Manuals / WatchGuard Technologies / Household Appliance / Water Heater

WatchGuard Technologies SSL VPN To configure LDAP authentication, 1Click the Authentication tab

Models: SSL VPN

1 198

Download 198 pages 26.5 Kb

Page 84

To configure LDAP authentication

Using LDAP Servers for Authentication and Authorization

This table contains examples of the base dn

Microsoft Active Directory Server	DC=citrix, DC=local

Novell eDirectory	dc=citrix,dc=net

IBM Directory Server

Lotus Domino	OU=City, O=Citrix, C=US

Sun ONE directory (formerly iPlanet)	ou=People,dc=citrix,dc=com

The following table contains examples of bind dn:

Microsoft Active Directory Server	CN=Administrator, CN=Users, DC=citrix, DC=local

Novell eDirectory	cn=admin, dc=citrix, dc=net

IBM Directory Server

Lotus Domino	CN=Notes Administrator, O=Citrix, C=US

Sun ONE directory (formerly iPlanet)	uid=admin,ou=Administrators,
	ou=TopologyManagement,o=NetscapeRoot

Note

For further information to determine the LDAP server settings, see “Determining Attributes in your LDAP Directory” on page 78.

To configure LDAP authentication

1Click the Authentication tab.

2In Realm Name, type a name for the authentication realm.

If your site has multiple authentication realms, you might use a name that identifies the LDAP realm for which you specify settings. Realm names are case-sensitive and can contain spaces.

Note

If you want the Default realm to use LDAP authentication, remove the Default realm as described in “Changing the Authentication Type of the Default Realm” on page 65.

3Select One Source and click Add.

4In Select Authentication Type, in Authentication Type, choose LDAP Authentication and click

OK.

The Realm dialog box opens.

5Click the Authentication tab.

6In Server IP Address, type the IP address of the LDAP server.

7 In Server Port, type the port number.

The LDAP Server port defaults to 389. If you are using an indexed database, such as Microsoft Active Directory with a Global Catalog, changing the LDAP Server port to 3268 significantly increases the speed of the LDAP queries.

If your directory is not indexed, use an administrative connection rather than an anonymous connection from the Firebox SSL VPN Gateway to the database. Download performance improves when you use an administrative connection.

74	Firebox SSL VPN Gateway

Image 84

WatchGuard Technologies SSL VPN manual To configure LDAP authentication, 1Click the Authentication tab

Contents

Firebox SSL VPN Gateway ADDRESS SUPPORTSALES ABOUT WATCHGUARDContents Configuring Secure Certificate Management Setting Up the Firebox SSL VPN Gateway HardwareFirebox SSL VPN Gateway Administration Desktop The Firebox SSL VPN Gateway operates as followsUsing the Serial Console Configuring Authentication and Authorization Using SafeWord for Citrix or SafeWord RemoteAccess for Authentication Generating a Secure Certificate for the Firebox SSL VPN Gateway APPENDIX A Firebox SSL VPN Gateway Monitoring and Troubleshooting Combining the Private Key with the Signed Certificate CHAPTER 1 Getting Started with Firebox SSL VPN GatewayAudience Operating System RequirementsLiveSecurity Service Solutions Threat responses, alerts, and expert adviceEasy software updates Access to technical support and trainingLiveSecurity Service Broadcasts Software UpdateInformation Alert Threat ResponseLiveSecurity Service Self Help Tools Activating LiveSecurity ServiceBasic FAQs New from WatchGuardAdvanced FAQs Known IssuesWatchGuard Users Forum Fireware “How To”’sLiveSecurity Service technical support Using the WatchGuard Users ForumOnline Help Product DocumentationFirebox Installation Service VPN Installation ServiceService time Training and Certificationa certification exam. The training materials include links to books and web sites with more information about network security CHAPTER 2 Introduction to Firebox SSL VPN Gateway OverviewNetwork topology showing the TCP circuit OverviewNew Features Authentication and one-timepasswordsNew versions of the Secure Access Client Configurable symmetric encryption ciphersSecure Access Client connections Disable desktop sharingDisable kiosk mode Automatic port redirectionFeatures NTLM authentication and authorization supportUpdated serial console menu Administration ToolFirebox SSL VPN Gateway Settings Authentication and AuthorizationUser Groups, Local Users, and Resources Feature Server UpgradeEnable External Administration Saving and RestoringServerConfigurationFeature Summary The User ExperienceDeployment and Administration Connecting to the Firebox SSL Access PortalPlanning your deployment Planning your deploymentConfiguring Secure Certificate Management Authentication Support•A cross-overcable and a Windows computer Setting Up the Firebox SSL VPN Gateway Hardware To physically connect the Firebox SSL VPN GatewayTo configure TCP/IP settings using a serial cable To configure TCP/IP Settings Using Network Cables To configure TCP/IP settings using network cablesFirebox SSL VPN Gateway Administration Tool Using the Firebox SSL VPN Gateway The Firebox SSL VPN Gateway operates as followsTo redirect unsecure connections 2Click the General Networking tabStarting the Secure Access Client To configure a proxy serverEstablishing the Secure Tunnel Operation through Firewalls and ProxiesPerformance and Real-TimeTraffic Using the Firebox SSL VPN GatewayAdministration Guide Using Kiosk Mode Connecting to a Server Load BalancerUsing the Firebox SSL VPN Gateway Administration GuideUsing the Firebox SSL VPN Gateway Firebox SSL VPN GatewayCHAPTER 3 Configuring Basic Settings Firebox SSL VPN Gateway Administration Desktop Using the Administration PortalDownloads Tab Using the Serial Console Admin Users TabMaintenance Tab To change the administrator passwordUsing the Administration Tool To download and install the Administration ToolTo open the serial console To publish Firebox SSL VPN Gateway settings Upgrading the tunnel and tunnel upgrade licenseProduct Activation and Licensing In SyncManaging Licenses To manage licenses on the Firebox SSL VPN GatewayTo install a license file Testing Your License InstallationTo test your configuration Information about Your LicensesUsing Portal Pages Using the Default Portal Page7Click My own computer and then click Connect 1Click the VPN Gateway Cluster tabContent inserted by variable VariableUsing the ActiveX Control Enabling Portal Page Authentication To enable portal page authenticationLinking to Clients from Your Web Site Multiple Log On Options using the Portal Page Pre-AuthenticationPolicy Portal PageSecure Desktop Access Secure Application AccessConnecting Using a Web Address Connecting Using Secure Access ClientDouble-sourceAuthentication Portal Page Double-sourceauthentication portal pageSaving and Restoring the Configuration To save the Firebox SSL VPN Gateway configurationTo restore a saved configuration To upgrade the Firebox SSL VPN GatewayRestarting the Firebox SSL VPN Gateway Shutting Down the Firebox SSL VPN GatewayFirebox SSL VPN Gateway System Date and Time To restart the Firebox SSL VPN GatewayTo enable ICMP traffic Allowing ICMP trafficTo change the system date and time Network Time ProtocolCHAPTER 4 Configuring Firebox SSL VPN Configuring Network InformationGateway Network Connections General Networking General NetworkingExternal Public FQDN Duplex modeVPN port IP addressName Service Providers To enable split DNSTo edit the HOSTS file DNS Server 1, DNS Server 2, DNS ServerConfiguring Network Routing Enable Dynamic GatewayDynamic and Static Routing To remove an entry from the HOSTS fileConfiguring Dynamic Routing Enabling RIP Authentication for Dynamic RoutingTo configure dynamic routing To enable RIP authentication for dynamic routingConfiguring a Static Route Changing from Dynamic Routing to Static RoutingTo save dynamic routes to the static route table To add a static routeStatic Route Example To test a static routeTo remove a static route Network topology showing a static routeConfiguring Firebox SSL VPN Gateway Failover Configuring Internal FailoverTo set up the example static route To enable internal failoverControlling Network Access Configuring Network AccessSpecifying Accessible Networks Enabling Split Tunneling1Click the Global Cluster Policies tab Denying Access to Groups without an ACL To enable split tunnelingConfiguring User Groups 1Click the Global Cluster Policies tabTo deny access to user groups without an ACL Improving Voice over IP ConnectionsEnabling Improving Voice over IP Connections 1Click the Global Cluster Policies tabTo improve latency for UDP traffic 1Click the Global Cluster Policies tabCHAPTER 5 Configuring Authentication and AuthorizationConfiguring Authentication and Authorization Configuring Authentication and Authorization Configuring Authentication without Authorization The Default RealmUsing a Local User List for Authentication Configuring Local Users Changing Password for UsersAdding Users to Multiple Groups To add a user to a groupConfiguring the Default Realm To change a user’s passwordTo remove and create a Default realm 4In Authorization Type, select LDAP AuthorizationCreating Additional Realms To create a realm3On the Action menu, select Remove Default realm Using SafeWord for Authentication To disable Firebox SSL VPN Gateway authentication SafeWord PremierAccess AuthorizationTo configure SafeWord on the Access Gateway To configure the IAS RADIUS realm 1Click the Authentication tabServer 5Select Local computer and click Finish default RADIUS=Standard 22Under Vendor-assignedattribute number, type23In Attribute format, select String To specify RADIUS server authentication To configure RADIUS authorizationChoosing RADIUS Authentication Protocols 1Click the Authentication tabLDAP authentication LDAP ServerUser Attribute Case SensitiveTo configure LDAP authentication 1Click the Authentication tab5Click the Authentication tab LDAP Authorization LDAP authorization group attribute fields To configure LDAP authentication1Click the Authentication tab 4Click the Authentication tabTo configure LDAP authorization Using certificates for secure LDAP connections To install and set up the LDAP BrowserDetermining Attributes in your LDAP Directory To upload a secure client certificate for LDAPUsing RSA SecurID for Authentication HostPort Base DN5 For Agent type, select UNIX Agent To enable RSA SecurID authentication Configuration Files1Click the Authentication tab Configuring RSA Settings for a Cluster Resetting the node secretConfiguring Gemalto Protiva Authentication To reset the node secret on the RSA ACE/ServerConfiguring NTLM Authentication and Authorization To configure NTLM authentication1Click the Authentication tab 5Click the Authentication tabConfiguring NTLM Authorization To configure NTLM authorization3In Authorization type, select NTLM authorization Configuring Double-SourceAuthentication To prevent caching of one-timepasswords1On the Authentication tab, click Authentication Changing Password Labels To change the password labelsAdding Local Users To create a user on the Firebox SSL VPN Gateway1Click the Access Policy Manager tab User Group Overview To delete a user from the Firebox SSL VPN GatewayCreating User Groups To create a local user groupTo remove a user group 1Click the Access Policy Manager tabConfiguring Properties for a User Group Default group propertiesTo enable or disable Default group properties Forcing Users to Log on AgainEnabling domain logon scripts 1Click the Access Policy Manager tabTo enable logon scripts To enable session time-outEnabling session time-out 1Click the Access Policy Manager tabConfiguring Web Session Time-Outs Setting Application OptionsTo enable Web session time-outs To disable desktop sharingTo configure IP pooling for a group Enabling Split DNSEnabling IP Pooling To allow failover to a user’s local DNSClient certificate criteria configuration Choosing a portal page for a groupTo specify a portal page for a group 3In Use this custom portal page, select the pageConfiguring Resources for a User Group To specify client certificate configurationTo create pre-authenticationpolicies Global policiesGroup properties include Group resources includeAdding Users to Multiple Groups To configure resource access control for a group Defining network resourcesTo remove a resource from a user group 1Click the Access Policy Manager tabTo create and configure a network resource 1Click the Access Policy Manager tabTo configure an application policy Application policiesTo add a network resource to a group To remove a network resourceConfiguring file share resources To deny one application network accessTo add an application policy to a group To deny applications without policiesConfiguring kiosk mode To create and configure a kiosk resourceTo create a file share resource To remove a shareConfiguring end point resources End point resources and policiesTo create an end point resource 1Click the Access Policy Manager tabConfiguring an end point policy for a group To delete an end point resourceTo create an end point policy for a group 1Click the Access Policy Manager tabSetting the Priority of Groups To build an end point policy expression1Click the Access Policy Manager tab Configuring Pre-AuthenticationPolicies To set the priority of groupsTo view the group priorities for a user To create pre-authenticationpoliciesSetting the Priority of Groups Firebox SSL VPN GatewayCHAPTER 7 Creating and Installing Secure CertificatesPassword-ProtectedPrivate Keys Overview of the Certificate Signing RequestCreating a Certificate Signing Request To create a Certificate Signing Request1Click the VPN Gateway Cluster tab Installing Multiple Root Certificates Creating Root Certificates Using a Command PromptResetting the Certificate to the Default Setting To reset the default certificateClient Certificates To require client certificates1Click the Global Cluster Policies tab Installing Root Certificates Requiring Certificates from Internal Connections Wildcard CertificatesCHAPTER 8 Working with Client Connections System RequirementsOperating Systems Web BrowsersUsing the Access Portal To connect using the default portal pageConnecting from a Private Computer To remove the Linux VPN clientThe Firebox SSL VPN Gateway operates as follows sbin/service net6vpnd startEstablishing the Secure Tunnel ipconfig/all or route printConnecting from a Private Computer Administration GuideOperation through Firewalls and Proxies Using the Secure Access Client Window ActiveX HelperTo log on to the Firebox SSL VPN Gateway Connecting from a Private ComputerAdministration Guide To use the Secure Access Client status properties To disconnect the Secure Access ClientTo manually configure a proxy server To view the Connection LogTo disconnect the Secure Access Client Connecting from a Public Computer Connections Using Kiosk ModeTo enable kiosk mode Creating a Kiosk Mode Resourcecomputer Working with File Share Resources To add a file share to a kiosk resourceTo create and configure a kiosk resource 1Click the Access Policy Manager tabTo enable client applications Client ApplicationsTo remove a file share To work with file share resourcesTo configure Firefox To configure Remote DesktopFirefox Web Browser Remote Desktop clientTelnet 3270 Emulator Client VNC ClientGaim Instant Messenging To use the SSH clientSupporting Secure Access Client To use GaimManaging Client Connections Connection handlingTo disable a user at a particular MAC address To enable a user at a particular MAC addressClosing a connection to a resource Disabling and enabling a user4Click OK Managing Client Connections Firebox SSL VPN GatewayMonitoring and Troubleshooting APPENDIX A Firebox SSL VPN GatewayViewing and Downloading System Message Logs To view and filter the system logForwarding System Messages to a Syslog Server Viewing the W3C-FormattedRequest Log3Click Logging/Settings 4Under Gateway Log, click Display Logging WindowTo enable logging of SNMP messages Enabling and Viewing SNMP LogsMulti Router Traffic Grapher Example 2 Under SNMP Settings, select Enable SNMPViewing System Statistics Monitoring Firebox SSL VPN Gateway OperationsFirebox SSL Real-timeMonitor Ethereal Network AnalyzerxNetTools TracerouteReinstalling v 4.9 application software Backing up your configuration settingsUpgrading to SSL v Upgrading to SSL vTroubleshooting Launching the v 5.5 Administration ToolTroubleshooting the Web Interface Applications do not Appear after Logging OnOther Issues Read/Write Access to the Firebox SSL VPN GatewayWeb Interface Credentials Are Invalid Defining Accessible Networks Ping CommandLDAP Authentication VMWareThe Administration Tool Is Inaccessible Internal FailoverCertificate Signing Certificate Revocation ListsCertificates Using 512-bitkeypairs Secure Access ClientSecure Access Client Connections with Windows XP DNS Name Resolution Using Named Service ProvidersNTLM Authentication Using Third-PartyClient SoftwareClient Connections from a Windows Server WINS EntriesAPPENDIX B Using Firewalls with Firebox SSL VPN GatewayTo view Secure Access Client status properties BlackICE PC ProtectionMcAfee Personal Firewall Plus Norton Personal Firewall Sygate Personal Firewall Free and Pro VersionsTiny Personal Firewall ServicesZoneAlarm Pro APPENDIX C Installing Windows Certificates To install Cygwin4Click Install from Internet and then click Next Unencrypting the Private Key To unencrypt the private keyConverting to a PEM-FormattedCertificate openssl verify -verbose -CApath /tmp certFileBEGINRSA PRIVATE KEY <Unencrypted Private Key> Administration Guide Intermediate Certificate Intermediate CertificateIntermediate Certificate Firebox SSL VPN Gateway APPENDIX D Examples of Configuring Network Access Administration Guide•Global Cluster Policies •Authentication Collecting the LDAP directory information Collecting the LDAP Directory Information ou=Users,dc=ace,dc=com cn=Users,dc=ace,dc=com Configuring Accessible Networks To configure accessible networks2Click the Global Cluster Policies tab 5In Realm Name, type Default 1Click the Access Policy Manager tab 1Click the Access Policy Manager tab10.10.0.0/24 10.60.10.0/24 10.10.25.50/32 Administration Guide Creating a Guest User Authentication Realm Creating Local Users To add the local users1Click the Access Policy Manager tab 1Click the Access Policy Manager tab 2Expand User Groups and then expand Local UsersAPPENDIX E Legal and Copyright Information GNU GENERAL PUBLIC LICENSE change be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or NO WARRANTY END OF TERMS AND CONDITIONS Administration Guide Firebox SSL VPN Gateway Index Page Page Page Page Page Page Firebox SSL VPN Gateway