WatchGuardFireboxSSL VPN Gateway Administration Guide
Address
Contents
Planning for Security with the Firebox SSL VPN Gateway
Installing the Firebox SSL VPN Gateway for the First Time
To download the portal page templates to your local computer
Configuring Authentication without Authorization
Configuring Firebox SSL VPN Gateway Network Connections
Configuring Ntlm Authentication and Authorization
Using Ldap Servers for Authentication and Authorization
Requiring Certificates from Internal Connections
Digital Certificates and Firebox SSL VPN Gateway Operation
Recovering from a Failure of the Firebox SSL VPN Gateway
Appendix B Using Firewalls with Firebox SSL VPN Gateway
Operating System Requirements
Audience
Access to technical support and training
LiveSecurity Service Solutions
Threat responses, alerts, and expert advice
Easy software updates
Information Alert
LiveSecurity Service Broadcasts
Activating LiveSecurity Service
LiveSecurity Service Self Help Tools
Click Register
Click your selection
To get access to the LiveSecurity Service Self Help Tools
WatchGuard Users Forum
Click Self Help Tools
Product Documentation Technical Support
LiveSecurity Service technical support
Using the WatchGuard Users Forum
Online Help
LiveSecurity Gold
Firebox Installation Service
VPN Installation Service
Training and Certification
Training and Certification
Overview
Introduction to Firebox SSL VPN Gateway
Overview
Network topology showing the TCP circuit
Configurable symmetric encryption ciphers
New Features
Authentication and one-time passwords
New versions of the Secure Access Client
Disable kiosk mode
Secure Access Client connections
Disable desktop sharing
Additional control over Secure Access Client connections
Updated serial console menu
Features
Ntlm authentication and authorization support
Added challenge-response to Radius user authentication
User Groups, Local Users, and Resources
Firebox SSL VPN Gateway Settings
Authentication and Authorization
Following table maps the Firebox SSL VPN Gateway settings
Feature FireboxSSL VPN Gateway Server Upgrade
User Experience
Feature Summary
Connecting to the Firebox SSL Access Portal
Deployment and Administration
Deploying the Firebox SSL VPN Gateway in the Network DMZ
Planning your deployment
Deploying the Firebox SSL VPN Gateway in a Secure Network
RSA SecurID
Configuring Secure Certificate Management
Authentication Support
Planning for Security with the Firebox SSL VPN Gateway
Getting Ready to Install the Firebox SSL VPN Gateway
Installing the Firebox SSL VPN Gateway for the First Time
Configuring TCP/IP Settings for the Firebox SSL VPN Gateway
Setting Up the Firebox SSL VPN Gateway Hardware
To physically connect the Firebox SSL VPN Gateway
To configure TCP/IP settings using a serial cable
Power on the Firebox SSL VPN Gateway
To configure TCP/IP Settings Using Network Cables
To redirect unsecure connections
Using the Firebox SSL VPN Gateway
Redirecting Connections on Port 80 to a Secure Port
Firebox SSL VPN Gateway operates as follows
To configure a proxy server
Starting the Secure Access Client
Operation through Firewalls and Proxies
Establishing the Secure Tunnel
Performance and Real-Time Traffic
Connecting to a Server Load Balancer
Using Kiosk Mode
Using the Firebox SSL VPN Gateway
Using the Firebox SSL VPN Gateway
Configuring Basic Settings
Using the Administration Portal
Firebox SSL VPN Gateway Administration Desktop
Downloads Tab
To change the administrator password
Using the Serial Console
Admin Users Tab
Maintenance Tab
To download and install the Administration Tool
Using the Administration Tool
To open the serial console
Product Activation and Licensing
Publishing Settings to Multiple Firebox SSL VPN Gateways
To publish Firebox SSL VPN Gateway settings
Upgrading the tunnel and tunnel upgrade license
To manage licenses on the Firebox SSL VPN Gateway
Managing Licenses
Information about Your Licenses
To install a license file
Testing Your License Installation
To test your configuration
Using the Default Portal
Blocking External Access to the Administration Portal
Using Portal Pages
To block external access to the Administration Portal
Downloading and Working with Portal Page Templates
Variable Content inserted by variable
Save the file
Using the ActiveX Control
Kiosk mode only
To work with the templates for Windows and Linux users
To remove a portal file from the Firebox SSL VPN Gateway
Enabling Portal Page Authentication
To enable portal page authentication
Linking to Clients from Your Web Site
On the Gateway Portal tab, select Redirect to URL
Multiple Log On Options using the Portal
Pre-Authentication Policy Portal
To configure multiple log on options
Double-source authentication portal
Connecting Using a Web Address
Connecting Using Secure Access Client
Double-source Authentication Portal
To upgrade the Firebox SSL VPN Gateway
Saving and Restoring the Configuration
To save the Firebox SSL VPN Gateway configuration
To restore a saved configuration
To restart the Firebox SSL VPN Gateway
Restarting the Firebox SSL VPN Gateway
Shutting Down the Firebox SSL VPN Gateway
Firebox SSL VPN Gateway System Date and Time
Network Time Protocol
To enable Icmp traffic
Allowing Icmp traffic
To change the system date and time
Configuring Network Information
Configuring Firebox SSL VPN Gateway Network Connections
Firebox SSL VPN Gateway located inside the firewall
General Networking
MTU
To add an entry to the Hosts file
Name Service Providers
To enable split DNS
To edit the Hosts file
Dynamic and Static Routing
Configuring Network Routing
To remove an entry from the Hosts file
To enable RIP authentication for dynamic routing
Configuring Dynamic Routing
Enabling RIP Authentication for Dynamic Routing
To configure dynamic routing
To add a static route
Configuring a Static Route
Changing from Dynamic Routing to Static Routing
To save dynamic routes to the static route table
Network topology showing a static route
Static Route Example
To test a static route
To remove a static route
To enable internal failover
Configuring Firebox SSL VPN Gateway Failover
Configuring Internal Failover
To set up the example static route
Configuring Network Access
Controlling Network Access
Click the Global Cluster Policies tab
Specifying Accessible Networks
To give the Firebox SSL VPN Gateway access to a network
Enabling Split Tunneling
To enable split tunneling
Denying Access to Groups without an ACL
Configuring User Groups
Specific ciphers used to encrypt the UDP traffic include
To deny access to user groups without an ACL
Improving Voice over IP Connections
Enabling Improving Voice over IP Connections
To improve latency for UDP traffic
Configuring Authentication and Authorization
Configuring Authentication Authorization
Configuring Authentication and Authorization
On the Authentication tab, select an authorization realm
Configuring Authentication without Authorization
Default Realm
Using a Local User List for Authentication
To add a user to a group
Configuring Local Users
Changing Password for Users
Adding Users to Multiple Groups
Using Ldap Authorization with Local Authentication
Changing the Authentication Type of the Default Realm
Configuring the Default Realm
Do one of the following
Configure the settings for the realm and then click Submit
Creating Additional Realms
To create a realm
Removing Realms
Using SafeWord for Authentication
Configuring Secure Computing SafeWord Authentication
Configuring SafeWord Settings on the Access Gateway
SafeWord PremierAccess Authorization
To disable Firebox SSL VPN Gateway authentication
To configure SafeWord on the Access Gateway
To configure the IAS Radius realm
Using Radius Servers for Authentication and Authorization
Server
Click Close and then click OK
Select Local computer and click Finish
Policy name, give the policy a name and click Next
Attribute value, type the attribute name and the groups
Attribute format, select String
Complete the settings using the attributes defined in IAS
To specify Radius server authentication
To configure Radius authorization
Choosing Radius Authentication Protocols
Ldap authentication
Using Ldap Servers for Authentication and Authorization
Following table contains examples of bind dn
To configure Ldap authentication
Realm Name, type a name for the authentication realm
This table contains examples of the base dn
Ldap Authorization
Group memberships from group objects working evaluations
Ldap authorization group attribute fields
To configure Ldap authorization
Determining Attributes in your Ldap Directory
Using certificates for secure Ldap connections
To install and set up the Ldap Browser
Ldap Administrator Password, type the password
To look up Ldap attributes
Using RSA SecurID for Authentication
For Agent type, select Unix Agent
Configuration Files
To enable RSA SecurID authentication
To reset the node secret on the RSA ACE/Server
Configuring RSA Settings for a Cluster
Resetting the node secret
Configuring Gemalto Protiva Authentication
To configure Ntlm authentication
Configuring Ntlm Authentication and Authorization
Authorization type, select Ntlm authorization
Configuring Ntlm Authorization
Configuring Authentication to use One-Time Passwords
To configure Ntlm authorization
On the Authentication tab, click Authentication
Configuring Double-Source Authentication
To prevent caching of one-time passwords
Select Use the password one time and click Submit
To change the password labels
Changing Password Labels
To create a user on the Firebox SSL VPN Gateway
Adding Local Users
To delete a user from the Firebox SSL VPN Gateway
User Group Overview
To create a local user group
Creating User Groups
To remove a user group
Forcing Users to Log on Again
Configuring Properties for a User Group
Default group properties
To enable or disable Default group properties
Left pane, right-click a group and then click Properties
Configuring Secure Access Client for single sign-on
To configure Secure Access Client for single sign-on
Enabling domain logon scripts
Left pane, right-click a group and click Properties
To enable logon scripts
To enable session time-out
Enabling session time-out
Setting Application Options
Configuring Web Session Time-Outs
Disabling Desktop Sharing
To allow failover to a user’s local DNS
To configure IP pooling for a group
Enabling Split DNS
Enabling IP Pooling
Choosing a portal page for a group
Client certificate criteria configuration
To specify a portal page for a group
Global policies
Configuring Resources for a User Group
To specify client certificate configuration
To create pre-authentication policies
Group resources include
Group properties include
Adding Users to Multiple Groups
Defining network resources
To configure resource access control for a group
To remove a resource from a user group
22, 80
To create and configure a network resource
To remove a network resource
To configure an application policy
Application policies
To add a network resource to a group
To deny one application network access
Configuring file share resources
To add an application policy to a group
To remove a share
Configuring kiosk mode
To create and configure a kiosk resource
To create a file share resource
Click Registry Rule
Configuring end point resources
End point resources and policies
To create an end point resource
If you selected Process Rule, do the following
Configuring an end point policy for a group
To delete an end point resource
To create an end point policy for a group
To build an end point policy expression
Setting the Priority of Groups
Under End Point Scan Expression, select Auto-build
Click the Group Priority tab
Configuring Pre-Authentication Policies
To set the priority of groups
To view the group priorities for a user
108
Creating and Installing Secure Certificates
Digital Certificates and Firebox SSL VPN Gateway Operation
Password-Protected Private Keys
Overview of the Certificate Signing Request
To create a Certificate Signing Request
Creating a Certificate Signing Request
Locate the file you want to upload and click Open
Installing Root Certificates on the Firebox SSL VPN Gateway
To install a certificate file using the Administration Tool
To upload a certificate using the Administration Portal
To reset the default certificate
Installing Multiple Root Certificates
Creating Root Certificates Using a Command Prompt
Resetting the Certificate to the Default Setting
To require client certificates
Client Certificates
To select an encryption type for client connections
Installing Root Certificates on a Client Device
Obtaining a Root Certificate from a CertificateAuthority
Selecting an Encryption Type for Client Connections
Wildcard Certificates
Requiring Certificates from Internal Connections
Operating Systems
System Requirements
Web Browsers
To connect using the default portal
Using the Access Portal
Firebox SSL VPN Gateway operates as follows
Connecting from a Private Computer
Sbin/service net6vpnd start
To remove the Linux VPN client
Establishing the Secure Tunnel
Tunneling Private Network Traffic over Secure Connections
Administration Guide 121
ActiveX Helper
Using the Secure Access Client Window
To log on to the Firebox SSL VPN Gateway
To disconnect the Secure Access Client
To use the Secure Access Client status properties
To close the window, click Close
To manually configure a proxy server
Configuring Proxy Servers for the Secure Access Client
To view the Connection Log
Connections Using Kiosk Mode
Connecting from a Public Computer
Enter your network logon credentials and click Login
Creating a Kiosk Mode Resource
To enable kiosk mode
To log on to the Firebox SSL VPN Gateway using kiosk mode
To add a file share to a kiosk resource
Working with File Share Resources
To work with file share resources
To enable client applications
Client Applications
To remove a file share
Remote Desktop client
Firefox Web Browser
SSH Client
VNC Client
Telnet 3270 Emulator Client
Gaim Instant Messenging
To use Gaim
Supporting Secure Access Client
Connection handling
Managing Client Connections
Disabling and enabling a user
To disable a user at a particular MAC address
To enable a user at a particular MAC address
Closing a connection to a resource
Administration Guide 135
136
To view and filter the system log
Viewing and Downloading System Message Logs
Viewing the W3C-Formatted Request Log
Forwarding System Messages to a Syslog Server
Multi Router Traffic Grapher Example
To enable logging of Snmp messages
Under Snmp Settings, select Enable Snmp
Enabling and Viewing Snmp Logs
Viewing System Statistics
Multi Router Traffic Grapher configuration file
Monitoring Firebox SSL VPN Gateway Operations
To open the Firebox SSL VPN Gateway Administration Desktop
Recovering from a Failure of the Firebox SSL VPN Gateway
Monitoring applications are as follows
Upgrading to SSL v
Reinstalling v 4.9 application software
Backing up your configuration settings
Apply the v 5.5 software update
Web Interface Appears without Typing in Credentials
Troubleshooting
Launching the v 5.5 Administration Tool
Troubleshooting the Web Interface
License File Does not Match Firebox SSL VPN Gateway
Other Issues
Read/Write Access to the Firebox SSL VPN Gateway
Web Interface Credentials Are Invalid
VMWare
Defining Accessible Networks
Ping Command
Ldap Authentication
Certificate Revocation Lists
Administration Tool Is Inaccessible
Internal Failover
Certificate Signing
DNS Name Resolution Using Named Service Providers
Certificates Using 512-bit keypairs
Secure Access Client
Secure Access Client Connections with Windows XP
Wins Entries
Ntlm Authentication
Using Third-Party Client Software
Client Connections from a Windows Server
Appendix B Using Firewalls with Firebox SSL VPN Gateway
BlackICE PC Protection
To view Secure Access Client status properties
McAfee Personal Firewall Plus
Sygate Personal Firewall Free and Pro Versions
Norton Personal Firewall
Tiny Personal Firewall
Add
ZoneAlarm Pro
Click Install from Internet and then click Next
To install Cygwin
New column for those two entries, click Skip
Double-click the Cygwin icon on the desktop
To generate a CSR using the Cygwin Unix environment
Unencrypting the Private Key
To unencrypt the private key
Openssl verify -verbose -CApath /tmp certFile
Converting to a PEM-Formatted Certificate
Combining the Private Key with the Signed Certificate
To convert the certificate from PKCS7 to PEM format
To combine the private key with the signed certificate
Generating Trusted Certificates for Multiple Levels
To generate trusted certificates for multiple levels
Intermediate Certificate
158
Appendix D Examples of Configuring Network Access
Scenario 1 Configuring Ldap Authentication and Authorization
Administration Guide 161
Collecting the Ldap Directory Information
Ldap Server User Attributes Case Sensitive
10.10.0.0/24 10.60.10.0/24
Configuring Accessible Networks
To configure accessible networks
If necessary, select Enable split tunneling
Realm Name, type Default
Creating an Ldap Authentication and Authorization Realm
Creating and Assigning Network Resources to the Sales Users
Creating and Assigning Network Resources to the User Groups
To provide the Engineering users with access to the network
To implement the application policy for the email server
Creating an Application Policy for an Email Server
Administration Guide 169
Creating a Guest User Authentication Realm
Creating Local Users
To create a guest authentication realm for the guest users
To add the local users
Scenario 3 Configuring Local Authorization for Local Users
Appendix E Legal and Copyright Information
174
Administration Guide 175
176
No Warranty
END of Terms and Conditions
Administration Guide 179
180
Index
DNS
FTP
LiveSecurity Service activating 4 benefits of 2 broadcasts
Administration Guide 185
Connection to 28 service scanner 141 session timeout 15, 88
Wctp
188
