IPv6 Internet and WAN Settings Chapter 3 LAN Configuration Chapter 4 Firewall Protection Chapter 5 Virtual Private Networking Using IPSec and L2TP Connections Chapter 6 Virtual Private Networking Using SSL Connections Chapter 7 Manage Users, Authentication, and VPN Certificates Chapter 8 Network and System Management Chapter 9 Monitor System Access and Performance Chapter 10 Troubleshooting Appendix A Default Settings and Technical Specifications Appendix B Network Planning for Multiple WAN Ports (IPv4 Only) Appendix C System Logs and Error Messages Page What Is the ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308? Key Features and Capabilities Quad-WAN Ports for Increased Reliability and Load Balancing Advanced VPN Support for Both IPSec and SSL A Powerful, True Firewall with Content Filtering Security Features Autosensing Ethernet Connections with Auto Uplink Extensive Protocol Support Easy Installation and Management Maintenance and Support Package Contents Hardware Features Front Panel LEDs Introduction ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Table 1. LED descriptions Rear Panel Bottom Panel with Product Label Choose a Location for the VPN Firewall Use the Rack-Mounting Kit Log In to the VPN Firewall Page Web Management Interface Menu Layout Page Requirements for Entering IP Addresses IPv4 IPv6 Internet and WAN Configuration Tasks Tasks to Set Up IPv4 Internet Connections to Your ISPs Tasks to Set Up an IPv6 Internet Connection to Your ISPs Configure the IPv4 Internet Connection and WAN Settings Configure the IPv4 WAN Mode Network Address Translation Classical Routing Configure the IPv4 Routing Mode Let the VPN Firewall Automatically Detect and Configure an IPv4 Internet Connection Page Page Manually Configure an IPv4 Internet Connection Page Figure 16. Table 3. PPTP and PPPoE settings Figure 17. Table 3. PPTP and PPPoE settings (continued) Figure 18. Table 4. Internet IP address settings Table 5. DNS server settings Page Configure Load Balancing or Auto-Rollover Configure Load Balancing Mode and Optional Protocol Binding Page Page Figure 22. 4. Configure the protocol binding settings as explained in the following table: Table 6. Add Protocol Binding screen settings Page Configure the Auto-Rollover Mode and Failure Detection Method Page Configure Secondary WAN Addresses Page Configure Dynamic DNS Page Page Configure the IPv6 Internet Connection and WAN Settings Configure the IPv6 Routing Mode Page Use a DHCPv6 Server to Configure an IPv6 Internet Connection Page Page Configure a Static IPv6 Internet Connection Page Page Configure a PPPoE IPv6 Internet Connection Page Page Configure 6to4 Automatic Tunneling Configure ISATAP Automatic Tunneling Page View the Tunnel Status and IPv6 Addresses Configure Stateless IP/ICMP Translation Configure Advanced WAN Options and Other Tasks Page Page Table 12. WAN Advanced Options screen settings (continued) 5. Click Apply to save your changes. WARNING: Table 12. WAN Advanced Options screen settings (continued) Configure WAN QoS Profiles Page Figure 45. Table 13. Add QoS screen settings for a rate control profile Table 13. Add QoS screen settings for a rate control profile (continued) Page Table 14. Add QoS screen settings for a priority profile (continued) Additional WAN-Related Configuration Tasks Verify the Connection What to Do Next Manage IPv4 Virtual LANs and DHCP Options Port-B ased VLAN s Assign and Manage VLAN Profiles VLAN DHCP Options DHCP Server DHCP Relay DNS Proxy LDAP Server Configure a VLAN Profile Page Table 15. Add VLAN Profile screen settings Table 15. Add VLAN Profile screen settings (continued) Table 15. Add VLAN Profile screen settings (continued) Configure VLAN MAC Addresses and LAN Advanced Settings Configure IPv4 Multihome LAN IP Addresses on the Default VLAN Page Manage IPv4 Groups and Hosts (IPv4 LAN Groups) Manage the Network Database Page Add Computers or Devices to the Network Database Edit Computers or Devices in the Network Database Deleting Computers or Devices from the Network Database Change Group Names in the Network Database Set Up DHCP Address Reservation Manage the IPv6 LAN DHCPv6 Server Options Stateless DHCPv6 Server Stateless DHCPv6 Server With Prefix Delegation Stateful DHCPv6 Server Configure the IPv6 LAN Table 17. LAN Setup screen settings for IPv6 4. Click Apply to save your changes. IPv6 LAN Address Pools To add an IPv6 LAN address pool: Table 17. LAN Setup screen settings for IPv6 (continued) Page IPv6 LAN Prefixes for Prefix Delegation Configure the IPv6 Router Advertisement Daemon and Advertisement Prefixes for the LAN Page Advertisement Prefixes for the LAN Page Configure IPv6 Multihome LAN IP Addresses on the Default VLAN Enable and Configure the DMZ Port for IPv4 and IPv6 Traffic DMZ Port for IPv4 Traffic Figure 61. Table 22. DMZ Setup screen settings for IPv4 Table 22. DMZ Setup screen settings for IPv4 (continued) DMZ Port for IPv6 Traffic Page Table 23. DMZ Setup screen settings for IPv6 IPv6 DMZ Address Pools Configure the IPv6 Router Advertisement Daemon and Advertisement Prefixes for the DMZ Page Figure 64. 4. Enter the settings as explained in the following table: Table 26. RADVD screen settings for the DMZ Advertisement Prefixes for the DMZ Page Manage Static IPv4 Routing Configure Static IPv4 Routes Figure 66. 2. Click the Add table button under the Static Routes table. The Add Static Route screen displays: Figure 67. 3. Enter the settings as explained in the following table: Table 28. Add Static Route screen settings for IPv4 Configure the Routing Information Protocol Figure 68. Table 29. RIP Configuration screen settings Table 29. RIP Configuration screen settings (continued) IPv4 Static Route Example Manage Static IPv6 Routing Figure 69. Figure 70. 4. Enter the settings as explained in the following table: Table 30. Add IPv6 Static Routing screen settings Page About Firewall Protection Administrator Tips Overview of Rules to Block or Allow Specific Kinds of Traffic Page Outbound Rules (Service Blocking) Table 32. Outbound rules overview (continued) Inbound Rules (Port Forwarding) Page Table 33. Inbound rules overview Table 33. Inbound rules overview (continued) Order of Precedence for Rules Table 33. Inbound rules overview (continued) Configure LAN WAN Rules Page Page Create LAN WAN Outbound Service Rules IPv4 LAN WAN Outbound Rules IPv6 LAN WAN Outbound Rules Create LAN WAN Inbound Service Rules IPv4 LAN WAN Inbound Service Rules IPv6 LAN WAN Inbound Rules Configure DMZ WAN Rules Page Create DMZ WAN Outbound Service Rules IPv4 DMZ WAN Outbound Service Rules IPv6 DMZ WAN Outbound Service Rules Create DMZ WAN Inbound Service Rules IPv4 DMZ WAN Inbound Service Rules IPv6 DMZ WAN Inbound Service Rules Configure LAN DMZ Rules Page Create LAN DMZ Outbound Service Rules IPv4 LAN DMZ Outbound Service Rules IPv6 LAN DMZ Outbound Service Rules Create LAN DMZ Inbound Service Rules IPv4 LAN DMZ Inbound Service Rules IPv6 LAN DMZ Inbound Service Rules Examples of Firewall Rules Examples of Inbound Firewall Rules IPv4 LAN WAN Inbound Rule: Host a Local Public Web Server Page IPv4 LAN WAN or IPv4 DMZ WAN Inbound Rule: Set Up One-to-One NAT Mapping Page IPv4 LAN WAN or IPv4 DMZ WAN Inbound Rule: Specifying an Exposed Host IPv6 LAN WAN Inbound Rule: Restrict RTelnet from a Single WAN User to a Single LAN User Examples of Outbound Firewall Rules IPv4 LAN WAN Outbound Rule: Block Instant Messenger Page Configure Other Firewall Features Attack Checks IPv4 Attack Checks Table 34. Attack Checks screen settings for IPv4 IPv6 Attack Checks Set Limits for IPv4 Sessions Table 35. Session Limit screen settings Manage the Application Level Gateway for SIP Sessions Services, Bandwidth Profiles, and QoS Profiles Add Customized Services Page Create IP Groups Page Create Bandwidth Profiles Page Page Create Quality of Service Profiles for IPv4 Firewall Rules Figure 108. 3. Enter the settings as explained in the following table. Table 38. Add QoS Profile screen settings Quality of Service Priorities for IPv6 Firewall Rules Configure Content Filtering Page Page Page Set a Schedule to Block or Allow Specific Traffic Enable Source MAC Filtering Set Up IP/MAC Bindings IPv4/MAC Bindings Page IPv6/MAC Bindings Page Configure Port Triggering Page Configure Universal Plug and Play Page Using IPSec and L2TP Connections Considerations for Dual WAN Port Systems (IPv4 Only) The following diagrams and table show how the WAN mode selection relates to VPN configuration. Use the IPSec VPN Wizard for Client and Gateway Configurations Create an IPv4 Gateway-to-Gateway VPN Tunnel with the Wizard Page Figure 123. 2. Complete the settings as explained in the following table: Table 43. IPSec VPN Wizard settings for an IPv4 gateway-to-gateway tunnel Page Page Page Figure 128. Table 44. IPSec VPN Wizard settings for an IPv6 gateway-to-gateway tunnel Page Create an IPv4 Client-to-Gateway VPN Tunnel with the Wizard Use the VPN Wizard to Configure the Gateway for a Client Tunnel Table 45. IPSec VPN Wizard settings for a client-to-gateway tunnel (continued) Use the NETGEAR VPN Client Wizard to Create a Secure Connection Page Page Page c. Specify the settings that are explained in the following table. Table 47. VPN client advanced authentication settings Manually Create a Secure Connection Using the NETGEAR VPN Client Page Page Page Page Figure 144. 3. Specify the settings that are explained in the following table. Table 50. VPN client IPSec configuration settings Page Test the Connection and View Connection and Status Information Test the NETGEAR VPN Client Connection Page NETGEAR VPN Client Status and Log Information View the VPN Firewall IPSec VPN Connection Status View the VPN Firewall IPSec VPN Log Manage IPSec VPN Policies Manage IKE Policies IKE Policies Screen Page Manually Add or Edit an IKE Policy Table 53. Add IKE Policy screen settings Page Table 53. Add IKE Policy screen settings (continued) Manage VPN Policies VPN Policies Screen Manually Add or Edit a VPN Policy Page Page Page Page Page Configure Extended Authentication (XAUTH) Configure XAUTH for VPN Clients User Database Configuration RADIUS Client and Server Configuration Page Table 57. RADIUS Client screen settings (continued) Assign IPv4 Addresses to Remote Users (Mode Config) Mode Config Operation Configure Mode Config Operation on the VPN Firewall Page Table 58. Add Mode Config Record screen settings Page Page Table 59. Add IKE Policy screen settings for a Mode Config configuration Table 59. Add IKE Policy screen settings for a Mode Config configuration (continued) 9. Click Apply to save your settings. The IKE policy is added to the List of IKE Policies table. Configure the ProSafe VPN Client for Mode Config Operation Table 59. Add IKE Policy screen settings for a Mode Config configuration (continued) Page Page Page Page Figure 167. 3. Specify the settings that are explained in the following table. Table 62. VPN client IPSec configuration settings (Mode Config) Page Test the Mode Config Connection Modify or Delete a Mode Config Record Configure Keep-Alives and Dead Peer Detection Configure Keep-Alives Configure Dead Peer Detection Configure NetBIOS Bridging with IPSec VPN Configure the PPTP Server View the Active PPTP Users Configure the L2TP Server View the Active L2TP Users Page Using SSL Connections SSL VPN Portal Options Overview of the SSL Configuration Process Create the Portal Layout Page Page Table 69. Add Portal Layout screen settings Configure Domains, Groups, and Users Configure Applications for Port Forwarding Add Servers and Port Numbers Add a New Host Name Configure the SSL VPN Client Configure the Client IP Address Range Figure 184. SSL VPN Client screen for IPv6 Table 71. SSL VPN Client screen settings for IPv4 and IPv6 Add Routes for VPN Tunnel Clients Use Network Resource Objects to Simplify Policies Add New Network Resources Edit Network Resources to Specify Addresses Figure 186. Table 72. Resources screen settings to edit a resource Configure User, Group, and Global Policies View Policies Add an IPv4 or IPv6 SSL VPN Policy Figure 189. Add SSL VPN Policy screen for IPv6 Table 73. Add SSL VPN Policy screen settings Table 73. Add SSL VPN Policy screen settings (continued) Page Access the New SSL Portal Login Screen Page View the SSL VPN Connection Status and SSL VPN Log Page VPN Certificates The VPN Firewalls Authentication Process and Options Manage Users, Authentication, and VPN Certificates ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Table 74. External authentication protocols and methods Configure Authentication Domains, Groups, and Users Configure Domains Create Domains Page Manage Users, Authentication, and VPN Certificates ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Table 75. Add Domain screen settings (continued) Page Edit Domains Configure Groups Create Groups Edit Groups Configure User Accounts Page Page Set User Login Policies Configure Login Policies Configure Login Restrictions Based on IPv4 Addresses Configure Login Restrictions Based on IPv6 Addresses Page Configure Login Restrictions Based on Web Browser Change Passwords and Other User Settings Page Manage Digital Certificates for VPN Connections VPN Certificates Screen Manage VPN CA Certificates Manage VPN Self-Signed Certificates Generate a CSR and Obtain a Self-Signed Certificate from a CA Page Page View and Manage Self-Signed Certificates Manage the VPN Certificate Revocation List Performance Management Bandwidth Capacity Features That Reduce Traffic LAN WAN Outbound Rules and DMZ WAN Outbound Rules (Service Blocking) Page Content Filtering Source MAC Filtering Features That Increase Traffic LAN WAN Inbound Rules and DMZ WAN Inbound Rules (Port Forwarding) Page Port Trigg ering DMZ Port Exposed Hosts VPN, L2TP, and PPTP Tunnels Use QoS and Bandwidth Assignment to Shift the Traffic Mix Set QoS Priorities Assign Bandwidth Profiles Monitoring Tools for Traffic Management System Management Change Passwords and Administrator and Guest Settings Page Configure Remote Management Access Page Network and System Management ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Figure 216. Remote Management screen for IPv6 Table 82. Remote Management screen settings for IPv4 and IPv6 About Remote Access Use the Command-Line Interface Use a Simple Network Management Protocol Manager Page Page Page Page Manage the Configuration File Back Up Settings Restore Settin gs Revert to Factory Default Settings Upgrade the Firmware Select the Firmware and Reboot the VPN Firewall Configure Date and Time Service Page Network and System Management ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Table 86. Time Zone screen settings (continued) Page Configure and Enable the WAN Traffic Meter Figure 223. Table 87. WAN1 Traffic Meter screen settings Page Configure and Enable the LAN Traffic Meter Page To view the LAN IP traffic meter statistics: Table 88. Add LAN Traffic Meter Account screen settings Configure Logging, Alerts, and Event Notifications Page Table 89. Firewall Logs & E-mail screen settings Table 89. Firewall Logs & E-mail screen settings (continued) Page Page How to Send Syslogs over a VPN Tunnel between Sites Configure Gateway 1 at Site 1 Configure Gateway 2 at Site 2 View Status Screens View the System Status Router Status Screen Table 90. Router Status screen information (continued) Router Statist ics Screen Page The following table explains the fields of the Detailed Status screen: Table 92. Detailed Status screen information Table 92. Detailed Status screen information (continued) VLAN Status Screen Figure 235. To view the status of the IPv4 VLANs: Select Monitoring > Router Status > VLAN Status. The VLAN Status screen displays: Table 92. Detailed Status screen information (continued) Tunnel Status Screen Figure 236. To view the status of the tunnels and IPv6 addresses: Select Monitoring > Router Status > Tunnel Status. The Tunnel Status screen displays: Table 93. VLAN Status screen information View the VPN Connection Status, L2TP Users, and PPTP Users Page View the VPN Logs View the Port Triggering Status View the WAN Port Status IPv4 WAN Port Status Page IPv6 WAN Port Status View the Attached Devices and the DHCP Log View the Attached Devices View the DHCP Log Diagnostics Utilities Send a Ping Packet Trace a Route Look Up a DNS Address Display the Routing Tables Capture Packets in Real Time Reboot the VPN Firewall Remotely Page Basic Functioning Power L ED Not On Test LED Never Turns Off LAN or WAN Port LEDs Not On Troubleshoot the Web Management Interface When You Enter a URL or IP Address, a Time-Out Error Occurs Troubleshoot the ISP Connection Troubleshooting the IPv6 Connection Page Page Troubleshoot a TCP/IP Network Using a Ping Utility Test the LAN Path to Your VPN Firewall Test the Path from Your Computer to a Remote Device Restore the Default Configuration and Password Page Address Problems with Date and Time Access the Knowledge Base and Documentation A Specifications Factory Default Settings Page Page Page Page Page Physical and Technical Specifications The following table shows the physical and technical specifications for the VPN firewall: Table 100. VPN firewall physical and technical specifications The following table shows the IPSec VPN specifications for the VPN firewall: The following table shows the SSL VPN specifications for the VPN firewall: Table 101. VPN firewall IPSec VPN specifications Table 102. VPN firewall SSL VPN specifications B Ports (IPv4 Only) What to Consider Before You Begin Page Cabling and Computer Hardware Requirements Computer Network Configuration Requirements Internet Configuration Requirements Where Do I Get the Internet Configuration Information? Internet Connection Information Overview of the Planning Process Inbound Traffic Inbound Traffic to a Single WAN Port System Inbound Traffic to a Dual WAN Port System Inbound Traffic: Dual WAN Ports for Improved Reliability Inbound Traffic: Dual WAN Ports for Load Balancing Virtual Private Networks VPN Road Warrior (Client-to-Gateway) VPN Road Warrior: Single-Gateway WAN Port (Reference Case) VPN Road Warrior: Dual-Gateway WAN Ports for Improved Reliability VPN Road Warrior: Dual-Gateway WAN Ports for Load Balancing VPN Gateway-to-Gateway VPN Gateway-to-Gateway: Single-Gateway WAN Ports (Reference Case) VPN Gateway-to-Gateway: Dual-Gateway WAN Ports for Improved Reliability VPN Gateway-to-Gateway: Dual-Gateway WAN Ports for Load Balancing VPN Telecommuter (Client-to-Gateway through a NAT Router) VPN Telecommuter: Single-Gateway WAN Port (Reference Case) VPN Telecommuter: Dual-Gateway WAN Ports for Improved Reliability VPN Telecommuter: Dual-Gateway WAN Ports for Load Balancing C System Log Messages NTP Login/Logout Table 106. System logs: NTP (continued) This section describes logs generated by the administrative interfaces of the device. This section describes the log message generated during system startup. System Startup Reboot This section describes the log message generated during system reboot. Unicast, Multicast, and Broadcast Logs Firewall Restart This section describes logs that are generated when the VPN firewall restarts. WAN Status Load Balancing Auto-Rollover Table 115. System logs: WAN status, load balancing (continued) Table 116. System logs: WAN status, auto-rollover PPP Logs Table 116. System logs: WAN status, auto-rollover (continued) Table 117. System logs: WAN status, PPPoE idle time-out PPTP Idle Timeout Logs Table 117. System logs: WAN status, PPPoE idle time-out (continued) Table 118. System logs: WAN status, PPTP idle time-out Resolved DNS Names VPN Log Messages IPSec VPN Logs Table 121. System logs: IPSec VPN tunnel, tunnel establishment Page Table 124. System logs: IPSec VPN tunnel, Dead Peer Detection and keep-alive (default 30 sec) Page SSL VPN Logs This section describes the log messages that are generated by SSL VPN policies. Table 127. System logs: IPSec VPN tunnel, client policy behind a NAT device Table 128. System logs: SSL VPN tunnel, WAN host and interface Table 129. System logs: VPN log messages, port forwarding, WAN host and interface Routing Logs LAN to WAN Logs LAN to DMZ Logs WAN to LAN Logs DMZ to WAN Logs Table 132. Routing logs: LAN to WAN Other Event Logs Source MAC Filter Logs Bandwidth Limit Logs DHCP Logs Table 139. Other event logs: source MAC filter logs Table 140. Other event logs: bandwidth limit, outbound bandwidth profile Table 141. Other event logs: bandwidth limit, inbound bandwidth profile Table 142. DHCP logs D Why Do I Need Two-Factor Authentication? What Are the Benefits of Two-Factor Authentication? What Is Two-Factor Authentication? NETGEAR Two-Factor Authentication Solutions Page Page E NETGEAR Wired Products Page Notification of Compliance (Wired) Additional Copyrights Notification of Compliance (Wired) Index Numerics A B C D Page E F G H I J K L M N O P Page Q R S T U V W X