Manuals / WatchGuard Technologies / Household Appliance / Water Heater

WatchGuard Technologies SSL VPN manual Requiring Certificates from Internal Connections

Models: SSL VPN

1 198

Download 198 pages 26.5 Kb

Page 126

Requiring Certificates from Internal Connections

Requiring Certificates from Internal Connections

3Click Submit.

Requiring Certificates from Internal Connections

To increase security for connections originating from the Firebox SSL VPN Gateway to your internal net- work, you can require the Firebox SSL VPN Gateway to validate SSL server certificates. Previous versions of the Firebox SSL VPN Gateway did not validate the SSL server certificate presented by the Web Inter- face and the Secure Ticket Authority. Validating SSL server certificates is an important security measure as it can help prevent security breaches, such as man-in-the-middle attacks.

The Firebox SSL VPN Gateway requires installing the proper root certificates that are used to sign the server certificates.

To install root certificates,

On the Cluster Config tab, select Administration > Manage Trusted root CA certificates

To require server certificates for internal client connections

On the Global Cluster Policies tab, under SSL Options, select Validate SSL Certificates for Internal Connections.

Wildcard Certificates

The Firebox SSL VPN Gateway supports validation of wildcard certificates for Secure Access Clients. The wildcard certificate has an asterisk (*) in the certificate name. Wildcard certificates can be formatted in one of two ways, such as *.mycompany.com or www*.mycompany.com. When a wildcard certificate is used, clients can choose different Web addresses, such as http://www1.mycompany.com or http://www2.mycompany.com. The use of a wildcard certificate allows several Web sites to be covered by a single certificate.

116	Firebox SSL VPN Gateway

Image 126

WatchGuard Technologies SSL VPN manual Requiring Certificates from Internal Connections, Wildcard Certificates

Contents

Firebox SSL VPN Gateway SALES ADDRESSSUPPORT ABOUT WATCHGUARDContents Firebox SSL VPN Gateway Administration Desktop Configuring Secure Certificate ManagementSetting Up the Firebox SSL VPN Gateway Hardware The Firebox SSL VPN Gateway operates as followsUsing the Serial Console Configuring Authentication and Authorization Using SafeWord for Citrix or SafeWord RemoteAccess for Authentication Generating a Secure Certificate for the Firebox SSL VPN Gateway APPENDIX A Firebox SSL VPN Gateway Monitoring and Troubleshooting Combining the Private Key with the Signed Certificate Audience CHAPTER 1 Getting Started with Firebox SSLVPN Gateway Operating System RequirementsEasy software updates LiveSecurity Service SolutionsThreat responses, alerts, and expert advice Access to technical support and trainingInformation Alert LiveSecurity Service BroadcastsSoftware Update Threat ResponseBasic FAQs LiveSecurity Service Self Help ToolsActivating LiveSecurity Service New from WatchGuardWatchGuard Users Forum Advanced FAQsKnown Issues Fireware “How To”’sOnline Help LiveSecurity Service technical supportUsing the WatchGuard Users Forum Product DocumentationService time Firebox Installation ServiceVPN Installation Service Training and Certificationa certification exam. The training materials include links to books and web sites with more information about network security CHAPTER 2 Introduction to Firebox SSL VPN Gateway OverviewNetwork topology showing the TCP circuit OverviewNew versions of the Secure Access Client New FeaturesAuthentication and one-timepasswords Configurable symmetric encryption ciphersDisable kiosk mode Secure Access Client connectionsDisable desktop sharing Automatic port redirectionUpdated serial console menu FeaturesNTLM authentication and authorization support Administration ToolFirebox SSL VPN Gateway Settings Authentication and AuthorizationUser Groups, Local Users, and Resources Enable External Administration FeatureServer Upgrade Saving and RestoringServerConfigurationFeature Summary The User ExperienceDeployment and Administration Connecting to the Firebox SSL Access PortalPlanning your deployment Planning your deploymentConfiguring Secure Certificate Management Authentication Support•A cross-overcable and a Windows computer Setting Up the Firebox SSL VPN Gateway Hardware To physically connect the Firebox SSL VPN GatewayTo configure TCP/IP settings using a serial cable To configure TCP/IP Settings Using Network Cables To configure TCP/IP settings using network cablesFirebox SSL VPN Gateway Administration Tool To redirect unsecure connections Using the Firebox SSL VPN GatewayThe Firebox SSL VPN Gateway operates as follows 2Click the General Networking tabStarting the Secure Access Client To configure a proxy serverEstablishing the Secure Tunnel Operation through Firewalls and ProxiesPerformance and Real-TimeTraffic Using the Firebox SSL VPN GatewayAdministration Guide Using Kiosk Mode Connecting to a Server Load BalancerUsing the Firebox SSL VPN Gateway Administration GuideUsing the Firebox SSL VPN Gateway Firebox SSL VPN GatewayCHAPTER 3 Configuring Basic Settings Firebox SSL VPN Gateway Administration Desktop Using the Administration PortalDownloads Tab Maintenance Tab Using the Serial ConsoleAdmin Users Tab To change the administrator passwordUsing the Administration Tool To download and install the Administration ToolTo open the serial console Product Activation and Licensing To publish Firebox SSL VPN Gateway settingsUpgrading the tunnel and tunnel upgrade license In SyncManaging Licenses To manage licenses on the Firebox SSL VPN GatewayTo test your configuration To install a license fileTesting Your License Installation Information about Your Licenses7Click My own computer and then click Connect Using Portal PagesUsing the Default Portal Page 1Click the VPN Gateway Cluster tabContent inserted by variable VariableUsing the ActiveX Control Enabling Portal Page Authentication To enable portal page authenticationLinking to Clients from Your Web Site Secure Desktop Access Multiple Log On Options using the Portal PagePre-AuthenticationPolicy Portal Page Secure Application AccessDouble-sourceAuthentication Portal Page Connecting Using a Web AddressConnecting Using Secure Access Client Double-sourceauthentication portal pageTo restore a saved configuration Saving and Restoring the ConfigurationTo save the Firebox SSL VPN Gateway configuration To upgrade the Firebox SSL VPN GatewayFirebox SSL VPN Gateway System Date and Time Restarting the Firebox SSL VPN GatewayShutting Down the Firebox SSL VPN Gateway To restart the Firebox SSL VPN GatewayTo change the system date and time To enable ICMP trafficAllowing ICMP traffic Network Time ProtocolCHAPTER 4 Configuring Firebox SSL VPN Configuring Network InformationGateway Network Connections General Networking General NetworkingVPN port External Public FQDNDuplex mode IP addressTo edit the HOSTS file Name Service ProvidersTo enable split DNS DNS Server 1, DNS Server 2, DNS ServerDynamic and Static Routing Configuring Network RoutingEnable Dynamic Gateway To remove an entry from the HOSTS fileTo configure dynamic routing Configuring Dynamic RoutingEnabling RIP Authentication for Dynamic Routing To enable RIP authentication for dynamic routingTo save dynamic routes to the static route table Configuring a Static RouteChanging from Dynamic Routing to Static Routing To add a static routeTo remove a static route Static Route ExampleTo test a static route Network topology showing a static routeTo set up the example static route Configuring Firebox SSL VPN Gateway FailoverConfiguring Internal Failover To enable internal failoverControlling Network Access Configuring Network AccessSpecifying Accessible Networks Enabling Split Tunneling1Click the Global Cluster Policies tab Configuring User Groups Denying Access to Groups without an ACLTo enable split tunneling 1Click the Global Cluster Policies tabEnabling Improving Voice over IP Connections To deny access to user groups without an ACLImproving Voice over IP Connections 1Click the Global Cluster Policies tabTo improve latency for UDP traffic 1Click the Global Cluster Policies tabCHAPTER 5 Configuring Authentication and AuthorizationConfiguring Authentication and Authorization Configuring Authentication and Authorization Configuring Authentication without Authorization The Default RealmUsing a Local User List for Authentication Adding Users to Multiple Groups Configuring Local UsersChanging Password for Users To add a user to a groupTo remove and create a Default realm Configuring the Default RealmTo change a user’s password 4In Authorization Type, select LDAP AuthorizationCreating Additional Realms To create a realm3On the Action menu, select Remove Default realm Using SafeWord for Authentication To disable Firebox SSL VPN Gateway authentication SafeWord PremierAccess AuthorizationTo configure SafeWord on the Access Gateway To configure the IAS RADIUS realm 1Click the Authentication tabServer 5Select Local computer and click Finish default RADIUS=Standard 22Under Vendor-assignedattribute number, type23In Attribute format, select String Choosing RADIUS Authentication Protocols To specify RADIUS server authenticationTo configure RADIUS authorization 1Click the Authentication tabUser Attribute LDAP authenticationLDAP Server Case SensitiveTo configure LDAP authentication 1Click the Authentication tab5Click the Authentication tab LDAP Authorization 1Click the Authentication tab LDAP authorization group attribute fieldsTo configure LDAP authentication 4Click the Authentication tabTo configure LDAP authorization Determining Attributes in your LDAP Directory Using certificates for secure LDAP connectionsTo install and set up the LDAP Browser To upload a secure client certificate for LDAPPort Using RSA SecurID for AuthenticationHost Base DN5 For Agent type, select UNIX Agent To enable RSA SecurID authentication Configuration Files1Click the Authentication tab Configuring Gemalto Protiva Authentication Configuring RSA Settings for a ClusterResetting the node secret To reset the node secret on the RSA ACE/Server1Click the Authentication tab Configuring NTLM Authentication and AuthorizationTo configure NTLM authentication 5Click the Authentication tabConfiguring NTLM Authorization To configure NTLM authorization3In Authorization type, select NTLM authorization Configuring Double-SourceAuthentication To prevent caching of one-timepasswords1On the Authentication tab, click Authentication Changing Password Labels To change the password labelsAdding Local Users To create a user on the Firebox SSL VPN Gateway1Click the Access Policy Manager tab User Group Overview To delete a user from the Firebox SSL VPN GatewayTo remove a user group Creating User GroupsTo create a local user group 1Click the Access Policy Manager tabTo enable or disable Default group properties Configuring Properties for a User GroupDefault group properties Forcing Users to Log on AgainEnabling domain logon scripts 1Click the Access Policy Manager tabEnabling session time-out To enable logon scriptsTo enable session time-out 1Click the Access Policy Manager tabTo enable Web session time-outs Configuring Web Session Time-OutsSetting Application Options To disable desktop sharingEnabling IP Pooling To configure IP pooling for a groupEnabling Split DNS To allow failover to a user’s local DNSTo specify a portal page for a group Client certificate criteria configurationChoosing a portal page for a group 3In Use this custom portal page, select the pageTo create pre-authenticationpolicies Configuring Resources for a User GroupTo specify client certificate configuration Global policiesGroup properties include Group resources includeAdding Users to Multiple Groups To remove a resource from a user group To configure resource access control for a groupDefining network resources 1Click the Access Policy Manager tabTo create and configure a network resource 1Click the Access Policy Manager tabTo add a network resource to a group To configure an application policyApplication policies To remove a network resourceTo add an application policy to a group Configuring file share resourcesTo deny one application network access To deny applications without policiesTo create a file share resource Configuring kiosk modeTo create and configure a kiosk resource To remove a shareTo create an end point resource Configuring end point resourcesEnd point resources and policies 1Click the Access Policy Manager tabTo create an end point policy for a group Configuring an end point policy for a groupTo delete an end point resource 1Click the Access Policy Manager tabSetting the Priority of Groups To build an end point policy expression1Click the Access Policy Manager tab To view the group priorities for a user Configuring Pre-AuthenticationPoliciesTo set the priority of groups To create pre-authenticationpoliciesSetting the Priority of Groups Firebox SSL VPN GatewayCHAPTER 7 Creating and Installing Secure CertificatesPassword-ProtectedPrivate Keys Overview of the Certificate Signing RequestCreating a Certificate Signing Request To create a Certificate Signing Request1Click the VPN Gateway Cluster tab Resetting the Certificate to the Default Setting Installing Multiple Root CertificatesCreating Root Certificates Using a Command Prompt To reset the default certificateClient Certificates To require client certificates1Click the Global Cluster Policies tab Installing Root Certificates Requiring Certificates from Internal Connections Wildcard CertificatesOperating Systems CHAPTER 8 Working with Client ConnectionsSystem Requirements Web BrowsersUsing the Access Portal To connect using the default portal pageThe Firebox SSL VPN Gateway operates as follows Connecting from a Private ComputerTo remove the Linux VPN client sbin/service net6vpnd startEstablishing the Secure Tunnel ipconfig/all or route printConnecting from a Private Computer Administration GuideOperation through Firewalls and Proxies Using the Secure Access Client Window ActiveX HelperTo log on to the Firebox SSL VPN Gateway Connecting from a Private ComputerAdministration Guide To use the Secure Access Client status properties To disconnect the Secure Access ClientTo manually configure a proxy server To view the Connection LogTo disconnect the Secure Access Client Connecting from a Public Computer Connections Using Kiosk ModeTo enable kiosk mode Creating a Kiosk Mode Resourcecomputer To create and configure a kiosk resource Working with File Share ResourcesTo add a file share to a kiosk resource 1Click the Access Policy Manager tabTo remove a file share To enable client applicationsClient Applications To work with file share resourcesFirefox Web Browser To configure FirefoxTo configure Remote Desktop Remote Desktop clientGaim Instant Messenging Telnet 3270 Emulator ClientVNC Client To use the SSH clientSupporting Secure Access Client To use GaimManaging Client Connections Connection handlingClosing a connection to a resource To disable a user at a particular MAC addressTo enable a user at a particular MAC address Disabling and enabling a user4Click OK Managing Client Connections Firebox SSL VPN GatewayViewing and Downloading System Message Logs Monitoring and TroubleshootingAPPENDIX A Firebox SSL VPN Gateway To view and filter the system log3Click Logging/Settings Forwarding System Messages to a Syslog ServerViewing the W3C-FormattedRequest Log 4Under Gateway Log, click Display Logging WindowMulti Router Traffic Grapher Example To enable logging of SNMP messagesEnabling and Viewing SNMP Logs 2 Under SNMP Settings, select Enable SNMPViewing System Statistics Monitoring Firebox SSL VPN Gateway OperationsxNetTools Firebox SSL Real-timeMonitorEthereal Network Analyzer TracerouteUpgrading to SSL v Reinstalling v 4.9 application softwareBacking up your configuration settings Upgrading to SSL vTroubleshooting the Web Interface TroubleshootingLaunching the v 5.5 Administration Tool Applications do not Appear after Logging OnOther Issues Read/Write Access to the Firebox SSL VPN GatewayWeb Interface Credentials Are Invalid LDAP Authentication Defining Accessible NetworksPing Command VMWareCertificate Signing The Administration Tool Is InaccessibleInternal Failover Certificate Revocation ListsSecure Access Client Connections with Windows XP Certificates Using 512-bitkeypairsSecure Access Client DNS Name Resolution Using Named Service ProvidersClient Connections from a Windows Server NTLM AuthenticationUsing Third-PartyClient Software WINS EntriesAPPENDIX B Using Firewalls with Firebox SSL VPN GatewayTo view Secure Access Client status properties BlackICE PC ProtectionMcAfee Personal Firewall Plus Tiny Personal Firewall Norton Personal FirewallSygate Personal Firewall Free and Pro Versions ServicesZoneAlarm Pro APPENDIX C Installing Windows Certificates To install Cygwin4Click Install from Internet and then click Next Unencrypting the Private Key To unencrypt the private keyConverting to a PEM-FormattedCertificate openssl verify -verbose -CApath /tmp certFileBEGINRSA PRIVATE KEY <Unencrypted Private Key> Administration Guide Intermediate Certificate Intermediate CertificateIntermediate Certificate Firebox SSL VPN Gateway APPENDIX D Examples of Configuring Network Access Administration Guide•Global Cluster Policies •Authentication Collecting the LDAP directory information Collecting the LDAP Directory Information ou=Users,dc=ace,dc=com cn=Users,dc=ace,dc=com Configuring Accessible Networks To configure accessible networks2Click the Global Cluster Policies tab 5In Realm Name, type Default 1Click the Access Policy Manager tab 1Click the Access Policy Manager tab10.10.0.0/24 10.60.10.0/24 10.10.25.50/32 Administration Guide Creating a Guest User Authentication Realm Creating Local Users To add the local users1Click the Access Policy Manager tab 1Click the Access Policy Manager tab 2Expand User Groups and then expand Local UsersAPPENDIX E Legal and Copyright Information GNU GENERAL PUBLIC LICENSE change be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or NO WARRANTY END OF TERMS AND CONDITIONS Administration Guide Firebox SSL VPN Gateway Index Page Page Page Page Page Page Firebox SSL VPN Gateway