WatchGuard Technologies SSL VPN manual Using Ldap Servers for Authentication and Authorization

Using LDAP Servers for Authentication and Authorization

RADIUS authentication. If you synchronize configurations among several Firebox SSL VPN Gateway appliances in a cluster, all the appliances are configured with the same secret. Shared secrets are config- ured on the Firebox SSL VPN Gateway when a RADIUS realm is created.

Using LDAP Servers for Authentication and Authorization

You can configure the Firebox SSL VPN Gateway to authenticate user access with an LDAP server. If a user is not located in an LDAP directory or fails authentication on a server, the Firebox SSL VPN Gateway checks the user against the user information stored locally on the Firebox SSL VPN Gateway.

LDAP authorization requires identical group names in Active Directory, on the LDAP server, and on the Firebox SSL VPN Gateway. The characters and case must also be the same.

LDAP authentication

Starting with Version 5.0 of the Firebox SSL VPN Gateway, LDAP authentication, by default, is secure using SSL/TLS. There are two types of secure LDAP connections. With one type, the LDAP server accepts the SSL/TLS connection on a port separate from the port used to accept clear LDAP connections. After a client establishes the SSL/TLS connection, LDAP traffic can be sent over the connection. The second type allows both unsecure and secure LDAP connections and is handled by a single port on the server. In this scenario, to create a secure connection, the client first establishes a clear LDAP connection. Then, the LDAP command StartTLS is sent to the server over the connection. If the LDAP server supports Start- TLS, the connection is converted to a secure LDAP connection using TLS.

The standard port numbers for unsecure LDAP connections is 389. The port number for secure LDAP connections with SSL/TLS is 636. LDAP connections that use the StartTLS command use port number

389.The Microsoft port numbers for unsecure and secure LDAP connections are 3268 and 3269. If port numbers 389 or 3268 are configured on the Firebox SSL VPN Gateway, it tries to use StartTLS to make the connection. If any other port number is used, connection attempts are made using SSL/TLS.

When configuring the Firebox SSL VPN Gateway to use LDAP authentication and the check box Allow Unsecure Traffic is selected, LDAP connections are unsecure.

Note

When upgrading the Firebox SSL VPN Gateway from an earlier version, and an LDAP realm is already configured, LDAP connections are unsecure by default. If this is a new installation of the Firebox SSL VPN Gateway, or you are creating a new LDAP realm, LDAP connections are secure by default.

When configuring the LDAP server, the letter case must match what is on the server and what is on the Firebox SSL VPN Gateway. If the root directory of the LDAP server is specified, all of the subdirectories are also searched to find the user attribute. In large directories, this can affect performance; we recom- mend that you use a specific organizational unit (OU).

The following table contains examples of user attribute fields for LDAP servers.