Manuals / WatchGuard Technologies / Household Appliance / Water Heater

WatchGuard Technologies SSL VPN manual Configuring Authentication and Authorization

Models: SSL VPN

1 198

Download 198 pages 26.5 Kb

Page 72

Configuring Authentication and Authorization

Configuring Authentication and Authorization

Communications between the Firebox SSL VPN Gateway and authentication servers.

If a user is not located on an authentication server or fails authentication on that server, the Firebox SSL VPN Gateway checks the user against the local user list, if the check box Use the local user database on the Firebox SSL VPN Gateway is selected on the Authentication > Settings tab.

Communication between the client, the Firebox SSL VPN Gateway, and the local user account.

After a user is authenticated, the Firebox SSL VPN Gateway performs a group authorization check by obtaining the user’s group information from either an LDAP server, a RADIUS server, a Windows NT 4.0 server (for NTLM authorization), or the local group file (if not available on the LDAP or RADIUS server). If group information is available for the user, the Firebox SSL VPN Gateway then checks the network resources allowed for the group. LDAP authorization works with all supported authentication methods. You can configure the Firebox SSL VPN Gateway to obtain an authenticated user’s group(s) from an LDAP server. If the user is not located on the LDAP server, the Firebox SSL VPN Gateway checks its local group file if the check box Use the local user database on the Firebox SSL VPN Gateway is selected on the Authentication > Settings tab.

The group names obtained from the LDAP server are compared with the group names created locally on the Firebox SSL VPN Gateway. If the two group names match, the properties of the local group apply to the group obtained from the LDAP server.

62	Firebox SSL VPN Gateway

Image 72

WatchGuard Technologies SSL VPN manual Configuring Authentication and Authorization

Contents

Firebox SSL VPN Gateway ADDRESS SUPPORTSALES ABOUT WATCHGUARDContents Configuring Secure Certificate Management Setting Up the Firebox SSL VPN Gateway HardwareFirebox SSL VPN Gateway Administration Desktop The Firebox SSL VPN Gateway operates as followsUsing the Serial Console Configuring Authentication and Authorization Using SafeWord for Citrix or SafeWord RemoteAccess for Authentication Generating a Secure Certificate for the Firebox SSL VPN Gateway APPENDIX A Firebox SSL VPN Gateway Monitoring and Troubleshooting Combining the Private Key with the Signed Certificate CHAPTER 1 Getting Started with Firebox SSL VPN GatewayAudience Operating System RequirementsLiveSecurity Service Solutions Threat responses, alerts, and expert adviceEasy software updates Access to technical support and trainingLiveSecurity Service Broadcasts Software UpdateInformation Alert Threat ResponseLiveSecurity Service Self Help Tools Activating LiveSecurity ServiceBasic FAQs New from WatchGuardAdvanced FAQs Known IssuesWatchGuard Users Forum Fireware “How To”’sLiveSecurity Service technical support Using the WatchGuard Users ForumOnline Help Product DocumentationFirebox Installation Service VPN Installation ServiceService time Training and Certificationa certification exam. The training materials include links to books and web sites with more information about network security CHAPTER 2 Introduction to Firebox SSL VPN Gateway OverviewNetwork topology showing the TCP circuit OverviewNew Features Authentication and one-timepasswordsNew versions of the Secure Access Client Configurable symmetric encryption ciphersSecure Access Client connections Disable desktop sharingDisable kiosk mode Automatic port redirectionFeatures NTLM authentication and authorization supportUpdated serial console menu Administration ToolFirebox SSL VPN Gateway Settings Authentication and AuthorizationUser Groups, Local Users, and Resources Feature Server UpgradeEnable External Administration Saving and RestoringServerConfigurationFeature Summary The User ExperienceDeployment and Administration Connecting to the Firebox SSL Access PortalPlanning your deployment Planning your deploymentConfiguring Secure Certificate Management Authentication Support•A cross-overcable and a Windows computer Setting Up the Firebox SSL VPN Gateway Hardware To physically connect the Firebox SSL VPN GatewayTo configure TCP/IP settings using a serial cable To configure TCP/IP Settings Using Network Cables To configure TCP/IP settings using network cablesFirebox SSL VPN Gateway Administration Tool Using the Firebox SSL VPN Gateway The Firebox SSL VPN Gateway operates as followsTo redirect unsecure connections 2Click the General Networking tabStarting the Secure Access Client To configure a proxy serverEstablishing the Secure Tunnel Operation through Firewalls and ProxiesPerformance and Real-TimeTraffic Using the Firebox SSL VPN GatewayAdministration Guide Using Kiosk Mode Connecting to a Server Load BalancerUsing the Firebox SSL VPN Gateway Administration GuideUsing the Firebox SSL VPN Gateway Firebox SSL VPN GatewayCHAPTER 3 Configuring Basic Settings Firebox SSL VPN Gateway Administration Desktop Using the Administration PortalDownloads Tab Using the Serial Console Admin Users TabMaintenance Tab To change the administrator passwordUsing the Administration Tool To download and install the Administration ToolTo open the serial console To publish Firebox SSL VPN Gateway settings Upgrading the tunnel and tunnel upgrade licenseProduct Activation and Licensing In SyncManaging Licenses To manage licenses on the Firebox SSL VPN GatewayTo install a license file Testing Your License InstallationTo test your configuration Information about Your LicensesUsing Portal Pages Using the Default Portal Page7Click My own computer and then click Connect 1Click the VPN Gateway Cluster tabContent inserted by variable VariableUsing the ActiveX Control Enabling Portal Page Authentication To enable portal page authenticationLinking to Clients from Your Web Site Multiple Log On Options using the Portal Page Pre-AuthenticationPolicy Portal PageSecure Desktop Access Secure Application AccessConnecting Using a Web Address Connecting Using Secure Access ClientDouble-sourceAuthentication Portal Page Double-sourceauthentication portal pageSaving and Restoring the Configuration To save the Firebox SSL VPN Gateway configurationTo restore a saved configuration To upgrade the Firebox SSL VPN GatewayRestarting the Firebox SSL VPN Gateway Shutting Down the Firebox SSL VPN GatewayFirebox SSL VPN Gateway System Date and Time To restart the Firebox SSL VPN GatewayTo enable ICMP traffic Allowing ICMP trafficTo change the system date and time Network Time ProtocolCHAPTER 4 Configuring Firebox SSL VPN Configuring Network InformationGateway Network Connections General Networking General NetworkingExternal Public FQDN Duplex modeVPN port IP addressName Service Providers To enable split DNSTo edit the HOSTS file DNS Server 1, DNS Server 2, DNS ServerConfiguring Network Routing Enable Dynamic GatewayDynamic and Static Routing To remove an entry from the HOSTS fileConfiguring Dynamic Routing Enabling RIP Authentication for Dynamic RoutingTo configure dynamic routing To enable RIP authentication for dynamic routingConfiguring a Static Route Changing from Dynamic Routing to Static RoutingTo save dynamic routes to the static route table To add a static routeStatic Route Example To test a static routeTo remove a static route Network topology showing a static routeConfiguring Firebox SSL VPN Gateway Failover Configuring Internal FailoverTo set up the example static route To enable internal failoverControlling Network Access Configuring Network AccessSpecifying Accessible Networks Enabling Split Tunneling1Click the Global Cluster Policies tab Denying Access to Groups without an ACL To enable split tunnelingConfiguring User Groups 1Click the Global Cluster Policies tabTo deny access to user groups without an ACL Improving Voice over IP ConnectionsEnabling Improving Voice over IP Connections 1Click the Global Cluster Policies tabTo improve latency for UDP traffic 1Click the Global Cluster Policies tabCHAPTER 5 Configuring Authentication and AuthorizationConfiguring Authentication and Authorization Configuring Authentication and Authorization Configuring Authentication without Authorization The Default RealmUsing a Local User List for Authentication Configuring Local Users Changing Password for UsersAdding Users to Multiple Groups To add a user to a groupConfiguring the Default Realm To change a user’s passwordTo remove and create a Default realm 4In Authorization Type, select LDAP AuthorizationCreating Additional Realms To create a realm3On the Action menu, select Remove Default realm Using SafeWord for Authentication To disable Firebox SSL VPN Gateway authentication SafeWord PremierAccess AuthorizationTo configure SafeWord on the Access Gateway To configure the IAS RADIUS realm 1Click the Authentication tabServer 5Select Local computer and click Finish default RADIUS=Standard 22Under Vendor-assignedattribute number, type23In Attribute format, select String To specify RADIUS server authentication To configure RADIUS authorizationChoosing RADIUS Authentication Protocols 1Click the Authentication tabLDAP authentication LDAP ServerUser Attribute Case SensitiveTo configure LDAP authentication 1Click the Authentication tab5Click the Authentication tab LDAP Authorization LDAP authorization group attribute fields To configure LDAP authentication1Click the Authentication tab 4Click the Authentication tabTo configure LDAP authorization Using certificates for secure LDAP connections To install and set up the LDAP BrowserDetermining Attributes in your LDAP Directory To upload a secure client certificate for LDAPUsing RSA SecurID for Authentication HostPort Base DN5 For Agent type, select UNIX Agent To enable RSA SecurID authentication Configuration Files1Click the Authentication tab Configuring RSA Settings for a Cluster Resetting the node secretConfiguring Gemalto Protiva Authentication To reset the node secret on the RSA ACE/ServerConfiguring NTLM Authentication and Authorization To configure NTLM authentication1Click the Authentication tab 5Click the Authentication tabConfiguring NTLM Authorization To configure NTLM authorization3In Authorization type, select NTLM authorization Configuring Double-SourceAuthentication To prevent caching of one-timepasswords1On the Authentication tab, click Authentication Changing Password Labels To change the password labelsAdding Local Users To create a user on the Firebox SSL VPN Gateway1Click the Access Policy Manager tab User Group Overview To delete a user from the Firebox SSL VPN GatewayCreating User Groups To create a local user groupTo remove a user group 1Click the Access Policy Manager tabConfiguring Properties for a User Group Default group propertiesTo enable or disable Default group properties Forcing Users to Log on AgainEnabling domain logon scripts 1Click the Access Policy Manager tabTo enable logon scripts To enable session time-outEnabling session time-out 1Click the Access Policy Manager tabConfiguring Web Session Time-Outs Setting Application OptionsTo enable Web session time-outs To disable desktop sharingTo configure IP pooling for a group Enabling Split DNSEnabling IP Pooling To allow failover to a user’s local DNSClient certificate criteria configuration Choosing a portal page for a groupTo specify a portal page for a group 3In Use this custom portal page, select the pageConfiguring Resources for a User Group To specify client certificate configurationTo create pre-authenticationpolicies Global policiesGroup properties include Group resources includeAdding Users to Multiple Groups To configure resource access control for a group Defining network resourcesTo remove a resource from a user group 1Click the Access Policy Manager tabTo create and configure a network resource 1Click the Access Policy Manager tabTo configure an application policy Application policiesTo add a network resource to a group To remove a network resourceConfiguring file share resources To deny one application network accessTo add an application policy to a group To deny applications without policiesConfiguring kiosk mode To create and configure a kiosk resourceTo create a file share resource To remove a shareConfiguring end point resources End point resources and policiesTo create an end point resource 1Click the Access Policy Manager tabConfiguring an end point policy for a group To delete an end point resourceTo create an end point policy for a group 1Click the Access Policy Manager tabSetting the Priority of Groups To build an end point policy expression1Click the Access Policy Manager tab Configuring Pre-AuthenticationPolicies To set the priority of groupsTo view the group priorities for a user To create pre-authenticationpoliciesSetting the Priority of Groups Firebox SSL VPN GatewayCHAPTER 7 Creating and Installing Secure CertificatesPassword-ProtectedPrivate Keys Overview of the Certificate Signing RequestCreating a Certificate Signing Request To create a Certificate Signing Request1Click the VPN Gateway Cluster tab Installing Multiple Root Certificates Creating Root Certificates Using a Command PromptResetting the Certificate to the Default Setting To reset the default certificateClient Certificates To require client certificates1Click the Global Cluster Policies tab Installing Root Certificates Requiring Certificates from Internal Connections Wildcard CertificatesCHAPTER 8 Working with Client Connections System RequirementsOperating Systems Web BrowsersUsing the Access Portal To connect using the default portal pageConnecting from a Private Computer To remove the Linux VPN clientThe Firebox SSL VPN Gateway operates as follows sbin/service net6vpnd startEstablishing the Secure Tunnel ipconfig/all or route printConnecting from a Private Computer Administration GuideOperation through Firewalls and Proxies Using the Secure Access Client Window ActiveX HelperTo log on to the Firebox SSL VPN Gateway Connecting from a Private ComputerAdministration Guide To use the Secure Access Client status properties To disconnect the Secure Access ClientTo manually configure a proxy server To view the Connection LogTo disconnect the Secure Access Client Connecting from a Public Computer Connections Using Kiosk ModeTo enable kiosk mode Creating a Kiosk Mode Resourcecomputer Working with File Share Resources To add a file share to a kiosk resourceTo create and configure a kiosk resource 1Click the Access Policy Manager tabTo enable client applications Client ApplicationsTo remove a file share To work with file share resourcesTo configure Firefox To configure Remote DesktopFirefox Web Browser Remote Desktop clientTelnet 3270 Emulator Client VNC ClientGaim Instant Messenging To use the SSH clientSupporting Secure Access Client To use GaimManaging Client Connections Connection handlingTo disable a user at a particular MAC address To enable a user at a particular MAC addressClosing a connection to a resource Disabling and enabling a user4Click OK Managing Client Connections Firebox SSL VPN GatewayMonitoring and Troubleshooting APPENDIX A Firebox SSL VPN GatewayViewing and Downloading System Message Logs To view and filter the system logForwarding System Messages to a Syslog Server Viewing the W3C-FormattedRequest Log3Click Logging/Settings 4Under Gateway Log, click Display Logging WindowTo enable logging of SNMP messages Enabling and Viewing SNMP LogsMulti Router Traffic Grapher Example 2 Under SNMP Settings, select Enable SNMPViewing System Statistics Monitoring Firebox SSL VPN Gateway OperationsFirebox SSL Real-timeMonitor Ethereal Network AnalyzerxNetTools TracerouteReinstalling v 4.9 application software Backing up your configuration settingsUpgrading to SSL v Upgrading to SSL vTroubleshooting Launching the v 5.5 Administration ToolTroubleshooting the Web Interface Applications do not Appear after Logging OnOther Issues Read/Write Access to the Firebox SSL VPN GatewayWeb Interface Credentials Are Invalid Defining Accessible Networks Ping CommandLDAP Authentication VMWareThe Administration Tool Is Inaccessible Internal FailoverCertificate Signing Certificate Revocation ListsCertificates Using 512-bitkeypairs Secure Access ClientSecure Access Client Connections with Windows XP DNS Name Resolution Using Named Service ProvidersNTLM Authentication Using Third-PartyClient SoftwareClient Connections from a Windows Server WINS EntriesAPPENDIX B Using Firewalls with Firebox SSL VPN GatewayTo view Secure Access Client status properties BlackICE PC ProtectionMcAfee Personal Firewall Plus Norton Personal Firewall Sygate Personal Firewall Free and Pro VersionsTiny Personal Firewall ServicesZoneAlarm Pro APPENDIX C Installing Windows Certificates To install Cygwin4Click Install from Internet and then click Next Unencrypting the Private Key To unencrypt the private keyConverting to a PEM-FormattedCertificate openssl verify -verbose -CApath /tmp certFileBEGINRSA PRIVATE KEY <Unencrypted Private Key> Administration Guide Intermediate Certificate Intermediate CertificateIntermediate Certificate Firebox SSL VPN Gateway APPENDIX D Examples of Configuring Network Access Administration Guide•Global Cluster Policies •Authentication Collecting the LDAP directory information Collecting the LDAP Directory Information ou=Users,dc=ace,dc=com cn=Users,dc=ace,dc=com Configuring Accessible Networks To configure accessible networks2Click the Global Cluster Policies tab 5In Realm Name, type Default 1Click the Access Policy Manager tab 1Click the Access Policy Manager tab10.10.0.0/24 10.60.10.0/24 10.10.25.50/32 Administration Guide Creating a Guest User Authentication Realm Creating Local Users To add the local users1Click the Access Policy Manager tab 1Click the Access Policy Manager tab 2Expand User Groups and then expand Local UsersAPPENDIX E Legal and Copyright Information GNU GENERAL PUBLIC LICENSE change be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or NO WARRANTY END OF TERMS AND CONDITIONS Administration Guide Firebox SSL VPN Gateway Index Page Page Page Page Page Page Firebox SSL VPN Gateway