Firebox SSL VPN Gateway
SALES
ADDRESS
SUPPORT
ABOUT WATCHGUARD
Contents
Firebox SSL VPN Gateway Administration Desktop
Configuring Secure Certificate Management
Setting Up the Firebox SSL VPN Gateway Hardware
The Firebox SSL VPN Gateway operates as follows
Using the Serial Console
Configuring Authentication and Authorization
Using SafeWord for Citrix or SafeWord RemoteAccess for Authentication
Generating a Secure Certificate for the Firebox SSL VPN Gateway
APPENDIX A Firebox SSL VPN Gateway Monitoring and Troubleshooting
Combining the Private Key with the Signed Certificate
Audience
CHAPTER 1 Getting Started with Firebox SSL
VPN Gateway
Operating System Requirements
Easy software updates
LiveSecurity Service Solutions
Threat responses, alerts, and expert advice
Access to technical support and training
Information Alert
LiveSecurity Service Broadcasts
Software Update
Threat Response
Basic FAQs
LiveSecurity Service Self Help Tools
Activating LiveSecurity Service
New from WatchGuard
WatchGuard Users Forum
Advanced FAQs
Known Issues
Fireware “How To”’s
Online Help
LiveSecurity Service technical support
Using the WatchGuard Users Forum
Product Documentation
Service time
Firebox Installation Service
VPN Installation Service
Training and Certification
a certification exam. The training materials include links to books and web sites with more information about network security
CHAPTER 2 Introduction to Firebox SSL VPN Gateway
Overview
Network topology showing the TCP circuit
Overview
New versions of the Secure Access Client
New Features
Authentication and one-timepasswords
Configurable symmetric encryption ciphers
Disable kiosk mode
Secure Access Client connections
Disable desktop sharing
Automatic port redirection
Updated serial console menu
Features
NTLM authentication and authorization support
Administration Tool
Firebox SSL VPN Gateway Settings
Authentication and Authorization
User Groups, Local Users, and Resources
Enable External Administration
Feature
Server Upgrade
Saving and RestoringServerConfiguration
Feature Summary
The User Experience
Deployment and Administration
Connecting to the Firebox SSL Access Portal
Planning your deployment
Planning your deployment
Configuring Secure Certificate Management
Authentication Support
•A cross-overcable and a Windows computer
Setting Up the Firebox SSL VPN Gateway Hardware
To physically connect the Firebox SSL VPN Gateway
To configure TCP/IP settings using a serial cable
To configure TCP/IP Settings Using Network Cables
To configure TCP/IP settings using network cables
Firebox SSL VPN Gateway Administration Tool
To redirect unsecure connections
Using the Firebox SSL VPN Gateway
The Firebox SSL VPN Gateway operates as follows
2Click the General Networking tab
Starting the Secure Access Client
To configure a proxy server
Establishing the Secure Tunnel
Operation through Firewalls and Proxies
Performance and Real-TimeTraffic
Using the Firebox SSL VPN Gateway
Administration Guide
Using Kiosk Mode
Connecting to a Server Load Balancer
Using the Firebox SSL VPN Gateway
Administration Guide
Using the Firebox SSL VPN Gateway
Firebox SSL VPN Gateway
CHAPTER 3 Configuring Basic Settings
Firebox SSL VPN Gateway Administration Desktop
Using the Administration Portal
Downloads Tab
Maintenance Tab
Using the Serial Console
Admin Users Tab
To change the administrator password
Using the Administration Tool
To download and install the Administration Tool
To open the serial console
Product Activation and Licensing
To publish Firebox SSL VPN Gateway settings
Upgrading the tunnel and tunnel upgrade license
In Sync
Managing Licenses
To manage licenses on the Firebox SSL VPN Gateway
To test your configuration
To install a license file
Testing Your License Installation
Information about Your Licenses
7Click My own computer and then click Connect
Using Portal Pages
Using the Default Portal Page
1Click the VPN Gateway Cluster tab
Content inserted by variable
Variable
Using the ActiveX Control
Enabling Portal Page Authentication
To enable portal page authentication
Linking to Clients from Your Web Site
Secure Desktop Access
Multiple Log On Options using the Portal Page
Pre-AuthenticationPolicy Portal Page
Secure Application Access
Double-sourceAuthentication Portal Page
Connecting Using a Web Address
Connecting Using Secure Access Client
Double-sourceauthentication portal page
To restore a saved configuration
Saving and Restoring the Configuration
To save the Firebox SSL VPN Gateway configuration
To upgrade the Firebox SSL VPN Gateway
Firebox SSL VPN Gateway System Date and Time
Restarting the Firebox SSL VPN Gateway
Shutting Down the Firebox SSL VPN Gateway
To restart the Firebox SSL VPN Gateway
To change the system date and time
To enable ICMP traffic
Allowing ICMP traffic
Network Time Protocol
CHAPTER 4 Configuring Firebox SSL VPN
Configuring Network Information
Gateway Network Connections
General Networking
General Networking
VPN port
External Public FQDN
Duplex mode
IP address
To edit the HOSTS file
Name Service Providers
To enable split DNS
DNS Server 1, DNS Server 2, DNS Server
Dynamic and Static Routing
Configuring Network Routing
Enable Dynamic Gateway
To remove an entry from the HOSTS file
To configure dynamic routing
Configuring Dynamic Routing
Enabling RIP Authentication for Dynamic Routing
To enable RIP authentication for dynamic routing
To save dynamic routes to the static route table
Configuring a Static Route
Changing from Dynamic Routing to Static Routing
To add a static route
To remove a static route
Static Route Example
To test a static route
Network topology showing a static route
To set up the example static route
Configuring Firebox SSL VPN Gateway Failover
Configuring Internal Failover
To enable internal failover
Controlling Network Access
Configuring Network Access
Specifying Accessible Networks
Enabling Split Tunneling
1Click the Global Cluster Policies tab
Configuring User Groups
Denying Access to Groups without an ACL
To enable split tunneling
1Click the Global Cluster Policies tab
Enabling Improving Voice over IP Connections
To deny access to user groups without an ACL
Improving Voice over IP Connections
1Click the Global Cluster Policies tab
To improve latency for UDP traffic
1Click the Global Cluster Policies tab
CHAPTER 5 Configuring Authentication and
Authorization
Configuring Authentication and Authorization
Configuring Authentication and Authorization
Configuring Authentication without Authorization
The Default Realm
Using a Local User List for Authentication
Adding Users to Multiple Groups
Configuring Local Users
Changing Password for Users
To add a user to a group
To remove and create a Default realm
Configuring the Default Realm
To change a user’s password
4In Authorization Type, select LDAP Authorization
Creating Additional Realms
To create a realm
3On the Action menu, select Remove Default realm
Using SafeWord for Authentication
To disable Firebox SSL VPN Gateway authentication
SafeWord PremierAccess Authorization
To configure SafeWord on the Access Gateway
To configure the IAS RADIUS realm
1Click the Authentication tab
Server
5Select Local computer and click Finish
default RADIUS=Standard
22Under Vendor-assignedattribute number, type
23In Attribute format, select String
Choosing RADIUS Authentication Protocols
To specify RADIUS server authentication
To configure RADIUS authorization
1Click the Authentication tab
User Attribute
LDAP authentication
LDAP Server
Case Sensitive
To configure LDAP authentication
1Click the Authentication tab
5Click the Authentication tab
LDAP Authorization
1Click the Authentication tab
LDAP authorization group attribute fields
To configure LDAP authentication
4Click the Authentication tab
To configure LDAP authorization
Determining Attributes in your LDAP Directory
Using certificates for secure LDAP connections
To install and set up the LDAP Browser
To upload a secure client certificate for LDAP
Port
Using RSA SecurID for Authentication
Host
Base DN
5 For Agent type, select UNIX Agent
To enable RSA SecurID authentication
Configuration Files
1Click the Authentication tab
Configuring Gemalto Protiva Authentication
Configuring RSA Settings for a Cluster
Resetting the node secret
To reset the node secret on the RSA ACE/Server
1Click the Authentication tab
Configuring NTLM Authentication and Authorization
To configure NTLM authentication
5Click the Authentication tab
Configuring NTLM Authorization
To configure NTLM authorization
3In Authorization type, select NTLM authorization
Configuring Double-SourceAuthentication
To prevent caching of one-timepasswords
1On the Authentication tab, click Authentication
Changing Password Labels
To change the password labels
Adding Local Users
To create a user on the Firebox SSL VPN Gateway
1Click the Access Policy Manager tab
User Group Overview
To delete a user from the Firebox SSL VPN Gateway
To remove a user group
Creating User Groups
To create a local user group
1Click the Access Policy Manager tab
To enable or disable Default group properties
Configuring Properties for a User Group
Default group properties
Forcing Users to Log on Again
Enabling domain logon scripts
1Click the Access Policy Manager tab
Enabling session time-out
To enable logon scripts
To enable session time-out
1Click the Access Policy Manager tab
To enable Web session time-outs
Configuring Web Session Time-Outs
Setting Application Options
To disable desktop sharing
Enabling IP Pooling
To configure IP pooling for a group
Enabling Split DNS
To allow failover to a user’s local DNS
To specify a portal page for a group
Client certificate criteria configuration
Choosing a portal page for a group
3In Use this custom portal page, select the page
To create pre-authenticationpolicies
Configuring Resources for a User Group
To specify client certificate configuration
Global policies
Group properties include
Group resources include
Adding Users to Multiple Groups
To remove a resource from a user group
To configure resource access control for a group
Defining network resources
1Click the Access Policy Manager tab
To create and configure a network resource
1Click the Access Policy Manager tab
To add a network resource to a group
To configure an application policy
Application policies
To remove a network resource
To add an application policy to a group
Configuring file share resources
To deny one application network access
To deny applications without policies
To create a file share resource
Configuring kiosk mode
To create and configure a kiosk resource
To remove a share
To create an end point resource
Configuring end point resources
End point resources and policies
1Click the Access Policy Manager tab
To create an end point policy for a group
Configuring an end point policy for a group
To delete an end point resource
1Click the Access Policy Manager tab
Setting the Priority of Groups
To build an end point policy expression
1Click the Access Policy Manager tab
To view the group priorities for a user
Configuring Pre-AuthenticationPolicies
To set the priority of groups
To create pre-authenticationpolicies
Setting the Priority of Groups
Firebox SSL VPN Gateway
CHAPTER 7 Creating and Installing Secure
Certificates
Password-ProtectedPrivate Keys
Overview of the Certificate Signing Request
Creating a Certificate Signing Request
To create a Certificate Signing Request
1Click the VPN Gateway Cluster tab
Resetting the Certificate to the Default Setting
Installing Multiple Root Certificates
Creating Root Certificates Using a Command Prompt
To reset the default certificate
Client Certificates
To require client certificates
1Click the Global Cluster Policies tab
Installing Root Certificates
Requiring Certificates from Internal Connections
Wildcard Certificates
Operating Systems
CHAPTER 8 Working with Client Connections
System Requirements
Web Browsers
Using the Access Portal
To connect using the default portal page
The Firebox SSL VPN Gateway operates as follows
Connecting from a Private Computer
To remove the Linux VPN client
sbin/service net6vpnd start
Establishing the Secure Tunnel
ipconfig/all or route print
Connecting from a Private Computer
Administration Guide
Operation through Firewalls and Proxies
Using the Secure Access Client Window
ActiveX Helper
To log on to the Firebox SSL VPN Gateway
Connecting from a Private Computer
Administration Guide
To use the Secure Access Client status properties
To disconnect the Secure Access Client
To manually configure a proxy server
To view the Connection Log
To disconnect the Secure Access Client
Connecting from a Public Computer
Connections Using Kiosk Mode
To enable kiosk mode
Creating a Kiosk Mode Resource
computer
To create and configure a kiosk resource
Working with File Share Resources
To add a file share to a kiosk resource
1Click the Access Policy Manager tab
To remove a file share
To enable client applications
Client Applications
To work with file share resources
Firefox Web Browser
To configure Firefox
To configure Remote Desktop
Remote Desktop client
Gaim Instant Messenging
Telnet 3270 Emulator Client
VNC Client
To use the SSH client
Supporting Secure Access Client
To use Gaim
Managing Client Connections
Connection handling
Closing a connection to a resource
To disable a user at a particular MAC address
To enable a user at a particular MAC address
Disabling and enabling a user
4Click OK
Managing Client Connections
Firebox SSL VPN Gateway
Viewing and Downloading System Message Logs
Monitoring and Troubleshooting
APPENDIX A Firebox SSL VPN Gateway
To view and filter the system log
3Click Logging/Settings
Forwarding System Messages to a Syslog Server
Viewing the W3C-FormattedRequest Log
4Under Gateway Log, click Display Logging Window
Multi Router Traffic Grapher Example
To enable logging of SNMP messages
Enabling and Viewing SNMP Logs
2 Under SNMP Settings, select Enable SNMP
Viewing System Statistics
Monitoring Firebox SSL VPN Gateway Operations
xNetTools
Firebox SSL Real-timeMonitor
Ethereal Network Analyzer
Traceroute
Upgrading to SSL v
Reinstalling v 4.9 application software
Backing up your configuration settings
Upgrading to SSL v
Troubleshooting the Web Interface
Troubleshooting
Launching the v 5.5 Administration Tool
Applications do not Appear after Logging On
Other Issues
Read/Write Access to the Firebox SSL VPN Gateway
Web Interface Credentials Are Invalid
LDAP Authentication
Defining Accessible Networks
Ping Command
VMWare
Certificate Signing
The Administration Tool Is Inaccessible
Internal Failover
Certificate Revocation Lists
Secure Access Client Connections with Windows XP
Certificates Using 512-bitkeypairs
Secure Access Client
DNS Name Resolution Using Named Service Providers
Client Connections from a Windows Server
NTLM Authentication
Using Third-PartyClient Software
WINS Entries
APPENDIX B Using Firewalls with Firebox SSL
VPN Gateway
To view Secure Access Client status properties
BlackICE PC Protection
McAfee Personal Firewall Plus
Tiny Personal Firewall
Norton Personal Firewall
Sygate Personal Firewall Free and Pro Versions
Services
ZoneAlarm Pro
APPENDIX C Installing Windows Certificates
To install Cygwin
4Click Install from Internet and then click Next
Unencrypting the Private Key
To unencrypt the private key
Converting to a PEM-FormattedCertificate
openssl verify -verbose -CApath /tmp certFile
BEGINRSA PRIVATE KEY <Unencrypted Private Key>
Administration Guide
Intermediate Certificate Intermediate Certificate
Intermediate Certificate
Firebox SSL VPN Gateway
APPENDIX D Examples of Configuring Network Access
Administration Guide
•Global Cluster Policies •Authentication
Collecting the LDAP directory information
Collecting the LDAP Directory Information
ou=Users,dc=ace,dc=com cn=Users,dc=ace,dc=com
Configuring Accessible Networks
To configure accessible networks
2Click the Global Cluster Policies tab
5In Realm Name, type Default
1Click the Access Policy Manager tab
1Click the Access Policy Manager tab
10.10.0.0/24 10.60.10.0/24
10.10.25.50/32
Administration Guide
Creating a Guest User Authentication Realm
Creating Local Users
To add the local users
1Click the Access Policy Manager tab
1Click the Access Policy Manager tab
2Expand User Groups and then expand Local Users
APPENDIX E Legal and Copyright Information
GNU GENERAL PUBLIC LICENSE
change
be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or
NO WARRANTY
END OF TERMS AND CONDITIONS
Administration Guide
Firebox SSL VPN Gateway
Index
Page
Page
Page
Page
Page
Page
Firebox SSL VPN Gateway
