WatchGuard Technologies SSL VPN manual Collecting the LDAP directory information

Models: SSL VPN


Scenario 1: Configuring LDAP Authentication and Authorization

Determining the internal networks that include the needed resources

Determining the internal networks that include the needed resources is the first of three procedures the administrator performs to prepare for the LDAP authentication and authorization configuration. In this procedure, the administrator determines the network locations of the resources that the remote users must access. As noted earlier:

• Remote users working for the Sales department must have access to an email server, a Web conference server, a Sales Web application, and several file servers residing on the internal network

• Remote users working for the Engineering department must have access to an email server, a Web conference server, and several file servers residing on the internal network

• Three email servers are operating in the internal network, but the administrator wants remote users to access only one of these email servers

To complete this procedure in this example, we assume the administrator collects the following information:

• The Web conference server, email servers, and file servers that the remote Sales and Engineering users must access all reside in the network 10.10.0.0/24

• The server containing the Sales Web application resides in the network 10.60.10.0/24

• The single email server that remote users must access has the IP address 10.10.25.50

Determining the Sales and Engineering users who need remote access

Determining the Sales and Engineering users who need remote access is the second of three procedures the administrator performs to prepare for LDAP authentication and authorization configuration.

Before an administrator can configure the Firebox SSL VPN Gateway to support authorization with an LDAP directory, the administrator must understand how the Firebox SSL VPN Gateway uses groups to perform the authorization process.

Specifically, the administrator must understand the relationship between a user's group membership in the LDAP directory and a user's group membership on the Firebox SSL VPN Gateway.

Note

The Firebox SSL VPN Gateway also relies on user groups in a similar way to support authorization types such as RADIUS.

When a user in an LDAP directory connects to the Firebox SSL VPN Gateway, the following basic authentication and authorization sequence occurs:

1. The user enters the credentials held for that user in the LDAP directory. The Firebox SSL VPN Gateway looks the user up in the LDAP directory, verifies the credentials, and logs the user on.

2. After the user authenticates successfully, the Firebox SSL VPN Gateway examines an attribute in the user's LDAP directory Person entry to determine the LDAP directory groups to which the user belongs.

Administration Guide

161
