Manuals / WatchGuard Technologies / Household Appliance / Water Heater

WatchGuard Technologies SSL VPN manual Configuring Resources for a User Group, Global policies

Models: SSL VPN

1 198

Download 198 pages 26.5 Kb

Page 106

To specify client certificate configuration

Configuring Resources for a User Group

Note

Client certificate configuration is not available for the default user group.

To specify client certificate configuration

1On the Access Policy Manager tab, right-click a group that is not the default group.

2On the Client Certificates tab, under Client Certificate Criteria Expression, type the certificate information.

3Click OK.

Global policies

Users can be restricted from logging on to the Firebox SSL VPN Gateway using Global Policies. When users utilize a Web browser to connect to the Firebox SSL VPN Gateway, before they receive the logon dialog box, the end point policy scans the client computer. If the scan fails, users are prevented from logging on. To log on to the Web portal, the client needs to install the correct applications.

To create pre-authentication policies

1Click the Access Policy Manager tab.

2If an end point policy was created and configured, under End Point Policies, click the configured policy and drag it to Pre-Authentication Policies in the left pane.

Note

To create and configure end point resources and policies, see “End point resources and policies” on page 104.

Configuring Resources for a User Group

Note

For background information about network access, see “Controlling Network Access” on page 56. Inform users about which resources they can access. A sample email with instructions that you can customize is available from the Administration Portal Downloads page. After making the appropriate changes, send the email to your users.

Resources for user groups are configured on the Access Policy Manager tab. The resources include:

•Network Resources

•Application Policies

•File Share Resources

•Kiosk Resources

•End Point Resources

•End Point Policies

•Pre-Authentication Policies

Resources are configured in the right pane of the Access Policy Manager tab. When the settings are complete, the resource is dragged to the group in the left pane. For example, you configured and saved

96	Firebox SSL VPN Gateway

Image 106

WatchGuard Technologies SSL VPN manual Configuring Resources for a User Group, Global policies

Contents

Firebox SSL VPN Gateway SALES ADDRESSSUPPORT ABOUT WATCHGUARDContents Firebox SSL VPN Gateway Administration Desktop Configuring Secure Certificate ManagementSetting Up the Firebox SSL VPN Gateway Hardware The Firebox SSL VPN Gateway operates as followsUsing the Serial Console Configuring Authentication and Authorization Using SafeWord for Citrix or SafeWord RemoteAccess for Authentication Generating a Secure Certificate for the Firebox SSL VPN Gateway APPENDIX A Firebox SSL VPN Gateway Monitoring and Troubleshooting Combining the Private Key with the Signed Certificate Audience CHAPTER 1 Getting Started with Firebox SSLVPN Gateway Operating System RequirementsEasy software updates LiveSecurity Service SolutionsThreat responses, alerts, and expert advice Access to technical support and trainingInformation Alert LiveSecurity Service BroadcastsSoftware Update Threat ResponseBasic FAQs LiveSecurity Service Self Help ToolsActivating LiveSecurity Service New from WatchGuardWatchGuard Users Forum Advanced FAQsKnown Issues Fireware “How To”’sOnline Help LiveSecurity Service technical supportUsing the WatchGuard Users Forum Product DocumentationService time Firebox Installation ServiceVPN Installation Service Training and Certificationa certification exam. The training materials include links to books and web sites with more information about network security CHAPTER 2 Introduction to Firebox SSL VPN Gateway OverviewNetwork topology showing the TCP circuit OverviewNew versions of the Secure Access Client New FeaturesAuthentication and one-timepasswords Configurable symmetric encryption ciphersDisable kiosk mode Secure Access Client connectionsDisable desktop sharing Automatic port redirectionUpdated serial console menu FeaturesNTLM authentication and authorization support Administration ToolAuthentication and Authorization Firebox SSL VPN Gateway SettingsUser Groups, Local Users, and Resources Enable External Administration FeatureServer Upgrade Saving and RestoringServerConfigurationFeature Summary The User ExperienceDeployment and Administration Connecting to the Firebox SSL Access PortalPlanning your deployment Planning your deploymentConfiguring Secure Certificate Management Authentication Support•A cross-overcable and a Windows computer Setting Up the Firebox SSL VPN Gateway Hardware To physically connect the Firebox SSL VPN GatewayTo configure TCP/IP settings using a serial cable To configure TCP/IP settings using network cables To configure TCP/IP Settings Using Network CablesFirebox SSL VPN Gateway Administration Tool To redirect unsecure connections Using the Firebox SSL VPN GatewayThe Firebox SSL VPN Gateway operates as follows 2Click the General Networking tabStarting the Secure Access Client To configure a proxy serverEstablishing the Secure Tunnel Operation through Firewalls and ProxiesUsing the Firebox SSL VPN Gateway Performance and Real-TimeTrafficAdministration Guide Using Kiosk Mode Connecting to a Server Load BalancerUsing the Firebox SSL VPN Gateway Administration GuideUsing the Firebox SSL VPN Gateway Firebox SSL VPN GatewayCHAPTER 3 Configuring Basic Settings Using the Administration Portal Firebox SSL VPN Gateway Administration DesktopDownloads Tab Maintenance Tab Using the Serial ConsoleAdmin Users Tab To change the administrator passwordTo download and install the Administration Tool Using the Administration ToolTo open the serial console Product Activation and Licensing To publish Firebox SSL VPN Gateway settingsUpgrading the tunnel and tunnel upgrade license In SyncManaging Licenses To manage licenses on the Firebox SSL VPN GatewayTo test your configuration To install a license fileTesting Your License Installation Information about Your Licenses7Click My own computer and then click Connect Using Portal PagesUsing the Default Portal Page 1Click the VPN Gateway Cluster tabContent inserted by variable VariableUsing the ActiveX Control To enable portal page authentication Enabling Portal Page AuthenticationLinking to Clients from Your Web Site Secure Desktop Access Multiple Log On Options using the Portal PagePre-AuthenticationPolicy Portal Page Secure Application AccessDouble-sourceAuthentication Portal Page Connecting Using a Web AddressConnecting Using Secure Access Client Double-sourceauthentication portal pageTo restore a saved configuration Saving and Restoring the ConfigurationTo save the Firebox SSL VPN Gateway configuration To upgrade the Firebox SSL VPN GatewayFirebox SSL VPN Gateway System Date and Time Restarting the Firebox SSL VPN GatewayShutting Down the Firebox SSL VPN Gateway To restart the Firebox SSL VPN GatewayTo change the system date and time To enable ICMP trafficAllowing ICMP traffic Network Time ProtocolConfiguring Network Information CHAPTER 4 Configuring Firebox SSL VPNGateway Network Connections General Networking General NetworkingVPN port External Public FQDNDuplex mode IP addressTo edit the HOSTS file Name Service ProvidersTo enable split DNS DNS Server 1, DNS Server 2, DNS ServerDynamic and Static Routing Configuring Network RoutingEnable Dynamic Gateway To remove an entry from the HOSTS fileTo configure dynamic routing Configuring Dynamic RoutingEnabling RIP Authentication for Dynamic Routing To enable RIP authentication for dynamic routingTo save dynamic routes to the static route table Configuring a Static RouteChanging from Dynamic Routing to Static Routing To add a static routeTo remove a static route Static Route ExampleTo test a static route Network topology showing a static routeTo set up the example static route Configuring Firebox SSL VPN Gateway FailoverConfiguring Internal Failover To enable internal failoverControlling Network Access Configuring Network AccessEnabling Split Tunneling Specifying Accessible Networks1Click the Global Cluster Policies tab Configuring User Groups Denying Access to Groups without an ACLTo enable split tunneling 1Click the Global Cluster Policies tabEnabling Improving Voice over IP Connections To deny access to user groups without an ACLImproving Voice over IP Connections 1Click the Global Cluster Policies tabTo improve latency for UDP traffic 1Click the Global Cluster Policies tabAuthorization CHAPTER 5 Configuring Authentication andConfiguring Authentication and Authorization Configuring Authentication and Authorization The Default Realm Configuring Authentication without AuthorizationUsing a Local User List for Authentication Adding Users to Multiple Groups Configuring Local UsersChanging Password for Users To add a user to a groupTo remove and create a Default realm Configuring the Default RealmTo change a user’s password 4In Authorization Type, select LDAP AuthorizationTo create a realm Creating Additional Realms3On the Action menu, select Remove Default realm Using SafeWord for Authentication SafeWord PremierAccess Authorization To disable Firebox SSL VPN Gateway authenticationTo configure SafeWord on the Access Gateway 1Click the Authentication tab To configure the IAS RADIUS realmServer 5Select Local computer and click Finish 22Under Vendor-assignedattribute number, type default RADIUS=Standard23In Attribute format, select String Choosing RADIUS Authentication Protocols To specify RADIUS server authenticationTo configure RADIUS authorization 1Click the Authentication tabUser Attribute LDAP authenticationLDAP Server Case Sensitive1Click the Authentication tab To configure LDAP authentication5Click the Authentication tab LDAP Authorization 1Click the Authentication tab LDAP authorization group attribute fieldsTo configure LDAP authentication 4Click the Authentication tabTo configure LDAP authorization Determining Attributes in your LDAP Directory Using certificates for secure LDAP connectionsTo install and set up the LDAP Browser To upload a secure client certificate for LDAPPort Using RSA SecurID for AuthenticationHost Base DN5 For Agent type, select UNIX Agent Configuration Files To enable RSA SecurID authentication1Click the Authentication tab Configuring Gemalto Protiva Authentication Configuring RSA Settings for a ClusterResetting the node secret To reset the node secret on the RSA ACE/Server1Click the Authentication tab Configuring NTLM Authentication and AuthorizationTo configure NTLM authentication 5Click the Authentication tabTo configure NTLM authorization Configuring NTLM Authorization3In Authorization type, select NTLM authorization To prevent caching of one-timepasswords Configuring Double-SourceAuthentication1On the Authentication tab, click Authentication Changing Password Labels To change the password labelsTo create a user on the Firebox SSL VPN Gateway Adding Local Users1Click the Access Policy Manager tab User Group Overview To delete a user from the Firebox SSL VPN GatewayTo remove a user group Creating User GroupsTo create a local user group 1Click the Access Policy Manager tabTo enable or disable Default group properties Configuring Properties for a User GroupDefault group properties Forcing Users to Log on AgainEnabling domain logon scripts 1Click the Access Policy Manager tabEnabling session time-out To enable logon scriptsTo enable session time-out 1Click the Access Policy Manager tabTo enable Web session time-outs Configuring Web Session Time-OutsSetting Application Options To disable desktop sharingEnabling IP Pooling To configure IP pooling for a groupEnabling Split DNS To allow failover to a user’s local DNSTo specify a portal page for a group Client certificate criteria configurationChoosing a portal page for a group 3In Use this custom portal page, select the pageTo create pre-authenticationpolicies Configuring Resources for a User GroupTo specify client certificate configuration Global policiesGroup properties include Group resources includeAdding Users to Multiple Groups To remove a resource from a user group To configure resource access control for a groupDefining network resources 1Click the Access Policy Manager tabTo create and configure a network resource 1Click the Access Policy Manager tabTo add a network resource to a group To configure an application policyApplication policies To remove a network resourceTo add an application policy to a group Configuring file share resourcesTo deny one application network access To deny applications without policiesTo create a file share resource Configuring kiosk modeTo create and configure a kiosk resource To remove a shareTo create an end point resource Configuring end point resourcesEnd point resources and policies 1Click the Access Policy Manager tabTo create an end point policy for a group Configuring an end point policy for a groupTo delete an end point resource 1Click the Access Policy Manager tabTo build an end point policy expression Setting the Priority of Groups1Click the Access Policy Manager tab To view the group priorities for a user Configuring Pre-AuthenticationPoliciesTo set the priority of groups To create pre-authenticationpoliciesSetting the Priority of Groups Firebox SSL VPN GatewayCHAPTER 7 Creating and Installing Secure CertificatesPassword-ProtectedPrivate Keys Overview of the Certificate Signing RequestCreating a Certificate Signing Request To create a Certificate Signing Request1Click the VPN Gateway Cluster tab Resetting the Certificate to the Default Setting Installing Multiple Root CertificatesCreating Root Certificates Using a Command Prompt To reset the default certificateTo require client certificates Client Certificates1Click the Global Cluster Policies tab Installing Root Certificates Requiring Certificates from Internal Connections Wildcard CertificatesOperating Systems CHAPTER 8 Working with Client ConnectionsSystem Requirements Web BrowsersUsing the Access Portal To connect using the default portal pageThe Firebox SSL VPN Gateway operates as follows Connecting from a Private ComputerTo remove the Linux VPN client sbin/service net6vpnd startEstablishing the Secure Tunnel ipconfig/all or route printAdministration Guide Connecting from a Private ComputerOperation through Firewalls and Proxies Using the Secure Access Client Window ActiveX HelperConnecting from a Private Computer To log on to the Firebox SSL VPN GatewayAdministration Guide To use the Secure Access Client status properties To disconnect the Secure Access ClientTo view the Connection Log To manually configure a proxy serverTo disconnect the Secure Access Client Connecting from a Public Computer Connections Using Kiosk ModeCreating a Kiosk Mode Resource To enable kiosk modecomputer To create and configure a kiosk resource Working with File Share ResourcesTo add a file share to a kiosk resource 1Click the Access Policy Manager tabTo remove a file share To enable client applicationsClient Applications To work with file share resourcesFirefox Web Browser To configure FirefoxTo configure Remote Desktop Remote Desktop clientGaim Instant Messenging Telnet 3270 Emulator ClientVNC Client To use the SSH clientSupporting Secure Access Client To use GaimManaging Client Connections Connection handlingClosing a connection to a resource To disable a user at a particular MAC addressTo enable a user at a particular MAC address Disabling and enabling a user4Click OK Managing Client Connections Firebox SSL VPN GatewayViewing and Downloading System Message Logs Monitoring and TroubleshootingAPPENDIX A Firebox SSL VPN Gateway To view and filter the system log3Click Logging/Settings Forwarding System Messages to a Syslog ServerViewing the W3C-FormattedRequest Log 4Under Gateway Log, click Display Logging WindowMulti Router Traffic Grapher Example To enable logging of SNMP messagesEnabling and Viewing SNMP Logs 2 Under SNMP Settings, select Enable SNMPViewing System Statistics Monitoring Firebox SSL VPN Gateway OperationsxNetTools Firebox SSL Real-timeMonitorEthereal Network Analyzer TracerouteUpgrading to SSL v Reinstalling v 4.9 application softwareBacking up your configuration settings Upgrading to SSL vTroubleshooting the Web Interface TroubleshootingLaunching the v 5.5 Administration Tool Applications do not Appear after Logging OnRead/Write Access to the Firebox SSL VPN Gateway Other IssuesWeb Interface Credentials Are Invalid LDAP Authentication Defining Accessible NetworksPing Command VMWareCertificate Signing The Administration Tool Is InaccessibleInternal Failover Certificate Revocation ListsSecure Access Client Connections with Windows XP Certificates Using 512-bitkeypairsSecure Access Client DNS Name Resolution Using Named Service ProvidersClient Connections from a Windows Server NTLM AuthenticationUsing Third-PartyClient Software WINS EntriesAPPENDIX B Using Firewalls with Firebox SSL VPN GatewayBlackICE PC Protection To view Secure Access Client status propertiesMcAfee Personal Firewall Plus Tiny Personal Firewall Norton Personal FirewallSygate Personal Firewall Free and Pro Versions ServicesZoneAlarm Pro To install Cygwin APPENDIX C Installing Windows Certificates4Click Install from Internet and then click Next Unencrypting the Private Key To unencrypt the private keyConverting to a PEM-FormattedCertificate openssl verify -verbose -CApath /tmp certFileBEGINRSA PRIVATE KEY <Unencrypted Private Key> Intermediate Certificate Intermediate Certificate Administration GuideIntermediate Certificate Firebox SSL VPN Gateway APPENDIX D Examples of Configuring Network Access Administration Guide•Global Cluster Policies •Authentication Collecting the LDAP directory information Collecting the LDAP Directory Information ou=Users,dc=ace,dc=com cn=Users,dc=ace,dc=com To configure accessible networks Configuring Accessible Networks2Click the Global Cluster Policies tab 5In Realm Name, type Default 1Click the Access Policy Manager tab 1Click the Access Policy Manager tab10.10.0.0/24 10.60.10.0/24 10.10.25.50/32 Administration Guide Creating a Guest User Authentication Realm To add the local users Creating Local Users1Click the Access Policy Manager tab 1Click the Access Policy Manager tab 2Expand User Groups and then expand Local UsersAPPENDIX E Legal and Copyright Information GNU GENERAL PUBLIC LICENSE change be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or NO WARRANTY END OF TERMS AND CONDITIONS Administration Guide Firebox SSL VPN Gateway Index Page Page Page Page Page Page Firebox SSL VPN Gateway