WatchGuard Technologies SSL VPN manual User Group Overview

User Group Overview

5All users are members of the Default resource group. To add a user to another group, under Local Users, click and drag the user to the user group to which you want the user to belong.

To delete a user from the Firebox SSL VPN Gateway

Right-click the user in the Local Users list and click Remove.

User Group Overview

When you enable authorization on the Firebox SSL VPN Gateway, user group information is obtained from the authentication server after a user is authenticated. If the group name that is obtained from the authentication server matches a group name created locally on the Firebox SSL VPN Gateway, the prop- erties of the local group are used for the matching group obtained from the authentication servers.

Note

Group names on authentication servers and on the Firebox SSL VPN Gateway must be identical and they are case sensitive.

Each user should belong to at least one group that is defined locally on the Firebox SSL VPN Gateway. If a user does not belong to a group, the overall access of the user is determined by the Deny Access without ACL setting on the Global Cluster Policies tab, as follows:

•If the Deny Access option is enabled, the user cannot establish a connection

•If the Deny Access option is disabled, the user has full network access

•In either case, the user can use kiosk mode, but network access within that session is determined by the Deny Access without ACL setting

You can also add local groups that are not related to groups on authentication servers. For example, you might create a local group to set up a contractor or visitor to whom you want to provide temporary access without having to create an entry on the authentication server. For information about creating a local user, see “Adding Local Users” on page 87.

Several aspects of Firebox SSL VPN Gateway operation are configured at the group level. These are sep- arated between group properties and group resources.

Group properties include:

•Groups that inherit properties from the default group.

•Requiring users to log on again if there is a network interruption or if the computer is coming out of standby or hibernate.

•Enabling single sign-on.

•Running logon scrips when a user logs on using domain credentials.

•Denying access to applications to the network that do not have a defined application policy.

•Specify the length of time a session is active. If the user has a 60 minute session time-out, the session ends at 60 minutes. Users are given a one minute warning that their session is about to end.

•Enabling Split DNS allows local DNS servers to be contacted if the DNS servers for the remote client are non-responsive.

•IP pooling where a unique IP address is assigned to each client’s session.

•Portal page usage that defines the portal page the user sees when logging on. The portal page can be one of the provided templates, modified for individual companies.

•Requiring client certificates.