WatchGuard Technologies SSL VPN manual Collecting the LDAP Directory Information

Collecting the LDAP Directory Information

Scenario 1: Configuring LDAP Authentication and Authorization

For example, if the Firebox SSL VPN Gateway operates with the Microsoft Active Directory, the Firebox SSL VPN Gateway checks the "memberOf" attribute in the Person entry to determine the groups to which a user belongs.

In this example, we assume that the group membership attribute indicates that a user is a member of an LDAP directory group named "Remote Sales."

The Firebox SSL VPN Gateway then looks for a user group configured on the Access Policy Manager tab of the Administration Tool that has a name that matches the name of an LDAP directory group to which the user belongs.

In this example, the Firebox SSL VPN Gateway looks for a user group named "Remote Sales" configured on the Firebox SSL VPN Gateway.

If the Firebox SSL VPN Gateway finds a user group configured on the Firebox SSL VPN Gateway that has the same name as an LDAP directory group to which the user belongs, the Firebox SSL VPN Gateway grants the user the access privileges (authorization) assigned to that user group on the Firebox SSL VPN Gateway.

In this example, the Firebox SSL VPN Gateway provides the user with the access levels associated with the "Remote Sales" user group on the Access Policy Manager tab of the Administration Tool. Therefore, before the administrator can authorize the Sales and Engineering users to access internal network resources through the Firebox SSL VPN Gateway, the administrator must know the LDAP directory groups to which these users belong.
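The group-name matching described above, as an added example that is not WatchGuard's code: it takes the "memberOf" values of an Active Directory Person entry (full group distinguished names), extracts each group's CN, and matches it case-insensitively against the user groups configured on the gateway. The Person entry, the gateway group table and the resource names are constructed for the example; matching on the CN of the DN and the case-insensitive comparison are assumptions about how the gateway performs the lookup.

```python
# Added example (not WatchGuard's code): maps the memberOf values of an
# Active Directory Person entry onto user groups configured on the gateway,
# as the scenario above describes.

# Constructed sample: memberOf values as Active Directory returns them
# (full distinguished names of the groups the user belongs to).
SAMPLE_PERSON_ENTRY = {
    "sAMAccountName": "jdoe",
    "memberOf": [
        "CN=Remote Sales,OU=Groups,DC=example,DC=com",
        "CN=Domain Users,CN=Users,DC=example,DC=com",
        "CN=Smith\\, John Team,OU=Groups,DC=example,DC=com",  # escaped comma in CN
    ],
}

# Constructed sample: user groups defined on the gateway's Access Policy
# Manager tab, keyed by group name, with the internal resources each may reach.
GATEWAY_USER_GROUPS = {
    "Remote Sales": {"crm.internal", "files.internal"},
    "Remote Engineers": {"git.internal", "build.internal"},
}


def split_dn(dn):
    """Split a distinguished name into its RDN strings, honouring
    backslash-escaped commas (RFC 4514) so 'Smith\\, John' stays whole."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return parts


def group_name_from_dn(dn):
    """Return the value of the leading CN= RDN with escapes removed, or None
    when the DN does not start with a CN. Assumption: the gateway matches on
    the group's name, which in Active Directory is the group's CN."""
    first = split_dn(dn)[0]
    attr, sep, value = first.partition("=")
    if not sep or attr.strip().lower() != "cn":
        return None
    return value.replace("\\,", ",").strip()


def authorize(person_entry, gateway_groups):
    """Return (matched gateway group names, union of their resources).

    Matching is case-insensitive because Active Directory group names are
    compared case-insensitively. A user whose groups match no configured
    gateway group gets an empty resource set, i.e. no access."""
    configured = {name.lower(): name for name in gateway_groups}
    matched = []
    for dn in person_entry.get("memberOf", []):
        name = group_name_from_dn(dn)
        if name is not None and name.lower() in configured:
            matched.append(configured[name.lower()])
    resources = set()
    for name in matched:
        resources |= gateway_groups[name]
    return matched, resources


if __name__ == "__main__":
    groups, resources = authorize(SAMPLE_PERSON_ENTRY, GATEWAY_USER_GROUPS)
    print("matched gateway groups:", groups)
    print("authorized resources:", sorted(resources))
```

Only the leading CN is compared, so a group nested under a container whose CN happens to equal a gateway group name (for example a "Remote Sales" OU rather than group) does not match; the sample user is a member of "Domain Users" and a team group with an escaped comma, and neither is authorized because neither name is configured on the gateway.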

At this point in this user access scenario, the administrator must accomplish one of two things regarding the group membership of the users:

- Identify groups on the LDAP directory that contain all of the members who need remote access to the internal networks

- If there are no existing groups that contain all of the appropriate members, the administrator can create new groups in the LDAP directory and add the appropriate members to these groups

In this example, we assume that the administrator creates groups named "Remote Sales" and "Remote Engineers" in the LDAP directory and populates these groups with the Sales and Engineering users that need remote access to the internal network resources.

Collecting the LDAP Directory Information

Collecting the LDAP directory information is the last of three procedures the administrator performs to prepare for the LDAP authentication and authorization configuration.

In this example scenario, the organization uses a single LDAP directory as its user repository. Before the administrator can configure the Firebox SSL VPN Gateway to support authentication and authorization with an LDAP directory, the administrator must collect information about the LDAP directory. This information is used in a later procedure to configure the Firebox SSL VPN Gateway to connect to the LDAP directory to perform user and group name lookups.

Note

To determine the information needed to configure a particular authentication or authorization type, click the Authentication tab in the Administration Tool and create a test authentication realm that includes the authentication and authorization types that you must support. Collect the information needed to complete the fields for the selected authentication and authorization types.

In this procedure, the administrator collects the following information about the LDAP directory.

LDAP Server IP address. The IP address of the computer running the LDAP server.

162

Firebox SSL VPN Gateway
