Manuals / WatchGuard Technologies / Household Appliance / Water Heater

WatchGuard Technologies SSL VPN manual APPENDIX B Using Firewalls with Firebox SSL, VPN Gateway

Models: SSL VPN

1 198

Download 198 pages 26.5 Kb

Page 159

APPENDIX B Using Firewalls with Firebox SSL

APPENDIX B Using Firewalls with Firebox SSL

VPN Gateway

If a user cannot establish a connection to the Firebox SSL VPN Gateway or cannot access allowed resources, it is possible that the firewall software on the user’s computer is blocking traffic. The Firebox SSL VPN Gateway works with any personal firewall, provided that the application allows the user to specify a trusted network or IP address for the Firebox SSL VPN Gateway.

This section discuss the following popular firewalls and configuration instructions for them.

•BlackICE PC Protection

•McAfee Personal Firewall Plus

•Norton Personal Firewall

•Sygate Personal Firewall (Free and Pro Versions)

•Tiny Personal Firewall

•ZoneAlarm Pro

Note

The following sections are a supplement to the firewall manufacturer’s documentation. The recommended source for current information about firewall applications and configuration is the manufacturer’s documentation.

WatchGuard recommends that the user’s personal firewall allow full access for the Secure Access Client. If you do not want to allow full access, the following UDP and UDP/TCP ports need to be open on the cli- ent computer:

•10000 (UDP)

•10010 (UDP/TCP)

•10020 (UDP)

•10030 (UDP)

Personal firewalls need to be configured to allow traffic to and from the Firebox SSL VPN Gateway IP address or FQDN. To find out which ports are open, use the Secure Access Client Properties page that is accessible from the connection icon in the notification tray. The ports that are open are listed on the Details tab.

Administration Guide

149

Image 159

WatchGuard Technologies SSL VPN manual APPENDIX B Using Firewalls with Firebox SSL, VPN Gateway

Contents

Firebox SSL VPN Gateway ABOUT WATCHGUARD ADDRESSSUPPORT SALESContents The Firebox SSL VPN Gateway operates as follows Configuring Secure Certificate ManagementSetting Up the Firebox SSL VPN Gateway Hardware Firebox SSL VPN Gateway Administration DesktopUsing the Serial Console Configuring Authentication and Authorization Using SafeWord for Citrix or SafeWord RemoteAccess for Authentication Generating a Secure Certificate for the Firebox SSL VPN Gateway APPENDIX A Firebox SSL VPN Gateway Monitoring and Troubleshooting Combining the Private Key with the Signed Certificate Operating System Requirements CHAPTER 1 Getting Started with Firebox SSLVPN Gateway AudienceAccess to technical support and training LiveSecurity Service SolutionsThreat responses, alerts, and expert advice Easy software updatesThreat Response LiveSecurity Service BroadcastsSoftware Update Information AlertNew from WatchGuard LiveSecurity Service Self Help ToolsActivating LiveSecurity Service Basic FAQsFireware “How To”’s Advanced FAQsKnown Issues WatchGuard Users ForumProduct Documentation LiveSecurity Service technical supportUsing the WatchGuard Users Forum Online HelpTraining and Certification Firebox Installation ServiceVPN Installation Service Service timea certification exam. The training materials include links to books and web sites with more information about network security Overview CHAPTER 2 Introduction to Firebox SSL VPN GatewayOverview Network topology showing the TCP circuitConfigurable symmetric encryption ciphers New FeaturesAuthentication and one-timepasswords New versions of the Secure Access ClientAutomatic port redirection Secure Access Client connectionsDisable desktop sharing Disable kiosk modeAdministration Tool FeaturesNTLM authentication and authorization support Updated serial console menuFirebox SSL VPN Gateway Settings Authentication and AuthorizationUser Groups, Local Users, and Resources Saving and RestoringServerConfiguration FeatureServer Upgrade Enable External AdministrationThe User Experience Feature SummaryConnecting to the Firebox SSL Access Portal Deployment and AdministrationPlanning your deployment Planning your deploymentAuthentication Support Configuring Secure Certificate Management•A cross-overcable and a Windows computer To physically connect the Firebox SSL VPN Gateway Setting Up the Firebox SSL VPN Gateway HardwareTo configure TCP/IP settings using a serial cable To configure TCP/IP Settings Using Network Cables To configure TCP/IP settings using network cablesFirebox SSL VPN Gateway Administration Tool 2Click the General Networking tab Using the Firebox SSL VPN GatewayThe Firebox SSL VPN Gateway operates as follows To redirect unsecure connectionsTo configure a proxy server Starting the Secure Access ClientOperation through Firewalls and Proxies Establishing the Secure TunnelPerformance and Real-TimeTraffic Using the Firebox SSL VPN GatewayAdministration Guide Connecting to a Server Load Balancer Using Kiosk ModeAdministration Guide Using the Firebox SSL VPN GatewayFirebox SSL VPN Gateway Using the Firebox SSL VPN GatewayCHAPTER 3 Configuring Basic Settings Firebox SSL VPN Gateway Administration Desktop Using the Administration PortalDownloads Tab To change the administrator password Using the Serial ConsoleAdmin Users Tab Maintenance TabUsing the Administration Tool To download and install the Administration ToolTo open the serial console In Sync To publish Firebox SSL VPN Gateway settingsUpgrading the tunnel and tunnel upgrade license Product Activation and LicensingTo manage licenses on the Firebox SSL VPN Gateway Managing LicensesInformation about Your Licenses To install a license fileTesting Your License Installation To test your configuration1Click the VPN Gateway Cluster tab Using Portal PagesUsing the Default Portal Page 7Click My own computer and then click ConnectVariable Content inserted by variableUsing the ActiveX Control Enabling Portal Page Authentication To enable portal page authenticationLinking to Clients from Your Web Site Secure Application Access Multiple Log On Options using the Portal PagePre-AuthenticationPolicy Portal Page Secure Desktop AccessDouble-sourceauthentication portal page Connecting Using a Web AddressConnecting Using Secure Access Client Double-sourceAuthentication Portal PageTo upgrade the Firebox SSL VPN Gateway Saving and Restoring the ConfigurationTo save the Firebox SSL VPN Gateway configuration To restore a saved configurationTo restart the Firebox SSL VPN Gateway Restarting the Firebox SSL VPN GatewayShutting Down the Firebox SSL VPN Gateway Firebox SSL VPN Gateway System Date and TimeNetwork Time Protocol To enable ICMP trafficAllowing ICMP traffic To change the system date and timeCHAPTER 4 Configuring Firebox SSL VPN Configuring Network InformationGateway Network Connections General Networking General NetworkingIP address External Public FQDNDuplex mode VPN portDNS Server 1, DNS Server 2, DNS Server Name Service ProvidersTo enable split DNS To edit the HOSTS fileTo remove an entry from the HOSTS file Configuring Network RoutingEnable Dynamic Gateway Dynamic and Static RoutingTo enable RIP authentication for dynamic routing Configuring Dynamic RoutingEnabling RIP Authentication for Dynamic Routing To configure dynamic routingTo add a static route Configuring a Static RouteChanging from Dynamic Routing to Static Routing To save dynamic routes to the static route tableNetwork topology showing a static route Static Route ExampleTo test a static route To remove a static routeTo enable internal failover Configuring Firebox SSL VPN Gateway FailoverConfiguring Internal Failover To set up the example static routeConfiguring Network Access Controlling Network AccessSpecifying Accessible Networks Enabling Split Tunneling1Click the Global Cluster Policies tab 1Click the Global Cluster Policies tab Denying Access to Groups without an ACLTo enable split tunneling Configuring User Groups1Click the Global Cluster Policies tab To deny access to user groups without an ACLImproving Voice over IP Connections Enabling Improving Voice over IP Connections1Click the Global Cluster Policies tab To improve latency for UDP trafficCHAPTER 5 Configuring Authentication and AuthorizationConfiguring Authentication and Authorization Configuring Authentication and Authorization Configuring Authentication without Authorization The Default RealmUsing a Local User List for Authentication To add a user to a group Configuring Local UsersChanging Password for Users Adding Users to Multiple Groups4In Authorization Type, select LDAP Authorization Configuring the Default RealmTo change a user’s password To remove and create a Default realmCreating Additional Realms To create a realm3On the Action menu, select Remove Default realm Using SafeWord for Authentication To disable Firebox SSL VPN Gateway authentication SafeWord PremierAccess AuthorizationTo configure SafeWord on the Access Gateway To configure the IAS RADIUS realm 1Click the Authentication tabServer 5Select Local computer and click Finish default RADIUS=Standard 22Under Vendor-assignedattribute number, type23In Attribute format, select String 1Click the Authentication tab To specify RADIUS server authenticationTo configure RADIUS authorization Choosing RADIUS Authentication ProtocolsCase Sensitive LDAP authenticationLDAP Server User AttributeTo configure LDAP authentication 1Click the Authentication tab5Click the Authentication tab LDAP Authorization 4Click the Authentication tab LDAP authorization group attribute fieldsTo configure LDAP authentication 1Click the Authentication tabTo configure LDAP authorization To upload a secure client certificate for LDAP Using certificates for secure LDAP connectionsTo install and set up the LDAP Browser Determining Attributes in your LDAP DirectoryBase DN Using RSA SecurID for AuthenticationHost Port5 For Agent type, select UNIX Agent To enable RSA SecurID authentication Configuration Files1Click the Authentication tab To reset the node secret on the RSA ACE/Server Configuring RSA Settings for a ClusterResetting the node secret Configuring Gemalto Protiva Authentication5Click the Authentication tab Configuring NTLM Authentication and AuthorizationTo configure NTLM authentication 1Click the Authentication tabConfiguring NTLM Authorization To configure NTLM authorization3In Authorization type, select NTLM authorization Configuring Double-SourceAuthentication To prevent caching of one-timepasswords1On the Authentication tab, click Authentication To change the password labels Changing Password LabelsAdding Local Users To create a user on the Firebox SSL VPN Gateway1Click the Access Policy Manager tab To delete a user from the Firebox SSL VPN Gateway User Group Overview1Click the Access Policy Manager tab Creating User GroupsTo create a local user group To remove a user groupForcing Users to Log on Again Configuring Properties for a User GroupDefault group properties To enable or disable Default group properties1Click the Access Policy Manager tab Enabling domain logon scripts1Click the Access Policy Manager tab To enable logon scriptsTo enable session time-out Enabling session time-outTo disable desktop sharing Configuring Web Session Time-OutsSetting Application Options To enable Web session time-outsTo allow failover to a user’s local DNS To configure IP pooling for a groupEnabling Split DNS Enabling IP Pooling3In Use this custom portal page, select the page Client certificate criteria configurationChoosing a portal page for a group To specify a portal page for a groupGlobal policies Configuring Resources for a User GroupTo specify client certificate configuration To create pre-authenticationpoliciesGroup resources include Group properties includeAdding Users to Multiple Groups 1Click the Access Policy Manager tab To configure resource access control for a groupDefining network resources To remove a resource from a user group1Click the Access Policy Manager tab To create and configure a network resourceTo remove a network resource To configure an application policyApplication policies To add a network resource to a groupTo deny applications without policies Configuring file share resourcesTo deny one application network access To add an application policy to a groupTo remove a share Configuring kiosk modeTo create and configure a kiosk resource To create a file share resource1Click the Access Policy Manager tab Configuring end point resourcesEnd point resources and policies To create an end point resource1Click the Access Policy Manager tab Configuring an end point policy for a groupTo delete an end point resource To create an end point policy for a groupSetting the Priority of Groups To build an end point policy expression1Click the Access Policy Manager tab To create pre-authenticationpolicies Configuring Pre-AuthenticationPoliciesTo set the priority of groups To view the group priorities for a userFirebox SSL VPN Gateway Setting the Priority of GroupsCertificates CHAPTER 7 Creating and Installing SecureOverview of the Certificate Signing Request Password-ProtectedPrivate KeysTo create a Certificate Signing Request Creating a Certificate Signing Request1Click the VPN Gateway Cluster tab To reset the default certificate Installing Multiple Root CertificatesCreating Root Certificates Using a Command Prompt Resetting the Certificate to the Default SettingClient Certificates To require client certificates1Click the Global Cluster Policies tab Installing Root Certificates Wildcard Certificates Requiring Certificates from Internal ConnectionsWeb Browsers CHAPTER 8 Working with Client ConnectionsSystem Requirements Operating SystemsTo connect using the default portal page Using the Access Portalsbin/service net6vpnd start Connecting from a Private ComputerTo remove the Linux VPN client The Firebox SSL VPN Gateway operates as followsipconfig/all or route print Establishing the Secure TunnelConnecting from a Private Computer Administration GuideOperation through Firewalls and Proxies ActiveX Helper Using the Secure Access Client WindowTo log on to the Firebox SSL VPN Gateway Connecting from a Private ComputerAdministration Guide To disconnect the Secure Access Client To use the Secure Access Client status propertiesTo manually configure a proxy server To view the Connection LogTo disconnect the Secure Access Client Connections Using Kiosk Mode Connecting from a Public ComputerTo enable kiosk mode Creating a Kiosk Mode Resourcecomputer 1Click the Access Policy Manager tab Working with File Share ResourcesTo add a file share to a kiosk resource To create and configure a kiosk resourceTo work with file share resources To enable client applicationsClient Applications To remove a file shareRemote Desktop client To configure FirefoxTo configure Remote Desktop Firefox Web BrowserTo use the SSH client Telnet 3270 Emulator ClientVNC Client Gaim Instant MessengingTo use Gaim Supporting Secure Access ClientConnection handling Managing Client ConnectionsDisabling and enabling a user To disable a user at a particular MAC addressTo enable a user at a particular MAC address Closing a connection to a resource4Click OK Firebox SSL VPN Gateway Managing Client ConnectionsTo view and filter the system log Monitoring and TroubleshootingAPPENDIX A Firebox SSL VPN Gateway Viewing and Downloading System Message Logs4Under Gateway Log, click Display Logging Window Forwarding System Messages to a Syslog ServerViewing the W3C-FormattedRequest Log 3Click Logging/Settings2 Under SNMP Settings, select Enable SNMP To enable logging of SNMP messagesEnabling and Viewing SNMP Logs Multi Router Traffic Grapher ExampleMonitoring Firebox SSL VPN Gateway Operations Viewing System StatisticsTraceroute Firebox SSL Real-timeMonitorEthereal Network Analyzer xNetToolsUpgrading to SSL v Reinstalling v 4.9 application softwareBacking up your configuration settings Upgrading to SSL vApplications do not Appear after Logging On TroubleshootingLaunching the v 5.5 Administration Tool Troubleshooting the Web InterfaceOther Issues Read/Write Access to the Firebox SSL VPN GatewayWeb Interface Credentials Are Invalid VMWare Defining Accessible NetworksPing Command LDAP AuthenticationCertificate Revocation Lists The Administration Tool Is InaccessibleInternal Failover Certificate SigningDNS Name Resolution Using Named Service Providers Certificates Using 512-bitkeypairsSecure Access Client Secure Access Client Connections with Windows XPWINS Entries NTLM AuthenticationUsing Third-PartyClient Software Client Connections from a Windows ServerVPN Gateway APPENDIX B Using Firewalls with Firebox SSLTo view Secure Access Client status properties BlackICE PC ProtectionMcAfee Personal Firewall Plus Services Norton Personal FirewallSygate Personal Firewall Free and Pro Versions Tiny Personal FirewallZoneAlarm Pro APPENDIX C Installing Windows Certificates To install Cygwin4Click Install from Internet and then click Next To unencrypt the private key Unencrypting the Private Keyopenssl verify -verbose -CApath /tmp certFile Converting to a PEM-FormattedCertificateBEGINRSA PRIVATE KEY <Unencrypted Private Key> Administration Guide Intermediate Certificate Intermediate CertificateIntermediate Certificate Firebox SSL VPN Gateway Administration Guide APPENDIX D Examples of Configuring Network Access•Global Cluster Policies •Authentication Collecting the LDAP directory information Collecting the LDAP Directory Information ou=Users,dc=ace,dc=com cn=Users,dc=ace,dc=com Configuring Accessible Networks To configure accessible networks2Click the Global Cluster Policies tab 5In Realm Name, type Default 1Click the Access Policy Manager tab 1Click the Access Policy Manager tab10.10.0.0/24 10.60.10.0/24 10.10.25.50/32 Administration Guide Creating a Guest User Authentication Realm Creating Local Users To add the local users1Click the Access Policy Manager tab 2Expand User Groups and then expand Local Users 1Click the Access Policy Manager tabAPPENDIX E Legal and Copyright Information GNU GENERAL PUBLIC LICENSE change be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or NO WARRANTY END OF TERMS AND CONDITIONS Administration Guide Firebox SSL VPN Gateway Index Page Page Page Page Page Page Firebox SSL VPN Gateway