Administration Guide | WatchGuard Technologies SSL VPN

Scenario 2: Creating Guest Accounts Using the Local Users List

5In the left pane, click the "Email server" network resource you just created and drag it to Application Network Policies listed under Application Constraints in the right pane. Click OK.

6In the left pane, expand both the "Remote Sales" user group and the "Remote Engineers" user group.

7In the right pane, under Application Policies, click the "Email Application Policy" and drag it to Application Policies under the Remote Sales user group in the left pane, so that the Application Policy is part of the Remote Sales ACL.

8In the right pane, under Application Policies, click the "Email Application Policy" and drag it to Application Policies under the Remote Engineers user group in the left pane, so that the Application Policy is part of the Remote Engineers ACL.

Note

In the procedure above, the administrator could also add an application end point policy to the application policy to require every client device to meet specific requirements when accessing the email server. For more information, see “Application policies” on page 101.

This procedure concludes the scenario for configuring LDAP authentication and authorization. When this procedure is complete, the administrator has configured all of the following:

•Users can authenticate to the LDAP directory specified in the Default authentication realm using their LDAP directory credentials.

•Users are authorized to access the internal network resources based on their group memberships in the LDAP directory and on the Firebox SSL VPN Gateway.

Only users who are members of the "Remote Sales" group and the "Remote Engineers" group are authorized to access resources on the internal network. (Each of these groups must exist both in the LDAP directory and on the Firebox SSL VPN Gateway.)

•Users in the "Remote Sales" group are authorized to access the Web conference server and file servers in the 10.10.0.0/24 network and the Sales Web application in the 10.60.10.0/24 network.

The Sales users can access the email application on the server with the 10.10.25.50 IP address, but cannot access the email application on other email servers in the allowed networks.

The Sales users can also access other network resources located in the two allowed networks.

•Users in the "Remote Engineering" group can access the Web conference server and the file servers in the 10.10.0.0/24 network (and other network resources located in this network).

The Engineering users can also access the email application on the server with the 10.10.25.50 IP address, but cannot access the email application on other email servers in the allowed networks. To understand the purpose of local users on the Firebox SSL VPN Gateway and to understand how to enable authentication and authorization for the local users, continue to “Scenario 2: Creating Guest Accounts Using the Local Users List” on page 169.

Scenario 2: Creating Guest Accounts Using the Local Users List

This example illustrates how local users work on the Firebox SSL VPN Gateway and shows one way in which an administrator can support authentication and authorization for the local users.

In the previous example, users were authenticated and authorized based on their LDAP directory cre- dentials and group memberships.

Administration Guide

169

WatchGuard Technologies SSL VPN manual Administration Guide

Models: SSL VPN