Firebox SSL VPN Gateway
SUPPORT
ADDRESS
SALES
ABOUT WATCHGUARD
Contents
Setting Up the Firebox SSL VPN Gateway Hardware
Configuring Secure Certificate Management
Firebox SSL VPN Gateway Administration Desktop
The Firebox SSL VPN Gateway operates as follows
Using the Serial Console
Configuring Authentication and Authorization
Using SafeWord for Citrix or SafeWord RemoteAccess for Authentication
Generating a Secure Certificate for the Firebox SSL VPN Gateway
APPENDIX A Firebox SSL VPN Gateway Monitoring and Troubleshooting
Combining the Private Key with the Signed Certificate
VPN Gateway
CHAPTER 1 Getting Started with Firebox SSL
Audience
Operating System Requirements
Threat responses, alerts, and expert advice
LiveSecurity Service Solutions
Easy software updates
Access to technical support and training
Software Update
LiveSecurity Service Broadcasts
Information Alert
Threat Response
Activating LiveSecurity Service
LiveSecurity Service Self Help Tools
Basic FAQs
New from WatchGuard
Known Issues
Advanced FAQs
WatchGuard Users Forum
Fireware “How To”’s
Using the WatchGuard Users Forum
LiveSecurity Service technical support
Online Help
Product Documentation
VPN Installation Service
Firebox Installation Service
Service time
Training and Certification
a certification exam. The training materials include links to books and web sites with more information about network security
Overview
CHAPTER 2 Introduction to Firebox SSL VPN Gateway
Overview
Network topology showing the TCP circuit
Authentication and one-timepasswords
New Features
New versions of the Secure Access Client
Configurable symmetric encryption ciphers
Disable desktop sharing
Secure Access Client connections
Disable kiosk mode
Automatic port redirection
NTLM authentication and authorization support
Features
Updated serial console menu
Administration Tool
User Groups, Local Users, and Resources
Firebox SSL VPN Gateway Settings
Authentication and Authorization
Server Upgrade
Feature
Enable External Administration
Saving and RestoringServerConfiguration
The User Experience
Feature Summary
Connecting to the Firebox SSL Access Portal
Deployment and Administration
Planning your deployment
Planning your deployment
Authentication Support
Configuring Secure Certificate Management
•A cross-overcable and a Windows computer
To physically connect the Firebox SSL VPN Gateway
Setting Up the Firebox SSL VPN Gateway Hardware
To configure TCP/IP settings using a serial cable
Firebox SSL VPN Gateway Administration Tool
To configure TCP/IP Settings Using Network Cables
To configure TCP/IP settings using network cables
The Firebox SSL VPN Gateway operates as follows
Using the Firebox SSL VPN Gateway
To redirect unsecure connections
2Click the General Networking tab
To configure a proxy server
Starting the Secure Access Client
Operation through Firewalls and Proxies
Establishing the Secure Tunnel
Administration Guide
Performance and Real-TimeTraffic
Using the Firebox SSL VPN Gateway
Connecting to a Server Load Balancer
Using Kiosk Mode
Administration Guide
Using the Firebox SSL VPN Gateway
Firebox SSL VPN Gateway
Using the Firebox SSL VPN Gateway
CHAPTER 3 Configuring Basic Settings
Downloads Tab
Firebox SSL VPN Gateway Administration Desktop
Using the Administration Portal
Admin Users Tab
Using the Serial Console
Maintenance Tab
To change the administrator password
To open the serial console
Using the Administration Tool
To download and install the Administration Tool
Upgrading the tunnel and tunnel upgrade license
To publish Firebox SSL VPN Gateway settings
Product Activation and Licensing
In Sync
To manage licenses on the Firebox SSL VPN Gateway
Managing Licenses
Testing Your License Installation
To install a license file
To test your configuration
Information about Your Licenses
Using the Default Portal Page
Using Portal Pages
7Click My own computer and then click Connect
1Click the VPN Gateway Cluster tab
Variable
Content inserted by variable
Using the ActiveX Control
Linking to Clients from Your Web Site
Enabling Portal Page Authentication
To enable portal page authentication
Pre-AuthenticationPolicy Portal Page
Multiple Log On Options using the Portal Page
Secure Desktop Access
Secure Application Access
Connecting Using Secure Access Client
Connecting Using a Web Address
Double-sourceAuthentication Portal Page
Double-sourceauthentication portal page
To save the Firebox SSL VPN Gateway configuration
Saving and Restoring the Configuration
To restore a saved configuration
To upgrade the Firebox SSL VPN Gateway
Shutting Down the Firebox SSL VPN Gateway
Restarting the Firebox SSL VPN Gateway
Firebox SSL VPN Gateway System Date and Time
To restart the Firebox SSL VPN Gateway
Allowing ICMP traffic
To enable ICMP traffic
To change the system date and time
Network Time Protocol
Gateway Network Connections
CHAPTER 4 Configuring Firebox SSL VPN
Configuring Network Information
General Networking
General Networking
Duplex mode
External Public FQDN
VPN port
IP address
To enable split DNS
Name Service Providers
To edit the HOSTS file
DNS Server 1, DNS Server 2, DNS Server
Enable Dynamic Gateway
Configuring Network Routing
Dynamic and Static Routing
To remove an entry from the HOSTS file
Enabling RIP Authentication for Dynamic Routing
Configuring Dynamic Routing
To configure dynamic routing
To enable RIP authentication for dynamic routing
Changing from Dynamic Routing to Static Routing
Configuring a Static Route
To save dynamic routes to the static route table
To add a static route
To test a static route
Static Route Example
To remove a static route
Network topology showing a static route
Configuring Internal Failover
Configuring Firebox SSL VPN Gateway Failover
To set up the example static route
To enable internal failover
Configuring Network Access
Controlling Network Access
1Click the Global Cluster Policies tab
Specifying Accessible Networks
Enabling Split Tunneling
To enable split tunneling
Denying Access to Groups without an ACL
Configuring User Groups
1Click the Global Cluster Policies tab
Improving Voice over IP Connections
To deny access to user groups without an ACL
Enabling Improving Voice over IP Connections
1Click the Global Cluster Policies tab
1Click the Global Cluster Policies tab
To improve latency for UDP traffic
Configuring Authentication and Authorization
CHAPTER 5 Configuring Authentication and
Authorization
Configuring Authentication and Authorization
Using a Local User List for Authentication
Configuring Authentication without Authorization
The Default Realm
Changing Password for Users
Configuring Local Users
Adding Users to Multiple Groups
To add a user to a group
To change a user’s password
Configuring the Default Realm
To remove and create a Default realm
4In Authorization Type, select LDAP Authorization
3On the Action menu, select Remove Default realm
Creating Additional Realms
To create a realm
Using SafeWord for Authentication
To configure SafeWord on the Access Gateway
To disable Firebox SSL VPN Gateway authentication
SafeWord PremierAccess Authorization
Server
To configure the IAS RADIUS realm
1Click the Authentication tab
5Select Local computer and click Finish
23In Attribute format, select String
default RADIUS=Standard
22Under Vendor-assignedattribute number, type
To configure RADIUS authorization
To specify RADIUS server authentication
Choosing RADIUS Authentication Protocols
1Click the Authentication tab
LDAP Server
LDAP authentication
User Attribute
Case Sensitive
5Click the Authentication tab
To configure LDAP authentication
1Click the Authentication tab
LDAP Authorization
To configure LDAP authentication
LDAP authorization group attribute fields
1Click the Authentication tab
4Click the Authentication tab
To configure LDAP authorization
To install and set up the LDAP Browser
Using certificates for secure LDAP connections
Determining Attributes in your LDAP Directory
To upload a secure client certificate for LDAP
Host
Using RSA SecurID for Authentication
Port
Base DN
5 For Agent type, select UNIX Agent
1Click the Authentication tab
To enable RSA SecurID authentication
Configuration Files
Resetting the node secret
Configuring RSA Settings for a Cluster
Configuring Gemalto Protiva Authentication
To reset the node secret on the RSA ACE/Server
To configure NTLM authentication
Configuring NTLM Authentication and Authorization
1Click the Authentication tab
5Click the Authentication tab
3In Authorization type, select NTLM authorization
Configuring NTLM Authorization
To configure NTLM authorization
1On the Authentication tab, click Authentication
Configuring Double-SourceAuthentication
To prevent caching of one-timepasswords
To change the password labels
Changing Password Labels
1Click the Access Policy Manager tab
Adding Local Users
To create a user on the Firebox SSL VPN Gateway
To delete a user from the Firebox SSL VPN Gateway
User Group Overview
To create a local user group
Creating User Groups
To remove a user group
1Click the Access Policy Manager tab
Default group properties
Configuring Properties for a User Group
To enable or disable Default group properties
Forcing Users to Log on Again
1Click the Access Policy Manager tab
Enabling domain logon scripts
To enable session time-out
To enable logon scripts
Enabling session time-out
1Click the Access Policy Manager tab
Setting Application Options
Configuring Web Session Time-Outs
To enable Web session time-outs
To disable desktop sharing
Enabling Split DNS
To configure IP pooling for a group
Enabling IP Pooling
To allow failover to a user’s local DNS
Choosing a portal page for a group
Client certificate criteria configuration
To specify a portal page for a group
3In Use this custom portal page, select the page
To specify client certificate configuration
Configuring Resources for a User Group
To create pre-authenticationpolicies
Global policies
Group resources include
Group properties include
Adding Users to Multiple Groups
Defining network resources
To configure resource access control for a group
To remove a resource from a user group
1Click the Access Policy Manager tab
1Click the Access Policy Manager tab
To create and configure a network resource
Application policies
To configure an application policy
To add a network resource to a group
To remove a network resource
To deny one application network access
Configuring file share resources
To add an application policy to a group
To deny applications without policies
To create and configure a kiosk resource
Configuring kiosk mode
To create a file share resource
To remove a share
End point resources and policies
Configuring end point resources
To create an end point resource
1Click the Access Policy Manager tab
To delete an end point resource
Configuring an end point policy for a group
To create an end point policy for a group
1Click the Access Policy Manager tab
1Click the Access Policy Manager tab
Setting the Priority of Groups
To build an end point policy expression
To set the priority of groups
Configuring Pre-AuthenticationPolicies
To view the group priorities for a user
To create pre-authenticationpolicies
Firebox SSL VPN Gateway
Setting the Priority of Groups
Certificates
CHAPTER 7 Creating and Installing Secure
Overview of the Certificate Signing Request
Password-ProtectedPrivate Keys
To create a Certificate Signing Request
Creating a Certificate Signing Request
1Click the VPN Gateway Cluster tab
Creating Root Certificates Using a Command Prompt
Installing Multiple Root Certificates
Resetting the Certificate to the Default Setting
To reset the default certificate
1Click the Global Cluster Policies tab
Client Certificates
To require client certificates
Installing Root Certificates
Wildcard Certificates
Requiring Certificates from Internal Connections
System Requirements
CHAPTER 8 Working with Client Connections
Operating Systems
Web Browsers
To connect using the default portal page
Using the Access Portal
To remove the Linux VPN client
Connecting from a Private Computer
The Firebox SSL VPN Gateway operates as follows
sbin/service net6vpnd start
ipconfig/all or route print
Establishing the Secure Tunnel
Operation through Firewalls and Proxies
Connecting from a Private Computer
Administration Guide
ActiveX Helper
Using the Secure Access Client Window
Administration Guide
To log on to the Firebox SSL VPN Gateway
Connecting from a Private Computer
To disconnect the Secure Access Client
To use the Secure Access Client status properties
To disconnect the Secure Access Client
To manually configure a proxy server
To view the Connection Log
Connections Using Kiosk Mode
Connecting from a Public Computer
computer
To enable kiosk mode
Creating a Kiosk Mode Resource
To add a file share to a kiosk resource
Working with File Share Resources
To create and configure a kiosk resource
1Click the Access Policy Manager tab
Client Applications
To enable client applications
To remove a file share
To work with file share resources
To configure Remote Desktop
To configure Firefox
Firefox Web Browser
Remote Desktop client
VNC Client
Telnet 3270 Emulator Client
Gaim Instant Messenging
To use the SSH client
To use Gaim
Supporting Secure Access Client
Connection handling
Managing Client Connections
To enable a user at a particular MAC address
To disable a user at a particular MAC address
Closing a connection to a resource
Disabling and enabling a user
4Click OK
Firebox SSL VPN Gateway
Managing Client Connections
APPENDIX A Firebox SSL VPN Gateway
Monitoring and Troubleshooting
Viewing and Downloading System Message Logs
To view and filter the system log
Viewing the W3C-FormattedRequest Log
Forwarding System Messages to a Syslog Server
3Click Logging/Settings
4Under Gateway Log, click Display Logging Window
Enabling and Viewing SNMP Logs
To enable logging of SNMP messages
Multi Router Traffic Grapher Example
2 Under SNMP Settings, select Enable SNMP
Monitoring Firebox SSL VPN Gateway Operations
Viewing System Statistics
Ethereal Network Analyzer
Firebox SSL Real-timeMonitor
xNetTools
Traceroute
Backing up your configuration settings
Reinstalling v 4.9 application software
Upgrading to SSL v
Upgrading to SSL v
Launching the v 5.5 Administration Tool
Troubleshooting
Troubleshooting the Web Interface
Applications do not Appear after Logging On
Web Interface Credentials Are Invalid
Other Issues
Read/Write Access to the Firebox SSL VPN Gateway
Ping Command
Defining Accessible Networks
LDAP Authentication
VMWare
Internal Failover
The Administration Tool Is Inaccessible
Certificate Signing
Certificate Revocation Lists
Secure Access Client
Certificates Using 512-bitkeypairs
Secure Access Client Connections with Windows XP
DNS Name Resolution Using Named Service Providers
Using Third-PartyClient Software
NTLM Authentication
Client Connections from a Windows Server
WINS Entries
VPN Gateway
APPENDIX B Using Firewalls with Firebox SSL
McAfee Personal Firewall Plus
To view Secure Access Client status properties
BlackICE PC Protection
Sygate Personal Firewall Free and Pro Versions
Norton Personal Firewall
Tiny Personal Firewall
Services
ZoneAlarm Pro
4Click Install from Internet and then click Next
APPENDIX C Installing Windows Certificates
To install Cygwin
To unencrypt the private key
Unencrypting the Private Key
openssl verify -verbose -CApath /tmp certFile
Converting to a PEM-FormattedCertificate
BEGINRSA PRIVATE KEY <Unencrypted Private Key>
Intermediate Certificate
Administration Guide
Intermediate Certificate Intermediate Certificate
Firebox SSL VPN Gateway
Administration Guide
APPENDIX D Examples of Configuring Network Access
•Global Cluster Policies •Authentication
Collecting the LDAP directory information
Collecting the LDAP Directory Information
ou=Users,dc=ace,dc=com cn=Users,dc=ace,dc=com
2Click the Global Cluster Policies tab
Configuring Accessible Networks
To configure accessible networks
5In Realm Name, type Default
1Click the Access Policy Manager tab
1Click the Access Policy Manager tab
10.10.0.0/24 10.60.10.0/24
10.10.25.50/32
Administration Guide
Creating a Guest User Authentication Realm
1Click the Access Policy Manager tab
Creating Local Users
To add the local users
2Expand User Groups and then expand Local Users
1Click the Access Policy Manager tab
APPENDIX E Legal and Copyright Information
GNU GENERAL PUBLIC LICENSE
change
be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or
NO WARRANTY
END OF TERMS AND CONDITIONS
Administration Guide
Firebox SSL VPN Gateway
Index
Page
Page
Page
Page
Page
Page
Firebox SSL VPN Gateway
