Manuals / WatchGuard Technologies / Household Appliance / Water Heater

WatchGuard Technologies SSL VPN manual Configuring Secure Certificate Management

Models: SSL VPN

1 198

Download 198 pages 26.5 Kb

Page 4

Configuring Secure Certificate Management

Disable kiosk mode	12
Specify multiple ports and port ranges for network resources	12
Voice over IP softphone support	12
Editable HOSTS file	12
NTLM authentication and authorization support. ...................................................................... 13
Added challenge-response to RADIUS user authentication	13
SafeWord PremierAccess changed to support standards-based RADIUS token user
authentication	13
Updated serial console menu	13
Features	13
Administration Tool	13
Firebox SSL VPN Gateway Settings	14
Feature Summary	16
The User Experience	16
Deployment and Administration	17
Planning your deployment	18
Deploying the Firebox SSL VPN Gateway in the Network DMZ	18
Deploying the Firebox SSL VPN Gateway in a Secure Network	18
Planning for Security with the Firebox SSL VPN Gateway	19
Configuring Secure Certificate Management	19
Authentication Support	19
Deploying Additional Appliances for Load Balancing and Failover	20
Installing the Firebox SSL VPN Gateway for the First Time	20
Getting Ready to Install the Firebox SSL VPN Gateway	20
Setting Up the Firebox SSL VPN Gateway Hardware	21
Configuring TCP/IP Settings for the Firebox SSL VPN Gateway	21
Redirecting Connections on Port 80 to a Secure Port	24
Using the Firebox SSL VPN Gateway	24
The Firebox SSL VPN Gateway operates as follows:	24
Starting the Secure Access Client	25
Enabling Single Sign-On Operation for the Secure Access Client	25
Establishing the Secure Tunnel	26
Tunneling Destination Private Address Traffic over SSL or TLS	26
Operation through Firewalls and Proxies	26
Terminating the Secure Tunnel and Returning Packets to the Client	27
Using Kiosk Mode	28
Connecting to a Server Load Balancer	28
CHAPTER 3 Configuring Basic Settings	31
Firebox SSL VPN Gateway Administration Desktop	32
To open the Administration Portal and Administrative Desktop	32
Using the Administration Portal	32
Downloads Tab	32
Admin Users Tab	33
Logging Tab	33
Maintenance Tab	33

iv	WatchGuard SSL VPN Gateway

Image 4

WatchGuard Technologies Configuring Secure Certificate Management, Setting Up the Firebox SSL VPN Gateway Hardware

Contents

Firebox SSL VPN Gateway ADDRESS SUPPORTSALES ABOUT WATCHGUARDContents Configuring Secure Certificate Management Setting Up the Firebox SSL VPN Gateway HardwareFirebox SSL VPN Gateway Administration Desktop The Firebox SSL VPN Gateway operates as followsUsing the Serial Console Configuring Authentication and Authorization Using SafeWord for Citrix or SafeWord RemoteAccess for Authentication Generating a Secure Certificate for the Firebox SSL VPN Gateway APPENDIX A Firebox SSL VPN Gateway Monitoring and Troubleshooting Combining the Private Key with the Signed Certificate CHAPTER 1 Getting Started with Firebox SSL VPN GatewayAudience Operating System RequirementsLiveSecurity Service Solutions Threat responses, alerts, and expert adviceEasy software updates Access to technical support and trainingLiveSecurity Service Broadcasts Software UpdateInformation Alert Threat ResponseLiveSecurity Service Self Help Tools Activating LiveSecurity ServiceBasic FAQs New from WatchGuardAdvanced FAQs Known IssuesWatchGuard Users Forum Fireware “How To”’sLiveSecurity Service technical support Using the WatchGuard Users ForumOnline Help Product DocumentationFirebox Installation Service VPN Installation ServiceService time Training and Certificationa certification exam. The training materials include links to books and web sites with more information about network security CHAPTER 2 Introduction to Firebox SSL VPN Gateway OverviewNetwork topology showing the TCP circuit OverviewNew Features Authentication and one-timepasswordsNew versions of the Secure Access Client Configurable symmetric encryption ciphersSecure Access Client connections Disable desktop sharingDisable kiosk mode Automatic port redirectionFeatures NTLM authentication and authorization supportUpdated serial console menu Administration ToolAuthentication and Authorization Firebox SSL VPN Gateway SettingsUser Groups, Local Users, and Resources Feature Server UpgradeEnable External Administration Saving and RestoringServerConfigurationFeature Summary The User ExperienceDeployment and Administration Connecting to the Firebox SSL Access PortalPlanning your deployment Planning your deploymentConfiguring Secure Certificate Management Authentication Support•A cross-overcable and a Windows computer Setting Up the Firebox SSL VPN Gateway Hardware To physically connect the Firebox SSL VPN GatewayTo configure TCP/IP settings using a serial cable To configure TCP/IP settings using network cables To configure TCP/IP Settings Using Network CablesFirebox SSL VPN Gateway Administration Tool Using the Firebox SSL VPN Gateway The Firebox SSL VPN Gateway operates as followsTo redirect unsecure connections 2Click the General Networking tabStarting the Secure Access Client To configure a proxy serverEstablishing the Secure Tunnel Operation through Firewalls and ProxiesUsing the Firebox SSL VPN Gateway Performance and Real-TimeTrafficAdministration Guide Using Kiosk Mode Connecting to a Server Load BalancerUsing the Firebox SSL VPN Gateway Administration GuideUsing the Firebox SSL VPN Gateway Firebox SSL VPN GatewayCHAPTER 3 Configuring Basic Settings Using the Administration Portal Firebox SSL VPN Gateway Administration DesktopDownloads Tab Using the Serial Console Admin Users TabMaintenance Tab To change the administrator passwordTo download and install the Administration Tool Using the Administration ToolTo open the serial console To publish Firebox SSL VPN Gateway settings Upgrading the tunnel and tunnel upgrade licenseProduct Activation and Licensing In SyncManaging Licenses To manage licenses on the Firebox SSL VPN GatewayTo install a license file Testing Your License InstallationTo test your configuration Information about Your LicensesUsing Portal Pages Using the Default Portal Page7Click My own computer and then click Connect 1Click the VPN Gateway Cluster tabContent inserted by variable VariableUsing the ActiveX Control To enable portal page authentication Enabling Portal Page AuthenticationLinking to Clients from Your Web Site Multiple Log On Options using the Portal Page Pre-AuthenticationPolicy Portal PageSecure Desktop Access Secure Application AccessConnecting Using a Web Address Connecting Using Secure Access ClientDouble-sourceAuthentication Portal Page Double-sourceauthentication portal pageSaving and Restoring the Configuration To save the Firebox SSL VPN Gateway configurationTo restore a saved configuration To upgrade the Firebox SSL VPN GatewayRestarting the Firebox SSL VPN Gateway Shutting Down the Firebox SSL VPN GatewayFirebox SSL VPN Gateway System Date and Time To restart the Firebox SSL VPN GatewayTo enable ICMP traffic Allowing ICMP trafficTo change the system date and time Network Time ProtocolConfiguring Network Information CHAPTER 4 Configuring Firebox SSL VPNGateway Network Connections General Networking General NetworkingExternal Public FQDN Duplex modeVPN port IP addressName Service Providers To enable split DNSTo edit the HOSTS file DNS Server 1, DNS Server 2, DNS ServerConfiguring Network Routing Enable Dynamic GatewayDynamic and Static Routing To remove an entry from the HOSTS fileConfiguring Dynamic Routing Enabling RIP Authentication for Dynamic RoutingTo configure dynamic routing To enable RIP authentication for dynamic routingConfiguring a Static Route Changing from Dynamic Routing to Static RoutingTo save dynamic routes to the static route table To add a static routeStatic Route Example To test a static routeTo remove a static route Network topology showing a static routeConfiguring Firebox SSL VPN Gateway Failover Configuring Internal FailoverTo set up the example static route To enable internal failoverControlling Network Access Configuring Network AccessEnabling Split Tunneling Specifying Accessible Networks1Click the Global Cluster Policies tab Denying Access to Groups without an ACL To enable split tunnelingConfiguring User Groups 1Click the Global Cluster Policies tabTo deny access to user groups without an ACL Improving Voice over IP ConnectionsEnabling Improving Voice over IP Connections 1Click the Global Cluster Policies tabTo improve latency for UDP traffic 1Click the Global Cluster Policies tabAuthorization CHAPTER 5 Configuring Authentication andConfiguring Authentication and Authorization Configuring Authentication and Authorization The Default Realm Configuring Authentication without AuthorizationUsing a Local User List for Authentication Configuring Local Users Changing Password for UsersAdding Users to Multiple Groups To add a user to a groupConfiguring the Default Realm To change a user’s passwordTo remove and create a Default realm 4In Authorization Type, select LDAP AuthorizationTo create a realm Creating Additional Realms3On the Action menu, select Remove Default realm Using SafeWord for Authentication SafeWord PremierAccess Authorization To disable Firebox SSL VPN Gateway authenticationTo configure SafeWord on the Access Gateway 1Click the Authentication tab To configure the IAS RADIUS realmServer 5Select Local computer and click Finish 22Under Vendor-assignedattribute number, type default RADIUS=Standard23In Attribute format, select String To specify RADIUS server authentication To configure RADIUS authorizationChoosing RADIUS Authentication Protocols 1Click the Authentication tabLDAP authentication LDAP ServerUser Attribute Case Sensitive1Click the Authentication tab To configure LDAP authentication5Click the Authentication tab LDAP Authorization LDAP authorization group attribute fields To configure LDAP authentication1Click the Authentication tab 4Click the Authentication tabTo configure LDAP authorization Using certificates for secure LDAP connections To install and set up the LDAP BrowserDetermining Attributes in your LDAP Directory To upload a secure client certificate for LDAPUsing RSA SecurID for Authentication HostPort Base DN5 For Agent type, select UNIX Agent Configuration Files To enable RSA SecurID authentication1Click the Authentication tab Configuring RSA Settings for a Cluster Resetting the node secretConfiguring Gemalto Protiva Authentication To reset the node secret on the RSA ACE/ServerConfiguring NTLM Authentication and Authorization To configure NTLM authentication1Click the Authentication tab 5Click the Authentication tabTo configure NTLM authorization Configuring NTLM Authorization3In Authorization type, select NTLM authorization To prevent caching of one-timepasswords Configuring Double-SourceAuthentication1On the Authentication tab, click Authentication Changing Password Labels To change the password labelsTo create a user on the Firebox SSL VPN Gateway Adding Local Users1Click the Access Policy Manager tab User Group Overview To delete a user from the Firebox SSL VPN GatewayCreating User Groups To create a local user groupTo remove a user group 1Click the Access Policy Manager tabConfiguring Properties for a User Group Default group propertiesTo enable or disable Default group properties Forcing Users to Log on AgainEnabling domain logon scripts 1Click the Access Policy Manager tabTo enable logon scripts To enable session time-outEnabling session time-out 1Click the Access Policy Manager tabConfiguring Web Session Time-Outs Setting Application OptionsTo enable Web session time-outs To disable desktop sharingTo configure IP pooling for a group Enabling Split DNSEnabling IP Pooling To allow failover to a user’s local DNSClient certificate criteria configuration Choosing a portal page for a groupTo specify a portal page for a group 3In Use this custom portal page, select the pageConfiguring Resources for a User Group To specify client certificate configurationTo create pre-authenticationpolicies Global policiesGroup properties include Group resources includeAdding Users to Multiple Groups To configure resource access control for a group Defining network resourcesTo remove a resource from a user group 1Click the Access Policy Manager tabTo create and configure a network resource 1Click the Access Policy Manager tabTo configure an application policy Application policiesTo add a network resource to a group To remove a network resourceConfiguring file share resources To deny one application network accessTo add an application policy to a group To deny applications without policiesConfiguring kiosk mode To create and configure a kiosk resourceTo create a file share resource To remove a shareConfiguring end point resources End point resources and policiesTo create an end point resource 1Click the Access Policy Manager tabConfiguring an end point policy for a group To delete an end point resourceTo create an end point policy for a group 1Click the Access Policy Manager tabTo build an end point policy expression Setting the Priority of Groups1Click the Access Policy Manager tab Configuring Pre-AuthenticationPolicies To set the priority of groupsTo view the group priorities for a user To create pre-authenticationpoliciesSetting the Priority of Groups Firebox SSL VPN GatewayCHAPTER 7 Creating and Installing Secure CertificatesPassword-ProtectedPrivate Keys Overview of the Certificate Signing RequestCreating a Certificate Signing Request To create a Certificate Signing Request1Click the VPN Gateway Cluster tab Installing Multiple Root Certificates Creating Root Certificates Using a Command PromptResetting the Certificate to the Default Setting To reset the default certificateTo require client certificates Client Certificates1Click the Global Cluster Policies tab Installing Root Certificates Requiring Certificates from Internal Connections Wildcard CertificatesCHAPTER 8 Working with Client Connections System RequirementsOperating Systems Web BrowsersUsing the Access Portal To connect using the default portal pageConnecting from a Private Computer To remove the Linux VPN clientThe Firebox SSL VPN Gateway operates as follows sbin/service net6vpnd startEstablishing the Secure Tunnel ipconfig/all or route printAdministration Guide Connecting from a Private ComputerOperation through Firewalls and Proxies Using the Secure Access Client Window ActiveX HelperConnecting from a Private Computer To log on to the Firebox SSL VPN GatewayAdministration Guide To use the Secure Access Client status properties To disconnect the Secure Access ClientTo view the Connection Log To manually configure a proxy serverTo disconnect the Secure Access Client Connecting from a Public Computer Connections Using Kiosk ModeCreating a Kiosk Mode Resource To enable kiosk modecomputer Working with File Share Resources To add a file share to a kiosk resourceTo create and configure a kiosk resource 1Click the Access Policy Manager tabTo enable client applications Client ApplicationsTo remove a file share To work with file share resourcesTo configure Firefox To configure Remote DesktopFirefox Web Browser Remote Desktop clientTelnet 3270 Emulator Client VNC ClientGaim Instant Messenging To use the SSH clientSupporting Secure Access Client To use GaimManaging Client Connections Connection handlingTo disable a user at a particular MAC address To enable a user at a particular MAC addressClosing a connection to a resource Disabling and enabling a user4Click OK Managing Client Connections Firebox SSL VPN GatewayMonitoring and Troubleshooting APPENDIX A Firebox SSL VPN GatewayViewing and Downloading System Message Logs To view and filter the system logForwarding System Messages to a Syslog Server Viewing the W3C-FormattedRequest Log3Click Logging/Settings 4Under Gateway Log, click Display Logging WindowTo enable logging of SNMP messages Enabling and Viewing SNMP LogsMulti Router Traffic Grapher Example 2 Under SNMP Settings, select Enable SNMPViewing System Statistics Monitoring Firebox SSL VPN Gateway OperationsFirebox SSL Real-timeMonitor Ethereal Network AnalyzerxNetTools TracerouteReinstalling v 4.9 application software Backing up your configuration settingsUpgrading to SSL v Upgrading to SSL vTroubleshooting Launching the v 5.5 Administration ToolTroubleshooting the Web Interface Applications do not Appear after Logging OnRead/Write Access to the Firebox SSL VPN Gateway Other IssuesWeb Interface Credentials Are Invalid Defining Accessible Networks Ping CommandLDAP Authentication VMWareThe Administration Tool Is Inaccessible Internal FailoverCertificate Signing Certificate Revocation ListsCertificates Using 512-bitkeypairs Secure Access ClientSecure Access Client Connections with Windows XP DNS Name Resolution Using Named Service ProvidersNTLM Authentication Using Third-PartyClient SoftwareClient Connections from a Windows Server WINS EntriesAPPENDIX B Using Firewalls with Firebox SSL VPN GatewayBlackICE PC Protection To view Secure Access Client status propertiesMcAfee Personal Firewall Plus Norton Personal Firewall Sygate Personal Firewall Free and Pro VersionsTiny Personal Firewall ServicesZoneAlarm Pro To install Cygwin APPENDIX C Installing Windows Certificates4Click Install from Internet and then click Next Unencrypting the Private Key To unencrypt the private keyConverting to a PEM-FormattedCertificate openssl verify -verbose -CApath /tmp certFileBEGINRSA PRIVATE KEY <Unencrypted Private Key> Intermediate Certificate Intermediate Certificate Administration GuideIntermediate Certificate Firebox SSL VPN Gateway APPENDIX D Examples of Configuring Network Access Administration Guide•Global Cluster Policies •Authentication Collecting the LDAP directory information Collecting the LDAP Directory Information ou=Users,dc=ace,dc=com cn=Users,dc=ace,dc=com To configure accessible networks Configuring Accessible Networks2Click the Global Cluster Policies tab 5In Realm Name, type Default 1Click the Access Policy Manager tab 1Click the Access Policy Manager tab10.10.0.0/24 10.60.10.0/24 10.10.25.50/32 Administration Guide Creating a Guest User Authentication Realm To add the local users Creating Local Users1Click the Access Policy Manager tab 1Click the Access Policy Manager tab 2Expand User Groups and then expand Local UsersAPPENDIX E Legal and Copyright Information GNU GENERAL PUBLIC LICENSE change be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or NO WARRANTY END OF TERMS AND CONDITIONS Administration Guide Firebox SSL VPN Gateway Index Page Page Page Page Page Page Firebox SSL VPN Gateway