WatchGuard Technologies SSL VPN manual Establishing the Secure Tunnel, ipconfig/all or route print


Connecting from a Private Computer

The Firebox SSL VPN Gateway terminates the SSL tunnel, accepts any incoming traffic destined for the private network, and forwards the traffic to the private network. The Firebox SSL VPN Gateway sends traffic back to the remote computer over a secure tunnel.

When a remote user logs on using the Secure Access Client, the Firebox SSL VPN Gateway prompts the user for authentication over HTTP 401 Basic or Digest. The Firebox SSL VPN Gateway authenticates the credentials using an authentication type such as local authentication, RSA SecurID, SafeWord, LDAP, NTLM, or RADIUS. If the credentials are correct, the Firebox SSL VPN Gateway finishes the handshake with the client. This logon step is required only when a user initially downloads the Secure Access Client. If the user is behind a proxy server, the user can specify the proxy server and authentication credentials. For more information, see “Configuring Proxy Servers for the Secure Access Client” on page 125.

The Secure Access Client is installed on the user’s computer. After the first connection, the remote user can subsequently use a desktop shortcut to start the Secure Access Client.

The Advanced Options dialog box, which is used to configure client computer settings, can also be opened by right-clicking the Secure Access Client icon on the desktop and then clicking Properties. If users are connecting using a Web page, they are either prompted to log on or are taken directly to a portal page where they can connect using Secure Access Client.

If the Firebox SSL VPN Gateway is configured to have users log on before making a connection with Secure Access Client, they type their user name and password and then log on. A portal page appears that provides the choice to log on using the full Secure Access Client or in kiosk mode (if enabled). If a user chooses to log on using Secure Access Client, the connection provides full access to the network resources that the user’s group(s) have permission to access.

The access granted by the security policies enables users to work with the remote system just as if they were logged on locally. For example, users might be granted permission to use applications, including Web, client-server, and peer-to-peer applications such as Instant Messaging, video conferencing, and real-time Voice over IP. Users can also map network drives to access allowed network resources, including shared folders and printers.

While connected to a Firebox SSL VPN Gateway, remote users cannot see network information from the site to which they are connected. For example, while connected to the Firebox SSL VPN Gateway, type either of the following at a command prompt:

ipconfig /all
route print

You will not see network information from the corporate network.
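To verify that claim on a client, an administrator can compare the local routing table against the private networks the gateway is configured to secure: no route for those networks should appear. The following is an added example, not part of this manual; it parses a constructed sample of Windows "route print" output and reports any route that overlaps an assumed list of secured networks.

```python
import ipaddress
import re

# Constructed sample of the IPv4 section of Windows "route print" output.
# Not captured from a real Firebox SSL VPN Gateway session.
SAMPLE_ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.20     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
      192.168.1.0    255.255.255.0         On-link      192.168.1.20    281
  255.255.255.255  255.255.255.255         On-link      192.168.1.20    281
===========================================================================
"""

# One active-route line: destination, netmask, gateway, interface, metric.
ROUTE_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$"
)


def parse_routes(text):
    """Return (network, gateway) pairs from "route print" output."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_LINE.match(line)
        if m:
            dest, mask, gateway, _iface, _metric = m.groups()
            # ipaddress accepts a dotted-decimal netmask after the slash.
            routes.append((ipaddress.ip_network(f"{dest}/{mask}", strict=False), gateway))
    return routes


def routes_overlapping(text, secured_networks):
    """Routes in the local table that overlap any secured private network.

    An empty result means the client's routing table exposes nothing about
    the remote site, which is the behaviour the manual describes.
    secured_networks is an assumed list of CIDR strings, e.g. ["10.0.0.0/8"].
    """
    secured = [ipaddress.ip_network(n) for n in secured_networks]
    hits = []
    for net, gateway in parse_routes(text):
        if net.prefixlen == 0:
            continue  # the default route is not specific to the remote site
        if any(net.overlaps(s) for s in secured):
            hits.append((str(net), gateway))
    return hits
```

On a real client, pipe the output of route print into parse_routes instead of the constructed sample.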

Establishing the Secure Tunnel

After the Secure Access Client is started, it establishes a secure tunnel over port 443 (or any configured port on the Firebox SSL VPN Gateway) and sends authentication information. When the tunnel is established, the Firebox SSL VPN Gateway sends configuration information to the Secure Access Client describing the networks to be secured and containing an IP address if you enabled IP pooling. For more information about IP pooling, see “Enabling IP Pooling” on page 94.

Tunneling Private Network Traffic over Secure Connections

When the Secure Access Client is started and the user is authenticated, all network traffic destined for specified private networks is captured and redirected over the secure tunnel to the Firebox SSL VPN Gateway.

The Firebox SSL VPN Gateway intercepts all network connections made by the client device and multiplexes/tunnels them over SSL to the Firebox SSL VPN Gateway, where the traffic is demultiplexed and the connections are forwarded to the correct host and port combination.

The connections are subject to administrative security policies that apply to a single application, a subset of applications, or an entire intranet. You specify the resources (ranges of IP address/subnet pairs)
