WatchGuard Technologies SSL VPN manual Controlling Network Access, Configuring Network Access

Controlling Network Access

nect to port 9001 when you are logged on from an external connection, configure IP pools and connect to the lowest IP address in the IP pool.

Controlling Network Access

Configuring Network Access

After you configure the appliance to operate in your network environment, the next step is to configure network access for the appliance and for groups and users.

The steps to configure network access are:

•Step 1: Configuring networks to which clients can connect. By default, clients cannot connect to any networks. The first step in configuring network access is to specify the networks that clients can connect to, using the Global Cluster Policies tab.

•Step 2: Configuring authentication and authorization. Authentication defines how users log on and is configured using realms. Authentication types include local, NTLM, LDAP, RADIUS, RSA SecurID, and SafeWord. Authorization types include local, LDAP, RADIUS, NTLM, or no authorization. For more information about configuring authentication and authorization, see“Configuring Authentication and Authorization” on page 61.

•Step 3: Configuring user groups. User groups are used in conjunction with authorization. For example, if your users are connecting using LDAP, create an LDAP authentication realm, and then create a group. The names of the user group must be the same as that on the LDAP server. In addition, you can create local users on the Firebox SSL VPN Gateway for local authentication. Local users are then added to user groups. For information about configuring local users, see “Adding and Configuring Local Users and User Groups” on page 87.

•Step 4: Configuring network access for groups. After you configure your user groups, you then configure network access for the groups. This includes the network resources users in the group are allowed to access, application policies, kiosk connections, and end point policies.

For more information about configuring accessible networks, user groups, and network access for users, see“Adding and Configuring Local Users and User Groups” on page 87.

By default, the Firebox SSL VPN Gateway is blocked from accessing any networks. You must specify the networks that the Firebox SSL VPN Gateway can access, referred to as accessible networks. You then con- trol user access to those networks as follows:

•You create network resource groups.

A network resource group includes one or more network locations. For example, a resource group might provide access to a single application, a subset of applications, a range of IP addresses, or an entire intranet. What you include in a network resource group depends largely on the varying access requirements of your users. You might want to provide some user groups with access to many resources and other user groups with access to smaller subsets of resources. By allowing and denying a user group access to network resource groups, you create an access control list (ACL) for that user group.

•You specify whether or not any user group without an ACL has full access to all of the accessible networks defined for the Firebox SSL VPN Gateway.

By default, user groups without an ACL have access to all of the accessible networks defined for the Firebox SSL VPN Gateway. This default operation provides simple configuration if most of your user groups are to have full network access. By retaining this default operation, you need to configure an ACL only for the user groups that should have more restricted access. The default operation can also be useful for initial testing.